npm - @simtlix/simfinity-js - Versions diffs - 2.4.6 → 2.5.0 - Mend

@simtlix/simfinity-js 2.4.6 → 2.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/.claude/worktrees/agitated-kepler/src/auth/index.js ADDED Viewed

@@ -0,0 +1,391 @@
+/**
+ * Simfinity GraphQL Authorization
+ *
+ * Production-grade centralized GraphQL authorization supporting:
+ * - RBAC / ABAC
+ * - Function-based rules
+ * - Declarative policy expressions (JSON AST)
+ * - Wildcard "*" permissions
+ * - Default allow/deny policies
+ *
+ * @example
+ * import { auth } from '@simtlix/simfinity-js';
+ * import { createYoga } from 'graphql-yoga';
+ *
+ * const { createAuthPlugin, requireAuth, requireRole } = auth;
+ *
+ * const permissions = {
+ *   Query: {
+ *     series: requireAuth(),
+ *     seasons: requireAuth(),
+ *   },
+ *   Mutation: {
+ *     deleteserie: requireRole('admin'),
+ *     deletestar: requireRole('admin'),
+ *   },
+ *   serie: {
+ *     '*': requireAuth(),
+ *   }
+ * };
+ *
+ * const authPlugin = createAuthPlugin(permissions, { defaultPolicy: 'ALLOW' });
+ * const yoga = createYoga({ schema, plugins: [authPlugin] });
+ */
+import { GraphQLObjectType, defaultFieldResolver } from 'graphql';
+import { UnauthenticatedError, ForbiddenError, createAuthError } from './errors.js';
+import { isPolicyExpression, createRuleFromExpression, evaluateExpression } from './expressions.js';
+import {
+  resolvePath,
+  requireAuth,
+  requireRole,
+  requirePermission,
+  composeRules,
+  anyRule,
+  isOwner,
+  createRule,
+  allow,
+  deny,
+} from './rules.js';
+// Re-export errors
+export { UnauthenticatedError, ForbiddenError, createAuthError } from './errors.js';
+// Re-export expression utilities
+export { evaluateExpression, isPolicyExpression, createRuleFromExpression } from './expressions.js';
+// Re-export rule helpers and utilities
+export {
+  resolvePath,
+  requireAuth,
+  requireRole,
+  requirePermission,
+  composeRules,
+  anyRule,
+  isOwner,
+  createRule,
+  allow,
+  deny,
+} from './rules.js';
+/**
+ * @typedef {'ALLOW' | 'DENY'} DefaultPolicy
+ */
+/**
+ * @typedef {Object} AuthMiddlewareOptions
+ * @property {DefaultPolicy} [defaultPolicy='DENY'] - Default policy when no rule matches
+ * @property {boolean} [debug=false] - Enable debug logging
+ */
+/**
+ * @typedef {Function} RuleFunction
+ * @param {*} parent - Parent resolver result
+ * @param {Object} args - GraphQL arguments
+ * @param {Object} ctx - GraphQL context
+ * @param {Object} info - GraphQL resolve info
+ * @returns {boolean|void|Promise<boolean|void>} - true/void to allow, false to deny
+ */
+/**
+ * @typedef {Object|RuleFunction|Array<RuleFunction>} Rule
+ */
+/**
+ * @typedef {Object.<string, Rule>} TypePermissions
+ */
+/**
+ * @typedef {Object.<string, TypePermissions>} PermissionSchema
+ */
+/**
+ * Normalizes a rule to always be an array of functions
+ * @param {Rule} rule - The rule to normalize
+ * @returns {Function[]} Array of rule functions
+ */
+const normalizeRule = (rule) => {
+  if (typeof rule === 'function') {
+    return [rule];
+  }
+  if (Array.isArray(rule)) {
+    return rule.flatMap(r => normalizeRule(r));
+  }
+  if (isPolicyExpression(rule)) {
+    return [createRuleFromExpression(rule)];
+  }
+  // Unknown rule type - return empty (will use default policy)
+  return [];
+};
+/**
+ * Gets the rule for a specific field, with wildcard fallback
+ * @param {PermissionSchema} permissions - The permission schema
+ * @param {string} typeName - The GraphQL type name
+ * @param {string} fieldName - The field name
+ * @returns {Function[]|null} Array of rule functions or null if no rule found
+ */
+const getFieldRules = (permissions, typeName, fieldName) => {
+  const typePerms = permissions[typeName];
+  if (!typePerms) {
+    return null;
+  }
+  // Check for exact field rule first
+  if (fieldName in typePerms) {
+    return normalizeRule(typePerms[fieldName]);
+  }
+  // Fallback to wildcard
+  if ('*' in typePerms) {
+    return normalizeRule(typePerms['*']);
+  }
+  return null;
+};
+/**
+ * Executes a single rule
+ * @param {Function} rule - The rule function to execute
+ * @param {*} parent - Parent resolver result
+ * @param {Object} args - GraphQL arguments
+ * @param {Object} ctx - GraphQL context
+ * @param {Object} info - GraphQL resolve info
+ * @returns {Promise<boolean>} True if allowed, false if denied
+ */
+const executeRule = async (rule, parent, args, ctx, info) => {
+  const result = await rule(parent, args, ctx, info);
+  // void/undefined/true means allow
+  if (result === undefined || result === true) {
+    return true;
+  }
+  // false means deny
+  return false;
+};
+/**
+ * Creates a graphql-middleware compatible authorization middleware.
+ *
+ * @deprecated Use {@link createAuthPlugin} instead. `applyMiddleware` from graphql-middleware
+ * can cause duplicate-type errors when the schema contains custom introspection extensions.
+ *
+ * @param {PermissionSchema} permissions - The permission schema object
+ * @param {AuthMiddlewareOptions} [options={}] - Middleware options
+ * @returns {Function} A graphql-middleware compatible middleware function
+ */
+export const createAuthMiddleware = (permissions, options = {}) => {
+  const {
+    defaultPolicy = 'DENY',
+    debug = false,
+  } = options;
+  const log = debug ? console.log.bind(console, '[auth]') : () => {};
+  /**
+   * The middleware generator function
+   * Returns a middleware object keyed by type name, each containing field resolvers
+   */
+  return async (resolve, parent, args, ctx, info) => {
+    const typeName = info.parentType.name;
+    const fieldName = info.fieldName;
+    log(`Checking ${typeName}.${fieldName}`);
+    // Get rules for this field
+    const rules = getFieldRules(permissions, typeName, fieldName);
+    // If no rules found, apply default policy
+    if (rules === null || rules.length === 0) {
+      log(`No rules for ${typeName}.${fieldName}, applying default policy: ${defaultPolicy}`);
+      if (defaultPolicy === 'DENY') {
+        throw new ForbiddenError(`Access denied to ${typeName}.${fieldName}`);
+      }
+      // ALLOW - proceed to resolver
+      return resolve(parent, args, ctx, info);
+    }
+    // Execute all rules (AND logic - all must pass)
+    for (const rule of rules) {
+      log(`Executing rule for ${typeName}.${fieldName}`);
+      const allowed = await executeRule(rule, parent, args, ctx, info);
+      if (!allowed) {
+        log(`Rule denied access to ${typeName}.${fieldName}`);
+        throw new ForbiddenError(`Access denied to ${typeName}.${fieldName}`);
+      }
+    }
+    log(`Access granted to ${typeName}.${fieldName}`);
+    // All rules passed - proceed to resolver
+    return resolve(parent, args, ctx, info);
+  };
+};
+/**
+ * Creates a field-level middleware object from a permission schema.
+ * This can be used with graphql-middleware's applyMiddleware.
+ *
+ * @deprecated Use {@link createAuthPlugin} instead. `applyMiddleware` from graphql-middleware
+ * can cause duplicate-type errors when the schema contains custom introspection extensions.
+ *
+ * @param {PermissionSchema} permissions - The permission schema
+ * @param {AuthMiddlewareOptions} [options={}] - Middleware options
+ * @returns {Object} Field middleware object compatible with graphql-middleware
+ */
+export const createFieldMiddleware = (permissions, options = {}) => {
+  const middleware = createAuthMiddleware(permissions, options);
+  const fieldMiddleware = {};
+  for (const typeName of Object.keys(permissions)) {
+    fieldMiddleware[typeName] = {};
+    const typePerms = permissions[typeName];
+    for (const fieldName of Object.keys(typePerms)) {
+      if (fieldName === '*') {
+        // Wildcard rules are handled by the middleware internally
+        continue;
+      }
+      fieldMiddleware[typeName][fieldName] = middleware;
+    }
+  }
+  return fieldMiddleware;
+};
+/**
+ * Creates an Envelop-compatible authorization plugin that wraps schema resolvers in-place.
+ *
+ * Unlike {@link createAuthMiddleware} (which requires graphql-middleware's `applyMiddleware`
+ * and rebuilds the schema), this plugin mutates resolvers directly on the existing schema,
+ * avoiding schema reconstruction and the duplicate-type errors it can cause.
+ *
+ * @param {PermissionSchema} permissions - The permission schema object
+ * @param {AuthMiddlewareOptions} [options={}] - Plugin options
+ * @returns {Object} An Envelop plugin with an `onSchemaChange` hook
+ *
+ * @example
+ * import { auth } from '@simtlix/simfinity-js';
+ * import { createYoga } from 'graphql-yoga';
+ *
+ * const permissions = {
+ *   Query: {
+ *     users: requireAuth(),
+ *     adminDashboard: requireRole('ADMIN')
+ *   },
+ *   User: {
+ *     '*': requireAuth(),
+ *     email: requireRole('ADMIN')
+ *   }
+ * };
+ *
+ * const authPlugin = auth.createAuthPlugin(permissions, { defaultPolicy: 'DENY' });
+ * const yoga = createYoga({ schema, plugins: [authPlugin] });
+ */
+export const createAuthPlugin = (permissions, options = {}) => {
+  const {
+    defaultPolicy = 'DENY',
+    debug = false,
+  } = options;
+  const log = debug ? console.log.bind(console, '[auth]') : () => {};
+  const processedSchemas = new WeakSet();
+  const wrapSchemaResolvers = (schema) => {
+    if (processedSchemas.has(schema)) return;
+    const typeMap = schema.getTypeMap();
+    for (const [typeName, type] of Object.entries(typeMap)) {
+      if (!(type instanceof GraphQLObjectType) || typeName.startsWith('__')) continue;
+      const fields = type.getFields();
+      for (const [fieldName, field] of Object.entries(fields)) {
+        const rules = getFieldRules(permissions, typeName, fieldName);
+        const originalResolve = field.resolve || defaultFieldResolver;
+        field.resolve = async (parent, args, ctx, info) => {
+          log(`Checking ${typeName}.${fieldName}`);
+          if (rules === null || rules.length === 0) {
+            log(`No rules for ${typeName}.${fieldName}, applying default policy: ${defaultPolicy}`);
+            if (defaultPolicy === 'DENY') {
+              throw new ForbiddenError(`Access denied to ${typeName}.${fieldName}`);
+            }
+            return originalResolve(parent, args, ctx, info);
+          }
+          for (const rule of rules) {
+            log(`Executing rule for ${typeName}.${fieldName}`);
+            const allowed = await executeRule(rule, parent, args, ctx, info);
+            if (!allowed) {
+              log(`Rule denied access to ${typeName}.${fieldName}`);
+              throw new ForbiddenError(`Access denied to ${typeName}.${fieldName}`);
+            }
+          }
+          log(`Access granted to ${typeName}.${fieldName}`);
+          return originalResolve(parent, args, ctx, info);
+        };
+      }
+    }
+    processedSchemas.add(schema);
+  };
+  return {
+    onSchemaChange({ schema }) {
+      wrapSchemaResolvers(schema);
+    },
+  };
+};
+// Default export with all auth utilities
+const auth = {
+  // Main factories
+  createAuthPlugin,
+  createAuthMiddleware,
+  createFieldMiddleware,
+  // Utilities
+  resolvePath,
+  // Rule helpers
+  requireAuth,
+  requireRole,
+  requirePermission,
+  composeRules,
+  anyRule,
+  isOwner,
+  createRule,
+  allow,
+  deny,
+  // Expression utilities
+  evaluateExpression,
+  isPolicyExpression,
+  createRuleFromExpression,
+  // Errors
+  UnauthenticatedError,
+  ForbiddenError,
+  createAuthError,
+};
+export default auth;

package/.claude/worktrees/agitated-kepler/src/auth/rules.js ADDED Viewed

@@ -0,0 +1,274 @@
+import { UnauthenticatedError, ForbiddenError } from './errors.js';
+/**
+ * Resolves a value from an object using a dotted path string or function.
+ * @param {Object} obj - The object to resolve from
+ * @param {string|Function} pathOrFn - Dotted path (e.g., 'user.profile.id') or function to extract value
+ * @returns {*} The resolved value or undefined if not found
+ * @example
+ * resolvePath({ user: { id: '123' } }, 'user.id') // returns '123'
+ * resolvePath({ user: { id: '123' } }, (obj) => obj.user.id) // returns '123'
+ */
+export const resolvePath = (obj, pathOrFn) => {
+  if (typeof pathOrFn === 'function') {
+    return pathOrFn(obj);
+  }
+  if (typeof pathOrFn === 'string') {
+    const parts = pathOrFn.split('.');
+    let value = obj;
+    for (const part of parts) {
+      if (value == null) return undefined;
+      value = value[part];
+    }
+    return value;
+  }
+  return undefined;
+};
+/**
+ * Rule that requires the user to be authenticated
+ * Checks for user existence at the specified path in context
+ * @param {string|Function} [userPath='user'] - Path to user in context (e.g., 'user', 'auth.user', 'session.user')
+ * @returns {Function} Rule function (parent, args, ctx, info) => boolean | throws
+ * @example
+ * requireAuth()                    // checks ctx.user
+ * requireAuth('auth.user')         // checks ctx.auth.user
+ * requireAuth('session.currentUser') // checks ctx.session.currentUser
+ */
+export const requireAuth = (userPath = 'user') => {
+  return (_parent, _args, ctx) => {
+    if (!ctx) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+    const user = resolvePath(ctx, userPath);
+    if (!user) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+    return true;
+  };
+};
+/**
+ * Rule that requires the user to have a specific role
+ * @param {string|string[]} role - Required role or array of roles (any match)
+ * @param {Object} [options] - Configuration options
+ * @param {string|Function} [options.userPath='user'] - Path to user in context
+ * @param {string|Function} [options.rolePath='role'] - Path to role field in user object
+ * @returns {Function} Rule function (parent, args, ctx, info) => boolean | throws
+ * @example
+ * requireRole('ADMIN')
+ * requireRole(['ADMIN', 'EDITOR'])
+ * requireRole('ADMIN', { userPath: 'auth.user', rolePath: 'roles.primary' })
+ */
+export const requireRole = (role, options = {}) => {
+  const roles = Array.isArray(role) ? role : [role];
+  const { userPath = 'user', rolePath = 'role' } = options;
+  return (_parent, _args, ctx) => {
+    if (!ctx) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+    const user = resolvePath(ctx, userPath);
+    if (!user) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+    const userRole = resolvePath(user, rolePath);
+    if (!roles.includes(userRole)) {
+      throw new ForbiddenError(`Requires role: ${roles.join(' or ')}`);
+    }
+    return true;
+  };
+};
+/**
+ * Rule that requires the user to have a specific permission
+ * @param {string|string[]} permission - Required permission(s) (all must match if array)
+ * @param {Object} [options] - Configuration options
+ * @param {string|Function} [options.userPath='user'] - Path to user in context
+ * @param {string|Function} [options.permissionsPath='permissions'] - Path to permissions array in user object
+ * @returns {Function} Rule function (parent, args, ctx, info) => boolean | throws
+ * @example
+ * requirePermission('posts:read')
+ * requirePermission(['posts:read', 'posts:write'])
+ * requirePermission('posts:read', { userPath: 'auth.user', permissionsPath: 'grants' })
+ */
+export const requirePermission = (permission, options = {}) => {
+  const requiredPermissions = Array.isArray(permission) ? permission : [permission];
+  const { userPath = 'user', permissionsPath = 'permissions' } = options;
+  return (_parent, _args, ctx) => {
+    if (!ctx) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+    const user = resolvePath(ctx, userPath);
+    if (!user) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+    const userPermissions = resolvePath(user, permissionsPath) || [];
+    // Check if user has wildcard permission
+    if (userPermissions.includes('*')) {
+      return true;
+    }
+    // All required permissions must be present
+    for (const perm of requiredPermissions) {
+      if (!userPermissions.includes(perm)) {
+        throw new ForbiddenError(`Missing permission: ${perm}`);
+      }
+    }
+    return true;
+  };
+};
+/**
+ * Composes multiple rules - all must pass (logical AND)
+ * @param  {...Function} rules - Rule functions to compose
+ * @returns {Function} Composed rule function
+ */
+export const composeRules = (...rules) => {
+  return async (parent, args, ctx, info) => {
+    for (const rule of rules) {
+      const result = await rule(parent, args, ctx, info);
+      // If rule returns false, deny access
+      if (result === false) {
+        return false;
+      }
+      // If rule throws, it will propagate
+    }
+    return true;
+  };
+};
+/**
+ * Creates a rule that allows access if ANY of the provided rules pass (logical OR)
+ * @param  {...Function} rules - Rule functions to check
+ * @returns {Function} Combined rule function
+ */
+export const anyRule = (...rules) => {
+  return async (parent, args, ctx, info) => {
+    let lastError = null;
+    for (const rule of rules) {
+      try {
+        const result = await rule(parent, args, ctx, info);
+        if (result !== false) {
+          return true; // At least one rule passed
+        }
+      } catch (error) {
+        lastError = error;
+        // Continue to next rule
+      }
+    }
+    // No rule passed - throw the last error or return false
+    if (lastError) {
+      throw lastError;
+    }
+    return false;
+  };
+};
+/**
+ * Creates a rule that checks if the authenticated user owns the resource
+ * @param {string|Function} [ownerField='userId'] - Path to owner ID in parent, or function to extract it
+ * @param {string|Function} [userIdField='id'] - Path to user ID in user object, or function to extract it
+ * @param {Object} [options] - Configuration options
+ * @param {string|Function} [options.userPath='user'] - Path to user in context
+ * @returns {Function} Rule function
+ * @example
+ * isOwner()                                    // compares parent.userId with ctx.user.id
+ * isOwner('authorId')                          // compares parent.authorId with ctx.user.id
+ * isOwner('author.id', 'profile.id')           // compares parent.author.id with ctx.user.profile.id
+ * isOwner('authorId', 'id', { userPath: 'auth.user' }) // uses ctx.auth.user instead of ctx.user
+ */
+export const isOwner = (ownerField = 'userId', userIdField = 'id', options = {}) => {
+  const { userPath = 'user' } = options;
+  return (parent, _args, ctx) => {
+    if (!ctx) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+    const user = resolvePath(ctx, userPath);
+    if (!user) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+    // Get ownerId from parent (using path or function)
+    const ownerId = resolvePath(parent, ownerField);
+    // Get userId from user object (using path or function)
+    const userId = resolvePath(user, userIdField);
+    if (ownerId === undefined || userId === undefined) {
+      return false;
+    }
+    return String(ownerId) === String(userId);
+  };
+};
+/**
+ * Creates a custom rule from a predicate function
+ * @param {Function} predicate - Function (parent, args, ctx, info) => boolean | Promise<boolean>
+ * @param {string} errorMessage - Error message if rule fails
+ * @param {string} errorCode - Error code (FORBIDDEN or UNAUTHENTICATED)
+ * @returns {Function} Rule function
+ */
+export const createRule = (predicate, errorMessage = 'Access denied', errorCode = 'FORBIDDEN') => {
+  return async (parent, args, ctx, info) => {
+    const result = await predicate(parent, args, ctx, info);
+    if (result === false) {
+      if (errorCode === 'UNAUTHENTICATED') {
+        throw new UnauthenticatedError(errorMessage);
+      }
+      throw new ForbiddenError(errorMessage);
+    }
+    return true;
+  };
+};
+/**
+ * Rule that always allows access (useful for public fields)
+ * @returns {Function} Rule function that always returns true
+ */
+export const allow = () => {
+  return () => true;
+};
+/**
+ * Rule that always denies access
+ * @param {string} message - Optional denial message
+ * @returns {Function} Rule function that always throws ForbiddenError
+ */
+export const deny = (message = 'Access denied') => {
+  return () => {
+    throw new ForbiddenError(message);
+  };
+};
+// Export all rules as an object for convenience
+const rules = {
+  // Utility
+  resolvePath,
+  // Rule helpers
+  requireAuth,
+  requireRole,
+  requirePermission,
+  composeRules,
+  anyRule,
+  isOwner,
+  createRule,
+  allow,
+  deny,
+};
+export default rules;

package/.claude/worktrees/agitated-kepler/src/const/QLOperator.js ADDED Viewed

@@ -0,0 +1,39 @@
+import { GraphQLEnumType } from 'graphql';
+const QLOperator = new GraphQLEnumType({
+  name: 'QLOperator',
+  values: {
+    EQ: {
+      value: 'EQ',
+    },
+    LT: {
+      value: 'LT',
+    },
+    GT: {
+      value: 'GT',
+    },
+    LTE: {
+      value: 'LTE',
+    },
+    GTE: {
+      value: 'GTE',
+    },
+    BTW: {
+      value: 'BTW',
+    },
+    NE: {
+      value: 'NE',
+    },
+    IN: {
+      value: 'IN',
+    },
+    NIN: {
+      value: 'NIN',
+    },
+    LIKE: {
+      value: 'LIKE',
+    },
+  },
+});
+export default QLOperator;