@wrelik/db 0.1.3 → 2.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.turbo/turbo-build.log +25 -21
- package/.turbo/turbo-lint.log +5 -0
- package/.turbo/turbo-test.log +15 -0
- package/.turbo/turbo-typecheck.log +4 -0
- package/CHANGELOG.md +26 -0
- package/dist/client/index.d.mts +3 -0
- package/dist/client/index.d.ts +3 -0
- package/dist/{unsupported.js → client/index.js} +12 -11
- package/dist/client/index.mjs +9 -0
- package/dist/server/index.d.mts +12 -0
- package/dist/server/index.d.ts +12 -0
- package/dist/server/index.js +71 -0
- package/dist/server/index.mjs +43 -0
- package/dist/shared/index.d.mts +10 -0
- package/dist/shared/index.d.ts +10 -0
- package/dist/shared/index.js +18 -0
- package/dist/shared/index.mjs +0 -0
- package/package.json +36 -11
- package/src/client/index.test.ts +7 -0
- package/src/client/index.ts +5 -0
- package/src/server/index.test.ts +47 -0
- package/src/server/index.ts +52 -0
- package/src/shared/index.ts +1 -0
- package/src/shared/types.ts +10 -0
- package/tsconfig.json +3 -1
- package/dist/index.d.mts +0 -7
- package/dist/index.d.ts +0 -7
- package/dist/index.js +0 -63
- package/dist/index.mjs +0 -35
- package/dist/unsupported.d.mts +0 -3
- package/dist/unsupported.d.ts +0 -3
- package/dist/unsupported.mjs +0 -12
- package/src/index.ts +0 -39
- package/src/unsupported.ts +0 -14
package/.turbo/turbo-build.log
CHANGED
|
@@ -1,23 +1,27 @@
|
|
|
1
1
|
|
|
2
|
-
> @wrelik/db@0.1
|
|
3
|
-
> tsup src/index.ts src/
|
|
2
|
+
> @wrelik/db@2.0.1 build /Users/lee/Projects/wrelik-kit/packages/db
|
|
3
|
+
> tsup src/server/index.ts src/client/index.ts src/shared/index.ts --format cjs,esm --dts --clean
|
|
4
4
|
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
5
|
+
CLI Building entry: src/shared/index.ts, src/server/index.ts, src/client/index.ts
|
|
6
|
+
CLI Using tsconfig: tsconfig.json
|
|
7
|
+
CLI tsup v8.5.1
|
|
8
|
+
CLI Target: es2022
|
|
9
|
+
CLI Cleaning output folder
|
|
10
|
+
CJS Build start
|
|
11
|
+
ESM Build start
|
|
12
|
+
ESM dist/shared/index.mjs 0 B
|
|
13
|
+
ESM dist/client/index.mjs 268.00 B
|
|
14
|
+
ESM dist/server/index.mjs 1.19 KB
|
|
15
|
+
ESM ⚡️ Build success in 250ms
|
|
16
|
+
CJS dist/server/index.js 2.37 KB
|
|
17
|
+
CJS dist/shared/index.js 767.00 B
|
|
18
|
+
CJS dist/client/index.js 1.27 KB
|
|
19
|
+
CJS ⚡️ Build success in 252ms
|
|
20
|
+
DTS Build start
|
|
21
|
+
DTS ⚡️ Build success in 2589ms
|
|
22
|
+
DTS dist/server/index.d.ts 718.00 B
|
|
23
|
+
DTS dist/client/index.d.ts 77.00 B
|
|
24
|
+
DTS dist/shared/index.d.ts 340.00 B
|
|
25
|
+
DTS dist/server/index.d.mts 719.00 B
|
|
26
|
+
DTS dist/client/index.d.mts 77.00 B
|
|
27
|
+
DTS dist/shared/index.d.mts 340.00 B
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
|
|
2
|
+
> @wrelik/db@2.0.1 test /Users/lee/Projects/wrelik-kit/packages/db
|
|
3
|
+
> vitest run --passWithNoTests
|
|
4
|
+
|
|
5
|
+
|
|
6
|
+
[1m[46m RUN [49m[22m [36mv4.1.2 [39m[90m/Users/lee/Projects/wrelik-kit/packages/db[39m
|
|
7
|
+
|
|
8
|
+
[32m✓[39m src/client/index.test.ts [2m([22m[2m1 test[22m[2m)[22m[32m 14[2mms[22m[39m
|
|
9
|
+
[32m✓[39m src/server/index.test.ts [2m([22m[2m6 tests[22m[2m)[22m[32m 7[2mms[22m[39m
|
|
10
|
+
|
|
11
|
+
[2m Test Files [22m [1m[32m2 passed[39m[22m[90m (2)[39m
|
|
12
|
+
[2m Tests [22m [1m[32m7 passed[39m[22m[90m (7)[39m
|
|
13
|
+
[2m Start at [22m 20:04:59
|
|
14
|
+
[2m Duration [22m 454ms[2m (transform 332ms, setup 0ms, import 351ms, tests 21ms, environment 0ms)[22m
|
|
15
|
+
|
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,31 @@
|
|
|
1
1
|
# @wrelik/db
|
|
2
2
|
|
|
3
|
+
## 2.0.1
|
|
4
|
+
|
|
5
|
+
### Patch Changes
|
|
6
|
+
|
|
7
|
+
- 3262454: Upgrade runtime SDK and workspace tooling dependencies to latest compatible versions, including Clerk, Sentry, AWS SDK, Inngest, Resend, Upstash, Zod, TypeScript, Turbo, Vitest, TSUP, and ESLint.
|
|
8
|
+
|
|
9
|
+
Adopt root ESLint flat config and align wrapper peer ranges for updated SDK majors while preserving package export paths. Also apply a patched transitive Next.js resolution to close audit findings and keep production audit clean.
|
|
10
|
+
|
|
11
|
+
Note: Vite is pinned to the latest 7.x line for runtime compatibility in this environment; this avoids current rolldown native-binding failures seen with Vite 8 under Node 20.18.0.
|
|
12
|
+
|
|
13
|
+
Breaking change: `@wrelik/auth` and `@wrelik/clerk-next` now require `@clerk/nextjs@7.x` via updated peer ranges (`>=7 <8`). Consumers on Clerk v4-v6 must upgrade to Clerk v7 before adopting these versions.
|
|
14
|
+
|
|
15
|
+
- Updated dependencies [3262454]
|
|
16
|
+
- @wrelik/errors@2.0.1
|
|
17
|
+
|
|
18
|
+
## 2.0.0
|
|
19
|
+
|
|
20
|
+
### Major Changes
|
|
21
|
+
|
|
22
|
+
- 818ed58: Refactor runtime packages to strict subpath exports (`/server`, `/client`, `/shared`) with side-effect free entrypoints and hard CI/runtime boundary enforcement.
|
|
23
|
+
|
|
24
|
+
### Patch Changes
|
|
25
|
+
|
|
26
|
+
- Updated dependencies [818ed58]
|
|
27
|
+
- @wrelik/errors@2.0.0
|
|
28
|
+
|
|
3
29
|
## 0.1.3
|
|
4
30
|
|
|
5
31
|
### Patch Changes
|
|
@@ -17,17 +17,18 @@ var __copyProps = (to, from, except, desc) => {
|
|
|
17
17
|
};
|
|
18
18
|
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
19
19
|
|
|
20
|
-
// src/
|
|
21
|
-
var
|
|
22
|
-
__export(
|
|
23
|
-
|
|
20
|
+
// src/client/index.ts
|
|
21
|
+
var client_exports = {};
|
|
22
|
+
__export(client_exports, {
|
|
23
|
+
serverOnlyClientStub: () => serverOnlyClientStub
|
|
24
24
|
});
|
|
25
|
-
module.exports = __toCommonJS(
|
|
26
|
-
|
|
25
|
+
module.exports = __toCommonJS(client_exports);
|
|
26
|
+
var serverOnlyClientStub = (() => {
|
|
27
27
|
throw new Error(
|
|
28
|
-
"
|
|
28
|
+
"@wrelik/db/client is a server-only adapter stub. Use @wrelik/db/server on the backend and call your backend API from client or Expo apps."
|
|
29
29
|
);
|
|
30
|
-
}
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
30
|
+
})();
|
|
31
|
+
// Annotate the CommonJS export names for ESM import in node:
|
|
32
|
+
0 && (module.exports = {
|
|
33
|
+
serverOnlyClientStub
|
|
34
|
+
});
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
// src/client/index.ts
|
|
2
|
+
var serverOnlyClientStub = (() => {
|
|
3
|
+
throw new Error(
|
|
4
|
+
"@wrelik/db/client is a server-only adapter stub. Use @wrelik/db/server on the backend and call your backend API from client or Expo apps."
|
|
5
|
+
);
|
|
6
|
+
})();
|
|
7
|
+
export {
|
|
8
|
+
serverOnlyClientStub
|
|
9
|
+
};
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import { TenantAccessChecker, TransactionExecutor } from '../shared/index.mjs';
|
|
2
|
+
|
|
3
|
+
declare function createTenantAccessService(checker: TenantAccessChecker): {
|
|
4
|
+
assertTenantAccess(userId: string, tenantId: string): Promise<void>;
|
|
5
|
+
};
|
|
6
|
+
declare function withTenantContext<T>(tenantId: string, handler: (tenantId: string) => Promise<T>): Promise<T>;
|
|
7
|
+
declare function withTransaction<TClient, T>(executor: TransactionExecutor<TClient>, handler: (tx: TClient) => Promise<T>): Promise<T>;
|
|
8
|
+
declare function applyTenantScope<TWhere extends Record<string, unknown>>(tenantId: string, where?: TWhere): TWhere & {
|
|
9
|
+
tenantId: string;
|
|
10
|
+
};
|
|
11
|
+
|
|
12
|
+
export { applyTenantScope, createTenantAccessService, withTenantContext, withTransaction };
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import { TenantAccessChecker, TransactionExecutor } from '../shared/index.js';
|
|
2
|
+
|
|
3
|
+
declare function createTenantAccessService(checker: TenantAccessChecker): {
|
|
4
|
+
assertTenantAccess(userId: string, tenantId: string): Promise<void>;
|
|
5
|
+
};
|
|
6
|
+
declare function withTenantContext<T>(tenantId: string, handler: (tenantId: string) => Promise<T>): Promise<T>;
|
|
7
|
+
declare function withTransaction<TClient, T>(executor: TransactionExecutor<TClient>, handler: (tx: TClient) => Promise<T>): Promise<T>;
|
|
8
|
+
declare function applyTenantScope<TWhere extends Record<string, unknown>>(tenantId: string, where?: TWhere): TWhere & {
|
|
9
|
+
tenantId: string;
|
|
10
|
+
};
|
|
11
|
+
|
|
12
|
+
export { applyTenantScope, createTenantAccessService, withTenantContext, withTransaction };
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __defProp = Object.defineProperty;
|
|
3
|
+
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
4
|
+
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
5
|
+
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
6
|
+
var __export = (target, all) => {
|
|
7
|
+
for (var name in all)
|
|
8
|
+
__defProp(target, name, { get: all[name], enumerable: true });
|
|
9
|
+
};
|
|
10
|
+
var __copyProps = (to, from, except, desc) => {
|
|
11
|
+
if (from && typeof from === "object" || typeof from === "function") {
|
|
12
|
+
for (let key of __getOwnPropNames(from))
|
|
13
|
+
if (!__hasOwnProp.call(to, key) && key !== except)
|
|
14
|
+
__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
|
|
15
|
+
}
|
|
16
|
+
return to;
|
|
17
|
+
};
|
|
18
|
+
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
19
|
+
|
|
20
|
+
// src/server/index.ts
|
|
21
|
+
var server_exports = {};
|
|
22
|
+
__export(server_exports, {
|
|
23
|
+
applyTenantScope: () => applyTenantScope,
|
|
24
|
+
createTenantAccessService: () => createTenantAccessService,
|
|
25
|
+
withTenantContext: () => withTenantContext,
|
|
26
|
+
withTransaction: () => withTransaction
|
|
27
|
+
});
|
|
28
|
+
module.exports = __toCommonJS(server_exports);
|
|
29
|
+
var import_shared = require("@wrelik/errors/shared");
|
|
30
|
+
function createTenantAccessService(checker) {
|
|
31
|
+
return {
|
|
32
|
+
async assertTenantAccess(userId, tenantId) {
|
|
33
|
+
if (!userId || !tenantId) {
|
|
34
|
+
throw new import_shared.TenantRequiredError();
|
|
35
|
+
}
|
|
36
|
+
const allowed = await checker({ userId, tenantId });
|
|
37
|
+
if (!allowed) {
|
|
38
|
+
throw new import_shared.PermissionDeniedError(`User ${userId} does not have access to tenant ${tenantId}`);
|
|
39
|
+
}
|
|
40
|
+
}
|
|
41
|
+
};
|
|
42
|
+
}
|
|
43
|
+
async function withTenantContext(tenantId, handler) {
|
|
44
|
+
if (!tenantId) {
|
|
45
|
+
throw new import_shared.TenantRequiredError();
|
|
46
|
+
}
|
|
47
|
+
return handler(tenantId);
|
|
48
|
+
}
|
|
49
|
+
async function withTransaction(executor, handler) {
|
|
50
|
+
return executor.transaction(handler);
|
|
51
|
+
}
|
|
52
|
+
function applyTenantScope(tenantId, where) {
|
|
53
|
+
if (!tenantId) {
|
|
54
|
+
throw new import_shared.TenantRequiredError();
|
|
55
|
+
}
|
|
56
|
+
const tenantIdInWhere = where?.tenantId;
|
|
57
|
+
if (typeof tenantIdInWhere === "string" && tenantIdInWhere !== tenantId) {
|
|
58
|
+
throw new import_shared.PermissionDeniedError(`Cross-tenant access blocked for tenant ${tenantIdInWhere}`);
|
|
59
|
+
}
|
|
60
|
+
return {
|
|
61
|
+
...where ?? {},
|
|
62
|
+
tenantId
|
|
63
|
+
};
|
|
64
|
+
}
|
|
65
|
+
// Annotate the CommonJS export names for ESM import in node:
|
|
66
|
+
0 && (module.exports = {
|
|
67
|
+
applyTenantScope,
|
|
68
|
+
createTenantAccessService,
|
|
69
|
+
withTenantContext,
|
|
70
|
+
withTransaction
|
|
71
|
+
});
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
// src/server/index.ts
|
|
2
|
+
import { PermissionDeniedError, TenantRequiredError } from "@wrelik/errors/shared";
|
|
3
|
+
function createTenantAccessService(checker) {
|
|
4
|
+
return {
|
|
5
|
+
async assertTenantAccess(userId, tenantId) {
|
|
6
|
+
if (!userId || !tenantId) {
|
|
7
|
+
throw new TenantRequiredError();
|
|
8
|
+
}
|
|
9
|
+
const allowed = await checker({ userId, tenantId });
|
|
10
|
+
if (!allowed) {
|
|
11
|
+
throw new PermissionDeniedError(`User ${userId} does not have access to tenant ${tenantId}`);
|
|
12
|
+
}
|
|
13
|
+
}
|
|
14
|
+
};
|
|
15
|
+
}
|
|
16
|
+
async function withTenantContext(tenantId, handler) {
|
|
17
|
+
if (!tenantId) {
|
|
18
|
+
throw new TenantRequiredError();
|
|
19
|
+
}
|
|
20
|
+
return handler(tenantId);
|
|
21
|
+
}
|
|
22
|
+
async function withTransaction(executor, handler) {
|
|
23
|
+
return executor.transaction(handler);
|
|
24
|
+
}
|
|
25
|
+
function applyTenantScope(tenantId, where) {
|
|
26
|
+
if (!tenantId) {
|
|
27
|
+
throw new TenantRequiredError();
|
|
28
|
+
}
|
|
29
|
+
const tenantIdInWhere = where?.tenantId;
|
|
30
|
+
if (typeof tenantIdInWhere === "string" && tenantIdInWhere !== tenantId) {
|
|
31
|
+
throw new PermissionDeniedError(`Cross-tenant access blocked for tenant ${tenantIdInWhere}`);
|
|
32
|
+
}
|
|
33
|
+
return {
|
|
34
|
+
...where ?? {},
|
|
35
|
+
tenantId
|
|
36
|
+
};
|
|
37
|
+
}
|
|
38
|
+
export {
|
|
39
|
+
applyTenantScope,
|
|
40
|
+
createTenantAccessService,
|
|
41
|
+
withTenantContext,
|
|
42
|
+
withTransaction
|
|
43
|
+
};
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
interface TenantAccessInput {
|
|
2
|
+
userId: string;
|
|
3
|
+
tenantId: string;
|
|
4
|
+
}
|
|
5
|
+
type TenantAccessChecker = (input: TenantAccessInput) => Promise<boolean>;
|
|
6
|
+
interface TransactionExecutor<TClient> {
|
|
7
|
+
transaction<T>(handler: (tx: TClient) => Promise<T>): Promise<T>;
|
|
8
|
+
}
|
|
9
|
+
|
|
10
|
+
export type { TenantAccessChecker, TenantAccessInput, TransactionExecutor };
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
interface TenantAccessInput {
|
|
2
|
+
userId: string;
|
|
3
|
+
tenantId: string;
|
|
4
|
+
}
|
|
5
|
+
type TenantAccessChecker = (input: TenantAccessInput) => Promise<boolean>;
|
|
6
|
+
interface TransactionExecutor<TClient> {
|
|
7
|
+
transaction<T>(handler: (tx: TClient) => Promise<T>): Promise<T>;
|
|
8
|
+
}
|
|
9
|
+
|
|
10
|
+
export type { TenantAccessChecker, TenantAccessInput, TransactionExecutor };
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __defProp = Object.defineProperty;
|
|
3
|
+
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
4
|
+
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
5
|
+
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
6
|
+
var __copyProps = (to, from, except, desc) => {
|
|
7
|
+
if (from && typeof from === "object" || typeof from === "function") {
|
|
8
|
+
for (let key of __getOwnPropNames(from))
|
|
9
|
+
if (!__hasOwnProp.call(to, key) && key !== except)
|
|
10
|
+
__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
|
|
11
|
+
}
|
|
12
|
+
return to;
|
|
13
|
+
};
|
|
14
|
+
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
15
|
+
|
|
16
|
+
// src/shared/index.ts
|
|
17
|
+
var shared_exports = {};
|
|
18
|
+
module.exports = __toCommonJS(shared_exports);
|
|
File without changes
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@wrelik/db",
|
|
3
|
-
"version": "0.1
|
|
3
|
+
"version": "2.0.1",
|
|
4
4
|
"publishConfig": {
|
|
5
5
|
"access": "public"
|
|
6
6
|
},
|
|
@@ -9,22 +9,47 @@
|
|
|
9
9
|
"url": "https://github.com/lwhite702/wrelik-kit.git",
|
|
10
10
|
"directory": "packages/db"
|
|
11
11
|
},
|
|
12
|
-
"
|
|
13
|
-
"
|
|
14
|
-
|
|
12
|
+
"sideEffects": false,
|
|
13
|
+
"exports": {
|
|
14
|
+
"./server": {
|
|
15
|
+
"types": "./dist/server/index.d.ts",
|
|
16
|
+
"import": "./dist/server/index.mjs",
|
|
17
|
+
"require": "./dist/server/index.js"
|
|
18
|
+
},
|
|
19
|
+
"./client": {
|
|
20
|
+
"types": "./dist/client/index.d.ts",
|
|
21
|
+
"import": "./dist/client/index.mjs",
|
|
22
|
+
"require": "./dist/client/index.js"
|
|
23
|
+
},
|
|
24
|
+
"./shared": {
|
|
25
|
+
"types": "./dist/shared/index.d.ts",
|
|
26
|
+
"import": "./dist/shared/index.mjs",
|
|
27
|
+
"require": "./dist/shared/index.js"
|
|
28
|
+
},
|
|
29
|
+
"./package.json": "./package.json"
|
|
30
|
+
},
|
|
15
31
|
"dependencies": {
|
|
16
|
-
"@wrelik/errors": "0.
|
|
32
|
+
"@wrelik/errors": "2.0.1"
|
|
17
33
|
},
|
|
18
34
|
"devDependencies": {
|
|
19
|
-
"@types/node": "^25.2
|
|
20
|
-
"tsup": "^8.
|
|
21
|
-
"
|
|
22
|
-
"
|
|
23
|
-
"@wrelik/tsconfig": "0.1.
|
|
35
|
+
"@types/node": "^25.5.2",
|
|
36
|
+
"tsup": "^8.5.1",
|
|
37
|
+
"vite": "^7.3.1",
|
|
38
|
+
"vitest": "^4.1.2",
|
|
39
|
+
"@wrelik/tsconfig": "0.1.2",
|
|
40
|
+
"@wrelik/eslint-config": "0.1.2"
|
|
41
|
+
},
|
|
42
|
+
"wrelik": {
|
|
43
|
+
"runtimes": [
|
|
44
|
+
"server",
|
|
45
|
+
"client",
|
|
46
|
+
"shared"
|
|
47
|
+
]
|
|
24
48
|
},
|
|
25
49
|
"scripts": {
|
|
26
|
-
"build": "tsup src/index.ts src/
|
|
50
|
+
"build": "tsup src/server/index.ts src/client/index.ts src/shared/index.ts --format cjs,esm --dts --clean",
|
|
27
51
|
"lint": "eslint src/",
|
|
52
|
+
"typecheck": "tsc --noEmit",
|
|
28
53
|
"test": "vitest run --passWithNoTests"
|
|
29
54
|
}
|
|
30
55
|
}
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
import { describe, expect, it } from 'vitest';
|
|
2
|
+
import { PermissionDeniedError, TenantRequiredError } from '@wrelik/errors/shared';
|
|
3
|
+
import { applyTenantScope, createTenantAccessService, withTenantContext, withTransaction } from './index';
|
|
4
|
+
|
|
5
|
+
describe('@wrelik/db/server', () => {
|
|
6
|
+
it('asserts tenant access with injected checker', async () => {
|
|
7
|
+
const service = createTenantAccessService(async ({ userId, tenantId }) => {
|
|
8
|
+
return userId === 'u1' && tenantId === 't1';
|
|
9
|
+
});
|
|
10
|
+
|
|
11
|
+
await expect(service.assertTenantAccess('u1', 't1')).resolves.toBeUndefined();
|
|
12
|
+
await expect(service.assertTenantAccess('', 't1')).rejects.toThrow(TenantRequiredError);
|
|
13
|
+
await expect(service.assertTenantAccess('u1', 't2')).rejects.toThrow(PermissionDeniedError);
|
|
14
|
+
});
|
|
15
|
+
|
|
16
|
+
it('runs work through explicit transaction wrappers', async () => {
|
|
17
|
+
const result = await withTransaction<{ txId: string }, string>(
|
|
18
|
+
{
|
|
19
|
+
transaction: async (handler) => handler({ txId: '1' }),
|
|
20
|
+
},
|
|
21
|
+
async (tx) => tx.txId,
|
|
22
|
+
);
|
|
23
|
+
|
|
24
|
+
expect(result).toBe('1');
|
|
25
|
+
});
|
|
26
|
+
|
|
27
|
+
it('rejects empty tenant contexts', async () => {
|
|
28
|
+
await expect(withTenantContext('', async () => 'ok')).rejects.toThrow(TenantRequiredError);
|
|
29
|
+
});
|
|
30
|
+
|
|
31
|
+
it('always applies tenant filters and preserves other filters', () => {
|
|
32
|
+
expect(applyTenantScope('t1', { status: 'active' })).toEqual({
|
|
33
|
+
status: 'active',
|
|
34
|
+
tenantId: 't1',
|
|
35
|
+
});
|
|
36
|
+
});
|
|
37
|
+
|
|
38
|
+
it('blocks cross-tenant reads by default', () => {
|
|
39
|
+
expect(() => applyTenantScope('t1', { tenantId: 't2', status: 'active' })).toThrow(PermissionDeniedError);
|
|
40
|
+
expect(() => applyTenantScope('', { status: 'active' })).toThrow(TenantRequiredError);
|
|
41
|
+
});
|
|
42
|
+
|
|
43
|
+
it('does not expose root or client subpath imports', () => {
|
|
44
|
+
expect(() => require.resolve('@wrelik/db')).toThrow();
|
|
45
|
+
expect(() => require.resolve('@wrelik/db/client')).not.toThrow();
|
|
46
|
+
});
|
|
47
|
+
});
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
import { PermissionDeniedError, TenantRequiredError } from '@wrelik/errors/shared';
|
|
2
|
+
import type { TenantAccessChecker, TransactionExecutor } from '../shared';
|
|
3
|
+
|
|
4
|
+
export function createTenantAccessService(checker: TenantAccessChecker) {
|
|
5
|
+
return {
|
|
6
|
+
async assertTenantAccess(userId: string, tenantId: string): Promise<void> {
|
|
7
|
+
if (!userId || !tenantId) {
|
|
8
|
+
throw new TenantRequiredError();
|
|
9
|
+
}
|
|
10
|
+
|
|
11
|
+
const allowed = await checker({ userId, tenantId });
|
|
12
|
+
|
|
13
|
+
if (!allowed) {
|
|
14
|
+
throw new PermissionDeniedError(`User ${userId} does not have access to tenant ${tenantId}`);
|
|
15
|
+
}
|
|
16
|
+
},
|
|
17
|
+
};
|
|
18
|
+
}
|
|
19
|
+
|
|
20
|
+
export async function withTenantContext<T>(tenantId: string, handler: (tenantId: string) => Promise<T>) {
|
|
21
|
+
if (!tenantId) {
|
|
22
|
+
throw new TenantRequiredError();
|
|
23
|
+
}
|
|
24
|
+
|
|
25
|
+
return handler(tenantId);
|
|
26
|
+
}
|
|
27
|
+
|
|
28
|
+
export async function withTransaction<TClient, T>(
|
|
29
|
+
executor: TransactionExecutor<TClient>,
|
|
30
|
+
handler: (tx: TClient) => Promise<T>,
|
|
31
|
+
): Promise<T> {
|
|
32
|
+
return executor.transaction(handler);
|
|
33
|
+
}
|
|
34
|
+
|
|
35
|
+
export function applyTenantScope<TWhere extends Record<string, unknown>>(
|
|
36
|
+
tenantId: string,
|
|
37
|
+
where?: TWhere,
|
|
38
|
+
): TWhere & { tenantId: string } {
|
|
39
|
+
if (!tenantId) {
|
|
40
|
+
throw new TenantRequiredError();
|
|
41
|
+
}
|
|
42
|
+
|
|
43
|
+
const tenantIdInWhere = where?.tenantId;
|
|
44
|
+
if (typeof tenantIdInWhere === 'string' && tenantIdInWhere !== tenantId) {
|
|
45
|
+
throw new PermissionDeniedError(`Cross-tenant access blocked for tenant ${tenantIdInWhere}`);
|
|
46
|
+
}
|
|
47
|
+
|
|
48
|
+
return {
|
|
49
|
+
...(where ?? ({} as TWhere)),
|
|
50
|
+
tenantId,
|
|
51
|
+
};
|
|
52
|
+
}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export type { TenantAccessChecker, TenantAccessInput, TransactionExecutor } from './types';
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
export interface TenantAccessInput {
|
|
2
|
+
userId: string;
|
|
3
|
+
tenantId: string;
|
|
4
|
+
}
|
|
5
|
+
|
|
6
|
+
export type TenantAccessChecker = (input: TenantAccessInput) => Promise<boolean>;
|
|
7
|
+
|
|
8
|
+
export interface TransactionExecutor<TClient> {
|
|
9
|
+
transaction<T>(handler: (tx: TClient) => Promise<T>): Promise<T>;
|
|
10
|
+
}
|
package/tsconfig.json
CHANGED
package/dist/index.d.mts
DELETED
|
@@ -1,7 +0,0 @@
|
|
|
1
|
-
type AccessChecker = (userId: string, tenantId: string) => Promise<boolean>;
|
|
2
|
-
declare function setTenantAccessChecker(checker: AccessChecker): void;
|
|
3
|
-
declare function assertTenantAccess(userId: string, tenantId: string): Promise<void>;
|
|
4
|
-
declare function withTenant<T>(tenantId: string, fn: (tenantId: string) => Promise<T>): Promise<T>;
|
|
5
|
-
declare function getPrismaSingleton<T>(factory: () => T): T;
|
|
6
|
-
|
|
7
|
-
export { assertTenantAccess, getPrismaSingleton, setTenantAccessChecker, withTenant };
|
package/dist/index.d.ts
DELETED
|
@@ -1,7 +0,0 @@
|
|
|
1
|
-
type AccessChecker = (userId: string, tenantId: string) => Promise<boolean>;
|
|
2
|
-
declare function setTenantAccessChecker(checker: AccessChecker): void;
|
|
3
|
-
declare function assertTenantAccess(userId: string, tenantId: string): Promise<void>;
|
|
4
|
-
declare function withTenant<T>(tenantId: string, fn: (tenantId: string) => Promise<T>): Promise<T>;
|
|
5
|
-
declare function getPrismaSingleton<T>(factory: () => T): T;
|
|
6
|
-
|
|
7
|
-
export { assertTenantAccess, getPrismaSingleton, setTenantAccessChecker, withTenant };
|
package/dist/index.js
DELETED
|
@@ -1,63 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
var __defProp = Object.defineProperty;
|
|
3
|
-
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
4
|
-
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
5
|
-
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
6
|
-
var __export = (target, all) => {
|
|
7
|
-
for (var name in all)
|
|
8
|
-
__defProp(target, name, { get: all[name], enumerable: true });
|
|
9
|
-
};
|
|
10
|
-
var __copyProps = (to, from, except, desc) => {
|
|
11
|
-
if (from && typeof from === "object" || typeof from === "function") {
|
|
12
|
-
for (let key of __getOwnPropNames(from))
|
|
13
|
-
if (!__hasOwnProp.call(to, key) && key !== except)
|
|
14
|
-
__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
|
|
15
|
-
}
|
|
16
|
-
return to;
|
|
17
|
-
};
|
|
18
|
-
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
19
|
-
|
|
20
|
-
// src/index.ts
|
|
21
|
-
var index_exports = {};
|
|
22
|
-
__export(index_exports, {
|
|
23
|
-
assertTenantAccess: () => assertTenantAccess,
|
|
24
|
-
getPrismaSingleton: () => getPrismaSingleton,
|
|
25
|
-
setTenantAccessChecker: () => setTenantAccessChecker,
|
|
26
|
-
withTenant: () => withTenant
|
|
27
|
-
});
|
|
28
|
-
module.exports = __toCommonJS(index_exports);
|
|
29
|
-
var import_errors = require("@wrelik/errors");
|
|
30
|
-
var accessChecker = async () => false;
|
|
31
|
-
function setTenantAccessChecker(checker) {
|
|
32
|
-
accessChecker = checker;
|
|
33
|
-
}
|
|
34
|
-
async function assertTenantAccess(userId, tenantId) {
|
|
35
|
-
if (!userId || !tenantId) {
|
|
36
|
-
throw new import_errors.TenantRequiredError();
|
|
37
|
-
}
|
|
38
|
-
const allowed = await accessChecker(userId, tenantId);
|
|
39
|
-
if (!allowed) {
|
|
40
|
-
throw new import_errors.PermissionDeniedError(`User ${userId} does not have access to tenant ${tenantId}`);
|
|
41
|
-
}
|
|
42
|
-
}
|
|
43
|
-
function withTenant(tenantId, fn) {
|
|
44
|
-
if (!tenantId) {
|
|
45
|
-
throw new import_errors.TenantRequiredError();
|
|
46
|
-
}
|
|
47
|
-
return fn(tenantId);
|
|
48
|
-
}
|
|
49
|
-
function getPrismaSingleton(factory) {
|
|
50
|
-
const globalForPrisma = global;
|
|
51
|
-
const prisma = globalForPrisma.prisma || factory();
|
|
52
|
-
if (process.env.NODE_ENV !== "production") {
|
|
53
|
-
globalForPrisma.prisma = prisma;
|
|
54
|
-
}
|
|
55
|
-
return prisma;
|
|
56
|
-
}
|
|
57
|
-
// Annotate the CommonJS export names for ESM import in node:
|
|
58
|
-
0 && (module.exports = {
|
|
59
|
-
assertTenantAccess,
|
|
60
|
-
getPrismaSingleton,
|
|
61
|
-
setTenantAccessChecker,
|
|
62
|
-
withTenant
|
|
63
|
-
});
|
package/dist/index.mjs
DELETED
|
@@ -1,35 +0,0 @@
|
|
|
1
|
-
// src/index.ts
|
|
2
|
-
import { PermissionDeniedError, TenantRequiredError } from "@wrelik/errors";
|
|
3
|
-
var accessChecker = async () => false;
|
|
4
|
-
function setTenantAccessChecker(checker) {
|
|
5
|
-
accessChecker = checker;
|
|
6
|
-
}
|
|
7
|
-
async function assertTenantAccess(userId, tenantId) {
|
|
8
|
-
if (!userId || !tenantId) {
|
|
9
|
-
throw new TenantRequiredError();
|
|
10
|
-
}
|
|
11
|
-
const allowed = await accessChecker(userId, tenantId);
|
|
12
|
-
if (!allowed) {
|
|
13
|
-
throw new PermissionDeniedError(`User ${userId} does not have access to tenant ${tenantId}`);
|
|
14
|
-
}
|
|
15
|
-
}
|
|
16
|
-
function withTenant(tenantId, fn) {
|
|
17
|
-
if (!tenantId) {
|
|
18
|
-
throw new TenantRequiredError();
|
|
19
|
-
}
|
|
20
|
-
return fn(tenantId);
|
|
21
|
-
}
|
|
22
|
-
function getPrismaSingleton(factory) {
|
|
23
|
-
const globalForPrisma = global;
|
|
24
|
-
const prisma = globalForPrisma.prisma || factory();
|
|
25
|
-
if (process.env.NODE_ENV !== "production") {
|
|
26
|
-
globalForPrisma.prisma = prisma;
|
|
27
|
-
}
|
|
28
|
-
return prisma;
|
|
29
|
-
}
|
|
30
|
-
export {
|
|
31
|
-
assertTenantAccess,
|
|
32
|
-
getPrismaSingleton,
|
|
33
|
-
setTenantAccessChecker,
|
|
34
|
-
withTenant
|
|
35
|
-
};
|
package/dist/unsupported.d.mts
DELETED
package/dist/unsupported.d.ts
DELETED
package/dist/unsupported.mjs
DELETED
|
@@ -1,12 +0,0 @@
|
|
|
1
|
-
// src/unsupported.ts
|
|
2
|
-
function unsupported() {
|
|
3
|
-
throw new Error(
|
|
4
|
-
"This package is server-only and cannot be used in client/mobile environments. Access this functionality via a backend API instead."
|
|
5
|
-
);
|
|
6
|
-
}
|
|
7
|
-
throw new Error(
|
|
8
|
-
"This package is server-only and cannot be used in client/mobile environments. Access this functionality via a backend API instead."
|
|
9
|
-
);
|
|
10
|
-
export {
|
|
11
|
-
unsupported as default
|
|
12
|
-
};
|
package/src/index.ts
DELETED
|
@@ -1,39 +0,0 @@
|
|
|
1
|
-
import { PermissionDeniedError, TenantRequiredError } from '@wrelik/errors';
|
|
2
|
-
|
|
3
|
-
// Helper types
|
|
4
|
-
type AccessChecker = (userId: string, tenantId: string) => Promise<boolean>;
|
|
5
|
-
|
|
6
|
-
let accessChecker: AccessChecker = async () => false; // Default deny
|
|
7
|
-
|
|
8
|
-
export function setTenantAccessChecker(checker: AccessChecker) {
|
|
9
|
-
accessChecker = checker;
|
|
10
|
-
}
|
|
11
|
-
|
|
12
|
-
export async function assertTenantAccess(userId: string, tenantId: string) {
|
|
13
|
-
if (!userId || !tenantId) {
|
|
14
|
-
throw new TenantRequiredError();
|
|
15
|
-
}
|
|
16
|
-
const allowed = await accessChecker(userId, tenantId);
|
|
17
|
-
if (!allowed) {
|
|
18
|
-
throw new PermissionDeniedError(`User ${userId} does not have access to tenant ${tenantId}`);
|
|
19
|
-
}
|
|
20
|
-
}
|
|
21
|
-
|
|
22
|
-
export function withTenant<T>(tenantId: string, fn: (tenantId: string) => Promise<T>): Promise<T> {
|
|
23
|
-
if (!tenantId) {
|
|
24
|
-
throw new TenantRequiredError();
|
|
25
|
-
}
|
|
26
|
-
return fn(tenantId);
|
|
27
|
-
}
|
|
28
|
-
|
|
29
|
-
// Singleton pattern for Prisma
|
|
30
|
-
export function getPrismaSingleton<T>(factory: () => T): T {
|
|
31
|
-
const globalForPrisma = global as unknown as { prisma: T };
|
|
32
|
-
const prisma = globalForPrisma.prisma || factory();
|
|
33
|
-
|
|
34
|
-
if (process.env.NODE_ENV !== 'production') {
|
|
35
|
-
globalForPrisma.prisma = prisma;
|
|
36
|
-
}
|
|
37
|
-
|
|
38
|
-
return prisma;
|
|
39
|
-
}
|
package/src/unsupported.ts
DELETED
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
export default function unsupported() {
|
|
2
|
-
throw new Error(
|
|
3
|
-
'This package is server-only and cannot be used in client/mobile environments. ' +
|
|
4
|
-
'Access this functionality via a backend API instead.',
|
|
5
|
-
);
|
|
6
|
-
}
|
|
7
|
-
|
|
8
|
-
// Using a Proxy to trap named imports if possible, or just the top level throw is usually enough for side-effect imports.
|
|
9
|
-
// But for named imports, we might need to export them?
|
|
10
|
-
// Since we can't mock all exports, the top level throw is best.
|
|
11
|
-
throw new Error(
|
|
12
|
-
'This package is server-only and cannot be used in client/mobile environments. ' +
|
|
13
|
-
'Access this functionality via a backend API instead.',
|
|
14
|
-
);
|