@trailmix-cms/cms 0.4.4 → 0.7.2

package/dist/services/api-key.service.js

@@ -0,0 +1,306 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var ApiKeyService_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ApiKeyService = void 0;
+const common_1 = require("@nestjs/common");
+const trailmixModels = __importStar(require("@trailmix-cms/models"));
+const collections_1 = require("../collections");
+const authorization_service_1 = require("./authorization.service");
+const feature_service_1 = require("./feature.service");
+let ApiKeyService = ApiKeyService_1 = class ApiKeyService {
+    apiKeyCollection;
+    securityAuditCollection;
+    featureService;
+    authorizationService;
+    organizationCollection;
+    logger = new common_1.Logger(ApiKeyService_1.name);
+    constructor(apiKeyCollection, securityAuditCollection, featureService, authorizationService, organizationCollection) {
+        this.apiKeyCollection = apiKeyCollection;
+        this.securityAuditCollection = securityAuditCollection;
+        this.featureService = featureService;
+        this.authorizationService = authorizationService;
+        this.organizationCollection = organizationCollection;
+    }
+    /**
+     * Create a new API key with scope validation and authorization checks
+     */
+    async createApiKey(params, principal, auditContext) {
+        this.logger.log(`Creating API key with scope ${params.scope_type} for principal ${principal.entity._id}`);
+        // Check if scopes are configured and validate the requested scope
+        const allowedScopes = this.featureService.getApiKeyScopes();
+        if (!allowedScopes.includes(params.scope_type)) {
+            await this.securityAuditCollection.insertOne({
+                event_type: trailmixModels.SecurityAuditEventType.UnauthorizedAccess,
+                principal_id: principal.entity._id,
+                principal_type: principal.principal_type,
+                message: `Unauthorized attempt to create API key with scope ${params.scope_type} which is not in the allowed scopes`,
+                source: ApiKeyService_1.name,
+            });
+            throw new common_1.BadRequestException(`Scope type ${params.scope_type} is not allowed. Allowed scopes: ${allowedScopes.join(', ')}`);
+        }
+        const isGlobalAdmin = await this.authorizationService.isGlobalAdmin(principal.entity._id, principal.principal_type);
+        switch (params.scope_type) {
+            case trailmixModels.ApiKeyScope.Global: {
+                // Global-scoped: principal must be a global admin
+                if (!isGlobalAdmin) {
+                    await this.securityAuditCollection.insertOne({
+                        event_type: trailmixModels.SecurityAuditEventType.UnauthorizedAccess,
+                        principal_id: principal.entity._id,
+                        principal_type: principal.principal_type,
+                        message: 'Unauthorized attempt to create global-scoped API key',
+                        source: ApiKeyService_1.name,
+                    });
+                    throw new common_1.BadRequestException('Invalid scope type');
+                }
+                if (params.scope_id) {
+                    throw new common_1.BadRequestException('Scope ID is not allowed for global-scoped API keys');
+                }
+                const apiKey = await this.apiKeyCollection.create(params, auditContext);
+                this.logger.log(`Successfully created API key ${apiKey._id} with scope ${params.scope_type}`);
+                return apiKey;
+            }
+            case trailmixModels.ApiKeyScope.Account: {
+                // Account-scoped: principal must be the account owner
+                if (!params.scope_id) {
+                    throw new common_1.BadRequestException('Scope ID is required for account-scoped API keys');
+                }
+                if (isGlobalAdmin) {
+                    const apiKey = await this.apiKeyCollection.create(params, auditContext);
+                    this.logger.log(`Successfully created API key ${apiKey._id} with scope ${params.scope_type}`);
+                    return apiKey;
+                }
+                if (principal.principal_type !== trailmixModels.Principal.Account) {
+                    throw new common_1.BadRequestException('Only accounts can create account-scoped API keys');
+                }
+                if (!principal.entity._id.equals(params.scope_id)) {
+                    await this.securityAuditCollection.insertOne({
+                        event_type: trailmixModels.SecurityAuditEventType.UnauthorizedAccess,
+                        principal_id: principal.entity._id,
+                        principal_type: principal.principal_type,
+                        message: 'Unauthorized attempt to create account-scoped API key for another principal',
+                        source: ApiKeyService_1.name,
+                    });
+                    throw new common_1.BadRequestException('Scope ID must match principal ID for account-scoped API keys');
+                }
+                const apiKey = await this.apiKeyCollection.create(params, auditContext);
+                this.logger.log(`Successfully created API key ${apiKey._id} with scope ${params.scope_type}`);
+                return apiKey;
+            }
+            case trailmixModels.ApiKeyScope.Organization: {
+                // Organization-scoped: principal must have admin/owner role on the organization
+                if (!this.featureService.isOrganizationsEnabled()) {
+                    this.logger.warn('Organizations feature must be enabled to create organization-scoped API keys');
+                    throw new common_1.BadRequestException();
+                }
+                if (!this.organizationCollection) {
+                    this.logger.error('Organization collections and services are not available despite organizations feature being enabled');
+                    throw new common_1.InternalServerErrorException();
+                }
+                if (!params.scope_id) {
+                    throw new common_1.BadRequestException('Scope ID is required for organization-scoped API keys');
+                }
+                if (isGlobalAdmin) {
+                    const apiKey = await this.apiKeyCollection.create(params, auditContext);
+                    this.logger.log(`Successfully created API key ${apiKey._id} with scope ${params.scope_type}`);
+                    return apiKey;
+                }
+                const requiredRoles = [trailmixModels.RoleValue.Admin, trailmixModels.RoleValue.Owner];
+                // Check if user has admin or owner role on the organization
+                const accessResult = await this.authorizationService.resolveOrganizationAuthorization({
+                    principal,
+                    rolesAllowList: requiredRoles,
+                    principalTypeAllowList: [trailmixModels.Principal.Account],
+                    organizationId: params.scope_id,
+                });
+                if (!accessResult.hasAccess) {
+                    await this.securityAuditCollection.insertOne({
+                        event_type: trailmixModels.SecurityAuditEventType.UnauthorizedAccess,
+                        principal_id: principal.entity._id,
+                        principal_type: principal.principal_type,
+                        message: `Unauthorized attempt to create organization-scoped API key for organization ${params.scope_id}`,
+                        source: ApiKeyService_1.name,
+                    });
+                    // If the principal has at least reader organization role, throw a forbidden exception since they have access to the organization
+                    if (accessResult.organizationRoles.some(role => [
+                        trailmixModels.RoleValue.Owner,
+                        trailmixModels.RoleValue.Admin,
+                        trailmixModels.RoleValue.User,
+                        trailmixModels.RoleValue.Reader,
+                    ].includes(role.role))) {
+                        throw new common_1.ForbiddenException(`Insufficient permissions to create API keys for organization ${params.scope_id}. You must have at lesat one of ${requiredRoles} role on the organization.`);
+                    }
+                    throw new common_1.BadRequestException(`Organization ${params.scope_id} does not exist `);
+                }
+                const apiKey = await this.apiKeyCollection.create(params, auditContext);
+                this.logger.log(`Successfully created API key ${apiKey._id} with scope ${params.scope_type}`);
+                return apiKey;
+            }
+            default: {
+                throw new common_1.InternalServerErrorException('Invalid scope type');
+            }
+        }
+    }
+    /**
+     * Get API keys with filtering based on principal permissions
+     */
+    async getApiKeys(principal, queryParams) {
+        this.logger.log(`Getting API keys for principal ${principal.entity._id}`);
+        const isGlobalAdmin = await this.authorizationService.isGlobalAdmin(principal.entity._id, principal.principal_type);
+        if (isGlobalAdmin) {
+            const filter = {
+                ...(queryParams.name ? { name: queryParams.name } : {}),
+                ...(queryParams.disabled ? { disabled: queryParams.disabled } : {}),
+                ...(queryParams.scope_type ? { "scope.type": queryParams.scope_type } : {}),
+                ...(queryParams.scope_id ? { "scope.id": queryParams.scope_id } : {}),
+            };
+            const apiKeys = await this.apiKeyCollection.find(filter);
+            return {
+                items: apiKeys,
+                count: apiKeys.length,
+            };
+        }
+        // Non global admins
+        if (!queryParams.scope_type) {
+            throw new common_1.BadRequestException('Scope type is required');
+        }
+        // Global-scoped API keys are not supported for non-global admins
+        if (queryParams.scope_type?.includes(trailmixModels.ApiKeyScope.Global)) {
+            await this.securityAuditCollection.insertOne({
+                event_type: trailmixModels.SecurityAuditEventType.UnauthorizedAccess,
+                principal_id: principal.entity._id,
+                principal_type: principal.principal_type,
+                message: 'Unauthorized attempt to get global-scoped API keys for non-global admins',
+                source: ApiKeyService_1.name,
+            });
+            throw new common_1.BadRequestException('Global-scoped API keys are not supported for non-global admins');
+        }
+        switch (queryParams.scope_type) {
+            case trailmixModels.ApiKeyScope.Account: {
+                // Account-scoped API keys
+                const filter = {
+                    ...(queryParams.name ? { name: queryParams.name } : {}),
+                    ...(queryParams.disabled ? { disabled: queryParams.disabled } : {}),
+                    "scope.type": trailmixModels.ApiKeyScope.Account,
+                    "scope.id": principal.entity._id,
+                };
+                const apiKeys = await this.apiKeyCollection.find(filter);
+                return {
+                    items: apiKeys,
+                    count: apiKeys.length,
+                };
+            }
+            case trailmixModels.ApiKeyScope.Organization: {
+                // Organization-scoped API keys
+                if (!this.featureService.isOrganizationsEnabled()) {
+                    throw new common_1.BadRequestException('Organizations feature must be enabled to query organization-scoped API keys');
+                }
+                if (!queryParams.scope_id) {
+                    throw new common_1.BadRequestException('Scope ID is required for organization-scoped API keys');
+                }
+                const organization_id = queryParams.scope_id;
+                const requiredRoles = [trailmixModels.RoleValue.Admin, trailmixModels.RoleValue.Owner];
+                // Check if user has admin or owner role on the organization
+                const accessResult = await this.authorizationService.resolveOrganizationAuthorization({
+                    principal,
+                    rolesAllowList: requiredRoles,
+                    principalTypeAllowList: [trailmixModels.Principal.Account],
+                    organizationId: organization_id,
+                });
+                if (!accessResult.hasAccess) {
+                    throw new common_1.ForbiddenException(`Insufficient permissions to create API keys for organization ${organization_id}. You must have at lesat one of ${requiredRoles} role on the organization.`);
+                }
+                const filter = {
+                    ...(queryParams.name ? { name: queryParams.name } : {}),
+                    ...(queryParams.disabled ? { disabled: queryParams.disabled } : {}),
+                    "scope.type": trailmixModels.ApiKeyScope.Organization,
+                    "scope.id": organization_id,
+                };
+                const apiKeys = await this.apiKeyCollection.find(filter);
+                return {
+                    items: apiKeys,
+                    count: apiKeys.length,
+                };
+            }
+            default: {
+                throw new common_1.InternalServerErrorException('Invalid scope type');
+            }
+        }
+    }
+    /**
+     * Get a single API key by entity, checking authorization
+     */
+    async getApiKey(apiKey, principal) {
+        const hasAccess = await this.authorizationService.authorizeApiKeyAccessForPrincipal(principal, apiKey.scope_type, apiKey.scope_id);
+        if (!hasAccess) {
+            throw new common_1.NotFoundException('API key not found');
+        }
+        return apiKey;
+    }
+    /**
+     * Delete an API key, checking authorization first
+     */
+    async deleteApiKey(apiKey, principal, auditContext) {
+        const hasAccess = await this.authorizationService.authorizeApiKeyAccessForPrincipal(principal, apiKey.scope_type, apiKey.scope_id);
+        if (!hasAccess) {
+            throw new common_1.NotFoundException('API key not found');
+        }
+        await this.apiKeyCollection.deleteOne(apiKey._id, auditContext);
+        this.logger.log(`Successfully deleted API key ${apiKey._id}`);
+    }
+};
+exports.ApiKeyService = ApiKeyService;
+exports.ApiKeyService = ApiKeyService = ApiKeyService_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __param(4, (0, common_1.Optional)()),
+    __param(4, (0, common_1.Inject)(collections_1.OrganizationCollection)),
+    __metadata("design:paramtypes", [collections_1.ApiKeyCollection,
+        collections_1.SecurityAuditCollection,
+        feature_service_1.FeatureService,
+        authorization_service_1.AuthorizationService, Object])
+], ApiKeyService);
+//# sourceMappingURL=api-key.service.js.map

package/dist/services/api-key.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-key.service.js","sourceRoot":"","sources":["../../src/services/api-key.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAAgK;AAEhK,qEAAuD;AAGvD,gDAAmG;AACnG,mEAA+D;AAC/D,uDAAmD;AAW5C,IAAM,aAAa,qBAAnB,MAAM,aAAa;IAID;IACA;IACA;IACA;IAC4C;IAPhD,MAAM,GAAG,IAAI,eAAM,CAAC,eAAa,CAAC,IAAI,CAAC,CAAC;IAEzD,YACqB,gBAAkC,EAClC,uBAAgD,EAChD,cAA8B,EAC9B,oBAA0C,EACE,sBAA0D;QAJtG,qBAAgB,GAAhB,gBAAgB,CAAkB;QAClC,4BAAuB,GAAvB,uBAAuB,CAAyB;QAChD,mBAAc,GAAd,cAAc,CAAgB;QAC9B,yBAAoB,GAApB,oBAAoB,CAAsB;QACE,2BAAsB,GAAtB,sBAAsB,CAAoC;IACvH,CAAC;IAEL;;OAEG;IACH,KAAK,CAAC,YAAY,CACd,MAAqD,EACrD,SAA2B,EAC3B,YAA+C;QAE/C,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,+BAA+B,MAAM,CAAC,UAAU,kBAAkB,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;QAE1G,kEAAkE;QAClE,MAAM,aAAa,GAAG,IAAI,CAAC,cAAc,CAAC,eAAe,EAAE,CAAC;QAC5D,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;YAC7C,MAAM,IAAI,CAAC,uBAAuB,CAAC,SAAS,CAAC;gBACzC,UAAU,EAAE,cAAc,CAAC,sBAAsB,CAAC,kBAAkB;gBACpE,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,GAAG;gBAClC,cAAc,EAAE,SAAS,CAAC,cAAc;gBACxC,OAAO,EAAE,qDAAqD,MAAM,CAAC,UAAU,qCAAqC;gBACpH,MAAM,EAAE,eAAa,CAAC,IAAI;aAC7B,CAAC,CAAC;YACH,MAAM,IAAI,4BAAmB,CAAC,cAAc,MAAM,CAAC,UAAU,oCAAoC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjI,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,aAAa,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,CAAC,cAAc,CAAC,CAAC;QACpH,QAAQ,MAAM,CAAC,UAAU,EAAE,CAAC;YACxB,KAAK,cAAc,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;gBACrC,kDAAkD;gBAClD,IAAI,CAAC,aAAa,EAAE,CAAC;oBACjB,MAAM,IAAI,CAAC,uBAAuB,CAAC,SAAS,CAAC;wBACzC,UAAU,EAAE,cAAc,CAAC,sBAAsB,CAAC,kBAAkB;wBACpE,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,GAAG;wBAClC,cAAc,EAAE,SAAS,CAAC,cAAc;wBACxC,OAAO,EAAE,sDAAsD;wBAC/D,MAAM,EAAE,eAAa,CAAC,IAAI;qBAC7B,CAAC,CAAC;oBACH,MAAM,IAAI,4BAAmB,CAAC,oBAAoB,CAAC,CAAC;gBACxD,CAAC;gBAED,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;oBAClB,MAAM,IAAI,4BAAmB,CAAC,oDAAoD,CAAC,CAAC;gBACxF,CAAC;gBAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;gBACxE,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,gCAAgC,MAAM,CAAC,GAAG,eAAe,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;gBAC9F,OAAO,MAAM,CAAC;YAClB,CAAC;YACD,KAAK,cAAc,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC;gBACtC,sDAAsD;gBACtD,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;oBACnB,MAAM,IAAI,4BAAmB,CAAC,kDAAkD,CAAC,CAAC;gBACtF,CAAC;gBAED,IAAI,aAAa,EAAE,CAAC;oBAChB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;oBACxE,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,gCAAgC,MAAM,CAAC,GAAG,eAAe,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;oBAC9F,OAAO,MAAM,CAAC;gBAClB,CAAC;gBAED,IAAG,SAAS,CAAC,cAAc,KAAK,cAAc,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;oBAC/D,MAAM,IAAI,4BAAmB,CAAC,kDAAkD,CAAC,CAAC;gBACtF,CAAC;gBAED,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAChD,MAAM,IAAI,CAAC,uBAAuB,CAAC,SAAS,CAAC;wBACzC,UAAU,EAAE,cAAc,CAAC,sBAAsB,CAAC,kBAAkB;wBACpE,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,GAAG;wBAClC,cAAc,EAAE,SAAS,CAAC,cAAc;wBACxC,OAAO,EAAE,6EAA6E;wBACtF,MAAM,EAAE,eAAa,CAAC,IAAI;qBAC7B,CAAC,CAAC;oBACH,MAAM,IAAI,4BAAmB,CAAC,8DAA8D,CAAC,CAAC;gBAClG,CAAC;gBACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;gBACxE,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,gCAAgC,MAAM,CAAC,GAAG,eAAe,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;gBAC9F,OAAO,MAAM,CAAC;YAClB,CAAC;YACD,KAAK,cAAc,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC,CAAC;gBAC3C,gFAAgF;gBAChF,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,sBAAsB,EAAE,EAAE,CAAC;oBAChD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,8EAA8E,CAAC,CAAC;oBACjG,MAAM,IAAI,4BAAmB,EAAE,CAAC;gBACpC,CAAC;gBACD,IAAI,CAAC,IAAI,CAAC,sBAAsB,EAAE,CAAC;oBAC/B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,qGAAqG,CAAC,CAAC;oBACzH,MAAM,IAAI,qCAA4B,EAAE,CAAC;gBAC7C,CAAC;gBACD,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;oBACnB,MAAM,IAAI,4BAAmB,CAAC,uDAAuD,CAAC,CAAC;gBAC3F,CAAC;gBAED,IAAI,aAAa,EAAE,CAAC;oBAChB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;oBACxE,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,gCAAgC,MAAM,CAAC,GAAG,eAAe,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;oBAC9F,OAAO,MAAM,CAAC;gBAClB,CAAC;gBAED,MAAM,aAAa,GAAG,CAAC,cAAc,CAAC,SAAS,CAAC,KAAK,EAAE,cAAc,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;gBACvF,4DAA4D;gBAC5D,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,gCAAgC,CAAC;oBAClF,SAAS;oBACT,cAAc,EAAE,aAAa;oBAC7B,sBAAsB,EAAE,CAAC,cAAc,CAAC,SAAS,CAAC,OAAO,CAAC;oBAC1D,cAAc,EAAE,MAAM,CAAC,QAAQ;iBAClC,CAAC,CAAC;gBAEH,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC;oBAC1B,MAAM,IAAI,CAAC,uBAAuB,CAAC,SAAS,CAAC;wBACzC,UAAU,EAAE,cAAc,CAAC,sBAAsB,CAAC,kBAAkB;wBACpE,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,GAAG;wBAClC,cAAc,EAAE,SAAS,CAAC,cAAc;wBACxC,OAAO,EAAE,+EAA+E,MAAM,CAAC,QAAQ,EAAE;wBACzG,MAAM,EAAE,eAAa,CAAC,IAAI;qBAC7B,CAAC,CAAC;oBAEH,iIAAiI;oBACjI,IAAI,YAAY,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC1C;wBACG,cAAc,CAAC,SAAS,CAAC,KAAK;wBAC9B,cAAc,CAAC,SAAS,CAAC,KAAK;wBAC9B,cAAc,CAAC,SAAS,CAAC,IAAI;wBAC7B,cAAc,CAAC,SAAS,CAAC,MAAM;qBAElC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;wBACzB,MAAM,IAAI,2BAAkB,CAAC,gEAAgE,MAAM,CAAC,QAAQ,mCAAmC,aAAa,4BAA4B,CAAC,CAAC;oBAC9L,CAAC;oBACD,MAAM,IAAI,4BAAmB,CAAC,gBAAgB,MAAM,CAAC,QAAQ,kBAAkB,CAAC,CAAC;gBACrF,CAAC;gBAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,YAAY,CAAE,CAAC;gBACzE,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,gCAAgC,MAAM,CAAC,GAAG,eAAe,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;gBAC9F,OAAO,MAAM,CAAC;YAClB,CAAC;YACD,OAAO,CAAC,CAAC,CAAC;gBACN,MAAM,IAAI,qCAA4B,CAAC,oBAAoB,CAAC,CAAC;YACjE,CAAC;QACL,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACZ,SAA2B,EAC3B,WAA6B;QAE7B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,kCAAkC,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;QAE1E,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,aAAa,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,CAAC,cAAc,CAAC,CAAC;QACpH,IAAI,aAAa,EAAE,CAAC;YAChB,MAAM,MAAM,GAAyC;gBACjD,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvD,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACnE,GAAG,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,WAAW,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3E,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACxE,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACzD,OAAO;gBACH,KAAK,EAAE,OAAO;gBACd,KAAK,EAAE,OAAO,CAAC,MAAM;aACxB,CAAC;QACN,CAAC;QAED,oBAAoB;QACpB,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC;YAC1B,MAAM,IAAI,4BAAmB,CAAC,wBAAwB,CAAC,CAAC;QAC5D,CAAC;QAED,iEAAiE;QACjE,IAAI,WAAW,CAAC,UAAU,EAAE,QAAQ,CAAC,cAAc,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC;YACtE,MAAM,IAAI,CAAC,uBAAuB,CAAC,SAAS,CAAC;gBACzC,UAAU,EAAE,cAAc,CAAC,sBAAsB,CAAC,kBAAkB;gBACpE,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,GAAG;gBAClC,cAAc,EAAE,SAAS,CAAC,cAAc;gBACxC,OAAO,EAAE,0EAA0E;gBACnF,MAAM,EAAE,eAAa,CAAC,IAAI;aAC7B,CAAC,CAAC;YACH,MAAM,IAAI,4BAAmB,CAAC,gEAAgE,CAAC,CAAC;QACpG,CAAC;QAED,QAAQ,WAAW,CAAC,UAAU,EAAE,CAAC;YAC7B,KAAK,cAAc,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC;gBACtC,0BAA0B;gBAC1B,MAAM,MAAM,GAAyC;oBACjD,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACvD,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACnE,YAAY,EAAE,cAAc,CAAC,WAAW,CAAC,OAAO;oBAChD,UAAU,EAAE,SAAS,CAAC,MAAM,CAAC,GAAG;iBACnC,CAAC;gBACF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACzD,OAAO;oBACH,KAAK,EAAE,OAAO;oBACd,KAAK,EAAE,OAAO,CAAC,MAAM;iBACxB,CAAC;YACN,CAAC;YACD,KAAK,cAAc,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC,CAAC;gBAC3C,+BAA+B;gBAC/B,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,sBAAsB,EAAE,EAAE,CAAC;oBAChD,MAAM,IAAI,4BAAmB,CAAC,6EAA6E,CAAC,CAAC;gBACjH,CAAC;gBACD,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;oBACxB,MAAM,IAAI,4BAAmB,CAAC,uDAAuD,CAAC,CAAC;gBAC3F,CAAC;gBAED,MAAM,eAAe,GAAG,WAAW,CAAC,QAAQ,CAAC;gBAC7C,MAAM,aAAa,GAAG,CAAC,cAAc,CAAC,SAAS,CAAC,KAAK,EAAE,cAAc,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;gBACvF,4DAA4D;gBAC5D,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,gCAAgC,CAAC;oBAClF,SAAS;oBACT,cAAc,EAAE,aAAa;oBAC7B,sBAAsB,EAAE,CAAC,cAAc,CAAC,SAAS,CAAC,OAAO,CAAC;oBAC1D,cAAc,EAAE,eAAe;iBAClC,CAAC,CAAC;gBAEH,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC;oBAC1B,MAAM,IAAI,2BAAkB,CAAC,gEAAgE,eAAe,mCAAmC,aAAa,4BAA4B,CAAC,CAAC;gBAC9L,CAAC;gBAED,MAAM,MAAM,GAAyC;oBACjD,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACvD,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACnE,YAAY,EAAE,cAAc,CAAC,WAAW,CAAC,YAAY;oBACrD,UAAU,EAAE,eAAe;iBAC9B,CAAC;gBACF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACzD,OAAO;oBACH,KAAK,EAAE,OAAO;oBACd,KAAK,EAAE,OAAO,CAAC,MAAM;iBACxB,CAAC;YACN,CAAC;YACD,OAAO,CAAC,CAAC,CAAC;gBACN,MAAM,IAAI,qCAA4B,CAAC,oBAAoB,CAAC,CAAC;YACjE,CAAC;QACL,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CACX,MAAoC,EACpC,SAA2B;QAE3B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,iCAAiC,CAAC,SAAS,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnI,IAAI,CAAC,SAAS,EAAE,CAAC;YACb,MAAM,IAAI,0BAAiB,CAAC,mBAAmB,CAAC,CAAC;QACrD,CAAC;QAED,OAAO,MAAM,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CACd,MAAoC,EACpC,SAA2B,EAC3B,YAA+C;QAE/C,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,iCAAiC,CAAC,SAAS,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnI,IAAI,CAAC,SAAS,EAAE,CAAC;YACb,MAAM,IAAI,0BAAiB,CAAC,mBAAmB,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QAChE,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,gCAAgC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;IAClE,CAAC;CACJ,CAAA;AArRY,sCAAa;wBAAb,aAAa;IADzB,IAAA,mBAAU,GAAE;IASJ,WAAA,IAAA,iBAAQ,GAAE,CAAA;IAAE,WAAA,IAAA,eAAM,EAAC,oCAAsB,CAAC,CAAA;qCAJR,8BAAgB;QACT,qCAAuB;QAChC,gCAAc;QACR,4CAAoB;GAPtD,aAAa,CAqRzB"}

package/dist/services/auth.service.d.ts

@@ -0,0 +1,50 @@
+import { ExecutionContext } from '@nestjs/common';
+import * as trailmixModels from '@trailmix-cms/models';
+import { AccountCollection, ApiKeyCollection, SecurityAuditCollection } from '../collections';
+import { AccountService } from './account.service';
+import { GlobalRoleService } from './global-role.service';
+import { type AuthGuardHook, type RequestPrincipal } from '../types';
+export declare const AuthResult: {
+    readonly IsValid: "isValid";
+    readonly Unauthorized: "unauthorized";
+    readonly Forbidden: "forbidden";
+};
+export type AuthResult = typeof AuthResult[keyof typeof AuthResult];
+export declare class AuthService {
+    private accountService;
+    private accountCollection;
+    private globalRoleService;
+    private securityAuditCollection;
+    private authGuardHook?;
+    private apiKeyCollection?;
+    private readonly logger;
+    constructor(accountService: AccountService, accountCollection: AccountCollection, globalRoleService: GlobalRoleService, securityAuditCollection: SecurityAuditCollection, authGuardHook?: AuthGuardHook | undefined, apiKeyCollection?: ApiKeyCollection | undefined);
+    /**
+     * Validate authentication and authorization for a request
+     * @param principal The principal from the request (null if not authenticated)
+     * @param config The authentication configuration
+     * @param requestUrl The request URL for audit logging
+     * @returns AuthResult
+     */
+    validateAuth(principal: RequestPrincipal | null, config: {
+        allowAnonymous: boolean;
+        requiredPrincipalTypes: trailmixModels.Principal[];
+        requiredGlobalRoles: (trailmixModels.RoleValue | string)[];
+        requiredApiKeyScopes: trailmixModels.ApiKeyScope[];
+    }, requestUrl: string): Promise<AuthResult>;
+    /**
+     * Get the account from the request principal, if the principal is an account API key, it will return the account associated with the API key
+     * @param principal The principal
+     * @returns The account
+     */
+    getAccountFromPrincipal(principal: RequestPrincipal): Promise<trailmixModels.Account.Entity | null>;
+    /**
+     * Get the principal from the request context
+     * @param context The execution context
+     * @returns The principal or null if not found
+     */
+    getPrincipal(context: ExecutionContext): Promise<RequestPrincipal | null>;
+    private getAccount;
+    private getApiKey;
+}
+//# sourceMappingURL=auth.service.d.ts.map

package/dist/services/auth.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.service.d.ts","sourceRoot":"","sources":["../../src/services/auth.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAsE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAGtH,OAAO,KAAK,cAAc,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AAC9F,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE1D,OAAO,EAAE,KAAK,aAAa,EAAE,KAAK,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAErE,eAAO,MAAM,UAAU;;;;CAIb,CAAC;AAEX,MAAM,MAAM,UAAU,GAAG,OAAO,UAAU,CAAC,MAAM,OAAO,UAAU,CAAC,CAAC;AAEpE,qBACa,WAAW;IAIhB,OAAO,CAAC,cAAc;IACtB,OAAO,CAAC,iBAAiB;IACzB,OAAO,CAAC,iBAAiB;IACzB,OAAO,CAAC,uBAAuB;IACuB,OAAO,CAAC,aAAa,CAAC;IAChE,OAAO,CAAC,gBAAgB,CAAC;IARzC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgC;gBAG3C,cAAc,EAAE,cAAc,EAC9B,iBAAiB,EAAE,iBAAiB,EACpC,iBAAiB,EAAE,iBAAiB,EACpC,uBAAuB,EAAE,uBAAuB,EACM,aAAa,CAAC,EAAE,aAAa,YAAA,EACvE,gBAAgB,CAAC,EAAE,gBAAgB,YAAA;IAG3D;;;;;;OAMG;IACG,YAAY,CACd,SAAS,EAAE,gBAAgB,GAAG,IAAI,EAClC,MAAM,EAAE;QACJ,cAAc,EAAE,OAAO,CAAC;QACxB,sBAAsB,EAAE,cAAc,CAAC,SAAS,EAAE,CAAC;QACnD,mBAAmB,EAAE,CAAC,cAAc,CAAC,SAAS,GAAG,MAAM,CAAC,EAAE,CAAC;QAC3D,oBAAoB,EAAE,cAAc,CAAC,WAAW,EAAE,CAAC;KACtD,EACD,UAAU,EAAE,MAAM,GACnB,OAAO,CAAC,UAAU,CAAC;IAwFtB;;;;OAIG;IACG,uBAAuB,CAAC,SAAS,EAAE,gBAAgB,GAAG,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAmBzG;;;;OAIG;IACG,YAAY,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;YAqBjE,UAAU;YA+CV,SAAS;CAuB1B"}

package/dist/services/auth.service.js

@@ -0,0 +1,259 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var AuthService_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthService = exports.AuthResult = void 0;
+const common_1 = require("@nestjs/common");
+const fastify_1 = require("@clerk/fastify");
+const trailmixModels = __importStar(require("@trailmix-cms/models"));
+const collections_1 = require("../collections");
+const account_service_1 = require("./account.service");
+const global_role_service_1 = require("./global-role.service");
+const constants_1 = require("../constants");
+exports.AuthResult = {
+    IsValid: 'isValid',
+    Unauthorized: 'unauthorized',
+    Forbidden: 'forbidden',
+};
+let AuthService = AuthService_1 = class AuthService {
+    accountService;
+    accountCollection;
+    globalRoleService;
+    securityAuditCollection;
+    authGuardHook;
+    apiKeyCollection;
+    logger = new common_1.Logger(AuthService_1.name);
+    constructor(accountService, accountCollection, globalRoleService, securityAuditCollection, authGuardHook, apiKeyCollection) {
+        this.accountService = accountService;
+        this.accountCollection = accountCollection;
+        this.globalRoleService = globalRoleService;
+        this.securityAuditCollection = securityAuditCollection;
+        this.authGuardHook = authGuardHook;
+        this.apiKeyCollection = apiKeyCollection;
+    }
+    /**
+     * Validate authentication and authorization for a request
+     * @param principal The principal from the request (null if not authenticated)
+     * @param config The authentication configuration
+     * @param requestUrl The request URL for audit logging
+     * @returns AuthResult
+     */
+    async validateAuth(principal, config, requestUrl) {
+        const { allowAnonymous, requiredPrincipalTypes, requiredGlobalRoles, requiredApiKeyScopes } = config;
+        if (!principal) {
+            if (allowAnonymous) {
+                return exports.AuthResult.IsValid;
+            }
+            return exports.AuthResult.Unauthorized;
+        }
+        if (allowAnonymous) {
+            return exports.AuthResult.IsValid;
+        }
+        // Check if principal type is required, if no required principal types, allow any principal type
+        if (requiredPrincipalTypes.length > 0 && !requiredPrincipalTypes.includes(principal.principal_type)) {
+            await this.securityAuditCollection.insertOne({
+                event_type: trailmixModels.SecurityAuditEventType.UnauthorizedAccess,
+                principal_id: principal.entity._id,
+                principal_type: principal.principal_type,
+                message: `Unauthorized access to ${requestUrl}, required principal type not found: ${requiredPrincipalTypes.join(', ')}`,
+                source: AuthService_1.name,
+            });
+            return exports.AuthResult.Forbidden;
+        }
+        // Check if API key scope is required, if no required API key scopes, allow any API key scope
+        if (principal.principal_type === trailmixModels.Principal.ApiKey && requiredApiKeyScopes.length > 0 && !requiredApiKeyScopes.includes(principal.entity.scope_type)) {
+            await this.securityAuditCollection.insertOne({
+                event_type: trailmixModels.SecurityAuditEventType.UnauthorizedAccess,
+                principal_id: principal.entity._id,
+                principal_type: principal.principal_type,
+                message: `Unauthorized access to ${requestUrl}, required API key scope is not allowed:${requiredApiKeyScopes.join(', ')}`,
+                source: AuthService_1.name,
+            });
+            return exports.AuthResult.Forbidden;
+        }
+        // If no roles are required, allow any authenticated principal
+        if (requiredGlobalRoles.length == 0) {
+            return exports.AuthResult.IsValid;
+        }
+        const globalRoleAssignments = await this.globalRoleService.find({
+            principal_id: principal.entity._id,
+            principal_type: principal.principal_type,
+        });
+        if (!globalRoleAssignments) {
+            await this.securityAuditCollection.insertOne({
+                event_type: trailmixModels.SecurityAuditEventType.UnauthorizedAccess,
+                principal_id: principal.entity._id,
+                principal_type: principal.principal_type,
+                message: `Unauthorized access to ${requestUrl}, no global role assignments found`,
+                source: AuthService_1.name,
+            });
+            return exports.AuthResult.Forbidden;
+        }
+        // Check if user has required role or is global admin
+        const hasRole = requiredGlobalRoles.some((role) => globalRoleAssignments.some((assignment) => assignment.role === role)) ||
+            globalRoleAssignments.some((assignment) => assignment.role === trailmixModels.RoleValue.Admin);
+        if (!hasRole) {
+            await this.securityAuditCollection.insertOne({
+                event_type: trailmixModels.SecurityAuditEventType.UnauthorizedAccess,
+                principal_id: principal.entity._id,
+                principal_type: principal.principal_type,
+                message: `Unauthorized access to ${requestUrl}, required role not found: ${requiredGlobalRoles.join(', ')}`,
+                source: AuthService_1.name,
+            });
+            return exports.AuthResult.Forbidden;
+        }
+        return exports.AuthResult.IsValid;
+    }
+    /**
+     * Get the account from the request principal, if the principal is an account API key, it will return the account associated with the API key
+     * @param principal The principal
+     * @returns The account
+     */
+    async getAccountFromPrincipal(principal) {
+        if (principal.principal_type === trailmixModels.Principal.Account) {
+            return principal.entity;
+        }
+        const apiKey = principal.entity;
+        if (apiKey.scope_type !== trailmixModels.ApiKeyScope.Account) {
+            throw new Error('API key is not account-scoped');
+        }
+        const account = await this.accountCollection.findOne({ _id: apiKey.scope_id });
+        if (!account) {
+            throw new Error('Account not found');
+        }
+        return account;
+    }
+    /**
+     * Get the principal from the request context
+     * @param context The execution context
+     * @returns The principal or null if not found
+     */
+    async getPrincipal(context) {
+        const apiKey = await this.getApiKey(context);
+        if (apiKey) {
+            return {
+                entity: apiKey,
+                principal_type: trailmixModels.Principal.ApiKey,
+            };
+        }
+        const account = await this.getAccount(context);
+        if (!account) {
+            return null;
+        }
+        return {
+            entity: account,
+            principal_type: trailmixModels.Principal.Account,
+        };
+    }
+    async getAccount(context) {
+        const request = context.switchToHttp().getRequest();
+        const auth = (0, fastify_1.getAuth)(request);
+        if (!auth.userId) {
+            return null;
+        }
+        // TODO: Cache user
+        // const cachedUser = await this.userCache.getUser(auth.userId);
+        // if (cachedUser) {
+        //     return {
+        //         account: cachedUser.account,
+        //         userPublicMetadata: cachedUser.metadata,
+        //     };
+        // }
+        const existingAccount = await this.accountService.getAccount(auth.userId);
+        if (existingAccount) {
+            return existingAccount;
+        }
+        const account = await this.accountService.upsertAccount(auth.userId);
+        // TODO: Lock this step to prevent race conditions
+        this.logger.log(`Validating account using auth guard hook: ${auth.userId}`);
+        this.logger.log(`Auth guard hook: ${this.authGuardHook}`);
+        if (this.authGuardHook) {
+            const authGuardHookresult = await this.authGuardHook.onHook(account);
+            if (!authGuardHookresult) {
+                this.logger.error('Failed to validate account using auth guard hook', {
+                    userId: auth.userId,
+                    accountId: account?._id,
+                });
+                throw new Error('Failed to validate account using auth guard hook');
+            }
+        }
+        // TODO: Cache user
+        // await this.userCache.cacheUser(auth.userId, {
+        //     account: account!,
+        //     metadata: user.publicMetadata,
+        // });
+        return account;
+    }
+    async getApiKey(context) {
+        if (!this.apiKeyCollection) {
+            return null;
+        }
+        const request = context.switchToHttp().getRequest();
+        const apiKey = request.headers[trailmixModels.API_KEY_HEADER];
+        if (!apiKey) {
+            return null;
+        }
+        // TODO: Cache api key
+        const apiKeyEntity = await this.apiKeyCollection.findOne({ api_key: apiKey });
+        if (!apiKeyEntity || apiKeyEntity.disabled) {
+            return null;
+        }
+        return apiKeyEntity;
+    }
+};
+exports.AuthService = AuthService;
+exports.AuthService = AuthService = AuthService_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __param(4, (0, common_1.Optional)()),
+    __param(4, (0, common_1.Inject)(constants_1.PROVIDER_SYMBOLS.AUTH_GUARD_HOOK)),
+    __param(5, (0, common_1.Optional)()),
+    __metadata("design:paramtypes", [account_service_1.AccountService,
+        collections_1.AccountCollection,
+        global_role_service_1.GlobalRoleService,
+        collections_1.SecurityAuditCollection, Object, collections_1.ApiKeyCollection])
+], AuthService);
+//# sourceMappingURL=auth.service.js.map

package/dist/services/auth.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.service.js","sourceRoot":"","sources":["../../src/services/auth.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAAsH;AAEtH,4CAAyC;AACzC,qEAAuD;AACvD,gDAA8F;AAC9F,uDAAmD;AACnD,+DAA0D;AAC1D,4CAAgD;AAGnC,QAAA,UAAU,GAAG;IACtB,OAAO,EAAE,SAAS;IAClB,YAAY,EAAE,cAAc;IAC5B,SAAS,EAAE,WAAW;CAChB,CAAC;AAKJ,IAAM,WAAW,mBAAjB,MAAM,WAAW;IAIR;IACA;IACA;IACA;IACsD;IAC1C;IARP,MAAM,GAAG,IAAI,eAAM,CAAC,aAAW,CAAC,IAAI,CAAC,CAAC;IAEvD,YACY,cAA8B,EAC9B,iBAAoC,EACpC,iBAAoC,EACpC,uBAAgD,EACM,aAA6B,EACvE,gBAAmC;QAL/C,mBAAc,GAAd,cAAc,CAAgB;QAC9B,sBAAiB,GAAjB,iBAAiB,CAAmB;QACpC,sBAAiB,GAAjB,iBAAiB,CAAmB;QACpC,4BAAuB,GAAvB,uBAAuB,CAAyB;QACM,kBAAa,GAAb,aAAa,CAAgB;QACvE,qBAAgB,GAAhB,gBAAgB,CAAmB;IACvD,CAAC;IAEL;;;;;;OAMG;IACH,KAAK,CAAC,YAAY,CACd,SAAkC,EAClC,MAKC,EACD,UAAkB;QAElB,MAAM,EAAE,cAAc,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,GAAG,MAAM,CAAC;QAErG,IAAI,CAAC,SAAS,EAAE,CAAC;YACb,IAAI,cAAc,EAAE,CAAC;gBACjB,OAAO,kBAAU,CAAC,OAAO,CAAC;YAC9B,CAAC;YACD,OAAO,kBAAU,CAAC,YAAY,CAAC;QACnC,CAAC;QAED,IAAI,cAAc,EAAE,CAAC;YACjB,OAAO,kBAAU,CAAC,OAAO,CAAC;QAC9B,CAAC;QAED,gGAAgG;QAChG,IAAI,sBAAsB,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,sBAAsB,CAAC,QAAQ,CAAC,SAAS,CAAC,cAAc,CAAC,EAAE,CAAC;YAClG,MAAM,IAAI,CAAC,uBAAuB,CAAC,SAAS,CACxC;gBACI,UAAU,EAAE,cAAc,CAAC,sBAAsB,CAAC,kBAAkB;gBACpE,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,GAAG;gBAClC,cAAc,EAAE,SAAS,CAAC,cAAc;gBACxC,OAAO,EAAE,0BAA0B,UAAU,wCAAwC,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBACxH,MAAM,EAAE,aAAW,CAAC,IAAI;aAC3B,CACJ,CAAC;YACF,OAAO,kBAAU,CAAC,SAAS,CAAC;QAChC,CAAC;QAED,6FAA6F;QAC7F,IAAI,SAAS,CAAC,cAAc,KAAK,cAAc,CAAC,SAAS,CAAC,MAAM,IAAI,oBAAoB,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;YACjK,MAAM,IAAI,CAAC,uBAAuB,CAAC,SAAS,CACxC;gBACI,UAAU,EAAE,cAAc,CAAC,sBAAsB,CAAC,kBAAkB;gBACpE,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,GAAG;gBAClC,cAAc,EAAE,SAAS,CAAC,cAAc;gBACxC,OAAO,EAAE,0BAA0B,UAAU,2CAA2C,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBACzH,MAAM,EAAE,aAAW,CAAC,IAAI;aAC3B,CACJ,CAAC;YACF,OAAO,kBAAU,CAAC,SAAS,CAAC;QAChC,CAAC;QAED,8DAA8D;QAC9D,IAAI,mBAAmB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YAClC,OAAO,kBAAU,CAAC,OAAO,CAAC;QAC9B,CAAC;QAED,MAAM,qBAAqB,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC;YAC5D,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,GAAG;YAClC,cAAc,EAAE,SAAS,CAAC,cAAc;SAC3C,CAAC,CAAC;QAGH,IAAI,CAAC,qBAAqB,EAAE,CAAC;YACzB,MAAM,IAAI,CAAC,uBAAuB,CAAC,SAAS,CACxC;gBACI,UAAU,EAAE,cAAc,CAAC,sBAAsB,CAAC,kBAAkB;gBACpE,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,GAAG;gBAClC,cAAc,EAAE,SAAS,CAAC,cAAc;gBACxC,OAAO,EAAE,0BAA0B,UAAU,oCAAoC;gBACjF,MAAM,EAAE,aAAW,CAAC,IAAI;aAC3B,CACJ,CAAC;YAEF,OAAO,kBAAU,CAAC,SAAS,CAAC;QAChC,CAAC;QAED,qDAAqD;QACrD,MAAM,OAAO,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAC9C,qBAAqB,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;YACrE,qBAAqB,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,KAAK,cAAc,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAEnG,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,MAAM,IAAI,CAAC,uBAAuB,CAAC,SAAS,CACxC;gBACI,UAAU,EAAE,cAAc,CAAC,sBAAsB,CAAC,kBAAkB;gBACpE,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,GAAG;gBAClC,cAAc,EAAE,SAAS,CAAC,cAAc;gBACxC,OAAO,EAAE,0BAA0B,UAAU,8BAA8B,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC3G,MAAM,EAAE,aAAW,CAAC,IAAI;aAC3B,CACJ,CAAC;YACF,OAAO,kBAAU,CAAC,SAAS,CAAC;QAChC,CAAC;QAED,OAAO,kBAAU,CAAC,OAAO,CAAC;IAC9B,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,uBAAuB,CAAC,SAA2B;QACrD,IAAI,SAAS,CAAC,cAAc,KAAK,cAAc,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;YAChE,OAAO,SAAS,CAAC,MAAM,CAAC;QAC5B,CAAC;QAED,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC;QAEhC,IAAI,MAAM,CAAC,UAAU,KAAK,cAAc,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;YAC3D,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC/E,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACzC,CAAC;QAED,OAAO,OAAO,CAAC;IACnB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY,CAAC,OAAyB;QACxC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC7C,IAAI,MAAM,EAAE,CAAC;YACT,OAAO;gBACH,MAAM,EAAE,MAAM;gBACd,cAAc,EAAE,cAAc,CAAC,SAAS,CAAC,MAAM;aAClD,CAAC;QACN,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAE/C,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,OAAO;YACH,MAAM,EAAE,OAAO;YACf,cAAc,EAAE,cAAc,CAAC,SAAS,CAAC,OAAO;SACnD,CAAC;IACN,CAAC;IAEO,KAAK,CAAC,UAAU,CAAC,OAAyB;QAC9C,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAkB,CAAC;QACpE,MAAM,IAAI,GAAG,IAAA,iBAAO,EAAC,OAAO,CAAC,CAAA;QAE7B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACf,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,mBAAmB;QACnB,gEAAgE;QAChE,oBAAoB;QACpB,eAAe;QACf,uCAAuC;QACvC,mDAAmD;QACnD,SAAS;QACT,IAAI;QAEJ,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1E,IAAI,eAAe,EAAE,CAAC;YAClB,OAAO,eAAe,CAAC;QAC3B,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAErE,kDAAkD;QAClD,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,6CAA6C,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAC5E,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,oBAAoB,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;QAC1D,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACrB,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,OAAQ,CAAC,CAAC;YACtE,IAAI,CAAC,mBAAmB,EAAE,CAAC;gBACvB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,kDAAkD,EAAE;oBAClE,MAAM,EAAE,IAAI,CAAC,MAAM;oBACnB,SAAS,EAAE,OAAO,EAAE,GAAG;iBAC1B,CAAC,CAAC;gBACH,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;YACxE,CAAC;QACL,CAAC;QAED,mBAAmB;QACnB,gDAAgD;QAChD,yBAAyB;QACzB,qCAAqC;QACrC,MAAM;QAEN,OAAO,OAAO,CAAC;IACnB,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,OAAyB;QAC7C,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAkB,CAAC;QACpE,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC,cAAc,CAAC,CAAC;QAE9D,IAAI,CAAC,MAAM,EAAE,CAAC;YACV,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,sBAAsB;QACtB,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;QAE9E,IAAI,CAAC,YAAY,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,OAAO,YAAY,CAAC;IACxB,CAAC;CAGJ,CAAA;AA5OY,kCAAW;sBAAX,WAAW;IADvB,IAAA,mBAAU,GAAE;IASJ,WAAA,IAAA,iBAAQ,GAAE,CAAA;IAAE,WAAA,IAAA,eAAM,EAAC,4BAAgB,CAAC,eAAe,CAAC,CAAA;IACpD,WAAA,IAAA,iBAAQ,GAAE,CAAA;qCALa,gCAAc;QACX,+BAAiB;QACjB,uCAAiB;QACX,qCAAuB,UAEjB,8BAAgB;GATlD,WAAW,CA4OvB"}