@veloxts/auth 0.3.3 → 0.3.4

package/dist/policies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policies.d.ts","sourceRoot":"","sources":["../src/policies.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAYvE;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,KAAK,GAAG,IAAI,EAAE,SAAS,GAAG,OAAO,EAC9D,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,gBAAgB,CAAC,KAAK,EAAE,SAAS,CAAC,GACzC,IAAI,CAEN;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,YAAY,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS,CAE5E;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,IAAI,CAEpC;AAMD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,YAAY,CAAC,KAAK,GAAG,IAAI,EAAE,SAAS,GAAG,OAAO,EAC5D,OAAO,EAAE,gBAAgB,CAAC,KAAK,EAAE,SAAS,CAAC,GAC1C,gBAAgB,CAAC,KAAK,EAAE,SAAS,CAAC,CAEpC;AAMD;;;;;;;;;;GAUG;AACH,wBAAsB,GAAG,CAAC,SAAS,GAAG,OAAO,EAC3C,IAAI,EAAE,IAAI,GAAG,IAAI,GAAG,SAAS,EAC7B,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,SAAS,GACnB,OAAO,CAAC,OAAO,CAAC,CAoBlB;AAED;;GAEG;AACH,wBAAsB,MAAM,CAAC,SAAS,GAAG,OAAO,EAC9C,IAAI,EAAE,IAAI,GAAG,IAAI,GAAG,SAAS,EAC7B,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,SAAS,GACnB,OAAO,CAAC,OAAO,CAAC,CAElB;AAED;;;;;;;;;GASG;AACH,wBAAsB,SAAS,CAAC,SAAS,GAAG,OAAO,EACjD,IAAI,EAAE,IAAI,GAAG,IAAI,GAAG,SAAS,EAC7B,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,SAAS,GACnB,OAAO,CAAC,IAAI,CAAC,CASf;AAMD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,GAAG,IAAI,EAAE,SAAS,GAAG,OAAO,KAAK,aAAa,CACrF,KAAK,EACL,SAAS,CACV,CAEA;AAED,cAAM,aAAa,CAAC,KAAK,GAAG,IAAI,EAAE,SAAS,GAAG,OAAO;IACnD,OAAO,CAAC,OAAO,CAA0C;IAEzD;;OAEG;IACH,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,CAAC,KAAK,EAAE,SAAS,CAAC,GAAG,IAAI;IAKlE;;OAEG;IACH,IAAI,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAK1B;;;OAGG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,GAAE,MAAM,SAAuC,GAAG,IAAI;IAQ3F;;OAEG;IACH,YAAY,CACV,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EAAE,EACf,UAAU,GAAE,MAAM,SAAuC,GACxD,IAAI;IAWP;;OAEG;IACH,KAAK,IAAI,gBAAgB,CAAC,KAAK,EAAE,SAAS,CAAC;IAI3C;;OAEG;IACH,QAAQ,CAAC,YAAY,EAAE,MAAM,GAAG,gBAAgB,CAAC,KAAK,EAAE,SAAS,CAAC;CAKnE;AAMD;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,SAAS,SAAS;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,EAC/F,UAAU,GAAE,QAAQ,GAAG,UAAqB,GAC3C,gBAAgB,CAAC,IAAI,GAAG;IAAE,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,EAAE,SAAS,CAAC,CAevD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,KAAK,gBAAgB,CAAC,IAAI,EAAE,SAAS,CAAC,CAOnF;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,KAAK,gBAAgB,CAClE,IAAI,GAAG;IAAE,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,EACxB,SAAS,CACV,CASA"}

package/dist/policies.js

@@ -0,0 +1,240 @@
+/**
+ * Resource-level authorization policies for @veloxts/auth
+ * @module auth/policies
+ */
+// ============================================================================
+// Policy Registry
+// ============================================================================
+/**
+ * Global policy registry
+ * Maps resource names to their policy definitions
+ */
+const policyRegistry = new Map();
+/**
+ * Registers a policy for a resource type
+ *
+ * @example
+ * ```typescript
+ * registerPolicy('Post', {
+ *   view: (user, post) => true, // Anyone can view
+ *   update: (user, post) => user.id === post.authorId,
+ *   delete: (user, post) => user.id === post.authorId || user.role === 'admin',
+ * });
+ * ```
+ */
+export function registerPolicy(resourceName, policy) {
+    policyRegistry.set(resourceName, policy);
+}
+/**
+ * Gets a registered policy by resource name
+ */
+export function getPolicy(resourceName) {
+    return policyRegistry.get(resourceName);
+}
+/**
+ * Clears all registered policies (useful for testing)
+ */
+export function clearPolicies() {
+    policyRegistry.clear();
+}
+// ============================================================================
+// Policy Definition Helper
+// ============================================================================
+/**
+ * Defines a policy for a resource type
+ *
+ * @example
+ * ```typescript
+ * const PostPolicy = definePolicy<User, Post>({
+ *   view: () => true,
+ *   create: (user) => user.emailVerified,
+ *   update: (user, post) => user.id === post.authorId,
+ *   delete: (user, post) => user.id === post.authorId || user.role === 'admin',
+ *   publish: (user, post) => user.role === 'editor' && user.id === post.authorId,
+ * });
+ *
+ * // Register it
+ * registerPolicy('Post', PostPolicy);
+ * ```
+ */
+export function definePolicy(actions) {
+    return actions;
+}
+// ============================================================================
+// Authorization Checks
+// ============================================================================
+/**
+ * Checks if a user can perform an action on a resource
+ *
+ * @example
+ * ```typescript
+ * const canEdit = await can(user, 'update', 'Post', post);
+ * if (!canEdit) {
+ *   throw new ForbiddenError('Cannot edit this post');
+ * }
+ * ```
+ */
+export async function can(user, action, resourceName, resource) {
+    // No user = no permission
+    if (!user) {
+        return false;
+    }
+    const policy = policyRegistry.get(resourceName);
+    if (!policy) {
+        // No policy registered = deny by default
+        console.warn(`No policy registered for resource: ${resourceName}`);
+        return false;
+    }
+    const actionHandler = policy[action];
+    if (!actionHandler) {
+        // Action not defined = deny by default
+        return false;
+    }
+    return actionHandler(user, resource);
+}
+/**
+ * Checks if a user cannot perform an action (inverse of can)
+ */
+export async function cannot(user, action, resourceName, resource) {
+    return !(await can(user, action, resourceName, resource));
+}
+/**
+ * Throws an error if user cannot perform action
+ *
+ * @example
+ * ```typescript
+ * await authorize(ctx.user, 'delete', 'Post', post);
+ * // If we get here, user is authorized
+ * await db.post.delete({ where: { id: post.id } });
+ * ```
+ */
+export async function authorize(user, action, resourceName, resource) {
+    const allowed = await can(user, action, resourceName, resource);
+    if (!allowed) {
+        const error = new Error(`Unauthorized: cannot ${action} ${resourceName}${resource ? ` (id: ${resource.id ?? 'unknown'})` : ''}`);
+        error.statusCode = 403;
+        throw error;
+    }
+}
+// ============================================================================
+// Policy Builder
+// ============================================================================
+/**
+ * Fluent policy builder for complex policies
+ *
+ * @example
+ * ```typescript
+ * const CommentPolicy = createPolicyBuilder<User, Comment>()
+ *   .allow('view', () => true)
+ *   .allow('create', (user) => user.emailVerified)
+ *   .allow('update', (user, comment) => user.id === comment.authorId)
+ *   .allow('delete', (user, comment) =>
+ *     user.id === comment.authorId || user.role === 'admin'
+ *   )
+ *   .build();
+ * ```
+ */
+export function createPolicyBuilder() {
+    return new PolicyBuilder();
+}
+class PolicyBuilder {
+    actions = {};
+    /**
+     * Allows an action based on the check function
+     */
+    allow(action, check) {
+        this.actions[action] = check;
+        return this;
+    }
+    /**
+     * Denies an action (always returns false)
+     */
+    deny(action) {
+        this.actions[action] = () => false;
+        return this;
+    }
+    /**
+     * Allows action only for resource owner
+     * Assumes resource has a userId or authorId field
+     */
+    allowOwner(action, ownerField = 'userId') {
+        this.actions[action] = (user, resource) => {
+            const ownerId = resource?.[ownerField];
+            return ownerId === user.id;
+        };
+        return this;
+    }
+    /**
+     * Allows action for owner OR users with specific role
+     */
+    allowOwnerOr(action, roles, ownerField = 'userId') {
+        this.actions[action] = (user, resource) => {
+            const ownerId = resource?.[ownerField];
+            const userRole = user.role;
+            const isOwner = ownerId === user.id;
+            const hasRole = typeof userRole === 'string' && roles.includes(userRole);
+            return isOwner || hasRole;
+        };
+        return this;
+    }
+    /**
+     * Builds the final policy definition
+     */
+    build() {
+        return { ...this.actions };
+    }
+    /**
+     * Builds and registers the policy
+     */
+    register(resourceName) {
+        const policy = this.build();
+        registerPolicy(resourceName, policy);
+        return policy;
+    }
+}
+// ============================================================================
+// Common Policy Patterns
+// ============================================================================
+/**
+ * Creates a policy that allows all actions for admins
+ * and owner-only for regular users
+ */
+export function createOwnerOrAdminPolicy(ownerField = 'userId') {
+    const isOwnerOrAdmin = (user, resource) => {
+        if (user.role === 'admin') {
+            return true;
+        }
+        const ownerId = resource[ownerField];
+        return ownerId === user.id;
+    };
+    return {
+        view: () => true,
+        create: () => true,
+        update: isOwnerOrAdmin,
+        delete: isOwnerOrAdmin,
+    };
+}
+/**
+ * Creates a read-only policy (only view allowed)
+ */
+export function createReadOnlyPolicy() {
+    return {
+        view: () => true,
+        create: () => false,
+        update: () => false,
+        delete: () => false,
+    };
+}
+/**
+ * Creates a policy for admin-only resources
+ */
+export function createAdminOnlyPolicy() {
+    const isAdmin = (user) => user.role === 'admin';
+    return {
+        view: isAdmin,
+        create: isAdmin,
+        update: isAdmin,
+        delete: isAdmin,
+    };
+}
+//# sourceMappingURL=policies.js.map

package/dist/policies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policies.js","sourceRoot":"","sources":["../src/policies.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,cAAc,GAAG,IAAI,GAAG,EAA4B,CAAC;AAE3D;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc,CAC5B,YAAoB,EACpB,MAA0C;IAE1C,cAAc,CAAC,GAAG,CAAC,YAAY,EAAE,MAA0B,CAAC,CAAC;AAC/D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,YAAoB;IAC5C,OAAO,cAAc,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa;IAC3B,cAAc,CAAC,KAAK,EAAE,CAAC;AACzB,CAAC;AAED,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,YAAY,CAC1B,OAA2C;IAE3C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,GAAG,CACvB,IAA6B,EAC7B,MAAc,EACd,YAAoB,EACpB,QAAoB;IAEpB,0BAA0B;IAC1B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,yCAAyC;QACzC,OAAO,CAAC,IAAI,CAAC,sCAAsC,YAAY,EAAE,CAAC,CAAC;QACnE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAA8C,CAAC;IAClF,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,uCAAuC;QACvC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,aAAa,CAAC,IAAI,EAAE,QAAqB,CAAC,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,IAA6B,EAC7B,MAAc,EACd,YAAoB,EACpB,QAAoB;IAEpB,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAA6B,EAC7B,MAAc,EACd,YAAoB,EACpB,QAAoB;IAEpB,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,IAAI,KAAK,CACrB,wBAAwB,MAAM,IAAI,YAAY,GAAG,QAAQ,CAAC,CAAC,CAAC,SAAU,QAA4B,CAAC,EAAE,IAAI,SAAS,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAC7H,CAAC;QACD,KAAwC,CAAC,UAAU,GAAG,GAAG,CAAC;QAC3D,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,mBAAmB;IAIjC,OAAO,IAAI,aAAa,EAAoB,CAAC;AAC/C,CAAC;AAED,MAAM,aAAa;IACT,OAAO,GAAuC,EAAE,CAAC;IAEzD;;OAEG;IACH,KAAK,CAAC,MAAc,EAAE,KAAqC;QACzD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,IAAI,CAAC,MAAc;QACjB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACH,UAAU,CAAC,MAAc,EAAE,aAA8B,QAA2B;QAClF,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE;YACxC,MAAM,OAAO,GAAG,QAAQ,EAAE,CAAC,UAAU,CAAC,CAAC;YACvC,OAAO,OAAO,KAAM,IAAa,CAAC,EAAE,CAAC;QACvC,CAAC,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,YAAY,CACV,MAAc,EACd,KAAe,EACf,aAA8B,QAA2B;QAEzD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE;YACxC,MAAM,OAAO,GAAG,QAAQ,EAAE,CAAC,UAAU,CAAC,CAAC;YACvC,MAAM,QAAQ,GAAI,IAAiC,CAAC,IAAI,CAAC;YACzD,MAAM,OAAO,GAAG,OAAO,KAAM,IAAa,CAAC,EAAE,CAAC;YAC9C,MAAM,OAAO,GAAG,OAAO,QAAQ,KAAK,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACzE,OAAO,OAAO,IAAI,OAAO,CAAC;QAC5B,CAAC,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,KAAK;QACH,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,YAAoB;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QAC5B,cAAc,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QACrC,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CACtC,aAAoC,QAAQ;IAE5C,MAAM,cAAc,GAAG,CAAC,IAA8B,EAAE,QAAmB,EAAW,EAAE;QACtF,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,OAAO,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC;QACrC,OAAO,OAAO,KAAK,IAAI,CAAC,EAAE,CAAC;IAC7B,CAAC,CAAC;IAEF,OAAO;QACL,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI;QAChB,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI;QAClB,MAAM,EAAE,cAAc;QACtB,MAAM,EAAE,cAAc;KACvB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO;QACL,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI;QAChB,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK;QACnB,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK;QACnB,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK;KACpB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB;IAInC,MAAM,OAAO,GAAG,CAAC,IAA8B,EAAW,EAAE,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,CAAC;IAEnF,OAAO;QACL,IAAI,EAAE,OAAO;QACb,MAAM,EAAE,OAAO;QACf,MAAM,EAAE,OAAO;QACf,MAAM,EAAE,OAAO;KAChB,CAAC;AACJ,CAAC"}