aaspai-authx 0.0.3 → 0.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/express/index.cjs +73 -59
- package/dist/express/index.cjs.map +1 -1
- package/dist/express/index.js +73 -59
- package/dist/express/index.js.map +1 -1
- package/dist/index.cjs +73 -59
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +19 -19
- package/dist/index.d.ts +19 -19
- package/dist/index.js +73 -59
- package/dist/index.js.map +1 -1
- package/dist/nest/index.cjs +73 -59
- package/dist/nest/index.cjs.map +1 -1
- package/dist/nest/index.js +73 -59
- package/dist/nest/index.js.map +1 -1
- package/package.json +1 -1
package/dist/express/index.cjs
CHANGED
|
@@ -111,26 +111,15 @@ function isPlainObject(value) {
|
|
|
111
111
|
var PLATFORM_ROLES = [
|
|
112
112
|
{
|
|
113
113
|
role: "platform_admin",
|
|
114
|
-
permissions: [
|
|
115
|
-
"projects.create",
|
|
116
|
-
"projects.read",
|
|
117
|
-
"projects.update",
|
|
118
|
-
"projects.delete",
|
|
119
|
-
"users.manage",
|
|
120
|
-
"api.manage"
|
|
121
|
-
]
|
|
114
|
+
permissions: []
|
|
122
115
|
},
|
|
123
116
|
{
|
|
124
117
|
role: "platform_manager",
|
|
125
|
-
permissions: [
|
|
126
|
-
"projects.read",
|
|
127
|
-
"projects.update",
|
|
128
|
-
"users.read"
|
|
129
|
-
]
|
|
118
|
+
permissions: []
|
|
130
119
|
},
|
|
131
120
|
{
|
|
132
121
|
role: "platform_user",
|
|
133
|
-
permissions: [
|
|
122
|
+
permissions: []
|
|
134
123
|
}
|
|
135
124
|
];
|
|
136
125
|
function getPermissionsForRoles(roles) {
|
|
@@ -188,17 +177,36 @@ function buildSession(payload) {
|
|
|
188
177
|
return session;
|
|
189
178
|
}
|
|
190
179
|
|
|
191
|
-
// src/models/
|
|
180
|
+
// src/models/rolePermission.model.ts
|
|
192
181
|
var import_mongoose = __toESM(require("mongoose"), 1);
|
|
182
|
+
var RolePermissionSchema = new import_mongoose.Schema(
|
|
183
|
+
{
|
|
184
|
+
orgId: { type: String, default: null, index: true },
|
|
185
|
+
role: { type: String, required: true },
|
|
186
|
+
permissions: { type: [String], default: [] }
|
|
187
|
+
},
|
|
188
|
+
{
|
|
189
|
+
timestamps: true
|
|
190
|
+
}
|
|
191
|
+
);
|
|
192
|
+
RolePermissionSchema.index({ orgId: 1, role: 1 }, { unique: true });
|
|
193
|
+
var RolePermissionModel = import_mongoose.default.model(
|
|
194
|
+
"RolePermission",
|
|
195
|
+
RolePermissionSchema,
|
|
196
|
+
"role_permissions"
|
|
197
|
+
);
|
|
198
|
+
|
|
199
|
+
// src/models/user.model.ts
|
|
200
|
+
var import_mongoose2 = __toESM(require("mongoose"), 1);
|
|
193
201
|
var import_uuid = require("uuid");
|
|
194
|
-
var MetadataSchema = new
|
|
202
|
+
var MetadataSchema = new import_mongoose2.default.Schema(
|
|
195
203
|
{
|
|
196
204
|
key: { type: String, required: true },
|
|
197
|
-
value: { type:
|
|
205
|
+
value: { type: import_mongoose2.default.Schema.Types.Mixed, required: true }
|
|
198
206
|
},
|
|
199
207
|
{ _id: false }
|
|
200
208
|
);
|
|
201
|
-
var OrgUserSchema = new
|
|
209
|
+
var OrgUserSchema = new import_mongoose2.default.Schema(
|
|
202
210
|
{
|
|
203
211
|
id: { type: String, default: (0, import_uuid.v4)(), index: true },
|
|
204
212
|
email: { type: String, required: true, unique: true },
|
|
@@ -215,7 +223,7 @@ var OrgUserSchema = new import_mongoose.default.Schema(
|
|
|
215
223
|
},
|
|
216
224
|
{ timestamps: true, collection: "users" }
|
|
217
225
|
);
|
|
218
|
-
var OrgUser =
|
|
226
|
+
var OrgUser = import_mongoose2.default.model("OrgUser", OrgUserSchema);
|
|
219
227
|
|
|
220
228
|
// src/utils/extract.ts
|
|
221
229
|
var import_cookie = require("cookie");
|
|
@@ -280,14 +288,33 @@ function verifyJwt(token) {
|
|
|
280
288
|
}
|
|
281
289
|
|
|
282
290
|
// src/middlewares/auth.middleware.ts
|
|
291
|
+
async function mergeRolePermissions(session) {
|
|
292
|
+
const roles = Array.isArray(session.roles) ? session.roles : [];
|
|
293
|
+
if (!roles.length) return;
|
|
294
|
+
const orgContexts = /* @__PURE__ */ new Set();
|
|
295
|
+
if (session.orgId) orgContexts.add(session.orgId);
|
|
296
|
+
if (session.org_id) orgContexts.add(session.org_id);
|
|
297
|
+
if (session.projectId) orgContexts.add(session.projectId);
|
|
298
|
+
orgContexts.add(null);
|
|
299
|
+
const docs = await RolePermissionModel.find({
|
|
300
|
+
orgId: { $in: Array.from(orgContexts) },
|
|
301
|
+
role: { $in: roles }
|
|
302
|
+
}).lean().exec();
|
|
303
|
+
const dynamic = /* @__PURE__ */ new Set();
|
|
304
|
+
for (const doc of docs) {
|
|
305
|
+
for (const perm of doc.permissions || []) {
|
|
306
|
+
if (perm) dynamic.add(perm);
|
|
307
|
+
}
|
|
308
|
+
}
|
|
309
|
+
const existing = Array.isArray(session.permissions) ? session.permissions : [];
|
|
310
|
+
session.permissions = Array.from(/* @__PURE__ */ new Set([...existing, ...dynamic]));
|
|
311
|
+
}
|
|
283
312
|
function requireAuth() {
|
|
284
313
|
return async (req, res, next) => {
|
|
285
314
|
try {
|
|
286
315
|
const apiKey = req.headers["x-api-key"] || req.headers["x-apikey"];
|
|
287
316
|
const userId = req.headers["x-user-id"] || req.headers["x-userId"];
|
|
288
|
-
console.log(apiKey, "apikey", userId, "userId");
|
|
289
317
|
if (apiKey) {
|
|
290
|
-
console.log("inside apikey");
|
|
291
318
|
if (apiKey !== process.env.SERVER_API_KEY) {
|
|
292
319
|
return res.status(401).json({ error: "Invalid API key" });
|
|
293
320
|
}
|
|
@@ -301,14 +328,17 @@ function requireAuth() {
|
|
|
301
328
|
const session = buildSession({
|
|
302
329
|
sub: user.id.toString(),
|
|
303
330
|
email: user.email,
|
|
304
|
-
roles: user.roles || []
|
|
331
|
+
roles: user.roles || [],
|
|
332
|
+
orgId: user.orgId,
|
|
333
|
+
org_id: user.orgId,
|
|
334
|
+
projectId: user.projectId
|
|
305
335
|
});
|
|
306
336
|
session.authType = "api-key";
|
|
307
337
|
session.projectId = readProjectId(req) || user.projectId || void 0;
|
|
338
|
+
await mergeRolePermissions(session);
|
|
308
339
|
req.user = session;
|
|
309
340
|
return next();
|
|
310
341
|
} else {
|
|
311
|
-
console.log("inside token");
|
|
312
342
|
const token = extractToken(req);
|
|
313
343
|
if (!token) {
|
|
314
344
|
return res.status(401).json({ error: "Missing token" });
|
|
@@ -317,6 +347,7 @@ function requireAuth() {
|
|
|
317
347
|
const session = buildSession(claims);
|
|
318
348
|
const pid = readProjectId(req);
|
|
319
349
|
if (pid) session.projectId = pid;
|
|
350
|
+
await mergeRolePermissions(session);
|
|
320
351
|
req.user = session;
|
|
321
352
|
next();
|
|
322
353
|
}
|
|
@@ -373,8 +404,8 @@ function validateSendInvite(req, res, next) {
|
|
|
373
404
|
}
|
|
374
405
|
|
|
375
406
|
// src/models/invite.model.ts
|
|
376
|
-
var
|
|
377
|
-
var InviteSchema = new
|
|
407
|
+
var import_mongoose3 = __toESM(require("mongoose"), 1);
|
|
408
|
+
var InviteSchema = new import_mongoose3.default.Schema(
|
|
378
409
|
{
|
|
379
410
|
id: { type: String, required: true, index: true },
|
|
380
411
|
email: { type: String, required: true },
|
|
@@ -392,15 +423,15 @@ var InviteSchema = new import_mongoose2.default.Schema(
|
|
|
392
423
|
},
|
|
393
424
|
{ timestamps: true, collection: "invites" }
|
|
394
425
|
);
|
|
395
|
-
var Invite =
|
|
426
|
+
var Invite = import_mongoose3.default.model("Invite", InviteSchema);
|
|
396
427
|
|
|
397
428
|
// src/services/auth-admin.service.ts
|
|
398
429
|
var import_bcrypt = __toESM(require("bcrypt"), 1);
|
|
399
430
|
var import_jsonwebtoken2 = __toESM(require("jsonwebtoken"), 1);
|
|
400
431
|
|
|
401
432
|
// src/models/client.model.ts
|
|
402
|
-
var
|
|
403
|
-
var ClientSchema = new
|
|
433
|
+
var import_mongoose4 = __toESM(require("mongoose"), 1);
|
|
434
|
+
var ClientSchema = new import_mongoose4.Schema(
|
|
404
435
|
{
|
|
405
436
|
clientId: {
|
|
406
437
|
type: String,
|
|
@@ -428,26 +459,7 @@ var ClientSchema = new import_mongoose3.Schema(
|
|
|
428
459
|
timestamps: true
|
|
429
460
|
}
|
|
430
461
|
);
|
|
431
|
-
var ClientModel =
|
|
432
|
-
|
|
433
|
-
// src/models/rolePermission.model.ts
|
|
434
|
-
var import_mongoose4 = __toESM(require("mongoose"), 1);
|
|
435
|
-
var RolePermissionSchema = new import_mongoose4.Schema(
|
|
436
|
-
{
|
|
437
|
-
orgId: { type: String, default: null, index: true },
|
|
438
|
-
role: { type: String, required: true },
|
|
439
|
-
permissions: { type: [String], default: [] }
|
|
440
|
-
},
|
|
441
|
-
{
|
|
442
|
-
timestamps: true
|
|
443
|
-
}
|
|
444
|
-
);
|
|
445
|
-
RolePermissionSchema.index({ orgId: 1, role: 1 }, { unique: true });
|
|
446
|
-
var RolePermissionModel = import_mongoose4.default.model(
|
|
447
|
-
"RolePermission",
|
|
448
|
-
RolePermissionSchema,
|
|
449
|
-
"role_permissions"
|
|
450
|
-
);
|
|
462
|
+
var ClientModel = import_mongoose4.default.models.Client || import_mongoose4.default.model("Client", ClientSchema);
|
|
451
463
|
|
|
452
464
|
// src/services/auth-admin.service.ts
|
|
453
465
|
var AuthAdminService = class {
|
|
@@ -497,7 +509,7 @@ var AuthAdminService = class {
|
|
|
497
509
|
return user;
|
|
498
510
|
}
|
|
499
511
|
async assignRealmRole(userId, roleName) {
|
|
500
|
-
const role = await RolePermissionModel.findOne({
|
|
512
|
+
const role = await RolePermissionModel.findOne({ role: roleName });
|
|
501
513
|
if (!role) throw new Error(`Role not found: ${roleName}`);
|
|
502
514
|
await OrgUser.findOneAndUpdate(
|
|
503
515
|
{ id: userId },
|
|
@@ -1041,16 +1053,18 @@ async function sendRateLimitedEmail({
|
|
|
1041
1053
|
return { rateLimited: false };
|
|
1042
1054
|
}
|
|
1043
1055
|
function generateTokens(user) {
|
|
1044
|
-
const
|
|
1045
|
-
|
|
1046
|
-
|
|
1047
|
-
|
|
1048
|
-
|
|
1049
|
-
|
|
1050
|
-
|
|
1051
|
-
|
|
1052
|
-
|
|
1053
|
-
|
|
1056
|
+
const accessPayload = {
|
|
1057
|
+
sub: user.id.toString(),
|
|
1058
|
+
email: user.email,
|
|
1059
|
+
roles: user.roles || [],
|
|
1060
|
+
orgId: user.orgId || null,
|
|
1061
|
+
org_id: user.orgId || null,
|
|
1062
|
+
projectId: user.projectId || null,
|
|
1063
|
+
type: "user"
|
|
1064
|
+
};
|
|
1065
|
+
const accessToken = import_jsonwebtoken4.default.sign(accessPayload, process.env.JWT_SECRET, {
|
|
1066
|
+
expiresIn: "1h"
|
|
1067
|
+
});
|
|
1054
1068
|
const refreshToken = import_jsonwebtoken4.default.sign(
|
|
1055
1069
|
{ sub: user._id.toString() },
|
|
1056
1070
|
process.env.JWT_SECRET,
|