@zetra/citrineos-util 1.8.3-fork.1

package/dist/authorization/ApiAuthPlugin.d.ts

@@ -0,0 +1,52 @@
+import type { FastifyPluginAsync, FastifyReply } from 'fastify';
+import type { ILogObj } from 'tslog';
+import { Logger } from 'tslog';
+import type { IApiAuthProvider, UserInfo } from '@citrineos/base';
+/**
+ * Options for the authentication plugin
+ */
+export interface AuthPluginOptions {
+    /**
+     * Routes that don't require authentication
+     */
+    excludedRoutes?: string[];
+    /**
+     * Enable verbose debug logging
+     */
+    debug?: boolean;
+}
+/**
+ * Extend the FastifyRequest interface to include user information
+ */
+declare module 'fastify' {
+    interface FastifyRequest {
+        /**
+         * Authenticated user information
+         */
+        user?: UserInfo;
+    }
+}
+/**
+ * Extend FastifyInstance to include our auth functions and provider
+ */
+declare module 'fastify' {
+    interface FastifyInstance {
+        /**
+         * The authentication provider instance
+         */
+        authProvider: IApiAuthProvider;
+        /**
+         * Authenticates a request by validating the token in Authorization header
+         */
+        authenticate: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+        /**
+         * Authorizes a request for a specific resource
+         */
+        authorize: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+    }
+}
+export declare const apiAuthPluginFp: FastifyPluginAsync<{
+    provider: IApiAuthProvider;
+    options?: AuthPluginOptions;
+    logger?: Logger<ILogObj>;
+}>;

package/dist/authorization/ApiAuthPlugin.js

@@ -0,0 +1,122 @@
+// SPDX-FileCopyrightText: 2025 Contributors to the CitrineOS Project
+//
+// SPDX-License-Identifier: Apache-2.0
+import { Logger } from 'tslog';
+import fp from 'fastify-plugin';
+import { HttpStatus } from '@citrineos/base';
+/**
+ * Authentication plugin for Fastify
+ * This plugin adds authentication and authorization capabilities to Fastify
+ * using the provided auth provider
+ *
+ * @param fastify Fastify instance
+ * @param provider Auth provider instance
+ * @param options Plugin options
+ */
+const apiAuthPlugin = async (fastify, { provider, options = {}, logger }) => {
+    //TODO add logger instance ?
+    const _logger = logger
+        ? logger.getSubLogger({ name: 'AuthPlugin' })
+        : new Logger({ name: 'AuthPlugin' });
+    // Register the auth provider
+    fastify.decorate('authProvider', provider);
+    // Helper to check if a route is excluded from authentication
+    function isExcludedRoute(url) {
+        // Always exclude health check
+        if (url === '/health') {
+            return true;
+        }
+        const isExcluded = !!options.excludedRoutes?.some((route) => url === route || url.startsWith(`${route}/`));
+        if (isExcluded && options.debug) {
+            _logger.debug(`Skipping authentication for excluded route: ${url}`);
+        }
+        return isExcluded;
+    }
+    // Authentication decorator - validates token from Authorization header
+    fastify.decorate('authenticate', async function (request, reply) {
+        try {
+            // Extract token
+            const token = await provider.extractToken(request);
+            if (!token) {
+                reply.code(HttpStatus.UNAUTHORIZED).send({
+                    error: 'Unauthorized',
+                    message: 'Missing or invalid authorization header',
+                });
+                return;
+            }
+            // Authenticate token
+            const authResult = await provider.authenticateToken(token);
+            if (!authResult.isAuthenticated || !authResult.user) {
+                reply.code(HttpStatus.UNAUTHORIZED).send({
+                    error: 'Unauthorized',
+                    message: authResult.error || 'Invalid token',
+                });
+                return;
+            }
+            // Store user info in request
+            request.user = authResult.user;
+            if (options.debug) {
+                _logger.debug(`Authenticated user: ${authResult.user.id} (${authResult.user.name})`);
+                _logger.debug(`Roles: ${authResult.user.roles.join(', ')}`);
+            }
+        }
+        catch (error) {
+            _logger.error('Authentication error:', error);
+            reply.code(HttpStatus.UNAUTHORIZED).send({
+                error: 'Unauthorized',
+                message: 'Authentication failed',
+            });
+        }
+    });
+    // Authorization decorator - authorizes user for the requested resource
+    fastify.decorate('authorize', async function (request, reply) {
+        try {
+            // Check if user is authenticated
+            if (!request.user) {
+                reply.code(HttpStatus.UNAUTHORIZED).send({
+                    error: 'Unauthorized',
+                    message: 'Authentication required',
+                });
+                return;
+            }
+            // Authorize user for this request
+            const authzResult = await provider.authorizeUser(request.user, request);
+            if (!authzResult.isAuthorized) {
+                reply.code(HttpStatus.FORBIDDEN).send({
+                    error: 'Forbidden',
+                    message: authzResult.error || 'Insufficient permissions',
+                });
+                return;
+            }
+            if (options.debug) {
+                _logger.debug(`Authorized user ${request.user.id} for ${request.method} ${request.url}`);
+            }
+        }
+        catch (error) {
+            _logger.error('Authorization error:', error);
+            reply.code(HttpStatus.FORBIDDEN).send({
+                error: 'Forbidden',
+                message: 'Authorization failed',
+            });
+        }
+    });
+    // Add global authentication hook for all routes
+    fastify.addHook('onRequest', async (request, reply) => {
+        // Skip authentication for excluded routes
+        if (isExcludedRoute(request.url)) {
+            if (options.debug) {
+                _logger.trace(`Skipping authentication for excluded route: ${request.url}`);
+            }
+            return;
+        }
+        // Authenticate and authorize the request
+        await fastify.authenticate(request, reply);
+        await fastify.authorize(request, reply);
+    });
+    _logger.info('Authentication plugin registered');
+};
+export const apiAuthPluginFp = fp(apiAuthPlugin, {
+    name: 'apiAuth',
+    fastify: '5.x',
+});
+//# sourceMappingURL=ApiAuthPlugin.js.map

package/dist/authorization/ApiAuthPlugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ApiAuthPlugin.js","sourceRoot":"","sources":["../../src/authorization/ApiAuthPlugin.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,sCAAsC;AAItC,OAAO,EAAE,MAAM,EAAE,MAAM,OAAO,CAAC;AAC/B,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAEhC,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAwD7C;;;;;;;;GAQG;AACH,MAAM,aAAa,GAId,KAAK,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,OAAO,GAAG,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;IACzD,4BAA4B;IAC5B,MAAM,OAAO,GAAG,MAAM;QACpB,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;QAC7C,CAAC,CAAC,IAAI,MAAM,CAAU,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,CAAC;IAChD,6BAA6B;IAC7B,OAAO,CAAC,QAAQ,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC;IAE3C,6DAA6D;IAC7D,SAAS,eAAe,CAAC,GAAW;QAClC,8BAA8B;QAC9B,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,UAAU,GAAG,CAAC,CAAC,OAAO,CAAC,cAAc,EAAE,IAAI,CAC/C,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,KAAK,GAAG,CAAC,CACxD,CAAC;QACF,IAAI,UAAU,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAChC,OAAO,CAAC,KAAK,CAAC,+CAA+C,GAAG,EAAE,CAAC,CAAC;QACtE,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,uEAAuE;IACvE,OAAO,CAAC,QAAQ,CAAC,cAAc,EAAE,KAAK,WAAW,OAAuB,EAAE,KAAmB;QAC3F,IAAI,CAAC;YACH,gBAAgB;YAChB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;YACnD,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC;oBACvC,KAAK,EAAE,cAAc;oBACrB,OAAO,EAAE,yCAAyC;iBACnD,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,qBAAqB;YACrB,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAE3D,IAAI,CAAC,UAAU,CAAC,eAAe,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;gBACpD,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC;oBACvC,KAAK,EAAE,cAAc;oBACrB,OAAO,EAAE,UAAU,CAAC,KAAK,IAAI,eAAe;iBAC7C,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,6BAA6B;YAC7B,OAAO,CAAC,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC;YAE/B,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBAClB,OAAO,CAAC,KAAK,CAAC,uBAAuB,UAAU,CAAC,IAAI,CAAC,EAAE,KAAK,UAAU,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC;gBACrF,OAAO,CAAC,KAAK,CAAC,UAAU,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAC;YAC9C,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC;gBACvC,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,uBAAuB;aACjC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,uEAAuE;IACvE,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,WAAW,OAAuB,EAAE,KAAmB;QACxF,IAAI,CAAC;YACH,iCAAiC;YACjC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;gBAClB,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC;oBACvC,KAAK,EAAE,cAAc;oBACrB,OAAO,EAAE,yBAAyB;iBACnC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,kCAAkC;YAClC,MAAM,WAAW,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAExE,IAAI,CAAC,WAAW,CAAC,YAAY,EAAE,CAAC;gBAC9B,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;oBACpC,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,WAAW,CAAC,KAAK,IAAI,0BAA0B;iBACzD,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBAClB,OAAO,CAAC,KAAK,CAAC,mBAAmB,OAAO,CAAC,IAAI,CAAC,EAAE,QAAQ,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;YAC3F,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,sBAAsB,EAAE,KAAK,CAAC,CAAC;YAC7C,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;gBACpC,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,sBAAsB;aAChC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,gDAAgD;IAChD,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;QACpD,0CAA0C;QAC1C,IAAI,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBAClB,OAAO,CAAC,KAAK,CAAC,+CAA+C,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;YAC9E,CAAC;YACD,OAAO;QACT,CAAC;QAED,yCAAyC;QACzC,MAAM,OAAO,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAC3C,MAAM,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;AACnD,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAG,EAAE,CAAC,aAAa,EAAE;IAC/C,IAAI,EAAE,SAAS;IACf,OAAO,EAAE,KAAK;CACf,CAAC,CAAC"}

package/dist/authorization/OidcTokenProvider.d.ts

@@ -0,0 +1,15 @@
+import type { ILogObj } from 'tslog';
+import { Logger } from 'tslog';
+export interface OidcTokenProviderConfig {
+    tokenUrl: string;
+    clientId: string;
+    clientSecret: string;
+    audience: string;
+}
+export declare class OidcTokenProvider {
+    private config;
+    private oidcToken?;
+    private readonly _logger;
+    constructor(config: OidcTokenProviderConfig, logger?: Logger<ILogObj>);
+    getToken(): Promise<string>;
+}

package/dist/authorization/OidcTokenProvider.js

@@ -0,0 +1,47 @@
+// SPDX-FileCopyrightText: 2025 Contributors to the CitrineOS Project
+//
+// SPDX-License-Identifier: Apache-2.0
+import { Logger } from 'tslog';
+export class OidcTokenProvider {
+    config;
+    oidcToken;
+    _logger;
+    constructor(config, logger) {
+        this.config = config;
+        this._logger = logger
+            ? logger.getSubLogger({ name: this.constructor.name })
+            : new Logger({ name: this.constructor.name });
+    }
+    async getToken() {
+        if (this.oidcToken && this.oidcToken.expiresAt > Date.now()) {
+            this._logger.debug('Returning cached OIDC token');
+            return this.oidcToken.accessToken;
+        }
+        this._logger.debug('Fetching new OIDC token');
+        const response = await fetch(this.config.tokenUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body: new URLSearchParams({
+                grant_type: 'client_credentials',
+                client_id: this.config.clientId,
+                client_secret: this.config.clientSecret,
+                audience: this.config.audience,
+            }),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            this._logger.error('Failed to fetch OIDC token:', errorText);
+            throw new Error(`Failed to fetch OIDC token: ${response.statusText}`);
+        }
+        const tokenData = await response.json();
+        this.oidcToken = {
+            accessToken: tokenData.access_token,
+            // Set expiry to 1 minute before actual expiration to be safe
+            expiresAt: Date.now() + (tokenData.expires_in - 60) * 1000,
+        };
+        return this.oidcToken.accessToken;
+    }
+}
+//# sourceMappingURL=OidcTokenProvider.js.map

package/dist/authorization/OidcTokenProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcTokenProvider.js","sourceRoot":"","sources":["../../src/authorization/OidcTokenProvider.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,sCAAsC;AAGtC,OAAO,EAAE,MAAM,EAAE,MAAM,OAAO,CAAC;AAc/B,MAAM,OAAO,iBAAiB;IAKlB;IAJF,SAAS,CAAa;IACb,OAAO,CAAkB;IAE1C,YACU,MAA+B,EACvC,MAAwB;QADhB,WAAM,GAAN,MAAM,CAAyB;QAGvC,IAAI,CAAC,OAAO,GAAG,MAAM;YACnB,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;YACtD,CAAC,CAAC,IAAI,MAAM,CAAU,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3D,CAAC;IAEM,KAAK,CAAC,QAAQ;QACnB,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC5D,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;YAClD,OAAO,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;QACpC,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE;YACjD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;aACpD;YACD,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,UAAU,EAAE,oBAAoB;gBAChC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAC/B,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;gBACvC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;aAC/B,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,SAAS,CAAC,CAAC;YAC7D,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACxC,IAAI,CAAC,SAAS,GAAG;YACf,WAAW,EAAE,SAAS,CAAC,YAAY;YACnC,6DAA6D;YAC7D,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,SAAS,CAAC,UAAU,GAAG,EAAE,CAAC,GAAG,IAAI;SAC3D,CAAC;QAEF,OAAO,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;IACpC,CAAC;CACF"}

package/dist/authorization/index.d.ts

@@ -0,0 +1,4 @@
+export * from './ApiAuthPlugin.js';
+export { LocalBypassAuthProvider } from './provider/LocalByPassAuthProvider.js';
+export { OIDCAuthProvider } from './provider/OIDCAuthProvider.js';
+export { OidcTokenProvider } from './OidcTokenProvider.js';

package/dist/authorization/index.js

@@ -0,0 +1,8 @@
+// SPDX-FileCopyrightText: 2025 Contributors to the CitrineOS Project
+//
+// SPDX-License-Identifier: Apache-2.0
+export * from './ApiAuthPlugin.js';
+export { LocalBypassAuthProvider } from './provider/LocalByPassAuthProvider.js';
+export { OIDCAuthProvider } from './provider/OIDCAuthProvider.js';
+export { OidcTokenProvider } from './OidcTokenProvider.js';
+//# sourceMappingURL=index.js.map

package/dist/authorization/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/authorization/index.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,sCAAsC;AACtC,cAAc,oBAAoB,CAAC;AACnC,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAClE,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC"}

package/dist/authorization/provider/LocalByPassAuthProvider.d.ts

@@ -0,0 +1,34 @@
+import type { FastifyRequest } from 'fastify';
+import type { ILogObj } from 'tslog';
+import { Logger } from 'tslog';
+import type { IApiAuthProvider, UserInfo } from '@citrineos/base';
+import { ApiAuthenticationResult, ApiAuthorizationResult } from '@citrineos/base';
+/**
+ * A local bypass authentication provider that doesn't perform actual authentication
+ * Only for development and testing environments
+ */
+export declare class LocalBypassAuthProvider implements IApiAuthProvider {
+    private readonly _logger;
+    /**
+     * Creates a new local bypass authentication provider
+     *
+     * @param logger Optional logger instance
+     */
+    constructor(logger?: Logger<ILogObj>);
+    extractToken(_request: FastifyRequest): Promise<string>;
+    /**
+     * Always returns a successful authentication with admin user
+     *
+     * @param token Ignored, can be any string
+     * @returns Authentication result with admin user info
+     */
+    authenticateToken(_token: string): Promise<ApiAuthenticationResult>;
+    /**
+     * Always returns a successful authorization
+     *
+     * @param user Ignored, can be any user
+     * @param request Ignored, can be any request
+     * @returns Always successful authorization
+     */
+    authorizeUser(user: UserInfo, request: FastifyRequest): Promise<ApiAuthorizationResult>;
+}

package/dist/authorization/provider/LocalByPassAuthProvider.js

@@ -0,0 +1,62 @@
+// SPDX-FileCopyrightText: 2025 Contributors to the CitrineOS Project
+//
+// SPDX-License-Identifier: Apache-2.0
+import { Logger } from 'tslog';
+import { ApiAuthenticationResult, ApiAuthorizationResult } from '@citrineos/base';
+/**
+ * A local bypass authentication provider that doesn't perform actual authentication
+ * Only for development and testing environments
+ */
+export class LocalBypassAuthProvider {
+    _logger;
+    /**
+     * Creates a new local bypass authentication provider
+     *
+     * @param logger Optional logger instance
+     */
+    constructor(logger) {
+        this._logger = logger
+            ? logger.getSubLogger({ name: this.constructor.name })
+            : new Logger({ name: this.constructor.name });
+        this._logger.warn('⚠️ WARNING: Using LocalBypassAuthProvider - This should only be used in development environments');
+    }
+    async extractToken(_request) {
+        // Always return a dummy token for local bypass
+        this._logger.debug('LocalBypassAuthProvider.authenticateToken: Returning dummy token');
+        return 'local-bypass-token';
+    }
+    /**
+     * Always returns a successful authentication with admin user
+     *
+     * @param token Ignored, can be any string
+     * @returns Authentication result with admin user info
+     */
+    async authenticateToken(_token) {
+        this._logger.debug('LocalBypassAuthProvider.authenticateToken: Bypassing authentication, using dummy user');
+        // Create a default admin user
+        const user = {
+            id: 'local-admin',
+            name: 'Local Admin',
+            email: 'admin@local',
+            roles: ['admin', 'user'],
+            groups: ['administrators'],
+            tenantId: '1',
+            metadata: {
+                isLocalBypass: true,
+            },
+        };
+        return ApiAuthenticationResult.success(user);
+    }
+    /**
+     * Always returns a successful authorization
+     *
+     * @param user Ignored, can be any user
+     * @param request Ignored, can be any request
+     * @returns Always successful authorization
+     */
+    async authorizeUser(user, request) {
+        this._logger.debug(`LocalBypassAuthProvider.authorizeUser: Bypassing authorization for ${request.method} ${request.url}`);
+        return ApiAuthorizationResult.success();
+    }
+}
+//# sourceMappingURL=LocalByPassAuthProvider.js.map

package/dist/authorization/provider/LocalByPassAuthProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"LocalByPassAuthProvider.js","sourceRoot":"","sources":["../../../src/authorization/provider/LocalByPassAuthProvider.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,sCAAsC;AAItC,OAAO,EAAE,MAAM,EAAE,MAAM,OAAO,CAAC;AAE/B,OAAO,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAElF;;;GAGG;AACH,MAAM,OAAO,uBAAuB;IACjB,OAAO,CAAkB;IAE1C;;;;OAIG;IACH,YAAY,MAAwB;QAClC,IAAI,CAAC,OAAO,GAAG,MAAM;YACnB,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;YACtD,CAAC,CAAC,IAAI,MAAM,CAAU,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC;QAEzD,IAAI,CAAC,OAAO,CAAC,IAAI,CACf,kGAAkG,CACnG,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,QAAwB;QACzC,+CAA+C;QAC/C,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,kEAAkE,CAAC,CAAC;QACvF,OAAO,oBAAoB,CAAC;IAC9B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,iBAAiB,CAAC,MAAc;QACpC,IAAI,CAAC,OAAO,CAAC,KAAK,CAChB,uFAAuF,CACxF,CAAC;QAEF,8BAA8B;QAC9B,MAAM,IAAI,GAAa;YACrB,EAAE,EAAE,aAAa;YACjB,IAAI,EAAE,aAAa;YACnB,KAAK,EAAE,aAAa;YACpB,KAAK,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC;YACxB,MAAM,EAAE,CAAC,gBAAgB,CAAC;YAC1B,QAAQ,EAAE,GAAG;YACb,QAAQ,EAAE;gBACR,aAAa,EAAE,IAAI;aACpB;SACF,CAAC;QAEF,OAAO,uBAAuB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/C,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,aAAa,CAAC,IAAc,EAAE,OAAuB;QACzD,IAAI,CAAC,OAAO,CAAC,KAAK,CAChB,sEAAsE,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,EAAE,CACtG,CAAC;QAEF,OAAO,sBAAsB,CAAC,OAAO,EAAE,CAAC;IAC1C,CAAC;CACF"}

package/dist/authorization/provider/OIDCAuthProvider.d.ts

@@ -0,0 +1,62 @@
+import type { FastifyRequest } from 'fastify';
+import type { ILogObj } from 'tslog';
+import { Logger } from 'tslog';
+import type { IApiAuthProvider, UserInfo } from '@citrineos/base';
+import { ApiAuthenticationResult, ApiAuthorizationResult } from '@citrineos/base';
+export interface OIDCConfig {
+    jwksUri: string;
+    issuer: string;
+    audience?: string;
+    cacheTime?: number;
+    rateLimit?: boolean;
+}
+/**
+ * OIDC authentication provider implementation
+ */
+export declare class OIDCAuthProvider implements IApiAuthProvider {
+    private readonly _config;
+    private readonly _logger;
+    private readonly _jkwsClient;
+    private readonly _rulesLoader;
+    private readonly _defaultTenantId;
+    /**
+     * Creates a new Keycloak authentication provider
+     *
+     * @param config OIDC configuration
+     * @param logger Optional logger instance
+     */
+    constructor(config: OIDCConfig, logger?: Logger<ILogObj>);
+    extractToken(request: FastifyRequest): Promise<string | null>;
+    /**
+     * Authenticates a JWT token from and OIDC provider
+     *
+     * @param token JWT token to authenticate
+     * @returns Authentication result with user info if successful
+     */
+    authenticateToken(token: string): Promise<ApiAuthenticationResult>;
+    /**
+     * Authorizes a user for a specific request
+     * This implementation checks if the user has the required permissions
+     * for the requested URL and method
+     *
+     * @param user User information
+     * @param request Fastify request
+     * @returns Authorization result
+     */
+    authorizeUser(user: UserInfo, request: FastifyRequest): Promise<ApiAuthorizationResult>;
+    /**
+     * Fetches the public key from OIDC provider
+     * @param {string} kid Key ID from the JWT header
+     * @returns {Promise<string>} Public key as a string
+     * @private
+     */
+    private fetchPublicKey;
+    /**
+     * Check if a user has any of the required roles for a specific tenant
+     *
+     * @param user User with roles
+     * @param requiredRoles Array of role names (without tenant prefix)
+     * @returns True if user has any of the required roles
+     */
+    private userHasRequiredRole;
+}

package/dist/authorization/provider/OIDCAuthProvider.js

@@ -0,0 +1,173 @@
+// SPDX-FileCopyrightText: 2025 Contributors to the CitrineOS Project
+//
+// SPDX-License-Identifier: Apache-2.0
+import { Logger } from 'tslog';
+import jwt from 'jsonwebtoken';
+import jwksClient from 'jwks-rsa';
+import JwksRsa from 'jwks-rsa';
+import { ApiAuthenticationResult, ApiAuthorizationResult } from '@citrineos/base';
+import { createPublicKey } from 'crypto';
+import { RbacRulesLoader } from '../rbac/RbacRulesLoader.js';
+/**
+ * OIDC authentication provider implementation
+ */
+export class OIDCAuthProvider {
+    _config;
+    _logger;
+    _jkwsClient;
+    _rulesLoader;
+    _defaultTenantId = '1'; //TODO get default from config
+    /**
+     * Creates a new Keycloak authentication provider
+     *
+     * @param config OIDC configuration
+     * @param logger Optional logger instance
+     */
+    constructor(config, logger) {
+        this._config = {
+            cacheTime: 60 * 60 * 1000, // Default 1 hour cache
+            rateLimit: true,
+            ...config,
+        };
+        this._logger = logger
+            ? logger.getSubLogger({ name: this.constructor.name })
+            : new Logger({ name: this.constructor.name });
+        this._logger.info('OIDC auth provider config', this._config);
+        // Create the JWKS client
+        this._jkwsClient = jwksClient({
+            jwksUri: this._config.jwksUri,
+            cache: true,
+            cacheMaxAge: this._config.cacheTime,
+            rateLimit: this._config.rateLimit,
+            jwksRequestsPerMinute: 5, // Limit requests to JWKS endpoint
+        });
+        this._rulesLoader = new RbacRulesLoader('rbac-rules.json', this._logger);
+        this._logger.info(`OIDC auth provider setup with jwksUri: ${this._config.jwksUri}`);
+    }
+    async extractToken(request) {
+        // Extract the Authorization header
+        const authHeader = request.headers.authorization;
+        if (!authHeader || !authHeader.startsWith('Bearer ')) {
+            this._logger.warn('No Bearer token found in request headers');
+            return null;
+        }
+        // Return the token without the "Bearer " prefix
+        const token = authHeader.slice(7).trim();
+        this._logger.debug('Extracted token from request:', token);
+        return token;
+    }
+    /**
+     * Authenticates a JWT token from and OIDC provider
+     *
+     * @param token JWT token to authenticate
+     * @returns Authentication result with user info if successful
+     */
+    async authenticateToken(token) {
+        try {
+            const decoded = jwt.decode(token, { complete: true });
+            if (!decoded || typeof decoded !== 'object' || !decoded.header || !decoded.header.kid) {
+                throw new Error('Invalid token format');
+            }
+            const publicKey = await this.fetchPublicKey(decoded.header.kid);
+            // Verify the token with the public key
+            const payload = jwt.verify(token, createPublicKey(publicKey));
+            // Extract user info from the decoded token
+            const user = {
+                id: payload.sub,
+                name: payload.preferred_username || payload.name || payload.sub,
+                email: payload.email || '',
+                roles: payload.resource_access.citrineos?.roles,
+                tenantId: payload.tenant_id || this._defaultTenantId,
+                metadata: {
+                    firstName: payload.given_name,
+                    lastName: payload.family_name,
+                    fullName: payload.name,
+                    emailVerified: payload.email_verified,
+                    locale: payload.locale || 'en-US',
+                },
+            };
+            return ApiAuthenticationResult.success(user);
+        }
+        catch (error) {
+            this._logger.error('Token authentication failed:', error);
+            return ApiAuthenticationResult.failure(error instanceof Error ? error.message : 'Invalid token');
+        }
+    }
+    /**
+     * Authorizes a user for a specific request
+     * This implementation checks if the user has the required permissions
+     * for the requested URL and method
+     *
+     * @param user User information
+     * @param request Fastify request
+     * @returns Authorization result
+     */
+    async authorizeUser(user, request) {
+        try {
+            // Get the requested resource and method
+            const url = request.url;
+            const method = request.method;
+            const tenantId = request.query.tenantId || this._defaultTenantId;
+            const requiredRoles = this._rulesLoader.getRequiredRoles(tenantId, url, method);
+            //If no role is found for the requested resource and tenant, decline access
+            if (!requiredRoles || requiredRoles.length === 0) {
+                return ApiAuthorizationResult.failure(`Tenant does not have access to this resource ${url}`);
+            }
+            if (this.userHasRequiredRole(user, requiredRoles)) {
+                return ApiAuthorizationResult.success();
+            }
+            return ApiAuthorizationResult.failure(`Missing required roles. Need one of: ${requiredRoles.join(', ')} for tenant ${tenantId}`);
+        }
+        catch (error) {
+            this._logger.error('Authorization error:', error);
+            return ApiAuthorizationResult.failure(`Authorization error: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    /**
+     * Fetches the public key from OIDC provider
+     * @param {string} kid Key ID from the JWT header
+     * @returns {Promise<string>} Public key as a string
+     * @private
+     */
+    async fetchPublicKey(kid) {
+        try {
+            return new Promise((resolve, reject) => {
+                this._jkwsClient.getSigningKey(kid, (err, key) => {
+                    if (err) {
+                        this._logger.error(`Error fetching signing key for kid: ${kid}`, err);
+                        return reject(err);
+                    }
+                    if (!key) {
+                        const error = new Error(`No signing key found for kid: ${kid}`);
+                        this._logger.error(error.message);
+                        return reject(error);
+                    }
+                    try {
+                        // Get the public key
+                        const signingKey = key.getPublicKey();
+                        resolve(signingKey);
+                    }
+                    catch (keyError) {
+                        this._logger.error('Error extracting public key:', keyError);
+                        reject(keyError);
+                    }
+                });
+            });
+        }
+        catch (error) {
+            this._logger.error('Failed to fetch public key:', error);
+            throw error;
+        }
+    }
+    /**
+     * Check if a user has any of the required roles for a specific tenant
+     *
+     * @param user User with roles
+     * @param requiredRoles Array of role names (without tenant prefix)
+     * @returns True if user has any of the required roles
+     */
+    userHasRequiredRole(user, requiredRoles) {
+        return user.roles.some((userRole) => requiredRoles.includes(userRole));
+    }
+}
+//# sourceMappingURL=OIDCAuthProvider.js.map

package/dist/authorization/provider/OIDCAuthProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"OIDCAuthProvider.js","sourceRoot":"","sources":["../../../src/authorization/provider/OIDCAuthProvider.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,sCAAsC;AAItC,OAAO,EAAE,MAAM,EAAE,MAAM,OAAO,CAAC;AAE/B,OAAO,GAAG,MAAM,cAAc,CAAC;AAC/B,OAAO,UAAU,MAAM,UAAU,CAAC;AAClC,OAAO,OAAO,MAAM,UAAU,CAAC;AAE/B,OAAO,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAClF,OAAO,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAmB7D;;GAEG;AACH,MAAM,OAAO,gBAAgB;IACV,OAAO,CAAa;IACpB,OAAO,CAAkB;IACzB,WAAW,CAAqB;IAChC,YAAY,CAAkB;IAC9B,gBAAgB,GAAW,GAAG,CAAC,CAAC,8BAA8B;IAE/E;;;;;OAKG;IACH,YAAY,MAAkB,EAAE,MAAwB;QACtD,IAAI,CAAC,OAAO,GAAG;YACb,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,uBAAuB;YAClD,SAAS,EAAE,IAAI;YACf,GAAG,MAAM;SACV,CAAC;QAEF,IAAI,CAAC,OAAO,GAAG,MAAM;YACnB,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;YACtD,CAAC,CAAC,IAAI,MAAM,CAAU,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC;QAEzD,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,2BAA2B,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7D,yBAAyB;QACzB,IAAI,CAAC,WAAW,GAAG,UAAU,CAAC;YAC5B,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO;YAC7B,KAAK,EAAE,IAAI;YACX,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;YACnC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;YACjC,qBAAqB,EAAE,CAAC,EAAE,kCAAkC;SAC7D,CAAC,CAAC;QAEH,IAAI,CAAC,YAAY,GAAG,IAAI,eAAe,CAAC,iBAAiB,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAEzE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,0CAA0C,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IACtF,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAuB;QACxC,mCAAmC;QACnC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACrD,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;YAC9D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,gDAAgD;QAChD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACzC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;QAC3D,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,iBAAiB,CAAC,KAAa;QACnC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;YAEtD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;gBACtF,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;YAC1C,CAAC;YACD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,uCAAuC;YACvC,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,eAAe,CAAC,SAAS,CAAC,CAAe,CAAC;YAE5E,2CAA2C;YAC3C,MAAM,IAAI,GAAa;gBACrB,EAAE,EAAE,OAAO,CAAC,GAAa;gBACzB,IAAI,EAAE,OAAO,CAAC,kBAAkB,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG;gBAC/D,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,EAAE;gBAC1B,KAAK,EAAE,OAAO,CAAC,eAAe,CAAC,SAAS,EAAE,KAAK;gBAC/C,QAAQ,EAAE,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC,gBAAgB;gBACpD,QAAQ,EAAE;oBACR,SAAS,EAAE,OAAO,CAAC,UAAU;oBAC7B,QAAQ,EAAE,OAAO,CAAC,WAAW;oBAC7B,QAAQ,EAAE,OAAO,CAAC,IAAI;oBACtB,aAAa,EAAE,OAAO,CAAC,cAAc;oBACrC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,OAAO;iBAClC;aACF,CAAC;YACF,OAAO,uBAAuB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC/C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,8BAA8B,EAAE,KAAK,CAAC,CAAC;YAC1D,OAAO,uBAAuB,CAAC,OAAO,CACpC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CACzD,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,aAAa,CAAC,IAAc,EAAE,OAAuB;QACzD,IAAI,CAAC;YACH,wCAAwC;YACxC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;YACxB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;YAC9B,MAAM,QAAQ,GAAI,OAAO,CAAC,KAA+B,CAAC,QAAQ,IAAI,IAAI,CAAC,gBAAgB,CAAC;YAE5F,MAAM,aAAa,GAAG,IAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,QAAQ,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;YAEhF,2EAA2E;YAC3E,IAAI,CAAC,aAAa,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACjD,OAAO,sBAAsB,CAAC,OAAO,CACnC,gDAAgD,GAAG,EAAE,CACtD,CAAC;YACJ,CAAC;YACD,IAAI,IAAI,CAAC,mBAAmB,CAAC,IAAI,EAAE,aAAa,CAAC,EAAE,CAAC;gBAClD,OAAO,sBAAsB,CAAC,OAAO,EAAE,CAAC;YAC1C,CAAC;YAED,OAAO,sBAAsB,CAAC,OAAO,CACnC,wCAAwC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,QAAQ,EAAE,CAC1F,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,sBAAsB,EAAE,KAAK,CAAC,CAAC;YAClD,OAAO,sBAAsB,CAAC,OAAO,CACnC,wBAAwB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACjF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,cAAc,CAAC,GAAW;QACtC,IAAI,CAAC;YACH,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBAC7C,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;oBAC/C,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,uCAAuC,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;wBACtE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;oBACrB,CAAC;oBAED,IAAI,CAAC,GAAG,EAAE,CAAC;wBACT,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,iCAAiC,GAAG,EAAE,CAAC,CAAC;wBAChE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;wBAClC,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;oBACvB,CAAC;oBAED,IAAI,CAAC;wBACH,qBAAqB;wBACrB,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC;wBACtC,OAAO,CAAC,UAAU,CAAC,CAAC;oBACtB,CAAC;oBAAC,OAAO,QAAQ,EAAE,CAAC;wBAClB,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,8BAA8B,EAAE,QAAQ,CAAC,CAAC;wBAC7D,MAAM,CAAC,QAAQ,CAAC,CAAC;oBACnB,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,KAAK,CAAC,CAAC;YACzD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACK,mBAAmB,CAAC,IAAc,EAAE,aAAuB;QACjE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;IACzE,CAAC;CACF"}

package/dist/authorization/rbac/RbacRulesLoader.d.ts

@@ -0,0 +1,32 @@
+import type { ILogObj } from 'tslog';
+import { Logger } from 'tslog';
+/**
+ * Class to load and validate RBAC rules
+ */
+export declare class RbacRulesLoader {
+    private _rules;
+    private readonly _logger;
+    /**
+     * Creates a new RBAC rules loader
+     *
+     * @param rulesFilePath Path to the JSON rules file
+     * @param logger Logger instance
+     */
+    constructor(rulesFilePath: string, logger: Logger<ILogObj>);
+    /**
+     * Load and validate rules from a JSON file
+     *
+     * @param filePath Path to the JSON rules file
+     */
+    private loadRules;
+    /**
+     * Get the required roles for a specific tenant, URL, and HTTP method
+     *
+     * @param tenantId Tenant identifier
+     * @param url URL path
+     * @param method HTTP method
+     * @returns Array of required roles or null if no matching rule
+     */
+    getRequiredRoles(tenantId: string, url: string, method: string): string[] | null;
+    private normalizeUrl;
+}