@spinajs/rbac-http-user 2.0.473 → 2.0.474

package/lib/cjs/controllers/LoginController.js

@@ -20,6 +20,7 @@ const di_1 = require("@spinajs/di");
 const configuration_1 = require("@spinajs/configuration");
 const rbac_http_1 = require("@spinajs/rbac-http");
 const rbac_2 = require("@spinajs/rbac");
+const logout_js_1 = require("../logout.js");
 /**
  * Authentication endpoints.
  * Handles user login, logout, and current-session inspection.
@@ -63,6 +64,12 @@ let LoginController = class LoginController extends http_1.BaseController {
             ];
             let result;
             session.Data.set('User', user.Uuid);
+            // Default active role = first role from the user's role list.
+            // Users with multiple roles can later switch via /auth/active-role.
+            const activeRole = user.Role?.[0];
+            if (activeRole) {
+                session.Data.set('ActiveRole', activeRole);
+            }
             // we have two states for user
             // LOGGED - when user use proper login/password and session is created
             // AUTHORIZED - when user is atuhenticated eg. by 2fa check. If 2fa is disabled
@@ -90,12 +97,12 @@ let LoginController = class LoginController extends http_1.BaseController {
             else {
                 session.Data.set('Authorized', true);
                 const grants = this.AC.getGrants();
-                const userGrants = user.Role.map(r => (0, rbac_1._unwindGrants)(r, grants));
-                const combinedGrants = Object.assign({}, ...userGrants);
+                const combinedGrants = activeRole ? (0, rbac_1._unwindGrants)(activeRole, grants) : {};
                 // dehydrateWithRelations({ dateTimeFormat: 'iso' }) converts DateTime to ISO strings
                 // at runtime — the ORM types don't reflect the dateTimeFormat option in generics
                 result = {
                     ...user.dehydrateWithRelations({ dateTimeFormat: "iso" }),
+                    ActiveRole: activeRole,
                     Grants: combinedGrants,
                 };
             }
@@ -120,43 +127,52 @@ let LoginController = class LoginController extends http_1.BaseController {
     /**
      * Logout
      * Destroys the current session identified by the `ssid` cookie and clears the cookie on the client.
+     * If an impersonation is active, the session is NOT destroyed — instead the
+     * impersonation is ended and the original user resumes their session.
      * Requires the user to be logged in (session exists), but full authorization (2FA) is not required.
      * @security cookieAuth
      * @response 401 No active session
      */
-    async logout(ssid) {
+    async logout(ssid, session, user) {
         if (!ssid) {
             return new http_1.Ok();
         }
-        await this.SessionProvider.delete(ssid);
-        // send empty cookie to confirm session deletion
-        return new http_1.Ok(null, {
-            Coockies: [
-                {
-                    Name: 'ssid',
-                    Value: '',
-                    Options: {
-                        httpOnly: true,
-                        maxAge: 0,
-                        // any optopnal cookie options
-                        // or override default ones
-                        ...this.SessionCookieConfig
-                    },
-                },
-            ],
-        });
+        // Delegate to the registered LogoutHandler chain. Each handler decides
+        // whether to take ownership of the response (returns non-null) or defer
+        // to the next handler. Built-ins:
+        //  - ImpersonationLogoutHandler (priority 10): reverts an active
+        //    impersonation and keeps the session alive.
+        //  - DefaultLogoutHandler (priority 999): destroys the session and clears
+        //    the ssid cookie.
+        // Apps can register additional handlers via @Injectable(LogoutHandler).
+        const handlers = await di_1.DI.resolve(Array.ofType(logout_js_1.LogoutHandler));
+        const sorted = [...handlers].sort((a, b) => a.Priority - b.Priority);
+        const ctx = { Ssid: ssid, Session: session, User: user };
+        for (const handler of sorted) {
+            const result = await handler.handle(ctx);
+            if (result) {
+                return new http_1.Ok(result.Body ?? null, { Coockies: result.Cookies ?? [] });
+            }
+        }
+        // No handler claimed the request — should not happen as long as the
+        // default handler is registered, but return a clean response anyway.
+        return new http_1.Ok();
     }
     /**
      * Get current user
-     * Returns the user object associated with the current session.
+     * Returns the user object associated with the current session along with the
+     * currently active role and the full list of roles the user may switch to.
      * Requires the user to be logged in (session exists), but full authorization (2FA) is not required.
      * @security cookieAuth
-     * @returns {IUserProfile} User data from the current session
+     * @returns {User} User data from the current session
      * @response 401 No active session
      */
-    async whoami(User) {
-        // user is taken from session data
-        return new http_1.Ok(User);
+    async whoami(User, ActiveRole) {
+        return new http_1.Ok({
+            ...User.dehydrateWithRelations({ dateTimeFormat: 'iso' }),
+            ActiveRole: ActiveRole ?? User.Role?.[0],
+            AvailableRoles: User.Role ?? [],
+        });
     }
 };
 exports.LoginController = LoginController;
@@ -211,16 +227,19 @@ __decorate([
     (0, http_1.Get)(),
     (0, http_1.Policy)(rbac_http_1.LoggedPolicy),
     __param(0, (0, http_1.Cookie)(true)),
+    __param(1, (0, rbac_http_1.Session)()),
+    __param(2, (0, rbac_http_1.User)()),
     __metadata("design:type", Function),
-    __metadata("design:paramtypes", [String]),
+    __metadata("design:paramtypes", [String, Object, rbac_2.User]),
     __metadata("design:returntype", Promise)
 ], LoginController.prototype, "logout", null);
 __decorate([
     (0, http_1.Get)(),
     (0, http_1.Policy)(rbac_http_1.LoggedPolicy),
     __param(0, (0, rbac_http_1.User)()),
+    __param(1, (0, rbac_http_1.FromSession)()),
     __metadata("design:type", Function),
-    __metadata("design:paramtypes", [rbac_2.User]),
+    __metadata("design:paramtypes", [rbac_2.User, String]),
     __metadata("design:returntype", Promise)
 ], LoginController.prototype, "whoami", null);
 exports.LoginController = LoginController = __decorate([

package/lib/cjs/controllers/LoginController.js.map

@@ -1 +1 @@
-{"version":3,"file":"LoginController.js","sourceRoot":"","sources":["../../../src/controllers/LoginController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,8DAAuD;AACvD,wCAA4G;AAC5G,wCAAgH;AAChH,oCAAyC;AACzC,0DAAkF;AAElF,kDAAyG;AACzG,wCAAqC;AAGrC;;;;;GAKG;AAEI,IAAM,eAAe,GAArB,MAAM,eAAgB,SAAQ,qBAAc;IAgCjD;;;;;;;;;OASG;IAEU,AAAN,KAAK,CAAC,KAAK,CAAiB,MAAY,EAAgB,IAAY,EAAU,WAAyB;QAC5G,IAAI,CAAC;YAEH,0DAA0D;YAC1D,2BAA2B;YAC3B,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;gBACnB,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC1C,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,IAAA,YAAK,EAAC,WAAW,CAAC,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;YAClE,MAAM,OAAO,GAAG,IAAI,kBAAW,EAAE,CAAC;YAElC,MAAM,QAAQ,GAAG;gBACf;oBACE,IAAI,EAAE,MAAM;oBACZ,KAAK,EAAE,OAAO,CAAC,SAAS;oBACxB,OAAO,EAAE;wBACP,MAAM,EAAE,IAAI;wBACZ,QAAQ,EAAE,IAAI;wBAEd,4BAA4B;wBAC5B,MAAM,EAAE,IAAI,CAAC,qBAAqB,GAAG,IAAI;wBAEzC,8BAA8B;wBAC9B,2BAA2B;wBAC3B,GAAG,IAAI,CAAC,mBAAmB;qBAC5B;iBACF;aACF,CAAC;YACF,IAAI,MAAsB,CAAC;YAE3B,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAEpC,8BAA8B;YAC9B,sEAAsE;YACtE,+EAA+E;YAC/E,yDAAyD;YACzD,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YACjC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC;YAEzB,gDAAgD;YAChD,OAAO,CAAC,MAAM,EAAE,CAAC;YAIjB,IAAI,IAAI,CAAC,sBAAsB,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBACjE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,mCAAmC,EAAE;oBACnD,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB,CAAC,CAAC;gBAEH,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;gBACtC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;gBAExC,MAAM,GAAG,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAAC;YAC3C,CAAC;iBACI,IAAI,IAAI,CAAC,oBAAoB,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBAEnE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,8BAA8B,EAAE;oBAC9C,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB,CAAC,CAAC;gBAEH,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;gBACtC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;gBAExC,MAAM,GAAG,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAAC;YAC3C,CAAC;iBAAM,CAAC;gBAEN,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;gBAErC,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC;gBACnC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAA,oBAAa,EAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;gBAChE,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,GAAG,UAAU,CAAC,CAAC;gBAExD,qFAAqF;gBACrF,iFAAiF;gBACjF,MAAM,GAAG;oBACP,GAAG,IAAI,CAAC,sBAAsB,CAAC,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC;oBACzD,MAAM,EAAE,cAAc;iBACO,CAAC;YAClC,CAAC;YAGD,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,iCAAiC,EAAE;gBACjD,IAAI,EAAE,IAAI,CAAC,IAAI;aAChB,CAAC,CAAC;YAEH,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEzC,OAAO,IAAI,SAAE,CAAC,MAAM,EAAE;gBACpB,QAAQ,EAAE,QAAQ;aACnB,CAAC,CAAC;QAEL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAErB,OAAO,IAAI,mBAAY,CAAC;gBACtB,KAAK,EAAE;oBACL,IAAI,EAAE,eAAe;oBACrB,OAAO,EAAE,6BAA6B;iBACvC;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IAGU,AAAN,KAAK,CAAC,MAAM,CAAe,IAAY;QAC5C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,IAAI,SAAE,EAAE,CAAC;QAClB,CAAC;QAED,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAExC,gDAAgD;QAChD,OAAO,IAAI,SAAE,CAAC,IAAI,EAAE;YAClB,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,MAAM;oBACZ,KAAK,EAAE,EAAE;oBACT,OAAO,EAAE;wBACP,QAAQ,EAAE,IAAI;wBACd,MAAM,EAAE,CAAC;wBAET,8BAA8B;wBAC9B,2BAA2B;wBAC3B,GAAG,IAAI,CAAC,mBAAmB;qBAC5B;iBACF;aACF;SACF,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IAGU,AAAN,KAAK,CAAC,MAAM,CAAiB,IAAU;QAE5C,kCAAkC;QAClC,OAAO,IAAI,SAAE,CAAC,IAAI,CAAC,CAAC;IACtB,CAAC;CACF,CAAA;AArMY,0CAAe;AAEhB;IADT,IAAA,eAAU,GAAE;8BACY,6BAAa;sDAAC;AAG7B;IADT,IAAA,iCAAiB,EAAC,WAAW,CAAC;8BACP,mBAAY;qDAAC;AAG3B;IADT,IAAA,iCAAiB,EAAC,cAAc,CAAC;8BACP,sBAAe;wDAAC;AAKjC;IAHT,IAAA,sBAAM,EAAC,yBAAyB,EAAE;QACjC,YAAY,EAAE,GAAG;KAClB,CAAC;;8DACsC;AAK9B;IAHT,IAAA,sBAAM,EAAC,4BAA4B,EAAE;QACpC,YAAY,EAAE,KAAK;KACpB,CAAC;;6DACsC;AAM9B;IAHT,IAAA,sBAAM,EAAC,8BAA8B,EAAE;QACtC,YAAY,EAAE,KAAK;KACpB,CAAC;;+DACwC;AAGhC;IADT,IAAA,sBAAM,EAAC,qBAAqB,EAAE,EAAE,CAAC;;4DACC;AAGzB;IADT,IAAA,eAAU,EAAC,oBAAa,CAAC;8BACZ,oBAAa;2CAAC;AAaf;IADZ,IAAA,WAAI,GAAE;IACa,WAAA,IAAA,gBAAY,GAAE,CAAA;IAAgB,WAAA,IAAA,aAAM,EAAC,IAAI,CAAC,CAAA;IAAgB,WAAA,IAAA,WAAI,GAAE,CAAA;;qCAAzC,WAAI,UAAmD,+BAAY;;4CAsG7G;AAWY;IAFZ,IAAA,UAAG,GAAE;IACL,IAAA,aAAM,EAAC,wBAAY,CAAC;IACA,WAAA,IAAA,aAAM,EAAC,IAAI,CAAC,CAAA;;;;6CAwBhC;AAYY;IAFZ,IAAA,UAAG,GAAE;IACL,IAAA,aAAM,EAAC,wBAAY,CAAC;IACA,WAAA,IAAA,gBAAY,GAAE,CAAA;;qCAAO,WAAI;;6CAI7C;0BApMU,eAAe;IAD3B,IAAA,eAAQ,EAAC,MAAM,CAAC;GACJ,eAAe,CAqM3B"}
+{"version":3,"file":"LoginController.js","sourceRoot":"","sources":["../../../src/controllers/LoginController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,8DAAuD;AACvD,wCAA4G;AAC5G,wCAAgH;AAChH,oCAA6C;AAC7C,0DAAkF;AAElF,kDAAkJ;AAClJ,wCAAqC;AAErC,4CAA6D;AAG7D;;;;;GAKG;AAEI,IAAM,eAAe,GAArB,MAAM,eAAgB,SAAQ,qBAAc;IAgCjD;;;;;;;;;OASG;IAEU,AAAN,KAAK,CAAC,KAAK,CAAiB,MAAY,EAAgB,IAAY,EAAU,WAAyB;QAC5G,IAAI,CAAC;YAEH,0DAA0D;YAC1D,2BAA2B;YAC3B,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;gBACnB,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC1C,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,IAAA,YAAK,EAAC,WAAW,CAAC,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;YAClE,MAAM,OAAO,GAAG,IAAI,kBAAW,EAAE,CAAC;YAElC,MAAM,QAAQ,GAAG;gBACf;oBACE,IAAI,EAAE,MAAM;oBACZ,KAAK,EAAE,OAAO,CAAC,SAAS;oBACxB,OAAO,EAAE;wBACP,MAAM,EAAE,IAAI;wBACZ,QAAQ,EAAE,IAAI;wBAEd,4BAA4B;wBAC5B,MAAM,EAAE,IAAI,CAAC,qBAAqB,GAAG,IAAI;wBAEzC,8BAA8B;wBAC9B,2BAA2B;wBAC3B,GAAG,IAAI,CAAC,mBAAmB;qBAC5B;iBACF;aACF,CAAC;YACF,IAAI,MAAsB,CAAC;YAE3B,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAEpC,8DAA8D;YAC9D,oEAAoE;YACpE,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAClC,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;YAC7C,CAAC;YAED,8BAA8B;YAC9B,sEAAsE;YACtE,+EAA+E;YAC/E,yDAAyD;YACzD,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YACjC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC;YAEzB,gDAAgD;YAChD,OAAO,CAAC,MAAM,EAAE,CAAC;YAIjB,IAAI,IAAI,CAAC,sBAAsB,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBACjE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,mCAAmC,EAAE;oBACnD,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB,CAAC,CAAC;gBAEH,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;gBACtC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;gBAExC,MAAM,GAAG,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAAC;YAC3C,CAAC;iBACI,IAAI,IAAI,CAAC,oBAAoB,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBAEnE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,8BAA8B,EAAE;oBAC9C,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB,CAAC,CAAC;gBAEH,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;gBACtC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;gBAExC,MAAM,GAAG,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAAC;YAC3C,CAAC;iBAAM,CAAC;gBAEN,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;gBAErC,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC;gBACnC,MAAM,cAAc,GAAG,UAAU,CAAC,CAAC,CAAC,IAAA,oBAAa,EAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAE3E,qFAAqF;gBACrF,iFAAiF;gBACjF,MAAM,GAAG;oBACP,GAAG,IAAI,CAAC,sBAAsB,CAAC,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC;oBACzD,UAAU,EAAE,UAAU;oBACtB,MAAM,EAAE,cAAc;iBACO,CAAC;YAClC,CAAC;YAGD,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,iCAAiC,EAAE;gBACjD,IAAI,EAAE,IAAI,CAAC,IAAI;aAChB,CAAC,CAAC;YAEH,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEzC,OAAO,IAAI,SAAE,CAAC,MAAM,EAAE;gBACpB,QAAQ,EAAE,QAAQ;aACnB,CAAC,CAAC;QAEL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAErB,OAAO,IAAI,mBAAY,CAAC;gBACtB,KAAK,EAAE;oBACL,IAAI,EAAE,eAAe;oBACrB,OAAO,EAAE,6BAA6B;iBACvC;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IAGU,AAAN,KAAK,CAAC,MAAM,CAAe,IAAY,EAAqB,OAAiB,EAAkB,IAAU;QAC9G,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,IAAI,SAAE,EAAE,CAAC;QAClB,CAAC;QAED,uEAAuE;QACvE,wEAAwE;QACxE,kCAAkC;QAClC,iEAAiE;QACjE,gDAAgD;QAChD,0EAA0E;QAC1E,sBAAsB;QACtB,wEAAwE;QACxE,MAAM,QAAQ,GAAG,MAAM,OAAE,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,yBAAa,CAAC,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;QAErE,MAAM,GAAG,GAAmB,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;QACzE,KAAK,MAAM,OAAO,IAAI,MAAM,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACzC,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,IAAI,SAAE,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC,CAAC;YACzE,CAAC;QACH,CAAC;QAED,oEAAoE;QACpE,qEAAqE;QACrE,OAAO,IAAI,SAAE,EAAE,CAAC;IAClB,CAAC;IAED;;;;;;;;OAQG;IAGU,AAAN,KAAK,CAAC,MAAM,CAAiB,IAAU,EAAiB,UAAkB;QAE/E,OAAO,IAAI,SAAE,CAAC;YACZ,GAAG,IAAI,CAAC,sBAAsB,CAAC,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC;YACzD,UAAU,EAAE,UAAU,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;YACxC,cAAc,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE;SAChC,CAAC,CAAC;IACL,CAAC;CACF,CAAA;AArNY,0CAAe;AAEhB;IADT,IAAA,eAAU,GAAE;8BACY,6BAAa;sDAAC;AAG7B;IADT,IAAA,iCAAiB,EAAC,WAAW,CAAC;8BACP,mBAAY;qDAAC;AAG3B;IADT,IAAA,iCAAiB,EAAC,cAAc,CAAC;8BACP,sBAAe;wDAAC;AAKjC;IAHT,IAAA,sBAAM,EAAC,yBAAyB,EAAE;QACjC,YAAY,EAAE,GAAG;KAClB,CAAC;;8DACsC;AAK9B;IAHT,IAAA,sBAAM,EAAC,4BAA4B,EAAE;QACpC,YAAY,EAAE,KAAK;KACpB,CAAC;;6DACsC;AAM9B;IAHT,IAAA,sBAAM,EAAC,8BAA8B,EAAE;QACtC,YAAY,EAAE,KAAK;KACpB,CAAC;;+DACwC;AAGhC;IADT,IAAA,sBAAM,EAAC,qBAAqB,EAAE,EAAE,CAAC;;4DACC;AAGzB;IADT,IAAA,eAAU,EAAC,oBAAa,CAAC;8BACZ,oBAAa;2CAAC;AAaf;IADZ,IAAA,WAAI,GAAE;IACa,WAAA,IAAA,gBAAY,GAAE,CAAA;IAAgB,WAAA,IAAA,aAAM,EAAC,IAAI,CAAC,CAAA;IAAgB,WAAA,IAAA,WAAI,GAAE,CAAA;;qCAAzC,WAAI,UAAmD,+BAAY;;4CA6G7G;AAaY;IAFZ,IAAA,UAAG,GAAE;IACL,IAAA,aAAM,EAAC,wBAAY,CAAC;IACA,WAAA,IAAA,aAAM,EAAC,IAAI,CAAC,CAAA;IAAgB,WAAA,IAAA,mBAAe,GAAE,CAAA;IAAqB,WAAA,IAAA,gBAAY,GAAE,CAAA;;qDAAO,WAAI;;6CA2B/G;AAaY;IAFZ,IAAA,UAAG,GAAE;IACL,IAAA,aAAM,EAAC,wBAAY,CAAC;IACA,WAAA,IAAA,gBAAY,GAAE,CAAA;IAAc,WAAA,IAAA,uBAAW,GAAE,CAAA;;qCAApB,WAAI;;6CAO7C;0BApNU,eAAe;IAD3B,IAAA,eAAQ,EAAC,MAAM,CAAC;GACJ,eAAe,CAqN3B"}

package/lib/cjs/dto/impersonate-dto.d.ts

@@ -0,0 +1,24 @@
+export declare const ImpersonateDtoSchema: {
+    $schema: string;
+    title: string;
+    type: string;
+    properties: {
+        TargetUuid: {
+            type: string;
+            format: string;
+            description: string;
+        };
+        Password: {
+            type: string;
+            maxLength: number;
+            description: string;
+        };
+    };
+    required: string[];
+};
+export declare class ImpersonateDto {
+    TargetUuid: string;
+    Password?: string;
+    constructor(data: any);
+}
+//# sourceMappingURL=impersonate-dto.d.ts.map

package/lib/cjs/dto/impersonate-dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"impersonate-dto.d.ts","sourceRoot":"","sources":["../../../src/dto/impersonate-dto.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;CAShC,CAAC;AAEF,qBACa,cAAc;IAClB,UAAU,EAAE,MAAM,CAAC;IAEnB,QAAQ,CAAC,EAAE,MAAM,CAAC;gBAEb,IAAI,EAAE,GAAG;CAGtB"}

package/lib/cjs/dto/impersonate-dto.js

@@ -0,0 +1,34 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ImpersonateDto = exports.ImpersonateDtoSchema = void 0;
+const validation_1 = require("@spinajs/validation");
+exports.ImpersonateDtoSchema = {
+    $schema: 'http://json-schema.org/draft-07/schema#',
+    title: 'Impersonate DTO',
+    type: 'object',
+    properties: {
+        TargetUuid: { type: 'string', format: 'uuid', description: 'UUID of the user to impersonate' },
+        Password: { type: 'string', maxLength: 32, description: 'Impersonator password (required when rbac.impersonation.requirePassword is true)' },
+    },
+    required: ['TargetUuid'],
+};
+let ImpersonateDto = class ImpersonateDto {
+    constructor(data) {
+        Object.assign(this, data);
+    }
+};
+exports.ImpersonateDto = ImpersonateDto;
+exports.ImpersonateDto = ImpersonateDto = __decorate([
+    (0, validation_1.Schema)(exports.ImpersonateDtoSchema),
+    __metadata("design:paramtypes", [Object])
+], ImpersonateDto);
+//# sourceMappingURL=impersonate-dto.js.map

package/lib/cjs/dto/impersonate-dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"impersonate-dto.js","sourceRoot":"","sources":["../../../src/dto/impersonate-dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oDAA6C;AAEhC,QAAA,oBAAoB,GAAG;IAClC,OAAO,EAAE,yCAAyC;IAClD,KAAK,EAAE,iBAAiB;IACxB,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE;QACV,UAAU,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,iCAAiC,EAAE;QAC9F,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE,WAAW,EAAE,kFAAkF,EAAE;KAC7I;IACD,QAAQ,EAAE,CAAC,YAAY,CAAC;CACzB,CAAC;AAGK,IAAM,cAAc,GAApB,MAAM,cAAc;IAKzB,YAAY,IAAS;QACnB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;CACF,CAAA;AARY,wCAAc;yBAAd,cAAc;IAD1B,IAAA,mBAAM,EAAC,4BAAoB,CAAC;;GAChB,cAAc,CAQ1B"}

package/lib/cjs/dto/switchRole-dto.d.ts

@@ -0,0 +1,24 @@
+export declare const SwitchRoleDtoSchema: {
+    $schema: string;
+    title: string;
+    type: string;
+    properties: {
+        Role: {
+            type: string;
+            minLength: number;
+            description: string;
+        };
+        Password: {
+            type: string;
+            maxLength: number;
+            description: string;
+        };
+    };
+    required: string[];
+};
+export declare class SwitchRoleDto {
+    Role: string;
+    Password?: string;
+    constructor(data: any);
+}
+//# sourceMappingURL=switchRole-dto.d.ts.map

package/lib/cjs/dto/switchRole-dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"switchRole-dto.d.ts","sourceRoot":"","sources":["../../../src/dto/switchRole-dto.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;CAS/B,CAAC;AAEF,qBACa,aAAa;IACjB,IAAI,EAAE,MAAM,CAAC;IAEb,QAAQ,CAAC,EAAE,MAAM,CAAC;gBAEb,IAAI,EAAE,GAAG;CAGtB"}

package/lib/cjs/dto/switchRole-dto.js

@@ -0,0 +1,34 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SwitchRoleDto = exports.SwitchRoleDtoSchema = void 0;
+const validation_1 = require("@spinajs/validation");
+exports.SwitchRoleDtoSchema = {
+    $schema: 'http://json-schema.org/draft-07/schema#',
+    title: 'Switch active role DTO',
+    type: 'object',
+    properties: {
+        Role: { type: 'string', minLength: 1, description: 'Role to activate. Must be one of the user\'s assigned roles.' },
+        Password: { type: 'string', maxLength: 32, description: 'User password. Required when activating roles listed in rbac.roleSwitch.requirePassword.' },
+    },
+    required: ['Role'],
+};
+let SwitchRoleDto = class SwitchRoleDto {
+    constructor(data) {
+        Object.assign(this, data);
+    }
+};
+exports.SwitchRoleDto = SwitchRoleDto;
+exports.SwitchRoleDto = SwitchRoleDto = __decorate([
+    (0, validation_1.Schema)(exports.SwitchRoleDtoSchema),
+    __metadata("design:paramtypes", [Object])
+], SwitchRoleDto);
+//# sourceMappingURL=switchRole-dto.js.map

package/lib/cjs/dto/switchRole-dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"switchRole-dto.js","sourceRoot":"","sources":["../../../src/dto/switchRole-dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oDAA6C;AAEhC,QAAA,mBAAmB,GAAG;IACjC,OAAO,EAAE,yCAAyC;IAClD,KAAK,EAAE,wBAAwB;IAC/B,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE;QACV,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,EAAE,WAAW,EAAE,8DAA8D,EAAE;QACnH,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE,WAAW,EAAE,0FAA0F,EAAE;KACrJ;IACD,QAAQ,EAAE,CAAC,MAAM,CAAC;CACnB,CAAC;AAGK,IAAM,aAAa,GAAnB,MAAM,aAAa;IAKxB,YAAY,IAAS;QACnB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;CACF,CAAA;AARY,sCAAa;wBAAb,aAAa;IADzB,IAAA,mBAAM,EAAC,2BAAmB,CAAC;;GACf,aAAa,CAQzB"}

package/lib/cjs/handlers/DefaultLogoutHandler.d.ts

@@ -0,0 +1,14 @@
+import { SessionProvider } from '@spinajs/rbac';
+import { LogoutHandler, ILogoutContext, ILogoutResult } from '../logout.js';
+/**
+ * Default logout handler: deletes the session and clears the ssid cookie.
+ * Runs last (priority 999) so any earlier handler can short-circuit (e.g.
+ * the impersonation revert handler) before the session is destroyed.
+ */
+export declare class DefaultLogoutHandler extends LogoutHandler {
+    Priority: number;
+    protected SessionProvider: SessionProvider;
+    protected SessionCookieConfig: Record<string, unknown>;
+    handle(context: ILogoutContext): Promise<ILogoutResult | null>;
+}
+//# sourceMappingURL=DefaultLogoutHandler.d.ts.map

package/lib/cjs/handlers/DefaultLogoutHandler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"DefaultLogoutHandler.d.ts","sourceRoot":"","sources":["../../../src/handlers/DefaultLogoutHandler.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE5E;;;;GAIG;AACH,qBACa,oBAAqB,SAAQ,aAAa;IAC9C,QAAQ,SAAO;IAGtB,SAAS,CAAC,eAAe,EAAG,eAAe,CAAC;IAG5C,SAAS,CAAC,mBAAmB,EAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAE3C,MAAM,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;CAuB5E"}

package/lib/cjs/handlers/DefaultLogoutHandler.js

@@ -0,0 +1,61 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultLogoutHandler = void 0;
+const di_1 = require("@spinajs/di");
+const configuration_1 = require("@spinajs/configuration");
+const rbac_1 = require("@spinajs/rbac");
+const logout_js_1 = require("../logout.js");
+/**
+ * Default logout handler: deletes the session and clears the ssid cookie.
+ * Runs last (priority 999) so any earlier handler can short-circuit (e.g.
+ * the impersonation revert handler) before the session is destroyed.
+ */
+let DefaultLogoutHandler = class DefaultLogoutHandler extends logout_js_1.LogoutHandler {
+    constructor() {
+        super(...arguments);
+        this.Priority = 999;
+    }
+    async handle(context) {
+        if (!context.Ssid) {
+            // Nothing to delete; still return a result so the chain stops.
+            return { Body: null };
+        }
+        await this.SessionProvider.delete(context.Ssid);
+        return {
+            Body: null,
+            Cookies: [
+                {
+                    Name: 'ssid',
+                    Value: '',
+                    Options: {
+                        httpOnly: true,
+                        maxAge: 0,
+                        ...this.SessionCookieConfig,
+                    },
+                },
+            ],
+        };
+    }
+};
+exports.DefaultLogoutHandler = DefaultLogoutHandler;
+__decorate([
+    (0, configuration_1.AutoinjectService)('rbac.session'),
+    __metadata("design:type", rbac_1.SessionProvider)
+], DefaultLogoutHandler.prototype, "SessionProvider", void 0);
+__decorate([
+    (0, configuration_1.Config)('rbac.session.cookie', {}),
+    __metadata("design:type", Object)
+], DefaultLogoutHandler.prototype, "SessionCookieConfig", void 0);
+exports.DefaultLogoutHandler = DefaultLogoutHandler = __decorate([
+    (0, di_1.Injectable)(logout_js_1.LogoutHandler)
+], DefaultLogoutHandler);
+//# sourceMappingURL=DefaultLogoutHandler.js.map

package/lib/cjs/handlers/DefaultLogoutHandler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"DefaultLogoutHandler.js","sourceRoot":"","sources":["../../../src/handlers/DefaultLogoutHandler.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oCAAyC;AACzC,0DAAmE;AACnE,wCAAgD;AAChD,4CAA4E;AAE5E;;;;GAIG;AAEI,IAAM,oBAAoB,GAA1B,MAAM,oBAAqB,SAAQ,yBAAa;IAAhD;;QACE,aAAQ,GAAG,GAAG,CAAC;IA+BxB,CAAC;IAvBQ,KAAK,CAAC,MAAM,CAAC,OAAuB;QACzC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,+DAA+D;YAC/D,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;QACxB,CAAC;QAED,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAEhD,OAAO;YACL,IAAI,EAAE,IAAI;YACV,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAM;oBACZ,KAAK,EAAE,EAAE;oBACT,OAAO,EAAE;wBACP,QAAQ,EAAE,IAAI;wBACd,MAAM,EAAE,CAAC;wBACT,GAAG,IAAI,CAAC,mBAAmB;qBAC5B;iBACF;aACF;SACF,CAAC;IACJ,CAAC;CACF,CAAA;AAhCY,oDAAoB;AAIrB;IADT,IAAA,iCAAiB,EAAC,cAAc,CAAC;8BACN,sBAAe;6DAAC;AAGlC;IADT,IAAA,sBAAM,EAAC,qBAAqB,EAAE,EAAE,CAAC;;iEACsB;+BAP7C,oBAAoB;IADhC,IAAA,eAAU,EAAC,yBAAa,CAAC;GACb,oBAAoB,CAgChC"}

package/lib/cjs/handlers/ImpersonationLogoutHandler.d.ts

@@ -0,0 +1,18 @@
+import { SessionProvider, User } from '@spinajs/rbac';
+import { LogoutHandler, ILogoutContext, ILogoutResult } from '../logout.js';
+/**
+ * Logout handler that detects an active impersonation and reverts it instead
+ * of destroying the session. Runs early (priority 10) so it short-circuits
+ * the default session-deletion handler when applicable.
+ */
+export declare class ImpersonationLogoutHandler extends LogoutHandler {
+    Priority: number;
+    protected SessionProvider: SessionProvider;
+    handle(context: ILogoutContext): Promise<ILogoutResult | null>;
+    /**
+     * Hook for tests to intercept event emission without stubbing the module-level
+     * `_ev` ESM binding.
+     */
+    protected emitEvent(original: User, target: User): Promise<void>;
+}
+//# sourceMappingURL=ImpersonationLogoutHandler.d.ts.map

package/lib/cjs/handlers/ImpersonationLogoutHandler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ImpersonationLogoutHandler.d.ts","sourceRoot":"","sources":["../../../src/handlers/ImpersonationLogoutHandler.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,IAAI,EAA0B,MAAM,eAAe,CAAC;AAE9E,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE5E;;;;GAIG;AACH,qBACa,0BAA2B,SAAQ,aAAa;IACpD,QAAQ,SAAM;IAGrB,SAAS,CAAC,eAAe,EAAG,eAAe,CAAC;IAE/B,MAAM,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IA0B3E;;;OAGG;IACH,SAAS,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;CAGjE"}

package/lib/cjs/handlers/ImpersonationLogoutHandler.js

@@ -0,0 +1,66 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ImpersonationLogoutHandler = void 0;
+const di_1 = require("@spinajs/di");
+const configuration_1 = require("@spinajs/configuration");
+const rbac_1 = require("@spinajs/rbac");
+const queue_1 = require("@spinajs/queue");
+const logout_js_1 = require("../logout.js");
+/**
+ * Logout handler that detects an active impersonation and reverts it instead
+ * of destroying the session. Runs early (priority 10) so it short-circuits
+ * the default session-deletion handler when applicable.
+ */
+let ImpersonationLogoutHandler = class ImpersonationLogoutHandler extends logout_js_1.LogoutHandler {
+    constructor() {
+        super(...arguments);
+        this.Priority = 10;
+    }
+    async handle(context) {
+        const session = context.Session;
+        if (!session)
+            return null;
+        const impersonatorUuid = session.Data.get('Impersonator');
+        if (!impersonatorUuid)
+            return null;
+        const original = await rbac_1.User.getByUuid(impersonatorUuid);
+        session.Data.set('User', original.Uuid);
+        session.Data.delete('Impersonator');
+        session.Data.delete('ImpersonationStartedAt');
+        const restoredActiveRole = session.Data.get('OriginalActiveRole') ?? original.Role?.[0];
+        if (restoredActiveRole) {
+            session.Data.set('ActiveRole', restoredActiveRole);
+        }
+        session.Data.delete('OriginalActiveRole');
+        await this.SessionProvider.save(session);
+        await this.emitEvent(original, context.User);
+        // Take ownership of the response: no cookie change — the original user's
+        // session continues.
+        return { Body: { ImpersonationEnded: true } };
+    }
+    /**
+     * Hook for tests to intercept event emission without stubbing the module-level
+     * `_ev` ESM binding.
+     */
+    emitEvent(original, target) {
+        return (0, queue_1._ev)(new rbac_1.UserImpersonationEnded(original, target))();
+    }
+};
+exports.ImpersonationLogoutHandler = ImpersonationLogoutHandler;
+__decorate([
+    (0, configuration_1.AutoinjectService)('rbac.session'),
+    __metadata("design:type", rbac_1.SessionProvider)
+], ImpersonationLogoutHandler.prototype, "SessionProvider", void 0);
+exports.ImpersonationLogoutHandler = ImpersonationLogoutHandler = __decorate([
+    (0, di_1.Injectable)(logout_js_1.LogoutHandler)
+], ImpersonationLogoutHandler);
+//# sourceMappingURL=ImpersonationLogoutHandler.js.map

package/lib/cjs/handlers/ImpersonationLogoutHandler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ImpersonationLogoutHandler.js","sourceRoot":"","sources":["../../../src/handlers/ImpersonationLogoutHandler.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oCAAyC;AACzC,0DAA2D;AAC3D,wCAA8E;AAC9E,0CAAqC;AACrC,4CAA4E;AAE5E;;;;GAIG;AAEI,IAAM,0BAA0B,GAAhC,MAAM,0BAA2B,SAAQ,yBAAa;IAAtD;;QACE,aAAQ,GAAG,EAAE,CAAC;IAsCvB,CAAC;IAjCQ,KAAK,CAAC,MAAM,CAAC,OAAuB;QACzC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAChC,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAE1B,MAAM,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,cAAc,CAAuB,CAAC;QAChF,IAAI,CAAC,gBAAgB;YAAE,OAAO,IAAI,CAAC;QAEnC,MAAM,QAAQ,GAAG,MAAM,WAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;QAExD,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;QACxC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QACpC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,wBAAwB,CAAC,CAAC;QAC9C,MAAM,kBAAkB,GAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,oBAAoB,CAAwB,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAChH,IAAI,kBAAkB,EAAE,CAAC;YACvB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;QACrD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QAE1C,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzC,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QAE7C,yEAAyE;QACzE,qBAAqB;QACrB,OAAO,EAAE,IAAI,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,EAAE,CAAC;IAChD,CAAC;IAED;;;OAGG;IACO,SAAS,CAAC,QAAc,EAAE,MAAY;QAC9C,OAAO,IAAA,WAAG,EAAC,IAAI,6BAAsB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;IAC7D,CAAC;CACF,CAAA;AAvCY,gEAA0B;AAI3B;IADT,IAAA,iCAAiB,EAAC,cAAc,CAAC;8BACN,sBAAe;mEAAC;qCAJjC,0BAA0B;IADtC,IAAA,eAAU,EAAC,yBAAa,CAAC;GACb,0BAA0B,CAuCtC"}

package/lib/cjs/index.d.ts

@@ -1,6 +1,11 @@
 import { Bootstrapper } from '@spinajs/di';
 export * from './controllers/LoginController.js';
+export * from './controllers/ActiveRoleController.js';
+export * from './controllers/ImpersonationController.js';
 export * from './controllers/UserController.js';
+export * from './logout.js';
+export * from './handlers/ImpersonationLogoutHandler.js';
+export * from './handlers/DefaultLogoutHandler.js';
 export * from './controllers/UserMetadataController.js';
 export * from "./controllers/TwoFactorAuthController.js";
 export * from "./cli/EnableUser2Fa.js";

package/lib/cjs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAc,MAAM,aAAa,CAAC;AAIvD,cAAc,kCAAkC,CAAC;AACjD,cAAc,iCAAiC,CAAC;AAChD,cAAc,yCAAyC,CAAC;AACxD,cAAc,0CAA0C,CAAC;AAEzD,cAAc,wBAAwB,CAAC;AACvC,cAAc,0BAA0B,CAAC;AAEzC,cAAc,kBAAkB,CAAC;AAGjC,qBACa,wBAAyB,SAAQ,YAAY;IAC/C,SAAS,IAAI,IAAI;CAO3B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAc,MAAM,aAAa,CAAC;AAIvD,cAAc,kCAAkC,CAAC;AACjD,cAAc,uCAAuC,CAAC;AACtD,cAAc,0CAA0C,CAAC;AACzD,cAAc,iCAAiC,CAAC;AAEhD,cAAc,aAAa,CAAC;AAC5B,cAAc,0CAA0C,CAAC;AACzD,cAAc,oCAAoC,CAAC;AACnD,cAAc,yCAAyC,CAAC;AACxD,cAAc,0CAA0C,CAAC;AAEzD,cAAc,wBAAwB,CAAC;AACvC,cAAc,0BAA0B,CAAC;AAEzC,cAAc,kBAAkB,CAAC;AAGjC,qBACa,wBAAyB,SAAQ,YAAY;IAC/C,SAAS,IAAI,IAAI;CAO3B"}

package/lib/cjs/index.js

@@ -25,7 +25,12 @@ const di_1 = require("@spinajs/di");
 const rbac_1 = require("@spinajs/rbac");
 const Default2FaToken_js_1 = require("./2fa/Default2FaToken.js");
 __exportStar(require("./controllers/LoginController.js"), exports);
+__exportStar(require("./controllers/ActiveRoleController.js"), exports);
+__exportStar(require("./controllers/ImpersonationController.js"), exports);
 __exportStar(require("./controllers/UserController.js"), exports);
+__exportStar(require("./logout.js"), exports);
+__exportStar(require("./handlers/ImpersonationLogoutHandler.js"), exports);
+__exportStar(require("./handlers/DefaultLogoutHandler.js"), exports);
 __exportStar(require("./controllers/UserMetadataController.js"), exports);
 __exportStar(require("./controllers/TwoFactorAuthController.js"), exports);
 __exportStar(require("./cli/EnableUser2Fa.js"), exports);

package/lib/cjs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAAA,oCAAuD;AACvD,wCAAiD;AACjD,iEAAkE;AAElE,mEAAiD;AACjD,kEAAgD;AAChD,0EAAwD;AACxD,2EAAyD;AAEzD,yDAAuC;AACvC,2DAAyC;AAEzC,mDAAiC;AAI1B,IAAM,wBAAwB,GAA9B,MAAM,wBAAyB,SAAQ,iBAAY;IAC/C,SAAS;QACZ,uBAAgB,CAAC,WAAW,GAAG;YAC3B,GAAG,uBAAgB,CAAC,WAAW;YAC/B,2CAAsB,CAAC,KAAK;YAC5B,2CAAsB,CAAC,GAAG;SAC7B,CAAA;IACL,CAAC;CACJ,CAAA;AARY,4DAAwB;mCAAxB,wBAAwB;IADpC,IAAA,eAAU,EAAC,iBAAY,CAAC;GACZ,wBAAwB,CAQpC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAAA,oCAAuD;AACvD,wCAAiD;AACjD,iEAAkE;AAElE,mEAAiD;AACjD,wEAAsD;AACtD,2EAAyD;AACzD,kEAAgD;AAEhD,8CAA4B;AAC5B,2EAAyD;AACzD,qEAAmD;AACnD,0EAAwD;AACxD,2EAAyD;AAEzD,yDAAuC;AACvC,2DAAyC;AAEzC,mDAAiC;AAI1B,IAAM,wBAAwB,GAA9B,MAAM,wBAAyB,SAAQ,iBAAY;IAC/C,SAAS;QACZ,uBAAgB,CAAC,WAAW,GAAG;YAC3B,GAAG,uBAAgB,CAAC,WAAW;YAC/B,2CAAsB,CAAC,KAAK;YAC5B,2CAAsB,CAAC,GAAG;SAC7B,CAAA;IACL,CAAC;CACJ,CAAA;AARY,4DAAwB;mCAAxB,wBAAwB;IADpC,IAAA,eAAU,EAAC,iBAAY,CAAC;GACZ,wBAAwB,CAQpC"}

package/lib/cjs/logout.d.ts

@@ -0,0 +1,51 @@
+import type { ISession, User } from '@spinajs/rbac';
+/**
+ * Per-request context handed to each {@link LogoutHandler} during logout.
+ * The session may be null when the caller has no active session — handlers
+ * should treat that as a no-op.
+ */
+export interface ILogoutContext {
+    /** Raw signed session cookie value (already unsigned by the framework) */
+    Ssid: string;
+    /** Restored session, or null when none is active */
+    Session: ISession | null;
+    /** Logged-in user as resolved by RbacMiddleware */
+    User: User;
+}
+/** Cookie operation a handler may attach to its response */
+export interface ILogoutCookie {
+    Name: string;
+    Value: string;
+    Options: Record<string, unknown>;
+}
+/** Response payload a handler returns when it takes ownership of the logout */
+export interface ILogoutResult {
+    /** Response body */
+    Body?: unknown;
+    /** Cookie operations to attach */
+    Cookies?: ILogoutCookie[];
+}
+/**
+ * Pluggable logout step. Handlers are resolved via `DI.resolve(Array.ofType(LogoutHandler))`
+ * by the logout controller and executed in ascending Priority order. The first
+ * handler that returns a non-null result takes ownership of the response — the
+ * chain stops there. Returning null defers to the next handler.
+ *
+ * Built-ins:
+ *  - {@link ImpersonationLogoutHandler} (priority 10) — when an impersonation
+ *    is active, revert it and keep the session alive.
+ *  - {@link DefaultLogoutHandler} (priority 999) — destroy the session and
+ *    clear the ssid cookie.
+ *
+ * Register custom handlers with @Injectable(LogoutHandler). Choose a Priority
+ * lower than 999 to run before the default session destruction.
+ */
+export declare abstract class LogoutHandler {
+    /**
+     * Lower runs first. Default 100. The default cleanup handler runs at 999;
+     * pick a value below that to run before it.
+     */
+    Priority: number;
+    abstract handle(context: ILogoutContext): Promise<ILogoutResult | null>;
+}
+//# sourceMappingURL=logout.d.ts.map

package/lib/cjs/logout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.d.ts","sourceRoot":"","sources":["../../src/logout.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAEpD;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,0EAA0E;IAC1E,IAAI,EAAE,MAAM,CAAC;IAEb,oDAAoD;IACpD,OAAO,EAAE,QAAQ,GAAG,IAAI,CAAC;IAEzB,mDAAmD;IACnD,IAAI,EAAE,IAAI,CAAC;CACZ;AAED,4DAA4D;AAC5D,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,+EAA+E;AAC/E,MAAM,WAAW,aAAa;IAC5B,oBAAoB;IACpB,IAAI,CAAC,EAAE,OAAO,CAAC;IAEf,kCAAkC;IAClC,OAAO,CAAC,EAAE,aAAa,EAAE,CAAC;CAC3B;AAED;;;;;;;;;;;;;;GAcG;AACH,8BAAsB,aAAa;IACjC;;;OAGG;IACI,QAAQ,EAAE,MAAM,CAAO;aAEd,MAAM,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;CAC/E"}

package/lib/cjs/logout.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LogoutHandler = void 0;
+/**
+ * Pluggable logout step. Handlers are resolved via `DI.resolve(Array.ofType(LogoutHandler))`
+ * by the logout controller and executed in ascending Priority order. The first
+ * handler that returns a non-null result takes ownership of the response — the
+ * chain stops there. Returning null defers to the next handler.
+ *
+ * Built-ins:
+ *  - {@link ImpersonationLogoutHandler} (priority 10) — when an impersonation
+ *    is active, revert it and keep the session alive.
+ *  - {@link DefaultLogoutHandler} (priority 999) — destroy the session and
+ *    clear the ssid cookie.
+ *
+ * Register custom handlers with @Injectable(LogoutHandler). Choose a Priority
+ * lower than 999 to run before the default session destruction.
+ */
+class LogoutHandler {
+    constructor() {
+        /**
+         * Lower runs first. Default 100. The default cleanup handler runs at 999;
+         * pick a value below that to run before it.
+         */
+        this.Priority = 100;
+    }
+}
+exports.LogoutHandler = LogoutHandler;
+//# sourceMappingURL=logout.js.map

package/lib/cjs/logout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../src/logout.ts"],"names":[],"mappings":";;;AAkCA;;;;;;;;;;;;;;GAcG;AACH,MAAsB,aAAa;IAAnC;QACE;;;WAGG;QACI,aAAQ,GAAW,GAAG,CAAC;IAGhC,CAAC;CAAA;AARD,sCAQC"}