@sunboyoo/supabase-rbac 1.0.2

package/dist/client.cjs

@@ -0,0 +1,307 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/client.tsx
+var client_exports = {};
+__export(client_exports, {
+  RBACProvider: () => RBACProvider,
+  useRBAC: () => useRBAC
+});
+module.exports = __toCommonJS(client_exports);
+var import_react = require("react");
+
+// src/shared.ts
+var import_jose = require("jose");
+var IS_UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+function isUuid(v) {
+  return typeof v === "string" && IS_UUID.test(v);
+}
+function uniqueStable(arr) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const x of arr) {
+    if (seen.has(x)) continue;
+    seen.add(x);
+    out.push(x);
+  }
+  return out;
+}
+function decodeClaims(token) {
+  if (!token) return null;
+  try {
+    return (0, import_jose.decodeJwt)(token);
+  } catch {
+    return null;
+  }
+}
+function getMergedRoleIds(params) {
+  const { token, appId, includeGlobal = true, globalAppId = "global" } = params;
+  const claims = decodeClaims(token);
+  const roleMap = claims?.app_metadata?.role_ids ?? {};
+  const appRoles = Array.isArray(roleMap[appId]) ? roleMap[appId] : [];
+  const gRoles = includeGlobal && Array.isArray(roleMap[globalAppId]) ? roleMap[globalAppId] : [];
+  const merged = uniqueStable([...appRoles, ...gRoles]).filter(isUuid);
+  const userId = isUuid(claims?.sub) ? claims.sub : null;
+  const exp = typeof claims?.exp === "number" ? claims.exp : null;
+  return { roleIds: merged, claims, userId, exp };
+}
+function hasRole(userRoleIds, required, mode = "any") {
+  if (!required || required.length === 0) return true;
+  if (!userRoleIds || userRoleIds.length === 0) return false;
+  const set = new Set(userRoleIds);
+  if (mode === "all") {
+    for (const r of required) if (!set.has(r)) return false;
+    return true;
+  }
+  for (const r of required) if (set.has(r)) return true;
+  return false;
+}
+
+// src/client.tsx
+var import_jsx_runtime = require("react/jsx-runtime");
+var permissionCache = /* @__PURE__ */ new Map();
+function cacheKey(appId, userId) {
+  return `${appId}|${userId ?? "anon"}`;
+}
+function log(logger, level, msg, meta) {
+  const fn = logger?.[level];
+  if (typeof fn === "function") fn(msg, meta);
+}
+var RBACContext = (0, import_react.createContext)(null);
+function RBACProvider(props) {
+  const {
+    client,
+    appId,
+    includeGlobal = true,
+    globalAppId = "global",
+    permissions: permOptsRaw,
+    logger,
+    children
+  } = props;
+  const permOpts = {
+    enabled: permOptsRaw?.enabled ?? false,
+    rpcName: permOptsRaw?.rpcName ?? "get_my_permissions",
+    ttlMs: permOptsRaw?.ttlMs ?? 6e4,
+    nonBlocking: permOptsRaw?.nonBlocking ?? true
+  };
+  const sb = client;
+  const [isAuthenticated, setIsAuthenticated] = (0, import_react.useState)(false);
+  const [userId, setUserId] = (0, import_react.useState)(null);
+  const [roleIds, setRoleIds] = (0, import_react.useState)([]);
+  const [permissionNames, setPermissionNames] = (0, import_react.useState)([]);
+  const [isRBACLoading, setIsRBACLoading] = (0, import_react.useState)(true);
+  const [isPermissionLoading, setIsPermissionLoading] = (0, import_react.useState)(false);
+  const isRBACReady = !isRBACLoading;
+  const isPermissionReady = permOpts.enabled ? !isPermissionLoading : true;
+  const syncLock = (0, import_react.useRef)(null);
+  const permissionRequestId = (0, import_react.useRef)(0);
+  const sessionEpoch = (0, import_react.useRef)(0);
+  const pendingSync = (0, import_react.useRef)(null);
+  const fetchPermissionNames = (0, import_react.useCallback)(async (params) => {
+    if (!permOpts.enabled) return [];
+    if (!params.userId) return [];
+    const key = cacheKey(params.appId, params.userId);
+    const now = Date.now();
+    const existing = permissionCache.get(key);
+    const fresh = existing && existing.inflight == null && now - existing.fetchedAt < permOpts.ttlMs && // EN: If token exp changed, treat cache as stale to avoid wrong UI
+    // 中文：token exp 变化则视为过期，避免 UI 错判
+    existing.tokenExp === params.tokenExp;
+    if (fresh) return existing.names;
+    if (existing?.inflight) return existing.inflight;
+    const inflight = (async () => {
+      setIsPermissionLoading(true);
+      try {
+        const { data, error } = await sb.rpc(permOpts.rpcName, { target_app_id: params.appId });
+        if (error) throw error;
+        const names = Array.isArray(data) ? data.map((x) => String(x?.permission_name ?? "")).filter((s) => s.length > 0) : [];
+        permissionCache.set(key, { fetchedAt: Date.now(), names, inflight: null, tokenExp: params.tokenExp });
+        return names;
+      } catch (e) {
+        permissionCache.set(key, {
+          fetchedAt: existing?.fetchedAt ?? 0,
+          names: existing?.names ?? [],
+          inflight: null,
+          tokenExp: params.tokenExp
+        });
+        throw e;
+      } finally {
+        setIsPermissionLoading(false);
+      }
+    })();
+    permissionCache.set(key, { fetchedAt: existing?.fetchedAt ?? 0, names: existing?.names ?? [], inflight, tokenExp: params.tokenExp });
+    return inflight;
+  }, [permOpts.enabled, permOpts.rpcName, permOpts.ttlMs, sb]);
+  const applySession = (0, import_react.useCallback)(async (session, epoch) => {
+    const accessToken = session?.access_token;
+    const authed = Boolean(session?.user?.id);
+    const { roleIds: merged, userId: parsedUid, exp } = getMergedRoleIds({
+      token: accessToken,
+      appId,
+      includeGlobal,
+      globalAppId
+    });
+    const uid = session?.user?.id && typeof session.user.id === "string" ? session.user.id : parsedUid;
+    if (epoch !== sessionEpoch.current) return;
+    setIsAuthenticated(authed);
+    setUserId(uid ?? null);
+    setRoleIds(merged);
+    const requestId = ++permissionRequestId.current;
+    if (!permOpts.enabled) {
+      setPermissionNames([]);
+      return;
+    }
+    const load = async () => {
+      try {
+        if (epoch !== sessionEpoch.current) return;
+        const names = await fetchPermissionNames({ appId, userId: uid ?? null, tokenExp: exp });
+        if (epoch !== sessionEpoch.current || requestId !== permissionRequestId.current) return;
+        setPermissionNames(names);
+      } catch (e) {
+        if (epoch !== sessionEpoch.current || requestId !== permissionRequestId.current) return;
+        setPermissionNames([]);
+        log(logger, "warn", "[RBAC] permissions RPC failed; degraded to role-only gating.", e);
+      }
+    };
+    if (permOpts.nonBlocking) void load();
+    else await load();
+  }, [appId, includeGlobal, globalAppId, permOpts.enabled, permOpts.nonBlocking, fetchPermissionNames, logger]);
+  const runSync = (0, import_react.useCallback)((forceSessionUpdate = false, sessionHint) => {
+    const promise = (async () => {
+      setIsRBACLoading(true);
+      try {
+        if (forceSessionUpdate && sb.auth.refreshSession) {
+          await sb.auth.refreshSession();
+        }
+        const session = sessionHint ? sessionHint : (await sb.auth.getSession()).data.session;
+        const epoch = sessionEpoch.current;
+        await applySession(session, epoch);
+      } finally {
+        setIsRBACLoading(false);
+      }
+    })();
+    syncLock.current = promise;
+    promise.finally(() => {
+      const pending = pendingSync.current;
+      if (pending) {
+        pendingSync.current = null;
+        const next = runSync(pending.forceSessionUpdate, pending.sessionHint);
+        next.then(pending.resolve, pending.reject);
+        return;
+      }
+      if (syncLock.current === promise) {
+        syncLock.current = null;
+      }
+    });
+    return promise;
+  }, [applySession, sb]);
+  const sync = (0, import_react.useCallback)((forceSessionUpdate = false, sessionHint) => {
+    if (syncLock.current) {
+      if (!pendingSync.current) {
+        let resolve;
+        let reject;
+        const promise = new Promise((res, rej) => {
+          resolve = res;
+          reject = rej;
+        });
+        pendingSync.current = { forceSessionUpdate, sessionHint, promise, resolve, reject };
+      } else {
+        pendingSync.current.forceSessionUpdate = pendingSync.current.forceSessionUpdate || forceSessionUpdate;
+        if (sessionHint) {
+          pendingSync.current.sessionHint = sessionHint;
+        } else if (forceSessionUpdate) {
+          pendingSync.current.sessionHint = void 0;
+        }
+      }
+      return pendingSync.current.promise;
+    }
+    return runSync(forceSessionUpdate, sessionHint);
+  }, [runSync]);
+  (0, import_react.useEffect)(() => {
+    void sync(false);
+    const { data: { subscription } } = sb.auth.onAuthStateChange((event, session) => {
+      if (event === "SIGNED_OUT") {
+        sessionEpoch.current++;
+        const pending = pendingSync.current;
+        pendingSync.current = null;
+        if (pending) pending.resolve();
+        permissionRequestId.current++;
+        setIsAuthenticated(false);
+        setUserId(null);
+        setRoleIds([]);
+        setPermissionNames([]);
+        setIsRBACLoading(false);
+        setIsPermissionLoading(false);
+        return;
+      }
+      if (event === "SIGNED_IN" || event === "TOKEN_REFRESHED" || event === "USER_UPDATED") {
+        void sync(false, session);
+      }
+    });
+    return () => subscription.unsubscribe();
+  }, [sb, sync]);
+  const refresh = (0, import_react.useCallback)(async (forceSessionUpdate = true) => {
+    await sync(forceSessionUpdate);
+  }, [sync]);
+  const hasRole2 = (0, import_react.useCallback)((required, mode = "any") => {
+    return hasRole(roleIds, required, mode);
+  }, [roleIds]);
+  const hasPermission = (0, import_react.useCallback)((permissionName) => {
+    if (!permOpts.enabled) return false;
+    if (!permissionName) return false;
+    return permissionNames.includes(permissionName);
+  }, [permOpts.enabled, permissionNames]);
+  const value = (0, import_react.useMemo)(() => ({
+    appId,
+    isAuthenticated,
+    userId,
+    roleIds,
+    permissionNames,
+    isRBACLoading,
+    isPermissionLoading,
+    isRBACReady,
+    isPermissionReady,
+    refresh,
+    hasRole: hasRole2,
+    hasPermission
+  }), [
+    appId,
+    isAuthenticated,
+    userId,
+    roleIds,
+    permissionNames,
+    isRBACLoading,
+    isPermissionLoading,
+    isRBACReady,
+    isPermissionReady,
+    refresh,
+    hasRole2,
+    hasPermission
+  ]);
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(RBACContext.Provider, { value, children });
+}
+function useRBAC() {
+  const ctx = (0, import_react.useContext)(RBACContext);
+  if (!ctx) throw new Error("useRBAC must be used within <RBACProvider>.");
+  return ctx;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  RBACProvider,
+  useRBAC
+});

package/dist/client.d.cts

@@ -0,0 +1,7 @@
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { c as RBACProviderProps, d as RBACState } from './types-BayIl-Ha.cjs';
+
+declare function RBACProvider(props: RBACProviderProps): react_jsx_runtime.JSX.Element;
+declare function useRBAC(): RBACState;
+
+export { RBACProvider, useRBAC };

package/dist/client.d.ts

@@ -0,0 +1,7 @@
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { c as RBACProviderProps, d as RBACState } from './types-BayIl-Ha.js';
+
+declare function RBACProvider(props: RBACProviderProps): react_jsx_runtime.JSX.Element;
+declare function useRBAC(): RBACState;
+
+export { RBACProvider, useRBAC };

package/dist/client.js

@@ -0,0 +1,237 @@
+import {
+  getMergedRoleIds,
+  hasRole
+} from "./chunk-ZFY3OHWO.js";
+
+// src/client.tsx
+import { createContext, useCallback, useContext, useEffect, useMemo, useRef, useState } from "react";
+import { jsx } from "react/jsx-runtime";
+var permissionCache = /* @__PURE__ */ new Map();
+function cacheKey(appId, userId) {
+  return `${appId}|${userId ?? "anon"}`;
+}
+function log(logger, level, msg, meta) {
+  const fn = logger?.[level];
+  if (typeof fn === "function") fn(msg, meta);
+}
+var RBACContext = createContext(null);
+function RBACProvider(props) {
+  const {
+    client,
+    appId,
+    includeGlobal = true,
+    globalAppId = "global",
+    permissions: permOptsRaw,
+    logger,
+    children
+  } = props;
+  const permOpts = {
+    enabled: permOptsRaw?.enabled ?? false,
+    rpcName: permOptsRaw?.rpcName ?? "get_my_permissions",
+    ttlMs: permOptsRaw?.ttlMs ?? 6e4,
+    nonBlocking: permOptsRaw?.nonBlocking ?? true
+  };
+  const sb = client;
+  const [isAuthenticated, setIsAuthenticated] = useState(false);
+  const [userId, setUserId] = useState(null);
+  const [roleIds, setRoleIds] = useState([]);
+  const [permissionNames, setPermissionNames] = useState([]);
+  const [isRBACLoading, setIsRBACLoading] = useState(true);
+  const [isPermissionLoading, setIsPermissionLoading] = useState(false);
+  const isRBACReady = !isRBACLoading;
+  const isPermissionReady = permOpts.enabled ? !isPermissionLoading : true;
+  const syncLock = useRef(null);
+  const permissionRequestId = useRef(0);
+  const sessionEpoch = useRef(0);
+  const pendingSync = useRef(null);
+  const fetchPermissionNames = useCallback(async (params) => {
+    if (!permOpts.enabled) return [];
+    if (!params.userId) return [];
+    const key = cacheKey(params.appId, params.userId);
+    const now = Date.now();
+    const existing = permissionCache.get(key);
+    const fresh = existing && existing.inflight == null && now - existing.fetchedAt < permOpts.ttlMs && // EN: If token exp changed, treat cache as stale to avoid wrong UI
+    // 中文：token exp 变化则视为过期，避免 UI 错判
+    existing.tokenExp === params.tokenExp;
+    if (fresh) return existing.names;
+    if (existing?.inflight) return existing.inflight;
+    const inflight = (async () => {
+      setIsPermissionLoading(true);
+      try {
+        const { data, error } = await sb.rpc(permOpts.rpcName, { target_app_id: params.appId });
+        if (error) throw error;
+        const names = Array.isArray(data) ? data.map((x) => String(x?.permission_name ?? "")).filter((s) => s.length > 0) : [];
+        permissionCache.set(key, { fetchedAt: Date.now(), names, inflight: null, tokenExp: params.tokenExp });
+        return names;
+      } catch (e) {
+        permissionCache.set(key, {
+          fetchedAt: existing?.fetchedAt ?? 0,
+          names: existing?.names ?? [],
+          inflight: null,
+          tokenExp: params.tokenExp
+        });
+        throw e;
+      } finally {
+        setIsPermissionLoading(false);
+      }
+    })();
+    permissionCache.set(key, { fetchedAt: existing?.fetchedAt ?? 0, names: existing?.names ?? [], inflight, tokenExp: params.tokenExp });
+    return inflight;
+  }, [permOpts.enabled, permOpts.rpcName, permOpts.ttlMs, sb]);
+  const applySession = useCallback(async (session, epoch) => {
+    const accessToken = session?.access_token;
+    const authed = Boolean(session?.user?.id);
+    const { roleIds: merged, userId: parsedUid, exp } = getMergedRoleIds({
+      token: accessToken,
+      appId,
+      includeGlobal,
+      globalAppId
+    });
+    const uid = session?.user?.id && typeof session.user.id === "string" ? session.user.id : parsedUid;
+    if (epoch !== sessionEpoch.current) return;
+    setIsAuthenticated(authed);
+    setUserId(uid ?? null);
+    setRoleIds(merged);
+    const requestId = ++permissionRequestId.current;
+    if (!permOpts.enabled) {
+      setPermissionNames([]);
+      return;
+    }
+    const load = async () => {
+      try {
+        if (epoch !== sessionEpoch.current) return;
+        const names = await fetchPermissionNames({ appId, userId: uid ?? null, tokenExp: exp });
+        if (epoch !== sessionEpoch.current || requestId !== permissionRequestId.current) return;
+        setPermissionNames(names);
+      } catch (e) {
+        if (epoch !== sessionEpoch.current || requestId !== permissionRequestId.current) return;
+        setPermissionNames([]);
+        log(logger, "warn", "[RBAC] permissions RPC failed; degraded to role-only gating.", e);
+      }
+    };
+    if (permOpts.nonBlocking) void load();
+    else await load();
+  }, [appId, includeGlobal, globalAppId, permOpts.enabled, permOpts.nonBlocking, fetchPermissionNames, logger]);
+  const runSync = useCallback((forceSessionUpdate = false, sessionHint) => {
+    const promise = (async () => {
+      setIsRBACLoading(true);
+      try {
+        if (forceSessionUpdate && sb.auth.refreshSession) {
+          await sb.auth.refreshSession();
+        }
+        const session = sessionHint ? sessionHint : (await sb.auth.getSession()).data.session;
+        const epoch = sessionEpoch.current;
+        await applySession(session, epoch);
+      } finally {
+        setIsRBACLoading(false);
+      }
+    })();
+    syncLock.current = promise;
+    promise.finally(() => {
+      const pending = pendingSync.current;
+      if (pending) {
+        pendingSync.current = null;
+        const next = runSync(pending.forceSessionUpdate, pending.sessionHint);
+        next.then(pending.resolve, pending.reject);
+        return;
+      }
+      if (syncLock.current === promise) {
+        syncLock.current = null;
+      }
+    });
+    return promise;
+  }, [applySession, sb]);
+  const sync = useCallback((forceSessionUpdate = false, sessionHint) => {
+    if (syncLock.current) {
+      if (!pendingSync.current) {
+        let resolve;
+        let reject;
+        const promise = new Promise((res, rej) => {
+          resolve = res;
+          reject = rej;
+        });
+        pendingSync.current = { forceSessionUpdate, sessionHint, promise, resolve, reject };
+      } else {
+        pendingSync.current.forceSessionUpdate = pendingSync.current.forceSessionUpdate || forceSessionUpdate;
+        if (sessionHint) {
+          pendingSync.current.sessionHint = sessionHint;
+        } else if (forceSessionUpdate) {
+          pendingSync.current.sessionHint = void 0;
+        }
+      }
+      return pendingSync.current.promise;
+    }
+    return runSync(forceSessionUpdate, sessionHint);
+  }, [runSync]);
+  useEffect(() => {
+    void sync(false);
+    const { data: { subscription } } = sb.auth.onAuthStateChange((event, session) => {
+      if (event === "SIGNED_OUT") {
+        sessionEpoch.current++;
+        const pending = pendingSync.current;
+        pendingSync.current = null;
+        if (pending) pending.resolve();
+        permissionRequestId.current++;
+        setIsAuthenticated(false);
+        setUserId(null);
+        setRoleIds([]);
+        setPermissionNames([]);
+        setIsRBACLoading(false);
+        setIsPermissionLoading(false);
+        return;
+      }
+      if (event === "SIGNED_IN" || event === "TOKEN_REFRESHED" || event === "USER_UPDATED") {
+        void sync(false, session);
+      }
+    });
+    return () => subscription.unsubscribe();
+  }, [sb, sync]);
+  const refresh = useCallback(async (forceSessionUpdate = true) => {
+    await sync(forceSessionUpdate);
+  }, [sync]);
+  const hasRole2 = useCallback((required, mode = "any") => {
+    return hasRole(roleIds, required, mode);
+  }, [roleIds]);
+  const hasPermission = useCallback((permissionName) => {
+    if (!permOpts.enabled) return false;
+    if (!permissionName) return false;
+    return permissionNames.includes(permissionName);
+  }, [permOpts.enabled, permissionNames]);
+  const value = useMemo(() => ({
+    appId,
+    isAuthenticated,
+    userId,
+    roleIds,
+    permissionNames,
+    isRBACLoading,
+    isPermissionLoading,
+    isRBACReady,
+    isPermissionReady,
+    refresh,
+    hasRole: hasRole2,
+    hasPermission
+  }), [
+    appId,
+    isAuthenticated,
+    userId,
+    roleIds,
+    permissionNames,
+    isRBACLoading,
+    isPermissionLoading,
+    isRBACReady,
+    isPermissionReady,
+    refresh,
+    hasRole2,
+    hasPermission
+  ]);
+  return /* @__PURE__ */ jsx(RBACContext.Provider, { value, children });
+}
+function useRBAC() {
+  const ctx = useContext(RBACContext);
+  if (!ctx) throw new Error("useRBAC must be used within <RBACProvider>.");
+  return ctx;
+}
+export {
+  RBACProvider,
+  useRBAC
+};