@stonecrop/casl-middleware 0.7.0

package/dist/src/middleware/jwt.d.ts

@@ -0,0 +1,114 @@
+import jwt from 'jsonwebtoken';
+import type { Context, User } from '../types';
+export interface JWTConfig {
+    enabled?: boolean;
+    secret?: string;
+    publicKey?: string;
+    algorithms?: jwt.Algorithm[];
+    issuer?: string;
+    audience?: string;
+    extractUser?: (payload: any) => User | undefined;
+    headerName?: string;
+    tokenPrefix?: string;
+    optional?: boolean;
+    maxAge?: string;
+}
+export interface JWTPayload extends jwt.JwtPayload {
+    sub?: string;
+    roles?: string[];
+    permissions?: Array<{
+        action: string;
+        subject: string;
+        conditions?: any;
+    }>;
+    [key: string]: any;
+}
+/**
+ * JWT middleware factory for GraphQL servers
+ *
+ * @example
+ * ```typescript
+ * // In Nuxt Yoga
+ * export default defineNuxtConfig({
+ *   yoga: {
+ *     middleware: [
+ *       createJWTMiddleware({
+ *         enabled: true,
+ *         secret: process.env.JWT_SECRET,
+ *         optional: true // Don't fail if no token
+ *       })
+ *     ]
+ *   }
+ * })
+ *
+ * // In Postgraphile
+ * const jwtPlugin = createPostgraphileJWTPlugin({
+ *   secret: process.env.JWT_SECRET,
+ *   extractUser: (payload) => ({
+ *     id: payload.user_id,
+ *     roles: payload.user_roles
+ *   })
+ * })
+ * ```
+ */
+export declare const createJWTMiddleware: (config?: JWTConfig) => (context: Context, next: () => Promise<any>) => Promise<any>;
+/**
+ * Create a JWT token with user data
+ */
+export declare const createJWT: (user: User, config: {
+    secret: string;
+    expiresIn?: string | number;
+    issuer?: string;
+    audience?: string;
+    additionalClaims?: Record<string, any>;
+}) => string;
+/**
+ * Integration with CASL ability builder
+ */
+export declare const createJWTAbilityBuilder: (config?: JWTConfig) => (user?: User) => Promise<import("./ability").AppAbility>;
+/**
+ * Postgraphile-specific JWT plugin
+ */
+export declare const createPostgraphileJWTPlugin: (config: JWTConfig) => {
+    name: string;
+    version: string;
+    grafast: {
+        hooks: {
+            context(ctx: any, build: any): Promise<any>;
+        };
+    };
+};
+/**
+ * Express/Koa middleware for REST endpoints
+ */
+export declare const createHTTPJWTMiddleware: (config: JWTConfig) => (req: any, res: any, next: any) => Promise<void>;
+/**
+ * Refresh token utilities
+ */
+export declare const refreshTokenUtils: {
+    /**
+     * Create access and refresh tokens
+     */
+    createTokenPair: (user: User, config: {
+        accessSecret: string;
+        refreshSecret: string;
+        accessExpiresIn?: string;
+        refreshExpiresIn?: string;
+    }) => {
+        accessToken: string;
+        refreshToken: string;
+    };
+    /**
+     * Verify refresh token and create new access token
+     */
+    refreshAccessToken: (refreshToken: string, config: {
+        accessSecret: string;
+        refreshSecret: string;
+        getUserById: (id: string) => Promise<User | null>;
+        accessExpiresIn?: string;
+    }) => Promise<{
+        accessToken: string;
+        user: User;
+    }>;
+};
+//# sourceMappingURL=jwt.d.ts.map

package/dist/src/middleware/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/middleware/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,cAAc,CAAA;AAE9B,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,UAAU,CAAA;AAG7C,MAAM,WAAW,SAAS;IACzB,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,UAAU,CAAC,EAAE,GAAG,CAAC,SAAS,EAAE,CAAA;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,KAAK,IAAI,GAAG,SAAS,CAAA;IAChD,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,MAAM,CAAC,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,UAAW,SAAQ,GAAG,CAAC,UAAU;IACjD,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;IAChB,WAAW,CAAC,EAAE,KAAK,CAAC;QACnB,MAAM,EAAE,MAAM,CAAA;QACd,OAAO,EAAE,MAAM,CAAA;QACf,UAAU,CAAC,EAAE,GAAG,CAAA;KAChB,CAAC,CAAA;IACF,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;CAClB;AAeD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,eAAO,MAAM,mBAAmB,GAAI,SAAQ,SAAc,MAoB3C,SAAS,OAAO,EAAE,MAAM,MAAM,OAAO,CAAC,GAAG,CAAC,iBAoExD,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,SAAS,GACrB,MAAM,IAAI,EACV,QAAQ;IACP,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAA;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;CACtC,KACC,MAiBF,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,uBAAuB,GAAI,SAAQ,SAAc,MAC/C,OAAO,IAAI,4CAsBzB,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,2BAA2B,GAAI,QAAQ,SAAS;;;;;yBAQtC,GAAG,SAAS,GAAG;;;CAwBrC,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,uBAAuB,GAAI,QAAQ,SAAS,MAI1C,KAAK,GAAG,EAAE,KAAK,GAAG,EAAE,MAAM,GAAG,kBA4B3C,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,iBAAiB;IAC7B;;OAEG;4BAEI,IAAI,UACF;QACP,YAAY,EAAE,MAAM,CAAA;QACpB,aAAa,EAAE,MAAM,CAAA;QACrB,eAAe,CAAC,EAAE,MAAM,CAAA;QACxB,gBAAgB,CAAC,EAAE,MAAM,CAAA;KACzB;;;;IAkCF;;OAEG;uCAEY,MAAM,UACZ;QACP,YAAY,EAAE,MAAM,CAAA;QACpB,aAAa,EAAE,MAAM,CAAA;QACrB,WAAW,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAAA;QACjD,eAAe,CAAC,EAAE,MAAM,CAAA;KACxB;;;;CAyCF,CAAA"}

package/dist/src/middleware/jwt.js

@@ -0,0 +1,291 @@
+import jwt from 'jsonwebtoken';
+import { AbilityBuilder, PureAbility } from '@casl/ability';
+import { defaultAbilityBuilder } from './ability';
+/**
+ * Default user extractor from JWT payload
+ */
+const defaultUserExtractor = (payload) => {
+    if (!payload.sub)
+        return undefined;
+    return {
+        id: payload.sub,
+        roles: payload.roles || [],
+        ...payload, // Include any additional claims
+    };
+};
+/**
+ * JWT middleware factory for GraphQL servers
+ *
+ * @example
+ * ```typescript
+ * // In Nuxt Yoga
+ * export default defineNuxtConfig({
+ *   yoga: {
+ *     middleware: [
+ *       createJWTMiddleware({
+ *         enabled: true,
+ *         secret: process.env.JWT_SECRET,
+ *         optional: true // Don't fail if no token
+ *       })
+ *     ]
+ *   }
+ * })
+ *
+ * // In Postgraphile
+ * const jwtPlugin = createPostgraphileJWTPlugin({
+ *   secret: process.env.JWT_SECRET,
+ *   extractUser: (payload) => ({
+ *     id: payload.user_id,
+ *     roles: payload.user_roles
+ *   })
+ * })
+ * ```
+ */
+export const createJWTMiddleware = (config = {}) => {
+    const { enabled = true, secret, publicKey, algorithms = ['HS256'], issuer, audience, headerName = 'authorization', tokenPrefix = 'Bearer ', optional = false, extractUser = defaultUserExtractor, maxAge, } = config;
+    // Validate configuration
+    if (enabled && !secret && !publicKey) {
+        throw new Error('JWT middleware requires either secret or publicKey');
+    }
+    return async (context, next) => {
+        // Skip if JWT is disabled
+        if (!enabled) {
+            return next();
+        }
+        try {
+            // Extract token from request headers
+            const authHeader = context.req?.headers?.get?.(headerName) ||
+                context.request?.headers?.get?.(headerName) ||
+                context.headers?.[headerName];
+            if (!authHeader) {
+                if (optional) {
+                    return next();
+                }
+                throw new Error('No authorization header found');
+            }
+            // Remove token prefix
+            const token = authHeader.startsWith(tokenPrefix) ? authHeader.slice(tokenPrefix.length) : authHeader;
+            // Prepare verification options
+            const verifyOptions = {
+                algorithms,
+                ...(issuer && { issuer }),
+                ...(audience && { audience }),
+                ...(maxAge && { maxAge }),
+            };
+            // Verify and decode token
+            const secretOrPublicKey = publicKey || secret;
+            const payload = jwt.verify(token, secretOrPublicKey, verifyOptions);
+            // Extract user from payload
+            const user = extractUser(payload);
+            if (user) {
+                context.user = user;
+                // Store the raw payload for potential use
+                context.jwtPayload = payload;
+            }
+            // Continue to next middleware
+            return next();
+        }
+        catch (error) {
+            if (optional) {
+                // Log error in development
+                if (process.env.NODE_ENV === 'development') {
+                    console.warn('JWT verification failed (optional):', error.message);
+                }
+                // Continue without user if optional
+                return next();
+            }
+            // Re-throw with more specific error messages
+            if (error.name === 'TokenExpiredError') {
+                throw new Error('Token has expired');
+            }
+            else if (error.name === 'JsonWebTokenError') {
+                throw new Error('Invalid token');
+            }
+            else if (error.name === 'NotBeforeError') {
+                throw new Error('Token not active yet');
+            }
+            throw error;
+        }
+    };
+};
+/**
+ * Create a JWT token with user data
+ */
+export const createJWT = (user, config) => {
+    const { secret, expiresIn = '1h', issuer, audience, additionalClaims = {} } = config;
+    const payload = {
+        sub: user.id,
+        roles: user.roles || [],
+        ...additionalClaims,
+    };
+    const signOptions = {};
+    // Add optional fields only if they exist
+    if (issuer !== undefined)
+        signOptions.issuer = issuer;
+    if (audience !== undefined)
+        signOptions.audience = audience;
+    if (expiresIn !== undefined)
+        signOptions.expiresIn = expiresIn; // Type cast to avoid TS issues
+    return jwt.sign(payload, secret, signOptions);
+};
+/**
+ * Integration with CASL ability builder
+ */
+export const createJWTAbilityBuilder = (config = {}) => {
+    return async (user) => {
+        // If user has direct permissions in JWT, use those
+        const jwtPermissions = user?.permissions;
+        if (jwtPermissions && Array.isArray(jwtPermissions)) {
+            // Build ability from JWT permissions
+            const { can, cannot, build } = new AbilityBuilder(PureAbility);
+            jwtPermissions.forEach((permission) => {
+                if (permission.inverted) {
+                    cannot(permission.action, permission.subject, permission.conditions);
+                }
+                else {
+                    can(permission.action, permission.subject, permission.conditions);
+                }
+            });
+            return build();
+        }
+        // Fall back to role-based abilities
+        return defaultAbilityBuilder(user);
+    };
+};
+/**
+ * Postgraphile-specific JWT plugin
+ */
+export const createPostgraphileJWTPlugin = (config) => {
+    return {
+        name: 'JWTAuthPlugin',
+        version: '1.0.0',
+        // Hook into Postgraphile's context building
+        grafast: {
+            hooks: {
+                async context(ctx, build) {
+                    const middleware = createJWTMiddleware(config);
+                    // Create a simple context object that the middleware can work with
+                    const context = {
+                        req: ctx.req,
+                        headers: ctx.req?.headers,
+                        user: undefined,
+                        jwtPayload: undefined,
+                    };
+                    // Run the JWT middleware
+                    await middleware(context, async () => { });
+                    // Add user to Postgraphile context
+                    if (context.user) {
+                        return { ...ctx, user: context.user, jwtPayload: context.jwtPayload };
+                    }
+                    return ctx;
+                },
+            },
+        },
+    };
+};
+/**
+ * Express/Koa middleware for REST endpoints
+ */
+export const createHTTPJWTMiddleware = (config) => {
+    const jwtMiddleware = createJWTMiddleware(config);
+    // Express middleware
+    return async (req, res, next) => {
+        const context = {
+            req: {
+                headers: {
+                    get: (name) => req.headers[name],
+                },
+            },
+            headers: req.headers,
+            user: undefined,
+            jwtPayload: undefined,
+        };
+        try {
+            await jwtMiddleware(context, async () => { });
+            req.user = context.user;
+            req.jwtPayload = context.jwtPayload;
+            next();
+        }
+        catch (error) {
+            if (config.optional) {
+                next();
+            }
+            else {
+                res.status(401).json({
+                    error: error.message,
+                    code: 'UNAUTHORIZED',
+                });
+            }
+        }
+    };
+};
+/**
+ * Refresh token utilities
+ */
+export const refreshTokenUtils = {
+    /**
+     * Create access and refresh tokens
+     */
+    createTokenPair: (user, config) => {
+        const { accessSecret, refreshSecret, accessExpiresIn = '15m', refreshExpiresIn = '7d' } = config;
+        const accessPayload = {
+            sub: user.id,
+            roles: user.roles,
+            type: 'access',
+        };
+        const refreshPayload = {
+            sub: user.id,
+            type: 'refresh',
+        };
+        // Create access token with proper options
+        const accessOptions = {};
+        if (accessExpiresIn) {
+            accessOptions.expiresIn = accessExpiresIn; // Type cast to avoid TS issues
+        }
+        const accessToken = jwt.sign(accessPayload, accessSecret, accessOptions);
+        // Create refresh token with proper options
+        const refreshOptions = {};
+        if (refreshExpiresIn) {
+            refreshOptions.expiresIn = refreshExpiresIn; // Type cast to avoid TS issues
+        }
+        const refreshToken = jwt.sign(refreshPayload, refreshSecret, refreshOptions);
+        return { accessToken, refreshToken };
+    },
+    /**
+     * Verify refresh token and create new access token
+     */
+    refreshAccessToken: async (refreshToken, config) => {
+        const { accessSecret, refreshSecret, getUserById, accessExpiresIn = '15m' } = config;
+        try {
+            // Verify refresh token
+            const payload = jwt.verify(refreshToken, refreshSecret);
+            if (payload.type !== 'refresh') {
+                throw new Error('Invalid token type');
+            }
+            // Get fresh user data
+            const user = await getUserById(payload.sub);
+            if (!user) {
+                throw new Error('User not found');
+            }
+            // Create new access token
+            const accessPayload = {
+                sub: user.id,
+                roles: user.roles,
+                type: 'access',
+            };
+            // Create access token with proper options
+            const accessOptions = {};
+            if (accessExpiresIn) {
+                accessOptions.expiresIn = accessExpiresIn; // Type cast to avoid TS issues
+            }
+            const accessToken = jwt.sign(accessPayload, accessSecret, accessOptions);
+            return { accessToken, user };
+        }
+        catch (error) {
+            if (error.name === 'TokenExpiredError') {
+                throw new Error('Refresh token expired');
+            }
+            throw error;
+        }
+    },
+};

package/dist/src/middleware/postgraphile.d.ts

@@ -0,0 +1,7 @@
+import { GraphileConfig } from 'postgraphile/graphile-build';
+/**
+ * PostGraphile plugin for CASL authorization
+ * @public
+ */
+export declare const pglCaslPlugin: GraphileConfig.Plugin;
+//# sourceMappingURL=postgraphile.d.ts.map

package/dist/src/middleware/postgraphile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"postgraphile.d.ts","sourceRoot":"","sources":["../../../src/middleware/postgraphile.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAA;AAI5D;;;GAGG;AACH,eAAO,MAAM,aAAa,EAAE,cAAc,CAAC,MAkFzC,CAAA"}

package/dist/src/middleware/postgraphile.js

@@ -0,0 +1,80 @@
+import { extendSchema, gql } from 'postgraphile/utils';
+import { createAbility } from './ability';
+/**
+ * PostGraphile plugin for CASL authorization
+ * @public
+ */
+export const pglCaslPlugin = extendSchema(build => {
+    const { grafast: { constant, object, sideEffect }, } = build;
+    return {
+        typeDefs: gql `
+			input CreateAbilityInput {
+				userId: String!
+				roles: [String!]
+			}
+
+			type AbilityResponse {
+				success: Boolean!
+				ability: JSON
+				message: String
+			}
+
+			type SecretData {
+				id: String!
+				content: String!
+			}
+
+			extend type Query {
+				getSecretData: SecretData
+			}
+
+			extend type Mutation {
+				createAbility(input: CreateAbilityInput!): AbilityResponse!
+			}
+		`,
+        objects: {
+            Query: {
+                plans: {
+                    async getSecretData() {
+                        // TODO: This should be protected by CASL
+                        // const $ability = context<Context>().get('ability')
+                        // if (!$ability.can('read', 'SecretData')) {
+                        // 	throw new Error('Access denied')
+                        // }
+                        return object({
+                            id: constant('123'),
+                            content: constant('This is protected content'),
+                        });
+                    },
+                },
+            },
+            Mutation: {
+                plans: {
+                    async createAbility(_plan, fieldArgs) {
+                        const $input = fieldArgs.getRaw().input;
+                        const $userId = $input.userId;
+                        const $roles = $input.roles;
+                        return sideEffect([$userId, $roles], async ([userId, roles]) => {
+                            // Make this async
+                            try {
+                                const ability = await createAbility({ id: userId, roles }); // Await here
+                                return {
+                                    success: true,
+                                    ability: ability.rules,
+                                    message: 'Ability created successfully',
+                                };
+                            }
+                            catch (error) {
+                                return {
+                                    success: false,
+                                    ability: null,
+                                    message: error instanceof Error ? error.message : 'Unknown error occurred',
+                                };
+                            }
+                        });
+                    },
+                },
+            },
+        },
+    };
+});

package/dist/src/middleware/yoga.d.ts

@@ -0,0 +1,15 @@
+import type { Plugin } from 'graphql-yoga';
+import type { Context, MiddlewareOptions } from '../types';
+export declare const yogaCaslPlugin: Plugin<Context>;
+/**
+ * Create a GraphQL Yoga plugin for CASL authorization
+ * Note: This is a placeholder for future implementation
+ *
+ * @param options - CASL middleware configuration options
+ * @returns Yoga plugin
+ * @public
+ */
+export declare const createYogaPlugin: (options?: MiddlewareOptions) => {
+    onExecute: ({ args }: any) => Promise<void>;
+};
+//# sourceMappingURL=yoga.d.ts.map

package/dist/src/middleware/yoga.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"yoga.d.ts","sourceRoot":"","sources":["../../../src/middleware/yoga.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAI1C,OAAO,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAA;AAO1D,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,OAAO,CAO1C,CAAA;AAED;;;;;;;GAOG;AACH,eAAO,MAAM,gBAAgB,GAAI,UAAS,iBAAsB;0BAIlC,GAAG;CAMhC,CAAA"}

package/dist/src/middleware/yoga.js

@@ -0,0 +1,32 @@
+import { createAbility } from './ability';
+import { createCaslMiddleware } from './graphql';
+const getLoggedInUser = () => {
+    // Mock user for demonstration purposes
+    return { id: '1', roles: ['editor'] };
+};
+export const yogaCaslPlugin = {
+    onContextBuilding: async ({ context, extendContext }) => {
+        // Make this async
+        const user = getLoggedInUser();
+        const ability = await createAbility(user); // Await here
+        extendContext({ ability, user });
+    },
+};
+/**
+ * Create a GraphQL Yoga plugin for CASL authorization
+ * Note: This is a placeholder for future implementation
+ *
+ * @param options - CASL middleware configuration options
+ * @returns Yoga plugin
+ * @public
+ */
+export const createYogaPlugin = (options = {}) => {
+    const middleware = createCaslMiddleware(options);
+    return {
+        onExecute: async ({ args }) => {
+            // TODO: Implement Yoga plugin
+            // This would integrate with GraphQL Yoga's plugin system
+            console.log('Yoga plugin not yet implemented');
+        },
+    };
+};

package/dist/src/tsdoc-metadata.json

@@ -0,0 +1,11 @@
+// This file is read by tools that parse documentation comments conforming to the TSDoc standard.
+// It should be published with your NPM package.  It should not be tracked by Git.
+{
+  "tsdocVersion": "0.12",
+  "toolPackages": [
+    {
+      "packageName": "@microsoft/api-extractor",
+      "packageVersion": "7.55.2"
+    }
+  ]
+}

package/dist/src/types/index.d.ts

@@ -0,0 +1,114 @@
+import { GraphQLResolveInfo } from 'graphql';
+import type { AppAbility, AbilityBuilderFunction } from '../middleware/ability';
+/**
+ * User information for authorization
+ * @public
+ */
+export interface User {
+    /** Unique identifier for the user */
+    id: string;
+    /** Array of role names assigned to the user */
+    roles?: string[];
+    /** Additional user properties */
+    [key: string]: any;
+}
+/**
+ * GraphQL context with CASL ability and user information
+ * @public
+ */
+export interface Context {
+    /** CASL ability instance for authorization checks */
+    ability?: AppAbility;
+    /** Current authenticated user */
+    user?: User;
+    /** Additional context properties */
+    [key: string]: any;
+}
+/**
+ * Configuration options for CASL middleware
+ * @public
+ */
+export interface MiddlewareOptions {
+    /** Mapping of GraphQL types to authorization subjects */
+    subjectMap?: Record<string, string>;
+    /** Mapping of GraphQL operations to CASL actions */
+    actionMap?: Record<string, string>;
+    /** Field-level permission rules */
+    fieldPermissions?: Record<string, FieldPermission[]>;
+    /** Custom function to build user abilities */
+    abilityBuilder?: AbilityBuilderFunction;
+    /** Enable debug logging */
+    debug?: boolean;
+}
+/**
+ * Field-level permission definition for fine-grained access control
+ * @public
+ */
+export interface FieldPermission {
+    /** CASL action (e.g., 'read', 'write') */
+    action: string;
+    /** Subject/resource type to apply permission to */
+    subject: string;
+    /** Specific field name (optional) */
+    field?: string;
+    /** Conditional rules for permission */
+    conditions?: any;
+}
+/**
+ * GraphQL resolver function type
+ * @public
+ */
+export type ResolverFn = (root: any, args: any, context: Context, info: GraphQLResolveInfo) => Promise<any> | any;
+/**
+ * Middleware function that wraps a GraphQL resolver with authorization logic
+ * @public
+ */
+export type MiddlewareFn = (resolve: ResolverFn, root: any, args: any, context: Context, info: GraphQLResolveInfo) => Promise<any> | any;
+/**
+ * Plugin configuration options for framework integrations
+ * @public
+ */
+export interface PluginOptions extends MiddlewareOptions {
+    /** Custom function to build user abilities */
+    abilityBuilder?: AbilityBuilderFunction;
+    /** Ability caching configuration */
+    cacheOptions?: {
+        /** Time-to-live in milliseconds */
+        ttl?: number;
+        /** Function to generate cache key from user */
+        key?: (user?: User) => string;
+    };
+}
+/**
+ * Response type for ability creation mutations
+ * @public
+ */
+export interface AbilityResponse {
+    /** Whether the ability was created successfully */
+    success: boolean;
+    /** The created ability rules */
+    ability: any;
+    /** Success or error message */
+    message: string;
+}
+/**
+ * Input type for creating a new ability
+ * @public
+ */
+export interface CreateAbilityInput {
+    /** User ID to create ability for */
+    userId: string;
+    /** Array of role names to assign */
+    roles: string[];
+}
+export interface AbilityRule {
+    id?: string;
+    roleId?: string;
+    userId?: string;
+    action: string | string[];
+    subject: string;
+    fields?: string[];
+    conditions?: any;
+    inverted?: boolean;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/src/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/types/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAA;AAE5C,OAAO,KAAK,EAAE,UAAU,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAA;AAE/E;;;GAGG;AACH,MAAM,WAAW,IAAI;IACpB,qCAAqC;IACrC,EAAE,EAAE,MAAM,CAAA;IACV,+CAA+C;IAC/C,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;IAChB,iCAAiC;IACjC,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,OAAO;IACvB,qDAAqD;IACrD,OAAO,CAAC,EAAE,UAAU,CAAA;IACpB,iCAAiC;IACjC,IAAI,CAAC,EAAE,IAAI,CAAA;IACX,oCAAoC;IACpC,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;CAClB;AAID;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IACjC,yDAAyD;IACzD,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IACnC,oDAAoD;IACpD,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAClC,mCAAmC;IACnC,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IACpD,8CAA8C;IAC9C,cAAc,CAAC,EAAE,sBAAsB,CAAA;IACvC,2BAA2B;IAC3B,KAAK,CAAC,EAAE,OAAO,CAAA;CACf;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC/B,0CAA0C;IAC1C,MAAM,EAAE,MAAM,CAAA;IACd,mDAAmD;IACnD,OAAO,EAAE,MAAM,CAAA;IACf,qCAAqC;IACrC,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,uCAAuC;IACvC,UAAU,CAAC,EAAE,GAAG,CAAA;CAChB;AAED;;;GAGG;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,kBAAkB,KAAK,OAAO,CAAC,GAAG,CAAC,GAAG,GAAG,CAAA;AAEjH;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG,CAC1B,OAAO,EAAE,UAAU,EACnB,IAAI,EAAE,GAAG,EACT,IAAI,EAAE,GAAG,EACT,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,kBAAkB,KACpB,OAAO,CAAC,GAAG,CAAC,GAAG,GAAG,CAAA;AAEvB;;;GAGG;AACH,MAAM,WAAW,aAAc,SAAQ,iBAAiB;IACvD,8CAA8C;IAC9C,cAAc,CAAC,EAAE,sBAAsB,CAAA;IACvC,oCAAoC;IACpC,YAAY,CAAC,EAAE;QACd,mCAAmC;QACnC,GAAG,CAAC,EAAE,MAAM,CAAA;QACZ,+CAA+C;QAC/C,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,IAAI,KAAK,MAAM,CAAA;KAC7B,CAAA;CACD;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC/B,mDAAmD;IACnD,OAAO,EAAE,OAAO,CAAA;IAChB,gCAAgC;IAChC,OAAO,EAAE,GAAG,CAAA;IACZ,+BAA+B;IAC/B,OAAO,EAAE,MAAM,CAAA;CACf;AAED;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IAClC,oCAAoC;IACpC,MAAM,EAAE,MAAM,CAAA;IACd,oCAAoC;IACpC,KAAK,EAAE,MAAM,EAAE,CAAA;CACf;AAGD,MAAM,WAAW,WAAW;IAC3B,EAAE,CAAC,EAAE,MAAM,CAAA;IACX,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAA;IACzB,OAAO,EAAE,MAAM,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,UAAU,CAAC,EAAE,GAAG,CAAA;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAA;CAClB"}