@spinajs/rbac-http-user 2.0.473 → 2.0.474

package/lib/mjs/controllers/LoginController.js

@@ -13,10 +13,11 @@ var __param = (this && this.__param) || function (paramIndex, decorator) {
 import { UserLoginDto } from '../dto/userLogin-dto.js';
 import { BaseController, BasePath, Post, Body, Ok, Get, Cookie, Unauthorized, Policy } from '@spinajs/http';
 import { AuthProvider, SessionProvider, login, UserSession, AccessControl, _unwindGrants } from '@spinajs/rbac';
-import { Autoinject } from '@spinajs/di';
+import { Autoinject, DI } from '@spinajs/di';
 import { AutoinjectService, Config, Configuration } from '@spinajs/configuration';
-import { LoggedPolicy, User as UserRouteArg } from '@spinajs/rbac-http';
+import { LoggedPolicy, User as UserRouteArg, Session as SessionRouteArg, FromSession } from '@spinajs/rbac-http';
 import { User } from '@spinajs/rbac';
+import { LogoutHandler } from '../logout.js';
 /**
  * Authentication endpoints.
  * Handles user login, logout, and current-session inspection.
@@ -60,6 +61,12 @@ let LoginController = class LoginController extends BaseController {
             ];
             let result;
             session.Data.set('User', user.Uuid);
+            // Default active role = first role from the user's role list.
+            // Users with multiple roles can later switch via /auth/active-role.
+            const activeRole = user.Role?.[0];
+            if (activeRole) {
+                session.Data.set('ActiveRole', activeRole);
+            }
             // we have two states for user
             // LOGGED - when user use proper login/password and session is created
             // AUTHORIZED - when user is atuhenticated eg. by 2fa check. If 2fa is disabled
@@ -87,12 +94,12 @@ let LoginController = class LoginController extends BaseController {
             else {
                 session.Data.set('Authorized', true);
                 const grants = this.AC.getGrants();
-                const userGrants = user.Role.map(r => _unwindGrants(r, grants));
-                const combinedGrants = Object.assign({}, ...userGrants);
+                const combinedGrants = activeRole ? _unwindGrants(activeRole, grants) : {};
                 // dehydrateWithRelations({ dateTimeFormat: 'iso' }) converts DateTime to ISO strings
                 // at runtime — the ORM types don't reflect the dateTimeFormat option in generics
                 result = {
                     ...user.dehydrateWithRelations({ dateTimeFormat: "iso" }),
+                    ActiveRole: activeRole,
                     Grants: combinedGrants,
                 };
             }
@@ -117,43 +124,52 @@ let LoginController = class LoginController extends BaseController {
     /**
      * Logout
      * Destroys the current session identified by the `ssid` cookie and clears the cookie on the client.
+     * If an impersonation is active, the session is NOT destroyed — instead the
+     * impersonation is ended and the original user resumes their session.
      * Requires the user to be logged in (session exists), but full authorization (2FA) is not required.
      * @security cookieAuth
      * @response 401 No active session
      */
-    async logout(ssid) {
+    async logout(ssid, session, user) {
         if (!ssid) {
             return new Ok();
         }
-        await this.SessionProvider.delete(ssid);
-        // send empty cookie to confirm session deletion
-        return new Ok(null, {
-            Coockies: [
-                {
-                    Name: 'ssid',
-                    Value: '',
-                    Options: {
-                        httpOnly: true,
-                        maxAge: 0,
-                        // any optopnal cookie options
-                        // or override default ones
-                        ...this.SessionCookieConfig
-                    },
-                },
-            ],
-        });
+        // Delegate to the registered LogoutHandler chain. Each handler decides
+        // whether to take ownership of the response (returns non-null) or defer
+        // to the next handler. Built-ins:
+        //  - ImpersonationLogoutHandler (priority 10): reverts an active
+        //    impersonation and keeps the session alive.
+        //  - DefaultLogoutHandler (priority 999): destroys the session and clears
+        //    the ssid cookie.
+        // Apps can register additional handlers via @Injectable(LogoutHandler).
+        const handlers = await DI.resolve(Array.ofType(LogoutHandler));
+        const sorted = [...handlers].sort((a, b) => a.Priority - b.Priority);
+        const ctx = { Ssid: ssid, Session: session, User: user };
+        for (const handler of sorted) {
+            const result = await handler.handle(ctx);
+            if (result) {
+                return new Ok(result.Body ?? null, { Coockies: result.Cookies ?? [] });
+            }
+        }
+        // No handler claimed the request — should not happen as long as the
+        // default handler is registered, but return a clean response anyway.
+        return new Ok();
     }
     /**
      * Get current user
-     * Returns the user object associated with the current session.
+     * Returns the user object associated with the current session along with the
+     * currently active role and the full list of roles the user may switch to.
      * Requires the user to be logged in (session exists), but full authorization (2FA) is not required.
      * @security cookieAuth
-     * @returns {IUserProfile} User data from the current session
+     * @returns {User} User data from the current session
      * @response 401 No active session
      */
-    async whoami(User) {
-        // user is taken from session data
-        return new Ok(User);
+    async whoami(User, ActiveRole) {
+        return new Ok({
+            ...User.dehydrateWithRelations({ dateTimeFormat: 'iso' }),
+            ActiveRole: ActiveRole ?? User.Role?.[0],
+            AvailableRoles: User.Role ?? [],
+        });
     }
 };
 __decorate([
@@ -207,16 +223,19 @@ __decorate([
     Get(),
     Policy(LoggedPolicy),
     __param(0, Cookie(true)),
+    __param(1, SessionRouteArg()),
+    __param(2, UserRouteArg()),
     __metadata("design:type", Function),
-    __metadata("design:paramtypes", [String]),
+    __metadata("design:paramtypes", [String, Object, User]),
     __metadata("design:returntype", Promise)
 ], LoginController.prototype, "logout", null);
 __decorate([
     Get(),
     Policy(LoggedPolicy),
     __param(0, UserRouteArg()),
+    __param(1, FromSession()),
     __metadata("design:type", Function),
-    __metadata("design:paramtypes", [User]),
+    __metadata("design:paramtypes", [User, String]),
     __metadata("design:returntype", Promise)
 ], LoginController.prototype, "whoami", null);
 LoginController = __decorate([

package/lib/mjs/controllers/LoginController.js.map

@@ -1 +1 @@
-{"version":3,"file":"LoginController.js","sourceRoot":"","sources":["../../../src/controllers/LoginController.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AAC5G,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAChH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAElF,OAAO,EAAE,YAAY,EAAE,IAAI,IAAI,YAAY,EAAmC,MAAM,oBAAoB,CAAC;AACzG,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAGrC;;;;;GAKG;AAEI,IAAM,eAAe,GAArB,MAAM,eAAgB,SAAQ,cAAc;IAgCjD;;;;;;;;;OASG;IAEU,AAAN,KAAK,CAAC,KAAK,CAAiB,MAAY,EAAgB,IAAY,EAAU,WAAyB;QAC5G,IAAI,CAAC;YAEH,0DAA0D;YAC1D,2BAA2B;YAC3B,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;gBACnB,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC1C,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;YAClE,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAElC,MAAM,QAAQ,GAAG;gBACf;oBACE,IAAI,EAAE,MAAM;oBACZ,KAAK,EAAE,OAAO,CAAC,SAAS;oBACxB,OAAO,EAAE;wBACP,MAAM,EAAE,IAAI;wBACZ,QAAQ,EAAE,IAAI;wBAEd,4BAA4B;wBAC5B,MAAM,EAAE,IAAI,CAAC,qBAAqB,GAAG,IAAI;wBAEzC,8BAA8B;wBAC9B,2BAA2B;wBAC3B,GAAG,IAAI,CAAC,mBAAmB;qBAC5B;iBACF;aACF,CAAC;YACF,IAAI,MAAsB,CAAC;YAE3B,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAEpC,8BAA8B;YAC9B,sEAAsE;YACtE,+EAA+E;YAC/E,yDAAyD;YACzD,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YACjC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC;YAEzB,gDAAgD;YAChD,OAAO,CAAC,MAAM,EAAE,CAAC;YAIjB,IAAI,IAAI,CAAC,sBAAsB,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBACjE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,mCAAmC,EAAE;oBACnD,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB,CAAC,CAAC;gBAEH,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;gBACtC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;gBAExC,MAAM,GAAG,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAAC;YAC3C,CAAC;iBACI,IAAI,IAAI,CAAC,oBAAoB,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBAEnE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,8BAA8B,EAAE;oBAC9C,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB,CAAC,CAAC;gBAEH,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;gBACtC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;gBAExC,MAAM,GAAG,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAAC;YAC3C,CAAC;iBAAM,CAAC;gBAEN,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;gBAErC,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC;gBACnC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;gBAChE,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,GAAG,UAAU,CAAC,CAAC;gBAExD,qFAAqF;gBACrF,iFAAiF;gBACjF,MAAM,GAAG;oBACP,GAAG,IAAI,CAAC,sBAAsB,CAAC,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC;oBACzD,MAAM,EAAE,cAAc;iBACO,CAAC;YAClC,CAAC;YAGD,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,iCAAiC,EAAE;gBACjD,IAAI,EAAE,IAAI,CAAC,IAAI;aAChB,CAAC,CAAC;YAEH,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEzC,OAAO,IAAI,EAAE,CAAC,MAAM,EAAE;gBACpB,QAAQ,EAAE,QAAQ;aACnB,CAAC,CAAC;QAEL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAErB,OAAO,IAAI,YAAY,CAAC;gBACtB,KAAK,EAAE;oBACL,IAAI,EAAE,eAAe;oBACrB,OAAO,EAAE,6BAA6B;iBACvC;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IAGU,AAAN,KAAK,CAAC,MAAM,CAAe,IAAY;QAC5C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,IAAI,EAAE,EAAE,CAAC;QAClB,CAAC;QAED,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAExC,gDAAgD;QAChD,OAAO,IAAI,EAAE,CAAC,IAAI,EAAE;YAClB,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,MAAM;oBACZ,KAAK,EAAE,EAAE;oBACT,OAAO,EAAE;wBACP,QAAQ,EAAE,IAAI;wBACd,MAAM,EAAE,CAAC;wBAET,8BAA8B;wBAC9B,2BAA2B;wBAC3B,GAAG,IAAI,CAAC,mBAAmB;qBAC5B;iBACF;aACF;SACF,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IAGU,AAAN,KAAK,CAAC,MAAM,CAAiB,IAAU;QAE5C,kCAAkC;QAClC,OAAO,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC;IACtB,CAAC;CACF,CAAA;AAnMW;IADT,UAAU,EAAE;8BACY,aAAa;sDAAC;AAG7B;IADT,iBAAiB,CAAC,WAAW,CAAC;8BACP,YAAY;qDAAC;AAG3B;IADT,iBAAiB,CAAC,cAAc,CAAC;8BACP,eAAe;wDAAC;AAKjC;IAHT,MAAM,CAAC,yBAAyB,EAAE;QACjC,YAAY,EAAE,GAAG;KAClB,CAAC;;8DACsC;AAK9B;IAHT,MAAM,CAAC,4BAA4B,EAAE;QACpC,YAAY,EAAE,KAAK;KACpB,CAAC;;6DACsC;AAM9B;IAHT,MAAM,CAAC,8BAA8B,EAAE;QACtC,YAAY,EAAE,KAAK;KACpB,CAAC;;+DACwC;AAGhC;IADT,MAAM,CAAC,qBAAqB,EAAE,EAAE,CAAC;;4DACC;AAGzB;IADT,UAAU,CAAC,aAAa,CAAC;8BACZ,aAAa;2CAAC;AAaf;IADZ,IAAI,EAAE;IACa,WAAA,YAAY,EAAE,CAAA;IAAgB,WAAA,MAAM,CAAC,IAAI,CAAC,CAAA;IAAgB,WAAA,IAAI,EAAE,CAAA;;qCAAzC,IAAI,UAAmD,YAAY;;4CAsG7G;AAWY;IAFZ,GAAG,EAAE;IACL,MAAM,CAAC,YAAY,CAAC;IACA,WAAA,MAAM,CAAC,IAAI,CAAC,CAAA;;;;6CAwBhC;AAYY;IAFZ,GAAG,EAAE;IACL,MAAM,CAAC,YAAY,CAAC;IACA,WAAA,YAAY,EAAE,CAAA;;qCAAO,IAAI;;6CAI7C;AApMU,eAAe;IAD3B,QAAQ,CAAC,MAAM,CAAC;GACJ,eAAe,CAqM3B"}
+{"version":3,"file":"LoginController.js","sourceRoot":"","sources":["../../../src/controllers/LoginController.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AAC5G,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAChH,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAElF,OAAO,EAAE,YAAY,EAAE,IAAI,IAAI,YAAY,EAAE,OAAO,IAAI,eAAe,EAAE,WAAW,EAAmC,MAAM,oBAAoB,CAAC;AAClJ,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAErC,OAAO,EAAE,aAAa,EAAkB,MAAM,cAAc,CAAC;AAG7D;;;;;GAKG;AAEI,IAAM,eAAe,GAArB,MAAM,eAAgB,SAAQ,cAAc;IAgCjD;;;;;;;;;OASG;IAEU,AAAN,KAAK,CAAC,KAAK,CAAiB,MAAY,EAAgB,IAAY,EAAU,WAAyB;QAC5G,IAAI,CAAC;YAEH,0DAA0D;YAC1D,2BAA2B;YAC3B,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;gBACnB,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC1C,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,KAAK,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;YAClE,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;YAElC,MAAM,QAAQ,GAAG;gBACf;oBACE,IAAI,EAAE,MAAM;oBACZ,KAAK,EAAE,OAAO,CAAC,SAAS;oBACxB,OAAO,EAAE;wBACP,MAAM,EAAE,IAAI;wBACZ,QAAQ,EAAE,IAAI;wBAEd,4BAA4B;wBAC5B,MAAM,EAAE,IAAI,CAAC,qBAAqB,GAAG,IAAI;wBAEzC,8BAA8B;wBAC9B,2BAA2B;wBAC3B,GAAG,IAAI,CAAC,mBAAmB;qBAC5B;iBACF;aACF,CAAC;YACF,IAAI,MAAsB,CAAC;YAE3B,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAEpC,8DAA8D;YAC9D,oEAAoE;YACpE,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAClC,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;YAC7C,CAAC;YAED,8BAA8B;YAC9B,sEAAsE;YACtE,+EAA+E;YAC/E,yDAAyD;YACzD,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YACjC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC;YAEzB,gDAAgD;YAChD,OAAO,CAAC,MAAM,EAAE,CAAC;YAIjB,IAAI,IAAI,CAAC,sBAAsB,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBACjE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,mCAAmC,EAAE;oBACnD,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB,CAAC,CAAC;gBAEH,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;gBACtC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;gBAExC,MAAM,GAAG,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAAC;YAC3C,CAAC;iBACI,IAAI,IAAI,CAAC,oBAAoB,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBAEnE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,8BAA8B,EAAE;oBAC9C,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB,CAAC,CAAC;gBAEH,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;gBACtC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;gBAExC,MAAM,GAAG,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAAC;YAC3C,CAAC;iBAAM,CAAC;gBAEN,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;gBAErC,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC;gBACnC,MAAM,cAAc,GAAG,UAAU,CAAC,CAAC,CAAC,aAAa,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAE3E,qFAAqF;gBACrF,iFAAiF;gBACjF,MAAM,GAAG;oBACP,GAAG,IAAI,CAAC,sBAAsB,CAAC,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC;oBACzD,UAAU,EAAE,UAAU;oBACtB,MAAM,EAAE,cAAc;iBACO,CAAC;YAClC,CAAC;YAGD,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,iCAAiC,EAAE;gBACjD,IAAI,EAAE,IAAI,CAAC,IAAI;aAChB,CAAC,CAAC;YAEH,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEzC,OAAO,IAAI,EAAE,CAAC,MAAM,EAAE;gBACpB,QAAQ,EAAE,QAAQ;aACnB,CAAC,CAAC;QAEL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAErB,OAAO,IAAI,YAAY,CAAC;gBACtB,KAAK,EAAE;oBACL,IAAI,EAAE,eAAe;oBACrB,OAAO,EAAE,6BAA6B;iBACvC;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IAGU,AAAN,KAAK,CAAC,MAAM,CAAe,IAAY,EAAqB,OAAiB,EAAkB,IAAU;QAC9G,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,IAAI,EAAE,EAAE,CAAC;QAClB,CAAC;QAED,uEAAuE;QACvE,wEAAwE;QACxE,kCAAkC;QAClC,iEAAiE;QACjE,gDAAgD;QAChD,0EAA0E;QAC1E,sBAAsB;QACtB,wEAAwE;QACxE,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;QAErE,MAAM,GAAG,GAAmB,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;QACzE,KAAK,MAAM,OAAO,IAAI,MAAM,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACzC,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,IAAI,EAAE,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC,CAAC;YACzE,CAAC;QACH,CAAC;QAED,oEAAoE;QACpE,qEAAqE;QACrE,OAAO,IAAI,EAAE,EAAE,CAAC;IAClB,CAAC;IAED;;;;;;;;OAQG;IAGU,AAAN,KAAK,CAAC,MAAM,CAAiB,IAAU,EAAiB,UAAkB;QAE/E,OAAO,IAAI,EAAE,CAAC;YACZ,GAAG,IAAI,CAAC,sBAAsB,CAAC,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC;YACzD,UAAU,EAAE,UAAU,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;YACxC,cAAc,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE;SAChC,CAAC,CAAC;IACL,CAAC;CACF,CAAA;AAnNW;IADT,UAAU,EAAE;8BACY,aAAa;sDAAC;AAG7B;IADT,iBAAiB,CAAC,WAAW,CAAC;8BACP,YAAY;qDAAC;AAG3B;IADT,iBAAiB,CAAC,cAAc,CAAC;8BACP,eAAe;wDAAC;AAKjC;IAHT,MAAM,CAAC,yBAAyB,EAAE;QACjC,YAAY,EAAE,GAAG;KAClB,CAAC;;8DACsC;AAK9B;IAHT,MAAM,CAAC,4BAA4B,EAAE;QACpC,YAAY,EAAE,KAAK;KACpB,CAAC;;6DACsC;AAM9B;IAHT,MAAM,CAAC,8BAA8B,EAAE;QACtC,YAAY,EAAE,KAAK;KACpB,CAAC;;+DACwC;AAGhC;IADT,MAAM,CAAC,qBAAqB,EAAE,EAAE,CAAC;;4DACC;AAGzB;IADT,UAAU,CAAC,aAAa,CAAC;8BACZ,aAAa;2CAAC;AAaf;IADZ,IAAI,EAAE;IACa,WAAA,YAAY,EAAE,CAAA;IAAgB,WAAA,MAAM,CAAC,IAAI,CAAC,CAAA;IAAgB,WAAA,IAAI,EAAE,CAAA;;qCAAzC,IAAI,UAAmD,YAAY;;4CA6G7G;AAaY;IAFZ,GAAG,EAAE;IACL,MAAM,CAAC,YAAY,CAAC;IACA,WAAA,MAAM,CAAC,IAAI,CAAC,CAAA;IAAgB,WAAA,eAAe,EAAE,CAAA;IAAqB,WAAA,YAAY,EAAE,CAAA;;qDAAO,IAAI;;6CA2B/G;AAaY;IAFZ,GAAG,EAAE;IACL,MAAM,CAAC,YAAY,CAAC;IACA,WAAA,YAAY,EAAE,CAAA;IAAc,WAAA,WAAW,EAAE,CAAA;;qCAApB,IAAI;;6CAO7C;AApNU,eAAe;IAD3B,QAAQ,CAAC,MAAM,CAAC;GACJ,eAAe,CAqN3B"}

package/lib/mjs/dto/impersonate-dto.d.ts

@@ -0,0 +1,24 @@
+export declare const ImpersonateDtoSchema: {
+    $schema: string;
+    title: string;
+    type: string;
+    properties: {
+        TargetUuid: {
+            type: string;
+            format: string;
+            description: string;
+        };
+        Password: {
+            type: string;
+            maxLength: number;
+            description: string;
+        };
+    };
+    required: string[];
+};
+export declare class ImpersonateDto {
+    TargetUuid: string;
+    Password?: string;
+    constructor(data: any);
+}
+//# sourceMappingURL=impersonate-dto.d.ts.map

package/lib/mjs/dto/impersonate-dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"impersonate-dto.d.ts","sourceRoot":"","sources":["../../../src/dto/impersonate-dto.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;CAShC,CAAC;AAEF,qBACa,cAAc;IAClB,UAAU,EAAE,MAAM,CAAC;IAEnB,QAAQ,CAAC,EAAE,MAAM,CAAC;gBAEb,IAAI,EAAE,GAAG;CAGtB"}

package/lib/mjs/dto/impersonate-dto.js

@@ -0,0 +1,31 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { Schema } from '@spinajs/validation';
+export const ImpersonateDtoSchema = {
+    $schema: 'http://json-schema.org/draft-07/schema#',
+    title: 'Impersonate DTO',
+    type: 'object',
+    properties: {
+        TargetUuid: { type: 'string', format: 'uuid', description: 'UUID of the user to impersonate' },
+        Password: { type: 'string', maxLength: 32, description: 'Impersonator password (required when rbac.impersonation.requirePassword is true)' },
+    },
+    required: ['TargetUuid'],
+};
+let ImpersonateDto = class ImpersonateDto {
+    constructor(data) {
+        Object.assign(this, data);
+    }
+};
+ImpersonateDto = __decorate([
+    Schema(ImpersonateDtoSchema),
+    __metadata("design:paramtypes", [Object])
+], ImpersonateDto);
+export { ImpersonateDto };
+//# sourceMappingURL=impersonate-dto.js.map

package/lib/mjs/dto/impersonate-dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"impersonate-dto.js","sourceRoot":"","sources":["../../../src/dto/impersonate-dto.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAE7C,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,OAAO,EAAE,yCAAyC;IAClD,KAAK,EAAE,iBAAiB;IACxB,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE;QACV,UAAU,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,iCAAiC,EAAE;QAC9F,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE,WAAW,EAAE,kFAAkF,EAAE;KAC7I;IACD,QAAQ,EAAE,CAAC,YAAY,CAAC;CACzB,CAAC;AAGK,IAAM,cAAc,GAApB,MAAM,cAAc;IAKzB,YAAY,IAAS;QACnB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;CACF,CAAA;AARY,cAAc;IAD1B,MAAM,CAAC,oBAAoB,CAAC;;GAChB,cAAc,CAQ1B"}

package/lib/mjs/dto/switchRole-dto.d.ts

@@ -0,0 +1,24 @@
+export declare const SwitchRoleDtoSchema: {
+    $schema: string;
+    title: string;
+    type: string;
+    properties: {
+        Role: {
+            type: string;
+            minLength: number;
+            description: string;
+        };
+        Password: {
+            type: string;
+            maxLength: number;
+            description: string;
+        };
+    };
+    required: string[];
+};
+export declare class SwitchRoleDto {
+    Role: string;
+    Password?: string;
+    constructor(data: any);
+}
+//# sourceMappingURL=switchRole-dto.d.ts.map

package/lib/mjs/dto/switchRole-dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"switchRole-dto.d.ts","sourceRoot":"","sources":["../../../src/dto/switchRole-dto.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;CAS/B,CAAC;AAEF,qBACa,aAAa;IACjB,IAAI,EAAE,MAAM,CAAC;IAEb,QAAQ,CAAC,EAAE,MAAM,CAAC;gBAEb,IAAI,EAAE,GAAG;CAGtB"}

package/lib/mjs/dto/switchRole-dto.js

@@ -0,0 +1,31 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { Schema } from '@spinajs/validation';
+export const SwitchRoleDtoSchema = {
+    $schema: 'http://json-schema.org/draft-07/schema#',
+    title: 'Switch active role DTO',
+    type: 'object',
+    properties: {
+        Role: { type: 'string', minLength: 1, description: 'Role to activate. Must be one of the user\'s assigned roles.' },
+        Password: { type: 'string', maxLength: 32, description: 'User password. Required when activating roles listed in rbac.roleSwitch.requirePassword.' },
+    },
+    required: ['Role'],
+};
+let SwitchRoleDto = class SwitchRoleDto {
+    constructor(data) {
+        Object.assign(this, data);
+    }
+};
+SwitchRoleDto = __decorate([
+    Schema(SwitchRoleDtoSchema),
+    __metadata("design:paramtypes", [Object])
+], SwitchRoleDto);
+export { SwitchRoleDto };
+//# sourceMappingURL=switchRole-dto.js.map

package/lib/mjs/dto/switchRole-dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"switchRole-dto.js","sourceRoot":"","sources":["../../../src/dto/switchRole-dto.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAE7C,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,OAAO,EAAE,yCAAyC;IAClD,KAAK,EAAE,wBAAwB;IAC/B,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE;QACV,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,EAAE,WAAW,EAAE,8DAA8D,EAAE;QACnH,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE,WAAW,EAAE,0FAA0F,EAAE;KACrJ;IACD,QAAQ,EAAE,CAAC,MAAM,CAAC;CACnB,CAAC;AAGK,IAAM,aAAa,GAAnB,MAAM,aAAa;IAKxB,YAAY,IAAS;QACnB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;CACF,CAAA;AARY,aAAa;IADzB,MAAM,CAAC,mBAAmB,CAAC;;GACf,aAAa,CAQzB"}

package/lib/mjs/handlers/DefaultLogoutHandler.d.ts

@@ -0,0 +1,14 @@
+import { SessionProvider } from '@spinajs/rbac';
+import { LogoutHandler, ILogoutContext, ILogoutResult } from '../logout.js';
+/**
+ * Default logout handler: deletes the session and clears the ssid cookie.
+ * Runs last (priority 999) so any earlier handler can short-circuit (e.g.
+ * the impersonation revert handler) before the session is destroyed.
+ */
+export declare class DefaultLogoutHandler extends LogoutHandler {
+    Priority: number;
+    protected SessionProvider: SessionProvider;
+    protected SessionCookieConfig: Record<string, unknown>;
+    handle(context: ILogoutContext): Promise<ILogoutResult | null>;
+}
+//# sourceMappingURL=DefaultLogoutHandler.d.ts.map

package/lib/mjs/handlers/DefaultLogoutHandler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"DefaultLogoutHandler.d.ts","sourceRoot":"","sources":["../../../src/handlers/DefaultLogoutHandler.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE5E;;;;GAIG;AACH,qBACa,oBAAqB,SAAQ,aAAa;IAC9C,QAAQ,SAAO;IAGtB,SAAS,CAAC,eAAe,EAAG,eAAe,CAAC;IAG5C,SAAS,CAAC,mBAAmB,EAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAE3C,MAAM,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;CAuB5E"}

package/lib/mjs/handlers/DefaultLogoutHandler.js

@@ -0,0 +1,58 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { Injectable } from '@spinajs/di';
+import { AutoinjectService, Config } from '@spinajs/configuration';
+import { SessionProvider } from '@spinajs/rbac';
+import { LogoutHandler } from '../logout.js';
+/**
+ * Default logout handler: deletes the session and clears the ssid cookie.
+ * Runs last (priority 999) so any earlier handler can short-circuit (e.g.
+ * the impersonation revert handler) before the session is destroyed.
+ */
+let DefaultLogoutHandler = class DefaultLogoutHandler extends LogoutHandler {
+    constructor() {
+        super(...arguments);
+        this.Priority = 999;
+    }
+    async handle(context) {
+        if (!context.Ssid) {
+            // Nothing to delete; still return a result so the chain stops.
+            return { Body: null };
+        }
+        await this.SessionProvider.delete(context.Ssid);
+        return {
+            Body: null,
+            Cookies: [
+                {
+                    Name: 'ssid',
+                    Value: '',
+                    Options: {
+                        httpOnly: true,
+                        maxAge: 0,
+                        ...this.SessionCookieConfig,
+                    },
+                },
+            ],
+        };
+    }
+};
+__decorate([
+    AutoinjectService('rbac.session'),
+    __metadata("design:type", SessionProvider)
+], DefaultLogoutHandler.prototype, "SessionProvider", void 0);
+__decorate([
+    Config('rbac.session.cookie', {}),
+    __metadata("design:type", Object)
+], DefaultLogoutHandler.prototype, "SessionCookieConfig", void 0);
+DefaultLogoutHandler = __decorate([
+    Injectable(LogoutHandler)
+], DefaultLogoutHandler);
+export { DefaultLogoutHandler };
+//# sourceMappingURL=DefaultLogoutHandler.js.map

package/lib/mjs/handlers/DefaultLogoutHandler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"DefaultLogoutHandler.js","sourceRoot":"","sources":["../../../src/handlers/DefaultLogoutHandler.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AACnE,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,aAAa,EAAiC,MAAM,cAAc,CAAC;AAE5E;;;;GAIG;AAEI,IAAM,oBAAoB,GAA1B,MAAM,oBAAqB,SAAQ,aAAa;IAAhD;;QACE,aAAQ,GAAG,GAAG,CAAC;IA+BxB,CAAC;IAvBQ,KAAK,CAAC,MAAM,CAAC,OAAuB;QACzC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,+DAA+D;YAC/D,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;QACxB,CAAC;QAED,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAEhD,OAAO;YACL,IAAI,EAAE,IAAI;YACV,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAM;oBACZ,KAAK,EAAE,EAAE;oBACT,OAAO,EAAE;wBACP,QAAQ,EAAE,IAAI;wBACd,MAAM,EAAE,CAAC;wBACT,GAAG,IAAI,CAAC,mBAAmB;qBAC5B;iBACF;aACF;SACF,CAAC;IACJ,CAAC;CACF,CAAA;AA5BW;IADT,iBAAiB,CAAC,cAAc,CAAC;8BACN,eAAe;6DAAC;AAGlC;IADT,MAAM,CAAC,qBAAqB,EAAE,EAAE,CAAC;;iEACsB;AAP7C,oBAAoB;IADhC,UAAU,CAAC,aAAa,CAAC;GACb,oBAAoB,CAgChC"}

package/lib/mjs/handlers/ImpersonationLogoutHandler.d.ts

@@ -0,0 +1,18 @@
+import { SessionProvider, User } from '@spinajs/rbac';
+import { LogoutHandler, ILogoutContext, ILogoutResult } from '../logout.js';
+/**
+ * Logout handler that detects an active impersonation and reverts it instead
+ * of destroying the session. Runs early (priority 10) so it short-circuits
+ * the default session-deletion handler when applicable.
+ */
+export declare class ImpersonationLogoutHandler extends LogoutHandler {
+    Priority: number;
+    protected SessionProvider: SessionProvider;
+    handle(context: ILogoutContext): Promise<ILogoutResult | null>;
+    /**
+     * Hook for tests to intercept event emission without stubbing the module-level
+     * `_ev` ESM binding.
+     */
+    protected emitEvent(original: User, target: User): Promise<void>;
+}
+//# sourceMappingURL=ImpersonationLogoutHandler.d.ts.map

package/lib/mjs/handlers/ImpersonationLogoutHandler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ImpersonationLogoutHandler.d.ts","sourceRoot":"","sources":["../../../src/handlers/ImpersonationLogoutHandler.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,IAAI,EAA0B,MAAM,eAAe,CAAC;AAE9E,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE5E;;;;GAIG;AACH,qBACa,0BAA2B,SAAQ,aAAa;IACpD,QAAQ,SAAM;IAGrB,SAAS,CAAC,eAAe,EAAG,eAAe,CAAC;IAE/B,MAAM,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IA0B3E;;;OAGG;IACH,SAAS,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;CAGjE"}

package/lib/mjs/handlers/ImpersonationLogoutHandler.js

@@ -0,0 +1,63 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { Injectable } from '@spinajs/di';
+import { AutoinjectService } from '@spinajs/configuration';
+import { SessionProvider, User, UserImpersonationEnded } from '@spinajs/rbac';
+import { _ev } from '@spinajs/queue';
+import { LogoutHandler } from '../logout.js';
+/**
+ * Logout handler that detects an active impersonation and reverts it instead
+ * of destroying the session. Runs early (priority 10) so it short-circuits
+ * the default session-deletion handler when applicable.
+ */
+let ImpersonationLogoutHandler = class ImpersonationLogoutHandler extends LogoutHandler {
+    constructor() {
+        super(...arguments);
+        this.Priority = 10;
+    }
+    async handle(context) {
+        const session = context.Session;
+        if (!session)
+            return null;
+        const impersonatorUuid = session.Data.get('Impersonator');
+        if (!impersonatorUuid)
+            return null;
+        const original = await User.getByUuid(impersonatorUuid);
+        session.Data.set('User', original.Uuid);
+        session.Data.delete('Impersonator');
+        session.Data.delete('ImpersonationStartedAt');
+        const restoredActiveRole = session.Data.get('OriginalActiveRole') ?? original.Role?.[0];
+        if (restoredActiveRole) {
+            session.Data.set('ActiveRole', restoredActiveRole);
+        }
+        session.Data.delete('OriginalActiveRole');
+        await this.SessionProvider.save(session);
+        await this.emitEvent(original, context.User);
+        // Take ownership of the response: no cookie change — the original user's
+        // session continues.
+        return { Body: { ImpersonationEnded: true } };
+    }
+    /**
+     * Hook for tests to intercept event emission without stubbing the module-level
+     * `_ev` ESM binding.
+     */
+    emitEvent(original, target) {
+        return _ev(new UserImpersonationEnded(original, target))();
+    }
+};
+__decorate([
+    AutoinjectService('rbac.session'),
+    __metadata("design:type", SessionProvider)
+], ImpersonationLogoutHandler.prototype, "SessionProvider", void 0);
+ImpersonationLogoutHandler = __decorate([
+    Injectable(LogoutHandler)
+], ImpersonationLogoutHandler);
+export { ImpersonationLogoutHandler };
+//# sourceMappingURL=ImpersonationLogoutHandler.js.map

package/lib/mjs/handlers/ImpersonationLogoutHandler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ImpersonationLogoutHandler.js","sourceRoot":"","sources":["../../../src/handlers/ImpersonationLogoutHandler.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAC9E,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,EAAE,aAAa,EAAiC,MAAM,cAAc,CAAC;AAE5E;;;;GAIG;AAEI,IAAM,0BAA0B,GAAhC,MAAM,0BAA2B,SAAQ,aAAa;IAAtD;;QACE,aAAQ,GAAG,EAAE,CAAC;IAsCvB,CAAC;IAjCQ,KAAK,CAAC,MAAM,CAAC,OAAuB;QACzC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAChC,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAE1B,MAAM,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,cAAc,CAAuB,CAAC;QAChF,IAAI,CAAC,gBAAgB;YAAE,OAAO,IAAI,CAAC;QAEnC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;QAExD,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;QACxC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QACpC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,wBAAwB,CAAC,CAAC;QAC9C,MAAM,kBAAkB,GAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,oBAAoB,CAAwB,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAChH,IAAI,kBAAkB,EAAE,CAAC;YACvB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;QACrD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QAE1C,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzC,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QAE7C,yEAAyE;QACzE,qBAAqB;QACrB,OAAO,EAAE,IAAI,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,EAAE,CAAC;IAChD,CAAC;IAED;;;OAGG;IACO,SAAS,CAAC,QAAc,EAAE,MAAY;QAC9C,OAAO,GAAG,CAAC,IAAI,sBAAsB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;IAC7D,CAAC;CACF,CAAA;AAnCW;IADT,iBAAiB,CAAC,cAAc,CAAC;8BACN,eAAe;mEAAC;AAJjC,0BAA0B;IADtC,UAAU,CAAC,aAAa,CAAC;GACb,0BAA0B,CAuCtC"}

package/lib/mjs/index.d.ts

@@ -1,6 +1,11 @@
 import { Bootstrapper } from '@spinajs/di';
 export * from './controllers/LoginController.js';
+export * from './controllers/ActiveRoleController.js';
+export * from './controllers/ImpersonationController.js';
 export * from './controllers/UserController.js';
+export * from './logout.js';
+export * from './handlers/ImpersonationLogoutHandler.js';
+export * from './handlers/DefaultLogoutHandler.js';
 export * from './controllers/UserMetadataController.js';
 export * from "./controllers/TwoFactorAuthController.js";
 export * from "./cli/EnableUser2Fa.js";

package/lib/mjs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAc,MAAM,aAAa,CAAC;AAIvD,cAAc,kCAAkC,CAAC;AACjD,cAAc,iCAAiC,CAAC;AAChD,cAAc,yCAAyC,CAAC;AACxD,cAAc,0CAA0C,CAAC;AAEzD,cAAc,wBAAwB,CAAC;AACvC,cAAc,0BAA0B,CAAC;AAEzC,cAAc,kBAAkB,CAAC;AAGjC,qBACa,wBAAyB,SAAQ,YAAY;IAC/C,SAAS,IAAI,IAAI;CAO3B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAc,MAAM,aAAa,CAAC;AAIvD,cAAc,kCAAkC,CAAC;AACjD,cAAc,uCAAuC,CAAC;AACtD,cAAc,0CAA0C,CAAC;AACzD,cAAc,iCAAiC,CAAC;AAEhD,cAAc,aAAa,CAAC;AAC5B,cAAc,0CAA0C,CAAC;AACzD,cAAc,oCAAoC,CAAC;AACnD,cAAc,yCAAyC,CAAC;AACxD,cAAc,0CAA0C,CAAC;AAEzD,cAAc,wBAAwB,CAAC;AACvC,cAAc,0BAA0B,CAAC;AAEzC,cAAc,kBAAkB,CAAC;AAGjC,qBACa,wBAAyB,SAAQ,YAAY;IAC/C,SAAS,IAAI,IAAI;CAO3B"}

package/lib/mjs/index.js

@@ -8,7 +8,12 @@ import { Bootstrapper, Injectable } from '@spinajs/di';
 import { UserMetadataBase } from '@spinajs/rbac';
 import { TWO_FA_METATADATA_KEYS } from './2fa/Default2FaToken.js';
 export * from './controllers/LoginController.js';
+export * from './controllers/ActiveRoleController.js';
+export * from './controllers/ImpersonationController.js';
 export * from './controllers/UserController.js';
+export * from './logout.js';
+export * from './handlers/ImpersonationLogoutHandler.js';
+export * from './handlers/DefaultLogoutHandler.js';
 export * from './controllers/UserMetadataController.js';
 export * from "./controllers/TwoFactorAuthController.js";
 export * from "./cli/EnableUser2Fa.js";

package/lib/mjs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;AAAA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACjD,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAElE,cAAc,kCAAkC,CAAC;AACjD,cAAc,iCAAiC,CAAC;AAChD,cAAc,yCAAyC,CAAC;AACxD,cAAc,0CAA0C,CAAC;AAEzD,cAAc,wBAAwB,CAAC;AACvC,cAAc,0BAA0B,CAAC;AAEzC,cAAc,kBAAkB,CAAC;AAI1B,IAAM,wBAAwB,GAA9B,MAAM,wBAAyB,SAAQ,YAAY;IAC/C,SAAS;QACZ,gBAAgB,CAAC,WAAW,GAAG;YAC3B,GAAG,gBAAgB,CAAC,WAAW;YAC/B,sBAAsB,CAAC,KAAK;YAC5B,sBAAsB,CAAC,GAAG;SAC7B,CAAA;IACL,CAAC;CACJ,CAAA;AARY,wBAAwB;IADpC,UAAU,CAAC,YAAY,CAAC;GACZ,wBAAwB,CAQpC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;AAAA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACjD,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAElE,cAAc,kCAAkC,CAAC;AACjD,cAAc,uCAAuC,CAAC;AACtD,cAAc,0CAA0C,CAAC;AACzD,cAAc,iCAAiC,CAAC;AAEhD,cAAc,aAAa,CAAC;AAC5B,cAAc,0CAA0C,CAAC;AACzD,cAAc,oCAAoC,CAAC;AACnD,cAAc,yCAAyC,CAAC;AACxD,cAAc,0CAA0C,CAAC;AAEzD,cAAc,wBAAwB,CAAC;AACvC,cAAc,0BAA0B,CAAC;AAEzC,cAAc,kBAAkB,CAAC;AAI1B,IAAM,wBAAwB,GAA9B,MAAM,wBAAyB,SAAQ,YAAY;IAC/C,SAAS;QACZ,gBAAgB,CAAC,WAAW,GAAG;YAC3B,GAAG,gBAAgB,CAAC,WAAW;YAC/B,sBAAsB,CAAC,KAAK;YAC5B,sBAAsB,CAAC,GAAG;SAC7B,CAAA;IACL,CAAC;CACJ,CAAA;AARY,wBAAwB;IADpC,UAAU,CAAC,YAAY,CAAC;GACZ,wBAAwB,CAQpC"}

package/lib/mjs/logout.d.ts

@@ -0,0 +1,51 @@
+import type { ISession, User } from '@spinajs/rbac';
+/**
+ * Per-request context handed to each {@link LogoutHandler} during logout.
+ * The session may be null when the caller has no active session — handlers
+ * should treat that as a no-op.
+ */
+export interface ILogoutContext {
+    /** Raw signed session cookie value (already unsigned by the framework) */
+    Ssid: string;
+    /** Restored session, or null when none is active */
+    Session: ISession | null;
+    /** Logged-in user as resolved by RbacMiddleware */
+    User: User;
+}
+/** Cookie operation a handler may attach to its response */
+export interface ILogoutCookie {
+    Name: string;
+    Value: string;
+    Options: Record<string, unknown>;
+}
+/** Response payload a handler returns when it takes ownership of the logout */
+export interface ILogoutResult {
+    /** Response body */
+    Body?: unknown;
+    /** Cookie operations to attach */
+    Cookies?: ILogoutCookie[];
+}
+/**
+ * Pluggable logout step. Handlers are resolved via `DI.resolve(Array.ofType(LogoutHandler))`
+ * by the logout controller and executed in ascending Priority order. The first
+ * handler that returns a non-null result takes ownership of the response — the
+ * chain stops there. Returning null defers to the next handler.
+ *
+ * Built-ins:
+ *  - {@link ImpersonationLogoutHandler} (priority 10) — when an impersonation
+ *    is active, revert it and keep the session alive.
+ *  - {@link DefaultLogoutHandler} (priority 999) — destroy the session and
+ *    clear the ssid cookie.
+ *
+ * Register custom handlers with @Injectable(LogoutHandler). Choose a Priority
+ * lower than 999 to run before the default session destruction.
+ */
+export declare abstract class LogoutHandler {
+    /**
+     * Lower runs first. Default 100. The default cleanup handler runs at 999;
+     * pick a value below that to run before it.
+     */
+    Priority: number;
+    abstract handle(context: ILogoutContext): Promise<ILogoutResult | null>;
+}
+//# sourceMappingURL=logout.d.ts.map

package/lib/mjs/logout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.d.ts","sourceRoot":"","sources":["../../src/logout.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAEpD;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,0EAA0E;IAC1E,IAAI,EAAE,MAAM,CAAC;IAEb,oDAAoD;IACpD,OAAO,EAAE,QAAQ,GAAG,IAAI,CAAC;IAEzB,mDAAmD;IACnD,IAAI,EAAE,IAAI,CAAC;CACZ;AAED,4DAA4D;AAC5D,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,+EAA+E;AAC/E,MAAM,WAAW,aAAa;IAC5B,oBAAoB;IACpB,IAAI,CAAC,EAAE,OAAO,CAAC;IAEf,kCAAkC;IAClC,OAAO,CAAC,EAAE,aAAa,EAAE,CAAC;CAC3B;AAED;;;;;;;;;;;;;;GAcG;AACH,8BAAsB,aAAa;IACjC;;;OAGG;IACI,QAAQ,EAAE,MAAM,CAAO;aAEd,MAAM,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;CAC/E"}

package/lib/mjs/logout.js

@@ -0,0 +1,25 @@
+/**
+ * Pluggable logout step. Handlers are resolved via `DI.resolve(Array.ofType(LogoutHandler))`
+ * by the logout controller and executed in ascending Priority order. The first
+ * handler that returns a non-null result takes ownership of the response — the
+ * chain stops there. Returning null defers to the next handler.
+ *
+ * Built-ins:
+ *  - {@link ImpersonationLogoutHandler} (priority 10) — when an impersonation
+ *    is active, revert it and keep the session alive.
+ *  - {@link DefaultLogoutHandler} (priority 999) — destroy the session and
+ *    clear the ssid cookie.
+ *
+ * Register custom handlers with @Injectable(LogoutHandler). Choose a Priority
+ * lower than 999 to run before the default session destruction.
+ */
+export class LogoutHandler {
+    constructor() {
+        /**
+         * Lower runs first. Default 100. The default cleanup handler runs at 999;
+         * pick a value below that to run before it.
+         */
+        this.Priority = 100;
+    }
+}
+//# sourceMappingURL=logout.js.map

package/lib/mjs/logout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../src/logout.ts"],"names":[],"mappings":"AAkCA;;;;;;;;;;;;;;GAcG;AACH,MAAM,OAAgB,aAAa;IAAnC;QACE;;;WAGG;QACI,aAAQ,GAAW,GAAG,CAAC;IAGhC,CAAC;CAAA"}