aaspai-authx 0.0.3 → 0.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/express/index.cjs +73 -59
- package/dist/express/index.cjs.map +1 -1
- package/dist/express/index.js +73 -59
- package/dist/express/index.js.map +1 -1
- package/dist/index.cjs +73 -59
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +19 -19
- package/dist/index.d.ts +19 -19
- package/dist/index.js +73 -59
- package/dist/index.js.map +1 -1
- package/dist/nest/index.cjs +73 -59
- package/dist/nest/index.cjs.map +1 -1
- package/dist/nest/index.js +73 -59
- package/dist/nest/index.js.map +1 -1
- package/package.json +1 -1
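--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -161,26 +161,15 @@ function isPlainObject(value) {
 var PLATFORM_ROLES = [
 {
 role: "platform_admin",
-permissions: [
-"projects.create",
-"projects.read",
-"projects.update",
-"projects.delete",
-"users.manage",
-"api.manage"
-]
+permissions: []
 },
 {
 role: "platform_manager",
-permissions: [
-"projects.read",
-"projects.update",
-"users.read"
-]
+permissions: []
 },
 {
 role: "platform_user",
-permissions: [
+permissions: []
 }
 ];
 function getPermissionsForRoles(roles) {
@@ -238,17 +227,36 @@ function buildSession(payload) {
 return session;
 }
 
-// src/models/
+// src/models/rolePermission.model.ts
 var import_mongoose = __toESM(require("mongoose"), 1);
+var RolePermissionSchema = new import_mongoose.Schema(
+{
+orgId: { type: String, default: null, index: true },
+role: { type: String, required: true },
+permissions: { type: [String], default: [] }
+},
+{
+timestamps: true
+}
+);
+RolePermissionSchema.index({ orgId: 1, role: 1 }, { unique: true });
+var RolePermissionModel = import_mongoose.default.model(
+"RolePermission",
+RolePermissionSchema,
+"role_permissions"
+);
+
+// src/models/user.model.ts
+var import_mongoose2 = __toESM(require("mongoose"), 1);
 var import_uuid = require("uuid");
-var MetadataSchema = new
+var MetadataSchema = new import_mongoose2.default.Schema(
 {
 key: { type: String, required: true },
-value: { type:
+value: { type: import_mongoose2.default.Schema.Types.Mixed, required: true }
 },
 { _id: false }
 );
-var OrgUserSchema = new
+var OrgUserSchema = new import_mongoose2.default.Schema(
 {
 id: { type: String, default: (0, import_uuid.v4)(), index: true },
 email: { type: String, required: true, unique: true },
@@ -265,7 +273,7 @@ var OrgUserSchema = new import_mongoose.default.Schema(
 },
 { timestamps: true, collection: "users" }
 );
-var OrgUser =
+var OrgUser = import_mongoose2.default.model("OrgUser", OrgUserSchema);
 
 // src/utils/extract.ts
 var import_cookie = require("cookie");
@@ -330,14 +338,33 @@ function verifyJwt(token) {
 }
 
 // src/middlewares/auth.middleware.ts
+async function mergeRolePermissions(session) {
+const roles = Array.isArray(session.roles) ? session.roles : [];
+if (!roles.length) return;
+const orgContexts = /* @__PURE__ */ new Set();
+if (session.orgId) orgContexts.add(session.orgId);
+if (session.org_id) orgContexts.add(session.org_id);
+if (session.projectId) orgContexts.add(session.projectId);
+orgContexts.add(null);
+const docs = await RolePermissionModel.find({
+orgId: { $in: Array.from(orgContexts) },
+role: { $in: roles }
+}).lean().exec();
+const dynamic = /* @__PURE__ */ new Set();
+for (const doc of docs) {
+for (const perm of doc.permissions || []) {
+if (perm) dynamic.add(perm);
+}
+}
+const existing = Array.isArray(session.permissions) ? session.permissions : [];
+session.permissions = Array.from(/* @__PURE__ */ new Set([...existing, ...dynamic]));
+}
 function requireAuth() {
 return async (req, res, next) => {
 try {
 const apiKey = req.headers["x-api-key"] || req.headers["x-apikey"];
 const userId = req.headers["x-user-id"] || req.headers["x-userId"];
-console.log(apiKey, "apikey", userId, "userId");
 if (apiKey) {
-console.log("inside apikey");
 if (apiKey !== process.env.SERVER_API_KEY) {
 return res.status(401).json({ error: "Invalid API key" });
 }
@@ -351,14 +378,17 @@ function requireAuth() {
 const session = buildSession({
 sub: user.id.toString(),
 email: user.email,
-roles: user.roles || []
+roles: user.roles || [],
+orgId: user.orgId,
+org_id: user.orgId,
+projectId: user.projectId
 });
 session.authType = "api-key";
 session.projectId = readProjectId(req) || user.projectId || void 0;
+await mergeRolePermissions(session);
 req.user = session;
 return next();
 } else {
-console.log("inside token");
 const token = extractToken(req);
 if (!token) {
 return res.status(401).json({ error: "Missing token" });
@@ -367,6 +397,7 @@ function requireAuth() {
 const session = buildSession(claims);
 const pid = readProjectId(req);
 if (pid) session.projectId = pid;
+await mergeRolePermissions(session);
 req.user = session;
 next();
 }
@@ -438,8 +469,8 @@ function validateSendInvite(req, res, next) {
 }
 
 // src/models/invite.model.ts
-var
-var InviteSchema = new
+var import_mongoose3 = __toESM(require("mongoose"), 1);
+var InviteSchema = new import_mongoose3.default.Schema(
 {
 id: { type: String, required: true, index: true },
 email: { type: String, required: true },
@@ -457,15 +488,15 @@ var InviteSchema = new import_mongoose2.default.Schema(
 },
 { timestamps: true, collection: "invites" }
 );
-var Invite =
+var Invite = import_mongoose3.default.model("Invite", InviteSchema);
 
 // src/services/auth-admin.service.ts
 var import_bcrypt = __toESM(require("bcrypt"), 1);
 var import_jsonwebtoken2 = __toESM(require("jsonwebtoken"), 1);
 
 // src/models/client.model.ts
-var
-var ClientSchema = new
+var import_mongoose4 = __toESM(require("mongoose"), 1);
+var ClientSchema = new import_mongoose4.Schema(
 {
 clientId: {
 type: String,
@@ -493,26 +524,7 @@ var ClientSchema = new import_mongoose3.Schema(
 timestamps: true
 }
 );
-var ClientModel =
-
-// src/models/rolePermission.model.ts
-var import_mongoose4 = __toESM(require("mongoose"), 1);
-var RolePermissionSchema = new import_mongoose4.Schema(
-{
-orgId: { type: String, default: null, index: true },
-role: { type: String, required: true },
-permissions: { type: [String], default: [] }
-},
-{
-timestamps: true
-}
-);
-RolePermissionSchema.index({ orgId: 1, role: 1 }, { unique: true });
-var RolePermissionModel = import_mongoose4.default.model(
-"RolePermission",
-RolePermissionSchema,
-"role_permissions"
-);
+var ClientModel = import_mongoose4.default.models.Client || import_mongoose4.default.model("Client", ClientSchema);
 
 // src/services/auth-admin.service.ts
 var AuthAdminService = class {
@@ -562,7 +574,7 @@ var AuthAdminService = class {
 return user;
 }
 async assignRealmRole(userId, roleName) {
-const role = await RolePermissionModel.findOne({
+const role = await RolePermissionModel.findOne({ role: roleName });
 if (!role) throw new Error(`Role not found: ${roleName}`);
 await OrgUser.findOneAndUpdate(
 { id: userId },
@@ -1106,16 +1118,18 @@ async function sendRateLimitedEmail({
 return { rateLimited: false };
 }
 function generateTokens(user) {
-const
-
-
-
-
-
-
-
-
-
+const accessPayload = {
+sub: user.id.toString(),
+email: user.email,
+roles: user.roles || [],
+orgId: user.orgId || null,
+org_id: user.orgId || null,
+projectId: user.projectId || null,
+type: "user"
+};
+const accessToken = import_jsonwebtoken4.default.sign(accessPayload, process.env.JWT_SECRET, {
+expiresIn: "1h"
+});
 const refreshToken = import_jsonwebtoken4.default.sign(
 { sub: user._id.toString() },
 process.env.JWT_SECRET,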