digitaltwin-core 0.14.2 → 1.0.0

package/dist/auth/apisix_parser.d.ts

@@ -0,0 +1,141 @@
+import type { AuthenticatedUser } from './types.js';
+import type { AuthProvider } from './auth_provider.js';
+/**
+ * Parses authentication information from Apache APISIX headers set after Keycloak authentication.
+ *
+ * This class provides a static API for backward compatibility while internally using
+ * the AuthProvider system. It automatically handles:
+ * - Gateway mode (x-user-id, x-user-roles headers)
+ * - JWT mode (Authorization: Bearer token)
+ * - No-auth mode (DIGITALTWIN_DISABLE_AUTH=true)
+ *
+ * For new code, consider using AuthProviderFactory directly:
+ * ```typescript
+ * const authProvider = AuthProviderFactory.fromEnv()
+ * const user = authProvider.parseRequest(req)
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // In an AssetsManager handler
+ * if (!ApisixAuthParser.hasValidAuth(req.headers)) {
+ *   return { status: 401, content: 'Authentication required' }
+ * }
+ *
+ * const authUser = ApisixAuthParser.parseAuthHeaders(req.headers)
+ * const userRecord = await this.userService.findOrCreateUser(authUser!)
+ * ```
+ */
+export declare class ApisixAuthParser {
+    private static _provider;
+    /**
+     * Get the authentication provider instance.
+     * Creates it on first use based on environment configuration.
+     */
+    private static getProvider;
+    /**
+     * Reset the provider instance (useful for testing).
+     * @internal
+     */
+    static _resetProvider(): void;
+    /**
+     * Set a custom provider (useful for testing).
+     * @internal
+     */
+    static _setProvider(provider: AuthProvider): void;
+    /**
+     * Create a request-like object from headers for the AuthProvider.
+     */
+    private static toAuthRequest;
+    /**
+     * Extracts user information from authentication headers.
+     *
+     * Parses the authentication headers (gateway mode) or JWT token (jwt mode):
+     * - Gateway: `x-user-id` and `x-user-roles` headers
+     * - JWT: `Authorization: Bearer <token>` header
+     *
+     * When authentication is disabled (DIGITALTWIN_DISABLE_AUTH=true),
+     * returns a default anonymous user.
+     *
+     * @param headers - HTTP request headers
+     * @returns Parsed user authentication data, or null if not authenticated
+     *
+     * @example
+     * ```typescript
+     * const headers = {
+     *   'x-user-id': '6e06a527-a89d-4390-95cd-10ae63cfc939',
+     *   'x-user-roles': 'default-roles-master,offline_access'
+     * }
+     *
+     * const authUser = ApisixAuthParser.parseAuthHeaders(headers)
+     * // Returns: { id: '6e06a527...', roles: ['default-roles-master', 'offline_access'] }
+     * ```
+     */
+    static parseAuthHeaders(headers: Record<string, string>): AuthenticatedUser | null;
+    /**
+     * Checks if a request has valid authentication.
+     *
+     * Performs a quick validation to determine if the request contains
+     * valid authentication credentials (gateway headers or JWT token).
+     *
+     * When authentication is disabled, this always returns true.
+     *
+     * @param headers - HTTP request headers
+     * @returns true if authentication is valid or disabled, false otherwise
+     *
+     * @example
+     * ```typescript
+     * if (!ApisixAuthParser.hasValidAuth(req.headers)) {
+     *   return { status: 401, content: 'Authentication required' }
+     * }
+     * ```
+     */
+    static hasValidAuth(headers: Record<string, string>): boolean;
+    /**
+     * Extracts just the user ID from headers.
+     *
+     * Convenience method for cases where you only need the user ID.
+     *
+     * @param headers - HTTP request headers
+     * @returns User ID, or null if not authenticated
+     *
+     * @example
+     * ```typescript
+     * const userId = ApisixAuthParser.getUserId(req.headers)
+     * if (userId) {
+     *   console.log(`Request from user: ${userId}`)
+     * }
+     * ```
+     */
+    static getUserId(headers: Record<string, string>): string | null;
+    /**
+     * Extracts just the user roles from headers.
+     *
+     * @param headers - HTTP request headers
+     * @returns Array of role names, empty array if not authenticated
+     *
+     * @example
+     * ```typescript
+     * const roles = ApisixAuthParser.getUserRoles(req.headers)
+     * if (roles.includes('admin')) {
+     *   console.log('User has admin privileges')
+     * }
+     * ```
+     */
+    static getUserRoles(headers: Record<string, string>): string[];
+    /**
+     * Checks if a user has the admin role.
+     *
+     * @param headers - HTTP request headers
+     * @returns true if user has admin role, false otherwise
+     *
+     * @example
+     * ```typescript
+     * if (ApisixAuthParser.isAdmin(req.headers)) {
+     *   // Admin-only logic
+     * }
+     * ```
+     */
+    static isAdmin(headers: Record<string, string>): boolean;
+}
+//# sourceMappingURL=apisix_parser.d.ts.map

package/dist/auth/apisix_parser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"apisix_parser.d.ts","sourceRoot":"","sources":["../../src/auth/apisix_parser.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAA;AACnD,OAAO,KAAK,EAAE,YAAY,EAAe,MAAM,oBAAoB,CAAA;AAGnE;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,qBAAa,gBAAgB;IACzB,OAAO,CAAC,MAAM,CAAC,SAAS,CAA4B;IAEpD;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAO1B;;;OAGG;IACH,MAAM,CAAC,cAAc,IAAI,IAAI;IAI7B;;;OAGG;IACH,MAAM,CAAC,YAAY,CAAC,QAAQ,EAAE,YAAY,GAAG,IAAI;IAIjD;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,aAAa;IAI5B;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,iBAAiB,GAAG,IAAI;IAIlF;;;;;;;;;;;;;;;;;OAiBG;IACH,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO;IAI7D;;;;;;;;;;;;;;;OAeG;IACH,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,GAAG,IAAI;IAIhE;;;;;;;;;;;;;OAaG;IACH,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,EAAE;IAI9D;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO;CAG3D"}

package/dist/auth/apisix_parser.js

@@ -0,0 +1,161 @@
+import { AuthProviderFactory } from './auth_provider_factory.js';
+/**
+ * Parses authentication information from Apache APISIX headers set after Keycloak authentication.
+ *
+ * This class provides a static API for backward compatibility while internally using
+ * the AuthProvider system. It automatically handles:
+ * - Gateway mode (x-user-id, x-user-roles headers)
+ * - JWT mode (Authorization: Bearer token)
+ * - No-auth mode (DIGITALTWIN_DISABLE_AUTH=true)
+ *
+ * For new code, consider using AuthProviderFactory directly:
+ * ```typescript
+ * const authProvider = AuthProviderFactory.fromEnv()
+ * const user = authProvider.parseRequest(req)
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // In an AssetsManager handler
+ * if (!ApisixAuthParser.hasValidAuth(req.headers)) {
+ *   return { status: 401, content: 'Authentication required' }
+ * }
+ *
+ * const authUser = ApisixAuthParser.parseAuthHeaders(req.headers)
+ * const userRecord = await this.userService.findOrCreateUser(authUser!)
+ * ```
+ */
+export class ApisixAuthParser {
+    static { this._provider = null; }
+    /**
+     * Get the authentication provider instance.
+     * Creates it on first use based on environment configuration.
+     */
+    static getProvider() {
+        if (!this._provider) {
+            this._provider = AuthProviderFactory.fromEnv();
+        }
+        return this._provider;
+    }
+    /**
+     * Reset the provider instance (useful for testing).
+     * @internal
+     */
+    static _resetProvider() {
+        this._provider = null;
+    }
+    /**
+     * Set a custom provider (useful for testing).
+     * @internal
+     */
+    static _setProvider(provider) {
+        this._provider = provider;
+    }
+    /**
+     * Create a request-like object from headers for the AuthProvider.
+     */
+    static toAuthRequest(headers) {
+        return { headers };
+    }
+    /**
+     * Extracts user information from authentication headers.
+     *
+     * Parses the authentication headers (gateway mode) or JWT token (jwt mode):
+     * - Gateway: `x-user-id` and `x-user-roles` headers
+     * - JWT: `Authorization: Bearer <token>` header
+     *
+     * When authentication is disabled (DIGITALTWIN_DISABLE_AUTH=true),
+     * returns a default anonymous user.
+     *
+     * @param headers - HTTP request headers
+     * @returns Parsed user authentication data, or null if not authenticated
+     *
+     * @example
+     * ```typescript
+     * const headers = {
+     *   'x-user-id': '6e06a527-a89d-4390-95cd-10ae63cfc939',
+     *   'x-user-roles': 'default-roles-master,offline_access'
+     * }
+     *
+     * const authUser = ApisixAuthParser.parseAuthHeaders(headers)
+     * // Returns: { id: '6e06a527...', roles: ['default-roles-master', 'offline_access'] }
+     * ```
+     */
+    static parseAuthHeaders(headers) {
+        return this.getProvider().parseRequest(this.toAuthRequest(headers));
+    }
+    /**
+     * Checks if a request has valid authentication.
+     *
+     * Performs a quick validation to determine if the request contains
+     * valid authentication credentials (gateway headers or JWT token).
+     *
+     * When authentication is disabled, this always returns true.
+     *
+     * @param headers - HTTP request headers
+     * @returns true if authentication is valid or disabled, false otherwise
+     *
+     * @example
+     * ```typescript
+     * if (!ApisixAuthParser.hasValidAuth(req.headers)) {
+     *   return { status: 401, content: 'Authentication required' }
+     * }
+     * ```
+     */
+    static hasValidAuth(headers) {
+        return this.getProvider().hasValidAuth(this.toAuthRequest(headers));
+    }
+    /**
+     * Extracts just the user ID from headers.
+     *
+     * Convenience method for cases where you only need the user ID.
+     *
+     * @param headers - HTTP request headers
+     * @returns User ID, or null if not authenticated
+     *
+     * @example
+     * ```typescript
+     * const userId = ApisixAuthParser.getUserId(req.headers)
+     * if (userId) {
+     *   console.log(`Request from user: ${userId}`)
+     * }
+     * ```
+     */
+    static getUserId(headers) {
+        return this.getProvider().getUserId(this.toAuthRequest(headers));
+    }
+    /**
+     * Extracts just the user roles from headers.
+     *
+     * @param headers - HTTP request headers
+     * @returns Array of role names, empty array if not authenticated
+     *
+     * @example
+     * ```typescript
+     * const roles = ApisixAuthParser.getUserRoles(req.headers)
+     * if (roles.includes('admin')) {
+     *   console.log('User has admin privileges')
+     * }
+     * ```
+     */
+    static getUserRoles(headers) {
+        return this.getProvider().getUserRoles(this.toAuthRequest(headers));
+    }
+    /**
+     * Checks if a user has the admin role.
+     *
+     * @param headers - HTTP request headers
+     * @returns true if user has admin role, false otherwise
+     *
+     * @example
+     * ```typescript
+     * if (ApisixAuthParser.isAdmin(req.headers)) {
+     *   // Admin-only logic
+     * }
+     * ```
+     */
+    static isAdmin(headers) {
+        return this.getProvider().isAdmin(this.toAuthRequest(headers));
+    }
+}
+//# sourceMappingURL=apisix_parser.js.map

package/dist/auth/apisix_parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"apisix_parser.js","sourceRoot":"","sources":["../../src/auth/apisix_parser.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAEhE;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,OAAO,gBAAgB;aACV,cAAS,GAAwB,IAAI,CAAA;IAEpD;;;OAGG;IACK,MAAM,CAAC,WAAW;QACtB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YAClB,IAAI,CAAC,SAAS,GAAG,mBAAmB,CAAC,OAAO,EAAE,CAAA;QAClD,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAA;IACzB,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,cAAc;QACjB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAA;IACzB,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,YAAY,CAAC,QAAsB;QACtC,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAA;IAC7B,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,aAAa,CAAC,OAA+B;QACxD,OAAO,EAAE,OAAO,EAAE,CAAA;IACtB,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,MAAM,CAAC,gBAAgB,CAAC,OAA+B;QACnD,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;IACvE,CAAC;IAED;;;;;;;;;;;;;;;;;OAiBG;IACH,MAAM,CAAC,YAAY,CAAC,OAA+B;QAC/C,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;IACvE,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH,MAAM,CAAC,SAAS,CAAC,OAA+B;QAC5C,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;IACpE,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,MAAM,CAAC,YAAY,CAAC,OAA+B;QAC/C,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;IACvE,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,OAAO,CAAC,OAA+B;QAC1C,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;IAClE,CAAC"}

package/dist/auth/auth_config.d.ts

@@ -0,0 +1,126 @@
+/**
+ * Authentication configuration for Digital Twin framework.
+ *
+ * Controls whether authentication is required for components that support it.
+ * When authentication is disabled, all requests are treated as authenticated
+ * with a default anonymous user.
+ *
+ * Environment variables:
+ * - DIGITALTWIN_DISABLE_AUTH: Set to "true" or "1" to disable authentication (default: false)
+ * - DIGITALTWIN_ANONYMOUS_USER_ID: User ID to use when auth is disabled (default: "anonymous")
+ * - DIGITALTWIN_ADMIN_ROLE_NAME: Name of the admin role in Keycloak (default: "admin")
+ *
+ * @example
+ * ```bash
+ * # Disable authentication for development
+ * export DIGITALTWIN_DISABLE_AUTH=true
+ * export DIGITALTWIN_ANONYMOUS_USER_ID=dev-user-123
+ *
+ * # Configure admin role name
+ * export DIGITALTWIN_ADMIN_ROLE_NAME=administrator
+ *
+ * # Enable authentication (default)
+ * export DIGITALTWIN_DISABLE_AUTH=false
+ * ```
+ *
+ * @example
+ * ```typescript
+ * import { AuthConfig } from './auth_config.js'
+ *
+ * if (AuthConfig.isAuthDisabled()) {
+ *   console.log('Authentication is disabled')
+ *   const anonymousUser = AuthConfig.getAnonymousUser()
+ *   console.log(`Using anonymous user: ${anonymousUser.id}`)
+ * }
+ *
+ * const adminRole = AuthConfig.getAdminRoleName()
+ * console.log(`Admin role is: ${adminRole}`)
+ * ```
+ */
+export declare class AuthConfig {
+    private static _config;
+    /**
+     * Loads and validates authentication configuration from environment variables.
+     * This is called automatically the first time any method is used.
+     */
+    private static loadConfig;
+    /**
+     * Gets the loaded configuration, ensuring it's initialized.
+     * @private
+     */
+    private static getConfig;
+    /**
+     * Checks if authentication is disabled via environment variables.
+     *
+     * @returns true if DIGITALTWIN_DISABLE_AUTH is set to "true" or "1", false otherwise
+     *
+     * @example
+     * ```typescript
+     * if (AuthConfig.isAuthDisabled()) {
+     *   console.log('Running in no-auth mode')
+     * }
+     * ```
+     */
+    static isAuthDisabled(): boolean;
+    /**
+     * Checks if authentication is enabled (opposite of isAuthDisabled).
+     *
+     * @returns true if authentication should be enforced, false otherwise
+     */
+    static isAuthEnabled(): boolean;
+    /**
+     * Gets the anonymous user ID to use when authentication is disabled.
+     *
+     * @returns The user ID configured for anonymous access
+     *
+     * @example
+     * ```typescript
+     * const userId = AuthConfig.getAnonymousUserId()
+     * console.log(`Anonymous user ID: ${userId}`) // "anonymous" by default
+     * ```
+     */
+    static getAnonymousUserId(): string;
+    /**
+     * Gets a fake authenticated user object for anonymous access.
+     *
+     * @returns An AuthenticatedUser object representing the anonymous user
+     *
+     * @example
+     * ```typescript
+     * import type { AuthenticatedUser } from './types.js'
+     *
+     * const anonymousUser: AuthenticatedUser = AuthConfig.getAnonymousUser()
+     * console.log(anonymousUser) // { id: "anonymous", roles: ["anonymous"] }
+     * ```
+     */
+    static getAnonymousUser(): {
+        id: string;
+        roles: string[];
+    };
+    /**
+     * Gets the name of the admin role configured for the system.
+     *
+     * This role name is used to determine if a user has full administrative
+     * access to all resources, including private assets owned by other users.
+     *
+     * @returns The admin role name (default: "admin")
+     *
+     * @example
+     * ```typescript
+     * const adminRole = AuthConfig.getAdminRoleName()
+     * console.log(`Admin role: ${adminRole}`) // "admin" by default
+     *
+     * // Check if user has admin role
+     * const userRoles = ['user', 'admin', 'moderator']
+     * const isAdmin = userRoles.includes(adminRole)
+     * ```
+     */
+    static getAdminRoleName(): string;
+    /**
+     * Resets the cached configuration (useful for testing).
+     *
+     * @private
+     */
+    static _resetConfig(): void;
+}
+//# sourceMappingURL=auth_config.d.ts.map

package/dist/auth/auth_config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth_config.d.ts","sourceRoot":"","sources":["../../src/auth/auth_config.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,qBAAa,UAAU;IACnB,OAAO,CAAC,MAAM,CAAC,OAAO,CAIP;IAEf;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,UAAU;IAqCzB;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,SAAS;IAQxB;;;;;;;;;;;OAWG;IACH,MAAM,CAAC,cAAc,IAAI,OAAO;IAIhC;;;;OAIG;IACH,MAAM,CAAC,aAAa,IAAI,OAAO;IAI/B;;;;;;;;;;OAUG;IACH,MAAM,CAAC,kBAAkB,IAAI,MAAM;IAInC;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,gBAAgB;;;;IAOvB;;;;;;;;;;;;;;;;;OAiBG;IACH,MAAM,CAAC,gBAAgB,IAAI,MAAM;IAIjC;;;;OAIG;IACH,MAAM,CAAC,YAAY;CAGtB"}

package/dist/auth/auth_config.js

@@ -0,0 +1,169 @@
+import { Env } from '../env/env.js';
+/**
+ * Authentication configuration for Digital Twin framework.
+ *
+ * Controls whether authentication is required for components that support it.
+ * When authentication is disabled, all requests are treated as authenticated
+ * with a default anonymous user.
+ *
+ * Environment variables:
+ * - DIGITALTWIN_DISABLE_AUTH: Set to "true" or "1" to disable authentication (default: false)
+ * - DIGITALTWIN_ANONYMOUS_USER_ID: User ID to use when auth is disabled (default: "anonymous")
+ * - DIGITALTWIN_ADMIN_ROLE_NAME: Name of the admin role in Keycloak (default: "admin")
+ *
+ * @example
+ * ```bash
+ * # Disable authentication for development
+ * export DIGITALTWIN_DISABLE_AUTH=true
+ * export DIGITALTWIN_ANONYMOUS_USER_ID=dev-user-123
+ *
+ * # Configure admin role name
+ * export DIGITALTWIN_ADMIN_ROLE_NAME=administrator
+ *
+ * # Enable authentication (default)
+ * export DIGITALTWIN_DISABLE_AUTH=false
+ * ```
+ *
+ * @example
+ * ```typescript
+ * import { AuthConfig } from './auth_config.js'
+ *
+ * if (AuthConfig.isAuthDisabled()) {
+ *   console.log('Authentication is disabled')
+ *   const anonymousUser = AuthConfig.getAnonymousUser()
+ *   console.log(`Using anonymous user: ${anonymousUser.id}`)
+ * }
+ *
+ * const adminRole = AuthConfig.getAdminRoleName()
+ * console.log(`Admin role is: ${adminRole}`)
+ * ```
+ */
+export class AuthConfig {
+    static { this._config = null; }
+    /**
+     * Loads and validates authentication configuration from environment variables.
+     * This is called automatically the first time any method is used.
+     */
+    static loadConfig() {
+        if (this._config !== null)
+            return;
+        const config = Env.validate({
+            DIGITALTWIN_DISABLE_AUTH: Env.schema.boolean({
+                optional: true,
+                default: false
+            }),
+            DIGITALTWIN_ANONYMOUS_USER_ID: Env.schema.string({
+                optional: true
+            }),
+            DIGITALTWIN_ADMIN_ROLE_NAME: Env.schema.string({
+                optional: true
+            })
+        });
+        // Set default anonymous user ID if not provided
+        if (!config.DIGITALTWIN_ANONYMOUS_USER_ID) {
+            config.DIGITALTWIN_ANONYMOUS_USER_ID = 'anonymous';
+        }
+        // Set default admin role name if not provided
+        if (!config.DIGITALTWIN_ADMIN_ROLE_NAME) {
+            config.DIGITALTWIN_ADMIN_ROLE_NAME = 'admin';
+        }
+        this._config = config;
+    }
+    /**
+     * Gets the loaded configuration, ensuring it's initialized.
+     * @private
+     */
+    static getConfig() {
+        this.loadConfig();
+        if (this._config === null) {
+            throw new Error('Failed to load authentication configuration');
+        }
+        return this._config;
+    }
+    /**
+     * Checks if authentication is disabled via environment variables.
+     *
+     * @returns true if DIGITALTWIN_DISABLE_AUTH is set to "true" or "1", false otherwise
+     *
+     * @example
+     * ```typescript
+     * if (AuthConfig.isAuthDisabled()) {
+     *   console.log('Running in no-auth mode')
+     * }
+     * ```
+     */
+    static isAuthDisabled() {
+        return this.getConfig().DIGITALTWIN_DISABLE_AUTH;
+    }
+    /**
+     * Checks if authentication is enabled (opposite of isAuthDisabled).
+     *
+     * @returns true if authentication should be enforced, false otherwise
+     */
+    static isAuthEnabled() {
+        return !this.isAuthDisabled();
+    }
+    /**
+     * Gets the anonymous user ID to use when authentication is disabled.
+     *
+     * @returns The user ID configured for anonymous access
+     *
+     * @example
+     * ```typescript
+     * const userId = AuthConfig.getAnonymousUserId()
+     * console.log(`Anonymous user ID: ${userId}`) // "anonymous" by default
+     * ```
+     */
+    static getAnonymousUserId() {
+        return this.getConfig().DIGITALTWIN_ANONYMOUS_USER_ID;
+    }
+    /**
+     * Gets a fake authenticated user object for anonymous access.
+     *
+     * @returns An AuthenticatedUser object representing the anonymous user
+     *
+     * @example
+     * ```typescript
+     * import type { AuthenticatedUser } from './types.js'
+     *
+     * const anonymousUser: AuthenticatedUser = AuthConfig.getAnonymousUser()
+     * console.log(anonymousUser) // { id: "anonymous", roles: ["anonymous"] }
+     * ```
+     */
+    static getAnonymousUser() {
+        return {
+            id: this.getAnonymousUserId(),
+            roles: ['anonymous']
+        };
+    }
+    /**
+     * Gets the name of the admin role configured for the system.
+     *
+     * This role name is used to determine if a user has full administrative
+     * access to all resources, including private assets owned by other users.
+     *
+     * @returns The admin role name (default: "admin")
+     *
+     * @example
+     * ```typescript
+     * const adminRole = AuthConfig.getAdminRoleName()
+     * console.log(`Admin role: ${adminRole}`) // "admin" by default
+     *
+     * // Check if user has admin role
+     * const userRoles = ['user', 'admin', 'moderator']
+     * const isAdmin = userRoles.includes(adminRole)
+     * ```
+     */
+    static getAdminRoleName() {
+        return this.getConfig().DIGITALTWIN_ADMIN_ROLE_NAME;
+    }
+    /**
+     * Resets the cached configuration (useful for testing).
+     *
+     * @private
+     */
+    static _resetConfig() {
+        this._config = null;
+    }
+}
+//# sourceMappingURL=auth_config.js.map

package/dist/auth/auth_config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth_config.js","sourceRoot":"","sources":["../../src/auth/auth_config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,eAAe,CAAA;AAEnC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,MAAM,OAAO,UAAU;aACJ,YAAO,GAIX,IAAI,CAAA;IAEf;;;OAGG;IACK,MAAM,CAAC,UAAU;QACrB,IAAI,IAAI,CAAC,OAAO,KAAK,IAAI;YAAE,OAAM;QAEjC,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAC;YACxB,wBAAwB,EAAE,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,OAAO,EAAE,KAAK;aACjB,CAAC;YACF,6BAA6B,EAAE,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC;gBAC7C,QAAQ,EAAE,IAAI;aACjB,CAAC;YACF,2BAA2B,EAAE,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC;gBAC3C,QAAQ,EAAE,IAAI;aACjB,CAAC;SACL,CAIA,CAAA;QAED,gDAAgD;QAChD,IAAI,CAAC,MAAM,CAAC,6BAA6B,EAAE,CAAC;YACxC,MAAM,CAAC,6BAA6B,GAAG,WAAW,CAAA;QACtD,CAAC;QAED,8CAA8C;QAC9C,IAAI,CAAC,MAAM,CAAC,2BAA2B,EAAE,CAAC;YACtC,MAAM,CAAC,2BAA2B,GAAG,OAAO,CAAA;QAChD,CAAC;QAED,IAAI,CAAC,OAAO,GAAG,MAId,CAAA;IACL,CAAC;IAED;;;OAGG;IACK,MAAM,CAAC,SAAS;QACpB,IAAI,CAAC,UAAU,EAAE,CAAA;QACjB,IAAI,IAAI,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAA;QAClE,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,CAAA;IACvB,CAAC;IAED;;;;;;;;;;;OAWG;IACH,MAAM,CAAC,cAAc;QACjB,OAAO,IAAI,CAAC,SAAS,EAAE,CAAC,wBAAwB,CAAA;IACpD,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAC,aAAa;QAChB,OAAO,CAAC,IAAI,CAAC,cAAc,EAAE,CAAA;IACjC,CAAC;IAED;;;;;;;;;;OAUG;IACH,MAAM,CAAC,kBAAkB;QACrB,OAAO,IAAI,CAAC,SAAS,EAAE,CAAC,6BAA6B,CAAA;IACzD,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,gBAAgB;QACnB,OAAO;YACH,EAAE,EAAE,IAAI,CAAC,kBAAkB,EAAE;YAC7B,KAAK,EAAE,CAAC,WAAW,CAAC;SACvB,CAAA;IACL,CAAC;IAED;;;;;;;;;;;;;;;;;OAiBG;IACH,MAAM,CAAC,gBAAgB;QACnB,OAAO,IAAI,CAAC,SAAS,EAAE,CAAC,2BAA2B,CAAA;IACvD,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAC,YAAY;QACf,IAAI,CAAC,OAAO,GAAG,IAAI,CAAA;IACvB,CAAC"}