@tinycloud/node-sdk 2.6.0-beta.0 → 2.6.0-beta.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{core-ojeY-wet.d.cts → core-Cr-zD1lk.d.cts} +42 -0
- package/dist/{core-ojeY-wet.d.ts → core-Cr-zD1lk.d.ts} +42 -0
- package/dist/core.cjs +125 -10
- package/dist/core.cjs.map +1 -1
- package/dist/core.d.cts +1 -1
- package/dist/core.d.ts +1 -1
- package/dist/core.js +125 -10
- package/dist/core.js.map +1 -1
- package/dist/index.cjs +125 -10
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.js +125 -10
- package/dist/index.js.map +1 -1
- package/package.json +2 -2
package/dist/core.d.cts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
1
|
export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexEnsureResult, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, OpenKeyCallbackStrategy, OpenKeySigningRequestBody, OpenKeySigningResponseBody, OpenKeySigningStrategyOptions, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudDebugEnableOptions, TinyCloudDebugEvent, TinyCloudDebugLevel, TinyCloudDebugLogger, TinyCloudDebugTimer, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, clearTinyCloudDebugLogs, composeManifestRequest, createCapabilityKeyRegistry, createOpenKeyCallbackSigningStrategy, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, disableTinyCloudDebug, enableTinyCloudDebug, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, getTinyCloudDebugLogs, installTinyCloudDebugGlobals, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, tinyCloudDebugLogger, validateManifest } from '@tinycloud/sdk-core';
|
|
2
|
-
export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-
|
|
2
|
+
export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-Cr-zD1lk.cjs';
|
|
3
3
|
import 'events';
|
|
4
4
|
import '@tinycloud/sdk-services';
|
package/dist/core.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
1
|
export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexEnsureResult, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, OpenKeyCallbackStrategy, OpenKeySigningRequestBody, OpenKeySigningResponseBody, OpenKeySigningStrategyOptions, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudDebugEnableOptions, TinyCloudDebugEvent, TinyCloudDebugLevel, TinyCloudDebugLogger, TinyCloudDebugTimer, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, clearTinyCloudDebugLogs, composeManifestRequest, createCapabilityKeyRegistry, createOpenKeyCallbackSigningStrategy, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, disableTinyCloudDebug, enableTinyCloudDebug, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, getTinyCloudDebugLogs, installTinyCloudDebugGlobals, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, tinyCloudDebugLogger, validateManifest } from '@tinycloud/sdk-core';
|
|
2
|
-
export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-
|
|
2
|
+
export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-Cr-zD1lk.js';
|
|
3
3
|
import 'events';
|
|
4
4
|
import '@tinycloud/sdk-services';
|
package/dist/core.js
CHANGED
|
@@ -2132,6 +2132,10 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
2132
2132
|
await this.tc.signIn(options);
|
|
2133
2133
|
this.syncResolvedHostFromAuth();
|
|
2134
2134
|
this.initializeServices();
|
|
2135
|
+
const primarySession = this.currentTinyCloudSession();
|
|
2136
|
+
if (primarySession) {
|
|
2137
|
+
this.registerPrimarySessionGrant(primarySession);
|
|
2138
|
+
}
|
|
2135
2139
|
const bootstrapped = await this.bootstrapAccountIfNeeded();
|
|
2136
2140
|
await this.ensureRequestedEncryptionNetworks();
|
|
2137
2141
|
if (!bootstrapped && this.config.manifest === void 0 && this.config.capabilityRequest === void 0) {
|
|
@@ -2375,7 +2379,107 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
2375
2379
|
host: this.config.host
|
|
2376
2380
|
},
|
|
2377
2381
|
operations,
|
|
2378
|
-
expiresAt
|
|
2382
|
+
expiresAt,
|
|
2383
|
+
provenance: "bootstrap"
|
|
2384
|
+
});
|
|
2385
|
+
}
|
|
2386
|
+
/**
|
|
2387
|
+
* Map the base session's OWN recap into runtime permission operations.
|
|
2388
|
+
*
|
|
2389
|
+
* Uses the RAW `parseRecapFromSiwe` binding — NOT `parseRecapCapabilities`,
|
|
2390
|
+
* whose `normalizeSpace` collapses `tinycloud:pkh:...:<owner>:<space>` to a
|
|
2391
|
+
* bare short name and would conflate two owners' identically-named spaces.
|
|
2392
|
+
* We must keep the full owner-scoped URI so a synthetic primary grant can
|
|
2393
|
+
* never cover an operation on a different owner's space.
|
|
2394
|
+
*
|
|
2395
|
+
* Mirrors {@link operationsFromDelegation}'s op shape: encryption network
|
|
2396
|
+
* entries (`urn:tinycloud:encryption:` paths) become `resource` ops; every
|
|
2397
|
+
* other entry becomes a `spaceId` op carrying the raw recap `space` URI.
|
|
2398
|
+
* One op per action.
|
|
2399
|
+
*
|
|
2400
|
+
* Returns `[]` for session-only / restored-without-siwe modes and for any
|
|
2401
|
+
* unparseable SIWE — the primary grant is simply not registered in that case.
|
|
2402
|
+
*/
|
|
2403
|
+
recapOperationsFromSession(session) {
|
|
2404
|
+
const siwe = session.siwe;
|
|
2405
|
+
if (!siwe) {
|
|
2406
|
+
return [];
|
|
2407
|
+
}
|
|
2408
|
+
if (this._recapOperationsCache?.siwe === siwe) {
|
|
2409
|
+
return this._recapOperationsCache.operations;
|
|
2410
|
+
}
|
|
2411
|
+
let operations = [];
|
|
2412
|
+
try {
|
|
2413
|
+
const entries = this.wasmBindings.parseRecapFromSiwe(siwe);
|
|
2414
|
+
if (Array.isArray(entries)) {
|
|
2415
|
+
operations = entries.flatMap((entry) => {
|
|
2416
|
+
const service = this.invocationServiceName(entry.service);
|
|
2417
|
+
return entry.actions.map((action) => ({
|
|
2418
|
+
...this.isEncryptionNetworkOperation(service, entry.path) ? { resource: entry.path } : { spaceId: entry.space },
|
|
2419
|
+
service,
|
|
2420
|
+
path: entry.path,
|
|
2421
|
+
action
|
|
2422
|
+
}));
|
|
2423
|
+
});
|
|
2424
|
+
}
|
|
2425
|
+
} catch {
|
|
2426
|
+
operations = [];
|
|
2427
|
+
}
|
|
2428
|
+
this._recapOperationsCache = { siwe, operations };
|
|
2429
|
+
return operations;
|
|
2430
|
+
}
|
|
2431
|
+
/**
|
|
2432
|
+
* Register the base (primary) session's own recap as a synthetic runtime
|
|
2433
|
+
* grant tagged `provenance: "primary"` so it always out-ranks other covering
|
|
2434
|
+
* grants in {@link findGrantForOperations}. This closes the selection-design
|
|
2435
|
+
* hazard where a broad — possibly broken — bootstrap/delegated grant could
|
|
2436
|
+
* hijack an operation the primary session itself already authorized (TC-111).
|
|
2437
|
+
*
|
|
2438
|
+
* Two safety exclusions:
|
|
2439
|
+
* - Ops whose space is in `lastActivationSkippedSpaceIds` are dropped: the
|
|
2440
|
+
* node refused to activate those spaces this sign-in even though the recap
|
|
2441
|
+
* claims them. Including them would let the synthetic primary out-rank a
|
|
2442
|
+
* working grant and 401 (the "skipped-activation inverted hijack").
|
|
2443
|
+
* - Encryption `resource` ops are kept as-is (space-independent).
|
|
2444
|
+
*
|
|
2445
|
+
* No-ops when nothing remains after exclusion. Callers (`signIn`,
|
|
2446
|
+
* `restoreSession`) clear `runtimePermissionGrants` first, so no dupes.
|
|
2447
|
+
*/
|
|
2448
|
+
registerPrimarySessionGrant(session) {
|
|
2449
|
+
const skipped = this.auth ? this.auth.lastActivationSkippedSpaceIds ?? [] : [];
|
|
2450
|
+
const operations = this.recapOperationsFromSession(session).filter(
|
|
2451
|
+
(operation) => operation.spaceId === void 0 || !skipped.some((spaceId) => this.spaceIdsEqual(spaceId, operation.spaceId))
|
|
2452
|
+
);
|
|
2453
|
+
if (operations.length === 0) {
|
|
2454
|
+
return;
|
|
2455
|
+
}
|
|
2456
|
+
const expiresAt = extractSiweExpiration(session.siwe) ?? this.getSessionExpiry();
|
|
2457
|
+
const actions = [...new Set(operations.map((operation) => operation.action))];
|
|
2458
|
+
this.runtimePermissionGrants.push({
|
|
2459
|
+
session: {
|
|
2460
|
+
delegationHeader: session.delegationHeader,
|
|
2461
|
+
delegationCid: session.delegationCid,
|
|
2462
|
+
spaceId: session.spaceId,
|
|
2463
|
+
verificationMethod: session.verificationMethod,
|
|
2464
|
+
jwk: session.jwk
|
|
2465
|
+
},
|
|
2466
|
+
delegation: {
|
|
2467
|
+
cid: session.delegationCid,
|
|
2468
|
+
delegationHeader: session.delegationHeader,
|
|
2469
|
+
delegateDID: session.verificationMethod,
|
|
2470
|
+
delegatorDID: this.did,
|
|
2471
|
+
spaceId: session.spaceId,
|
|
2472
|
+
path: "",
|
|
2473
|
+
actions,
|
|
2474
|
+
expiry: expiresAt,
|
|
2475
|
+
allowSubDelegation: true,
|
|
2476
|
+
ownerAddress: session.address,
|
|
2477
|
+
chainId: session.chainId,
|
|
2478
|
+
host: this.config.host
|
|
2479
|
+
},
|
|
2480
|
+
operations,
|
|
2481
|
+
expiresAt,
|
|
2482
|
+
provenance: "primary"
|
|
2379
2483
|
});
|
|
2380
2484
|
}
|
|
2381
2485
|
async writeManifestRegistryRecords() {
|
|
@@ -2711,6 +2815,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
2711
2815
|
} else {
|
|
2712
2816
|
this._restoredTcSession = tcSession;
|
|
2713
2817
|
}
|
|
2818
|
+
this.registerPrimarySessionGrant(tcSession);
|
|
2714
2819
|
}
|
|
2715
2820
|
}
|
|
2716
2821
|
/**
|
|
@@ -3749,7 +3854,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
3749
3854
|
getRuntimePermissionDelegations(permissions) {
|
|
3750
3855
|
this.pruneExpiredRuntimePermissionGrants();
|
|
3751
3856
|
if (permissions === void 0) {
|
|
3752
|
-
return this.runtimePermissionGrants.map((grant) => grant.delegation);
|
|
3857
|
+
return this.runtimePermissionGrants.filter((grant) => grant.provenance !== "primary").map((grant) => grant.delegation);
|
|
3753
3858
|
}
|
|
3754
3859
|
const session = this.currentTinyCloudSession();
|
|
3755
3860
|
if (!session || !Array.isArray(permissions) || permissions.length === 0) {
|
|
@@ -3901,7 +4006,8 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
3901
4006
|
},
|
|
3902
4007
|
delegation,
|
|
3903
4008
|
operations: this.permissionOperations(delegatedEntries, spaceId),
|
|
3904
|
-
expiresAt
|
|
4009
|
+
expiresAt,
|
|
4010
|
+
provenance: "runtime"
|
|
3905
4011
|
});
|
|
3906
4012
|
delegations.push(delegation);
|
|
3907
4013
|
}
|
|
@@ -4562,7 +4668,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
4562
4668
|
return grants;
|
|
4563
4669
|
}
|
|
4564
4670
|
for (const operation of operations) {
|
|
4565
|
-
const grant = this.findGrantForOperation(operation);
|
|
4671
|
+
const grant = this.findGrantForOperation(operation, { excludePrimary: true });
|
|
4566
4672
|
if (!grant) {
|
|
4567
4673
|
return [];
|
|
4568
4674
|
}
|
|
@@ -4602,7 +4708,8 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
4602
4708
|
},
|
|
4603
4709
|
delegation,
|
|
4604
4710
|
operations,
|
|
4605
|
-
expiresAt: delegation.expiry
|
|
4711
|
+
expiresAt: delegation.expiry,
|
|
4712
|
+
provenance: "delegated"
|
|
4606
4713
|
};
|
|
4607
4714
|
}
|
|
4608
4715
|
installRuntimeGrantFromServiceSession(delegation, session, expiresAt) {
|
|
@@ -4617,7 +4724,8 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
4617
4724
|
session,
|
|
4618
4725
|
delegation,
|
|
4619
4726
|
operations,
|
|
4620
|
-
expiresAt
|
|
4727
|
+
expiresAt,
|
|
4728
|
+
provenance: "delegated"
|
|
4621
4729
|
});
|
|
4622
4730
|
}
|
|
4623
4731
|
delegatedResourcesForEntries(entries, spaceId) {
|
|
@@ -4717,21 +4825,28 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
4717
4825
|
});
|
|
4718
4826
|
return grant?.session ?? fallback;
|
|
4719
4827
|
}
|
|
4720
|
-
findGrantForOperations(operations) {
|
|
4828
|
+
findGrantForOperations(operations, options) {
|
|
4721
4829
|
if (operations.length === 0) {
|
|
4722
4830
|
return void 0;
|
|
4723
4831
|
}
|
|
4724
4832
|
this.pruneExpiredRuntimePermissionGrants();
|
|
4725
|
-
|
|
4833
|
+
const covering = this.runtimePermissionGrants.filter((grant) => {
|
|
4834
|
+
if (options?.excludePrimary && grant.provenance === "primary") {
|
|
4835
|
+
return false;
|
|
4836
|
+
}
|
|
4726
4837
|
return operations.every(
|
|
4727
4838
|
(operation) => grant.operations.some(
|
|
4728
4839
|
(granted) => this.operationCovers(granted, operation)
|
|
4729
4840
|
)
|
|
4730
4841
|
);
|
|
4731
4842
|
});
|
|
4843
|
+
if (covering.length === 0) {
|
|
4844
|
+
return void 0;
|
|
4845
|
+
}
|
|
4846
|
+
return covering.find((grant) => grant.provenance === "primary") ?? covering[0];
|
|
4732
4847
|
}
|
|
4733
|
-
findGrantForOperation(operation) {
|
|
4734
|
-
return this.findGrantForOperations([operation]);
|
|
4848
|
+
findGrantForOperation(operation, options) {
|
|
4849
|
+
return this.findGrantForOperations([operation], options);
|
|
4735
4850
|
}
|
|
4736
4851
|
pruneExpiredRuntimePermissionGrants() {
|
|
4737
4852
|
const now = Date.now();
|