@wrelik/db 0.1.3 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.turbo/turbo-build.log +18 -14
- package/CHANGELOG.md +11 -0
- package/dist/client/index.d.mts +3 -0
- package/dist/client/index.d.ts +3 -0
- package/dist/{unsupported.js → client/index.js} +12 -11
- package/dist/client/index.mjs +9 -0
- package/dist/server/index.d.mts +12 -0
- package/dist/server/index.d.ts +12 -0
- package/dist/server/index.js +71 -0
- package/dist/server/index.mjs +43 -0
- package/dist/shared/index.d.mts +10 -0
- package/dist/shared/index.d.ts +10 -0
- package/dist/shared/index.js +18 -0
- package/dist/shared/index.mjs +0 -0
- package/package.json +30 -6
- package/src/client/index.test.ts +7 -0
- package/src/client/index.ts +5 -0
- package/src/server/index.test.ts +47 -0
- package/src/server/index.ts +52 -0
- package/src/shared/index.ts +1 -0
- package/src/shared/types.ts +10 -0
- package/dist/index.d.mts +0 -7
- package/dist/index.d.ts +0 -7
- package/dist/index.js +0 -63
- package/dist/index.mjs +0 -35
- package/dist/unsupported.d.mts +0 -3
- package/dist/unsupported.d.ts +0 -3
- package/dist/unsupported.mjs +0 -12
- package/src/index.ts +0 -39
- package/src/unsupported.ts +0 -14
package/.turbo/turbo-build.log
CHANGED
|
@@ -1,23 +1,27 @@
|
|
|
1
1
|
|
|
2
|
-
> @wrelik/db@0.
|
|
3
|
-
> tsup src/index.ts src/
|
|
2
|
+
> @wrelik/db@2.0.0 build /home/runner/work/wrelik-kit/wrelik-kit/packages/db
|
|
3
|
+
> tsup src/server/index.ts src/client/index.ts src/shared/index.ts --format cjs,esm --dts --clean
|
|
4
4
|
|
|
5
|
-
[34mCLI[39m Building entry: src/index.ts, src/
|
|
5
|
+
[34mCLI[39m Building entry: src/client/index.ts, src/server/index.ts, src/shared/index.ts
|
|
6
6
|
[34mCLI[39m Using tsconfig: tsconfig.json
|
|
7
7
|
[34mCLI[39m tsup v8.5.1
|
|
8
8
|
[34mCLI[39m Target: es2022
|
|
9
9
|
[34mCLI[39m Cleaning output folder
|
|
10
10
|
[34mCJS[39m Build start
|
|
11
11
|
[34mESM[39m Build start
|
|
12
|
-
[
|
|
13
|
-
[
|
|
14
|
-
[
|
|
15
|
-
[32mCJS[39m
|
|
16
|
-
[
|
|
17
|
-
[
|
|
12
|
+
[32mCJS[39m [1mdist/client/index.js [22m[32m1.27 KB[39m
|
|
13
|
+
[32mCJS[39m [1mdist/server/index.js [22m[32m2.37 KB[39m
|
|
14
|
+
[32mCJS[39m [1mdist/shared/index.js [22m[32m767.00 B[39m
|
|
15
|
+
[32mCJS[39m ⚡️ Build success in 95ms
|
|
16
|
+
[32mESM[39m [1mdist/shared/index.mjs [22m[32m0 B[39m
|
|
17
|
+
[32mESM[39m [1mdist/client/index.mjs [22m[32m268.00 B[39m
|
|
18
|
+
[32mESM[39m [1mdist/server/index.mjs [22m[32m1.19 KB[39m
|
|
19
|
+
[32mESM[39m ⚡️ Build success in 94ms
|
|
18
20
|
[34mDTS[39m Build start
|
|
19
|
-
[32mDTS[39m ⚡️ Build success in
|
|
20
|
-
[32mDTS[39m [1mdist/index.d.ts
|
|
21
|
-
[32mDTS[39m [1mdist/
|
|
22
|
-
[32mDTS[39m [1mdist/index.d.
|
|
23
|
-
[32mDTS[39m [1mdist/
|
|
21
|
+
[32mDTS[39m ⚡️ Build success in 5047ms
|
|
22
|
+
[32mDTS[39m [1mdist/client/index.d.ts [22m[32m77.00 B[39m
|
|
23
|
+
[32mDTS[39m [1mdist/server/index.d.ts [22m[32m718.00 B[39m
|
|
24
|
+
[32mDTS[39m [1mdist/shared/index.d.ts [22m[32m340.00 B[39m
|
|
25
|
+
[32mDTS[39m [1mdist/client/index.d.mts [22m[32m77.00 B[39m
|
|
26
|
+
[32mDTS[39m [1mdist/server/index.d.mts [22m[32m719.00 B[39m
|
|
27
|
+
[32mDTS[39m [1mdist/shared/index.d.mts [22m[32m340.00 B[39m
|
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,16 @@
|
|
|
1
1
|
# @wrelik/db
|
|
2
2
|
|
|
3
|
+
## 2.0.0
|
|
4
|
+
|
|
5
|
+
### Major Changes
|
|
6
|
+
|
|
7
|
+
- 818ed58: Refactor runtime packages to strict subpath exports (`/server`, `/client`, `/shared`) with side-effect free entrypoints and hard CI/runtime boundary enforcement.
|
|
8
|
+
|
|
9
|
+
### Patch Changes
|
|
10
|
+
|
|
11
|
+
- Updated dependencies [818ed58]
|
|
12
|
+
- @wrelik/errors@2.0.0
|
|
13
|
+
|
|
3
14
|
## 0.1.3
|
|
4
15
|
|
|
5
16
|
### Patch Changes
|
|
@@ -17,17 +17,18 @@ var __copyProps = (to, from, except, desc) => {
|
|
|
17
17
|
};
|
|
18
18
|
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
19
19
|
|
|
20
|
-
// src/
|
|
21
|
-
var
|
|
22
|
-
__export(
|
|
23
|
-
|
|
20
|
+
// src/client/index.ts
|
|
21
|
+
var client_exports = {};
|
|
22
|
+
__export(client_exports, {
|
|
23
|
+
serverOnlyClientStub: () => serverOnlyClientStub
|
|
24
24
|
});
|
|
25
|
-
module.exports = __toCommonJS(
|
|
26
|
-
|
|
25
|
+
module.exports = __toCommonJS(client_exports);
|
|
26
|
+
var serverOnlyClientStub = (() => {
|
|
27
27
|
throw new Error(
|
|
28
|
-
"
|
|
28
|
+
"@wrelik/db/client is a server-only adapter stub. Use @wrelik/db/server on the backend and call your backend API from client or Expo apps."
|
|
29
29
|
);
|
|
30
|
-
}
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
30
|
+
})();
|
|
31
|
+
// Annotate the CommonJS export names for ESM import in node:
|
|
32
|
+
0 && (module.exports = {
|
|
33
|
+
serverOnlyClientStub
|
|
34
|
+
});
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
// src/client/index.ts
|
|
2
|
+
var serverOnlyClientStub = (() => {
|
|
3
|
+
throw new Error(
|
|
4
|
+
"@wrelik/db/client is a server-only adapter stub. Use @wrelik/db/server on the backend and call your backend API from client or Expo apps."
|
|
5
|
+
);
|
|
6
|
+
})();
|
|
7
|
+
export {
|
|
8
|
+
serverOnlyClientStub
|
|
9
|
+
};
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import { TenantAccessChecker, TransactionExecutor } from '../shared/index.mjs';
|
|
2
|
+
|
|
3
|
+
declare function createTenantAccessService(checker: TenantAccessChecker): {
|
|
4
|
+
assertTenantAccess(userId: string, tenantId: string): Promise<void>;
|
|
5
|
+
};
|
|
6
|
+
declare function withTenantContext<T>(tenantId: string, handler: (tenantId: string) => Promise<T>): Promise<T>;
|
|
7
|
+
declare function withTransaction<TClient, T>(executor: TransactionExecutor<TClient>, handler: (tx: TClient) => Promise<T>): Promise<T>;
|
|
8
|
+
declare function applyTenantScope<TWhere extends Record<string, unknown>>(tenantId: string, where?: TWhere): TWhere & {
|
|
9
|
+
tenantId: string;
|
|
10
|
+
};
|
|
11
|
+
|
|
12
|
+
export { applyTenantScope, createTenantAccessService, withTenantContext, withTransaction };
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import { TenantAccessChecker, TransactionExecutor } from '../shared/index.js';
|
|
2
|
+
|
|
3
|
+
declare function createTenantAccessService(checker: TenantAccessChecker): {
|
|
4
|
+
assertTenantAccess(userId: string, tenantId: string): Promise<void>;
|
|
5
|
+
};
|
|
6
|
+
declare function withTenantContext<T>(tenantId: string, handler: (tenantId: string) => Promise<T>): Promise<T>;
|
|
7
|
+
declare function withTransaction<TClient, T>(executor: TransactionExecutor<TClient>, handler: (tx: TClient) => Promise<T>): Promise<T>;
|
|
8
|
+
declare function applyTenantScope<TWhere extends Record<string, unknown>>(tenantId: string, where?: TWhere): TWhere & {
|
|
9
|
+
tenantId: string;
|
|
10
|
+
};
|
|
11
|
+
|
|
12
|
+
export { applyTenantScope, createTenantAccessService, withTenantContext, withTransaction };
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __defProp = Object.defineProperty;
|
|
3
|
+
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
4
|
+
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
5
|
+
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
6
|
+
var __export = (target, all) => {
|
|
7
|
+
for (var name in all)
|
|
8
|
+
__defProp(target, name, { get: all[name], enumerable: true });
|
|
9
|
+
};
|
|
10
|
+
var __copyProps = (to, from, except, desc) => {
|
|
11
|
+
if (from && typeof from === "object" || typeof from === "function") {
|
|
12
|
+
for (let key of __getOwnPropNames(from))
|
|
13
|
+
if (!__hasOwnProp.call(to, key) && key !== except)
|
|
14
|
+
__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
|
|
15
|
+
}
|
|
16
|
+
return to;
|
|
17
|
+
};
|
|
18
|
+
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
19
|
+
|
|
20
|
+
// src/server/index.ts
|
|
21
|
+
var server_exports = {};
|
|
22
|
+
__export(server_exports, {
|
|
23
|
+
applyTenantScope: () => applyTenantScope,
|
|
24
|
+
createTenantAccessService: () => createTenantAccessService,
|
|
25
|
+
withTenantContext: () => withTenantContext,
|
|
26
|
+
withTransaction: () => withTransaction
|
|
27
|
+
});
|
|
28
|
+
module.exports = __toCommonJS(server_exports);
|
|
29
|
+
var import_shared = require("@wrelik/errors/shared");
|
|
30
|
+
function createTenantAccessService(checker) {
|
|
31
|
+
return {
|
|
32
|
+
async assertTenantAccess(userId, tenantId) {
|
|
33
|
+
if (!userId || !tenantId) {
|
|
34
|
+
throw new import_shared.TenantRequiredError();
|
|
35
|
+
}
|
|
36
|
+
const allowed = await checker({ userId, tenantId });
|
|
37
|
+
if (!allowed) {
|
|
38
|
+
throw new import_shared.PermissionDeniedError(`User ${userId} does not have access to tenant ${tenantId}`);
|
|
39
|
+
}
|
|
40
|
+
}
|
|
41
|
+
};
|
|
42
|
+
}
|
|
43
|
+
async function withTenantContext(tenantId, handler) {
|
|
44
|
+
if (!tenantId) {
|
|
45
|
+
throw new import_shared.TenantRequiredError();
|
|
46
|
+
}
|
|
47
|
+
return handler(tenantId);
|
|
48
|
+
}
|
|
49
|
+
async function withTransaction(executor, handler) {
|
|
50
|
+
return executor.transaction(handler);
|
|
51
|
+
}
|
|
52
|
+
function applyTenantScope(tenantId, where) {
|
|
53
|
+
if (!tenantId) {
|
|
54
|
+
throw new import_shared.TenantRequiredError();
|
|
55
|
+
}
|
|
56
|
+
const tenantIdInWhere = where?.tenantId;
|
|
57
|
+
if (typeof tenantIdInWhere === "string" && tenantIdInWhere !== tenantId) {
|
|
58
|
+
throw new import_shared.PermissionDeniedError(`Cross-tenant access blocked for tenant ${tenantIdInWhere}`);
|
|
59
|
+
}
|
|
60
|
+
return {
|
|
61
|
+
...where ?? {},
|
|
62
|
+
tenantId
|
|
63
|
+
};
|
|
64
|
+
}
|
|
65
|
+
// Annotate the CommonJS export names for ESM import in node:
|
|
66
|
+
0 && (module.exports = {
|
|
67
|
+
applyTenantScope,
|
|
68
|
+
createTenantAccessService,
|
|
69
|
+
withTenantContext,
|
|
70
|
+
withTransaction
|
|
71
|
+
});
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
// src/server/index.ts
|
|
2
|
+
import { PermissionDeniedError, TenantRequiredError } from "@wrelik/errors/shared";
|
|
3
|
+
function createTenantAccessService(checker) {
|
|
4
|
+
return {
|
|
5
|
+
async assertTenantAccess(userId, tenantId) {
|
|
6
|
+
if (!userId || !tenantId) {
|
|
7
|
+
throw new TenantRequiredError();
|
|
8
|
+
}
|
|
9
|
+
const allowed = await checker({ userId, tenantId });
|
|
10
|
+
if (!allowed) {
|
|
11
|
+
throw new PermissionDeniedError(`User ${userId} does not have access to tenant ${tenantId}`);
|
|
12
|
+
}
|
|
13
|
+
}
|
|
14
|
+
};
|
|
15
|
+
}
|
|
16
|
+
async function withTenantContext(tenantId, handler) {
|
|
17
|
+
if (!tenantId) {
|
|
18
|
+
throw new TenantRequiredError();
|
|
19
|
+
}
|
|
20
|
+
return handler(tenantId);
|
|
21
|
+
}
|
|
22
|
+
async function withTransaction(executor, handler) {
|
|
23
|
+
return executor.transaction(handler);
|
|
24
|
+
}
|
|
25
|
+
function applyTenantScope(tenantId, where) {
|
|
26
|
+
if (!tenantId) {
|
|
27
|
+
throw new TenantRequiredError();
|
|
28
|
+
}
|
|
29
|
+
const tenantIdInWhere = where?.tenantId;
|
|
30
|
+
if (typeof tenantIdInWhere === "string" && tenantIdInWhere !== tenantId) {
|
|
31
|
+
throw new PermissionDeniedError(`Cross-tenant access blocked for tenant ${tenantIdInWhere}`);
|
|
32
|
+
}
|
|
33
|
+
return {
|
|
34
|
+
...where ?? {},
|
|
35
|
+
tenantId
|
|
36
|
+
};
|
|
37
|
+
}
|
|
38
|
+
export {
|
|
39
|
+
applyTenantScope,
|
|
40
|
+
createTenantAccessService,
|
|
41
|
+
withTenantContext,
|
|
42
|
+
withTransaction
|
|
43
|
+
};
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
interface TenantAccessInput {
|
|
2
|
+
userId: string;
|
|
3
|
+
tenantId: string;
|
|
4
|
+
}
|
|
5
|
+
type TenantAccessChecker = (input: TenantAccessInput) => Promise<boolean>;
|
|
6
|
+
interface TransactionExecutor<TClient> {
|
|
7
|
+
transaction<T>(handler: (tx: TClient) => Promise<T>): Promise<T>;
|
|
8
|
+
}
|
|
9
|
+
|
|
10
|
+
export type { TenantAccessChecker, TenantAccessInput, TransactionExecutor };
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
interface TenantAccessInput {
|
|
2
|
+
userId: string;
|
|
3
|
+
tenantId: string;
|
|
4
|
+
}
|
|
5
|
+
type TenantAccessChecker = (input: TenantAccessInput) => Promise<boolean>;
|
|
6
|
+
interface TransactionExecutor<TClient> {
|
|
7
|
+
transaction<T>(handler: (tx: TClient) => Promise<T>): Promise<T>;
|
|
8
|
+
}
|
|
9
|
+
|
|
10
|
+
export type { TenantAccessChecker, TenantAccessInput, TransactionExecutor };
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __defProp = Object.defineProperty;
|
|
3
|
+
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
4
|
+
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
5
|
+
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
6
|
+
var __copyProps = (to, from, except, desc) => {
|
|
7
|
+
if (from && typeof from === "object" || typeof from === "function") {
|
|
8
|
+
for (let key of __getOwnPropNames(from))
|
|
9
|
+
if (!__hasOwnProp.call(to, key) && key !== except)
|
|
10
|
+
__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
|
|
11
|
+
}
|
|
12
|
+
return to;
|
|
13
|
+
};
|
|
14
|
+
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
15
|
+
|
|
16
|
+
// src/shared/index.ts
|
|
17
|
+
var shared_exports = {};
|
|
18
|
+
module.exports = __toCommonJS(shared_exports);
|
|
File without changes
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@wrelik/db",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "2.0.0",
|
|
4
4
|
"publishConfig": {
|
|
5
5
|
"access": "public"
|
|
6
6
|
},
|
|
@@ -9,11 +9,27 @@
|
|
|
9
9
|
"url": "https://github.com/lwhite702/wrelik-kit.git",
|
|
10
10
|
"directory": "packages/db"
|
|
11
11
|
},
|
|
12
|
-
"
|
|
13
|
-
"
|
|
14
|
-
|
|
12
|
+
"sideEffects": false,
|
|
13
|
+
"exports": {
|
|
14
|
+
"./server": {
|
|
15
|
+
"types": "./dist/server/index.d.ts",
|
|
16
|
+
"import": "./dist/server/index.mjs",
|
|
17
|
+
"require": "./dist/server/index.js"
|
|
18
|
+
},
|
|
19
|
+
"./client": {
|
|
20
|
+
"types": "./dist/client/index.d.ts",
|
|
21
|
+
"import": "./dist/client/index.mjs",
|
|
22
|
+
"require": "./dist/client/index.js"
|
|
23
|
+
},
|
|
24
|
+
"./shared": {
|
|
25
|
+
"types": "./dist/shared/index.d.ts",
|
|
26
|
+
"import": "./dist/shared/index.mjs",
|
|
27
|
+
"require": "./dist/shared/index.js"
|
|
28
|
+
},
|
|
29
|
+
"./package.json": "./package.json"
|
|
30
|
+
},
|
|
15
31
|
"dependencies": {
|
|
16
|
-
"@wrelik/errors": "0.
|
|
32
|
+
"@wrelik/errors": "2.0.0"
|
|
17
33
|
},
|
|
18
34
|
"devDependencies": {
|
|
19
35
|
"@types/node": "^25.2.0",
|
|
@@ -22,9 +38,17 @@
|
|
|
22
38
|
"@wrelik/eslint-config": "0.1.1",
|
|
23
39
|
"@wrelik/tsconfig": "0.1.1"
|
|
24
40
|
},
|
|
41
|
+
"wrelik": {
|
|
42
|
+
"runtimes": [
|
|
43
|
+
"server",
|
|
44
|
+
"client",
|
|
45
|
+
"shared"
|
|
46
|
+
]
|
|
47
|
+
},
|
|
25
48
|
"scripts": {
|
|
26
|
-
"build": "tsup src/index.ts src/
|
|
49
|
+
"build": "tsup src/server/index.ts src/client/index.ts src/shared/index.ts --format cjs,esm --dts --clean",
|
|
27
50
|
"lint": "eslint src/",
|
|
51
|
+
"typecheck": "tsc --noEmit",
|
|
28
52
|
"test": "vitest run --passWithNoTests"
|
|
29
53
|
}
|
|
30
54
|
}
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
import { describe, expect, it } from 'vitest';
|
|
2
|
+
import { PermissionDeniedError, TenantRequiredError } from '@wrelik/errors/shared';
|
|
3
|
+
import { applyTenantScope, createTenantAccessService, withTenantContext, withTransaction } from './index';
|
|
4
|
+
|
|
5
|
+
describe('@wrelik/db/server', () => {
|
|
6
|
+
it('asserts tenant access with injected checker', async () => {
|
|
7
|
+
const service = createTenantAccessService(async ({ userId, tenantId }) => {
|
|
8
|
+
return userId === 'u1' && tenantId === 't1';
|
|
9
|
+
});
|
|
10
|
+
|
|
11
|
+
await expect(service.assertTenantAccess('u1', 't1')).resolves.toBeUndefined();
|
|
12
|
+
await expect(service.assertTenantAccess('', 't1')).rejects.toThrow(TenantRequiredError);
|
|
13
|
+
await expect(service.assertTenantAccess('u1', 't2')).rejects.toThrow(PermissionDeniedError);
|
|
14
|
+
});
|
|
15
|
+
|
|
16
|
+
it('runs work through explicit transaction wrappers', async () => {
|
|
17
|
+
const result = await withTransaction<{ txId: string }, string>(
|
|
18
|
+
{
|
|
19
|
+
transaction: async (handler) => handler({ txId: '1' }),
|
|
20
|
+
},
|
|
21
|
+
async (tx) => tx.txId,
|
|
22
|
+
);
|
|
23
|
+
|
|
24
|
+
expect(result).toBe('1');
|
|
25
|
+
});
|
|
26
|
+
|
|
27
|
+
it('rejects empty tenant contexts', async () => {
|
|
28
|
+
await expect(withTenantContext('', async () => 'ok')).rejects.toThrow(TenantRequiredError);
|
|
29
|
+
});
|
|
30
|
+
|
|
31
|
+
it('always applies tenant filters and preserves other filters', () => {
|
|
32
|
+
expect(applyTenantScope('t1', { status: 'active' })).toEqual({
|
|
33
|
+
status: 'active',
|
|
34
|
+
tenantId: 't1',
|
|
35
|
+
});
|
|
36
|
+
});
|
|
37
|
+
|
|
38
|
+
it('blocks cross-tenant reads by default', () => {
|
|
39
|
+
expect(() => applyTenantScope('t1', { tenantId: 't2', status: 'active' })).toThrow(PermissionDeniedError);
|
|
40
|
+
expect(() => applyTenantScope('', { status: 'active' })).toThrow(TenantRequiredError);
|
|
41
|
+
});
|
|
42
|
+
|
|
43
|
+
it('does not expose root or client subpath imports', () => {
|
|
44
|
+
expect(() => require.resolve('@wrelik/db')).toThrow();
|
|
45
|
+
expect(() => require.resolve('@wrelik/db/client')).not.toThrow();
|
|
46
|
+
});
|
|
47
|
+
});
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
import { PermissionDeniedError, TenantRequiredError } from '@wrelik/errors/shared';
|
|
2
|
+
import type { TenantAccessChecker, TransactionExecutor } from '../shared';
|
|
3
|
+
|
|
4
|
+
export function createTenantAccessService(checker: TenantAccessChecker) {
|
|
5
|
+
return {
|
|
6
|
+
async assertTenantAccess(userId: string, tenantId: string): Promise<void> {
|
|
7
|
+
if (!userId || !tenantId) {
|
|
8
|
+
throw new TenantRequiredError();
|
|
9
|
+
}
|
|
10
|
+
|
|
11
|
+
const allowed = await checker({ userId, tenantId });
|
|
12
|
+
|
|
13
|
+
if (!allowed) {
|
|
14
|
+
throw new PermissionDeniedError(`User ${userId} does not have access to tenant ${tenantId}`);
|
|
15
|
+
}
|
|
16
|
+
},
|
|
17
|
+
};
|
|
18
|
+
}
|
|
19
|
+
|
|
20
|
+
export async function withTenantContext<T>(tenantId: string, handler: (tenantId: string) => Promise<T>) {
|
|
21
|
+
if (!tenantId) {
|
|
22
|
+
throw new TenantRequiredError();
|
|
23
|
+
}
|
|
24
|
+
|
|
25
|
+
return handler(tenantId);
|
|
26
|
+
}
|
|
27
|
+
|
|
28
|
+
export async function withTransaction<TClient, T>(
|
|
29
|
+
executor: TransactionExecutor<TClient>,
|
|
30
|
+
handler: (tx: TClient) => Promise<T>,
|
|
31
|
+
): Promise<T> {
|
|
32
|
+
return executor.transaction(handler);
|
|
33
|
+
}
|
|
34
|
+
|
|
35
|
+
export function applyTenantScope<TWhere extends Record<string, unknown>>(
|
|
36
|
+
tenantId: string,
|
|
37
|
+
where?: TWhere,
|
|
38
|
+
): TWhere & { tenantId: string } {
|
|
39
|
+
if (!tenantId) {
|
|
40
|
+
throw new TenantRequiredError();
|
|
41
|
+
}
|
|
42
|
+
|
|
43
|
+
const tenantIdInWhere = where?.tenantId;
|
|
44
|
+
if (typeof tenantIdInWhere === 'string' && tenantIdInWhere !== tenantId) {
|
|
45
|
+
throw new PermissionDeniedError(`Cross-tenant access blocked for tenant ${tenantIdInWhere}`);
|
|
46
|
+
}
|
|
47
|
+
|
|
48
|
+
return {
|
|
49
|
+
...(where ?? ({} as TWhere)),
|
|
50
|
+
tenantId,
|
|
51
|
+
};
|
|
52
|
+
}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export type { TenantAccessChecker, TenantAccessInput, TransactionExecutor } from './types';
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
export interface TenantAccessInput {
|
|
2
|
+
userId: string;
|
|
3
|
+
tenantId: string;
|
|
4
|
+
}
|
|
5
|
+
|
|
6
|
+
export type TenantAccessChecker = (input: TenantAccessInput) => Promise<boolean>;
|
|
7
|
+
|
|
8
|
+
export interface TransactionExecutor<TClient> {
|
|
9
|
+
transaction<T>(handler: (tx: TClient) => Promise<T>): Promise<T>;
|
|
10
|
+
}
|
package/dist/index.d.mts
DELETED
|
@@ -1,7 +0,0 @@
|
|
|
1
|
-
type AccessChecker = (userId: string, tenantId: string) => Promise<boolean>;
|
|
2
|
-
declare function setTenantAccessChecker(checker: AccessChecker): void;
|
|
3
|
-
declare function assertTenantAccess(userId: string, tenantId: string): Promise<void>;
|
|
4
|
-
declare function withTenant<T>(tenantId: string, fn: (tenantId: string) => Promise<T>): Promise<T>;
|
|
5
|
-
declare function getPrismaSingleton<T>(factory: () => T): T;
|
|
6
|
-
|
|
7
|
-
export { assertTenantAccess, getPrismaSingleton, setTenantAccessChecker, withTenant };
|
package/dist/index.d.ts
DELETED
|
@@ -1,7 +0,0 @@
|
|
|
1
|
-
type AccessChecker = (userId: string, tenantId: string) => Promise<boolean>;
|
|
2
|
-
declare function setTenantAccessChecker(checker: AccessChecker): void;
|
|
3
|
-
declare function assertTenantAccess(userId: string, tenantId: string): Promise<void>;
|
|
4
|
-
declare function withTenant<T>(tenantId: string, fn: (tenantId: string) => Promise<T>): Promise<T>;
|
|
5
|
-
declare function getPrismaSingleton<T>(factory: () => T): T;
|
|
6
|
-
|
|
7
|
-
export { assertTenantAccess, getPrismaSingleton, setTenantAccessChecker, withTenant };
|
package/dist/index.js
DELETED
|
@@ -1,63 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
var __defProp = Object.defineProperty;
|
|
3
|
-
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
4
|
-
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
5
|
-
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
6
|
-
var __export = (target, all) => {
|
|
7
|
-
for (var name in all)
|
|
8
|
-
__defProp(target, name, { get: all[name], enumerable: true });
|
|
9
|
-
};
|
|
10
|
-
var __copyProps = (to, from, except, desc) => {
|
|
11
|
-
if (from && typeof from === "object" || typeof from === "function") {
|
|
12
|
-
for (let key of __getOwnPropNames(from))
|
|
13
|
-
if (!__hasOwnProp.call(to, key) && key !== except)
|
|
14
|
-
__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
|
|
15
|
-
}
|
|
16
|
-
return to;
|
|
17
|
-
};
|
|
18
|
-
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
19
|
-
|
|
20
|
-
// src/index.ts
|
|
21
|
-
var index_exports = {};
|
|
22
|
-
__export(index_exports, {
|
|
23
|
-
assertTenantAccess: () => assertTenantAccess,
|
|
24
|
-
getPrismaSingleton: () => getPrismaSingleton,
|
|
25
|
-
setTenantAccessChecker: () => setTenantAccessChecker,
|
|
26
|
-
withTenant: () => withTenant
|
|
27
|
-
});
|
|
28
|
-
module.exports = __toCommonJS(index_exports);
|
|
29
|
-
var import_errors = require("@wrelik/errors");
|
|
30
|
-
var accessChecker = async () => false;
|
|
31
|
-
function setTenantAccessChecker(checker) {
|
|
32
|
-
accessChecker = checker;
|
|
33
|
-
}
|
|
34
|
-
async function assertTenantAccess(userId, tenantId) {
|
|
35
|
-
if (!userId || !tenantId) {
|
|
36
|
-
throw new import_errors.TenantRequiredError();
|
|
37
|
-
}
|
|
38
|
-
const allowed = await accessChecker(userId, tenantId);
|
|
39
|
-
if (!allowed) {
|
|
40
|
-
throw new import_errors.PermissionDeniedError(`User ${userId} does not have access to tenant ${tenantId}`);
|
|
41
|
-
}
|
|
42
|
-
}
|
|
43
|
-
function withTenant(tenantId, fn) {
|
|
44
|
-
if (!tenantId) {
|
|
45
|
-
throw new import_errors.TenantRequiredError();
|
|
46
|
-
}
|
|
47
|
-
return fn(tenantId);
|
|
48
|
-
}
|
|
49
|
-
function getPrismaSingleton(factory) {
|
|
50
|
-
const globalForPrisma = global;
|
|
51
|
-
const prisma = globalForPrisma.prisma || factory();
|
|
52
|
-
if (process.env.NODE_ENV !== "production") {
|
|
53
|
-
globalForPrisma.prisma = prisma;
|
|
54
|
-
}
|
|
55
|
-
return prisma;
|
|
56
|
-
}
|
|
57
|
-
// Annotate the CommonJS export names for ESM import in node:
|
|
58
|
-
0 && (module.exports = {
|
|
59
|
-
assertTenantAccess,
|
|
60
|
-
getPrismaSingleton,
|
|
61
|
-
setTenantAccessChecker,
|
|
62
|
-
withTenant
|
|
63
|
-
});
|
package/dist/index.mjs
DELETED
|
@@ -1,35 +0,0 @@
|
|
|
1
|
-
// src/index.ts
|
|
2
|
-
import { PermissionDeniedError, TenantRequiredError } from "@wrelik/errors";
|
|
3
|
-
var accessChecker = async () => false;
|
|
4
|
-
function setTenantAccessChecker(checker) {
|
|
5
|
-
accessChecker = checker;
|
|
6
|
-
}
|
|
7
|
-
async function assertTenantAccess(userId, tenantId) {
|
|
8
|
-
if (!userId || !tenantId) {
|
|
9
|
-
throw new TenantRequiredError();
|
|
10
|
-
}
|
|
11
|
-
const allowed = await accessChecker(userId, tenantId);
|
|
12
|
-
if (!allowed) {
|
|
13
|
-
throw new PermissionDeniedError(`User ${userId} does not have access to tenant ${tenantId}`);
|
|
14
|
-
}
|
|
15
|
-
}
|
|
16
|
-
function withTenant(tenantId, fn) {
|
|
17
|
-
if (!tenantId) {
|
|
18
|
-
throw new TenantRequiredError();
|
|
19
|
-
}
|
|
20
|
-
return fn(tenantId);
|
|
21
|
-
}
|
|
22
|
-
function getPrismaSingleton(factory) {
|
|
23
|
-
const globalForPrisma = global;
|
|
24
|
-
const prisma = globalForPrisma.prisma || factory();
|
|
25
|
-
if (process.env.NODE_ENV !== "production") {
|
|
26
|
-
globalForPrisma.prisma = prisma;
|
|
27
|
-
}
|
|
28
|
-
return prisma;
|
|
29
|
-
}
|
|
30
|
-
export {
|
|
31
|
-
assertTenantAccess,
|
|
32
|
-
getPrismaSingleton,
|
|
33
|
-
setTenantAccessChecker,
|
|
34
|
-
withTenant
|
|
35
|
-
};
|
package/dist/unsupported.d.mts
DELETED
package/dist/unsupported.d.ts
DELETED
package/dist/unsupported.mjs
DELETED
|
@@ -1,12 +0,0 @@
|
|
|
1
|
-
// src/unsupported.ts
|
|
2
|
-
function unsupported() {
|
|
3
|
-
throw new Error(
|
|
4
|
-
"This package is server-only and cannot be used in client/mobile environments. Access this functionality via a backend API instead."
|
|
5
|
-
);
|
|
6
|
-
}
|
|
7
|
-
throw new Error(
|
|
8
|
-
"This package is server-only and cannot be used in client/mobile environments. Access this functionality via a backend API instead."
|
|
9
|
-
);
|
|
10
|
-
export {
|
|
11
|
-
unsupported as default
|
|
12
|
-
};
|
package/src/index.ts
DELETED
|
@@ -1,39 +0,0 @@
|
|
|
1
|
-
import { PermissionDeniedError, TenantRequiredError } from '@wrelik/errors';
|
|
2
|
-
|
|
3
|
-
// Helper types
|
|
4
|
-
type AccessChecker = (userId: string, tenantId: string) => Promise<boolean>;
|
|
5
|
-
|
|
6
|
-
let accessChecker: AccessChecker = async () => false; // Default deny
|
|
7
|
-
|
|
8
|
-
export function setTenantAccessChecker(checker: AccessChecker) {
|
|
9
|
-
accessChecker = checker;
|
|
10
|
-
}
|
|
11
|
-
|
|
12
|
-
export async function assertTenantAccess(userId: string, tenantId: string) {
|
|
13
|
-
if (!userId || !tenantId) {
|
|
14
|
-
throw new TenantRequiredError();
|
|
15
|
-
}
|
|
16
|
-
const allowed = await accessChecker(userId, tenantId);
|
|
17
|
-
if (!allowed) {
|
|
18
|
-
throw new PermissionDeniedError(`User ${userId} does not have access to tenant ${tenantId}`);
|
|
19
|
-
}
|
|
20
|
-
}
|
|
21
|
-
|
|
22
|
-
export function withTenant<T>(tenantId: string, fn: (tenantId: string) => Promise<T>): Promise<T> {
|
|
23
|
-
if (!tenantId) {
|
|
24
|
-
throw new TenantRequiredError();
|
|
25
|
-
}
|
|
26
|
-
return fn(tenantId);
|
|
27
|
-
}
|
|
28
|
-
|
|
29
|
-
// Singleton pattern for Prisma
|
|
30
|
-
export function getPrismaSingleton<T>(factory: () => T): T {
|
|
31
|
-
const globalForPrisma = global as unknown as { prisma: T };
|
|
32
|
-
const prisma = globalForPrisma.prisma || factory();
|
|
33
|
-
|
|
34
|
-
if (process.env.NODE_ENV !== 'production') {
|
|
35
|
-
globalForPrisma.prisma = prisma;
|
|
36
|
-
}
|
|
37
|
-
|
|
38
|
-
return prisma;
|
|
39
|
-
}
|
package/src/unsupported.ts
DELETED
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
export default function unsupported() {
|
|
2
|
-
throw new Error(
|
|
3
|
-
'This package is server-only and cannot be used in client/mobile environments. ' +
|
|
4
|
-
'Access this functionality via a backend API instead.',
|
|
5
|
-
);
|
|
6
|
-
}
|
|
7
|
-
|
|
8
|
-
// Using a Proxy to trap named imports if possible, or just the top level throw is usually enough for side-effect imports.
|
|
9
|
-
// But for named imports, we might need to export them?
|
|
10
|
-
// Since we can't mock all exports, the top level throw is best.
|
|
11
|
-
throw new Error(
|
|
12
|
-
'This package is server-only and cannot be used in client/mobile environments. ' +
|
|
13
|
-
'Access this functionality via a backend API instead.',
|
|
14
|
-
);
|