create-forgeon 0.2.5 → 0.2.7

package/templates/module-presets/rbac/packages/rbac/src/forgeon-rbac.guard.ts

@@ -0,0 +1,91 @@
+import {
+  CanActivate,
+  ExecutionContext,
+  ForbiddenException,
+  Injectable,
+} from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import {
+  RBAC_PERMISSIONS_HEADER,
+  RBAC_PERMISSIONS_KEY,
+  RBAC_ROLES_HEADER,
+  RBAC_ROLES_KEY,
+} from './rbac.constants';
+import { hasAllPermissions, hasAnyRole } from './rbac.helpers';
+import { Permission, RbacPrincipal, Role } from './rbac.types';
+
+type HeaderValue = string | string[] | undefined;
+
+type HttpRequestLike = {
+  user?: unknown;
+  headers?: Record<string, HeaderValue>;
+};
+
+@Injectable()
+export class ForgeonRbacGuard implements CanActivate {
+  constructor(private readonly reflector: Reflector) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const requiredRoles =
+      this.reflector.getAllAndOverride<Role[]>(RBAC_ROLES_KEY, [
+        context.getHandler(),
+        context.getClass(),
+      ]) ?? [];
+    const requiredPermissions =
+      this.reflector.getAllAndOverride<Permission[]>(RBAC_PERMISSIONS_KEY, [
+        context.getHandler(),
+        context.getClass(),
+      ]) ?? [];
+
+    if (requiredRoles.length === 0 && requiredPermissions.length === 0) {
+      return true;
+    }
+
+    const request = context.switchToHttp().getRequest<HttpRequestLike>();
+    const principal = this.resolvePrincipal(request);
+
+    if (!hasAnyRole(principal, requiredRoles) || !hasAllPermissions(principal, requiredPermissions)) {
+      throw new ForbiddenException({
+        message: 'Access denied',
+        details: {
+          feature: 'rbac',
+          requiredRoles,
+          requiredPermissions,
+        },
+      });
+    }
+
+    return true;
+  }
+
+  private resolvePrincipal(request: HttpRequestLike | undefined): RbacPrincipal {
+    const user = request?.user;
+    if (user && typeof user === 'object') {
+      const principal = user as RbacPrincipal;
+      if (Array.isArray(principal.roles) || Array.isArray(principal.permissions)) {
+        return {
+          roles: Array.isArray(principal.roles) ? principal.roles : [],
+          permissions: Array.isArray(principal.permissions) ? principal.permissions : [],
+        };
+      }
+    }
+
+    const headers = request?.headers;
+    return {
+      roles: this.parseHeaderList(headers?.[RBAC_ROLES_HEADER]),
+      permissions: this.parseHeaderList(headers?.[RBAC_PERMISSIONS_HEADER]),
+    };
+  }
+
+  private parseHeaderList(value: HeaderValue): string[] {
+    const source = Array.isArray(value) ? value.join(',') : value;
+    if (typeof source !== 'string' || source.trim().length === 0) {
+      return [];
+    }
+
+    return source
+      .split(',')
+      .map((item) => item.trim())
+      .filter(Boolean);
+  }
+}

package/templates/module-presets/rbac/packages/rbac/src/forgeon-rbac.module.ts

@@ -0,0 +1,8 @@
+import { Module } from '@nestjs/common';
+import { ForgeonRbacGuard } from './forgeon-rbac.guard';
+
+@Module({
+  providers: [ForgeonRbacGuard],
+  exports: [ForgeonRbacGuard],
+})
+export class ForgeonRbacModule {}

package/templates/module-presets/rbac/packages/rbac/src/index.ts

@@ -0,0 +1,6 @@
+export * from './forgeon-rbac.guard';
+export * from './forgeon-rbac.module';
+export * from './rbac.constants';
+export * from './rbac.decorators';
+export * from './rbac.helpers';
+export * from './rbac.types';

package/templates/module-presets/rbac/packages/rbac/src/rbac.constants.ts

@@ -0,0 +1,4 @@
+export const RBAC_ROLES_KEY = 'forgeon:rbac:roles';
+export const RBAC_PERMISSIONS_KEY = 'forgeon:rbac:permissions';
+export const RBAC_ROLES_HEADER = 'x-forgeon-roles';
+export const RBAC_PERMISSIONS_HEADER = 'x-forgeon-permissions';

package/templates/module-presets/rbac/packages/rbac/src/rbac.decorators.ts

@@ -0,0 +1,11 @@
+import { SetMetadata } from '@nestjs/common';
+import { RBAC_PERMISSIONS_KEY, RBAC_ROLES_KEY } from './rbac.constants';
+import { Permission, Role } from './rbac.types';
+
+export function Roles(...roles: Role[]) {
+  return SetMetadata(RBAC_ROLES_KEY, roles);
+}
+
+export function Permissions(...permissions: Permission[]) {
+  return SetMetadata(RBAC_PERMISSIONS_KEY, permissions);
+}

package/templates/module-presets/rbac/packages/rbac/src/rbac.helpers.ts

@@ -0,0 +1,31 @@
+import { Permission, RbacPrincipal, Role } from './rbac.types';
+
+export function hasRole(principal: RbacPrincipal | null | undefined, role: Role): boolean {
+  const roles = principal?.roles ?? [];
+  return roles.includes(role);
+}
+
+export function hasPermission(
+  principal: RbacPrincipal | null | undefined,
+  permission: Permission,
+): boolean {
+  const permissions = principal?.permissions ?? [];
+  return permissions.includes(permission);
+}
+
+export function hasAnyRole(principal: RbacPrincipal | null | undefined, roles: Role[]): boolean {
+  if (roles.length === 0) {
+    return true;
+  }
+  return roles.some((role) => hasRole(principal, role));
+}
+
+export function hasAllPermissions(
+  principal: RbacPrincipal | null | undefined,
+  permissions: Permission[],
+): boolean {
+  if (permissions.length === 0) {
+    return true;
+  }
+  return permissions.every((permission) => hasPermission(principal, permission));
+}

package/templates/module-presets/rbac/packages/rbac/src/rbac.types.ts

@@ -0,0 +1,7 @@
+export type Role = string;
+export type Permission = string;
+
+export interface RbacPrincipal {
+  roles?: Role[];
+  permissions?: Permission[];
+}

package/templates/module-presets/rbac/packages/rbac/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../../tsconfig.base.node.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist",
+    "types": ["node"]
+  },
+  "include": ["src/**/*.ts"]
+}