npm - @zero-server/sdk - Versions diffs - 0.9.0 - Mend

@zero-server/sdk 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (126) hide show

package/LICENSE +21 -0
package/README.md +437 -0
package/index.js +412 -0
package/lib/app.js +1172 -0
package/lib/auth/authorize.js +399 -0
package/lib/auth/enrollment.js +367 -0
package/lib/auth/index.js +57 -0
package/lib/auth/jwt.js +731 -0
package/lib/auth/oauth.js +362 -0
package/lib/auth/session.js +588 -0
package/lib/auth/trustedDevice.js +409 -0
package/lib/auth/twoFactor.js +1150 -0
package/lib/auth/webauthn.js +946 -0
package/lib/body/index.js +14 -0
package/lib/body/json.js +109 -0
package/lib/body/multipart.js +440 -0
package/lib/body/raw.js +71 -0
package/lib/body/rawBuffer.js +161 -0
package/lib/body/sendError.js +25 -0
package/lib/body/text.js +75 -0
package/lib/body/typeMatch.js +42 -0
package/lib/body/urlencoded.js +235 -0
package/lib/cli.js +845 -0
package/lib/cluster.js +666 -0
package/lib/debug.js +372 -0
package/lib/env/index.js +465 -0
package/lib/errors.js +683 -0
package/lib/fetch/index.js +256 -0
package/lib/grpc/balancer.js +378 -0
package/lib/grpc/call.js +708 -0
package/lib/grpc/client.js +764 -0
package/lib/grpc/codec.js +1221 -0
package/lib/grpc/credentials.js +398 -0
package/lib/grpc/frame.js +262 -0
package/lib/grpc/health.js +287 -0
package/lib/grpc/index.js +121 -0
package/lib/grpc/metadata.js +461 -0
package/lib/grpc/proto.js +821 -0
package/lib/grpc/reflection.js +590 -0
package/lib/grpc/server.js +445 -0
package/lib/grpc/status.js +118 -0
package/lib/grpc/watch.js +173 -0
package/lib/http/index.js +10 -0
package/lib/http/request.js +727 -0
package/lib/http/response.js +799 -0
package/lib/lifecycle.js +557 -0
package/lib/middleware/compress.js +230 -0
package/lib/middleware/cookieParser.js +237 -0
package/lib/middleware/cors.js +93 -0
package/lib/middleware/csrf.js +137 -0
package/lib/middleware/errorHandler.js +101 -0
package/lib/middleware/helmet.js +176 -0
package/lib/middleware/index.js +17 -0
package/lib/middleware/logger.js +74 -0
package/lib/middleware/rateLimit.js +88 -0
package/lib/middleware/requestId.js +54 -0
package/lib/middleware/static.js +326 -0
package/lib/middleware/timeout.js +72 -0
package/lib/middleware/validator.js +255 -0
package/lib/observe/health.js +326 -0
package/lib/observe/index.js +50 -0
package/lib/observe/logger.js +359 -0
package/lib/observe/metrics.js +805 -0
package/lib/observe/tracing.js +592 -0
package/lib/orm/adapters/json.js +290 -0
package/lib/orm/adapters/memory.js +764 -0
package/lib/orm/adapters/mongo.js +764 -0
package/lib/orm/adapters/mysql.js +933 -0
package/lib/orm/adapters/postgres.js +1144 -0
package/lib/orm/adapters/redis.js +1534 -0
package/lib/orm/adapters/sql-base.js +212 -0
package/lib/orm/adapters/sqlite.js +858 -0
package/lib/orm/audit.js +649 -0
package/lib/orm/cache.js +394 -0
package/lib/orm/geo.js +387 -0
package/lib/orm/index.js +784 -0
package/lib/orm/migrate.js +432 -0
package/lib/orm/model.js +1706 -0
package/lib/orm/plugin.js +375 -0
package/lib/orm/procedures.js +836 -0
package/lib/orm/profiler.js +233 -0
package/lib/orm/query.js +1772 -0
package/lib/orm/replicas.js +241 -0
package/lib/orm/schema.js +307 -0
package/lib/orm/search.js +380 -0
package/lib/orm/seed/data/commerce.js +136 -0
package/lib/orm/seed/data/internet.js +111 -0
package/lib/orm/seed/data/locations.js +204 -0
package/lib/orm/seed/data/names.js +338 -0
package/lib/orm/seed/data/person.js +128 -0
package/lib/orm/seed/data/phone.js +211 -0
package/lib/orm/seed/data/words.js +134 -0
package/lib/orm/seed/factory.js +178 -0
package/lib/orm/seed/fake.js +1186 -0
package/lib/orm/seed/index.js +18 -0
package/lib/orm/seed/rng.js +71 -0
package/lib/orm/seed/seeder.js +125 -0
package/lib/orm/seed/unique.js +68 -0
package/lib/orm/snapshot.js +366 -0
package/lib/orm/tenancy.js +605 -0
package/lib/orm/views.js +350 -0
package/lib/router/index.js +436 -0
package/lib/sse/index.js +8 -0
package/lib/sse/stream.js +349 -0
package/lib/ws/connection.js +451 -0
package/lib/ws/handshake.js +125 -0
package/lib/ws/index.js +14 -0
package/lib/ws/room.js +223 -0
package/package.json +73 -0
package/types/app.d.ts +223 -0
package/types/auth.d.ts +520 -0
package/types/cluster.d.ts +75 -0
package/types/env.d.ts +80 -0
package/types/errors.d.ts +316 -0
package/types/fetch.d.ts +43 -0
package/types/grpc.d.ts +432 -0
package/types/index.d.ts +384 -0
package/types/lifecycle.d.ts +60 -0
package/types/middleware.d.ts +320 -0
package/types/observe.d.ts +304 -0
package/types/orm.d.ts +1887 -0
package/types/request.d.ts +109 -0
package/types/response.d.ts +157 -0
package/types/router.d.ts +78 -0
package/types/sse.d.ts +78 -0
package/types/websocket.d.ts +126 -0

package/lib/auth/authorize.js ADDED Viewed

@@ -0,0 +1,399 @@
+/**
+ * @module auth/authorize
+ * @description Authorization helpers — role-based access control (RBAC),
+ *              permission-based access, and policy classes.
+ *
+ *              Works with any authentication middleware that sets `req.user`.
+ *
+ * @example
+ *   const { createApp, jwt, authorize, can, canAny, Policy, gate,
+ *       attachUserHelpers, Router } = require('@zero-server/sdk');
+ *   const app = createApp();
+ *
+ *   app.use(jwt({ secret: process.env.JWT_SECRET }));
+ *   app.use(attachUserHelpers());
+ *
+ *   // Role-based — only admins and editors can modify posts
+ *   app.put('/posts/:id', authorize('admin', 'editor'), (req, res) => {
+ *       res.json({ updated: true });
+ *   });
+ *
+ *   // Permission-based — require ALL listed permissions
+ *   app.delete('/users/:id', can('users:read', 'users:delete'), (req, res) => {
+ *       res.json({ deleted: true });
+ *   });
+ *
+ *   // ANY permission — useful for overlapping access
+ *   app.get('/reports', canAny('reports:read', 'admin:read'), (req, res) => {
+ *       res.json({ reports: [] });
+ *   });
+ *
+ *   // Policy class — resource-level authorization
+ *   class PostPolicy extends Policy {
+ *       before(user) { if (user.role === 'superadmin') return true; }
+ *       update(user, post) { return user.id === post.authorId || user.role === 'admin'; }
+ *       delete(user, post) { return user.role === 'admin'; }
+ *   }
+ *
+ *   app.put('/posts/:id', gate(new PostPolicy(), 'update', async (req) => {
+ *       return await Post.findById(req.params.id);
+ *   }), (req, res) => {
+ *       // req.resource is auto-populated by gate()
+ *       res.json({ updated: req.resource });
+ *   });
+ *
+ *   // Inline checks via attachUserHelpers()
+ *   app.get('/dashboard', (req, res) => {
+ *       const data = { user: req.user.sub };
+ *       if (req.user.is('admin')) data.adminPanel = true;
+ *       if (req.user.can('reports:export')) data.canExport = true;
+ *       res.json(data);
+ *   });
+ */
+const log = require('../debug')('zero:auth');
+// -- Role-Based Access Control ------------------------------------
+/**
+ * Role-based authorization middleware.
+ * Checks `req.user.role` or `req.user.roles` against allowed roles.
+ *
+ * Returns 401 if `req.user` is missing (not authenticated).
+ * Returns 403 if the user's role is not in the allowed list.
+ *
+ * @param {...string} roles - Allowed roles.
+ * @returns {Function} Middleware `(req, res, next) => void`.
+ *
+ * @example
+ *   app.get('/admin', authorize('admin'), (req, res) => {
+ *       res.json({ message: 'Welcome, admin!' });
+ *   });
+ *
+ * @example | Multiple Roles
+ *   app.put('/posts/:id', authorize('admin', 'editor'), (req, res) => {
+ *       res.json({ updated: true });
+ *   });
+ */
+function authorize(...roles)
+{
+    const allowed = new Set(roles.flat());
+    return function authorizeMiddleware(req, res, next)
+    {
+        if (!req.user)
+        {
+            return res.status(401).json({
+                error: 'Authentication required',
+                code: 'NOT_AUTHENTICATED',
+                statusCode: 401,
+            });
+        }
+        const userRoles = _extractRoles(req.user);
+        const hasRole = userRoles.some(r => allowed.has(r));
+        if (!hasRole)
+        {
+            log.debug('access denied: user roles [%s] not in [%s]', userRoles.join(', '), [...allowed].join(', '));
+            return res.status(403).json({
+                error: 'Insufficient permissions',
+                code: 'FORBIDDEN',
+                statusCode: 403,
+            });
+        }
+        log.debug('authorized: role=%s', userRoles.find(r => allowed.has(r)));
+        next();
+    };
+}
+// -- Permission-Based Access Control --------------------------------
+/**
+ * Permission-based authorization middleware.
+ * Checks `req.user.permissions` (array or Set) for the required permission(s).
+ *
+ * Permission strings follow a `resource:action` convention:
+ *   - `'posts:write'` — write access to posts
+ *   - `'users:delete'` — delete users
+ *   - `'*'` — superuser wildcard
+ *
+ * @param {...string} permissions - Required permissions (ALL must be present unless `opts.any` is true).
+ * @returns {Function} Middleware `(req, res, next) => void`.
+ *
+ * @example | Require Specific Permission
+ *   app.post('/posts', can('posts:write'), (req, res) => {
+ *       res.status(201).json(req.body);
+ *   });
+ *
+ * @example | Require ALL Permissions
+ *   app.put('/users/:id', can('users:read', 'users:write'), (req, res) => {
+ *       res.json({ updated: true });
+ *   });
+ *
+ * @example | Require ANY Permission
+ *   app.get('/dashboard', canAny('admin:read', 'reports:read'), (req, res) => {
+ *       res.json({ dashboard: true });
+ *   });
+ */
+function can(...permissions)
+{
+    return _permissionMiddleware(permissions.flat(), false);
+}
+/**
+ * Like `can()`, but passes if the user has ANY of the listed permissions.
+ *
+ * @param {...string} permissions - Permissions to check (any one is sufficient).
+ * @returns {Function} Middleware.
+ *
+ * @example
+ *   app.get('/reports', canAny('reports:read', 'admin:read'), (req, res) => {
+ *       res.json({ reports: [] });
+ *   });
+ */
+function canAny(...permissions)
+{
+    return _permissionMiddleware(permissions.flat(), true);
+}
+/** @private */
+function _permissionMiddleware(required, anyMode)
+{
+    return function permissionMiddleware(req, res, next)
+    {
+        if (!req.user)
+        {
+            return res.status(401).json({
+                error: 'Authentication required',
+                code: 'NOT_AUTHENTICATED',
+                statusCode: 401,
+            });
+        }
+        const userPerms = _extractPermissions(req.user);
+        // Wildcard superuser
+        if (userPerms.has('*'))
+        {
+            log.debug('wildcard permission granted');
+            return next();
+        }
+        const check = anyMode
+            ? required.some(p => userPerms.has(p))
+            : required.every(p => userPerms.has(p));
+        if (!check)
+        {
+            log.debug('permission denied: required [%s] (mode=%s)', required.join(', '), anyMode ? 'any' : 'all');
+            return res.status(403).json({
+                error: 'Insufficient permissions',
+                code: 'FORBIDDEN',
+                statusCode: 403,
+            });
+        }
+        next();
+    };
+}
+// -- Policy Classes -----------------------------------------------
+/**
+ * Base policy class for resource-level authorization.
+ * Subclass and define methods matching action names.
+ * Each method receives `(user, resource)` and returns `boolean`.
+ *
+ * @example
+ *   class PostPolicy extends Policy {
+ *       view()                 { return true; }          // anyone can view
+ *       update(user, post)     { return user.id === post.authorId; }
+ *       delete(user, post)     { return user.role === 'admin'; }
+ *       publish(user, post)    { return ['admin', 'editor'].includes(user.role); }
+ *   }
+ */
+class Policy
+{
+    /**
+     * Check if an action is allowed.
+     * Falls through to the action method if defined, otherwise denies.
+     *
+     * @param {string} action - The action name (method name).
+     * @param {object} user - The authenticated user.
+     * @param {object} [resource] - The resource being accessed.
+     * @returns {boolean|Promise<boolean>}
+     */
+    check(action, user, resource)
+    {
+        if (typeof this.before === 'function')
+        {
+            const beforeResult = this.before(user, action, resource);
+            if (beforeResult === true) return true;
+            if (beforeResult === false) return false;
+            // undefined = continue to action method
+        }
+        if (typeof this[action] !== 'function') return false;
+        return this[action](user, resource);
+    }
+}
+/**
+ * Policy gate middleware.
+ * Runs a policy check against a resource loaded from the request.
+ *
+ * @param {Policy} policy - Policy instance.
+ * @param {string} action - Action name to check.
+ * @param {Function} [getResource] - `async (req) => resource` loader. If omitted, passes `null`.
+ * @returns {Function} Middleware `(req, res, next) => void`.
+ *
+ * @example
+ *   const postPolicy = new PostPolicy();
+ *
+ *   // With resource loader
+ *   app.put('/posts/:id', gate(postPolicy, 'update', async (req) => {
+ *       return await Post.findById(req.params.id);
+ *   }), (req, res) => {
+ *       res.json({ updated: req.resource });
+ *   });
+ *
+ *   // Without resource (for create/list actions)
+ *   app.post('/posts', gate(postPolicy, 'create'), (req, res) => {
+ *       res.status(201).json(req.body);
+ *   });
+ */
+function gate(policy, action, getResource)
+{
+    return async function gateMiddleware(req, res, next)
+    {
+        if (!req.user)
+        {
+            return res.status(401).json({
+                error: 'Authentication required',
+                code: 'NOT_AUTHENTICATED',
+                statusCode: 401,
+            });
+        }
+        let resource = null;
+        if (typeof getResource === 'function')
+        {
+            resource = await getResource(req);
+        }
+        const allowed = await policy.check(action, req.user, resource);
+        if (!allowed)
+        {
+            log.debug('policy denied: action=%s', action);
+            return res.status(403).json({
+                error: 'Action not allowed',
+                code: 'POLICY_DENIED',
+                statusCode: 403,
+            });
+        }
+        // Attach resource if loaded — saves a redundant DB query in the handler
+        if (resource && !req.resource) req.resource = resource;
+        next();
+    };
+}
+// -- req.user helpers (mixed in by middleware barrel) ----------------
+/**
+ * Attach convenience authorization methods to `req.user`.
+ * Call this middleware after JWT/session middleware.
+ *
+ * Adds:
+ *   - `req.user.is(...roles)` — check roles
+ *   - `req.user.can(...perms)` — check permissions
+ *
+ * @returns {Function} Middleware.
+ *
+ * @example
+ *   app.use(jwt({ secret }));
+ *   app.use(attachUserHelpers());
+ *
+ *   app.get('/dashboard', (req, res) => {
+ *       if (req.user.is('admin')) {
+ *           // admin view
+ *       }
+ *       if (req.user.can('reports:export')) {
+ *           // show export button
+ *       }
+ *   });
+ */
+function attachUserHelpers()
+{
+    return function userHelpersMiddleware(req, res, next)
+    {
+        if (!req.user) return next();
+        if (!req.user.is)
+        {
+            req.user.is = (...roles) =>
+            {
+                const userRoles = _extractRoles(req.user);
+                return roles.flat().some(r => userRoles.includes(r));
+            };
+        }
+        if (!req.user.can)
+        {
+            req.user.can = (...perms) =>
+            {
+                const userPerms = _extractPermissions(req.user);
+                if (userPerms.has('*')) return true;
+                return perms.flat().every(p => userPerms.has(p));
+            };
+        }
+        next();
+    };
+}
+// -- Internal Helpers -----------------------------------------------
+/**
+ * Normalise user roles from various formats.
+ * Supports `user.role` (string), `user.roles` (array), and `user.role` (array).
+ *
+ * @param {object} user
+ * @returns {string[]}
+ * @private
+ */
+function _extractRoles(user)
+{
+    if (!user) return [];
+    if (Array.isArray(user.roles)) return user.roles;
+    if (Array.isArray(user.role)) return user.role;
+    if (typeof user.role === 'string') return [user.role];
+    return [];
+}
+/**
+ * Normalise user permissions from various formats.
+ * Supports `user.permissions` (array or Set), `user.scopes` (array).
+ *
+ * @param {object} user
+ * @returns {Set<string>}
+ * @private
+ */
+function _extractPermissions(user)
+{
+    if (!user) return new Set();
+    if (user.permissions instanceof Set) return user.permissions;
+    if (Array.isArray(user.permissions)) return new Set(user.permissions);
+    if (Array.isArray(user.scopes)) return new Set(user.scopes);
+    return new Set();
+}
+module.exports = {
+    authorize,
+    can,
+    canAny,
+    Policy,
+    gate,
+    attachUserHelpers,
+};