@stonecrop/casl-middleware 0.7.0

package/dist/tests/user-roles.test.js

@@ -0,0 +1,157 @@
+import { PureAbility, AbilityBuilder } from '@casl/ability';
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { createCaslMiddleware } from '../src/middleware/graphql';
+const Ability = PureAbility;
+// Helper to create abilities with proper matchers
+const createTestAbility = (rules) => {
+    const { can, cannot, build } = new AbilityBuilder(Ability);
+    rules.forEach(rule => {
+        if (rule.inverted) {
+            if (rule.fields && rule.conditions) {
+                cannot(rule.action, rule.subject, rule.fields, rule.conditions);
+            }
+            else if (rule.fields) {
+                cannot(rule.action, rule.subject, rule.fields);
+            }
+            else if (rule.conditions) {
+                cannot(rule.action, rule.subject, rule.conditions);
+            }
+            else {
+                cannot(rule.action, rule.subject);
+            }
+        }
+        else {
+            if (rule.fields && rule.conditions) {
+                can(rule.action, rule.subject, rule.fields, rule.conditions);
+            }
+            else if (rule.fields) {
+                can(rule.action, rule.subject, rule.fields);
+            }
+            else if (rule.conditions) {
+                can(rule.action, rule.subject, rule.conditions);
+            }
+            else {
+                can(rule.action, rule.subject);
+            }
+        }
+    });
+    return build({
+        detectSubjectType: (object) => {
+            // Handle CASL's subject() helper objects
+            if (object && typeof object === 'object') {
+                // CASL uses __caslSubjectType__ property
+                if ('__caslSubjectType__' in object) {
+                    return object.__caslSubjectType__;
+                }
+                // Fallback to other type indicators
+                if (object.type)
+                    return object.type;
+                if (object.constructor?.name && object.constructor.name !== 'Object') {
+                    return object.constructor.name;
+                }
+            }
+            return 'Unknown';
+        },
+        fieldMatcher: fields => field => {
+            if (!fields || !field)
+                return false;
+            return Array.isArray(fields) ? fields.includes(field) : fields === field;
+        },
+        conditionsMatcher: conditions => object => {
+            if (!conditions || !object)
+                return true;
+            return Object.keys(conditions).every(key => object[key] === conditions[key]);
+        },
+    });
+};
+describe('CASL GraphQL Middleware', () => {
+    let mockResolve;
+    let mockContext;
+    let mockInfo;
+    beforeEach(() => {
+        mockResolve = vi.fn().mockResolvedValue({ data: 'test' });
+        mockContext = {
+            ability: createTestAbility([
+                { action: 'read', subject: 'Query' },
+                { action: 'read', subject: 'User' },
+                { action: 'update', subject: 'User', conditions: { id: '123' } },
+            ]),
+            user: { id: '123', roles: ['user'] },
+        };
+        mockInfo = {
+            fieldName: 'getUser',
+            parentType: { name: 'Query' },
+            path: { typename: 'Query', key: 'getUser' },
+            operation: {
+                operation: 'query',
+                loc: { source: { body: 'query { getUser { id } }' } },
+            },
+        };
+    });
+    describe('Basic Middleware Functionality', () => {
+        it('should pass through when ability allows the operation', async () => {
+            const middleware = createCaslMiddleware();
+            // Don't pass args that would be treated as conditions
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+            expect(result).toEqual({ data: 'test' });
+        });
+        it('should create ability when not in context', async () => {
+            const middleware = createCaslMiddleware();
+            const contextWithoutAbility = { user: { id: '123', roles: ['user'] } };
+            // The middleware creates a default ability if none exists
+            // Default ability only allows 'read' on 'Query'
+            const result = await middleware(mockResolve, {}, {}, contextWithoutAbility, mockInfo);
+            // Should work because default ability allows 'read' on 'Query'
+            expect(mockResolve).toHaveBeenCalled();
+            expect(result).toEqual({ data: 'test' });
+            expect(contextWithoutAbility.ability).toBeDefined();
+        });
+        it('should deny access when ability does not allow operation', async () => {
+            const middleware = createCaslMiddleware();
+            // Create ability that doesn't allow 'read' on 'Query'
+            mockContext.ability = createTestAbility([{ action: 'read', subject: 'Post' }]);
+            await expect(middleware(mockResolve, {}, {}, mockContext, mockInfo)).rejects.toThrow('Access denied for read on Query');
+        });
+    });
+    describe('Action Mapping', () => {
+        it('should map GraphQL operations to custom actions', async () => {
+            const middleware = createCaslMiddleware({
+                actionMap: {
+                    query: 'view',
+                    mutation: 'modify',
+                    subscription: 'watch',
+                },
+            });
+            // Update ability to allow 'view' instead of 'read'
+            mockContext.ability = createTestAbility([{ action: 'view', subject: 'Query' }]);
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+            expect(result).toEqual({ data: 'test' });
+        });
+        it('should deny when custom action is not allowed', async () => {
+            const middleware = createCaslMiddleware({
+                actionMap: {
+                    query: 'view',
+                },
+            });
+            // Ability still has 'read' permission, not 'view'
+            await expect(middleware(mockResolve, {}, {}, mockContext, mockInfo)).rejects.toThrow('Access denied for view on Query');
+        });
+    });
+    describe('Subject Conditions', () => {
+        it('should handle conditional permissions correctly', async () => {
+            const middleware = createCaslMiddleware();
+            // Change to User type which has conditional permission
+            mockInfo.parentType = { name: 'User' };
+            mockInfo.path = { typename: 'User', key: 'updateUser' };
+            mockInfo.operation.operation = 'mutation';
+            // Ability allows update on User with id: '123'
+            mockContext.ability = createTestAbility([{ action: 'update', subject: 'User', conditions: { id: '123' } }]);
+            // This should work because we're not passing the conditions through args
+            // The middleware should check the general permission
+            const result = await middleware(mockResolve, {}, {}, mockContext, mockInfo);
+            expect(mockResolve).toHaveBeenCalled();
+        });
+    });
+});

package/dist/tests/yoga-plugin.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=yoga-plugin.test.d.ts.map

package/dist/tests/yoga-plugin.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"yoga-plugin.test.d.ts","sourceRoot":"","sources":["../../tests/yoga-plugin.test.ts"],"names":[],"mappings":""}

package/dist/tests/yoga-plugin.test.js

@@ -0,0 +1,47 @@
+import { describe, it, expect, vi } from 'vitest';
+import { yogaCaslPlugin } from '../src/middleware/yoga';
+describe('Yoga CASL Plugin', () => {
+    it('should be a valid Yoga plugin', () => {
+        expect(yogaCaslPlugin).toBeDefined();
+        expect(typeof yogaCaslPlugin).toBe('object');
+        expect(yogaCaslPlugin).toHaveProperty('onContextBuilding');
+    });
+    it('should extend context with ability and user', async () => {
+        const mockContext = {};
+        const extendContext = vi.fn(extension => {
+            Object.assign(mockContext, extension);
+        });
+        const contextParams = {
+            context: mockContext,
+            extendContext,
+        };
+        // Execute the plugin
+        await yogaCaslPlugin.onContextBuilding(contextParams);
+        expect(extendContext).toHaveBeenCalled();
+        expect(extendContext).toHaveBeenCalledWith(expect.objectContaining({
+            ability: expect.any(Object),
+            user: expect.objectContaining({
+                id: '1',
+                roles: ['editor'],
+            }),
+        }));
+    });
+    it('should create ability with editor permissions', async () => {
+        const mockContext = {};
+        let extendedData = {};
+        const extendContext = vi.fn(extension => {
+            extendedData = extension;
+        });
+        const contextParams = {
+            context: mockContext,
+            extendContext,
+        };
+        await yogaCaslPlugin.onContextBuilding(contextParams);
+        // Check that the ability was created with editor permissions
+        expect(extendedData.ability).toBeDefined();
+        expect(extendedData.user.roles).toContain('editor');
+        // The ability should have the permissions we expect for an editor
+        const ability = extendedData.ability;
+        expect(ability.can('read', 'Query')).toBe(true);
+    });
+});

package/package.json

@@ -0,0 +1,91 @@
+{
+  "name": "@stonecrop/casl-middleware",
+  "version": "0.7.0",
+  "license": "MIT",
+  "type": "module",
+  "homepage": "https://github.com/agritheory/stonecrop#readme",
+  "author": {
+    "name": "Tyler Matteson",
+    "email": "support@agritheory.dev"
+  },
+  "description": "CASL authorization middleware for GraphQL servers",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/agritheory/stonecrop",
+    "directory": "casl_middleware"
+  },
+  "bugs": {
+    "url": "https://github.com/agritheory/stonecrop/issues"
+  },
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/src/index.d.ts",
+        "default": "./dist/casl_middleware.js"
+      }
+    },
+    "./types": {
+      "import": "./dist/src/types/index.d.ts",
+      "require": "./dist/src/types/index.d.ts"
+    }
+  },
+  "typings": "./dist/src/index.d.ts",
+  "files": [
+    "dist/*",
+    "src/*"
+  ],
+  "keywords": [
+    "casl",
+    "graphql",
+    "authorization",
+    "middleware",
+    "postgraphile",
+    "rockfoil"
+  ],
+  "dependencies": {
+    "@casl/ability": "^6.7.5",
+    "graphql": "^16.12.0",
+    "graphql-tag": "^2.12.6",
+    "jsonwebtoken": "^9.0.3"
+  },
+  "devDependencies": {
+    "@graphql-tools/merge": "^9.1.7",
+    "@graphql-tools/schema": "^10.0.31",
+    "@graphql-tools/utils": "^11.0.0",
+    "@rushstack/heft": "^1.1.7",
+    "@types/node": "^22.19.5",
+    "@vitest/coverage-istanbul": "^4.0.17",
+    "eslint": "^9.39.2",
+    "graphql-middleware": "^6.1.35",
+    "graphql-yoga": "^5.18.0",
+    "jsdom": "^27.4.0",
+    "postgraphile": "^5.0.0-rc.3",
+    "typescript": "^5.9.3",
+    "vite": "^7.3.1",
+    "vitest": "^4.0.17",
+    "@types/jsonwebtoken": "~9.0.10",
+    "stonecrop-rig": "0.2.22"
+  },
+  "peerDependencies": {
+    "graphql-yoga": "^5.18.0",
+    "postgraphile": "^5.0.0-rc.3"
+  },
+  "peerDependenciesMeta": {
+    "postgraphile": {
+      "optional": true
+    }
+  },
+  "scripts": {
+    "_phase:build": "heft build && vite build && rushx docs",
+    "prepublish": "heft build && vite build && rushx docs",
+    "build": "heft build && vite build && rushx docs",
+    "dev": "vite",
+    "docs": "bash ../common/scripts/run-docs.sh aform",
+    "lint": "eslint .",
+    "preview": "vite preview",
+    "test": "vitest run --coverage.enabled false",
+    "test:watch": "vitest watch",
+    "test:coverage": "vitest run --coverage",
+    "test:ui": "vitest --ui"
+  }
+}

package/src/index.ts

@@ -0,0 +1,15 @@
+export { createAbility, detectSubjectType } from './middleware/ability'
+export type { AppAbility } from './middleware/ability'
+export { createCaslMiddleware } from './middleware/graphql'
+export { pglCaslPlugin } from './middleware/postgraphile'
+export type {
+	User,
+	Context,
+	MiddlewareOptions,
+	FieldPermission,
+	ResolverFn,
+	MiddlewareFn,
+	PluginOptions,
+	AbilityResponse,
+	CreateAbilityInput,
+} from './types'

package/src/middleware/ability.ts

@@ -0,0 +1,191 @@
+import { AbilityBuilder, PureAbility, type AbilityClass, type FieldMatcher, type ConditionsMatcher } from '@casl/ability'
+
+import type { Context } from '../types'
+
+/**
+ * Detects the subject type from an object for CASL authorization
+ * @param object - The object to detect the subject type from
+ * @returns The subject type string
+ * @public
+ */
+export const detectSubjectType = (object: any): string => {
+	// Handle CASL's subject() helper objects
+	if (object && typeof object === 'object') {
+		// CASL uses __caslSubjectType__ property
+		if ('__caslSubjectType__' in object) {
+			return object.__caslSubjectType__
+		}
+		// Fallback to other type indicators
+		if (object.type) return object.type
+		if (object.constructor?.name && object.constructor.name !== 'Object') {
+			return object.constructor.name
+		}
+	}
+	return 'Unknown'
+}
+
+// Simple field matcher - checks if a field is in the restricted list
+const fieldMatcher: FieldMatcher = fields => field => {
+	if (!fields || !field) return false
+	if (Array.isArray(fields)) {
+		return fields.includes(field)
+	}
+	return fields === field
+}
+
+// Simple conditions matcher - basic equality check
+const conditionsMatcher: ConditionsMatcher<any> = conditions => object => {
+	if (!conditions || !object) return true
+
+	return Object.keys(conditions).every(key => {
+		const conditionValue = conditions[key]
+		const objectValue = object[key]
+
+		// Simple equality check
+		return objectValue === conditionValue
+	})
+}
+
+/**
+ * CASL ability type for authorization with flexible subject types
+ * @public
+ */
+export type AppAbility = PureAbility<[string, any], any>
+
+/**
+ * Function type for building user abilities
+ * @public
+ */
+export type AbilityBuilderFunction = (user?: Context['user']) => Promise<AppAbility> | AppAbility
+
+const Ability = PureAbility as AbilityClass<AppAbility>
+
+/**
+ * Default ability builder - only provides minimal public access
+ */
+export const defaultAbilityBuilder = (user?: Context['user']): AppAbility => {
+	const { can, build } = new AbilityBuilder<AppAbility>(Ability)
+
+	can('read', 'Query')
+
+	return build({
+		detectSubjectType,
+		fieldMatcher,
+		conditionsMatcher,
+	})
+}
+
+/**
+ * Create ability using a provided builder function
+ * @param user - User information for building the ability
+ * @param builderFn - Function to build the ability
+ * @returns Promise resolving to the created ability
+ * @public
+ */
+export const createAbility = async (
+	user?: Context['user'],
+	builderFn: AbilityBuilderFunction = defaultAbilityBuilder
+): Promise<AppAbility> => {
+	return await builderFn(user)
+}
+
+/**
+ * Factory function for creating custom ability builders
+ */
+export const createDatabaseAbilityBuilder = (
+	fetchRules: (userId?: string) => Promise<any[]>
+): AbilityBuilderFunction => {
+	return async (user?: Context['user']) => {
+		const { can, cannot, build } = new AbilityBuilder<AppAbility>(Ability)
+
+		if (user?.id) {
+			const rules = await fetchRules(user.id)
+
+			rules.forEach(rule => {
+				if (rule.inverted) {
+					cannot(rule.action, rule.subject, rule.fields, rule.conditions)
+				} else {
+					can(rule.action, rule.subject, rule.fields, rule.conditions)
+				}
+			})
+		} else {
+			can('read', 'Query')
+		}
+
+		return build({
+			detectSubjectType,
+			fieldMatcher,
+			conditionsMatcher,
+		})
+	}
+}
+
+/**
+ * Create an ability builder from static configuration
+ */
+export const createConfigBasedAbilityBuilder = (config: {
+	roles: Record<
+		string,
+		Array<{
+			action: string | string[]
+			subject: string
+			fields?: string | string[]
+			conditions?: any
+			inverted?: boolean
+		}>
+	>
+	defaultRules?: Array<{
+		action: string | string[]
+		subject: string
+		fields?: string | string[]
+		conditions?: any
+	}>
+}): AbilityBuilderFunction => {
+	return (user?: Context['user']) => {
+		const { can, cannot, build } = new AbilityBuilder<AppAbility>(Ability)
+
+		// Apply default rules
+		if (config.defaultRules) {
+			config.defaultRules.forEach(rule => {
+				can(rule.action, rule.subject, rule.fields, rule.conditions)
+			})
+		}
+
+		// Apply role-based rules
+		if (user?.roles) {
+			user.roles.forEach(role => {
+				const rules = config.roles[role]
+				if (rules) {
+					rules.forEach(rule => {
+						// Process template variables in conditions
+						let processedConditions = rule.conditions
+						if (processedConditions && user.id) {
+							const condStr = JSON.stringify(processedConditions)
+							if (condStr.includes('{{userId}}')) {
+								processedConditions = JSON.parse(condStr.replace(/{{userId}}/g, user.id))
+							}
+						}
+
+						if (rule.inverted) {
+							cannot(rule.action, rule.subject, rule.fields, processedConditions)
+						} else {
+							can(rule.action, rule.subject, rule.fields, processedConditions)
+						}
+					})
+				}
+			})
+		}
+
+		return build({
+			detectSubjectType,
+			fieldMatcher,
+			conditionsMatcher,
+		})
+	}
+}
+
+export const createAbilityFactory = <T extends PureAbility>(
+	builderFn: (user?: Context['user']) => T
+): ((user?: Context['user']) => T) => {
+	return (user?: Context['user']) => builderFn(user)
+}

package/src/middleware/graphql.ts

@@ -0,0 +1,157 @@
+import { subject } from '@casl/ability'
+import { GraphQLError, GraphQLResolveInfo } from 'graphql'
+import { parse, visit, FieldNode, DocumentNode } from 'graphql/language'
+import { Context, MiddlewareOptions, ResolverFn } from '../types'
+import { createAbility, defaultAbilityBuilder } from './ability'
+
+// Helper to extract operation name from GraphQL info
+const getOperationName = (info: GraphQLResolveInfo): string => {
+	return info.operation.operation.toLowerCase()
+}
+
+// Helper to get full field path
+const getFieldPath = (info: GraphQLResolveInfo): string => {
+	return info.path.typename ? `${info.path.typename}.${info.path.key}` : String(info.path.key)
+}
+
+// Parse GraphQL query to extract accessed fields
+const extractAccessedFields = (query: string): string[] => {
+	const fields: string[] = []
+
+	try {
+		const ast: DocumentNode = parse(query)
+
+		visit(ast, {
+			Field: {
+				enter(node: FieldNode) {
+					if (node.name.value !== '__typename') {
+						fields.push(node.name.value)
+					}
+				},
+			},
+		})
+	} catch (error) {
+		console.error('Failed to parse GraphQL query:', error)
+	}
+
+	return fields
+}
+
+// Check if ability allows the operation
+const checkPermission = (context: Context, action: string, subjectName: string, conditions?: any): boolean => {
+	if (!context.ability) {
+		return false
+	}
+
+	try {
+		// Only use subject helper if we have specific conditions to check
+		// (not just resolver args, but actual CASL conditions)
+		if (conditions && typeof conditions === 'object') {
+			return context.ability.can(action, subject(subjectName, conditions))
+		} else {
+			// Simple check without conditions - just action and subject type
+			return context.ability.can(action, subjectName)
+		}
+	} catch (error) {
+		console.error('Permission check failed:', error)
+		return false
+	}
+}
+
+/**
+ * Creates CASL authorization middleware for GraphQL resolvers
+ * @param options - Configuration options for the middleware
+ * @returns Middleware function that wraps resolvers with authorization checks
+ * @public
+ */
+export const createCaslMiddleware = (options: MiddlewareOptions = {}) => {
+	const {
+		subjectMap = {},
+		actionMap = {
+			query: 'read',
+			mutation: 'update',
+			subscription: 'read',
+		},
+		fieldPermissions = {},
+		abilityBuilder = defaultAbilityBuilder,
+		debug = false,
+	} = options
+
+	return async (
+		resolve: ResolverFn,
+		root: any,
+		args: any,
+		context: Context,
+		info: GraphQLResolveInfo
+	): Promise<any> => {
+		// Create ability if not already in context
+		if (!context.ability) {
+			context.ability = await createAbility(context.user, abilityBuilder)
+		}
+
+		const operation = getOperationName(info)
+		const fieldPath = getFieldPath(info)
+		const action = actionMap[operation] || operation
+
+		// Get subject from map or default to type name
+		const subjectType = info.parentType.name
+		const subjectName = subjectMap[subjectType] || subjectType
+
+		if (debug) {
+			console.log(`Checking permission: ${action} on ${subjectName} at ${fieldPath}`)
+		}
+
+		// Check field-level permissions if defined
+		if (fieldPermissions[fieldPath]) {
+			const permissions = fieldPermissions[fieldPath]
+			const allowed = permissions.some(permission =>
+				// Don't pass resolver args here - only use them if the permission defines conditions
+				checkPermission(context, permission.action, permission.subject, permission.conditions)
+			)
+
+			if (!allowed) {
+				throw new GraphQLError(`Access denied for field ${fieldPath}`)
+			}
+		}
+
+		// Check operation-level permission
+		// Don't pass resolver args as conditions - they're not CASL conditions
+		const allowed = checkPermission(context, action, subjectName)
+
+		if (!allowed) {
+			throw new GraphQLError(`Access denied for ${action} on ${subjectName}`)
+		}
+
+		// Additional checks for mutations with input fields
+		if (operation === 'mutation' && args.input) {
+			const querySource = info.operation.loc?.source.body
+
+			if (querySource) {
+				const accessedFields = extractAccessedFields(querySource)
+
+				for (const field of accessedFields) {
+					// Check field-level update permissions if needed
+					const fieldAllowed = checkPermission(context, 'update', subjectName, { field })
+
+					if (!fieldAllowed && debug) {
+						console.warn(`Warning: Field ${field} update not explicitly allowed`)
+					}
+				}
+			}
+		}
+
+		// Call the resolver
+		return resolve(root, args, context, info)
+	}
+}
+
+// Utility function to combine multiple middlewares
+export const combineMiddlewares = (...middlewares: any[]) => {
+	return (resolve: ResolverFn, root: any, args: any, context: any, info: any) => {
+		const chain = middlewares.reduceRight(
+			(next, middleware) => () => middleware(next, root, args, context, info),
+			() => resolve(root, args, context, info)
+		)
+		return chain()
+	}
+}