npm - @voyantjs/hono - Versions diffs - 0.31.1 → 0.31.2 - Mend

@voyantjs/hono 0.31.1 → 0.31.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/middleware/auth.d.ts.map +1 -1
package/dist/middleware/auth.js +2 -20
package/dist/middleware/require-actor.d.ts.map +1 -1
package/dist/middleware/require-actor.js +35 -0
package/dist/middleware/require-permission.d.ts.map +1 -1
package/dist/middleware/require-permission.js +3 -10
package/package.json +7 -7

package/dist/middleware/auth.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"~~AAGA~~,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAI7C,OAAO,EACL,KAAK,SAAS,EAEd,KAAK,qBAAqB,EAC1B,KAAK,cAAc,EACnB,KAAK,eAAe,EACrB,MAAM,aAAa,CAAA;~~AAsCpB~~,wBAAgB,WAAW,CAAC,SAAS,SAAS,cAAc,EAC1D,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,EAC/B,IAAI,CAAC,EAAE;IACL,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB,IAAI,CAAC,EAAE,qBAAqB,CAAC,SAAS,CAAC,CAAA;CACxC,GACA,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAC,CAqJD"}
1	+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAI7C,OAAO,EACL,KAAK,SAAS,EAEd,KAAK,qBAAqB,EAC1B,KAAK,cAAc,EACnB,KAAK,eAAe,EACrB,MAAM,aAAa,CAAA;AAoBpB,wBAAgB,WAAW,CAAC,SAAS,SAAS,cAAc,EAC1D,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,EAC/B,IAAI,CAAC,EAAE;IACL,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB,IAAI,CAAC,EAAE,qBAAqB,CAAC,SAAS,CAAC,CAAA;CACxC,GACA,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAC,CAqJD"}

package/dist/middleware/auth.js CHANGED Viewed

@@ -1,27 +1,9 @@
 import { apikeyTable } from "@voyantjs/db/schema/iam";
+import { permissionsToStrings } from "@voyantjs/types/api-keys";
 import { and, eq } from "drizzle-orm";
 import { sha256Base64Url } from "../auth/crypto.js";
 import { extractBearerToken, verifySession } from "../auth/session-jwt.js";
 import { resolveDbFactoryResult, } from "../types.js";
-function permissionsToScopes(permissions) {
-    if (!permissions)
-        return [];
-    try {
-        const parsed = JSON.parse(permissions);
-        const scopes = [];
-        for (const [resource, actions] of Object.entries(parsed)) {
-            if (Array.isArray(actions)) {
-                for (const action of actions) {
-                    scopes.push(`${resource}:${action}`);
-                }
-            }
-        }
-        return scopes;
-    }
-    catch {
-        return [];
-    }
-}
 const API_KEY_PREFIX = "voy_";
 function applyAuthContext(c, auth) {
     if (auth.userId)
@@ -113,7 +95,7 @@ export function requireAuth(dbFactory, opts) {
                         .then(() => { })
                         .catch(() => { }));
                 }
-                const scopes = permissionsToScopes(row.permissions);
+                const scopes = permissionsToStrings(row.permissions);
                 applyAuthContext(c, {
                     organizationId: row.referenceId,
                     scopes,

package/dist/middleware/require-actor.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"require-actor.d.ts","sourceRoot":"","sources":["../../src/middleware/require-actor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,gBAAgB,CAAA;~~AAC3C~~,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAE7C,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;~~AAElE~~;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,YAAY,CAAC,SAAS,SAAS,cAAc,GAAG,cAAc,EAC5E,GAAG,OAAO,EAAE,KAAK,EAAE,GAClB,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAC,~~CA+BD~~"}
1	+ {"version":3,"file":"require-actor.d.ts","sourceRoot":"","sources":["../../src/middleware/require-actor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,gBAAgB,CAAA;AAE3C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAE7C,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAkClE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,YAAY,CAAC,SAAS,SAAS,cAAc,GAAG,cAAc,EAC5E,GAAG,OAAO,EAAE,KAAK,EAAE,GAClB,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAC,CA0CD"}

package/dist/middleware/require-actor.js CHANGED Viewed

@@ -1,3 +1,30 @@
+import { hasApiKeyPermission, permissionStringsToPermissions } from "@voyantjs/types/api-keys";
+function apiKeyResourceFromPath(pathname) {
+    const match = pathname.match(/^\/v1\/(?:admin|public)\/([^/]+)/);
+    return match?.[1] ?? null;
+}
+function apiKeyPermissionActionsForMethod(method) {
+    switch (method.toUpperCase()) {
+        case "GET":
+        case "HEAD":
+            return ["read", "search"];
+        case "POST":
+            return ["write", "trigger", "relay"];
+        case "PUT":
+        case "PATCH":
+            return ["write"];
+        case "DELETE":
+            return ["delete"];
+        default:
+            return [];
+    }
+}
+function hasAnyApiKeyPermission(scopes, resource, actions) {
+    if (!scopes || scopes.length === 0)
+        return false;
+    const permissions = permissionStringsToPermissions(scopes);
+    return actions.some((action) => hasApiKeyPermission(permissions, resource, action));
+}
 /**
  * Guards a route surface by actor type.
  *
@@ -30,6 +57,14 @@ export function requireActor(...allowed) {
         if (c.get("isInternalRequest")) {
             return next();
         }
+        if (c.get("callerType") === "api_key") {
+            const resource = apiKeyResourceFromPath(new URL(c.req.url).pathname);
+            const actions = apiKeyPermissionActionsForMethod(c.req.method);
+            if (resource && hasAnyApiKeyPermission(c.get("scopes"), resource, actions)) {
+                return next();
+            }
+            return c.json({ error: "Forbidden: API key missing required permission" }, 403);
+        }
         const actor = c.get("actor");
         if (!actor) {
             return c.json({

package/dist/middleware/require-permission.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"require-permission.d.ts","sourceRoot":"","sources":["../../src/middleware/require-permission.ts"],"names":[],"mappings":"~~AACA~~,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAG7C,OAAO,EACL,KAAK,SAAS,EAEd,KAAK,qBAAqB,EAC1B,KAAK,cAAc,EAEnB,KAAK,eAAe,EACrB,MAAM,aAAa,CAAA;~~AAqBpB~~,wBAAgB,iBAAiB,CAAC,SAAS,SAAS,cAAc,EAChE,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,EAC/B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,IAAI,CAAC,EAAE;IACL,IAAI,CAAC,EAAE,qBAAqB,CAAC,SAAS,CAAC,CAAA;CACxC,GACA,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAC,~~CAiED~~"}
1	+ {"version":3,"file":"require-permission.d.ts","sourceRoot":"","sources":["../../src/middleware/require-permission.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAG7C,OAAO,EACL,KAAK,SAAS,EAEd,KAAK,qBAAqB,EAC1B,KAAK,cAAc,EAEnB,KAAK,eAAe,EACrB,MAAM,aAAa,CAAA;AASpB,wBAAgB,iBAAiB,CAAC,SAAS,SAAS,cAAc,EAChE,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,EAC/B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,IAAI,CAAC,EAAE;IACL,IAAI,CAAC,EAAE,qBAAqB,CAAC,SAAS,CAAC,CAAA;CACxC,GACA,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAC,CAwED"}

package/dist/middleware/require-permission.js CHANGED Viewed

@@ -1,15 +1,7 @@
+import { hasApiKeyPermission, permissionStringsToPermissions } from "@voyantjs/types/api-keys";
 import { requireUserId } from "../auth/require-user.js";
 import { isDisposableDb, } from "../types.js";
 import { ForbiddenApiError, UnauthorizedApiError } from "../validation.js";
-function hasScope(scopes, permission) {
-    if (!scopes || scopes.length === 0)
-        return false;
-    const { resource, action } = permission;
-    return (scopes.includes("*") ||
-        scopes.includes(`${resource}:${action}`) ||
-        scopes.includes(`${resource}:*`) ||
-        scopes.includes(`*:${action}`));
-}
 export function requirePermission(dbFactory, resource, action, opts) {
     return async (c, next) => {
         const permission = { resource, action };
@@ -17,7 +9,8 @@ export function requirePermission(dbFactory, resource, action, opts) {
             return next();
         }
         const scopes = c.get("scopes");
-        if (hasScope(scopes, permission)) {
+        if (scopes &&
+            hasApiKeyPermission(permissionStringsToPermissions(scopes), permission.resource, permission.action)) {
             return next();
         }
         const userId = requireUserId(c);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@voyantjs/hono",
-  "version": "0.31.1",
+  "version": "0.31.2",
   "license": "Apache-2.0",
   "type": "module",
   "exports": {
@@ -94,18 +94,18 @@
     "drizzle-orm": "^0.45.2",
     "hono": "^4.12.10",
     "zod": "^4.3.6",
-    "@voyantjs/core": "0.31.1",
-    "@voyantjs/db": "0.31.1",
-    "@voyantjs/types": "0.31.1",
-    "@voyantjs/utils": "0.31.1",
-    "@voyantjs/workflows": "0.31.1"
+    "@voyantjs/core": "0.31.2",
+    "@voyantjs/db": "0.31.2",
+    "@voyantjs/types": "0.31.2",
+    "@voyantjs/utils": "0.31.2",
+    "@voyantjs/workflows": "0.31.2"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20260426.1",
     "typescript": "^6.0.2",
     "vitest": "^4.1.2",
     "@voyantjs/voyant-typescript-config": "0.1.0",
-    "@voyantjs/workflows-orchestrator": "0.31.1"
+    "@voyantjs/workflows-orchestrator": "0.31.2"
   },
   "files": [
     "dist"