@stonecrop/casl-middleware 0.7.0

package/src/middleware/postgraphile.ts

@@ -0,0 +1,93 @@
+import { extendSchema, gql } from 'postgraphile/utils'
+import type { ExecutableStep } from 'postgraphile/grafast'
+import { GraphileConfig } from 'postgraphile/graphile-build'
+
+import { createAbility } from './ability'
+
+/**
+ * PostGraphile plugin for CASL authorization
+ * @public
+ */
+export const pglCaslPlugin: GraphileConfig.Plugin = extendSchema(build => {
+	const {
+		grafast: { constant, object, sideEffect },
+	} = build
+
+	return {
+		typeDefs: gql`
+			input CreateAbilityInput {
+				userId: String!
+				roles: [String!]
+			}
+
+			type AbilityResponse {
+				success: Boolean!
+				ability: JSON
+				message: String
+			}
+
+			type SecretData {
+				id: String!
+				content: String!
+			}
+
+			extend type Query {
+				getSecretData: SecretData
+			}
+
+			extend type Mutation {
+				createAbility(input: CreateAbilityInput!): AbilityResponse!
+			}
+		`,
+
+		objects: {
+			Query: {
+				plans: {
+					async getSecretData() {
+						// TODO: This should be protected by CASL
+						// const $ability = context<Context>().get('ability')
+						// if (!$ability.can('read', 'SecretData')) {
+						// 	throw new Error('Access denied')
+						// }
+
+						return object({
+							id: constant('123'),
+							content: constant('This is protected content'),
+						})
+					},
+				},
+			},
+
+			Mutation: {
+				plans: {
+					async createAbility(_plan: any, fieldArgs: any) {
+						const $input = fieldArgs.getRaw().input
+						const $userId = $input.userId
+						const $roles = $input.roles
+
+						return sideEffect(
+							[$userId as ExecutableStep, $roles as ExecutableStep],
+							async ([userId, roles]: [string, string[]]) => {
+								// Make this async
+								try {
+									const ability = await createAbility({ id: userId, roles }) // Await here
+									return {
+										success: true,
+										ability: ability.rules,
+										message: 'Ability created successfully',
+									}
+								} catch (error) {
+									return {
+										success: false,
+										ability: null,
+										message: error instanceof Error ? error.message : 'Unknown error occurred',
+									}
+								}
+							}
+						)
+					},
+				},
+			},
+		},
+	}
+})

package/src/middleware/yoga.ts

@@ -0,0 +1,39 @@
+import type { Plugin } from 'graphql-yoga'
+
+import { createAbility } from './ability'
+import { createCaslMiddleware } from './graphql'
+import type { Context, MiddlewareOptions } from '../types'
+
+const getLoggedInUser = () => {
+	// Mock user for demonstration purposes
+	return { id: '1', roles: ['editor'] }
+}
+
+export const yogaCaslPlugin: Plugin<Context> = {
+	onContextBuilding: async ({ context, extendContext }) => {
+		// Make this async
+		const user = getLoggedInUser()
+		const ability = await createAbility(user) // Await here
+		extendContext({ ability, user })
+	},
+}
+
+/**
+ * Create a GraphQL Yoga plugin for CASL authorization
+ * Note: This is a placeholder for future implementation
+ *
+ * @param options - CASL middleware configuration options
+ * @returns Yoga plugin
+ * @public
+ */
+export const createYogaPlugin = (options: MiddlewareOptions = {}) => {
+	const middleware = createCaslMiddleware(options)
+
+	return {
+		onExecute: async ({ args }: any) => {
+			// TODO: Implement Yoga plugin
+			// This would integrate with GraphQL Yoga's plugin system
+			console.log('Yoga plugin not yet implemented')
+		},
+	}
+}

package/src/types/index.ts

@@ -0,0 +1,133 @@
+import { GraphQLResolveInfo } from 'graphql'
+
+import type { AppAbility, AbilityBuilderFunction } from '../middleware/ability'
+
+/**
+ * User information for authorization
+ * @public
+ */
+export interface User {
+	/** Unique identifier for the user */
+	id: string
+	/** Array of role names assigned to the user */
+	roles?: string[]
+	/** Additional user properties */
+	[key: string]: any
+}
+
+/**
+ * GraphQL context with CASL ability and user information
+ * @public
+ */
+export interface Context {
+	/** CASL ability instance for authorization checks */
+	ability?: AppAbility
+	/** Current authenticated user */
+	user?: User
+	/** Additional context properties */
+	[key: string]: any
+}
+
+// ... rest of the file stays the same
+
+/**
+ * Configuration options for CASL middleware
+ * @public
+ */
+export interface MiddlewareOptions {
+	/** Mapping of GraphQL types to authorization subjects */
+	subjectMap?: Record<string, string>
+	/** Mapping of GraphQL operations to CASL actions */
+	actionMap?: Record<string, string>
+	/** Field-level permission rules */
+	fieldPermissions?: Record<string, FieldPermission[]>
+	/** Custom function to build user abilities */
+	abilityBuilder?: AbilityBuilderFunction
+	/** Enable debug logging */
+	debug?: boolean
+}
+
+/**
+ * Field-level permission definition for fine-grained access control
+ * @public
+ */
+export interface FieldPermission {
+	/** CASL action (e.g., 'read', 'write') */
+	action: string
+	/** Subject/resource type to apply permission to */
+	subject: string
+	/** Specific field name (optional) */
+	field?: string
+	/** Conditional rules for permission */
+	conditions?: any
+}
+
+/**
+ * GraphQL resolver function type
+ * @public
+ */
+export type ResolverFn = (root: any, args: any, context: Context, info: GraphQLResolveInfo) => Promise<any> | any
+
+/**
+ * Middleware function that wraps a GraphQL resolver with authorization logic
+ * @public
+ */
+export type MiddlewareFn = (
+	resolve: ResolverFn,
+	root: any,
+	args: any,
+	context: Context,
+	info: GraphQLResolveInfo
+) => Promise<any> | any
+
+/**
+ * Plugin configuration options for framework integrations
+ * @public
+ */
+export interface PluginOptions extends MiddlewareOptions {
+	/** Custom function to build user abilities */
+	abilityBuilder?: AbilityBuilderFunction
+	/** Ability caching configuration */
+	cacheOptions?: {
+		/** Time-to-live in milliseconds */
+		ttl?: number
+		/** Function to generate cache key from user */
+		key?: (user?: User) => string
+	}
+}
+
+/**
+ * Response type for ability creation mutations
+ * @public
+ */
+export interface AbilityResponse {
+	/** Whether the ability was created successfully */
+	success: boolean
+	/** The created ability rules */
+	ability: any
+	/** Success or error message */
+	message: string
+}
+
+/**
+ * Input type for creating a new ability
+ * @public
+ */
+export interface CreateAbilityInput {
+	/** User ID to create ability for */
+	userId: string
+	/** Array of role names to assign */
+	roles: string[]
+}
+
+// Rule definition for database storage
+export interface AbilityRule {
+	id?: string
+	roleId?: string
+	userId?: string
+	action: string | string[]
+	subject: string
+	fields?: string[]
+	conditions?: any
+	inverted?: boolean
+}