@spinajs/rbac-http-user 2.0.474 → 2.0.475

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (75) hide show
  1. package/lib/cjs/controllers/LoginController.d.ts +4 -27
  2. package/lib/cjs/controllers/LoginController.d.ts.map +1 -1
  3. package/lib/cjs/controllers/LoginController.js +27 -46
  4. package/lib/cjs/controllers/LoginController.js.map +1 -1
  5. package/lib/cjs/index.d.ts +0 -5
  6. package/lib/cjs/index.d.ts.map +1 -1
  7. package/lib/cjs/index.js +0 -5
  8. package/lib/cjs/index.js.map +1 -1
  9. package/lib/mjs/controllers/LoginController.d.ts +4 -27
  10. package/lib/mjs/controllers/LoginController.d.ts.map +1 -1
  11. package/lib/mjs/controllers/LoginController.js +29 -48
  12. package/lib/mjs/controllers/LoginController.js.map +1 -1
  13. package/lib/mjs/index.d.ts +0 -5
  14. package/lib/mjs/index.d.ts.map +1 -1
  15. package/lib/mjs/index.js +0 -5
  16. package/lib/mjs/index.js.map +1 -1
  17. package/lib/tsconfig.cjs.tsbuildinfo +1 -1
  18. package/lib/tsconfig.mjs.tsbuildinfo +1 -1
  19. package/package.json +11 -11
  20. package/lib/cjs/controllers/ActiveRoleController.d.ts +0 -41
  21. package/lib/cjs/controllers/ActiveRoleController.d.ts.map +0 -1
  22. package/lib/cjs/controllers/ActiveRoleController.js +0 -135
  23. package/lib/cjs/controllers/ActiveRoleController.js.map +0 -1
  24. package/lib/cjs/controllers/ImpersonationController.d.ts +0 -72
  25. package/lib/cjs/controllers/ImpersonationController.d.ts.map +0 -1
  26. package/lib/cjs/controllers/ImpersonationController.js +0 -277
  27. package/lib/cjs/controllers/ImpersonationController.js.map +0 -1
  28. package/lib/cjs/dto/impersonate-dto.d.ts +0 -24
  29. package/lib/cjs/dto/impersonate-dto.d.ts.map +0 -1
  30. package/lib/cjs/dto/impersonate-dto.js +0 -34
  31. package/lib/cjs/dto/impersonate-dto.js.map +0 -1
  32. package/lib/cjs/dto/switchRole-dto.d.ts +0 -24
  33. package/lib/cjs/dto/switchRole-dto.d.ts.map +0 -1
  34. package/lib/cjs/dto/switchRole-dto.js +0 -34
  35. package/lib/cjs/dto/switchRole-dto.js.map +0 -1
  36. package/lib/cjs/handlers/DefaultLogoutHandler.d.ts +0 -14
  37. package/lib/cjs/handlers/DefaultLogoutHandler.d.ts.map +0 -1
  38. package/lib/cjs/handlers/DefaultLogoutHandler.js +0 -61
  39. package/lib/cjs/handlers/DefaultLogoutHandler.js.map +0 -1
  40. package/lib/cjs/handlers/ImpersonationLogoutHandler.d.ts +0 -18
  41. package/lib/cjs/handlers/ImpersonationLogoutHandler.d.ts.map +0 -1
  42. package/lib/cjs/handlers/ImpersonationLogoutHandler.js +0 -66
  43. package/lib/cjs/handlers/ImpersonationLogoutHandler.js.map +0 -1
  44. package/lib/cjs/logout.d.ts +0 -51
  45. package/lib/cjs/logout.d.ts.map +0 -1
  46. package/lib/cjs/logout.js +0 -29
  47. package/lib/cjs/logout.js.map +0 -1
  48. package/lib/mjs/controllers/ActiveRoleController.d.ts +0 -41
  49. package/lib/mjs/controllers/ActiveRoleController.d.ts.map +0 -1
  50. package/lib/mjs/controllers/ActiveRoleController.js +0 -132
  51. package/lib/mjs/controllers/ActiveRoleController.js.map +0 -1
  52. package/lib/mjs/controllers/ImpersonationController.d.ts +0 -72
  53. package/lib/mjs/controllers/ImpersonationController.d.ts.map +0 -1
  54. package/lib/mjs/controllers/ImpersonationController.js +0 -274
  55. package/lib/mjs/controllers/ImpersonationController.js.map +0 -1
  56. package/lib/mjs/dto/impersonate-dto.d.ts +0 -24
  57. package/lib/mjs/dto/impersonate-dto.d.ts.map +0 -1
  58. package/lib/mjs/dto/impersonate-dto.js +0 -31
  59. package/lib/mjs/dto/impersonate-dto.js.map +0 -1
  60. package/lib/mjs/dto/switchRole-dto.d.ts +0 -24
  61. package/lib/mjs/dto/switchRole-dto.d.ts.map +0 -1
  62. package/lib/mjs/dto/switchRole-dto.js +0 -31
  63. package/lib/mjs/dto/switchRole-dto.js.map +0 -1
  64. package/lib/mjs/handlers/DefaultLogoutHandler.d.ts +0 -14
  65. package/lib/mjs/handlers/DefaultLogoutHandler.d.ts.map +0 -1
  66. package/lib/mjs/handlers/DefaultLogoutHandler.js +0 -58
  67. package/lib/mjs/handlers/DefaultLogoutHandler.js.map +0 -1
  68. package/lib/mjs/handlers/ImpersonationLogoutHandler.d.ts +0 -18
  69. package/lib/mjs/handlers/ImpersonationLogoutHandler.d.ts.map +0 -1
  70. package/lib/mjs/handlers/ImpersonationLogoutHandler.js +0 -63
  71. package/lib/mjs/handlers/ImpersonationLogoutHandler.js.map +0 -1
  72. package/lib/mjs/logout.d.ts +0 -51
  73. package/lib/mjs/logout.d.ts.map +0 -1
  74. package/lib/mjs/logout.js +0 -25
  75. package/lib/mjs/logout.js.map +0 -1
@@ -1,34 +0,0 @@
1
- "use strict";
2
- var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
- var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
- if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
- else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
- return c > 3 && r && Object.defineProperty(target, key, r), r;
7
- };
8
- var __metadata = (this && this.__metadata) || function (k, v) {
9
- if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
- };
11
- Object.defineProperty(exports, "__esModule", { value: true });
12
- exports.ImpersonateDto = exports.ImpersonateDtoSchema = void 0;
13
- const validation_1 = require("@spinajs/validation");
14
- exports.ImpersonateDtoSchema = {
15
- $schema: 'http://json-schema.org/draft-07/schema#',
16
- title: 'Impersonate DTO',
17
- type: 'object',
18
- properties: {
19
- TargetUuid: { type: 'string', format: 'uuid', description: 'UUID of the user to impersonate' },
20
- Password: { type: 'string', maxLength: 32, description: 'Impersonator password (required when rbac.impersonation.requirePassword is true)' },
21
- },
22
- required: ['TargetUuid'],
23
- };
24
- let ImpersonateDto = class ImpersonateDto {
25
- constructor(data) {
26
- Object.assign(this, data);
27
- }
28
- };
29
- exports.ImpersonateDto = ImpersonateDto;
30
- exports.ImpersonateDto = ImpersonateDto = __decorate([
31
- (0, validation_1.Schema)(exports.ImpersonateDtoSchema),
32
- __metadata("design:paramtypes", [Object])
33
- ], ImpersonateDto);
34
- //# sourceMappingURL=impersonate-dto.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"impersonate-dto.js","sourceRoot":"","sources":["../../../src/dto/impersonate-dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oDAA6C;AAEhC,QAAA,oBAAoB,GAAG;IAClC,OAAO,EAAE,yCAAyC;IAClD,KAAK,EAAE,iBAAiB;IACxB,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE;QACV,UAAU,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,iCAAiC,EAAE;QAC9F,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE,WAAW,EAAE,kFAAkF,EAAE;KAC7I;IACD,QAAQ,EAAE,CAAC,YAAY,CAAC;CACzB,CAAC;AAGK,IAAM,cAAc,GAApB,MAAM,cAAc;IAKzB,YAAY,IAAS;QACnB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;CACF,CAAA;AARY,wCAAc;yBAAd,cAAc;IAD1B,IAAA,mBAAM,EAAC,4BAAoB,CAAC;;GAChB,cAAc,CAQ1B"}
@@ -1,24 +0,0 @@
1
- export declare const SwitchRoleDtoSchema: {
2
- $schema: string;
3
- title: string;
4
- type: string;
5
- properties: {
6
- Role: {
7
- type: string;
8
- minLength: number;
9
- description: string;
10
- };
11
- Password: {
12
- type: string;
13
- maxLength: number;
14
- description: string;
15
- };
16
- };
17
- required: string[];
18
- };
19
- export declare class SwitchRoleDto {
20
- Role: string;
21
- Password?: string;
22
- constructor(data: any);
23
- }
24
- //# sourceMappingURL=switchRole-dto.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"switchRole-dto.d.ts","sourceRoot":"","sources":["../../../src/dto/switchRole-dto.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;CAS/B,CAAC;AAEF,qBACa,aAAa;IACjB,IAAI,EAAE,MAAM,CAAC;IAEb,QAAQ,CAAC,EAAE,MAAM,CAAC;gBAEb,IAAI,EAAE,GAAG;CAGtB"}
@@ -1,34 +0,0 @@
1
- "use strict";
2
- var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
- var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
- if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
- else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
- return c > 3 && r && Object.defineProperty(target, key, r), r;
7
- };
8
- var __metadata = (this && this.__metadata) || function (k, v) {
9
- if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
- };
11
- Object.defineProperty(exports, "__esModule", { value: true });
12
- exports.SwitchRoleDto = exports.SwitchRoleDtoSchema = void 0;
13
- const validation_1 = require("@spinajs/validation");
14
- exports.SwitchRoleDtoSchema = {
15
- $schema: 'http://json-schema.org/draft-07/schema#',
16
- title: 'Switch active role DTO',
17
- type: 'object',
18
- properties: {
19
- Role: { type: 'string', minLength: 1, description: 'Role to activate. Must be one of the user\'s assigned roles.' },
20
- Password: { type: 'string', maxLength: 32, description: 'User password. Required when activating roles listed in rbac.roleSwitch.requirePassword.' },
21
- },
22
- required: ['Role'],
23
- };
24
- let SwitchRoleDto = class SwitchRoleDto {
25
- constructor(data) {
26
- Object.assign(this, data);
27
- }
28
- };
29
- exports.SwitchRoleDto = SwitchRoleDto;
30
- exports.SwitchRoleDto = SwitchRoleDto = __decorate([
31
- (0, validation_1.Schema)(exports.SwitchRoleDtoSchema),
32
- __metadata("design:paramtypes", [Object])
33
- ], SwitchRoleDto);
34
- //# sourceMappingURL=switchRole-dto.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"switchRole-dto.js","sourceRoot":"","sources":["../../../src/dto/switchRole-dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oDAA6C;AAEhC,QAAA,mBAAmB,GAAG;IACjC,OAAO,EAAE,yCAAyC;IAClD,KAAK,EAAE,wBAAwB;IAC/B,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE;QACV,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,EAAE,WAAW,EAAE,8DAA8D,EAAE;QACnH,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE,WAAW,EAAE,0FAA0F,EAAE;KACrJ;IACD,QAAQ,EAAE,CAAC,MAAM,CAAC;CACnB,CAAC;AAGK,IAAM,aAAa,GAAnB,MAAM,aAAa;IAKxB,YAAY,IAAS;QACnB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;CACF,CAAA;AARY,sCAAa;wBAAb,aAAa;IADzB,IAAA,mBAAM,EAAC,2BAAmB,CAAC;;GACf,aAAa,CAQzB"}
@@ -1,14 +0,0 @@
1
- import { SessionProvider } from '@spinajs/rbac';
2
- import { LogoutHandler, ILogoutContext, ILogoutResult } from '../logout.js';
3
- /**
4
- * Default logout handler: deletes the session and clears the ssid cookie.
5
- * Runs last (priority 999) so any earlier handler can short-circuit (e.g.
6
- * the impersonation revert handler) before the session is destroyed.
7
- */
8
- export declare class DefaultLogoutHandler extends LogoutHandler {
9
- Priority: number;
10
- protected SessionProvider: SessionProvider;
11
- protected SessionCookieConfig: Record<string, unknown>;
12
- handle(context: ILogoutContext): Promise<ILogoutResult | null>;
13
- }
14
- //# sourceMappingURL=DefaultLogoutHandler.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"DefaultLogoutHandler.d.ts","sourceRoot":"","sources":["../../../src/handlers/DefaultLogoutHandler.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE5E;;;;GAIG;AACH,qBACa,oBAAqB,SAAQ,aAAa;IAC9C,QAAQ,SAAO;IAGtB,SAAS,CAAC,eAAe,EAAG,eAAe,CAAC;IAG5C,SAAS,CAAC,mBAAmB,EAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAE3C,MAAM,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;CAuB5E"}
@@ -1,61 +0,0 @@
1
- "use strict";
2
- var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
- var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
- if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
- else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
- return c > 3 && r && Object.defineProperty(target, key, r), r;
7
- };
8
- var __metadata = (this && this.__metadata) || function (k, v) {
9
- if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
- };
11
- Object.defineProperty(exports, "__esModule", { value: true });
12
- exports.DefaultLogoutHandler = void 0;
13
- const di_1 = require("@spinajs/di");
14
- const configuration_1 = require("@spinajs/configuration");
15
- const rbac_1 = require("@spinajs/rbac");
16
- const logout_js_1 = require("../logout.js");
17
- /**
18
- * Default logout handler: deletes the session and clears the ssid cookie.
19
- * Runs last (priority 999) so any earlier handler can short-circuit (e.g.
20
- * the impersonation revert handler) before the session is destroyed.
21
- */
22
- let DefaultLogoutHandler = class DefaultLogoutHandler extends logout_js_1.LogoutHandler {
23
- constructor() {
24
- super(...arguments);
25
- this.Priority = 999;
26
- }
27
- async handle(context) {
28
- if (!context.Ssid) {
29
- // Nothing to delete; still return a result so the chain stops.
30
- return { Body: null };
31
- }
32
- await this.SessionProvider.delete(context.Ssid);
33
- return {
34
- Body: null,
35
- Cookies: [
36
- {
37
- Name: 'ssid',
38
- Value: '',
39
- Options: {
40
- httpOnly: true,
41
- maxAge: 0,
42
- ...this.SessionCookieConfig,
43
- },
44
- },
45
- ],
46
- };
47
- }
48
- };
49
- exports.DefaultLogoutHandler = DefaultLogoutHandler;
50
- __decorate([
51
- (0, configuration_1.AutoinjectService)('rbac.session'),
52
- __metadata("design:type", rbac_1.SessionProvider)
53
- ], DefaultLogoutHandler.prototype, "SessionProvider", void 0);
54
- __decorate([
55
- (0, configuration_1.Config)('rbac.session.cookie', {}),
56
- __metadata("design:type", Object)
57
- ], DefaultLogoutHandler.prototype, "SessionCookieConfig", void 0);
58
- exports.DefaultLogoutHandler = DefaultLogoutHandler = __decorate([
59
- (0, di_1.Injectable)(logout_js_1.LogoutHandler)
60
- ], DefaultLogoutHandler);
61
- //# sourceMappingURL=DefaultLogoutHandler.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"DefaultLogoutHandler.js","sourceRoot":"","sources":["../../../src/handlers/DefaultLogoutHandler.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oCAAyC;AACzC,0DAAmE;AACnE,wCAAgD;AAChD,4CAA4E;AAE5E;;;;GAIG;AAEI,IAAM,oBAAoB,GAA1B,MAAM,oBAAqB,SAAQ,yBAAa;IAAhD;;QACE,aAAQ,GAAG,GAAG,CAAC;IA+BxB,CAAC;IAvBQ,KAAK,CAAC,MAAM,CAAC,OAAuB;QACzC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,+DAA+D;YAC/D,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;QACxB,CAAC;QAED,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAEhD,OAAO;YACL,IAAI,EAAE,IAAI;YACV,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAM;oBACZ,KAAK,EAAE,EAAE;oBACT,OAAO,EAAE;wBACP,QAAQ,EAAE,IAAI;wBACd,MAAM,EAAE,CAAC;wBACT,GAAG,IAAI,CAAC,mBAAmB;qBAC5B;iBACF;aACF;SACF,CAAC;IACJ,CAAC;CACF,CAAA;AAhCY,oDAAoB;AAIrB;IADT,IAAA,iCAAiB,EAAC,cAAc,CAAC;8BACN,sBAAe;6DAAC;AAGlC;IADT,IAAA,sBAAM,EAAC,qBAAqB,EAAE,EAAE,CAAC;;iEACsB;+BAP7C,oBAAoB;IADhC,IAAA,eAAU,EAAC,yBAAa,CAAC;GACb,oBAAoB,CAgChC"}
@@ -1,18 +0,0 @@
1
- import { SessionProvider, User } from '@spinajs/rbac';
2
- import { LogoutHandler, ILogoutContext, ILogoutResult } from '../logout.js';
3
- /**
4
- * Logout handler that detects an active impersonation and reverts it instead
5
- * of destroying the session. Runs early (priority 10) so it short-circuits
6
- * the default session-deletion handler when applicable.
7
- */
8
- export declare class ImpersonationLogoutHandler extends LogoutHandler {
9
- Priority: number;
10
- protected SessionProvider: SessionProvider;
11
- handle(context: ILogoutContext): Promise<ILogoutResult | null>;
12
- /**
13
- * Hook for tests to intercept event emission without stubbing the module-level
14
- * `_ev` ESM binding.
15
- */
16
- protected emitEvent(original: User, target: User): Promise<void>;
17
- }
18
- //# sourceMappingURL=ImpersonationLogoutHandler.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"ImpersonationLogoutHandler.d.ts","sourceRoot":"","sources":["../../../src/handlers/ImpersonationLogoutHandler.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,IAAI,EAA0B,MAAM,eAAe,CAAC;AAE9E,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE5E;;;;GAIG;AACH,qBACa,0BAA2B,SAAQ,aAAa;IACpD,QAAQ,SAAM;IAGrB,SAAS,CAAC,eAAe,EAAG,eAAe,CAAC;IAE/B,MAAM,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IA0B3E;;;OAGG;IACH,SAAS,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;CAGjE"}
@@ -1,66 +0,0 @@
1
- "use strict";
2
- var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
- var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
- if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
- else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
- return c > 3 && r && Object.defineProperty(target, key, r), r;
7
- };
8
- var __metadata = (this && this.__metadata) || function (k, v) {
9
- if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
- };
11
- Object.defineProperty(exports, "__esModule", { value: true });
12
- exports.ImpersonationLogoutHandler = void 0;
13
- const di_1 = require("@spinajs/di");
14
- const configuration_1 = require("@spinajs/configuration");
15
- const rbac_1 = require("@spinajs/rbac");
16
- const queue_1 = require("@spinajs/queue");
17
- const logout_js_1 = require("../logout.js");
18
- /**
19
- * Logout handler that detects an active impersonation and reverts it instead
20
- * of destroying the session. Runs early (priority 10) so it short-circuits
21
- * the default session-deletion handler when applicable.
22
- */
23
- let ImpersonationLogoutHandler = class ImpersonationLogoutHandler extends logout_js_1.LogoutHandler {
24
- constructor() {
25
- super(...arguments);
26
- this.Priority = 10;
27
- }
28
- async handle(context) {
29
- const session = context.Session;
30
- if (!session)
31
- return null;
32
- const impersonatorUuid = session.Data.get('Impersonator');
33
- if (!impersonatorUuid)
34
- return null;
35
- const original = await rbac_1.User.getByUuid(impersonatorUuid);
36
- session.Data.set('User', original.Uuid);
37
- session.Data.delete('Impersonator');
38
- session.Data.delete('ImpersonationStartedAt');
39
- const restoredActiveRole = session.Data.get('OriginalActiveRole') ?? original.Role?.[0];
40
- if (restoredActiveRole) {
41
- session.Data.set('ActiveRole', restoredActiveRole);
42
- }
43
- session.Data.delete('OriginalActiveRole');
44
- await this.SessionProvider.save(session);
45
- await this.emitEvent(original, context.User);
46
- // Take ownership of the response: no cookie change — the original user's
47
- // session continues.
48
- return { Body: { ImpersonationEnded: true } };
49
- }
50
- /**
51
- * Hook for tests to intercept event emission without stubbing the module-level
52
- * `_ev` ESM binding.
53
- */
54
- emitEvent(original, target) {
55
- return (0, queue_1._ev)(new rbac_1.UserImpersonationEnded(original, target))();
56
- }
57
- };
58
- exports.ImpersonationLogoutHandler = ImpersonationLogoutHandler;
59
- __decorate([
60
- (0, configuration_1.AutoinjectService)('rbac.session'),
61
- __metadata("design:type", rbac_1.SessionProvider)
62
- ], ImpersonationLogoutHandler.prototype, "SessionProvider", void 0);
63
- exports.ImpersonationLogoutHandler = ImpersonationLogoutHandler = __decorate([
64
- (0, di_1.Injectable)(logout_js_1.LogoutHandler)
65
- ], ImpersonationLogoutHandler);
66
- //# sourceMappingURL=ImpersonationLogoutHandler.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"ImpersonationLogoutHandler.js","sourceRoot":"","sources":["../../../src/handlers/ImpersonationLogoutHandler.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oCAAyC;AACzC,0DAA2D;AAC3D,wCAA8E;AAC9E,0CAAqC;AACrC,4CAA4E;AAE5E;;;;GAIG;AAEI,IAAM,0BAA0B,GAAhC,MAAM,0BAA2B,SAAQ,yBAAa;IAAtD;;QACE,aAAQ,GAAG,EAAE,CAAC;IAsCvB,CAAC;IAjCQ,KAAK,CAAC,MAAM,CAAC,OAAuB;QACzC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAChC,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAE1B,MAAM,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,cAAc,CAAuB,CAAC;QAChF,IAAI,CAAC,gBAAgB;YAAE,OAAO,IAAI,CAAC;QAEnC,MAAM,QAAQ,GAAG,MAAM,WAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;QAExD,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;QACxC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QACpC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,wBAAwB,CAAC,CAAC;QAC9C,MAAM,kBAAkB,GAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,oBAAoB,CAAwB,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAChH,IAAI,kBAAkB,EAAE,CAAC;YACvB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;QACrD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QAE1C,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzC,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QAE7C,yEAAyE;QACzE,qBAAqB;QACrB,OAAO,EAAE,IAAI,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,EAAE,CAAC;IAChD,CAAC;IAED;;;OAGG;IACO,SAAS,CAAC,QAAc,EAAE,MAAY;QAC9C,OAAO,IAAA,WAAG,EAAC,IAAI,6BAAsB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;IAC7D,CAAC;CACF,CAAA;AAvCY,gEAA0B;AAI3B;IADT,IAAA,iCAAiB,EAAC,cAAc,CAAC;8BACN,sBAAe;mEAAC;qCAJjC,0BAA0B;IADtC,IAAA,eAAU,EAAC,yBAAa,CAAC;GACb,0BAA0B,CAuCtC"}
@@ -1,51 +0,0 @@
1
- import type { ISession, User } from '@spinajs/rbac';
2
- /**
3
- * Per-request context handed to each {@link LogoutHandler} during logout.
4
- * The session may be null when the caller has no active session — handlers
5
- * should treat that as a no-op.
6
- */
7
- export interface ILogoutContext {
8
- /** Raw signed session cookie value (already unsigned by the framework) */
9
- Ssid: string;
10
- /** Restored session, or null when none is active */
11
- Session: ISession | null;
12
- /** Logged-in user as resolved by RbacMiddleware */
13
- User: User;
14
- }
15
- /** Cookie operation a handler may attach to its response */
16
- export interface ILogoutCookie {
17
- Name: string;
18
- Value: string;
19
- Options: Record<string, unknown>;
20
- }
21
- /** Response payload a handler returns when it takes ownership of the logout */
22
- export interface ILogoutResult {
23
- /** Response body */
24
- Body?: unknown;
25
- /** Cookie operations to attach */
26
- Cookies?: ILogoutCookie[];
27
- }
28
- /**
29
- * Pluggable logout step. Handlers are resolved via `DI.resolve(Array.ofType(LogoutHandler))`
30
- * by the logout controller and executed in ascending Priority order. The first
31
- * handler that returns a non-null result takes ownership of the response — the
32
- * chain stops there. Returning null defers to the next handler.
33
- *
34
- * Built-ins:
35
- * - {@link ImpersonationLogoutHandler} (priority 10) — when an impersonation
36
- * is active, revert it and keep the session alive.
37
- * - {@link DefaultLogoutHandler} (priority 999) — destroy the session and
38
- * clear the ssid cookie.
39
- *
40
- * Register custom handlers with @Injectable(LogoutHandler). Choose a Priority
41
- * lower than 999 to run before the default session destruction.
42
- */
43
- export declare abstract class LogoutHandler {
44
- /**
45
- * Lower runs first. Default 100. The default cleanup handler runs at 999;
46
- * pick a value below that to run before it.
47
- */
48
- Priority: number;
49
- abstract handle(context: ILogoutContext): Promise<ILogoutResult | null>;
50
- }
51
- //# sourceMappingURL=logout.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"logout.d.ts","sourceRoot":"","sources":["../../src/logout.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAEpD;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,0EAA0E;IAC1E,IAAI,EAAE,MAAM,CAAC;IAEb,oDAAoD;IACpD,OAAO,EAAE,QAAQ,GAAG,IAAI,CAAC;IAEzB,mDAAmD;IACnD,IAAI,EAAE,IAAI,CAAC;CACZ;AAED,4DAA4D;AAC5D,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,+EAA+E;AAC/E,MAAM,WAAW,aAAa;IAC5B,oBAAoB;IACpB,IAAI,CAAC,EAAE,OAAO,CAAC;IAEf,kCAAkC;IAClC,OAAO,CAAC,EAAE,aAAa,EAAE,CAAC;CAC3B;AAED;;;;;;;;;;;;;;GAcG;AACH,8BAAsB,aAAa;IACjC;;;OAGG;IACI,QAAQ,EAAE,MAAM,CAAO;aAEd,MAAM,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;CAC/E"}
package/lib/cjs/logout.js DELETED
@@ -1,29 +0,0 @@
1
- "use strict";
2
- Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.LogoutHandler = void 0;
4
- /**
5
- * Pluggable logout step. Handlers are resolved via `DI.resolve(Array.ofType(LogoutHandler))`
6
- * by the logout controller and executed in ascending Priority order. The first
7
- * handler that returns a non-null result takes ownership of the response — the
8
- * chain stops there. Returning null defers to the next handler.
9
- *
10
- * Built-ins:
11
- * - {@link ImpersonationLogoutHandler} (priority 10) — when an impersonation
12
- * is active, revert it and keep the session alive.
13
- * - {@link DefaultLogoutHandler} (priority 999) — destroy the session and
14
- * clear the ssid cookie.
15
- *
16
- * Register custom handlers with @Injectable(LogoutHandler). Choose a Priority
17
- * lower than 999 to run before the default session destruction.
18
- */
19
- class LogoutHandler {
20
- constructor() {
21
- /**
22
- * Lower runs first. Default 100. The default cleanup handler runs at 999;
23
- * pick a value below that to run before it.
24
- */
25
- this.Priority = 100;
26
- }
27
- }
28
- exports.LogoutHandler = LogoutHandler;
29
- //# sourceMappingURL=logout.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"logout.js","sourceRoot":"","sources":["../../src/logout.ts"],"names":[],"mappings":";;;AAkCA;;;;;;;;;;;;;;GAcG;AACH,MAAsB,aAAa;IAAnC;QACE;;;WAGG;QACI,aAAQ,GAAW,GAAG,CAAC;IAGhC,CAAC;CAAA;AARD,sCAQC"}
@@ -1,41 +0,0 @@
1
- import { SwitchRoleDto } from '../dto/switchRole-dto.js';
2
- import { BaseController, Ok, BadRequestResponse, Unauthorized } from '@spinajs/http';
3
- import { AccessControl, AuthProvider, PasswordProvider, SessionProvider } from '@spinajs/rbac';
4
- import type { ISession, User } from '@spinajs/rbac';
5
- import { IActiveRoleResponse } from '@spinajs/rbac-http';
6
- /**
7
- * Active role endpoints.
8
- * Let users with multiple roles inspect and switch the currently active role.
9
- * The active role drives all request-bound permission checks; the user's full
10
- * role list remains available so they can switch back at any time.
11
- * @tags Authentication
12
- */
13
- export declare class ActiveRoleController extends BaseController {
14
- protected AC: AccessControl;
15
- protected AuthProvider: AuthProvider;
16
- protected PasswordProvider: PasswordProvider;
17
- protected SessionProvider: SessionProvider;
18
- protected RolesRequiringPassword: string[];
19
- /**
20
- * Get active role
21
- * Returns the currently active role for the session, all roles the user may switch to,
22
- * and the RBAC grants resolved for the active role.
23
- * @security cookieAuth
24
- * @returns {IActiveRoleResponse}
25
- * @response 401 No active session
26
- */
27
- getActiveRole(user: User, ActiveRole: string): Promise<Ok<IActiveRoleResponse>>;
28
- /**
29
- * Switch active role
30
- * Switches the active role for the current session. The requested role must be one of
31
- * the user's assigned roles. If the role is listed in `rbac.roleSwitch.requirePassword`,
32
- * the user's password must also be provided and is re-verified.
33
- * @security cookieAuth
34
- * @returns {IActiveRoleResponse}
35
- * @response 400 Requested role is not assigned to the user
36
- * @response 401 Password verification required or failed
37
- */
38
- switchActiveRole(user: User, session: ISession, payload: SwitchRoleDto): Promise<Ok<IActiveRoleResponse> | BadRequestResponse | Unauthorized>;
39
- protected buildResponse(user: User, activeRole: string): IActiveRoleResponse;
40
- }
41
- //# sourceMappingURL=ActiveRoleController.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"ActiveRoleController.d.ts","sourceRoot":"","sources":["../../../src/controllers/ActiveRoleController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,cAAc,EAAwB,EAAE,EAAO,kBAAkB,EAAE,YAAY,EAAU,MAAM,eAAe,CAAC;AACxH,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAiB,MAAM,eAAe,CAAC;AAC9G,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAGpD,OAAO,EAA+E,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAEtI;;;;;;GAMG;AACH,qBACa,oBAAqB,SAAQ,cAAc;IAEtD,SAAS,CAAC,EAAE,EAAE,aAAa,CAAC;IAG5B,SAAS,CAAC,YAAY,EAAE,YAAY,CAAC;IAGrC,SAAS,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;IAG7C,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC;IAG3C,SAAS,CAAC,sBAAsB,EAAE,MAAM,EAAE,CAAC;IAE3C;;;;;;;OAOG;IAGU,aAAa,CAAiB,IAAI,EAAE,IAAI,EAAiB,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC,mBAAmB,CAAC,CAAC;IAI3H;;;;;;;;;OASG;IAGU,gBAAgB,CACX,IAAI,EAAE,IAAI,EACP,OAAO,EAAE,QAAQ,EAC5B,OAAO,EAAE,aAAa,GAC7B,OAAO,CAAC,EAAE,CAAC,mBAAmB,CAAC,GAAG,kBAAkB,GAAG,YAAY,CAAC;IAqCvE,SAAS,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB;CAQ7E"}
@@ -1,132 +0,0 @@
1
- var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
2
- var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
3
- if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
4
- else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
5
- return c > 3 && r && Object.defineProperty(target, key, r), r;
6
- };
7
- var __metadata = (this && this.__metadata) || function (k, v) {
8
- if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
9
- };
10
- var __param = (this && this.__param) || function (paramIndex, decorator) {
11
- return function (target, key) { decorator(target, key, paramIndex); }
12
- };
13
- import { SwitchRoleDto } from '../dto/switchRole-dto.js';
14
- import { BaseController, BasePath, Post, Body, Ok, Get, BadRequestResponse, Unauthorized, Policy } from '@spinajs/http';
15
- import { AccessControl, AuthProvider, PasswordProvider, SessionProvider, _unwindGrants } from '@spinajs/rbac';
16
- import { Autoinject } from '@spinajs/di';
17
- import { AutoinjectService, Config } from '@spinajs/configuration';
18
- import { LoggedPolicy, User as UserRouteArg, Session as SessionRouteArg, FromSession } from '@spinajs/rbac-http';
19
- /**
20
- * Active role endpoints.
21
- * Let users with multiple roles inspect and switch the currently active role.
22
- * The active role drives all request-bound permission checks; the user's full
23
- * role list remains available so they can switch back at any time.
24
- * @tags Authentication
25
- */
26
- let ActiveRoleController = class ActiveRoleController extends BaseController {
27
- /**
28
- * Get active role
29
- * Returns the currently active role for the session, all roles the user may switch to,
30
- * and the RBAC grants resolved for the active role.
31
- * @security cookieAuth
32
- * @returns {IActiveRoleResponse}
33
- * @response 401 No active session
34
- */
35
- async getActiveRole(user, ActiveRole) {
36
- return new Ok(this.buildResponse(user, ActiveRole ?? user.Role?.[0]));
37
- }
38
- /**
39
- * Switch active role
40
- * Switches the active role for the current session. The requested role must be one of
41
- * the user's assigned roles. If the role is listed in `rbac.roleSwitch.requirePassword`,
42
- * the user's password must also be provided and is re-verified.
43
- * @security cookieAuth
44
- * @returns {IActiveRoleResponse}
45
- * @response 400 Requested role is not assigned to the user
46
- * @response 401 Password verification required or failed
47
- */
48
- async switchActiveRole(user, session, payload) {
49
- if (!user.Role?.includes(payload.Role)) {
50
- return new BadRequestResponse({
51
- error: {
52
- code: 'E_ROLE_NOT_ASSIGNED',
53
- message: `Role '${payload.Role}' is not assigned to user`,
54
- },
55
- });
56
- }
57
- if (this.RolesRequiringPassword?.includes(payload.Role)) {
58
- if (!payload.Password) {
59
- return new Unauthorized({
60
- error: {
61
- code: 'E_PASSWORD_REQUIRED',
62
- message: `Password is required to activate role '${payload.Role}'`,
63
- },
64
- });
65
- }
66
- const valid = await this.PasswordProvider.verify(user.Password, payload.Password);
67
- if (!valid) {
68
- return new Unauthorized({
69
- error: {
70
- code: 'E_PASSWORD_INVALID',
71
- message: 'Invalid password',
72
- },
73
- });
74
- }
75
- }
76
- session.Data.set('ActiveRole', payload.Role);
77
- await this.SessionProvider.save(session);
78
- return new Ok(this.buildResponse(user, payload.Role));
79
- }
80
- buildResponse(user, activeRole) {
81
- const grants = activeRole ? _unwindGrants(activeRole, this.AC.getGrants()) : {};
82
- return {
83
- ActiveRole: activeRole,
84
- AvailableRoles: user.Role ?? [],
85
- Grants: grants,
86
- };
87
- }
88
- };
89
- __decorate([
90
- Autoinject(AccessControl),
91
- __metadata("design:type", AccessControl)
92
- ], ActiveRoleController.prototype, "AC", void 0);
93
- __decorate([
94
- AutoinjectService('rbac.auth'),
95
- __metadata("design:type", AuthProvider)
96
- ], ActiveRoleController.prototype, "AuthProvider", void 0);
97
- __decorate([
98
- AutoinjectService('rbac.password'),
99
- __metadata("design:type", PasswordProvider)
100
- ], ActiveRoleController.prototype, "PasswordProvider", void 0);
101
- __decorate([
102
- AutoinjectService('rbac.session'),
103
- __metadata("design:type", SessionProvider)
104
- ], ActiveRoleController.prototype, "SessionProvider", void 0);
105
- __decorate([
106
- Config('rbac.roleSwitch.requirePassword', { defaultValue: [] }),
107
- __metadata("design:type", Array)
108
- ], ActiveRoleController.prototype, "RolesRequiringPassword", void 0);
109
- __decorate([
110
- Get('active-role'),
111
- Policy(LoggedPolicy),
112
- __param(0, UserRouteArg()),
113
- __param(1, FromSession()),
114
- __metadata("design:type", Function),
115
- __metadata("design:paramtypes", [Function, String]),
116
- __metadata("design:returntype", Promise)
117
- ], ActiveRoleController.prototype, "getActiveRole", null);
118
- __decorate([
119
- Post('active-role'),
120
- Policy(LoggedPolicy),
121
- __param(0, UserRouteArg()),
122
- __param(1, SessionRouteArg()),
123
- __param(2, Body()),
124
- __metadata("design:type", Function),
125
- __metadata("design:paramtypes", [Function, Object, SwitchRoleDto]),
126
- __metadata("design:returntype", Promise)
127
- ], ActiveRoleController.prototype, "switchActiveRole", null);
128
- ActiveRoleController = __decorate([
129
- BasePath('auth')
130
- ], ActiveRoleController);
131
- export { ActiveRoleController };
132
- //# sourceMappingURL=ActiveRoleController.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"ActiveRoleController.js","sourceRoot":"","sources":["../../../src/controllers/ActiveRoleController.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AACxH,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAE9G,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,IAAI,IAAI,YAAY,EAAE,OAAO,IAAI,eAAe,EAAE,WAAW,EAAuB,MAAM,oBAAoB,CAAC;AAEtI;;;;;;GAMG;AAEI,IAAM,oBAAoB,GAA1B,MAAM,oBAAqB,SAAQ,cAAc;IAgBtD;;;;;;;OAOG;IAGU,AAAN,KAAK,CAAC,aAAa,CAAiB,IAAU,EAAiB,UAAkB;QACtF,OAAO,IAAI,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,UAAU,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACxE,CAAC;IAED;;;;;;;;;OASG;IAGU,AAAN,KAAK,CAAC,gBAAgB,CACX,IAAU,EACP,OAAiB,EAC5B,OAAsB;QAE9B,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,OAAO,IAAI,kBAAkB,CAAC;gBAC5B,KAAK,EAAE;oBACL,IAAI,EAAE,qBAAqB;oBAC3B,OAAO,EAAE,SAAS,OAAO,CAAC,IAAI,2BAA2B;iBAC1D;aACF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,sBAAsB,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxD,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACtB,OAAO,IAAI,YAAY,CAAC;oBACtB,KAAK,EAAE;wBACL,IAAI,EAAE,qBAAqB;wBAC3B,OAAO,EAAE,0CAA0C,OAAO,CAAC,IAAI,GAAG;qBACnE;iBACF,CAAC,CAAC;YACL,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;YAClF,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,IAAI,YAAY,CAAC;oBACtB,KAAK,EAAE;wBACL,IAAI,EAAE,oBAAoB;wBAC1B,OAAO,EAAE,kBAAkB;qBAC5B;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7C,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEzC,OAAO,IAAI,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACxD,CAAC;IAES,aAAa,CAAC,IAAU,EAAE,UAAkB;QACpD,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAChF,OAAO;YACL,UAAU,EAAE,UAAU;YACtB,cAAc,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE;YAC/B,MAAM,EAAE,MAAM;SACf,CAAC;IACJ,CAAC;CACF,CAAA;AAzFW;IADT,UAAU,CAAC,aAAa,CAAC;8BACZ,aAAa;gDAAC;AAGlB;IADT,iBAAiB,CAAC,WAAW,CAAC;8BACP,YAAY;0DAAC;AAG3B;IADT,iBAAiB,CAAC,eAAe,CAAC;8BACP,gBAAgB;8DAAC;AAGnC;IADT,iBAAiB,CAAC,cAAc,CAAC;8BACP,eAAe;6DAAC;AAGjC;IADT,MAAM,CAAC,iCAAiC,EAAE,EAAE,YAAY,EAAE,EAAc,EAAE,CAAC;;oEACjC;AAY9B;IAFZ,GAAG,CAAC,aAAa,CAAC;IAClB,MAAM,CAAC,YAAY,CAAC;IACO,WAAA,YAAY,EAAE,CAAA;IAAc,WAAA,WAAW,EAAE,CAAA;;;;yDAEpE;AAcY;IAFZ,IAAI,CAAC,aAAa,CAAC;IACnB,MAAM,CAAC,YAAY,CAAC;IAElB,WAAA,YAAY,EAAE,CAAA;IACd,WAAA,eAAe,EAAE,CAAA;IACjB,WAAA,IAAI,EAAE,CAAA;;uDAAU,aAAa;;4DAoC/B;AAjFU,oBAAoB;IADhC,QAAQ,CAAC,MAAM,CAAC;GACJ,oBAAoB,CA2FhC"}
@@ -1,72 +0,0 @@
1
- import { ImpersonateDto } from '../dto/impersonate-dto.js';
2
- import { BaseController, Ok, BadRequestResponse, Unauthorized, ForbiddenResponse, Conflict, NotFound } from '@spinajs/http';
3
- import { AccessControl, PasswordProvider, SessionProvider, User, UserImpersonationStarted, UserImpersonationEnded } from '@spinajs/rbac';
4
- import type { ISession } from '@spinajs/rbac';
5
- import { IImpersonationResponse, IImpersonationState, IUserWithGrants } from '@spinajs/rbac-http';
6
- /**
7
- * Impersonation endpoints.
8
- *
9
- * A user holding `createAny` on the virtual resource `user:impersonate` can
10
- * temporarily act as another user. While impersonation is active, the session
11
- * carries both identities — `User` is the target, `Impersonator` is the
12
- * original. Permission checks therefore "see" the target by default; the
13
- * original is preserved only for audit and for ending the impersonation.
14
- *
15
- * @tags Authentication
16
- */
17
- export declare class ImpersonationController extends BaseController {
18
- protected AC: AccessControl;
19
- protected PasswordProvider: PasswordProvider;
20
- protected SessionProvider: SessionProvider;
21
- protected RequirePassword: boolean;
22
- protected ProtectedRoles: string[];
23
- /**
24
- * Get impersonation state
25
- * Returns whether an impersonation is currently active for this session.
26
- * @security cookieAuth
27
- * @returns {IImpersonationState}
28
- * @response 401 No active session
29
- */
30
- getState(Impersonator: string, User: string, ImpersonationStartedAt: string): Promise<Ok<IImpersonationState>>;
31
- /**
32
- * Start impersonation
33
- * Begins impersonating the target user. The caller must have `createAny` on
34
- * virtual resource `user:impersonate`. The target must not hold any role in
35
- * `rbac.impersonation.protectedRoles` and must not have effective grants
36
- * exceeding the caller's. If `rbac.impersonation.requirePassword` is true,
37
- * the caller's password must be supplied and is verified.
38
- * @security cookieAuth
39
- * @returns {IImpersonationResponse}
40
- * @response 400 Target equals caller or invalid payload
41
- * @response 401 Password required or invalid
42
- * @response 403 Caller lacks permission, target is protected, or escalation detected
43
- * @response 404 Target user not found / inactive / banned / deleted
44
- * @response 409 An impersonation is already in progress for this session
45
- */
46
- start(caller: User, session: ISession, payload: ImpersonateDto): Promise<Ok<IImpersonationResponse> | BadRequestResponse | Unauthorized | ForbiddenResponse | NotFound | Conflict>;
47
- /**
48
- * Stop impersonation
49
- * Restores the original user's session and returns their login-style payload.
50
- * @security cookieAuth
51
- * @returns {IUserWithGrants}
52
- * @response 400 No impersonation is currently active
53
- */
54
- stop(target: User, session: ISession): Promise<Ok<IUserWithGrants> | BadRequestResponse>;
55
- /**
56
- * Emit an impersonation lifecycle event. Wrapped in a protected method so
57
- * tests can intercept without stubbing module-level ESM bindings.
58
- */
59
- protected emitEvent(event: UserImpersonationStarted | UserImpersonationEnded): Promise<void>;
60
- /**
61
- * Load the impersonation target (with Metadata so IsBanned works). Extracted
62
- * as a protected method so tests can stub it without setting up a database.
63
- */
64
- protected loadTarget(uuid: string): Promise<User | undefined>;
65
- /**
66
- * Load the original (impersonator) user. Extracted for the same reason as
67
- * loadTarget — keeps the controller easy to test in isolation.
68
- */
69
- protected loadOriginal(uuid: string): Promise<User | undefined>;
70
- protected buildResponse(target: User, impersonator: User, activeRole: string, startedAt: string): IImpersonationResponse;
71
- }
72
- //# sourceMappingURL=ImpersonationController.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"ImpersonationController.d.ts","sourceRoot":"","sources":["../../../src/controllers/ImpersonationController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,cAAc,EAA6B,EAAE,EAAO,kBAAkB,EAAE,YAAY,EAAE,iBAAiB,EAAE,QAAQ,EAAE,QAAQ,EAAU,MAAM,eAAe,CAAC;AACpK,OAAO,EACL,aAAa,EACb,gBAAgB,EAChB,eAAe,EACf,IAAI,EACJ,wBAAwB,EACxB,sBAAsB,EAGvB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAK9C,OAAO,EAKL,sBAAsB,EACtB,mBAAmB,EACnB,eAAe,EAChB,MAAM,oBAAoB,CAAC;AAI5B;;;;;;;;;;GAUG;AACH,qBACa,uBAAwB,SAAQ,cAAc;IAEzD,SAAS,CAAC,EAAE,EAAE,aAAa,CAAC;IAG5B,SAAS,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;IAG7C,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC;IAG3C,SAAS,CAAC,eAAe,EAAE,OAAO,CAAC;IAGnC,SAAS,CAAC,cAAc,EAAE,MAAM,EAAE,CAAC;IAEnC;;;;;;OAMG;IAGU,QAAQ,CACJ,YAAY,EAAE,MAAM,EACpB,IAAI,EAAE,MAAM,EACZ,sBAAsB,EAAE,MAAM,GAC5C,OAAO,CAAC,EAAE,CAAC,mBAAmB,CAAC,CAAC;IAYnC;;;;;;;;;;;;;;OAcG;IAGU,KAAK,CACA,MAAM,EAAE,IAAI,EACT,OAAO,EAAE,QAAQ,EAC5B,OAAO,EAAE,cAAc,GAC9B,OAAO,CACR,EAAE,CAAC,sBAAsB,CAAC,GAAG,kBAAkB,GAAG,YAAY,GAAG,iBAAiB,GAAG,QAAQ,GAAG,QAAQ,CACzG;IAsFD;;;;;;OAMG;IAGU,IAAI,CACC,MAAM,EAAE,IAAI,EACT,OAAO,EAAE,QAAQ,GACnC,OAAO,CAAC,EAAE,CAAC,eAAe,CAAC,GAAG,kBAAkB,CAAC;IA4CpD;;;OAGG;IACH,SAAS,CAAC,SAAS,CAAC,KAAK,EAAE,wBAAwB,GAAG,sBAAsB,GAAG,OAAO,CAAC,IAAI,CAAC;IAI5F;;;OAGG;IACH,SAAS,CAAC,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC;IAI7D;;;OAGG;IACH,SAAS,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC;IAI/D,SAAS,CAAC,aAAa,CAAC,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,sBAAsB;CAWzH"}