aaspai-authx 0.0.3 → 0.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/express/index.cjs +73 -59
- package/dist/express/index.cjs.map +1 -1
- package/dist/express/index.js +73 -59
- package/dist/express/index.js.map +1 -1
- package/dist/index.cjs +73 -59
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +19 -19
- package/dist/index.d.ts +19 -19
- package/dist/index.js +73 -59
- package/dist/index.js.map +1 -1
- package/dist/nest/index.cjs +73 -59
- package/dist/nest/index.cjs.map +1 -1
- package/dist/nest/index.js +73 -59
- package/dist/nest/index.js.map +1 -1
- package/package.json +1 -1
package/dist/express/index.js
CHANGED
|
@@ -71,26 +71,15 @@ function isPlainObject(value) {
|
|
|
71
71
|
var PLATFORM_ROLES = [
|
|
72
72
|
{
|
|
73
73
|
role: "platform_admin",
|
|
74
|
-
permissions: [
|
|
75
|
-
"projects.create",
|
|
76
|
-
"projects.read",
|
|
77
|
-
"projects.update",
|
|
78
|
-
"projects.delete",
|
|
79
|
-
"users.manage",
|
|
80
|
-
"api.manage"
|
|
81
|
-
]
|
|
74
|
+
permissions: []
|
|
82
75
|
},
|
|
83
76
|
{
|
|
84
77
|
role: "platform_manager",
|
|
85
|
-
permissions: [
|
|
86
|
-
"projects.read",
|
|
87
|
-
"projects.update",
|
|
88
|
-
"users.read"
|
|
89
|
-
]
|
|
78
|
+
permissions: []
|
|
90
79
|
},
|
|
91
80
|
{
|
|
92
81
|
role: "platform_user",
|
|
93
|
-
permissions: [
|
|
82
|
+
permissions: []
|
|
94
83
|
}
|
|
95
84
|
];
|
|
96
85
|
function getPermissionsForRoles(roles) {
|
|
@@ -148,17 +137,36 @@ function buildSession(payload) {
|
|
|
148
137
|
return session;
|
|
149
138
|
}
|
|
150
139
|
|
|
140
|
+
// src/models/rolePermission.model.ts
|
|
141
|
+
import mongoose, { Schema } from "mongoose";
|
|
142
|
+
var RolePermissionSchema = new Schema(
|
|
143
|
+
{
|
|
144
|
+
orgId: { type: String, default: null, index: true },
|
|
145
|
+
role: { type: String, required: true },
|
|
146
|
+
permissions: { type: [String], default: [] }
|
|
147
|
+
},
|
|
148
|
+
{
|
|
149
|
+
timestamps: true
|
|
150
|
+
}
|
|
151
|
+
);
|
|
152
|
+
RolePermissionSchema.index({ orgId: 1, role: 1 }, { unique: true });
|
|
153
|
+
var RolePermissionModel = mongoose.model(
|
|
154
|
+
"RolePermission",
|
|
155
|
+
RolePermissionSchema,
|
|
156
|
+
"role_permissions"
|
|
157
|
+
);
|
|
158
|
+
|
|
151
159
|
// src/models/user.model.ts
|
|
152
|
-
import
|
|
160
|
+
import mongoose2 from "mongoose";
|
|
153
161
|
import { v4 as uuid } from "uuid";
|
|
154
|
-
var MetadataSchema = new
|
|
162
|
+
var MetadataSchema = new mongoose2.Schema(
|
|
155
163
|
{
|
|
156
164
|
key: { type: String, required: true },
|
|
157
|
-
value: { type:
|
|
165
|
+
value: { type: mongoose2.Schema.Types.Mixed, required: true }
|
|
158
166
|
},
|
|
159
167
|
{ _id: false }
|
|
160
168
|
);
|
|
161
|
-
var OrgUserSchema = new
|
|
169
|
+
var OrgUserSchema = new mongoose2.Schema(
|
|
162
170
|
{
|
|
163
171
|
id: { type: String, default: uuid(), index: true },
|
|
164
172
|
email: { type: String, required: true, unique: true },
|
|
@@ -175,7 +183,7 @@ var OrgUserSchema = new mongoose.Schema(
|
|
|
175
183
|
},
|
|
176
184
|
{ timestamps: true, collection: "users" }
|
|
177
185
|
);
|
|
178
|
-
var OrgUser =
|
|
186
|
+
var OrgUser = mongoose2.model("OrgUser", OrgUserSchema);
|
|
179
187
|
|
|
180
188
|
// src/utils/extract.ts
|
|
181
189
|
import { parse as parseCookie } from "cookie";
|
|
@@ -240,14 +248,33 @@ function verifyJwt(token) {
|
|
|
240
248
|
}
|
|
241
249
|
|
|
242
250
|
// src/middlewares/auth.middleware.ts
|
|
251
|
+
async function mergeRolePermissions(session) {
|
|
252
|
+
const roles = Array.isArray(session.roles) ? session.roles : [];
|
|
253
|
+
if (!roles.length) return;
|
|
254
|
+
const orgContexts = /* @__PURE__ */ new Set();
|
|
255
|
+
if (session.orgId) orgContexts.add(session.orgId);
|
|
256
|
+
if (session.org_id) orgContexts.add(session.org_id);
|
|
257
|
+
if (session.projectId) orgContexts.add(session.projectId);
|
|
258
|
+
orgContexts.add(null);
|
|
259
|
+
const docs = await RolePermissionModel.find({
|
|
260
|
+
orgId: { $in: Array.from(orgContexts) },
|
|
261
|
+
role: { $in: roles }
|
|
262
|
+
}).lean().exec();
|
|
263
|
+
const dynamic = /* @__PURE__ */ new Set();
|
|
264
|
+
for (const doc of docs) {
|
|
265
|
+
for (const perm of doc.permissions || []) {
|
|
266
|
+
if (perm) dynamic.add(perm);
|
|
267
|
+
}
|
|
268
|
+
}
|
|
269
|
+
const existing = Array.isArray(session.permissions) ? session.permissions : [];
|
|
270
|
+
session.permissions = Array.from(/* @__PURE__ */ new Set([...existing, ...dynamic]));
|
|
271
|
+
}
|
|
243
272
|
function requireAuth() {
|
|
244
273
|
return async (req, res, next) => {
|
|
245
274
|
try {
|
|
246
275
|
const apiKey = req.headers["x-api-key"] || req.headers["x-apikey"];
|
|
247
276
|
const userId = req.headers["x-user-id"] || req.headers["x-userId"];
|
|
248
|
-
console.log(apiKey, "apikey", userId, "userId");
|
|
249
277
|
if (apiKey) {
|
|
250
|
-
console.log("inside apikey");
|
|
251
278
|
if (apiKey !== process.env.SERVER_API_KEY) {
|
|
252
279
|
return res.status(401).json({ error: "Invalid API key" });
|
|
253
280
|
}
|
|
@@ -261,14 +288,17 @@ function requireAuth() {
|
|
|
261
288
|
const session = buildSession({
|
|
262
289
|
sub: user.id.toString(),
|
|
263
290
|
email: user.email,
|
|
264
|
-
roles: user.roles || []
|
|
291
|
+
roles: user.roles || [],
|
|
292
|
+
orgId: user.orgId,
|
|
293
|
+
org_id: user.orgId,
|
|
294
|
+
projectId: user.projectId
|
|
265
295
|
});
|
|
266
296
|
session.authType = "api-key";
|
|
267
297
|
session.projectId = readProjectId(req) || user.projectId || void 0;
|
|
298
|
+
await mergeRolePermissions(session);
|
|
268
299
|
req.user = session;
|
|
269
300
|
return next();
|
|
270
301
|
} else {
|
|
271
|
-
console.log("inside token");
|
|
272
302
|
const token = extractToken(req);
|
|
273
303
|
if (!token) {
|
|
274
304
|
return res.status(401).json({ error: "Missing token" });
|
|
@@ -277,6 +307,7 @@ function requireAuth() {
|
|
|
277
307
|
const session = buildSession(claims);
|
|
278
308
|
const pid = readProjectId(req);
|
|
279
309
|
if (pid) session.projectId = pid;
|
|
310
|
+
await mergeRolePermissions(session);
|
|
280
311
|
req.user = session;
|
|
281
312
|
next();
|
|
282
313
|
}
|
|
@@ -333,8 +364,8 @@ function validateSendInvite(req, res, next) {
|
|
|
333
364
|
}
|
|
334
365
|
|
|
335
366
|
// src/models/invite.model.ts
|
|
336
|
-
import
|
|
337
|
-
var InviteSchema = new
|
|
367
|
+
import mongoose3 from "mongoose";
|
|
368
|
+
var InviteSchema = new mongoose3.Schema(
|
|
338
369
|
{
|
|
339
370
|
id: { type: String, required: true, index: true },
|
|
340
371
|
email: { type: String, required: true },
|
|
@@ -352,15 +383,15 @@ var InviteSchema = new mongoose2.Schema(
|
|
|
352
383
|
},
|
|
353
384
|
{ timestamps: true, collection: "invites" }
|
|
354
385
|
);
|
|
355
|
-
var Invite =
|
|
386
|
+
var Invite = mongoose3.model("Invite", InviteSchema);
|
|
356
387
|
|
|
357
388
|
// src/services/auth-admin.service.ts
|
|
358
389
|
import bcrypt from "bcrypt";
|
|
359
390
|
import jwt2 from "jsonwebtoken";
|
|
360
391
|
|
|
361
392
|
// src/models/client.model.ts
|
|
362
|
-
import
|
|
363
|
-
var ClientSchema = new
|
|
393
|
+
import mongoose4, { Schema as Schema2 } from "mongoose";
|
|
394
|
+
var ClientSchema = new Schema2(
|
|
364
395
|
{
|
|
365
396
|
clientId: {
|
|
366
397
|
type: String,
|
|
@@ -388,26 +419,7 @@ var ClientSchema = new Schema(
|
|
|
388
419
|
timestamps: true
|
|
389
420
|
}
|
|
390
421
|
);
|
|
391
|
-
var ClientModel =
|
|
392
|
-
|
|
393
|
-
// src/models/rolePermission.model.ts
|
|
394
|
-
import mongoose4, { Schema as Schema2 } from "mongoose";
|
|
395
|
-
var RolePermissionSchema = new Schema2(
|
|
396
|
-
{
|
|
397
|
-
orgId: { type: String, default: null, index: true },
|
|
398
|
-
role: { type: String, required: true },
|
|
399
|
-
permissions: { type: [String], default: [] }
|
|
400
|
-
},
|
|
401
|
-
{
|
|
402
|
-
timestamps: true
|
|
403
|
-
}
|
|
404
|
-
);
|
|
405
|
-
RolePermissionSchema.index({ orgId: 1, role: 1 }, { unique: true });
|
|
406
|
-
var RolePermissionModel = mongoose4.model(
|
|
407
|
-
"RolePermission",
|
|
408
|
-
RolePermissionSchema,
|
|
409
|
-
"role_permissions"
|
|
410
|
-
);
|
|
422
|
+
var ClientModel = mongoose4.models.Client || mongoose4.model("Client", ClientSchema);
|
|
411
423
|
|
|
412
424
|
// src/services/auth-admin.service.ts
|
|
413
425
|
var AuthAdminService = class {
|
|
@@ -457,7 +469,7 @@ var AuthAdminService = class {
|
|
|
457
469
|
return user;
|
|
458
470
|
}
|
|
459
471
|
async assignRealmRole(userId, roleName) {
|
|
460
|
-
const role = await RolePermissionModel.findOne({
|
|
472
|
+
const role = await RolePermissionModel.findOne({ role: roleName });
|
|
461
473
|
if (!role) throw new Error(`Role not found: ${roleName}`);
|
|
462
474
|
await OrgUser.findOneAndUpdate(
|
|
463
475
|
{ id: userId },
|
|
@@ -1001,16 +1013,18 @@ async function sendRateLimitedEmail({
|
|
|
1001
1013
|
return { rateLimited: false };
|
|
1002
1014
|
}
|
|
1003
1015
|
function generateTokens(user) {
|
|
1004
|
-
const
|
|
1005
|
-
|
|
1006
|
-
|
|
1007
|
-
|
|
1008
|
-
|
|
1009
|
-
|
|
1010
|
-
|
|
1011
|
-
|
|
1012
|
-
|
|
1013
|
-
|
|
1016
|
+
const accessPayload = {
|
|
1017
|
+
sub: user.id.toString(),
|
|
1018
|
+
email: user.email,
|
|
1019
|
+
roles: user.roles || [],
|
|
1020
|
+
orgId: user.orgId || null,
|
|
1021
|
+
org_id: user.orgId || null,
|
|
1022
|
+
projectId: user.projectId || null,
|
|
1023
|
+
type: "user"
|
|
1024
|
+
};
|
|
1025
|
+
const accessToken = jwt4.sign(accessPayload, process.env.JWT_SECRET, {
|
|
1026
|
+
expiresIn: "1h"
|
|
1027
|
+
});
|
|
1014
1028
|
const refreshToken = jwt4.sign(
|
|
1015
1029
|
{ sub: user._id.toString() },
|
|
1016
1030
|
process.env.JWT_SECRET,
|