@spinajs/rbac-http-user 2.0.473 → 2.0.474

package/lib/mjs/controllers/ActiveRoleController.d.ts

@@ -0,0 +1,41 @@
+import { SwitchRoleDto } from '../dto/switchRole-dto.js';
+import { BaseController, Ok, BadRequestResponse, Unauthorized } from '@spinajs/http';
+import { AccessControl, AuthProvider, PasswordProvider, SessionProvider } from '@spinajs/rbac';
+import type { ISession, User } from '@spinajs/rbac';
+import { IActiveRoleResponse } from '@spinajs/rbac-http';
+/**
+ * Active role endpoints.
+ * Let users with multiple roles inspect and switch the currently active role.
+ * The active role drives all request-bound permission checks; the user's full
+ * role list remains available so they can switch back at any time.
+ * @tags Authentication
+ */
+export declare class ActiveRoleController extends BaseController {
+    protected AC: AccessControl;
+    protected AuthProvider: AuthProvider;
+    protected PasswordProvider: PasswordProvider;
+    protected SessionProvider: SessionProvider;
+    protected RolesRequiringPassword: string[];
+    /**
+     * Get active role
+     * Returns the currently active role for the session, all roles the user may switch to,
+     * and the RBAC grants resolved for the active role.
+     * @security cookieAuth
+     * @returns {IActiveRoleResponse}
+     * @response 401 No active session
+     */
+    getActiveRole(user: User, ActiveRole: string): Promise<Ok<IActiveRoleResponse>>;
+    /**
+     * Switch active role
+     * Switches the active role for the current session. The requested role must be one of
+     * the user's assigned roles. If the role is listed in `rbac.roleSwitch.requirePassword`,
+     * the user's password must also be provided and is re-verified.
+     * @security cookieAuth
+     * @returns {IActiveRoleResponse}
+     * @response 400 Requested role is not assigned to the user
+     * @response 401 Password verification required or failed
+     */
+    switchActiveRole(user: User, session: ISession, payload: SwitchRoleDto): Promise<Ok<IActiveRoleResponse> | BadRequestResponse | Unauthorized>;
+    protected buildResponse(user: User, activeRole: string): IActiveRoleResponse;
+}
+//# sourceMappingURL=ActiveRoleController.d.ts.map

package/lib/mjs/controllers/ActiveRoleController.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ActiveRoleController.d.ts","sourceRoot":"","sources":["../../../src/controllers/ActiveRoleController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,cAAc,EAAwB,EAAE,EAAO,kBAAkB,EAAE,YAAY,EAAU,MAAM,eAAe,CAAC;AACxH,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAiB,MAAM,eAAe,CAAC;AAC9G,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAGpD,OAAO,EAA+E,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAEtI;;;;;;GAMG;AACH,qBACa,oBAAqB,SAAQ,cAAc;IAEtD,SAAS,CAAC,EAAE,EAAE,aAAa,CAAC;IAG5B,SAAS,CAAC,YAAY,EAAE,YAAY,CAAC;IAGrC,SAAS,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;IAG7C,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC;IAG3C,SAAS,CAAC,sBAAsB,EAAE,MAAM,EAAE,CAAC;IAE3C;;;;;;;OAOG;IAGU,aAAa,CAAiB,IAAI,EAAE,IAAI,EAAiB,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC,mBAAmB,CAAC,CAAC;IAI3H;;;;;;;;;OASG;IAGU,gBAAgB,CACX,IAAI,EAAE,IAAI,EACP,OAAO,EAAE,QAAQ,EAC5B,OAAO,EAAE,aAAa,GAC7B,OAAO,CAAC,EAAE,CAAC,mBAAmB,CAAC,GAAG,kBAAkB,GAAG,YAAY,CAAC;IAqCvE,SAAS,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB;CAQ7E"}

package/lib/mjs/controllers/ActiveRoleController.js

@@ -0,0 +1,132 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { SwitchRoleDto } from '../dto/switchRole-dto.js';
+import { BaseController, BasePath, Post, Body, Ok, Get, BadRequestResponse, Unauthorized, Policy } from '@spinajs/http';
+import { AccessControl, AuthProvider, PasswordProvider, SessionProvider, _unwindGrants } from '@spinajs/rbac';
+import { Autoinject } from '@spinajs/di';
+import { AutoinjectService, Config } from '@spinajs/configuration';
+import { LoggedPolicy, User as UserRouteArg, Session as SessionRouteArg, FromSession } from '@spinajs/rbac-http';
+/**
+ * Active role endpoints.
+ * Let users with multiple roles inspect and switch the currently active role.
+ * The active role drives all request-bound permission checks; the user's full
+ * role list remains available so they can switch back at any time.
+ * @tags Authentication
+ */
+let ActiveRoleController = class ActiveRoleController extends BaseController {
+    /**
+     * Get active role
+     * Returns the currently active role for the session, all roles the user may switch to,
+     * and the RBAC grants resolved for the active role.
+     * @security cookieAuth
+     * @returns {IActiveRoleResponse}
+     * @response 401 No active session
+     */
+    async getActiveRole(user, ActiveRole) {
+        return new Ok(this.buildResponse(user, ActiveRole ?? user.Role?.[0]));
+    }
+    /**
+     * Switch active role
+     * Switches the active role for the current session. The requested role must be one of
+     * the user's assigned roles. If the role is listed in `rbac.roleSwitch.requirePassword`,
+     * the user's password must also be provided and is re-verified.
+     * @security cookieAuth
+     * @returns {IActiveRoleResponse}
+     * @response 400 Requested role is not assigned to the user
+     * @response 401 Password verification required or failed
+     */
+    async switchActiveRole(user, session, payload) {
+        if (!user.Role?.includes(payload.Role)) {
+            return new BadRequestResponse({
+                error: {
+                    code: 'E_ROLE_NOT_ASSIGNED',
+                    message: `Role '${payload.Role}' is not assigned to user`,
+                },
+            });
+        }
+        if (this.RolesRequiringPassword?.includes(payload.Role)) {
+            if (!payload.Password) {
+                return new Unauthorized({
+                    error: {
+                        code: 'E_PASSWORD_REQUIRED',
+                        message: `Password is required to activate role '${payload.Role}'`,
+                    },
+                });
+            }
+            const valid = await this.PasswordProvider.verify(user.Password, payload.Password);
+            if (!valid) {
+                return new Unauthorized({
+                    error: {
+                        code: 'E_PASSWORD_INVALID',
+                        message: 'Invalid password',
+                    },
+                });
+            }
+        }
+        session.Data.set('ActiveRole', payload.Role);
+        await this.SessionProvider.save(session);
+        return new Ok(this.buildResponse(user, payload.Role));
+    }
+    buildResponse(user, activeRole) {
+        const grants = activeRole ? _unwindGrants(activeRole, this.AC.getGrants()) : {};
+        return {
+            ActiveRole: activeRole,
+            AvailableRoles: user.Role ?? [],
+            Grants: grants,
+        };
+    }
+};
+__decorate([
+    Autoinject(AccessControl),
+    __metadata("design:type", AccessControl)
+], ActiveRoleController.prototype, "AC", void 0);
+__decorate([
+    AutoinjectService('rbac.auth'),
+    __metadata("design:type", AuthProvider)
+], ActiveRoleController.prototype, "AuthProvider", void 0);
+__decorate([
+    AutoinjectService('rbac.password'),
+    __metadata("design:type", PasswordProvider)
+], ActiveRoleController.prototype, "PasswordProvider", void 0);
+__decorate([
+    AutoinjectService('rbac.session'),
+    __metadata("design:type", SessionProvider)
+], ActiveRoleController.prototype, "SessionProvider", void 0);
+__decorate([
+    Config('rbac.roleSwitch.requirePassword', { defaultValue: [] }),
+    __metadata("design:type", Array)
+], ActiveRoleController.prototype, "RolesRequiringPassword", void 0);
+__decorate([
+    Get('active-role'),
+    Policy(LoggedPolicy),
+    __param(0, UserRouteArg()),
+    __param(1, FromSession()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Function, String]),
+    __metadata("design:returntype", Promise)
+], ActiveRoleController.prototype, "getActiveRole", null);
+__decorate([
+    Post('active-role'),
+    Policy(LoggedPolicy),
+    __param(0, UserRouteArg()),
+    __param(1, SessionRouteArg()),
+    __param(2, Body()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Function, Object, SwitchRoleDto]),
+    __metadata("design:returntype", Promise)
+], ActiveRoleController.prototype, "switchActiveRole", null);
+ActiveRoleController = __decorate([
+    BasePath('auth')
+], ActiveRoleController);
+export { ActiveRoleController };
+//# sourceMappingURL=ActiveRoleController.js.map

package/lib/mjs/controllers/ActiveRoleController.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ActiveRoleController.js","sourceRoot":"","sources":["../../../src/controllers/ActiveRoleController.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AACxH,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAE9G,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,IAAI,IAAI,YAAY,EAAE,OAAO,IAAI,eAAe,EAAE,WAAW,EAAuB,MAAM,oBAAoB,CAAC;AAEtI;;;;;;GAMG;AAEI,IAAM,oBAAoB,GAA1B,MAAM,oBAAqB,SAAQ,cAAc;IAgBtD;;;;;;;OAOG;IAGU,AAAN,KAAK,CAAC,aAAa,CAAiB,IAAU,EAAiB,UAAkB;QACtF,OAAO,IAAI,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,UAAU,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACxE,CAAC;IAED;;;;;;;;;OASG;IAGU,AAAN,KAAK,CAAC,gBAAgB,CACX,IAAU,EACP,OAAiB,EAC5B,OAAsB;QAE9B,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,OAAO,IAAI,kBAAkB,CAAC;gBAC5B,KAAK,EAAE;oBACL,IAAI,EAAE,qBAAqB;oBAC3B,OAAO,EAAE,SAAS,OAAO,CAAC,IAAI,2BAA2B;iBAC1D;aACF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,sBAAsB,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxD,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACtB,OAAO,IAAI,YAAY,CAAC;oBACtB,KAAK,EAAE;wBACL,IAAI,EAAE,qBAAqB;wBAC3B,OAAO,EAAE,0CAA0C,OAAO,CAAC,IAAI,GAAG;qBACnE;iBACF,CAAC,CAAC;YACL,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;YAClF,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,IAAI,YAAY,CAAC;oBACtB,KAAK,EAAE;wBACL,IAAI,EAAE,oBAAoB;wBAC1B,OAAO,EAAE,kBAAkB;qBAC5B;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7C,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEzC,OAAO,IAAI,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACxD,CAAC;IAES,aAAa,CAAC,IAAU,EAAE,UAAkB;QACpD,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAChF,OAAO;YACL,UAAU,EAAE,UAAU;YACtB,cAAc,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE;YAC/B,MAAM,EAAE,MAAM;SACf,CAAC;IACJ,CAAC;CACF,CAAA;AAzFW;IADT,UAAU,CAAC,aAAa,CAAC;8BACZ,aAAa;gDAAC;AAGlB;IADT,iBAAiB,CAAC,WAAW,CAAC;8BACP,YAAY;0DAAC;AAG3B;IADT,iBAAiB,CAAC,eAAe,CAAC;8BACP,gBAAgB;8DAAC;AAGnC;IADT,iBAAiB,CAAC,cAAc,CAAC;8BACP,eAAe;6DAAC;AAGjC;IADT,MAAM,CAAC,iCAAiC,EAAE,EAAE,YAAY,EAAE,EAAc,EAAE,CAAC;;oEACjC;AAY9B;IAFZ,GAAG,CAAC,aAAa,CAAC;IAClB,MAAM,CAAC,YAAY,CAAC;IACO,WAAA,YAAY,EAAE,CAAA;IAAc,WAAA,WAAW,EAAE,CAAA;;;;yDAEpE;AAcY;IAFZ,IAAI,CAAC,aAAa,CAAC;IACnB,MAAM,CAAC,YAAY,CAAC;IAElB,WAAA,YAAY,EAAE,CAAA;IACd,WAAA,eAAe,EAAE,CAAA;IACjB,WAAA,IAAI,EAAE,CAAA;;uDAAU,aAAa;;4DAoC/B;AAjFU,oBAAoB;IADhC,QAAQ,CAAC,MAAM,CAAC;GACJ,oBAAoB,CA2FhC"}

package/lib/mjs/controllers/ImpersonationController.d.ts

@@ -0,0 +1,72 @@
+import { ImpersonateDto } from '../dto/impersonate-dto.js';
+import { BaseController, Ok, BadRequestResponse, Unauthorized, ForbiddenResponse, Conflict, NotFound } from '@spinajs/http';
+import { AccessControl, PasswordProvider, SessionProvider, User, UserImpersonationStarted, UserImpersonationEnded } from '@spinajs/rbac';
+import type { ISession } from '@spinajs/rbac';
+import { IImpersonationResponse, IImpersonationState, IUserWithGrants } from '@spinajs/rbac-http';
+/**
+ * Impersonation endpoints.
+ *
+ * A user holding `createAny` on the virtual resource `user:impersonate` can
+ * temporarily act as another user. While impersonation is active, the session
+ * carries both identities — `User` is the target, `Impersonator` is the
+ * original. Permission checks therefore "see" the target by default; the
+ * original is preserved only for audit and for ending the impersonation.
+ *
+ * @tags Authentication
+ */
+export declare class ImpersonationController extends BaseController {
+    protected AC: AccessControl;
+    protected PasswordProvider: PasswordProvider;
+    protected SessionProvider: SessionProvider;
+    protected RequirePassword: boolean;
+    protected ProtectedRoles: string[];
+    /**
+     * Get impersonation state
+     * Returns whether an impersonation is currently active for this session.
+     * @security cookieAuth
+     * @returns {IImpersonationState}
+     * @response 401 No active session
+     */
+    getState(Impersonator: string, User: string, ImpersonationStartedAt: string): Promise<Ok<IImpersonationState>>;
+    /**
+     * Start impersonation
+     * Begins impersonating the target user. The caller must have `createAny` on
+     * virtual resource `user:impersonate`. The target must not hold any role in
+     * `rbac.impersonation.protectedRoles` and must not have effective grants
+     * exceeding the caller's. If `rbac.impersonation.requirePassword` is true,
+     * the caller's password must be supplied and is verified.
+     * @security cookieAuth
+     * @returns {IImpersonationResponse}
+     * @response 400 Target equals caller or invalid payload
+     * @response 401 Password required or invalid
+     * @response 403 Caller lacks permission, target is protected, or escalation detected
+     * @response 404 Target user not found / inactive / banned / deleted
+     * @response 409 An impersonation is already in progress for this session
+     */
+    start(caller: User, session: ISession, payload: ImpersonateDto): Promise<Ok<IImpersonationResponse> | BadRequestResponse | Unauthorized | ForbiddenResponse | NotFound | Conflict>;
+    /**
+     * Stop impersonation
+     * Restores the original user's session and returns their login-style payload.
+     * @security cookieAuth
+     * @returns {IUserWithGrants}
+     * @response 400 No impersonation is currently active
+     */
+    stop(target: User, session: ISession): Promise<Ok<IUserWithGrants> | BadRequestResponse>;
+    /**
+     * Emit an impersonation lifecycle event. Wrapped in a protected method so
+     * tests can intercept without stubbing module-level ESM bindings.
+     */
+    protected emitEvent(event: UserImpersonationStarted | UserImpersonationEnded): Promise<void>;
+    /**
+     * Load the impersonation target (with Metadata so IsBanned works). Extracted
+     * as a protected method so tests can stub it without setting up a database.
+     */
+    protected loadTarget(uuid: string): Promise<User | undefined>;
+    /**
+     * Load the original (impersonator) user. Extracted for the same reason as
+     * loadTarget — keeps the controller easy to test in isolation.
+     */
+    protected loadOriginal(uuid: string): Promise<User | undefined>;
+    protected buildResponse(target: User, impersonator: User, activeRole: string, startedAt: string): IImpersonationResponse;
+}
+//# sourceMappingURL=ImpersonationController.d.ts.map

package/lib/mjs/controllers/ImpersonationController.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ImpersonationController.d.ts","sourceRoot":"","sources":["../../../src/controllers/ImpersonationController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,cAAc,EAA6B,EAAE,EAAO,kBAAkB,EAAE,YAAY,EAAE,iBAAiB,EAAE,QAAQ,EAAE,QAAQ,EAAU,MAAM,eAAe,CAAC;AACpK,OAAO,EACL,aAAa,EACb,gBAAgB,EAChB,eAAe,EACf,IAAI,EACJ,wBAAwB,EACxB,sBAAsB,EAGvB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAK9C,OAAO,EAKL,sBAAsB,EACtB,mBAAmB,EACnB,eAAe,EAChB,MAAM,oBAAoB,CAAC;AAI5B;;;;;;;;;;GAUG;AACH,qBACa,uBAAwB,SAAQ,cAAc;IAEzD,SAAS,CAAC,EAAE,EAAE,aAAa,CAAC;IAG5B,SAAS,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;IAG7C,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC;IAG3C,SAAS,CAAC,eAAe,EAAE,OAAO,CAAC;IAGnC,SAAS,CAAC,cAAc,EAAE,MAAM,EAAE,CAAC;IAEnC;;;;;;OAMG;IAGU,QAAQ,CACJ,YAAY,EAAE,MAAM,EACpB,IAAI,EAAE,MAAM,EACZ,sBAAsB,EAAE,MAAM,GAC5C,OAAO,CAAC,EAAE,CAAC,mBAAmB,CAAC,CAAC;IAYnC;;;;;;;;;;;;;;OAcG;IAGU,KAAK,CACA,MAAM,EAAE,IAAI,EACT,OAAO,EAAE,QAAQ,EAC5B,OAAO,EAAE,cAAc,GAC9B,OAAO,CACR,EAAE,CAAC,sBAAsB,CAAC,GAAG,kBAAkB,GAAG,YAAY,GAAG,iBAAiB,GAAG,QAAQ,GAAG,QAAQ,CACzG;IAsFD;;;;;;OAMG;IAGU,IAAI,CACC,MAAM,EAAE,IAAI,EACT,OAAO,EAAE,QAAQ,GACnC,OAAO,CAAC,EAAE,CAAC,eAAe,CAAC,GAAG,kBAAkB,CAAC;IA4CpD;;;OAGG;IACH,SAAS,CAAC,SAAS,CAAC,KAAK,EAAE,wBAAwB,GAAG,sBAAsB,GAAG,OAAO,CAAC,IAAI,CAAC;IAI5F;;;OAGG;IACH,SAAS,CAAC,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC;IAI7D;;;OAGG;IACH,SAAS,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC;IAI/D,SAAS,CAAC,aAAa,CAAC,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,sBAAsB;CAWzH"}

package/lib/mjs/controllers/ImpersonationController.js

@@ -0,0 +1,274 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { ImpersonateDto } from '../dto/impersonate-dto.js';
+import { BaseController, BasePath, Post, Del, Body, Ok, Get, BadRequestResponse, Unauthorized, ForbiddenResponse, Conflict, NotFound, Policy } from '@spinajs/http';
+import { AccessControl, PasswordProvider, SessionProvider, User, UserImpersonationStarted, UserImpersonationEnded, _unwindGrants, canImpersonate, } from '@spinajs/rbac';
+import { Autoinject } from '@spinajs/di';
+import { AutoinjectService, Config } from '@spinajs/configuration';
+import { _ev } from '@spinajs/queue';
+import { DateTime } from 'luxon';
+import { LoggedPolicy, User as UserRouteArg, Session as SessionRouteArg, FromSession, } from '@spinajs/rbac-http';
+const IMPERSONATE_RESOURCE = 'user:impersonate';
+/**
+ * Impersonation endpoints.
+ *
+ * A user holding `createAny` on the virtual resource `user:impersonate` can
+ * temporarily act as another user. While impersonation is active, the session
+ * carries both identities — `User` is the target, `Impersonator` is the
+ * original. Permission checks therefore "see" the target by default; the
+ * original is preserved only for audit and for ending the impersonation.
+ *
+ * @tags Authentication
+ */
+let ImpersonationController = class ImpersonationController extends BaseController {
+    /**
+     * Get impersonation state
+     * Returns whether an impersonation is currently active for this session.
+     * @security cookieAuth
+     * @returns {IImpersonationState}
+     * @response 401 No active session
+     */
+    async getState(Impersonator, User, ImpersonationStartedAt) {
+        if (!Impersonator) {
+            return new Ok({ Active: false });
+        }
+        return new Ok({
+            Active: true,
+            ImpersonatorUuid: Impersonator,
+            TargetUuid: User,
+            StartedAt: ImpersonationStartedAt,
+        });
+    }
+    /**
+     * Start impersonation
+     * Begins impersonating the target user. The caller must have `createAny` on
+     * virtual resource `user:impersonate`. The target must not hold any role in
+     * `rbac.impersonation.protectedRoles` and must not have effective grants
+     * exceeding the caller's. If `rbac.impersonation.requirePassword` is true,
+     * the caller's password must be supplied and is verified.
+     * @security cookieAuth
+     * @returns {IImpersonationResponse}
+     * @response 400 Target equals caller or invalid payload
+     * @response 401 Password required or invalid
+     * @response 403 Caller lacks permission, target is protected, or escalation detected
+     * @response 404 Target user not found / inactive / banned / deleted
+     * @response 409 An impersonation is already in progress for this session
+     */
+    async start(caller, session, payload) {
+        if (session?.Data.get('Impersonator')) {
+            return new Conflict({
+                error: {
+                    code: 'E_IMPERSONATION_ACTIVE',
+                    message: 'An impersonation is already in progress. Stop the current one before starting another.',
+                },
+            });
+        }
+        if (caller.Uuid === payload.TargetUuid) {
+            return new BadRequestResponse({
+                error: { code: 'E_SELF_IMPERSONATION', message: 'Cannot impersonate yourself' },
+            });
+        }
+        // Permission to impersonate is itself an RBAC permission honoring ActiveRole.
+        const activeRole = session?.Data.get('ActiveRole') ?? caller.Role?.[0];
+        const roles = activeRole ? [activeRole] : caller.Role;
+        const allowed = this.AC.can(roles).createAny(IMPERSONATE_RESOURCE).granted;
+        if (!allowed) {
+            return new ForbiddenResponse({
+                error: { code: 'E_IMPERSONATE_FORBIDDEN', message: `Role(s) ${roles} cannot impersonate other users` },
+            });
+        }
+        const target = await this.loadTarget(payload.TargetUuid);
+        if (!target) {
+            return new NotFound({ error: { code: 'E_TARGET_NOT_FOUND', message: 'Target user not found' } });
+        }
+        if (!target.IsActive || target.IsBanned) {
+            return new NotFound({ error: { code: 'E_TARGET_UNAVAILABLE', message: 'Target user is not available' } });
+        }
+        const check = canImpersonate({
+            originalRoles: caller.Role,
+            targetRoles: target.Role,
+            protectedRoles: this.ProtectedRoles ?? [],
+            ac: this.AC,
+        });
+        if (!check.allowed) {
+            return new ForbiddenResponse({
+                error: {
+                    code: check.reason === 'PROTECTED_ROLE' ? 'E_TARGET_PROTECTED' : 'E_PRIVILEGE_ESCALATION',
+                    message: check.reason === 'PROTECTED_ROLE'
+                        ? `Target has a protected role (${check.detail}) and cannot be impersonated`
+                        : `Target has a privilege the impersonator lacks (${check.detail})`,
+                },
+            });
+        }
+        if (this.RequirePassword) {
+            if (!payload.Password) {
+                return new Unauthorized({
+                    error: { code: 'E_PASSWORD_REQUIRED', message: 'Password confirmation is required to start impersonation' },
+                });
+            }
+            const valid = await this.PasswordProvider.verify(caller.Password, payload.Password);
+            if (!valid) {
+                return new Unauthorized({ error: { code: 'E_PASSWORD_INVALID', message: 'Invalid password' } });
+            }
+        }
+        // Persist impersonation state. We keep the impersonator's previous
+        // ActiveRole so it can be restored on stop; effective ActiveRole becomes
+        // the target's first role.
+        const startedAt = DateTime.now().toISO();
+        const previousActiveRole = session.Data.get('ActiveRole');
+        session.Data.set('Impersonator', caller.Uuid);
+        session.Data.set('User', target.Uuid);
+        session.Data.set('ImpersonationStartedAt', startedAt);
+        if (previousActiveRole !== undefined) {
+            session.Data.set('OriginalActiveRole', previousActiveRole);
+        }
+        const targetActiveRole = target.Role?.[0];
+        if (targetActiveRole) {
+            session.Data.set('ActiveRole', targetActiveRole);
+        }
+        await this.SessionProvider.save(session);
+        await this.emitEvent(new UserImpersonationStarted(caller, target));
+        return new Ok(this.buildResponse(target, caller, targetActiveRole, startedAt));
+    }
+    /**
+     * Stop impersonation
+     * Restores the original user's session and returns their login-style payload.
+     * @security cookieAuth
+     * @returns {IUserWithGrants}
+     * @response 400 No impersonation is currently active
+     */
+    async stop(target, session) {
+        const impersonatorUuid = session?.Data.get('Impersonator');
+        if (!impersonatorUuid) {
+            return new BadRequestResponse({
+                error: { code: 'E_NO_IMPERSONATION', message: 'No impersonation is currently in progress' },
+            });
+        }
+        const original = await this.loadOriginal(impersonatorUuid);
+        if (!original) {
+            // Stale session referencing a deleted impersonator — destroy the
+            // impersonation block to recover but report an error so the caller
+            // can re-authenticate.
+            session.Data.delete('Impersonator');
+            session.Data.delete('ImpersonationStartedAt');
+            session.Data.delete('OriginalActiveRole');
+            await this.SessionProvider.save(session);
+            return new BadRequestResponse({
+                error: { code: 'E_IMPERSONATOR_GONE', message: 'Original user no longer exists' },
+            });
+        }
+        // Restore the original session state.
+        session.Data.set('User', original.Uuid);
+        session.Data.delete('Impersonator');
+        session.Data.delete('ImpersonationStartedAt');
+        const restoredActiveRole = session.Data.get('OriginalActiveRole') ?? original.Role?.[0];
+        if (restoredActiveRole) {
+            session.Data.set('ActiveRole', restoredActiveRole);
+        }
+        session.Data.delete('OriginalActiveRole');
+        await this.SessionProvider.save(session);
+        await this.emitEvent(new UserImpersonationEnded(original, target));
+        const grants = restoredActiveRole ? _unwindGrants(restoredActiveRole, this.AC.getGrants()) : {};
+        return new Ok({
+            ...original.dehydrateWithRelations({ dateTimeFormat: 'iso' }),
+            ActiveRole: restoredActiveRole,
+            Grants: grants,
+        });
+    }
+    /**
+     * Emit an impersonation lifecycle event. Wrapped in a protected method so
+     * tests can intercept without stubbing module-level ESM bindings.
+     */
+    emitEvent(event) {
+        return _ev(event)();
+    }
+    /**
+     * Load the impersonation target (with Metadata so IsBanned works). Extracted
+     * as a protected method so tests can stub it without setting up a database.
+     */
+    loadTarget(uuid) {
+        return User.query().whereUuid(uuid).populate('Metadata').notDeleted().first();
+    }
+    /**
+     * Load the original (impersonator) user. Extracted for the same reason as
+     * loadTarget — keeps the controller easy to test in isolation.
+     */
+    loadOriginal(uuid) {
+        return User.getByUuid(uuid);
+    }
+    buildResponse(target, impersonator, activeRole, startedAt) {
+        const grants = activeRole ? _unwindGrants(activeRole, this.AC.getGrants()) : {};
+        return {
+            User: target.dehydrateWithRelations({ dateTimeFormat: 'iso' }),
+            Impersonator: impersonator.dehydrateWithRelations({ dateTimeFormat: 'iso' }),
+            ActiveRole: activeRole,
+            AvailableRoles: target.Role ?? [],
+            Grants: grants,
+            StartedAt: startedAt,
+        };
+    }
+};
+__decorate([
+    Autoinject(AccessControl),
+    __metadata("design:type", AccessControl)
+], ImpersonationController.prototype, "AC", void 0);
+__decorate([
+    AutoinjectService('rbac.password'),
+    __metadata("design:type", PasswordProvider)
+], ImpersonationController.prototype, "PasswordProvider", void 0);
+__decorate([
+    AutoinjectService('rbac.session'),
+    __metadata("design:type", SessionProvider)
+], ImpersonationController.prototype, "SessionProvider", void 0);
+__decorate([
+    Config('rbac.impersonation.requirePassword', { defaultValue: true }),
+    __metadata("design:type", Boolean)
+], ImpersonationController.prototype, "RequirePassword", void 0);
+__decorate([
+    Config('rbac.impersonation.protectedRoles', { defaultValue: ['system'] }),
+    __metadata("design:type", Array)
+], ImpersonationController.prototype, "ProtectedRoles", void 0);
+__decorate([
+    Get('impersonate'),
+    Policy(LoggedPolicy),
+    __param(0, FromSession()),
+    __param(1, FromSession()),
+    __param(2, FromSession()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String, String, String]),
+    __metadata("design:returntype", Promise)
+], ImpersonationController.prototype, "getState", null);
+__decorate([
+    Post('impersonate'),
+    Policy(LoggedPolicy),
+    __param(0, UserRouteArg()),
+    __param(1, SessionRouteArg()),
+    __param(2, Body()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [User, Object, ImpersonateDto]),
+    __metadata("design:returntype", Promise)
+], ImpersonationController.prototype, "start", null);
+__decorate([
+    Del('impersonate'),
+    Policy(LoggedPolicy),
+    __param(0, UserRouteArg()),
+    __param(1, SessionRouteArg()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [User, Object]),
+    __metadata("design:returntype", Promise)
+], ImpersonationController.prototype, "stop", null);
+ImpersonationController = __decorate([
+    BasePath('auth')
+], ImpersonationController);
+export { ImpersonationController };
+//# sourceMappingURL=ImpersonationController.js.map

package/lib/mjs/controllers/ImpersonationController.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ImpersonationController.js","sourceRoot":"","sources":["../../../src/controllers/ImpersonationController.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,kBAAkB,EAAE,YAAY,EAAE,iBAAiB,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AACpK,OAAO,EACL,aAAa,EACb,gBAAgB,EAChB,eAAe,EACf,IAAI,EACJ,wBAAwB,EACxB,sBAAsB,EACtB,aAAa,EACb,cAAc,GACf,MAAM,eAAe,CAAC;AAEvB,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AACnE,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAC;AACjC,OAAO,EACL,YAAY,EACZ,IAAI,IAAI,YAAY,EACpB,OAAO,IAAI,eAAe,EAC1B,WAAW,GAIZ,MAAM,oBAAoB,CAAC;AAE5B,MAAM,oBAAoB,GAAG,kBAAkB,CAAC;AAEhD;;;;;;;;;;GAUG;AAEI,IAAM,uBAAuB,GAA7B,MAAM,uBAAwB,SAAQ,cAAc;IAgBzD;;;;;;OAMG;IAGU,AAAN,KAAK,CAAC,QAAQ,CACJ,YAAoB,EACpB,IAAY,EACZ,sBAA8B;QAE7C,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACnC,CAAC;QACD,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,EAAE,IAAI;YACZ,gBAAgB,EAAE,YAAY;YAC9B,UAAU,EAAE,IAAI;YAChB,SAAS,EAAE,sBAAsB;SAClC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;;;;;;OAcG;IAGU,AAAN,KAAK,CAAC,KAAK,CACA,MAAY,EACT,OAAiB,EAC5B,OAAuB;QAI/B,IAAI,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;YACtC,OAAO,IAAI,QAAQ,CAAC;gBAClB,KAAK,EAAE;oBACL,IAAI,EAAE,wBAAwB;oBAC9B,OAAO,EAAE,wFAAwF;iBAClG;aACF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,CAAC,UAAU,EAAE,CAAC;YACvC,OAAO,IAAI,kBAAkB,CAAC;gBAC5B,KAAK,EAAE,EAAE,IAAI,EAAE,sBAAsB,EAAE,OAAO,EAAE,6BAA6B,EAAE;aAChF,CAAC,CAAC;QACL,CAAC;QAED,8EAA8E;QAC9E,MAAM,UAAU,GAAI,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,YAAY,CAAwB,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/F,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC;QACtD,MAAM,OAAO,GAAI,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,KAAK,CAAS,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC,OAAO,CAAC;QACpF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,iBAAiB,CAAC;gBAC3B,KAAK,EAAE,EAAE,IAAI,EAAE,yBAAyB,EAAE,OAAO,EAAE,WAAW,KAAK,iCAAiC,EAAE;aACvG,CAAC,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QACzD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,QAAQ,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,uBAAuB,EAAE,EAAE,CAAC,CAAC;QACnG,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACxC,OAAO,IAAI,QAAQ,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,sBAAsB,EAAE,OAAO,EAAE,8BAA8B,EAAE,EAAE,CAAC,CAAC;QAC5G,CAAC;QAED,MAAM,KAAK,GAAG,cAAc,CAAC;YAC3B,aAAa,EAAE,MAAM,CAAC,IAAI;YAC1B,WAAW,EAAE,MAAM,CAAC,IAAI;YACxB,cAAc,EAAE,IAAI,CAAC,cAAc,IAAI,EAAE;YACzC,EAAE,EAAE,IAAI,CAAC,EAAE;SACZ,CAAC,CAAC;QACH,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACnB,OAAO,IAAI,iBAAiB,CAAC;gBAC3B,KAAK,EAAE;oBACL,IAAI,EAAE,KAAK,CAAC,MAAM,KAAK,gBAAgB,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,wBAAwB;oBACzF,OAAO,EAAE,KAAK,CAAC,MAAM,KAAK,gBAAgB;wBACxC,CAAC,CAAC,gCAAgC,KAAK,CAAC,MAAM,8BAA8B;wBAC5E,CAAC,CAAC,kDAAkD,KAAK,CAAC,MAAM,GAAG;iBACtE;aACF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACtB,OAAO,IAAI,YAAY,CAAC;oBACtB,KAAK,EAAE,EAAE,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE,0DAA0D,EAAE;iBAC5G,CAAC,CAAC;YACL,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;YACpF,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,IAAI,YAAY,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAC;YAClG,CAAC;QACH,CAAC;QAED,mEAAmE;QACnE,yEAAyE;QACzE,2BAA2B;QAC3B,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,EAAE,CAAC,KAAK,EAAG,CAAC;QAC1C,MAAM,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAuB,CAAC;QAEhF,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QAC9C,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QACtC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,wBAAwB,EAAE,SAAS,CAAC,CAAC;QACtD,IAAI,kBAAkB,KAAK,SAAS,EAAE,CAAC;YACrC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,oBAAoB,EAAE,kBAAkB,CAAC,CAAC;QAC7D,CAAC;QACD,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC1C,IAAI,gBAAgB,EAAE,CAAC;YACrB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,wBAAwB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QAEnE,OAAO,IAAI,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,gBAAiB,EAAE,SAAS,CAAC,CAAC,CAAC;IAClF,CAAC;IAED;;;;;;OAMG;IAGU,AAAN,KAAK,CAAC,IAAI,CACC,MAAY,EACT,OAAiB;QAEpC,MAAM,gBAAgB,GAAG,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,cAAc,CAAuB,CAAC;QACjF,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,OAAO,IAAI,kBAAkB,CAAC;gBAC5B,KAAK,EAAE,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,2CAA2C,EAAE;aAC5F,CAAC,CAAC;QACL,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,CAAC;QAC3D,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,iEAAiE;YACjE,mEAAmE;YACnE,uBAAuB;YACvB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,wBAAwB,CAAC,CAAC;YAC9C,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;YAC1C,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzC,OAAO,IAAI,kBAAkB,CAAC;gBAC5B,KAAK,EAAE,EAAE,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE,gCAAgC,EAAE;aAClF,CAAC,CAAC;QACL,CAAC;QAED,sCAAsC;QACtC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;QACxC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QACpC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,wBAAwB,CAAC,CAAC;QAE9C,MAAM,kBAAkB,GAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,oBAAoB,CAAwB,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAChH,IAAI,kBAAkB,EAAE,CAAC;YACvB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;QACrD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QAE1C,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,sBAAsB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;QAEnE,MAAM,MAAM,GAAG,kBAAkB,CAAC,CAAC,CAAC,aAAa,CAAC,kBAAkB,EAAE,IAAI,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAChG,OAAO,IAAI,EAAE,CAAC;YACZ,GAAI,QAAQ,CAAC,sBAAsB,CAAC,EAAE,cAAc,EAAE,KAAK,EAAE,CAAS;YACtE,UAAU,EAAE,kBAAkB;YAC9B,MAAM,EAAE,MAAM;SACI,CAAC,CAAC;IACxB,CAAC;IAED;;;OAGG;IACO,SAAS,CAAC,KAAwD;QAC1E,OAAO,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;IACtB,CAAC;IAED;;;OAGG;IACO,UAAU,CAAC,IAAY;QAC/B,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,UAAU,EAAE,CAAC,KAAK,EAA+B,CAAC;IAC7G,CAAC;IAED;;;OAGG;IACO,YAAY,CAAC,IAAY;QACjC,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAA8B,CAAC;IAC3D,CAAC;IAES,aAAa,CAAC,MAAY,EAAE,YAAkB,EAAE,UAAkB,EAAE,SAAiB;QAC7F,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAChF,OAAO;YACL,IAAI,EAAE,MAAM,CAAC,sBAAsB,CAAC,EAAE,cAAc,EAAE,KAAK,EAAE,CAAQ;YACrE,YAAY,EAAE,YAAY,CAAC,sBAAsB,CAAC,EAAE,cAAc,EAAE,KAAK,EAAE,CAAQ;YACnF,UAAU,EAAE,UAAU;YACtB,cAAc,EAAE,MAAM,CAAC,IAAI,IAAI,EAAE;YACjC,MAAM,EAAE,MAAM;YACd,SAAS,EAAE,SAAS;SACrB,CAAC;IACJ,CAAC;CACF,CAAA;AA/OW;IADT,UAAU,CAAC,aAAa,CAAC;8BACZ,aAAa;mDAAC;AAGlB;IADT,iBAAiB,CAAC,eAAe,CAAC;8BACP,gBAAgB;iEAAC;AAGnC;IADT,iBAAiB,CAAC,cAAc,CAAC;8BACP,eAAe;gEAAC;AAGjC;IADT,MAAM,CAAC,oCAAoC,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;;gEAClC;AAGzB;IADT,MAAM,CAAC,mCAAmC,EAAE,EAAE,YAAY,EAAE,CAAC,QAAQ,CAAa,EAAE,CAAC;;+DACnD;AAWtB;IAFZ,GAAG,CAAC,aAAa,CAAC;IAClB,MAAM,CAAC,YAAY,CAAC;IAElB,WAAA,WAAW,EAAE,CAAA;IACb,WAAA,WAAW,EAAE,CAAA;IACb,WAAA,WAAW,EAAE,CAAA;;;;uDAWf;AAmBY;IAFZ,IAAI,CAAC,aAAa,CAAC;IACnB,MAAM,CAAC,YAAY,CAAC;IAElB,WAAA,YAAY,EAAE,CAAA;IACd,WAAA,eAAe,EAAE,CAAA;IACjB,WAAA,IAAI,EAAE,CAAA;;qCAFiB,IAAI,UAEX,cAAc;;oDAuFhC;AAWY;IAFZ,GAAG,CAAC,aAAa,CAAC;IAClB,MAAM,CAAC,YAAY,CAAC;IAElB,WAAA,YAAY,EAAE,CAAA;IACd,WAAA,eAAe,EAAE,CAAA;;qCADM,IAAI;;mDA4C7B;AA5MU,uBAAuB;IADnC,QAAQ,CAAC,MAAM,CAAC;GACJ,uBAAuB,CAiPnC"}

package/lib/mjs/controllers/LoginController.d.ts

@@ -4,6 +4,7 @@ import { AuthProvider, SessionProvider, AccessControl } from '@spinajs/rbac';
 import { Configuration } from '@spinajs/configuration';
 import { ILoginResponse } from '@spinajs/rbac-http';
 import { User } from '@spinajs/rbac';
+import type { ISession } from '@spinajs/rbac';
 /**
  * Authentication endpoints.
  * Handles user login, logout, and current-session inspection.
@@ -33,19 +34,41 @@ export declare class LoginController extends BaseController {
     /**
      * Logout
      * Destroys the current session identified by the `ssid` cookie and clears the cookie on the client.
+     * If an impersonation is active, the session is NOT destroyed — instead the
+     * impersonation is ended and the original user resumes their session.
      * Requires the user to be logged in (session exists), but full authorization (2FA) is not required.
      * @security cookieAuth
      * @response 401 No active session
      */
-    logout(ssid: string): Promise<Ok<any>>;
+    logout(ssid: string, session: ISession, user: User): Promise<Ok<any>>;
     /**
      * Get current user
-     * Returns the user object associated with the current session.
+     * Returns the user object associated with the current session along with the
+     * currently active role and the full list of roles the user may switch to.
      * Requires the user to be logged in (session exists), but full authorization (2FA) is not required.
      * @security cookieAuth
-     * @returns {IUserProfile} User data from the current session
+     * @returns {User} User data from the current session
      * @response 401 No active session
      */
-    whoami(User: User): Promise<Ok<User>>;
+    whoami(User: User, ActiveRole: string): Promise<Ok<{
+        ActiveRole: string;
+        AvailableRoles: string[];
+        Email: string;
+        Password: string;
+        Id: number;
+        Uuid: string;
+        Login: string;
+        Role: string[];
+        CreatedAt: import("luxon").DateTime;
+        RegisteredAt: import("luxon").DateTime;
+        DeletedAt: import("luxon").DateTime;
+        LastLoginAt: import("luxon").DateTime;
+        IsActive: boolean;
+        IsGuest: boolean;
+        IsBanned: boolean;
+        IsDirty: boolean;
+        Metadata: Omit<import("@spinajs/orm").ModelDataWithRelationData<import("@spinajs/rbac").UserMetadataBase>, import("@spinajs/orm").ExcludedModelProperties>[];
+        PrimaryKeyValue: any;
+    }>>;
 }
 //# sourceMappingURL=LoginController.d.ts.map

package/lib/mjs/controllers/LoginController.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"LoginController.d.ts","sourceRoot":"","sources":["../../../src/controllers/LoginController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAwB,EAAE,EAAe,YAAY,EAAU,MAAM,eAAe,CAAC;AAC5G,OAAO,EAAE,YAAY,EAAE,eAAe,EAAsB,aAAa,EAAiB,MAAM,eAAe,CAAC;AAEhH,OAAO,EAA6B,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAElF,OAAO,EAAsC,cAAc,EAAmB,MAAM,oBAAoB,CAAC;AACzG,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAGrC;;;;;GAKG;AACH,qBACa,eAAgB,SAAQ,cAAc;IAEjD,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC;IAGvC,SAAS,CAAC,YAAY,EAAE,YAAY,CAAC;IAGrC,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC;IAK3C,SAAS,CAAC,qBAAqB,EAAE,MAAM,CAAC;IAKxC,SAAS,CAAC,oBAAoB,EAAE,OAAO,CAAC;IAMxC,SAAS,CAAC,sBAAsB,EAAE,OAAO,CAAC;IAG1C,SAAS,CAAC,mBAAmB,EAAE,GAAG,CAAC;IAGnC,SAAS,CAAC,EAAE,EAAE,aAAa,CAAC;IAE5B;;;;;;;;;OASG;IAEU,KAAK,CAAiB,MAAM,EAAE,IAAI,EAAgB,IAAI,EAAE,MAAM,EAAU,WAAW,EAAE,YAAY,GAAG,OAAO,CAAC,EAAE,CAAC,cAAc,CAAC,GAAG,YAAY,CAAC;IAwG3J;;;;;;OAMG;IAGU,MAAM,CAAe,IAAI,EAAE,MAAM;IA0B9C;;;;;;;OAOG;IAGU,MAAM,CAAiB,IAAI,EAAE,IAAI;CAK/C"}
+{"version":3,"file":"LoginController.d.ts","sourceRoot":"","sources":["../../../src/controllers/LoginController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAwB,EAAE,EAAe,YAAY,EAAU,MAAM,eAAe,CAAC;AAC5G,OAAO,EAAE,YAAY,EAAE,eAAe,EAAsB,aAAa,EAAiB,MAAM,eAAe,CAAC;AAEhH,OAAO,EAA6B,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAElF,OAAO,EAA+E,cAAc,EAAmB,MAAM,oBAAoB,CAAC;AAClJ,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AACrC,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAI9C;;;;;GAKG;AACH,qBACa,eAAgB,SAAQ,cAAc;IAEjD,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC;IAGvC,SAAS,CAAC,YAAY,EAAE,YAAY,CAAC;IAGrC,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC;IAK3C,SAAS,CAAC,qBAAqB,EAAE,MAAM,CAAC;IAKxC,SAAS,CAAC,oBAAoB,EAAE,OAAO,CAAC;IAMxC,SAAS,CAAC,sBAAsB,EAAE,OAAO,CAAC;IAG1C,SAAS,CAAC,mBAAmB,EAAE,GAAG,CAAC;IAGnC,SAAS,CAAC,EAAE,EAAE,aAAa,CAAC;IAE5B;;;;;;;;;OASG;IAEU,KAAK,CAAiB,MAAM,EAAE,IAAI,EAAgB,IAAI,EAAE,MAAM,EAAU,WAAW,EAAE,YAAY,GAAG,OAAO,CAAC,EAAE,CAAC,cAAc,CAAC,GAAG,YAAY,CAAC;IA+G3J;;;;;;;;OAQG;IAGU,MAAM,CAAe,IAAI,EAAE,MAAM,EAAqB,OAAO,EAAE,QAAQ,EAAkB,IAAI,EAAE,IAAI;IA6BhH;;;;;;;;OAQG;IAGU,MAAM,CAAiB,IAAI,EAAE,IAAI,EAAiB,UAAU,EAAE,MAAM;;;;;;;;;;;;;;;;;;;;CAQlF"}