@toa.io/extensions.exposition 1.0.0-alpha.101 → 1.0.0-alpha.103

package/features/identtiy.tokens.custom.feature

@@ -0,0 +1,247 @@
+@security
+Feature: Custom tokens
+
+  Background:
+    Given the `identity.basic` database contains:
+      | _id                              | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role      |
+      | 9c4702490ff84f2a9e1b1da2ab64bdd4 | efe3a65ebbee47ed95a73edd911ea328 | app:notes |
+    And the `identity.keys` database is empty
+    And the annotation:
+      """yaml
+      /:
+        /notes:
+          auth:role: app:notes
+          GET:
+            io:output: true
+            dev:stub:
+              access: granted!
+          POST:
+            io:output: true
+            dev:stub:
+              access: granted!
+          /public:
+            GET:
+              auth:role: app:notes:public
+              io:output: true
+              dev:stub:
+                access: granted!
+      """
+
+  Scenario: Issuing a token
+    When the following request is received:
+      """
+      POST /identity/tokens/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+      accept: application/yaml
+
+      label: Dev token
+      lifetime: 600
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      kid: ${{ kid }}
+      exp: ${{ exp }}
+      token: ${{ token }}
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: efe3a65ebbee47ed95a73edd911ea328
+      """
+
+    # debug LRU cache
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+
+  Scenario: Token with restricted scopes
+    When the following request is received:
+      """
+      POST /identity/tokens/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      content-type: application/yaml
+
+      label: Production token
+      lifetime: 0
+      scopes: [app:notes:public]
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      token: ${{ token }}
+      """
+    When the following request is received:
+      """
+      GET /notes/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+    When the following request is received:
+      """
+      GET /notes/public/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+
+  Scenario: Token with restricted permissions
+    When the following request is received:
+      """
+      POST /identity/tokens/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      content-type: application/yaml
+
+      label: Restricted token
+      lifetime: 0
+      permissions: {
+        /notes/: [GET]
+      }
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      token: ${{ token }}
+      """
+    When the following request is received:
+      """
+      GET /notes/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+
+    # method is not permitted
+    When the following request is received:
+      """
+      POST /notes/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
+    # resource is not permitted
+    When the following request is received:
+      """
+      GET /notes/public/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
+  Scenario: Token revocation
+    Given the `identity.tokens` configuration:
+      """yaml
+      cache:
+        ttl: 1
+      """
+    When the following request is received:
+      """
+      POST /identity/tokens/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      content-type: application/yaml
+
+      label: One-time token
+      lifetime: 60
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      token: ${{ token }}
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: efe3a65ebbee47ed95a73edd911ea328
+      """
+    When the following request is received:
+      """
+      GET /identity/keys/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      - id: ${{ kid }}
+        label: One-time token
+        expires: ${{ expires }}
+        _created: ${{ created }}
+      """
+    When the following request is received:
+      """
+      DELETE /identity/keys/efe3a65ebbee47ed95a73edd911ea328/${{ kid }}/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    And after 1 second
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """

package/features/octets.cloudinary.feature

@@ -29,13 +29,13 @@ Feature: Octets with Cloudinary storage
       201 Created
       content-type: application/yaml
 
-      id: 814a0034f5549e957ee61360d87457e5
+      id: ${{ id }}
       type: image/png
       size: 473831
       """
     When the following request is received:
       """
-      GET /814a0034f5549e957ee61360d87457e5 HTTP/1.1
+      GET /${{ id }} HTTP/1.1
       host: nex.toa.io
       """
     Then the stream equals to `lenna.png` is sent with the following headers:

package/features/steps/Gateway.ts

@@ -127,6 +127,8 @@ const DEFAULT_PROPERTIES: Partial<http.Options> = {
 
 const DEFAULT_CONFIGURATION: Record<string, object> = {
   'identity.tokens': {
-    key0: 'k3.local.pIZT8-9Fa6U_QtfQHOSStfGtmyzPINyKQq2Xk-hd7vA'
+    keys: {
+      0: 'k3.local.pIZT8-9Fa6U_QtfQHOSStfGtmyzPINyKQq2Xk-hd7vA'
+    }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@toa.io/extensions.exposition",
-  "version": "1.0.0-alpha.101",
+  "version": "1.0.0-alpha.103",
   "description": "Toa Exposition",
   "author": "temich <tema.gurtovoy@gmail.com>",
   "homepage": "https://github.com/toa-io/toa#readme",
@@ -22,10 +22,12 @@
     "@toa.io/generic": "1.0.0-alpha.93",
     "@toa.io/schemas": "1.0.0-alpha.93",
     "bcryptjs": "2.4.3",
-    "error-value": "0.3.0",
+    "error-value": "0.4.1",
     "http-cache-semantics": "4.1.1",
     "js-yaml": "4.1.0",
+    "lru-cache": "11.0.1",
     "matchacho": "0.3.5",
+    "minimatch": "10.0.1",
     "msgpackr": "1.10.1",
     "negotiator": "0.6.3",
     "openspan": "1.0.0-alpha.93",
@@ -39,12 +41,13 @@
   },
   "scripts": {
     "test": "jest",
-    "transpile": "tsc && npm run transpile:bans && npm run transpile:basic && npm run transpile:tokens && npm run transpile:roles && npm run transpile:federation",
+    "transpile": "tsc && npm run transpile:bans && npm run transpile:basic && npm run transpile:tokens && npm run transpile:roles && npm run transpile:federation && npm run transpile:keys",
     "transpile:bans": "tsc -p ./components/identity.bans",
     "transpile:basic": "tsc -p ./components/identity.basic",
     "transpile:tokens": "tsc -p ./components/identity.tokens",
     "transpile:roles": "tsc -p ./components/identity.roles",
     "transpile:federation": "tsc -p ./components/identity.federation",
+    "transpile:keys": "tsc -p ./components/identity.keys",
     "features": "cucumber-js",
     "features:security": "cucumber-js --tags @security",
     "features:octets": "cucumber-js features/octets.*"
@@ -58,5 +61,5 @@
     "@types/negotiator": "0.6.1",
     "jest-esbuild": "0.3.0"
   },
-  "gitHead": "19a5855caa247439f17960dfdc25053b5eca6395"
+  "gitHead": "a52ca7d2b22f5855e2f539f5fb3425854ba476c7"
 }

package/source/directives/auth/Authorization.ts

@@ -1,5 +1,7 @@
 import assert from 'node:assert'
 import { match } from 'matchacho'
+import { console } from 'openspan'
+import { minimatch } from 'minimatch'
 import * as http from '../../HTTP'
 import { Anonymous } from './Anonymous'
 import { Id } from './Id'
@@ -57,27 +59,21 @@ export class Authorization implements DirectiveFamily<Directive, Extension> {
   }
 
   public async preflight (directives: Directive[],
-    input: Input,
+    context: Input,
     parameters: Parameter[]): Promise<Output> {
-    /**
-     * Some authentication scheme providers may create identity during authentication;
-     * therefore, we need to skip the authentication process if the Incept directive is present.
-     *
-     * If the provided credentials already exist,
-     * the inception will cause a unique constraint violation on the settle stage.
-     */
-    // const inception = directives.reduce((yes, directive) => yes || directive instanceof Incept, false)
-
-    input.identity = await this.resolve(input.authority, input.request.headers.authorization)
+    context.identity = await this.resolve(context.authority, context.request.headers.authorization)
 
     for (const directive of directives) {
-      const allow = await directive.authorize(input.identity, input, parameters)
+      const allow = await directive.authorize(context.identity, context, parameters)
 
       if (allow)
-        return directive.reply?.(input.identity) ?? null
+        if (this.permitted(context))
+          return directive.reply?.(context.identity) ?? null
+        else
+          throw new http.Forbidden()
     }
 
-    if (input.identity === null)
+    if (context.identity === null)
       throw new http.Unauthorized()
     else
       throw new http.Forbidden()
@@ -98,9 +94,7 @@ export class Authorization implements DirectiveFamily<Directive, Extension> {
       return
 
     // Role directive may have already set the value
-    if (identity.roles === undefined)
-      await Role.set(identity, this.discovery.roles)
-
+    identity.roles ??= await Role.get(identity, this.discovery.roles)
     this.tokens ??= await this.discovery.tokens
 
     const token = await this.tokens.invoke<string>('encrypt', {
@@ -132,8 +126,14 @@ export class Authorization implements DirectiveFamily<Directive, Extension> {
       }
     })
 
-    if (result instanceof Error)
+    if (result instanceof Error) {
+      const code: string | unknown = (result as unknown as { code: string }).code
+
+      if (typeof code === 'string')
+        console.info('Authentication failed', { code })
+
       return null
+    }
 
     const identity = result.identity
 
@@ -145,6 +145,18 @@ export class Authorization implements DirectiveFamily<Directive, Extension> {
     return identity
   }
 
+  private permitted (context: Input): boolean {
+    const permissions = context.identity?.permissions
+
+    if (permissions === undefined)
+      return true
+
+    return Object.entries(permissions).some(([pattern, methods]) => {
+      return methods.some((method) => method === '*' || method === context.request.method) &&
+        minimatch(context.request.url, pattern)
+    })
+  }
+
   private async banned (identity: Identity): Promise<boolean> {
     this.bans ??= await this.discovery.bans
 

package/source/directives/auth/Delegate.ts

@@ -17,9 +17,7 @@ export class Delegate implements Directive {
     if (identity === null)
       return false
 
-    if (identity.roles === undefined)
-      await Role.set(identity, this.discovery)
-
+    identity.roles ??= await Role.get(identity, this.discovery)
     context.pipelines.body.push((body) => this.embed(body, identity))
 
     return true

package/source/directives/auth/Role.ts

@@ -15,7 +15,7 @@ export class Role implements Directive {
     this.dynamic = this.roles.some((role) => role.includes('{'))
   }
 
-  public static async set (identity: Identity, discovery: Promise<Component>): Promise<void> {
+  public static async get (identity: Identity, discovery: Promise<Component>): Promise<string[]> {
     this.remote ??= await discovery
 
     const query: Query = {
@@ -23,7 +23,7 @@ export class Role implements Directive {
       limit: 1024
     }
 
-    identity.roles = await this.remote.invoke('list', { query })
+    return await this.remote.invoke('list', { query })
   }
 
   public async authorize
@@ -31,13 +31,9 @@ export class Role implements Directive {
     if (identity === null)
       return false
 
-    await Role.set(identity, this.discovery)
+    identity.roles ??= await Role.get(identity, this.discovery)
 
-    if (identity.roles!.length === 0) // Role.set()
-
-      return false
-
-    return this.match(identity.roles!, parameters)
+    return this.match(identity.roles, parameters)
   }
 
   private match (roles: string[], parameters: Parameter[]): boolean {

package/source/directives/auth/types.ts

@@ -18,8 +18,9 @@ export interface Directive {
 
 export interface Identity {
   readonly id: string
-  scheme: string | null // null for transient identities
   roles?: string[]
+  permissions?: Record<string, string[]>
+  scheme: string | null // null for transient identities
   refresh: boolean
 }
 

package/source/directives/octets/Put.ts

@@ -11,7 +11,7 @@ import type { Parameter } from '../../RTD'
 import type { Unit } from './workflows'
 import type { Entry } from '@toa.io/extensions.storages'
 import type { Remotes } from '../../Remotes'
-import type { ErrorType } from 'error-value'
+import type { Err } from 'error-value'
 import type { Component } from '@toa.io/core'
 import type { Output } from '../../io'
 import type { Input } from './types'
@@ -69,7 +69,7 @@ export class Put extends Directive {
     const entry = await this.storage.invoke<Entry>('put', request)
 
     return match<Output>(entry,
-      Error, (error: ErrorType) => this.throw(error),
+      Error, (error: Err) => this.throw(error),
       () => this.reply(input, storage, entry, parameters))
   }
 
@@ -94,7 +94,7 @@ export class Put extends Directive {
     return stream
   }
 
-  private throw (error: ErrorType): never {
+  private throw (error: Err): never {
     throw match(error.code,
       'NOT_ACCEPTABLE', () => new http.UnsupportedMediaType(),
       'TYPE_MISMATCH', () => new http.BadRequest(),
@@ -105,22 +105,6 @@ export class Put extends Directive {
       'INVALID_ID', () => new http.BadRequest(error.message),
       error)
   }
-
-  private attributes (value: string | string[]): Record<string, string> {
-    if (Array.isArray(value))
-      value = value.join(',')
-
-    const attributes: Record<string, string> = {}
-
-    for (const pair of value.split(',')) {
-      const eq = pair.indexOf('=')
-      const key = (eq === -1 ? pair : pair.slice(0, eq)).trim()
-
-      attributes[key] = eq === -1 ? 'true' : pair.slice(eq + 1).trim()
-    }
-
-    return attributes
-  }
 }
 
 export interface Options {

package/transpiled/directives/auth/Authorization.d.ts

@@ -12,8 +12,9 @@ export declare class Authorization implements DirectiveFamily<Directive, Extensi
     private tokens;
     private bans;
     create(name: string, value: any, remotes: Remotes): Directive;
-    preflight(directives: Directive[], input: Input, parameters: Parameter[]): Promise<Output>;
+    preflight(directives: Directive[], context: Input, parameters: Parameter[]): Promise<Output>;
     settle(directives: Directive[], input: Input, response: http.OutgoingMessage): Promise<void>;
     private resolve;
+    private permitted;
     private banned;
 }

package/transpiled/directives/auth/Authorization.js

@@ -29,6 +29,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.Authorization = void 0;
 const node_assert_1 = __importDefault(require("node:assert"));
 const matchacho_1 = require("matchacho");
+const openspan_1 = require("openspan");
+const minimatch_1 = require("minimatch");
 const http = __importStar(require("../../HTTP"));
 const Anonymous_1 = require("./Anonymous");
 const Id_1 = require("./Id");
@@ -57,22 +59,17 @@ class Authorization {
             this.discovery[name] ??= remotes.discover('identity', name);
         return (0, matchacho_1.match)(Class, Role_1.Role, () => new Role_1.Role(value, this.discovery.roles), Rule_1.Rule, () => new Rule_1.Rule(value, this.create.bind(this)), Incept_1.Incept, () => new Incept_1.Incept(value, this.discovery), Delegate_1.Delegate, () => new Delegate_1.Delegate(value, this.discovery.roles), () => new Class(value));
     }
-    async preflight(directives, input, parameters) {
-        /**
-         * Some authentication scheme providers may create identity during authentication;
-         * therefore, we need to skip the authentication process if the Incept directive is present.
-         *
-         * If the provided credentials already exist,
-         * the inception will cause a unique constraint violation on the settle stage.
-         */
-        // const inception = directives.reduce((yes, directive) => yes || directive instanceof Incept, false)
-        input.identity = await this.resolve(input.authority, input.request.headers.authorization);
+    async preflight(directives, context, parameters) {
+        context.identity = await this.resolve(context.authority, context.request.headers.authorization);
         for (const directive of directives) {
-            const allow = await directive.authorize(input.identity, input, parameters);
+            const allow = await directive.authorize(context.identity, context, parameters);
             if (allow)
-                return directive.reply?.(input.identity) ?? null;
+                if (this.permitted(context))
+                    return directive.reply?.(context.identity) ?? null;
+                else
+                    throw new http.Forbidden();
         }
-        if (input.identity === null)
+        if (context.identity === null)
             throw new http.Unauthorized();
         else
             throw new http.Forbidden();
@@ -85,8 +82,7 @@ class Authorization {
         if (identity.scheme === schemes_1.PRIMARY && !identity.refresh)
             return;
         // Role directive may have already set the value
-        if (identity.roles === undefined)
-            await Role_1.Role.set(identity, this.discovery.roles);
+        identity.roles ??= await Role_1.Role.get(identity, this.discovery.roles);
         this.tokens ??= await this.discovery.tokens;
         const token = await this.tokens.invoke('encrypt', {
             input: { authority: input.authority, identity }
@@ -109,8 +105,12 @@ class Authorization {
                 credentials
             }
         });
-        if (result instanceof Error)
+        if (result instanceof Error) {
+            const code = result.code;
+            if (typeof code === 'string')
+                openspan_1.console.info('Authentication failed', { code });
             return null;
+        }
         const identity = result.identity;
         if (scheme !== schemes_1.PRIMARY && (await this.banned(identity)))
             throw new http.Unauthorized();
@@ -118,6 +118,15 @@ class Authorization {
         identity.refresh = result.refresh;
         return identity;
     }
+    permitted(context) {
+        const permissions = context.identity?.permissions;
+        if (permissions === undefined)
+            return true;
+        return Object.entries(permissions).some(([pattern, methods]) => {
+            return methods.some((method) => method === '*' || method === context.request.method) &&
+                (0, minimatch_1.minimatch)(context.request.url, pattern);
+        });
+    }
     async banned(identity) {
         this.bans ??= await this.discovery.bans;
         const ban = await this.bans.invoke('observe', { query: { id: identity.id } });

package/transpiled/directives/auth/Authorization.js.map

@@ -1 +1 @@
-{"version":3,"file":"Authorization.js","sourceRoot":"","sources":["../../../source/directives/auth/Authorization.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8DAAgC;AAChC,yCAAiC;AACjC,iDAAkC;AAClC,2CAAuC;AACvC,6BAAyB;AACzB,iCAA6B;AAC7B,iCAA6B;AAC7B,qCAAiC;AACjC,iCAA6B;AAC7B,qCAAiC;AACjC,yCAAqC;AACrC,6CAAyC;AACzC,mCAA+B;AAC/B,uCAA8C;AAC9C,qCAAiC;AAiBjC,MAAa,aAAa;IACR,OAAO,GAAa,CAAC,MAAM,CAAC,CAAA;IAC5B,IAAI,GAAW,MAAM,CAAA;IACrB,SAAS,GAAY,IAAI,CAAA;IAExB,OAAO,GAAG,EAAwB,CAAA;IAClC,SAAS,GAAG,EAA0B,CAAA;IAC/C,MAAM,GAAqB,IAAI,CAAA;IAC/B,IAAI,GAAqB,IAAI,CAAA;IAE9B,MAAM,CAAE,IAAY,EAAE,KAAU,EAAE,OAAgB;QACvD,qBAAM,CAAC,EAAE,CAAC,IAAI,IAAI,YAAY,EAC5B,mBAAmB,IAAI,sBAAsB,CAAC,CAAA;QAEhD,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,CAAA;QAEhC,KAAK,MAAM,IAAI,IAAI,OAAO;YACxB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,OAAO,CAAC,QAAQ,CAAC,UAAU,EAAE,IAAI,CAAC,CAAA;QAE7D,OAAO,IAAA,iBAAK,EAAC,KAAK,EAChB,WAAI,EAAE,GAAG,EAAE,CAAC,IAAI,WAAI,CAAC,KAA0B,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EACtE,WAAI,EAAE,GAAG,EAAE,CAAC,IAAI,WAAI,CAAC,KAA+B,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAC7E,eAAM,EAAE,GAAG,EAAE,CAAC,IAAI,eAAM,CAAC,KAAe,EAAE,IAAI,CAAC,SAAS,CAAC,EACzD,mBAAQ,EAAE,GAAG,EAAE,CAAC,IAAI,mBAAQ,CAAC,KAAe,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EACnE,GAAG,EAAE,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAA;IAC3B,CAAC;IAEM,KAAK,CAAC,SAAS,CAAE,UAAuB,EAC7C,KAAY,EACZ,UAAuB;QACvB;;;;;;WAMG;QACH,qGAAqG;QAErG,KAAK,CAAC,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAA;QAEzF,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,EAAE,UAAU,CAAC,CAAA;YAE1E,IAAI,KAAK;gBACP,OAAO,SAAS,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAA;QACpD,CAAC;QAED,IAAI,KAAK,CAAC,QAAQ,KAAK,IAAI;YACzB,MAAM,IAAI,IAAI,CAAC,YAAY,EAAE,CAAA;;YAE7B,MAAM,IAAI,IAAI,CAAC,SAAS,EAAE,CAAA;IAC9B,CAAC;IAEM,KAAK,CAAC,MAAM,CAAE,UAAuB,EAC1C,KAAY,EACZ,QAA8B;QAC9B,MAAM,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CACnD,SAAS,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAA;QAEvC,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;QAE/B,IAAI,QAAQ,KAAK,IAAI;YACnB,OAAM;QAER,IAAI,QAAQ,CAAC,MAAM,KAAK,iBAAO,IAAI,CAAC,QAAQ,CAAC,OAAO;YAClD,OAAM;QAER,gDAAgD;QAChD,IAAI,QAAQ,CAAC,KAAK,KAAK,SAAS;YAC9B,MAAM,WAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QAEhD,IAAI,CAAC,MAAM,KAAK,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAA;QAE3C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAS,SAAS,EAAE;YACxD,KAAK,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,QAAQ,EAAE;SAChD,CAAC,CAAA;QAEF,MAAM,aAAa,GAAG,SAAS,KAAK,EAAE,CAAA;QAEtC,QAAQ,CAAC,OAAO,KAAK,IAAI,OAAO,EAAE,CAAA;QAClC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,aAAa,CAAC,CAAA;IACtD,CAAC;IAEO,KAAK,CAAC,OAAO,CAAE,SAAiB,EAAE,aAAiC;QACzE,IAAI,aAAa,KAAK,SAAS;YAC7B,OAAO,IAAI,CAAA;QAEb,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAAG,IAAA,aAAK,EAAC,aAAa,CAAC,CAAA;QAClD,MAAM,QAAQ,GAAG,mBAAS,CAAC,MAAM,CAAC,CAAA;QAElC,IAAI,CAAC,CAAC,QAAQ,IAAI,IAAI,CAAC,SAAS,CAAC;YAC/B,MAAM,IAAI,IAAI,CAAC,YAAY,CAAC,kCAAkC,MAAM,GAAG,CAAC,CAAA;QAE1E,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;QAEvD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,CAAuB,cAAc,EAAE;YACrF,KAAK,EAAE;gBACL,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAA;QAEF,IAAI,MAAM,YAAY,KAAK;YACzB,OAAO,IAAI,CAAA;QAEb,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAA;QAEhC,IAAI,MAAM,KAAK,iBAAO,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAAE,MAAM,IAAI,IAAI,CAAC,YAAY,EAAE,CAAA;QAEtF,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAA;QACxB,QAAQ,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAA;QAEjC,OAAO,QAAQ,CAAA;IACjB,CAAC;IAEO,KAAK,CAAC,MAAM,CAAE,QAAkB;QACtC,IAAI,CAAC,IAAI,KAAK,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAA;QAEvC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAM,SAAS,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAA;QAElF,OAAO,GAAG,CAAC,MAAM,CAAA;IACnB,CAAC;CACF;AA3HD,sCA2HC;AAED,MAAM,YAAY,GAAkE;IAClF,SAAS,EAAE,qBAAS;IACpB,MAAM,EAAE,eAAM;IACd,EAAE,EAAE,OAAE;IACN,IAAI,EAAE,WAAI;IACV,IAAI,EAAE,WAAI;IACV,MAAM,EAAE,eAAM;IACd,MAAM,EAAE,eAAM;IACd,IAAI,EAAE,WAAI;IACV,QAAQ,EAAE,mBAAQ;IAClB,MAAM,EAAE,uBAAU;CACnB,CAAA;AAED,MAAM,OAAO,GAAa,CAAC,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA"}
+{"version":3,"file":"Authorization.js","sourceRoot":"","sources":["../../../source/directives/auth/Authorization.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8DAAgC;AAChC,yCAAiC;AACjC,uCAAkC;AAClC,yCAAqC;AACrC,iDAAkC;AAClC,2CAAuC;AACvC,6BAAyB;AACzB,iCAA6B;AAC7B,iCAA6B;AAC7B,qCAAiC;AACjC,iCAA6B;AAC7B,qCAAiC;AACjC,yCAAqC;AACrC,6CAAyC;AACzC,mCAA+B;AAC/B,uCAA8C;AAC9C,qCAAiC;AAiBjC,MAAa,aAAa;IACR,OAAO,GAAa,CAAC,MAAM,CAAC,CAAA;IAC5B,IAAI,GAAW,MAAM,CAAA;IACrB,SAAS,GAAY,IAAI,CAAA;IAExB,OAAO,GAAG,EAAwB,CAAA;IAClC,SAAS,GAAG,EAA0B,CAAA;IAC/C,MAAM,GAAqB,IAAI,CAAA;IAC/B,IAAI,GAAqB,IAAI,CAAA;IAE9B,MAAM,CAAE,IAAY,EAAE,KAAU,EAAE,OAAgB;QACvD,qBAAM,CAAC,EAAE,CAAC,IAAI,IAAI,YAAY,EAC5B,mBAAmB,IAAI,sBAAsB,CAAC,CAAA;QAEhD,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,CAAA;QAEhC,KAAK,MAAM,IAAI,IAAI,OAAO;YACxB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,OAAO,CAAC,QAAQ,CAAC,UAAU,EAAE,IAAI,CAAC,CAAA;QAE7D,OAAO,IAAA,iBAAK,EAAC,KAAK,EAChB,WAAI,EAAE,GAAG,EAAE,CAAC,IAAI,WAAI,CAAC,KAA0B,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EACtE,WAAI,EAAE,GAAG,EAAE,CAAC,IAAI,WAAI,CAAC,KAA+B,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAC7E,eAAM,EAAE,GAAG,EAAE,CAAC,IAAI,eAAM,CAAC,KAAe,EAAE,IAAI,CAAC,SAAS,CAAC,EACzD,mBAAQ,EAAE,GAAG,EAAE,CAAC,IAAI,mBAAQ,CAAC,KAAe,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EACnE,GAAG,EAAE,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAA;IAC3B,CAAC;IAEM,KAAK,CAAC,SAAS,CAAE,UAAuB,EAC7C,OAAc,EACd,UAAuB;QACvB,OAAO,CAAC,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAA;QAE/F,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,EAAE,UAAU,CAAC,CAAA;YAE9E,IAAI,KAAK;gBACP,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;oBACzB,OAAO,SAAS,CAAC,KAAK,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAA;;oBAElD,MAAM,IAAI,IAAI,CAAC,SAAS,EAAE,CAAA;QAChC,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,KAAK,IAAI;YAC3B,MAAM,IAAI,IAAI,CAAC,YAAY,EAAE,CAAA;;YAE7B,MAAM,IAAI,IAAI,CAAC,SAAS,EAAE,CAAA;IAC9B,CAAC;IAEM,KAAK,CAAC,MAAM,CAAE,UAAuB,EAC1C,KAAY,EACZ,QAA8B;QAC9B,MAAM,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CACnD,SAAS,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAA;QAEvC,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;QAE/B,IAAI,QAAQ,KAAK,IAAI;YACnB,OAAM;QAER,IAAI,QAAQ,CAAC,MAAM,KAAK,iBAAO,IAAI,CAAC,QAAQ,CAAC,OAAO;YAClD,OAAM;QAER,gDAAgD;QAChD,QAAQ,CAAC,KAAK,KAAK,MAAM,WAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QACjE,IAAI,CAAC,MAAM,KAAK,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAA;QAE3C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAS,SAAS,EAAE;YACxD,KAAK,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,QAAQ,EAAE;SAChD,CAAC,CAAA;QAEF,MAAM,aAAa,GAAG,SAAS,KAAK,EAAE,CAAA;QAEtC,QAAQ,CAAC,OAAO,KAAK,IAAI,OAAO,EAAE,CAAA;QAClC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,aAAa,CAAC,CAAA;IACtD,CAAC;IAEO,KAAK,CAAC,OAAO,CAAE,SAAiB,EAAE,aAAiC;QACzE,IAAI,aAAa,KAAK,SAAS;YAC7B,OAAO,IAAI,CAAA;QAEb,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAAG,IAAA,aAAK,EAAC,aAAa,CAAC,CAAA;QAClD,MAAM,QAAQ,GAAG,mBAAS,CAAC,MAAM,CAAC,CAAA;QAElC,IAAI,CAAC,CAAC,QAAQ,IAAI,IAAI,CAAC,SAAS,CAAC;YAC/B,MAAM,IAAI,IAAI,CAAC,YAAY,CAAC,kCAAkC,MAAM,GAAG,CAAC,CAAA;QAE1E,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;QAEvD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,CAAuB,cAAc,EAAE;YACrF,KAAK,EAAE;gBACL,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAA;QAEF,IAAI,MAAM,YAAY,KAAK,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAsB,MAAsC,CAAC,IAAI,CAAA;YAE3E,IAAI,OAAO,IAAI,KAAK,QAAQ;gBAC1B,kBAAO,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAA;YAEjD,OAAO,IAAI,CAAA;QACb,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAA;QAEhC,IAAI,MAAM,KAAK,iBAAO,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAAE,MAAM,IAAI,IAAI,CAAC,YAAY,EAAE,CAAA;QAEtF,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAA;QACxB,QAAQ,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAA;QAEjC,OAAO,QAAQ,CAAA;IACjB,CAAC;IAEO,SAAS,CAAE,OAAc;QAC/B,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,EAAE,WAAW,CAAA;QAEjD,IAAI,WAAW,KAAK,SAAS;YAC3B,OAAO,IAAI,CAAA;QAEb,OAAO,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,EAAE;YAC7D,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC;gBAClF,IAAA,qBAAS,EAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC3C,CAAC,CAAC,CAAA;IACJ,CAAC;IAEO,KAAK,CAAC,MAAM,CAAE,QAAkB;QACtC,IAAI,CAAC,IAAI,KAAK,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAA;QAEvC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAM,SAAS,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAA;QAElF,OAAO,GAAG,CAAC,MAAM,CAAA;IACnB,CAAC;CACF;AArID,sCAqIC;AAED,MAAM,YAAY,GAAkE;IAClF,SAAS,EAAE,qBAAS;IACpB,MAAM,EAAE,eAAM;IACd,EAAE,EAAE,OAAE;IACN,IAAI,EAAE,WAAI;IACV,IAAI,EAAE,WAAI;IACV,MAAM,EAAE,eAAM;IACd,MAAM,EAAE,eAAM;IACd,IAAI,EAAE,WAAI;IACV,QAAQ,EAAE,mBAAQ;IAClB,MAAM,EAAE,uBAAU;CACnB,CAAA;AAED,MAAM,OAAO,GAAa,CAAC,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA"}

package/transpiled/directives/auth/Delegate.js

@@ -13,8 +13,7 @@ class Delegate {
     async authorize(identity, context) {
         if (identity === null)
             return false;
-        if (identity.roles === undefined)
-            await Role_1.Role.set(identity, this.discovery);
+        identity.roles ??= await Role_1.Role.get(identity, this.discovery);
         context.pipelines.body.push((body) => this.embed(body, identity));
         return true;
     }

package/transpiled/directives/auth/Delegate.js.map

@@ -1 +1 @@
-{"version":3,"file":"Delegate.js","sourceRoot":"","sources":["../../../source/directives/auth/Delegate.ts"],"names":[],"mappings":";;;AAAA,qCAAuC;AAEvC,iCAA6B;AAI7B,MAAa,QAAQ;IACF,QAAQ,CAAQ;IAChB,SAAS,CAAoB;IAE9C,YAAoB,QAAgB,EAAE,SAA6B;QACjE,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAA;QACxB,IAAI,CAAC,SAAS,GAAG,SAAS,CAAA;IAC5B,CAAC;IAEM,KAAK,CAAC,SAAS,CAAE,QAAyB,EAAE,OAAc;QAC/D,IAAI,QAAQ,KAAK,IAAI;YACnB,OAAO,KAAK,CAAA;QAEd,IAAI,QAAQ,CAAC,KAAK,KAAK,SAAS;YAC9B,MAAM,WAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,CAAA;QAE1C,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAA;QAEjE,OAAO,IAAI,CAAA;IACb,CAAC;IAEO,KAAK,CAAE,IAAa,EAAE,QAAkB;QAC9C,IAAI,IAAI,KAAK,SAAS;YACpB,IAAI,GAAG,EAAE,CAAA;QAEX,KAAK,CAAC,IAAI,CAAC,CAAA;QACX,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAA;QAE/C,OAAO,IAAI,CAAA;IACb,CAAC;CACF;AA9BD,4BA8BC;AAED,SAAS,KAAK,CAAE,IAAa;IAC3B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI;QAC3C,MAAM,IAAI,iBAAU,CAAC,sBAAsB,CAAC,CAAA;AAChD,CAAC"}
+{"version":3,"file":"Delegate.js","sourceRoot":"","sources":["../../../source/directives/auth/Delegate.ts"],"names":[],"mappings":";;;AAAA,qCAAuC;AAEvC,iCAA6B;AAI7B,MAAa,QAAQ;IACF,QAAQ,CAAQ;IAChB,SAAS,CAAoB;IAE9C,YAAoB,QAAgB,EAAE,SAA6B;QACjE,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAA;QACxB,IAAI,CAAC,SAAS,GAAG,SAAS,CAAA;IAC5B,CAAC;IAEM,KAAK,CAAC,SAAS,CAAE,QAAyB,EAAE,OAAc;QAC/D,IAAI,QAAQ,KAAK,IAAI;YACnB,OAAO,KAAK,CAAA;QAEd,QAAQ,CAAC,KAAK,KAAK,MAAM,WAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,CAAA;QAC3D,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAA;QAEjE,OAAO,IAAI,CAAA;IACb,CAAC;IAEO,KAAK,CAAE,IAAa,EAAE,QAAkB;QAC9C,IAAI,IAAI,KAAK,SAAS;YACpB,IAAI,GAAG,EAAE,CAAA;QAEX,KAAK,CAAC,IAAI,CAAC,CAAA;QACX,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAA;QAE/C,OAAO,IAAI,CAAA;IACb,CAAC;CACF;AA5BD,4BA4BC;AAED,SAAS,KAAK,CAAE,IAAa;IAC3B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI;QAC3C,MAAM,IAAI,iBAAU,CAAC,sBAAsB,CAAC,CAAA;AAChD,CAAC"}

package/transpiled/directives/auth/Role.d.ts

@@ -7,7 +7,7 @@ export declare class Role implements Directive {
     private readonly discovery;
     private readonly dynamic;
     constructor(roles: string | string[], discovery: Promise<Component>);
-    static set(identity: Identity, discovery: Promise<Component>): Promise<void>;
+    static get(identity: Identity, discovery: Promise<Component>): Promise<string[]>;
     authorize(identity: Identity | null, _: unknown, parameters: Parameter[]): Promise<boolean>;
     private match;
     private substitute;