@sunboyoo/supabase-rbac 1.0.2

package/dist/index.cjs

@@ -0,0 +1,209 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  RBACManager: () => RBACManager,
+  decodeClaims: () => decodeClaims,
+  getMergedRoleIds: () => getMergedRoleIds,
+  hasRole: () => hasRole,
+  isUuid: () => isUuid,
+  uniqueStable: () => uniqueStable
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/shared.ts
+var import_jose = require("jose");
+var IS_UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+function isUuid(v) {
+  return typeof v === "string" && IS_UUID.test(v);
+}
+function uniqueStable(arr) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const x of arr) {
+    if (seen.has(x)) continue;
+    seen.add(x);
+    out.push(x);
+  }
+  return out;
+}
+function decodeClaims(token) {
+  if (!token) return null;
+  try {
+    return (0, import_jose.decodeJwt)(token);
+  } catch {
+    return null;
+  }
+}
+function getMergedRoleIds(params) {
+  const { token, appId, includeGlobal = true, globalAppId = "global" } = params;
+  const claims = decodeClaims(token);
+  const roleMap = claims?.app_metadata?.role_ids ?? {};
+  const appRoles = Array.isArray(roleMap[appId]) ? roleMap[appId] : [];
+  const gRoles = includeGlobal && Array.isArray(roleMap[globalAppId]) ? roleMap[globalAppId] : [];
+  const merged = uniqueStable([...appRoles, ...gRoles]).filter(isUuid);
+  const userId = isUuid(claims?.sub) ? claims.sub : null;
+  const exp = typeof claims?.exp === "number" ? claims.exp : null;
+  return { roleIds: merged, claims, userId, exp };
+}
+function hasRole(userRoleIds, required, mode = "any") {
+  if (!required || required.length === 0) return true;
+  if (!userRoleIds || userRoleIds.length === 0) return false;
+  const set = new Set(userRoleIds);
+  if (mode === "all") {
+    for (const r of required) if (!set.has(r)) return false;
+    return true;
+  }
+  for (const r of required) if (set.has(r)) return true;
+  return false;
+}
+
+// src/server.ts
+var import_pg = __toESM(require("pg"), 1);
+var { Pool } = import_pg.default;
+function qIdent(ident) {
+  return `"${String(ident).replace(/"/g, '""')}"`;
+}
+var RBACManager = class {
+  pool;
+  schema;
+  constructor(opts) {
+    this.pool = new Pool({ connectionString: opts.connectionString });
+    this.schema = opts.rbacSchema ?? "rbac";
+  }
+  async close() {
+    await this.pool.end();
+  }
+  /** EN: Run a transaction.
+   *  中文：事务封装
+   */
+  async tx(fn) {
+    const client = await this.pool.connect();
+    try {
+      await client.query("begin");
+      const res = await fn(client);
+      await client.query("commit");
+      return res;
+    } catch (e) {
+      await client.query("rollback");
+      throw e;
+    } finally {
+      client.release();
+    }
+  }
+  async createApp(params) {
+    const s = qIdent(this.schema);
+    await this.pool.query(
+      `insert into ${s}.apps (id, name) values ($1, $2)
+       on conflict (id) do update set name = excluded.name`,
+      [params.id, params.name]
+    );
+  }
+  async createPermission(params) {
+    const s = qIdent(this.schema);
+    const res = await this.pool.query(
+      `insert into ${s}.permissions (app_id, name, description)
+       values ($1, $2, $3)
+       on conflict (app_id, name) do update set description = excluded.description
+       returning id`,
+      [params.appId, params.name, params.description ?? null]
+    );
+    return res.rows[0].id;
+  }
+  async createRole(params) {
+    const s = qIdent(this.schema);
+    const res = await this.pool.query(
+      `insert into ${s}.roles (app_id, name, description)
+       values ($1, $2, $3)
+       on conflict (app_id, name) do update set description = excluded.description
+       returning id`,
+      [params.appId, params.name, params.description ?? null]
+    );
+    return res.rows[0].id;
+  }
+  async grantPermissionToRole(params) {
+    const s = qIdent(this.schema);
+    await this.pool.query(
+      `insert into ${s}.role_permissions (app_id, role_id, permission_id)
+       values ($1, $2, $3)
+       on conflict do nothing`,
+      [params.appId, params.roleId, params.permissionId]
+    );
+  }
+  async revokePermissionFromRole(params) {
+    const s = qIdent(this.schema);
+    await this.pool.query(
+      `delete from ${s}.role_permissions
+       where app_id = $1 and role_id = $2 and permission_id = $3`,
+      [params.appId, params.roleId, params.permissionId]
+    );
+  }
+  async assignRole(params) {
+    const s = qIdent(this.schema);
+    await this.pool.query(
+      `insert into ${s}.user_roles (user_id, role_id)
+       values ($1, $2)
+       on conflict do nothing`,
+      [params.userId, params.roleId]
+    );
+  }
+  async removeRole(params) {
+    const s = qIdent(this.schema);
+    await this.pool.query(
+      `delete from ${s}.user_roles where user_id = $1 and role_id = $2`,
+      [params.userId, params.roleId]
+    );
+  }
+  async getUserRoleIds(params) {
+    const s = qIdent(this.schema);
+    const includeGlobal = params.includeGlobal ?? true;
+    const globalAppId = params.globalAppId ?? "global";
+    const appIds = includeGlobal ? [params.appId, globalAppId] : [params.appId];
+    const res = await this.pool.query(
+      `select r.id as role_id
+       from ${s}.user_roles ur
+       join ${s}.roles r on r.id = ur.role_id
+       where ur.user_id = $1 and r.app_id = any($2::text[])
+       order by r.app_id, r.id`,
+      [params.userId, appIds]
+    );
+    return res.rows.map((x) => x.role_id);
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  RBACManager,
+  decodeClaims,
+  getMergedRoleIds,
+  hasRole,
+  isUuid,
+  uniqueStable
+});

package/dist/index.d.cts

@@ -0,0 +1,4 @@
+export { L as Logger, P as PermissionNameOptions, b as RBACClaims, c as RBACProviderProps, d as RBACState, R as RoleCheckMode, a as RoleIdsByApp, U as UUID } from './types-BayIl-Ha.cjs';
+export { decodeClaims, getMergedRoleIds, hasRole, isUuid, uniqueStable } from './shared.cjs';
+export { RBACManager, RBACManagerOptions } from './server.cjs';
+import 'pg';

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+export { L as Logger, P as PermissionNameOptions, b as RBACClaims, c as RBACProviderProps, d as RBACState, R as RoleCheckMode, a as RoleIdsByApp, U as UUID } from './types-BayIl-Ha.js';
+export { decodeClaims, getMergedRoleIds, hasRole, isUuid, uniqueStable } from './shared.js';
+export { RBACManager, RBACManagerOptions } from './server.js';
+import 'pg';

package/dist/index.js

@@ -0,0 +1,18 @@
+import {
+  RBACManager
+} from "./chunk-23MRNBGM.js";
+import {
+  decodeClaims,
+  getMergedRoleIds,
+  hasRole,
+  isUuid,
+  uniqueStable
+} from "./chunk-ZFY3OHWO.js";
+export {
+  RBACManager,
+  decodeClaims,
+  getMergedRoleIds,
+  hasRole,
+  isUuid,
+  uniqueStable
+};

package/dist/server.cjs

@@ -0,0 +1,150 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/server.ts
+var server_exports = {};
+__export(server_exports, {
+  RBACManager: () => RBACManager
+});
+module.exports = __toCommonJS(server_exports);
+var import_pg = __toESM(require("pg"), 1);
+var { Pool } = import_pg.default;
+function qIdent(ident) {
+  return `"${String(ident).replace(/"/g, '""')}"`;
+}
+var RBACManager = class {
+  pool;
+  schema;
+  constructor(opts) {
+    this.pool = new Pool({ connectionString: opts.connectionString });
+    this.schema = opts.rbacSchema ?? "rbac";
+  }
+  async close() {
+    await this.pool.end();
+  }
+  /** EN: Run a transaction.
+   *  中文：事务封装
+   */
+  async tx(fn) {
+    const client = await this.pool.connect();
+    try {
+      await client.query("begin");
+      const res = await fn(client);
+      await client.query("commit");
+      return res;
+    } catch (e) {
+      await client.query("rollback");
+      throw e;
+    } finally {
+      client.release();
+    }
+  }
+  async createApp(params) {
+    const s = qIdent(this.schema);
+    await this.pool.query(
+      `insert into ${s}.apps (id, name) values ($1, $2)
+       on conflict (id) do update set name = excluded.name`,
+      [params.id, params.name]
+    );
+  }
+  async createPermission(params) {
+    const s = qIdent(this.schema);
+    const res = await this.pool.query(
+      `insert into ${s}.permissions (app_id, name, description)
+       values ($1, $2, $3)
+       on conflict (app_id, name) do update set description = excluded.description
+       returning id`,
+      [params.appId, params.name, params.description ?? null]
+    );
+    return res.rows[0].id;
+  }
+  async createRole(params) {
+    const s = qIdent(this.schema);
+    const res = await this.pool.query(
+      `insert into ${s}.roles (app_id, name, description)
+       values ($1, $2, $3)
+       on conflict (app_id, name) do update set description = excluded.description
+       returning id`,
+      [params.appId, params.name, params.description ?? null]
+    );
+    return res.rows[0].id;
+  }
+  async grantPermissionToRole(params) {
+    const s = qIdent(this.schema);
+    await this.pool.query(
+      `insert into ${s}.role_permissions (app_id, role_id, permission_id)
+       values ($1, $2, $3)
+       on conflict do nothing`,
+      [params.appId, params.roleId, params.permissionId]
+    );
+  }
+  async revokePermissionFromRole(params) {
+    const s = qIdent(this.schema);
+    await this.pool.query(
+      `delete from ${s}.role_permissions
+       where app_id = $1 and role_id = $2 and permission_id = $3`,
+      [params.appId, params.roleId, params.permissionId]
+    );
+  }
+  async assignRole(params) {
+    const s = qIdent(this.schema);
+    await this.pool.query(
+      `insert into ${s}.user_roles (user_id, role_id)
+       values ($1, $2)
+       on conflict do nothing`,
+      [params.userId, params.roleId]
+    );
+  }
+  async removeRole(params) {
+    const s = qIdent(this.schema);
+    await this.pool.query(
+      `delete from ${s}.user_roles where user_id = $1 and role_id = $2`,
+      [params.userId, params.roleId]
+    );
+  }
+  async getUserRoleIds(params) {
+    const s = qIdent(this.schema);
+    const includeGlobal = params.includeGlobal ?? true;
+    const globalAppId = params.globalAppId ?? "global";
+    const appIds = includeGlobal ? [params.appId, globalAppId] : [params.appId];
+    const res = await this.pool.query(
+      `select r.id as role_id
+       from ${s}.user_roles ur
+       join ${s}.roles r on r.id = ur.role_id
+       where ur.user_id = $1 and r.app_id = any($2::text[])
+       order by r.app_id, r.id`,
+      [params.userId, appIds]
+    );
+    return res.rows.map((x) => x.role_id);
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  RBACManager
+});

package/dist/server.d.cts

@@ -0,0 +1,57 @@
+import pg from 'pg';
+import { U as UUID } from './types-BayIl-Ha.cjs';
+
+interface RBACManagerOptions {
+    connectionString: string;
+    rbacSchema?: string;
+}
+declare class RBACManager {
+    private pool;
+    private schema;
+    constructor(opts: RBACManagerOptions);
+    close(): Promise<void>;
+    /** EN: Run a transaction.
+     *  中文：事务封装
+     */
+    tx<T>(fn: (client: pg.PoolClient) => Promise<T>): Promise<T>;
+    createApp(params: {
+        id: string;
+        name: string;
+    }): Promise<void>;
+    createPermission(params: {
+        appId: string;
+        name: string;
+        description?: string | null;
+    }): Promise<UUID>;
+    createRole(params: {
+        appId: string;
+        name: string;
+        description?: string | null;
+    }): Promise<UUID>;
+    grantPermissionToRole(params: {
+        appId: string;
+        roleId: UUID;
+        permissionId: UUID;
+    }): Promise<void>;
+    revokePermissionFromRole(params: {
+        appId: string;
+        roleId: UUID;
+        permissionId: UUID;
+    }): Promise<void>;
+    assignRole(params: {
+        userId: UUID;
+        roleId: UUID;
+    }): Promise<void>;
+    removeRole(params: {
+        userId: UUID;
+        roleId: UUID;
+    }): Promise<void>;
+    getUserRoleIds(params: {
+        userId: UUID;
+        appId: string;
+        includeGlobal?: boolean;
+        globalAppId?: string;
+    }): Promise<UUID[]>;
+}
+
+export { RBACManager, type RBACManagerOptions };

package/dist/server.d.ts

@@ -0,0 +1,57 @@
+import pg from 'pg';
+import { U as UUID } from './types-BayIl-Ha.js';
+
+interface RBACManagerOptions {
+    connectionString: string;
+    rbacSchema?: string;
+}
+declare class RBACManager {
+    private pool;
+    private schema;
+    constructor(opts: RBACManagerOptions);
+    close(): Promise<void>;
+    /** EN: Run a transaction.
+     *  中文：事务封装
+     */
+    tx<T>(fn: (client: pg.PoolClient) => Promise<T>): Promise<T>;
+    createApp(params: {
+        id: string;
+        name: string;
+    }): Promise<void>;
+    createPermission(params: {
+        appId: string;
+        name: string;
+        description?: string | null;
+    }): Promise<UUID>;
+    createRole(params: {
+        appId: string;
+        name: string;
+        description?: string | null;
+    }): Promise<UUID>;
+    grantPermissionToRole(params: {
+        appId: string;
+        roleId: UUID;
+        permissionId: UUID;
+    }): Promise<void>;
+    revokePermissionFromRole(params: {
+        appId: string;
+        roleId: UUID;
+        permissionId: UUID;
+    }): Promise<void>;
+    assignRole(params: {
+        userId: UUID;
+        roleId: UUID;
+    }): Promise<void>;
+    removeRole(params: {
+        userId: UUID;
+        roleId: UUID;
+    }): Promise<void>;
+    getUserRoleIds(params: {
+        userId: UUID;
+        appId: string;
+        includeGlobal?: boolean;
+        globalAppId?: string;
+    }): Promise<UUID[]>;
+}
+
+export { RBACManager, type RBACManagerOptions };

package/dist/server.js

@@ -0,0 +1,6 @@
+import {
+  RBACManager
+} from "./chunk-23MRNBGM.js";
+export {
+  RBACManager
+};

package/dist/shared.cjs

@@ -0,0 +1,82 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/shared.ts
+var shared_exports = {};
+__export(shared_exports, {
+  decodeClaims: () => decodeClaims,
+  getMergedRoleIds: () => getMergedRoleIds,
+  hasRole: () => hasRole,
+  isUuid: () => isUuid,
+  uniqueStable: () => uniqueStable
+});
+module.exports = __toCommonJS(shared_exports);
+var import_jose = require("jose");
+var IS_UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+function isUuid(v) {
+  return typeof v === "string" && IS_UUID.test(v);
+}
+function uniqueStable(arr) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const x of arr) {
+    if (seen.has(x)) continue;
+    seen.add(x);
+    out.push(x);
+  }
+  return out;
+}
+function decodeClaims(token) {
+  if (!token) return null;
+  try {
+    return (0, import_jose.decodeJwt)(token);
+  } catch {
+    return null;
+  }
+}
+function getMergedRoleIds(params) {
+  const { token, appId, includeGlobal = true, globalAppId = "global" } = params;
+  const claims = decodeClaims(token);
+  const roleMap = claims?.app_metadata?.role_ids ?? {};
+  const appRoles = Array.isArray(roleMap[appId]) ? roleMap[appId] : [];
+  const gRoles = includeGlobal && Array.isArray(roleMap[globalAppId]) ? roleMap[globalAppId] : [];
+  const merged = uniqueStable([...appRoles, ...gRoles]).filter(isUuid);
+  const userId = isUuid(claims?.sub) ? claims.sub : null;
+  const exp = typeof claims?.exp === "number" ? claims.exp : null;
+  return { roleIds: merged, claims, userId, exp };
+}
+function hasRole(userRoleIds, required, mode = "any") {
+  if (!required || required.length === 0) return true;
+  if (!userRoleIds || userRoleIds.length === 0) return false;
+  const set = new Set(userRoleIds);
+  if (mode === "all") {
+    for (const r of required) if (!set.has(r)) return false;
+    return true;
+  }
+  for (const r of required) if (set.has(r)) return true;
+  return false;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  decodeClaims,
+  getMergedRoleIds,
+  hasRole,
+  isUuid,
+  uniqueStable
+});

package/dist/shared.d.cts

@@ -0,0 +1,28 @@
+import { U as UUID, b as RBACClaims, R as RoleCheckMode } from './types-BayIl-Ha.cjs';
+
+declare function isUuid(v: unknown): v is UUID;
+declare function uniqueStable<T>(arr: T[]): T[];
+/** EN: Decode claims from JWT without verification (UI gating only). Fail-closed.
+ *  中文：不验签解码 JWT claims（仅用于 UI 显隐），失败则返回 null（默认拒绝）
+ */
+declare function decodeClaims(token: string | undefined): RBACClaims | null;
+/** EN: Extract merged role ids (target app + optional global), sanitize UUIDs.
+ *  中文：提取并合并 roleIds（目标 app + 可选 global），并清洗为合法 UUID
+ */
+declare function getMergedRoleIds(params: {
+    token: string | undefined;
+    appId: string;
+    includeGlobal?: boolean | undefined;
+    globalAppId?: string | undefined;
+}): {
+    roleIds: UUID[];
+    claims: RBACClaims | null;
+    userId: UUID | null;
+    exp: number | null;
+};
+/** EN: Role gating helper.
+ *  中文：role 判定辅助
+ */
+declare function hasRole(userRoleIds: UUID[], required: UUID[], mode?: RoleCheckMode): boolean;
+
+export { decodeClaims, getMergedRoleIds, hasRole, isUuid, uniqueStable };

package/dist/shared.d.ts

@@ -0,0 +1,28 @@
+import { U as UUID, b as RBACClaims, R as RoleCheckMode } from './types-BayIl-Ha.js';
+
+declare function isUuid(v: unknown): v is UUID;
+declare function uniqueStable<T>(arr: T[]): T[];
+/** EN: Decode claims from JWT without verification (UI gating only). Fail-closed.
+ *  中文：不验签解码 JWT claims（仅用于 UI 显隐），失败则返回 null（默认拒绝）
+ */
+declare function decodeClaims(token: string | undefined): RBACClaims | null;
+/** EN: Extract merged role ids (target app + optional global), sanitize UUIDs.
+ *  中文：提取并合并 roleIds（目标 app + 可选 global），并清洗为合法 UUID
+ */
+declare function getMergedRoleIds(params: {
+    token: string | undefined;
+    appId: string;
+    includeGlobal?: boolean | undefined;
+    globalAppId?: string | undefined;
+}): {
+    roleIds: UUID[];
+    claims: RBACClaims | null;
+    userId: UUID | null;
+    exp: number | null;
+};
+/** EN: Role gating helper.
+ *  中文：role 判定辅助
+ */
+declare function hasRole(userRoleIds: UUID[], required: UUID[], mode?: RoleCheckMode): boolean;
+
+export { decodeClaims, getMergedRoleIds, hasRole, isUuid, uniqueStable };

package/dist/shared.js

@@ -0,0 +1,14 @@
+import {
+  decodeClaims,
+  getMergedRoleIds,
+  hasRole,
+  isUuid,
+  uniqueStable
+} from "./chunk-ZFY3OHWO.js";
+export {
+  decodeClaims,
+  getMergedRoleIds,
+  hasRole,
+  isUuid,
+  uniqueStable
+};