@spinajs/rbac-http-user 2.0.474 → 2.0.476
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/cjs/controllers/LoginController.d.ts +4 -27
- package/lib/cjs/controllers/LoginController.d.ts.map +1 -1
- package/lib/cjs/controllers/LoginController.js +27 -46
- package/lib/cjs/controllers/LoginController.js.map +1 -1
- package/lib/cjs/index.d.ts +0 -5
- package/lib/cjs/index.d.ts.map +1 -1
- package/lib/cjs/index.js +0 -5
- package/lib/cjs/index.js.map +1 -1
- package/lib/mjs/controllers/LoginController.d.ts +4 -27
- package/lib/mjs/controllers/LoginController.d.ts.map +1 -1
- package/lib/mjs/controllers/LoginController.js +29 -48
- package/lib/mjs/controllers/LoginController.js.map +1 -1
- package/lib/mjs/index.d.ts +0 -5
- package/lib/mjs/index.d.ts.map +1 -1
- package/lib/mjs/index.js +0 -5
- package/lib/mjs/index.js.map +1 -1
- package/lib/tsconfig.cjs.tsbuildinfo +1 -1
- package/lib/tsconfig.mjs.tsbuildinfo +1 -1
- package/package.json +11 -11
- package/lib/cjs/controllers/ActiveRoleController.d.ts +0 -41
- package/lib/cjs/controllers/ActiveRoleController.d.ts.map +0 -1
- package/lib/cjs/controllers/ActiveRoleController.js +0 -135
- package/lib/cjs/controllers/ActiveRoleController.js.map +0 -1
- package/lib/cjs/controllers/ImpersonationController.d.ts +0 -72
- package/lib/cjs/controllers/ImpersonationController.d.ts.map +0 -1
- package/lib/cjs/controllers/ImpersonationController.js +0 -277
- package/lib/cjs/controllers/ImpersonationController.js.map +0 -1
- package/lib/cjs/dto/impersonate-dto.d.ts +0 -24
- package/lib/cjs/dto/impersonate-dto.d.ts.map +0 -1
- package/lib/cjs/dto/impersonate-dto.js +0 -34
- package/lib/cjs/dto/impersonate-dto.js.map +0 -1
- package/lib/cjs/dto/switchRole-dto.d.ts +0 -24
- package/lib/cjs/dto/switchRole-dto.d.ts.map +0 -1
- package/lib/cjs/dto/switchRole-dto.js +0 -34
- package/lib/cjs/dto/switchRole-dto.js.map +0 -1
- package/lib/cjs/handlers/DefaultLogoutHandler.d.ts +0 -14
- package/lib/cjs/handlers/DefaultLogoutHandler.d.ts.map +0 -1
- package/lib/cjs/handlers/DefaultLogoutHandler.js +0 -61
- package/lib/cjs/handlers/DefaultLogoutHandler.js.map +0 -1
- package/lib/cjs/handlers/ImpersonationLogoutHandler.d.ts +0 -18
- package/lib/cjs/handlers/ImpersonationLogoutHandler.d.ts.map +0 -1
- package/lib/cjs/handlers/ImpersonationLogoutHandler.js +0 -66
- package/lib/cjs/handlers/ImpersonationLogoutHandler.js.map +0 -1
- package/lib/cjs/logout.d.ts +0 -51
- package/lib/cjs/logout.d.ts.map +0 -1
- package/lib/cjs/logout.js +0 -29
- package/lib/cjs/logout.js.map +0 -1
- package/lib/mjs/controllers/ActiveRoleController.d.ts +0 -41
- package/lib/mjs/controllers/ActiveRoleController.d.ts.map +0 -1
- package/lib/mjs/controllers/ActiveRoleController.js +0 -132
- package/lib/mjs/controllers/ActiveRoleController.js.map +0 -1
- package/lib/mjs/controllers/ImpersonationController.d.ts +0 -72
- package/lib/mjs/controllers/ImpersonationController.d.ts.map +0 -1
- package/lib/mjs/controllers/ImpersonationController.js +0 -274
- package/lib/mjs/controllers/ImpersonationController.js.map +0 -1
- package/lib/mjs/dto/impersonate-dto.d.ts +0 -24
- package/lib/mjs/dto/impersonate-dto.d.ts.map +0 -1
- package/lib/mjs/dto/impersonate-dto.js +0 -31
- package/lib/mjs/dto/impersonate-dto.js.map +0 -1
- package/lib/mjs/dto/switchRole-dto.d.ts +0 -24
- package/lib/mjs/dto/switchRole-dto.d.ts.map +0 -1
- package/lib/mjs/dto/switchRole-dto.js +0 -31
- package/lib/mjs/dto/switchRole-dto.js.map +0 -1
- package/lib/mjs/handlers/DefaultLogoutHandler.d.ts +0 -14
- package/lib/mjs/handlers/DefaultLogoutHandler.d.ts.map +0 -1
- package/lib/mjs/handlers/DefaultLogoutHandler.js +0 -58
- package/lib/mjs/handlers/DefaultLogoutHandler.js.map +0 -1
- package/lib/mjs/handlers/ImpersonationLogoutHandler.d.ts +0 -18
- package/lib/mjs/handlers/ImpersonationLogoutHandler.d.ts.map +0 -1
- package/lib/mjs/handlers/ImpersonationLogoutHandler.js +0 -63
- package/lib/mjs/handlers/ImpersonationLogoutHandler.js.map +0 -1
- package/lib/mjs/logout.d.ts +0 -51
- package/lib/mjs/logout.d.ts.map +0 -1
- package/lib/mjs/logout.js +0 -25
- package/lib/mjs/logout.js.map +0 -1
|
@@ -1,34 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
3
|
-
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
4
|
-
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
5
|
-
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
6
|
-
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
7
|
-
};
|
|
8
|
-
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
9
|
-
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
|
-
};
|
|
11
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
-
exports.ImpersonateDto = exports.ImpersonateDtoSchema = void 0;
|
|
13
|
-
const validation_1 = require("@spinajs/validation");
|
|
14
|
-
exports.ImpersonateDtoSchema = {
|
|
15
|
-
$schema: 'http://json-schema.org/draft-07/schema#',
|
|
16
|
-
title: 'Impersonate DTO',
|
|
17
|
-
type: 'object',
|
|
18
|
-
properties: {
|
|
19
|
-
TargetUuid: { type: 'string', format: 'uuid', description: 'UUID of the user to impersonate' },
|
|
20
|
-
Password: { type: 'string', maxLength: 32, description: 'Impersonator password (required when rbac.impersonation.requirePassword is true)' },
|
|
21
|
-
},
|
|
22
|
-
required: ['TargetUuid'],
|
|
23
|
-
};
|
|
24
|
-
let ImpersonateDto = class ImpersonateDto {
|
|
25
|
-
constructor(data) {
|
|
26
|
-
Object.assign(this, data);
|
|
27
|
-
}
|
|
28
|
-
};
|
|
29
|
-
exports.ImpersonateDto = ImpersonateDto;
|
|
30
|
-
exports.ImpersonateDto = ImpersonateDto = __decorate([
|
|
31
|
-
(0, validation_1.Schema)(exports.ImpersonateDtoSchema),
|
|
32
|
-
__metadata("design:paramtypes", [Object])
|
|
33
|
-
], ImpersonateDto);
|
|
34
|
-
//# sourceMappingURL=impersonate-dto.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"impersonate-dto.js","sourceRoot":"","sources":["../../../src/dto/impersonate-dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oDAA6C;AAEhC,QAAA,oBAAoB,GAAG;IAClC,OAAO,EAAE,yCAAyC;IAClD,KAAK,EAAE,iBAAiB;IACxB,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE;QACV,UAAU,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,iCAAiC,EAAE;QAC9F,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE,WAAW,EAAE,kFAAkF,EAAE;KAC7I;IACD,QAAQ,EAAE,CAAC,YAAY,CAAC;CACzB,CAAC;AAGK,IAAM,cAAc,GAApB,MAAM,cAAc;IAKzB,YAAY,IAAS;QACnB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;CACF,CAAA;AARY,wCAAc;yBAAd,cAAc;IAD1B,IAAA,mBAAM,EAAC,4BAAoB,CAAC;;GAChB,cAAc,CAQ1B"}
|
|
@@ -1,24 +0,0 @@
|
|
|
1
|
-
export declare const SwitchRoleDtoSchema: {
|
|
2
|
-
$schema: string;
|
|
3
|
-
title: string;
|
|
4
|
-
type: string;
|
|
5
|
-
properties: {
|
|
6
|
-
Role: {
|
|
7
|
-
type: string;
|
|
8
|
-
minLength: number;
|
|
9
|
-
description: string;
|
|
10
|
-
};
|
|
11
|
-
Password: {
|
|
12
|
-
type: string;
|
|
13
|
-
maxLength: number;
|
|
14
|
-
description: string;
|
|
15
|
-
};
|
|
16
|
-
};
|
|
17
|
-
required: string[];
|
|
18
|
-
};
|
|
19
|
-
export declare class SwitchRoleDto {
|
|
20
|
-
Role: string;
|
|
21
|
-
Password?: string;
|
|
22
|
-
constructor(data: any);
|
|
23
|
-
}
|
|
24
|
-
//# sourceMappingURL=switchRole-dto.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"switchRole-dto.d.ts","sourceRoot":"","sources":["../../../src/dto/switchRole-dto.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;CAS/B,CAAC;AAEF,qBACa,aAAa;IACjB,IAAI,EAAE,MAAM,CAAC;IAEb,QAAQ,CAAC,EAAE,MAAM,CAAC;gBAEb,IAAI,EAAE,GAAG;CAGtB"}
|
|
@@ -1,34 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
3
|
-
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
4
|
-
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
5
|
-
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
6
|
-
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
7
|
-
};
|
|
8
|
-
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
9
|
-
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
|
-
};
|
|
11
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
-
exports.SwitchRoleDto = exports.SwitchRoleDtoSchema = void 0;
|
|
13
|
-
const validation_1 = require("@spinajs/validation");
|
|
14
|
-
exports.SwitchRoleDtoSchema = {
|
|
15
|
-
$schema: 'http://json-schema.org/draft-07/schema#',
|
|
16
|
-
title: 'Switch active role DTO',
|
|
17
|
-
type: 'object',
|
|
18
|
-
properties: {
|
|
19
|
-
Role: { type: 'string', minLength: 1, description: 'Role to activate. Must be one of the user\'s assigned roles.' },
|
|
20
|
-
Password: { type: 'string', maxLength: 32, description: 'User password. Required when activating roles listed in rbac.roleSwitch.requirePassword.' },
|
|
21
|
-
},
|
|
22
|
-
required: ['Role'],
|
|
23
|
-
};
|
|
24
|
-
let SwitchRoleDto = class SwitchRoleDto {
|
|
25
|
-
constructor(data) {
|
|
26
|
-
Object.assign(this, data);
|
|
27
|
-
}
|
|
28
|
-
};
|
|
29
|
-
exports.SwitchRoleDto = SwitchRoleDto;
|
|
30
|
-
exports.SwitchRoleDto = SwitchRoleDto = __decorate([
|
|
31
|
-
(0, validation_1.Schema)(exports.SwitchRoleDtoSchema),
|
|
32
|
-
__metadata("design:paramtypes", [Object])
|
|
33
|
-
], SwitchRoleDto);
|
|
34
|
-
//# sourceMappingURL=switchRole-dto.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"switchRole-dto.js","sourceRoot":"","sources":["../../../src/dto/switchRole-dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oDAA6C;AAEhC,QAAA,mBAAmB,GAAG;IACjC,OAAO,EAAE,yCAAyC;IAClD,KAAK,EAAE,wBAAwB;IAC/B,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE;QACV,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,EAAE,WAAW,EAAE,8DAA8D,EAAE;QACnH,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE,WAAW,EAAE,0FAA0F,EAAE;KACrJ;IACD,QAAQ,EAAE,CAAC,MAAM,CAAC;CACnB,CAAC;AAGK,IAAM,aAAa,GAAnB,MAAM,aAAa;IAKxB,YAAY,IAAS;QACnB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;CACF,CAAA;AARY,sCAAa;wBAAb,aAAa;IADzB,IAAA,mBAAM,EAAC,2BAAmB,CAAC;;GACf,aAAa,CAQzB"}
|
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
import { SessionProvider } from '@spinajs/rbac';
|
|
2
|
-
import { LogoutHandler, ILogoutContext, ILogoutResult } from '../logout.js';
|
|
3
|
-
/**
|
|
4
|
-
* Default logout handler: deletes the session and clears the ssid cookie.
|
|
5
|
-
* Runs last (priority 999) so any earlier handler can short-circuit (e.g.
|
|
6
|
-
* the impersonation revert handler) before the session is destroyed.
|
|
7
|
-
*/
|
|
8
|
-
export declare class DefaultLogoutHandler extends LogoutHandler {
|
|
9
|
-
Priority: number;
|
|
10
|
-
protected SessionProvider: SessionProvider;
|
|
11
|
-
protected SessionCookieConfig: Record<string, unknown>;
|
|
12
|
-
handle(context: ILogoutContext): Promise<ILogoutResult | null>;
|
|
13
|
-
}
|
|
14
|
-
//# sourceMappingURL=DefaultLogoutHandler.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultLogoutHandler.d.ts","sourceRoot":"","sources":["../../../src/handlers/DefaultLogoutHandler.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE5E;;;;GAIG;AACH,qBACa,oBAAqB,SAAQ,aAAa;IAC9C,QAAQ,SAAO;IAGtB,SAAS,CAAC,eAAe,EAAG,eAAe,CAAC;IAG5C,SAAS,CAAC,mBAAmB,EAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAE3C,MAAM,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;CAuB5E"}
|
|
@@ -1,61 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
3
|
-
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
4
|
-
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
5
|
-
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
6
|
-
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
7
|
-
};
|
|
8
|
-
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
9
|
-
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
|
-
};
|
|
11
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
-
exports.DefaultLogoutHandler = void 0;
|
|
13
|
-
const di_1 = require("@spinajs/di");
|
|
14
|
-
const configuration_1 = require("@spinajs/configuration");
|
|
15
|
-
const rbac_1 = require("@spinajs/rbac");
|
|
16
|
-
const logout_js_1 = require("../logout.js");
|
|
17
|
-
/**
|
|
18
|
-
* Default logout handler: deletes the session and clears the ssid cookie.
|
|
19
|
-
* Runs last (priority 999) so any earlier handler can short-circuit (e.g.
|
|
20
|
-
* the impersonation revert handler) before the session is destroyed.
|
|
21
|
-
*/
|
|
22
|
-
let DefaultLogoutHandler = class DefaultLogoutHandler extends logout_js_1.LogoutHandler {
|
|
23
|
-
constructor() {
|
|
24
|
-
super(...arguments);
|
|
25
|
-
this.Priority = 999;
|
|
26
|
-
}
|
|
27
|
-
async handle(context) {
|
|
28
|
-
if (!context.Ssid) {
|
|
29
|
-
// Nothing to delete; still return a result so the chain stops.
|
|
30
|
-
return { Body: null };
|
|
31
|
-
}
|
|
32
|
-
await this.SessionProvider.delete(context.Ssid);
|
|
33
|
-
return {
|
|
34
|
-
Body: null,
|
|
35
|
-
Cookies: [
|
|
36
|
-
{
|
|
37
|
-
Name: 'ssid',
|
|
38
|
-
Value: '',
|
|
39
|
-
Options: {
|
|
40
|
-
httpOnly: true,
|
|
41
|
-
maxAge: 0,
|
|
42
|
-
...this.SessionCookieConfig,
|
|
43
|
-
},
|
|
44
|
-
},
|
|
45
|
-
],
|
|
46
|
-
};
|
|
47
|
-
}
|
|
48
|
-
};
|
|
49
|
-
exports.DefaultLogoutHandler = DefaultLogoutHandler;
|
|
50
|
-
__decorate([
|
|
51
|
-
(0, configuration_1.AutoinjectService)('rbac.session'),
|
|
52
|
-
__metadata("design:type", rbac_1.SessionProvider)
|
|
53
|
-
], DefaultLogoutHandler.prototype, "SessionProvider", void 0);
|
|
54
|
-
__decorate([
|
|
55
|
-
(0, configuration_1.Config)('rbac.session.cookie', {}),
|
|
56
|
-
__metadata("design:type", Object)
|
|
57
|
-
], DefaultLogoutHandler.prototype, "SessionCookieConfig", void 0);
|
|
58
|
-
exports.DefaultLogoutHandler = DefaultLogoutHandler = __decorate([
|
|
59
|
-
(0, di_1.Injectable)(logout_js_1.LogoutHandler)
|
|
60
|
-
], DefaultLogoutHandler);
|
|
61
|
-
//# sourceMappingURL=DefaultLogoutHandler.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultLogoutHandler.js","sourceRoot":"","sources":["../../../src/handlers/DefaultLogoutHandler.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oCAAyC;AACzC,0DAAmE;AACnE,wCAAgD;AAChD,4CAA4E;AAE5E;;;;GAIG;AAEI,IAAM,oBAAoB,GAA1B,MAAM,oBAAqB,SAAQ,yBAAa;IAAhD;;QACE,aAAQ,GAAG,GAAG,CAAC;IA+BxB,CAAC;IAvBQ,KAAK,CAAC,MAAM,CAAC,OAAuB;QACzC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,+DAA+D;YAC/D,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;QACxB,CAAC;QAED,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAEhD,OAAO;YACL,IAAI,EAAE,IAAI;YACV,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAM;oBACZ,KAAK,EAAE,EAAE;oBACT,OAAO,EAAE;wBACP,QAAQ,EAAE,IAAI;wBACd,MAAM,EAAE,CAAC;wBACT,GAAG,IAAI,CAAC,mBAAmB;qBAC5B;iBACF;aACF;SACF,CAAC;IACJ,CAAC;CACF,CAAA;AAhCY,oDAAoB;AAIrB;IADT,IAAA,iCAAiB,EAAC,cAAc,CAAC;8BACN,sBAAe;6DAAC;AAGlC;IADT,IAAA,sBAAM,EAAC,qBAAqB,EAAE,EAAE,CAAC;;iEACsB;+BAP7C,oBAAoB;IADhC,IAAA,eAAU,EAAC,yBAAa,CAAC;GACb,oBAAoB,CAgChC"}
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
import { SessionProvider, User } from '@spinajs/rbac';
|
|
2
|
-
import { LogoutHandler, ILogoutContext, ILogoutResult } from '../logout.js';
|
|
3
|
-
/**
|
|
4
|
-
* Logout handler that detects an active impersonation and reverts it instead
|
|
5
|
-
* of destroying the session. Runs early (priority 10) so it short-circuits
|
|
6
|
-
* the default session-deletion handler when applicable.
|
|
7
|
-
*/
|
|
8
|
-
export declare class ImpersonationLogoutHandler extends LogoutHandler {
|
|
9
|
-
Priority: number;
|
|
10
|
-
protected SessionProvider: SessionProvider;
|
|
11
|
-
handle(context: ILogoutContext): Promise<ILogoutResult | null>;
|
|
12
|
-
/**
|
|
13
|
-
* Hook for tests to intercept event emission without stubbing the module-level
|
|
14
|
-
* `_ev` ESM binding.
|
|
15
|
-
*/
|
|
16
|
-
protected emitEvent(original: User, target: User): Promise<void>;
|
|
17
|
-
}
|
|
18
|
-
//# sourceMappingURL=ImpersonationLogoutHandler.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"ImpersonationLogoutHandler.d.ts","sourceRoot":"","sources":["../../../src/handlers/ImpersonationLogoutHandler.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,IAAI,EAA0B,MAAM,eAAe,CAAC;AAE9E,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE5E;;;;GAIG;AACH,qBACa,0BAA2B,SAAQ,aAAa;IACpD,QAAQ,SAAM;IAGrB,SAAS,CAAC,eAAe,EAAG,eAAe,CAAC;IAE/B,MAAM,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IA0B3E;;;OAGG;IACH,SAAS,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;CAGjE"}
|
|
@@ -1,66 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
3
|
-
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
4
|
-
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
5
|
-
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
6
|
-
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
7
|
-
};
|
|
8
|
-
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
9
|
-
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
|
-
};
|
|
11
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
-
exports.ImpersonationLogoutHandler = void 0;
|
|
13
|
-
const di_1 = require("@spinajs/di");
|
|
14
|
-
const configuration_1 = require("@spinajs/configuration");
|
|
15
|
-
const rbac_1 = require("@spinajs/rbac");
|
|
16
|
-
const queue_1 = require("@spinajs/queue");
|
|
17
|
-
const logout_js_1 = require("../logout.js");
|
|
18
|
-
/**
|
|
19
|
-
* Logout handler that detects an active impersonation and reverts it instead
|
|
20
|
-
* of destroying the session. Runs early (priority 10) so it short-circuits
|
|
21
|
-
* the default session-deletion handler when applicable.
|
|
22
|
-
*/
|
|
23
|
-
let ImpersonationLogoutHandler = class ImpersonationLogoutHandler extends logout_js_1.LogoutHandler {
|
|
24
|
-
constructor() {
|
|
25
|
-
super(...arguments);
|
|
26
|
-
this.Priority = 10;
|
|
27
|
-
}
|
|
28
|
-
async handle(context) {
|
|
29
|
-
const session = context.Session;
|
|
30
|
-
if (!session)
|
|
31
|
-
return null;
|
|
32
|
-
const impersonatorUuid = session.Data.get('Impersonator');
|
|
33
|
-
if (!impersonatorUuid)
|
|
34
|
-
return null;
|
|
35
|
-
const original = await rbac_1.User.getByUuid(impersonatorUuid);
|
|
36
|
-
session.Data.set('User', original.Uuid);
|
|
37
|
-
session.Data.delete('Impersonator');
|
|
38
|
-
session.Data.delete('ImpersonationStartedAt');
|
|
39
|
-
const restoredActiveRole = session.Data.get('OriginalActiveRole') ?? original.Role?.[0];
|
|
40
|
-
if (restoredActiveRole) {
|
|
41
|
-
session.Data.set('ActiveRole', restoredActiveRole);
|
|
42
|
-
}
|
|
43
|
-
session.Data.delete('OriginalActiveRole');
|
|
44
|
-
await this.SessionProvider.save(session);
|
|
45
|
-
await this.emitEvent(original, context.User);
|
|
46
|
-
// Take ownership of the response: no cookie change — the original user's
|
|
47
|
-
// session continues.
|
|
48
|
-
return { Body: { ImpersonationEnded: true } };
|
|
49
|
-
}
|
|
50
|
-
/**
|
|
51
|
-
* Hook for tests to intercept event emission without stubbing the module-level
|
|
52
|
-
* `_ev` ESM binding.
|
|
53
|
-
*/
|
|
54
|
-
emitEvent(original, target) {
|
|
55
|
-
return (0, queue_1._ev)(new rbac_1.UserImpersonationEnded(original, target))();
|
|
56
|
-
}
|
|
57
|
-
};
|
|
58
|
-
exports.ImpersonationLogoutHandler = ImpersonationLogoutHandler;
|
|
59
|
-
__decorate([
|
|
60
|
-
(0, configuration_1.AutoinjectService)('rbac.session'),
|
|
61
|
-
__metadata("design:type", rbac_1.SessionProvider)
|
|
62
|
-
], ImpersonationLogoutHandler.prototype, "SessionProvider", void 0);
|
|
63
|
-
exports.ImpersonationLogoutHandler = ImpersonationLogoutHandler = __decorate([
|
|
64
|
-
(0, di_1.Injectable)(logout_js_1.LogoutHandler)
|
|
65
|
-
], ImpersonationLogoutHandler);
|
|
66
|
-
//# sourceMappingURL=ImpersonationLogoutHandler.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"ImpersonationLogoutHandler.js","sourceRoot":"","sources":["../../../src/handlers/ImpersonationLogoutHandler.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oCAAyC;AACzC,0DAA2D;AAC3D,wCAA8E;AAC9E,0CAAqC;AACrC,4CAA4E;AAE5E;;;;GAIG;AAEI,IAAM,0BAA0B,GAAhC,MAAM,0BAA2B,SAAQ,yBAAa;IAAtD;;QACE,aAAQ,GAAG,EAAE,CAAC;IAsCvB,CAAC;IAjCQ,KAAK,CAAC,MAAM,CAAC,OAAuB;QACzC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAChC,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAE1B,MAAM,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,cAAc,CAAuB,CAAC;QAChF,IAAI,CAAC,gBAAgB;YAAE,OAAO,IAAI,CAAC;QAEnC,MAAM,QAAQ,GAAG,MAAM,WAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;QAExD,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;QACxC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QACpC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,wBAAwB,CAAC,CAAC;QAC9C,MAAM,kBAAkB,GAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,oBAAoB,CAAwB,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAChH,IAAI,kBAAkB,EAAE,CAAC;YACvB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;QACrD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QAE1C,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzC,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QAE7C,yEAAyE;QACzE,qBAAqB;QACrB,OAAO,EAAE,IAAI,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,EAAE,CAAC;IAChD,CAAC;IAED;;;OAGG;IACO,SAAS,CAAC,QAAc,EAAE,MAAY;QAC9C,OAAO,IAAA,WAAG,EAAC,IAAI,6BAAsB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;IAC7D,CAAC;CACF,CAAA;AAvCY,gEAA0B;AAI3B;IADT,IAAA,iCAAiB,EAAC,cAAc,CAAC;8BACN,sBAAe;mEAAC;qCAJjC,0BAA0B;IADtC,IAAA,eAAU,EAAC,yBAAa,CAAC;GACb,0BAA0B,CAuCtC"}
|
package/lib/cjs/logout.d.ts
DELETED
|
@@ -1,51 +0,0 @@
|
|
|
1
|
-
import type { ISession, User } from '@spinajs/rbac';
|
|
2
|
-
/**
|
|
3
|
-
* Per-request context handed to each {@link LogoutHandler} during logout.
|
|
4
|
-
* The session may be null when the caller has no active session — handlers
|
|
5
|
-
* should treat that as a no-op.
|
|
6
|
-
*/
|
|
7
|
-
export interface ILogoutContext {
|
|
8
|
-
/** Raw signed session cookie value (already unsigned by the framework) */
|
|
9
|
-
Ssid: string;
|
|
10
|
-
/** Restored session, or null when none is active */
|
|
11
|
-
Session: ISession | null;
|
|
12
|
-
/** Logged-in user as resolved by RbacMiddleware */
|
|
13
|
-
User: User;
|
|
14
|
-
}
|
|
15
|
-
/** Cookie operation a handler may attach to its response */
|
|
16
|
-
export interface ILogoutCookie {
|
|
17
|
-
Name: string;
|
|
18
|
-
Value: string;
|
|
19
|
-
Options: Record<string, unknown>;
|
|
20
|
-
}
|
|
21
|
-
/** Response payload a handler returns when it takes ownership of the logout */
|
|
22
|
-
export interface ILogoutResult {
|
|
23
|
-
/** Response body */
|
|
24
|
-
Body?: unknown;
|
|
25
|
-
/** Cookie operations to attach */
|
|
26
|
-
Cookies?: ILogoutCookie[];
|
|
27
|
-
}
|
|
28
|
-
/**
|
|
29
|
-
* Pluggable logout step. Handlers are resolved via `DI.resolve(Array.ofType(LogoutHandler))`
|
|
30
|
-
* by the logout controller and executed in ascending Priority order. The first
|
|
31
|
-
* handler that returns a non-null result takes ownership of the response — the
|
|
32
|
-
* chain stops there. Returning null defers to the next handler.
|
|
33
|
-
*
|
|
34
|
-
* Built-ins:
|
|
35
|
-
* - {@link ImpersonationLogoutHandler} (priority 10) — when an impersonation
|
|
36
|
-
* is active, revert it and keep the session alive.
|
|
37
|
-
* - {@link DefaultLogoutHandler} (priority 999) — destroy the session and
|
|
38
|
-
* clear the ssid cookie.
|
|
39
|
-
*
|
|
40
|
-
* Register custom handlers with @Injectable(LogoutHandler). Choose a Priority
|
|
41
|
-
* lower than 999 to run before the default session destruction.
|
|
42
|
-
*/
|
|
43
|
-
export declare abstract class LogoutHandler {
|
|
44
|
-
/**
|
|
45
|
-
* Lower runs first. Default 100. The default cleanup handler runs at 999;
|
|
46
|
-
* pick a value below that to run before it.
|
|
47
|
-
*/
|
|
48
|
-
Priority: number;
|
|
49
|
-
abstract handle(context: ILogoutContext): Promise<ILogoutResult | null>;
|
|
50
|
-
}
|
|
51
|
-
//# sourceMappingURL=logout.d.ts.map
|
package/lib/cjs/logout.d.ts.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"logout.d.ts","sourceRoot":"","sources":["../../src/logout.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAEpD;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,0EAA0E;IAC1E,IAAI,EAAE,MAAM,CAAC;IAEb,oDAAoD;IACpD,OAAO,EAAE,QAAQ,GAAG,IAAI,CAAC;IAEzB,mDAAmD;IACnD,IAAI,EAAE,IAAI,CAAC;CACZ;AAED,4DAA4D;AAC5D,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,+EAA+E;AAC/E,MAAM,WAAW,aAAa;IAC5B,oBAAoB;IACpB,IAAI,CAAC,EAAE,OAAO,CAAC;IAEf,kCAAkC;IAClC,OAAO,CAAC,EAAE,aAAa,EAAE,CAAC;CAC3B;AAED;;;;;;;;;;;;;;GAcG;AACH,8BAAsB,aAAa;IACjC;;;OAGG;IACI,QAAQ,EAAE,MAAM,CAAO;aAEd,MAAM,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;CAC/E"}
|
package/lib/cjs/logout.js
DELETED
|
@@ -1,29 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.LogoutHandler = void 0;
|
|
4
|
-
/**
|
|
5
|
-
* Pluggable logout step. Handlers are resolved via `DI.resolve(Array.ofType(LogoutHandler))`
|
|
6
|
-
* by the logout controller and executed in ascending Priority order. The first
|
|
7
|
-
* handler that returns a non-null result takes ownership of the response — the
|
|
8
|
-
* chain stops there. Returning null defers to the next handler.
|
|
9
|
-
*
|
|
10
|
-
* Built-ins:
|
|
11
|
-
* - {@link ImpersonationLogoutHandler} (priority 10) — when an impersonation
|
|
12
|
-
* is active, revert it and keep the session alive.
|
|
13
|
-
* - {@link DefaultLogoutHandler} (priority 999) — destroy the session and
|
|
14
|
-
* clear the ssid cookie.
|
|
15
|
-
*
|
|
16
|
-
* Register custom handlers with @Injectable(LogoutHandler). Choose a Priority
|
|
17
|
-
* lower than 999 to run before the default session destruction.
|
|
18
|
-
*/
|
|
19
|
-
class LogoutHandler {
|
|
20
|
-
constructor() {
|
|
21
|
-
/**
|
|
22
|
-
* Lower runs first. Default 100. The default cleanup handler runs at 999;
|
|
23
|
-
* pick a value below that to run before it.
|
|
24
|
-
*/
|
|
25
|
-
this.Priority = 100;
|
|
26
|
-
}
|
|
27
|
-
}
|
|
28
|
-
exports.LogoutHandler = LogoutHandler;
|
|
29
|
-
//# sourceMappingURL=logout.js.map
|
package/lib/cjs/logout.js.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../src/logout.ts"],"names":[],"mappings":";;;AAkCA;;;;;;;;;;;;;;GAcG;AACH,MAAsB,aAAa;IAAnC;QACE;;;WAGG;QACI,aAAQ,GAAW,GAAG,CAAC;IAGhC,CAAC;CAAA;AARD,sCAQC"}
|
|
@@ -1,41 +0,0 @@
|
|
|
1
|
-
import { SwitchRoleDto } from '../dto/switchRole-dto.js';
|
|
2
|
-
import { BaseController, Ok, BadRequestResponse, Unauthorized } from '@spinajs/http';
|
|
3
|
-
import { AccessControl, AuthProvider, PasswordProvider, SessionProvider } from '@spinajs/rbac';
|
|
4
|
-
import type { ISession, User } from '@spinajs/rbac';
|
|
5
|
-
import { IActiveRoleResponse } from '@spinajs/rbac-http';
|
|
6
|
-
/**
|
|
7
|
-
* Active role endpoints.
|
|
8
|
-
* Let users with multiple roles inspect and switch the currently active role.
|
|
9
|
-
* The active role drives all request-bound permission checks; the user's full
|
|
10
|
-
* role list remains available so they can switch back at any time.
|
|
11
|
-
* @tags Authentication
|
|
12
|
-
*/
|
|
13
|
-
export declare class ActiveRoleController extends BaseController {
|
|
14
|
-
protected AC: AccessControl;
|
|
15
|
-
protected AuthProvider: AuthProvider;
|
|
16
|
-
protected PasswordProvider: PasswordProvider;
|
|
17
|
-
protected SessionProvider: SessionProvider;
|
|
18
|
-
protected RolesRequiringPassword: string[];
|
|
19
|
-
/**
|
|
20
|
-
* Get active role
|
|
21
|
-
* Returns the currently active role for the session, all roles the user may switch to,
|
|
22
|
-
* and the RBAC grants resolved for the active role.
|
|
23
|
-
* @security cookieAuth
|
|
24
|
-
* @returns {IActiveRoleResponse}
|
|
25
|
-
* @response 401 No active session
|
|
26
|
-
*/
|
|
27
|
-
getActiveRole(user: User, ActiveRole: string): Promise<Ok<IActiveRoleResponse>>;
|
|
28
|
-
/**
|
|
29
|
-
* Switch active role
|
|
30
|
-
* Switches the active role for the current session. The requested role must be one of
|
|
31
|
-
* the user's assigned roles. If the role is listed in `rbac.roleSwitch.requirePassword`,
|
|
32
|
-
* the user's password must also be provided and is re-verified.
|
|
33
|
-
* @security cookieAuth
|
|
34
|
-
* @returns {IActiveRoleResponse}
|
|
35
|
-
* @response 400 Requested role is not assigned to the user
|
|
36
|
-
* @response 401 Password verification required or failed
|
|
37
|
-
*/
|
|
38
|
-
switchActiveRole(user: User, session: ISession, payload: SwitchRoleDto): Promise<Ok<IActiveRoleResponse> | BadRequestResponse | Unauthorized>;
|
|
39
|
-
protected buildResponse(user: User, activeRole: string): IActiveRoleResponse;
|
|
40
|
-
}
|
|
41
|
-
//# sourceMappingURL=ActiveRoleController.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"ActiveRoleController.d.ts","sourceRoot":"","sources":["../../../src/controllers/ActiveRoleController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,cAAc,EAAwB,EAAE,EAAO,kBAAkB,EAAE,YAAY,EAAU,MAAM,eAAe,CAAC;AACxH,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAiB,MAAM,eAAe,CAAC;AAC9G,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAGpD,OAAO,EAA+E,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAEtI;;;;;;GAMG;AACH,qBACa,oBAAqB,SAAQ,cAAc;IAEtD,SAAS,CAAC,EAAE,EAAE,aAAa,CAAC;IAG5B,SAAS,CAAC,YAAY,EAAE,YAAY,CAAC;IAGrC,SAAS,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;IAG7C,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC;IAG3C,SAAS,CAAC,sBAAsB,EAAE,MAAM,EAAE,CAAC;IAE3C;;;;;;;OAOG;IAGU,aAAa,CAAiB,IAAI,EAAE,IAAI,EAAiB,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC,mBAAmB,CAAC,CAAC;IAI3H;;;;;;;;;OASG;IAGU,gBAAgB,CACX,IAAI,EAAE,IAAI,EACP,OAAO,EAAE,QAAQ,EAC5B,OAAO,EAAE,aAAa,GAC7B,OAAO,CAAC,EAAE,CAAC,mBAAmB,CAAC,GAAG,kBAAkB,GAAG,YAAY,CAAC;IAqCvE,SAAS,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB;CAQ7E"}
|
|
@@ -1,132 +0,0 @@
|
|
|
1
|
-
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
2
|
-
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
3
|
-
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
4
|
-
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
5
|
-
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
6
|
-
};
|
|
7
|
-
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
8
|
-
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
9
|
-
};
|
|
10
|
-
var __param = (this && this.__param) || function (paramIndex, decorator) {
|
|
11
|
-
return function (target, key) { decorator(target, key, paramIndex); }
|
|
12
|
-
};
|
|
13
|
-
import { SwitchRoleDto } from '../dto/switchRole-dto.js';
|
|
14
|
-
import { BaseController, BasePath, Post, Body, Ok, Get, BadRequestResponse, Unauthorized, Policy } from '@spinajs/http';
|
|
15
|
-
import { AccessControl, AuthProvider, PasswordProvider, SessionProvider, _unwindGrants } from '@spinajs/rbac';
|
|
16
|
-
import { Autoinject } from '@spinajs/di';
|
|
17
|
-
import { AutoinjectService, Config } from '@spinajs/configuration';
|
|
18
|
-
import { LoggedPolicy, User as UserRouteArg, Session as SessionRouteArg, FromSession } from '@spinajs/rbac-http';
|
|
19
|
-
/**
|
|
20
|
-
* Active role endpoints.
|
|
21
|
-
* Let users with multiple roles inspect and switch the currently active role.
|
|
22
|
-
* The active role drives all request-bound permission checks; the user's full
|
|
23
|
-
* role list remains available so they can switch back at any time.
|
|
24
|
-
* @tags Authentication
|
|
25
|
-
*/
|
|
26
|
-
let ActiveRoleController = class ActiveRoleController extends BaseController {
|
|
27
|
-
/**
|
|
28
|
-
* Get active role
|
|
29
|
-
* Returns the currently active role for the session, all roles the user may switch to,
|
|
30
|
-
* and the RBAC grants resolved for the active role.
|
|
31
|
-
* @security cookieAuth
|
|
32
|
-
* @returns {IActiveRoleResponse}
|
|
33
|
-
* @response 401 No active session
|
|
34
|
-
*/
|
|
35
|
-
async getActiveRole(user, ActiveRole) {
|
|
36
|
-
return new Ok(this.buildResponse(user, ActiveRole ?? user.Role?.[0]));
|
|
37
|
-
}
|
|
38
|
-
/**
|
|
39
|
-
* Switch active role
|
|
40
|
-
* Switches the active role for the current session. The requested role must be one of
|
|
41
|
-
* the user's assigned roles. If the role is listed in `rbac.roleSwitch.requirePassword`,
|
|
42
|
-
* the user's password must also be provided and is re-verified.
|
|
43
|
-
* @security cookieAuth
|
|
44
|
-
* @returns {IActiveRoleResponse}
|
|
45
|
-
* @response 400 Requested role is not assigned to the user
|
|
46
|
-
* @response 401 Password verification required or failed
|
|
47
|
-
*/
|
|
48
|
-
async switchActiveRole(user, session, payload) {
|
|
49
|
-
if (!user.Role?.includes(payload.Role)) {
|
|
50
|
-
return new BadRequestResponse({
|
|
51
|
-
error: {
|
|
52
|
-
code: 'E_ROLE_NOT_ASSIGNED',
|
|
53
|
-
message: `Role '${payload.Role}' is not assigned to user`,
|
|
54
|
-
},
|
|
55
|
-
});
|
|
56
|
-
}
|
|
57
|
-
if (this.RolesRequiringPassword?.includes(payload.Role)) {
|
|
58
|
-
if (!payload.Password) {
|
|
59
|
-
return new Unauthorized({
|
|
60
|
-
error: {
|
|
61
|
-
code: 'E_PASSWORD_REQUIRED',
|
|
62
|
-
message: `Password is required to activate role '${payload.Role}'`,
|
|
63
|
-
},
|
|
64
|
-
});
|
|
65
|
-
}
|
|
66
|
-
const valid = await this.PasswordProvider.verify(user.Password, payload.Password);
|
|
67
|
-
if (!valid) {
|
|
68
|
-
return new Unauthorized({
|
|
69
|
-
error: {
|
|
70
|
-
code: 'E_PASSWORD_INVALID',
|
|
71
|
-
message: 'Invalid password',
|
|
72
|
-
},
|
|
73
|
-
});
|
|
74
|
-
}
|
|
75
|
-
}
|
|
76
|
-
session.Data.set('ActiveRole', payload.Role);
|
|
77
|
-
await this.SessionProvider.save(session);
|
|
78
|
-
return new Ok(this.buildResponse(user, payload.Role));
|
|
79
|
-
}
|
|
80
|
-
buildResponse(user, activeRole) {
|
|
81
|
-
const grants = activeRole ? _unwindGrants(activeRole, this.AC.getGrants()) : {};
|
|
82
|
-
return {
|
|
83
|
-
ActiveRole: activeRole,
|
|
84
|
-
AvailableRoles: user.Role ?? [],
|
|
85
|
-
Grants: grants,
|
|
86
|
-
};
|
|
87
|
-
}
|
|
88
|
-
};
|
|
89
|
-
__decorate([
|
|
90
|
-
Autoinject(AccessControl),
|
|
91
|
-
__metadata("design:type", AccessControl)
|
|
92
|
-
], ActiveRoleController.prototype, "AC", void 0);
|
|
93
|
-
__decorate([
|
|
94
|
-
AutoinjectService('rbac.auth'),
|
|
95
|
-
__metadata("design:type", AuthProvider)
|
|
96
|
-
], ActiveRoleController.prototype, "AuthProvider", void 0);
|
|
97
|
-
__decorate([
|
|
98
|
-
AutoinjectService('rbac.password'),
|
|
99
|
-
__metadata("design:type", PasswordProvider)
|
|
100
|
-
], ActiveRoleController.prototype, "PasswordProvider", void 0);
|
|
101
|
-
__decorate([
|
|
102
|
-
AutoinjectService('rbac.session'),
|
|
103
|
-
__metadata("design:type", SessionProvider)
|
|
104
|
-
], ActiveRoleController.prototype, "SessionProvider", void 0);
|
|
105
|
-
__decorate([
|
|
106
|
-
Config('rbac.roleSwitch.requirePassword', { defaultValue: [] }),
|
|
107
|
-
__metadata("design:type", Array)
|
|
108
|
-
], ActiveRoleController.prototype, "RolesRequiringPassword", void 0);
|
|
109
|
-
__decorate([
|
|
110
|
-
Get('active-role'),
|
|
111
|
-
Policy(LoggedPolicy),
|
|
112
|
-
__param(0, UserRouteArg()),
|
|
113
|
-
__param(1, FromSession()),
|
|
114
|
-
__metadata("design:type", Function),
|
|
115
|
-
__metadata("design:paramtypes", [Function, String]),
|
|
116
|
-
__metadata("design:returntype", Promise)
|
|
117
|
-
], ActiveRoleController.prototype, "getActiveRole", null);
|
|
118
|
-
__decorate([
|
|
119
|
-
Post('active-role'),
|
|
120
|
-
Policy(LoggedPolicy),
|
|
121
|
-
__param(0, UserRouteArg()),
|
|
122
|
-
__param(1, SessionRouteArg()),
|
|
123
|
-
__param(2, Body()),
|
|
124
|
-
__metadata("design:type", Function),
|
|
125
|
-
__metadata("design:paramtypes", [Function, Object, SwitchRoleDto]),
|
|
126
|
-
__metadata("design:returntype", Promise)
|
|
127
|
-
], ActiveRoleController.prototype, "switchActiveRole", null);
|
|
128
|
-
ActiveRoleController = __decorate([
|
|
129
|
-
BasePath('auth')
|
|
130
|
-
], ActiveRoleController);
|
|
131
|
-
export { ActiveRoleController };
|
|
132
|
-
//# sourceMappingURL=ActiveRoleController.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"ActiveRoleController.js","sourceRoot":"","sources":["../../../src/controllers/ActiveRoleController.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AACxH,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAE9G,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,IAAI,IAAI,YAAY,EAAE,OAAO,IAAI,eAAe,EAAE,WAAW,EAAuB,MAAM,oBAAoB,CAAC;AAEtI;;;;;;GAMG;AAEI,IAAM,oBAAoB,GAA1B,MAAM,oBAAqB,SAAQ,cAAc;IAgBtD;;;;;;;OAOG;IAGU,AAAN,KAAK,CAAC,aAAa,CAAiB,IAAU,EAAiB,UAAkB;QACtF,OAAO,IAAI,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,UAAU,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACxE,CAAC;IAED;;;;;;;;;OASG;IAGU,AAAN,KAAK,CAAC,gBAAgB,CACX,IAAU,EACP,OAAiB,EAC5B,OAAsB;QAE9B,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,OAAO,IAAI,kBAAkB,CAAC;gBAC5B,KAAK,EAAE;oBACL,IAAI,EAAE,qBAAqB;oBAC3B,OAAO,EAAE,SAAS,OAAO,CAAC,IAAI,2BAA2B;iBAC1D;aACF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,sBAAsB,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxD,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACtB,OAAO,IAAI,YAAY,CAAC;oBACtB,KAAK,EAAE;wBACL,IAAI,EAAE,qBAAqB;wBAC3B,OAAO,EAAE,0CAA0C,OAAO,CAAC,IAAI,GAAG;qBACnE;iBACF,CAAC,CAAC;YACL,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;YAClF,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,IAAI,YAAY,CAAC;oBACtB,KAAK,EAAE;wBACL,IAAI,EAAE,oBAAoB;wBAC1B,OAAO,EAAE,kBAAkB;qBAC5B;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7C,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEzC,OAAO,IAAI,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACxD,CAAC;IAES,aAAa,CAAC,IAAU,EAAE,UAAkB;QACpD,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAChF,OAAO;YACL,UAAU,EAAE,UAAU;YACtB,cAAc,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE;YAC/B,MAAM,EAAE,MAAM;SACf,CAAC;IACJ,CAAC;CACF,CAAA;AAzFW;IADT,UAAU,CAAC,aAAa,CAAC;8BACZ,aAAa;gDAAC;AAGlB;IADT,iBAAiB,CAAC,WAAW,CAAC;8BACP,YAAY;0DAAC;AAG3B;IADT,iBAAiB,CAAC,eAAe,CAAC;8BACP,gBAAgB;8DAAC;AAGnC;IADT,iBAAiB,CAAC,cAAc,CAAC;8BACP,eAAe;6DAAC;AAGjC;IADT,MAAM,CAAC,iCAAiC,EAAE,EAAE,YAAY,EAAE,EAAc,EAAE,CAAC;;oEACjC;AAY9B;IAFZ,GAAG,CAAC,aAAa,CAAC;IAClB,MAAM,CAAC,YAAY,CAAC;IACO,WAAA,YAAY,EAAE,CAAA;IAAc,WAAA,WAAW,EAAE,CAAA;;;;yDAEpE;AAcY;IAFZ,IAAI,CAAC,aAAa,CAAC;IACnB,MAAM,CAAC,YAAY,CAAC;IAElB,WAAA,YAAY,EAAE,CAAA;IACd,WAAA,eAAe,EAAE,CAAA;IACjB,WAAA,IAAI,EAAE,CAAA;;uDAAU,aAAa;;4DAoC/B;AAjFU,oBAAoB;IADhC,QAAQ,CAAC,MAAM,CAAC;GACJ,oBAAoB,CA2FhC"}
|
|
@@ -1,72 +0,0 @@
|
|
|
1
|
-
import { ImpersonateDto } from '../dto/impersonate-dto.js';
|
|
2
|
-
import { BaseController, Ok, BadRequestResponse, Unauthorized, ForbiddenResponse, Conflict, NotFound } from '@spinajs/http';
|
|
3
|
-
import { AccessControl, PasswordProvider, SessionProvider, User, UserImpersonationStarted, UserImpersonationEnded } from '@spinajs/rbac';
|
|
4
|
-
import type { ISession } from '@spinajs/rbac';
|
|
5
|
-
import { IImpersonationResponse, IImpersonationState, IUserWithGrants } from '@spinajs/rbac-http';
|
|
6
|
-
/**
|
|
7
|
-
* Impersonation endpoints.
|
|
8
|
-
*
|
|
9
|
-
* A user holding `createAny` on the virtual resource `user:impersonate` can
|
|
10
|
-
* temporarily act as another user. While impersonation is active, the session
|
|
11
|
-
* carries both identities — `User` is the target, `Impersonator` is the
|
|
12
|
-
* original. Permission checks therefore "see" the target by default; the
|
|
13
|
-
* original is preserved only for audit and for ending the impersonation.
|
|
14
|
-
*
|
|
15
|
-
* @tags Authentication
|
|
16
|
-
*/
|
|
17
|
-
export declare class ImpersonationController extends BaseController {
|
|
18
|
-
protected AC: AccessControl;
|
|
19
|
-
protected PasswordProvider: PasswordProvider;
|
|
20
|
-
protected SessionProvider: SessionProvider;
|
|
21
|
-
protected RequirePassword: boolean;
|
|
22
|
-
protected ProtectedRoles: string[];
|
|
23
|
-
/**
|
|
24
|
-
* Get impersonation state
|
|
25
|
-
* Returns whether an impersonation is currently active for this session.
|
|
26
|
-
* @security cookieAuth
|
|
27
|
-
* @returns {IImpersonationState}
|
|
28
|
-
* @response 401 No active session
|
|
29
|
-
*/
|
|
30
|
-
getState(Impersonator: string, User: string, ImpersonationStartedAt: string): Promise<Ok<IImpersonationState>>;
|
|
31
|
-
/**
|
|
32
|
-
* Start impersonation
|
|
33
|
-
* Begins impersonating the target user. The caller must have `createAny` on
|
|
34
|
-
* virtual resource `user:impersonate`. The target must not hold any role in
|
|
35
|
-
* `rbac.impersonation.protectedRoles` and must not have effective grants
|
|
36
|
-
* exceeding the caller's. If `rbac.impersonation.requirePassword` is true,
|
|
37
|
-
* the caller's password must be supplied and is verified.
|
|
38
|
-
* @security cookieAuth
|
|
39
|
-
* @returns {IImpersonationResponse}
|
|
40
|
-
* @response 400 Target equals caller or invalid payload
|
|
41
|
-
* @response 401 Password required or invalid
|
|
42
|
-
* @response 403 Caller lacks permission, target is protected, or escalation detected
|
|
43
|
-
* @response 404 Target user not found / inactive / banned / deleted
|
|
44
|
-
* @response 409 An impersonation is already in progress for this session
|
|
45
|
-
*/
|
|
46
|
-
start(caller: User, session: ISession, payload: ImpersonateDto): Promise<Ok<IImpersonationResponse> | BadRequestResponse | Unauthorized | ForbiddenResponse | NotFound | Conflict>;
|
|
47
|
-
/**
|
|
48
|
-
* Stop impersonation
|
|
49
|
-
* Restores the original user's session and returns their login-style payload.
|
|
50
|
-
* @security cookieAuth
|
|
51
|
-
* @returns {IUserWithGrants}
|
|
52
|
-
* @response 400 No impersonation is currently active
|
|
53
|
-
*/
|
|
54
|
-
stop(target: User, session: ISession): Promise<Ok<IUserWithGrants> | BadRequestResponse>;
|
|
55
|
-
/**
|
|
56
|
-
* Emit an impersonation lifecycle event. Wrapped in a protected method so
|
|
57
|
-
* tests can intercept without stubbing module-level ESM bindings.
|
|
58
|
-
*/
|
|
59
|
-
protected emitEvent(event: UserImpersonationStarted | UserImpersonationEnded): Promise<void>;
|
|
60
|
-
/**
|
|
61
|
-
* Load the impersonation target (with Metadata so IsBanned works). Extracted
|
|
62
|
-
* as a protected method so tests can stub it without setting up a database.
|
|
63
|
-
*/
|
|
64
|
-
protected loadTarget(uuid: string): Promise<User | undefined>;
|
|
65
|
-
/**
|
|
66
|
-
* Load the original (impersonator) user. Extracted for the same reason as
|
|
67
|
-
* loadTarget — keeps the controller easy to test in isolation.
|
|
68
|
-
*/
|
|
69
|
-
protected loadOriginal(uuid: string): Promise<User | undefined>;
|
|
70
|
-
protected buildResponse(target: User, impersonator: User, activeRole: string, startedAt: string): IImpersonationResponse;
|
|
71
|
-
}
|
|
72
|
-
//# sourceMappingURL=ImpersonationController.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"ImpersonationController.d.ts","sourceRoot":"","sources":["../../../src/controllers/ImpersonationController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,cAAc,EAA6B,EAAE,EAAO,kBAAkB,EAAE,YAAY,EAAE,iBAAiB,EAAE,QAAQ,EAAE,QAAQ,EAAU,MAAM,eAAe,CAAC;AACpK,OAAO,EACL,aAAa,EACb,gBAAgB,EAChB,eAAe,EACf,IAAI,EACJ,wBAAwB,EACxB,sBAAsB,EAGvB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAK9C,OAAO,EAKL,sBAAsB,EACtB,mBAAmB,EACnB,eAAe,EAChB,MAAM,oBAAoB,CAAC;AAI5B;;;;;;;;;;GAUG;AACH,qBACa,uBAAwB,SAAQ,cAAc;IAEzD,SAAS,CAAC,EAAE,EAAE,aAAa,CAAC;IAG5B,SAAS,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;IAG7C,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC;IAG3C,SAAS,CAAC,eAAe,EAAE,OAAO,CAAC;IAGnC,SAAS,CAAC,cAAc,EAAE,MAAM,EAAE,CAAC;IAEnC;;;;;;OAMG;IAGU,QAAQ,CACJ,YAAY,EAAE,MAAM,EACpB,IAAI,EAAE,MAAM,EACZ,sBAAsB,EAAE,MAAM,GAC5C,OAAO,CAAC,EAAE,CAAC,mBAAmB,CAAC,CAAC;IAYnC;;;;;;;;;;;;;;OAcG;IAGU,KAAK,CACA,MAAM,EAAE,IAAI,EACT,OAAO,EAAE,QAAQ,EAC5B,OAAO,EAAE,cAAc,GAC9B,OAAO,CACR,EAAE,CAAC,sBAAsB,CAAC,GAAG,kBAAkB,GAAG,YAAY,GAAG,iBAAiB,GAAG,QAAQ,GAAG,QAAQ,CACzG;IAsFD;;;;;;OAMG;IAGU,IAAI,CACC,MAAM,EAAE,IAAI,EACT,OAAO,EAAE,QAAQ,GACnC,OAAO,CAAC,EAAE,CAAC,eAAe,CAAC,GAAG,kBAAkB,CAAC;IA4CpD;;;OAGG;IACH,SAAS,CAAC,SAAS,CAAC,KAAK,EAAE,wBAAwB,GAAG,sBAAsB,GAAG,OAAO,CAAC,IAAI,CAAC;IAI5F;;;OAGG;IACH,SAAS,CAAC,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC;IAI7D;;;OAGG;IACH,SAAS,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC;IAI/D,SAAS,CAAC,aAAa,CAAC,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,sBAAsB;CAWzH"}
|