npm - najm-auth - Versions diffs - 1.1.6 → 1.1.8 - Mend

najm-auth 1.1.6 → 1.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -807,13 +807,23 @@ declare class AuthController {
 }
 declare class AuthGuard {
-    private tokenService;
-    private log;
-    canActivate(auth: string): Promise<GuardResult | false>;
+    canActivate(user: any): boolean;
 }
 declare const isAuth: () => ClassDecorator & MethodDecorator;
-declare const AUTH_MODULE: readonly [typeof AuthService, typeof CookieManager, typeof EncryptionService, typeof AuthGuard, typeof AuthController];
+declare class AuthResolver {
+    private container;
+    private app;
+    private log;
+    resolve(token: string): Promise<{
+        user: any;
+        role?: string;
+        permissions?: string[];
+    } | false>;
+    activate(): Promise<void>;
+}
+declare const AUTH_MODULE: readonly [typeof AuthService, typeof CookieManager, typeof EncryptionService, typeof AuthGuard, typeof AuthController, typeof AuthResolver];
 declare class PermissionRepository {
     db: TDb;
@@ -1267,14 +1277,14 @@ type OwnershipStep = JoinStep | OwnerStep;
 /**
  * JOIN step — links two columns across tables.
  * The target table is inferred from the right column.
- * Use aliased tables (`alias(table, '_sc_name')`) to avoid conflicts with display JOINs.
+ * Raw tables are auto-aliased when needed; already-aliased tables are preserved.
  *
- * @example join(grades.studentId, _students.id)
+ * @example join(grades.studentId, students.id)
  */
 declare function join(left: any, right: any): JoinStep;
 /**
  * WHERE step — terminal column that holds the user id.
- * @example where(_teachers.userId)
+ * @example where(teachers.userId)
  */
 declare function where(col: any): OwnerStep;
 type ScopeResult = {
@@ -1318,13 +1328,13 @@ declare class OwnershipToken {
  *
  * @example
  * export const Grade = own(grades)
- *   .for('teacher', join(grades.studentId, _s.id), where(_t.userId))
- *   .for('parent',  join(grades.studentId, _s.id), where(_p.userId))
+ *   .for('teacher', join(grades.studentId, students.id), where(teachers.userId))
+ *   .for('parent',  join(grades.studentId, students.id), where(parents.userId))
  *   .writeBy(grades.studentId);
  *
  * // With explicit admin roles (avoids global state):
  * export const Grade = own(grades, { adminRoles: ['admin', 'principal'] })
- *   .for('teacher', join(grades.studentId, _s.id), where(_t.userId));
+ *   .for('teacher', join(grades.studentId, students.id), where(teachers.userId));
  */
 declare function own(table: any, opts?: OwnershipTokenOptions): OwnershipToken;
@@ -1686,4 +1696,4 @@ declare const authSeed: (config: AuthSeedConfig) => Record<string, SeedEntry>;
  */
 declare function seedAuthData(config: SeedAuthDataConfig): Promise<SeedAuthDataResult>;
-export { AUTH_CONFIG, en as AUTH_EN, AUTH_LOCALES, AUTH_MODULE, AUTH_PERMISSIONS, AUTH_ROLE, AUTH_SCHEMA, AUTH_SUPPORTED_LANGUAGES, AUTH_USER, type AssignPermissionDto, type AssignRoleDto, type AssignRoleParams, type AuthConfig, AuthController, AuthGuard, type AuthPluginConfig, AuthQueries, type AuthSchema, type AuthSeedConfig, AuthService, type AuthUser, Can, CanCreate, CanDelete, CanList, CanRead, CanUpdate, type ChainableGuard, type ChangePasswordDto, type CheckPermissionDto, type ConfiguredOwnership, type ConfirmResetPasswordDto, CookieManager, type CreatePermissionDto, type CreateRoleDto, type CreateTokenDto, type CreateUserDto, type EmailParam, EncryptionService, type JwtConfig, type JwtPayload, type LanguageParam, type LoginDto, NewPermission, NewRoleEntity, NewUser, Owned, type OwnedMethods, type OwnershipConfig, type OwnershipProvider, type OwnershipRule, OwnershipToken, type OwnershipTokenOptions, Permission, PermissionController, PermissionGuard, type PermissionIdParam, PermissionRepository, PermissionService, PermissionValidator, Policy, ROLES, ROLE_GROUPS, type RefreshTokenDto, type ResetPasswordDto, type ResourceAccessor, type ResourceGuards, type ResourceGuardsOptions, type RevokeTokenDto, Role, RoleController, RoleEntity, RoleGuard, type RoleIdParam, type RoleInput, RolePermission, RoleRepository, RoleService, type RoleType, RoleValidator, type SanitizedUser, ScopeContext, type ScopeResult, type SeedAuthDataConfig, type SeedAuthDataResult, type SeedUserConfig, TOKEN_STATUS, TOKEN_TYPE, type TokenIdParam, type TokenPair, TokenRepository, TokenService, USER_STATUS, type UpdatePermissionDto, type UpdateRoleDto, type UpdateTokenDto, type UpdateUserDto, User, UserController, type UserIdInParam, type UserIdParam, UserRepository, UserService, UserValidator, type UserWithPermissions, type VerifyTokenDto, assignPermissionDto, assignRoleDto, assignRoleParams, auth$1 as auth, authSeed, avatarsPath, calculateAge, calculateYearsOfExperience, changePasswordDto, checkPermissionDto, clean, configureOwnership, confirmResetPasswordDto, createPermissionDto, createRoleDto, createTokenDto, createUserDto, defineRoles, emailParam, formatDate, getAuthLocale, getAvatarFile, isAdmin, isAdministrator, isAuth, isEmpty, isFile, isPath, join, languageParam, loginDto, own, parseSchema, permissionIdParam, pickProps, refreshTokenDto, resetPasswordDto, revokeTokenDto, roleIdParam, seedAuthData, tokenIdParam, updatePermissionDto, updateRoleDto, updateTokenDto, updateUserDto, userIdInParam, userIdParam, verifyTokenDto, where };
+export { AUTH_CONFIG, en as AUTH_EN, AUTH_LOCALES, AUTH_MODULE, AUTH_PERMISSIONS, AUTH_ROLE, AUTH_SCHEMA, AUTH_SUPPORTED_LANGUAGES, AUTH_USER, type AssignPermissionDto, type AssignRoleDto, type AssignRoleParams, type AuthConfig, AuthController, AuthGuard, type AuthPluginConfig, AuthQueries, AuthResolver, type AuthSchema, type AuthSeedConfig, AuthService, type AuthUser, Can, CanCreate, CanDelete, CanList, CanRead, CanUpdate, type ChainableGuard, type ChangePasswordDto, type CheckPermissionDto, type ConfiguredOwnership, type ConfirmResetPasswordDto, CookieManager, type CreatePermissionDto, type CreateRoleDto, type CreateTokenDto, type CreateUserDto, type EmailParam, EncryptionService, type JwtConfig, type JwtPayload, type LanguageParam, type LoginDto, NewPermission, NewRoleEntity, NewUser, Owned, type OwnedMethods, type OwnershipConfig, type OwnershipProvider, type OwnershipRule, OwnershipToken, type OwnershipTokenOptions, Permission, PermissionController, PermissionGuard, type PermissionIdParam, PermissionRepository, PermissionService, PermissionValidator, Policy, ROLES, ROLE_GROUPS, type RefreshTokenDto, type ResetPasswordDto, type ResourceAccessor, type ResourceGuards, type ResourceGuardsOptions, type RevokeTokenDto, Role, RoleController, RoleEntity, RoleGuard, type RoleIdParam, type RoleInput, RolePermission, RoleRepository, RoleService, type RoleType, RoleValidator, type SanitizedUser, ScopeContext, type ScopeResult, type SeedAuthDataConfig, type SeedAuthDataResult, type SeedUserConfig, TOKEN_STATUS, TOKEN_TYPE, type TokenIdParam, type TokenPair, TokenRepository, TokenService, USER_STATUS, type UpdatePermissionDto, type UpdateRoleDto, type UpdateTokenDto, type UpdateUserDto, User, UserController, type UserIdInParam, type UserIdParam, UserRepository, UserService, UserValidator, type UserWithPermissions, type VerifyTokenDto, assignPermissionDto, assignRoleDto, assignRoleParams, auth$1 as auth, authSeed, avatarsPath, calculateAge, calculateYearsOfExperience, changePasswordDto, checkPermissionDto, clean, configureOwnership, confirmResetPasswordDto, createPermissionDto, createRoleDto, createTokenDto, createUserDto, defineRoles, emailParam, formatDate, getAuthLocale, getAvatarFile, isAdmin, isAdministrator, isAuth, isEmpty, isFile, isPath, join, languageParam, loginDto, own, parseSchema, permissionIdParam, pickProps, refreshTokenDto, resetPasswordDto, revokeTokenDto, roleIdParam, seedAuthData, tokenIdParam, updatePermissionDto, updateRoleDto, updateTokenDto, updateUserDto, userIdInParam, userIdParam, verifyTokenDto, where };

package/dist/index.js CHANGED Viewed

@@ -194,6 +194,7 @@ __export(auth_exports, {
   AUTH_MODULE: () => AUTH_MODULE,
   AuthController: () => AuthController,
   AuthGuard: () => AuthGuard,
+  AuthResolver: () => AuthResolver,
   AuthService: () => AuthService,
   CookieManager: () => CookieManager,
   EncryptionService: () => EncryptionService,
@@ -285,7 +286,7 @@ CookieManager = __decorate2([
 // src/auth/AuthController.ts
 import { Controller } from "najm-core";
 import { Get, Post, ResMsg } from "najm-core";
-import { Body, User, Headers as Headers2 } from "najm-core";
+import { Body, User as User2, Headers } from "najm-core";
 // src/auth/AuthService.ts
 import { Injectable as Injectable7, Inject as Inject7 } from "najm-core";
@@ -1586,9 +1587,7 @@ AuthService = AuthService_1 = __decorate11([
 ], AuthService);
 // src/auth/AuthGuard.ts
-import { Service as Service2, Inject as Inject8 } from "najm-core";
-import { Headers } from "najm-core";
-import { LOGGER } from "najm-core";
+import { Service as Service2, User } from "najm-core";
 import { createGuard } from "najm-guard";
 var __decorate12 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
@@ -1604,41 +1603,19 @@ var __param2 = function(paramIndex, decorator) {
     decorator(target, key, paramIndex);
   };
 };
-var _a8;
-var _b6;
 var AuthGuard = class AuthGuard2 {
   static {
     __name(this, "AuthGuard");
   }
-  tokenService;
-  log;
-  async canActivate(auth2) {
-    if (!auth2)
-      return false;
-    try {
-      const user = await this.tokenService.getUser(auth2);
-      if (!user)
-        return false;
-      return { user };
-    } catch (error) {
-      this.log.warn("Auth guard token verification failed", error);
-      return false;
-    }
+  canActivate(user) {
+    return !!user;
   }
 };
 __decorate12([
-  Inject8(TokenService),
-  __metadata12("design:type", typeof (_a8 = typeof TokenService !== "undefined" && TokenService) === "function" ? _a8 : Object)
-], AuthGuard.prototype, "tokenService", void 0);
-__decorate12([
-  Inject8(LOGGER),
-  __metadata12("design:type", Object)
-], AuthGuard.prototype, "log", void 0);
-__decorate12([
-  __param2(0, Headers("authorization")),
+  __param2(0, User()),
   __metadata12("design:type", Function),
-  __metadata12("design:paramtypes", [String]),
-  __metadata12("design:returntype", typeof (_b6 = typeof Promise !== "undefined" && Promise) === "function" ? _b6 : Object)
+  __metadata12("design:paramtypes", [Object]),
+  __metadata12("design:returntype", Boolean)
 ], AuthGuard.prototype, "canActivate", null);
 AuthGuard = __decorate12([
   Service2()
@@ -1712,7 +1689,7 @@ var __param3 = function(paramIndex, decorator) {
     decorator(target, key, paramIndex);
   };
 };
-var _a9;
+var _a8;
 var AuthController = class AuthController2 {
   static {
     __name(this, "AuthController");
@@ -1775,8 +1752,8 @@ __decorate13([
   Get("/logout"),
   isAuth(),
   RateLimit({ limit: 10, window: "15m", key: "user" }),
-  __param3(0, User("id")),
-  __param3(1, Headers2("authorization")),
+  __param3(0, User2("id")),
+  __param3(1, Headers("authorization")),
   __metadata13("design:type", Function),
   __metadata13("design:paramtypes", [String, String]),
   __metadata13("design:returntype", Promise)
@@ -1786,7 +1763,7 @@ __decorate13([
   isAuth(),
   RateLimit({ limit: 30, window: "1m", key: "user" }),
   ResMsg("auth.users.success.retrieved"),
-  __param3(0, User()),
+  __param3(0, User2()),
   __metadata13("design:type", Function),
   __metadata13("design:paramtypes", [Object]),
   __metadata13("design:returntype", Promise)
@@ -1813,16 +1790,111 @@ __decorate13([
 ], AuthController.prototype, "resetPassword", null);
 AuthController = __decorate13([
   Controller("/auth"),
-  __metadata13("design:paramtypes", [typeof (_a9 = typeof AuthService !== "undefined" && AuthService) === "function" ? _a9 : Object])
+  __metadata13("design:paramtypes", [typeof (_a8 = typeof AuthService !== "undefined" && AuthService) === "function" ? _a8 : Object])
 ], AuthController);
+// src/auth/AuthResolver.ts
+import { APP, Container, DI, Inject as Inject8, LOGGER, Meta, Service as Service3 } from "najm-core";
+import { USER, ROLE, PERMISSIONS } from "najm-guard";
+var __decorate14 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata14 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var _a9;
+var AuthResolver = class AuthResolver2 {
+  static {
+    __name(this, "AuthResolver");
+  }
+  container;
+  app;
+  log;
+  async resolve(token) {
+    if (!token)
+      return false;
+    try {
+      const authHeader = token.startsWith("Bearer ") ? token : `Bearer ${token}`;
+      const tokenService = await this.container.resolve(TokenService);
+      const user = await tokenService.getUser(authHeader);
+      if (!user)
+        return false;
+      return {
+        user,
+        role: user.role,
+        permissions: user.permissions
+      };
+    } catch (error) {
+      this.log.warn("Token verification failed", error);
+      return false;
+    }
+  }
+  async activate() {
+    this.app.use("*", async (c, next) => {
+      const raw = c.req.header("authorization") ?? "";
+      const token = raw.replace(/^Bearer\s+/i, "").trim();
+      if (token) {
+        const result = await this.resolve(token);
+        if (result) {
+          if (this.container.isActive()) {
+            this.container.set(USER, result.user);
+            if (result.role !== void 0)
+              this.container.set(ROLE, result.role);
+            if (result.permissions !== void 0)
+              this.container.set(PERMISSIONS, result.permissions);
+          } else {
+            const als = this.container.store?.als;
+            if (als && typeof als.getStore === "function") {
+              const previousStore = als.getStore();
+              const nextStore = new Map(previousStore);
+              nextStore.set(USER.key, result.user);
+              if (result.role !== void 0)
+                nextStore.set(ROLE.key, result.role);
+              if (result.permissions !== void 0)
+                nextStore.set(PERMISSIONS.key, result.permissions);
+              als.store = nextStore;
+              try {
+                await next();
+                return;
+              } finally {
+                als.store = previousStore;
+              }
+            }
+          }
+        }
+      }
+      await next();
+    });
+  }
+};
+__decorate14([
+  DI(),
+  __metadata14("design:type", typeof (_a9 = typeof Container !== "undefined" && Container) === "function" ? _a9 : Object)
+], AuthResolver.prototype, "container", void 0);
+__decorate14([
+  Inject8(APP),
+  __metadata14("design:type", Object)
+], AuthResolver.prototype, "app", void 0);
+__decorate14([
+  Inject8(LOGGER),
+  __metadata14("design:type", Object)
+], AuthResolver.prototype, "log", void 0);
+AuthResolver = __decorate14([
+  Service3(),
+  Meta({ layer: "plugin", order: 30 })
+], AuthResolver);
 // src/auth/index.ts
 var AUTH_MODULE = [
   AuthService,
   CookieManager,
   EncryptionService,
   AuthGuard,
-  AuthController
+  AuthController,
+  AuthResolver
 ];
 // src/users/index.ts
@@ -1874,16 +1946,16 @@ __export(roles_exports, {
 import { composeGuards as composeGuards2, createGuard as createGuard3 } from "najm-guard";
 // src/roles/RoleGuards.ts
-import { Service as Service3 } from "najm-core";
-import { GuardParams, User as User2 } from "najm-core";
+import { Service as Service4 } from "najm-core";
+import { GuardParams, User as User3 } from "najm-core";
 import { composeGuards, createGuard as createGuard2 } from "najm-guard";
-var __decorate14 = function(decorators, target, key, desc) {
+var __decorate15 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __metadata14 = function(k, v) {
+var __metadata15 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 var __param4 = function(paramIndex, decorator) {
@@ -1906,15 +1978,15 @@ var RoleGuard = class RoleGuard2 {
     return false;
   }
 };
-__decorate14([
+__decorate15([
   __param4(0, GuardParams()),
-  __param4(1, User2("role")),
-  __metadata14("design:type", Function),
-  __metadata14("design:paramtypes", [Object, String]),
-  __metadata14("design:returntype", void 0)
+  __param4(1, User3("role")),
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", [Object, String]),
+  __metadata15("design:returntype", void 0)
 ], RoleGuard.prototype, "canActivate", null);
-RoleGuard = __decorate14([
-  Service3()
+RoleGuard = __decorate15([
+  Service4()
 ], RoleGuard);
 var Role = createGuard2(RoleGuard);
 var isAdmin = composeGuards(isAuth(), Role(ROLES.ADMIN));
@@ -1973,13 +2045,13 @@ var assignRoleDto = z2.object({
 });
 // src/roles/RoleController.ts
-var __decorate15 = function(decorators, target, key, desc) {
+var __decorate16 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __metadata15 = function(k, v) {
+var __metadata16 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 var __param5 = function(paramIndex, decorator) {
@@ -2012,35 +2084,35 @@ var RoleController = class RoleController2 {
     return this.roleService.delete(params.id);
   }
 };
-__decorate15([
+__decorate16([
   Get2(),
   isAdmin(),
   ResMsg2("roles.success.retrieved"),
-  __metadata15("design:type", Function),
-  __metadata15("design:paramtypes", []),
-  __metadata15("design:returntype", Promise)
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", []),
+  __metadata16("design:returntype", Promise)
 ], RoleController.prototype, "getRoles", null);
-__decorate15([
+__decorate16([
   Get2("/:id"),
   isAdmin(),
   Validate2({ params: roleIdParam }),
   ResMsg2("roles.success.retrieved"),
   __param5(0, Params()),
-  __metadata15("design:type", Function),
-  __metadata15("design:paramtypes", [Object]),
-  __metadata15("design:returntype", Promise)
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", [Object]),
+  __metadata16("design:returntype", Promise)
 ], RoleController.prototype, "getRole", null);
-__decorate15([
+__decorate16([
   Post2(),
   isAdmin(),
   Validate2(createRoleDto),
   ResMsg2("roles.success.created"),
   __param5(0, Body2()),
-  __metadata15("design:type", Function),
-  __metadata15("design:paramtypes", [Object]),
-  __metadata15("design:returntype", Promise)
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", [Object]),
+  __metadata16("design:returntype", Promise)
 ], RoleController.prototype, "createRole", null);
-__decorate15([
+__decorate16([
   Put("/:id"),
   isAdmin(),
   Validate2({
@@ -2050,34 +2122,34 @@ __decorate15([
   ResMsg2("roles.success.updated"),
   __param5(0, Params()),
   __param5(1, Body2()),
-  __metadata15("design:type", Function),
-  __metadata15("design:paramtypes", [Object, Object]),
-  __metadata15("design:returntype", Promise)
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", [Object, Object]),
+  __metadata16("design:returntype", Promise)
 ], RoleController.prototype, "updateRole", null);
-__decorate15([
+__decorate16([
   Delete("/:id"),
   isAdmin(),
   Validate2({ params: roleIdParam }),
   ResMsg2("roles.success.deleted"),
   __param5(0, Params()),
-  __metadata15("design:type", Function),
-  __metadata15("design:paramtypes", [Object]),
-  __metadata15("design:returntype", Promise)
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", [Object]),
+  __metadata16("design:returntype", Promise)
 ], RoleController.prototype, "deleteRole", null);
-RoleController = __decorate15([
+RoleController = __decorate16([
   Controller2("/roles"),
-  __metadata15("design:paramtypes", [typeof (_a10 = typeof RoleService !== "undefined" && RoleService) === "function" ? _a10 : Object])
+  __metadata16("design:paramtypes", [typeof (_a10 = typeof RoleService !== "undefined" && RoleService) === "function" ? _a10 : Object])
 ], RoleController);
 // src/users/UserController.ts
 import { Validate as Validate3 } from "najm-validation";
-var __decorate16 = function(decorators, target, key, desc) {
+var __decorate17 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __metadata16 = function(k, v) {
+var __metadata17 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 var __param6 = function(paramIndex, decorator) {
@@ -2132,73 +2204,73 @@ var UserController = class UserController2 {
     return this.userService.removeRole(params.userId);
   }
 };
-__decorate16([
+__decorate17([
   Get3(),
   isAdmin(),
   ResMsg3("users.success.retrieved"),
-  __metadata16("design:type", Function),
-  __metadata16("design:paramtypes", []),
-  __metadata16("design:returntype", Promise)
+  __metadata17("design:type", Function),
+  __metadata17("design:paramtypes", []),
+  __metadata17("design:returntype", Promise)
 ], UserController.prototype, "getUsers", null);
-__decorate16([
+__decorate17([
   Get3("/lang"),
   isAuth(),
   ResMsg3("users.success.retrieved"),
-  __metadata16("design:type", Function),
-  __metadata16("design:paramtypes", []),
-  __metadata16("design:returntype", Promise)
+  __metadata17("design:type", Function),
+  __metadata17("design:paramtypes", []),
+  __metadata17("design:returntype", Promise)
 ], UserController.prototype, "getLang", null);
-__decorate16([
+__decorate17([
   Post3("/lang/:language"),
   isAuth(),
   Validate3({ params: languageParam }),
   ResMsg3("users.success.updated"),
   __param6(0, Params2()),
-  __metadata16("design:type", Function),
-  __metadata16("design:paramtypes", [Object]),
-  __metadata16("design:returntype", Promise)
+  __metadata17("design:type", Function),
+  __metadata17("design:paramtypes", [Object]),
+  __metadata17("design:returntype", Promise)
 ], UserController.prototype, "updateLang", null);
-__decorate16([
+__decorate17([
   Get3("/:id"),
   isAdmin(),
   Validate3({ params: userIdParam }),
   ResMsg3("users.success.retrieved"),
   __param6(0, Params2()),
-  __metadata16("design:type", Function),
-  __metadata16("design:paramtypes", [Object]),
-  __metadata16("design:returntype", Promise)
+  __metadata17("design:type", Function),
+  __metadata17("design:paramtypes", [Object]),
+  __metadata17("design:returntype", Promise)
 ], UserController.prototype, "getUser", null);
-__decorate16([
+__decorate17([
   Get3("/email/:email"),
   isAdmin(),
   Validate3({ params: emailParam }),
   ResMsg3("users.success.retrieved"),
   __param6(0, Params2()),
-  __metadata16("design:type", Function),
-  __metadata16("design:paramtypes", [Object]),
-  __metadata16("design:returntype", Promise)
+  __metadata17("design:type", Function),
+  __metadata17("design:paramtypes", [Object]),
+  __metadata17("design:returntype", Promise)
 ], UserController.prototype, "getByEmail", null);
-__decorate16([
+__decorate17([
   Get3("/role/:userId"),
   isAdmin(),
   Validate3({ params: userIdInParam }),
   ResMsg3("users.success.retrieved"),
   __param6(0, Params2()),
-  __metadata16("design:type", Function),
-  __metadata16("design:paramtypes", [Object]),
-  __metadata16("design:returntype", Promise)
+  __metadata17("design:type", Function),
+  __metadata17("design:paramtypes", [Object]),
+  __metadata17("design:returntype", Promise)
 ], UserController.prototype, "getRole", null);
-__decorate16([
+__decorate17([
   Post3(),
   isAdmin(),
   Validate3(createUserDto),
   ResMsg3("users.success.created"),
   __param6(0, Body3()),
-  __metadata16("design:type", Function),
-  __metadata16("design:paramtypes", [Object]),
-  __metadata16("design:returntype", Promise)
+  __metadata17("design:type", Function),
+  __metadata17("design:paramtypes", [Object]),
+  __metadata17("design:returntype", Promise)
 ], UserController.prototype, "create", null);
-__decorate16([
+__decorate17([
   Put2("/:id"),
   isAdmin(),
   Validate3({
@@ -2208,51 +2280,51 @@ __decorate16([
   ResMsg3("users.success.updated"),
   __param6(0, Params2()),
   __param6(1, Body3()),
-  __metadata16("design:type", Function),
-  __metadata16("design:paramtypes", [Object, Object]),
-  __metadata16("design:returntype", Promise)
+  __metadata17("design:type", Function),
+  __metadata17("design:paramtypes", [Object, Object]),
+  __metadata17("design:returntype", Promise)
 ], UserController.prototype, "update", null);
-__decorate16([
+__decorate17([
   Delete2("/:id"),
   isAdmin(),
   Validate3({ params: userIdParam }),
   ResMsg3("users.success.deleted"),
   __param6(0, Params2()),
-  __metadata16("design:type", Function),
-  __metadata16("design:paramtypes", [Object]),
-  __metadata16("design:returntype", Promise)
+  __metadata17("design:type", Function),
+  __metadata17("design:paramtypes", [Object]),
+  __metadata17("design:returntype", Promise)
 ], UserController.prototype, "delete", null);
-__decorate16([
+__decorate17([
   Delete2(),
   isAdmin(),
   ResMsg3("users.success.allDeleted"),
-  __metadata16("design:type", Function),
-  __metadata16("design:paramtypes", []),
-  __metadata16("design:returntype", Promise)
+  __metadata17("design:type", Function),
+  __metadata17("design:paramtypes", []),
+  __metadata17("design:returntype", Promise)
 ], UserController.prototype, "deleteAll", null);
-__decorate16([
+__decorate17([
   Post3("/assign/:userId/:roleId"),
   isAdmin(),
   Validate3({ params: assignRoleParams }),
   ResMsg3("users.success.updated"),
   __param6(0, Params2()),
-  __metadata16("design:type", Function),
-  __metadata16("design:paramtypes", [Object]),
-  __metadata16("design:returntype", Promise)
+  __metadata17("design:type", Function),
+  __metadata17("design:paramtypes", [Object]),
+  __metadata17("design:returntype", Promise)
 ], UserController.prototype, "assignRole", null);
-__decorate16([
+__decorate17([
   Delete2("/remove/:userId"),
   isAdmin(),
   Validate3({ params: userIdInParam }),
   ResMsg3("users.success.updated"),
   __param6(0, Params2()),
-  __metadata16("design:type", Function),
-  __metadata16("design:paramtypes", [Object]),
-  __metadata16("design:returntype", Promise)
+  __metadata17("design:type", Function),
+  __metadata17("design:paramtypes", [Object]),
+  __metadata17("design:returntype", Promise)
 ], UserController.prototype, "removeRole", null);
-UserController = __decorate16([
+UserController = __decorate17([
   Controller3("/users"),
-  __metadata16("design:paramtypes", [typeof (_a11 = typeof UserService !== "undefined" && UserService) === "function" ? _a11 : Object])
+  __metadata17("design:paramtypes", [typeof (_a11 = typeof UserService !== "undefined" && UserService) === "function" ? _a11 : Object])
 ], UserController);
 // src/permissions/index.ts
@@ -2275,13 +2347,13 @@ __export(permissions_exports, {
 import { eq as eq5, and } from "drizzle-orm";
 import { Repository as Repository4, Inject as Inject9 } from "najm-core";
 import { DB as DB4 } from "najm-database";
-var __decorate17 = function(decorators, target, key, desc) {
+var __decorate18 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __metadata17 = function(k, v) {
+var __metadata18 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 var PermissionRepository = class PermissionRepository2 {
@@ -2359,29 +2431,29 @@ var PermissionRepository = class PermissionRepository2 {
     return deletedPermissions;
   }
 };
-__decorate17([
+__decorate18([
   DB4(),
-  __metadata17("design:type", Object)
+  __metadata18("design:type", Object)
 ], PermissionRepository.prototype, "db", void 0);
-__decorate17([
+__decorate18([
   Inject9(AUTH_SCHEMA),
-  __metadata17("design:type", Object)
+  __metadata18("design:type", Object)
 ], PermissionRepository.prototype, "schema", void 0);
-PermissionRepository = __decorate17([
+PermissionRepository = __decorate18([
   Repository4()
 ], PermissionRepository);
 // src/permissions/PermissionGuards.ts
 import { Injectable as Injectable8 } from "najm-core";
-import { GuardParams as GuardParams2, User as User3 } from "najm-core";
+import { GuardParams as GuardParams2, User as User4 } from "najm-core";
 import { createGuard as createGuard4, composeGuards as composeGuards3 } from "najm-guard";
-var __decorate18 = function(decorators, target, key, desc) {
+var __decorate19 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __metadata18 = function(k, v) {
+var __metadata19 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 var __param7 = function(paramIndex, decorator) {
@@ -2417,14 +2489,14 @@ var PermissionGuard = class PermissionGuard2 {
     return false;
   }
 };
-__decorate18([
+__decorate19([
   __param7(0, GuardParams2()),
-  __param7(1, User3("permissions")),
-  __metadata18("design:type", Function),
-  __metadata18("design:paramtypes", [String, Array]),
-  __metadata18("design:returntype", Object)
+  __param7(1, User4("permissions")),
+  __metadata19("design:type", Function),
+  __metadata19("design:paramtypes", [String, Array]),
+  __metadata19("design:returntype", Object)
 ], PermissionGuard.prototype, "canActivate", null);
-PermissionGuard = __decorate18([
+PermissionGuard = __decorate19([
   Injectable8()
 ], PermissionGuard);
 var Permission = createGuard4(PermissionGuard);
@@ -2442,17 +2514,17 @@ import { Injectable as Injectable10 } from "najm-core";
 import { Injectable as Injectable9 } from "najm-core";
 import { I18n as I18n5 } from "najm-i18n";
 import { Err as Err7 } from "najm-core";
-var __decorate19 = function(decorators, target, key, desc) {
+var __decorate20 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __metadata19 = function(k, v) {
+var __metadata20 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 var _a12;
-var _b7;
+var _b6;
 var PermissionValidator = class PermissionValidator2 {
   static {
     __name(this, "PermissionValidator");
@@ -2519,27 +2591,27 @@ var PermissionValidator = class PermissionValidator2 {
     }
   }
 };
-__decorate19([
+__decorate20([
   I18n5("permissions"),
-  __metadata19("design:type", Object)
+  __metadata20("design:type", Object)
 ], PermissionValidator.prototype, "t", void 0);
-PermissionValidator = __decorate19([
+PermissionValidator = __decorate20([
   Injectable9(),
-  __metadata19("design:paramtypes", [typeof (_a12 = typeof PermissionRepository !== "undefined" && PermissionRepository) === "function" ? _a12 : Object, typeof (_b7 = typeof RoleValidator !== "undefined" && RoleValidator) === "function" ? _b7 : Object])
+  __metadata20("design:paramtypes", [typeof (_a12 = typeof PermissionRepository !== "undefined" && PermissionRepository) === "function" ? _a12 : Object, typeof (_b6 = typeof RoleValidator !== "undefined" && RoleValidator) === "function" ? _b6 : Object])
 ], PermissionValidator);
 // src/permissions/PermissionService.ts
-var __decorate20 = function(decorators, target, key, desc) {
+var __decorate21 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __metadata20 = function(k, v) {
+var __metadata21 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 var _a13;
-var _b8;
+var _b7;
 var _c4;
 var PermissionService = class PermissionService2 {
   static {
@@ -2645,9 +2717,9 @@ var PermissionService = class PermissionService2 {
     return await this.permissionRepository.deleteAll();
   }
 };
-PermissionService = __decorate20([
+PermissionService = __decorate21([
   Injectable10(),
-  __metadata20("design:paramtypes", [typeof (_a13 = typeof PermissionRepository !== "undefined" && PermissionRepository) === "function" ? _a13 : Object, typeof (_b8 = typeof PermissionValidator !== "undefined" && PermissionValidator) === "function" ? _b8 : Object, typeof (_c4 = typeof RoleService !== "undefined" && RoleService) === "function" ? _c4 : Object])
+  __metadata21("design:paramtypes", [typeof (_a13 = typeof PermissionRepository !== "undefined" && PermissionRepository) === "function" ? _a13 : Object, typeof (_b7 = typeof PermissionValidator !== "undefined" && PermissionValidator) === "function" ? _b7 : Object, typeof (_c4 = typeof RoleService !== "undefined" && RoleService) === "function" ? _c4 : Object])
 ], PermissionService);
 // src/permissions/PermissionController.ts
@@ -2680,13 +2752,13 @@ var checkPermissionDto = z3.object({
 });
 // src/permissions/PermissionController.ts
-var __decorate21 = function(decorators, target, key, desc) {
+var __decorate22 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __metadata21 = function(k, v) {
+var __metadata22 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 var __param8 = function(paramIndex, decorator) {
@@ -2740,32 +2812,32 @@ var PermissionController = class PermissionController2 {
     return this.permissionService.deleteAll();
   }
 };
-__decorate21([
+__decorate22([
   Get4(),
   ResMsg4("permissions.success.retrieved"),
-  __metadata21("design:type", Function),
-  __metadata21("design:paramtypes", []),
-  __metadata21("design:returntype", Promise)
+  __metadata22("design:type", Function),
+  __metadata22("design:paramtypes", []),
+  __metadata22("design:returntype", Promise)
 ], PermissionController.prototype, "getPermissions", null);
-__decorate21([
+__decorate22([
   Get4("/:id"),
   Validate4({ params: permissionIdParam }),
   ResMsg4("permissions.success.retrieved"),
   __param8(0, Params3()),
-  __metadata21("design:type", Function),
-  __metadata21("design:paramtypes", [Object]),
-  __metadata21("design:returntype", Promise)
+  __metadata22("design:type", Function),
+  __metadata22("design:paramtypes", [Object]),
+  __metadata22("design:returntype", Promise)
 ], PermissionController.prototype, "getPermission", null);
-__decorate21([
+__decorate22([
   Post4(),
   Validate4(createPermissionDto),
   ResMsg4({ message: "Permission created successfully", status: 201 }),
   __param8(0, Body4()),
-  __metadata21("design:type", Function),
-  __metadata21("design:paramtypes", [Object]),
-  __metadata21("design:returntype", Promise)
+  __metadata22("design:type", Function),
+  __metadata22("design:paramtypes", [Object]),
+  __metadata22("design:returntype", Promise)
 ], PermissionController.prototype, "create", null);
-__decorate21([
+__decorate22([
   Put3("/:id"),
   Validate4({
     params: permissionIdParam,
@@ -2774,67 +2846,67 @@ __decorate21([
   ResMsg4("permissions.success.updated"),
   __param8(0, Params3()),
   __param8(1, Body4()),
-  __metadata21("design:type", Function),
-  __metadata21("design:paramtypes", [Object, Object]),
-  __metadata21("design:returntype", Promise)
+  __metadata22("design:type", Function),
+  __metadata22("design:paramtypes", [Object, Object]),
+  __metadata22("design:returntype", Promise)
 ], PermissionController.prototype, "update", null);
-__decorate21([
+__decorate22([
   Delete3("/:id"),
   Validate4({ params: permissionIdParam }),
   ResMsg4("permissions.success.deleted"),
   __param8(0, Params3()),
-  __metadata21("design:type", Function),
-  __metadata21("design:paramtypes", [Object]),
-  __metadata21("design:returntype", Promise)
+  __metadata22("design:type", Function),
+  __metadata22("design:paramtypes", [Object]),
+  __metadata22("design:returntype", Promise)
 ], PermissionController.prototype, "delete", null);
-__decorate21([
+__decorate22([
   Get4("/role/:id"),
   Validate4({ params: roleIdParam }),
   ResMsg4("permissions.success.retrieved"),
   __param8(0, Params3()),
-  __metadata21("design:type", Function),
-  __metadata21("design:paramtypes", [Object]),
-  __metadata21("design:returntype", Promise)
+  __metadata22("design:type", Function),
+  __metadata22("design:paramtypes", [Object]),
+  __metadata22("design:returntype", Promise)
 ], PermissionController.prototype, "getByRole", null);
-__decorate21([
+__decorate22([
   Get4("/roles/:id"),
   Validate4({ params: permissionIdParam }),
   ResMsg4("permissions.success.retrieved"),
   __param8(0, Params3()),
-  __metadata21("design:type", Function),
-  __metadata21("design:paramtypes", [Object]),
-  __metadata21("design:returntype", Promise)
+  __metadata22("design:type", Function),
+  __metadata22("design:paramtypes", [Object]),
+  __metadata22("design:returntype", Promise)
 ], PermissionController.prototype, "getRolesByPermission", null);
-__decorate21([
+__decorate22([
   Post4("/assign/:roleId/:permissionId"),
   Validate4({ params: assignPermissionDto }),
   ResMsg4("permissions.success.assigned"),
   __param8(0, Params3()),
-  __metadata21("design:type", Function),
-  __metadata21("design:paramtypes", [Object]),
-  __metadata21("design:returntype", Promise)
+  __metadata22("design:type", Function),
+  __metadata22("design:paramtypes", [Object]),
+  __metadata22("design:returntype", Promise)
 ], PermissionController.prototype, "assignToRole", null);
-__decorate21([
+__decorate22([
   Delete3("/remove/:roleId/:permissionId"),
   Validate4({ params: assignPermissionDto }),
   ResMsg4("permissions.success.removed"),
   __param8(0, Params3()),
-  __metadata21("design:type", Function),
-  __metadata21("design:paramtypes", [Object]),
-  __metadata21("design:returntype", Promise)
+  __metadata22("design:type", Function),
+  __metadata22("design:paramtypes", [Object]),
+  __metadata22("design:returntype", Promise)
 ], PermissionController.prototype, "removeFromRole", null);
-__decorate21([
+__decorate22([
   Delete3(),
   isAdmin(),
   ResMsg4("permissions.success.allDeleted"),
-  __metadata21("design:type", Function),
-  __metadata21("design:paramtypes", []),
-  __metadata21("design:returntype", Promise)
+  __metadata22("design:type", Function),
+  __metadata22("design:paramtypes", []),
+  __metadata22("design:returntype", Promise)
 ], PermissionController.prototype, "deleteAll", null);
-PermissionController = __decorate21([
+PermissionController = __decorate22([
   Controller4("/permissions"),
   isAdmin(),
-  __metadata21("design:paramtypes", [typeof (_a14 = typeof PermissionService !== "undefined" && PermissionService) === "function" ? _a14 : Object])
+  __metadata22("design:paramtypes", [typeof (_a14 = typeof PermissionService !== "undefined" && PermissionService) === "function" ? _a14 : Object])
 ], PermissionController);
 // src/tokens/index.ts
@@ -3019,12 +3091,15 @@ var selectSchema = /* @__PURE__ */ __name((config) => {
 var auth = /* @__PURE__ */ __name((config) => plugin("auth").version("1.0.0").depends(cache(), cookies(), i18n(), guards(), validation(config?.validation), rateLimit(config?.rateLimit), email()).requires("database").contributes(I18N_CONTRIBUTIONS, AUTH_LOCALES).services(auth_exports, users_exports, roles_exports, permissions_exports, tokens_exports).config(AUTH_CONFIG, mergeConfig(config)).set(AUTH_SCHEMA, selectSchema(config)).build(), "auth");
 // src/ownership/scopedOwnership.ts
-import { eq as eq6, sql as sql4 } from "drizzle-orm";
+import { aliasedTable, eq as eq6, getTableColumns, sql as sql4 } from "drizzle-orm";
 var DEFAULT_ADMIN_ROLES = ["admin", "principal"];
+var DRIZZLE_NAME = /* @__PURE__ */ Symbol.for("drizzle:Name");
+var DRIZZLE_BASE_NAME = /* @__PURE__ */ Symbol.for("drizzle:BaseName");
+var DRIZZLE_IS_ALIAS = /* @__PURE__ */ Symbol.for("drizzle:IsAlias");
 function join2(left, right) {
   const table = right.table;
   if (!table)
-    throw new Error(`join(): cannot infer table from right column. Use drizzle alias().`);
+    throw new Error("join(): cannot infer table from right column.");
   return { type: "join", left, right, table };
 }
 __name(join2, "join");
@@ -3032,9 +3107,72 @@ function where(col) {
   return { type: "owner", col };
 }
 __name(where, "where");
+function isAliased(table) {
+  return table?.[DRIZZLE_IS_ALIAS] === true;
+}
+__name(isAliased, "isAliased");
+function autoAlias(table, suffix) {
+  if (isAliased(table))
+    return table;
+  const name = table?.[DRIZZLE_BASE_NAME] ?? table?.[DRIZZLE_NAME] ?? "table";
+  return aliasedTable(table, `_sc_${String(name)}_${suffix}`);
+}
+__name(autoAlias, "autoAlias");
+function getColumns(table) {
+  try {
+    return getTableColumns(table) ?? null;
+  } catch {
+    return null;
+  }
+}
+__name(getColumns, "getColumns");
+function buildColumnMap(rawTable, aliased) {
+  const rawCols = getColumns(rawTable);
+  const aliasedCols = getColumns(aliased);
+  const map = /* @__PURE__ */ new Map();
+  if (!rawCols || !aliasedCols)
+    return map;
+  for (const key of Object.keys(rawCols)) {
+    map.set(rawCols[key], aliasedCols[key]);
+  }
+  return map;
+}
+__name(buildColumnMap, "buildColumnMap");
 function compile(steps) {
-  const joins = steps.filter((s) => s.type === "join");
-  const owner = steps.find((s) => s.type === "owner");
+  const tableMap = /* @__PURE__ */ new Map();
+  const colMap = /* @__PURE__ */ new Map();
+  let aliasIndex = 0;
+  for (const step of steps) {
+    if (step.type !== "join")
+      continue;
+    const rawTable = step.right.table;
+    if (isAliased(rawTable) || tableMap.has(rawTable) || !getColumns(rawTable))
+      continue;
+    const aliased = autoAlias(rawTable, ++aliasIndex);
+    tableMap.set(rawTable, aliased);
+    for (const [rawCol, aliasedCol] of buildColumnMap(rawTable, aliased)) {
+      colMap.set(rawCol, aliasedCol);
+    }
+  }
+  const remapped = steps.map((step) => {
+    if (step.type === "join") {
+      return {
+        ...step,
+        left: colMap.get(step.left) ?? step.left,
+        right: colMap.get(step.right) ?? step.right,
+        table: tableMap.get(step.right.table) ?? step.right.table
+      };
+    }
+    if (step.type === "owner") {
+      return {
+        ...step,
+        col: colMap.get(step.col) ?? step.col
+      };
+    }
+    return step;
+  });
+  const joins = remapped.filter((s) => s.type === "join");
+  const owner = remapped.find((s) => s.type === "owner");
   if (!owner)
     throw new Error("Ownership chain must end with where()");
   return (uid, query) => {
@@ -3056,7 +3194,7 @@ var OwnershipToken = class {
   _writeScopeCol;
   _adminRoles;
   constructor(table, opts) {
-    const name = table[/* @__PURE__ */ Symbol.for("drizzle:Name")] ?? table?._.baseName ?? table?._.name ?? "resource";
+    const name = table[DRIZZLE_NAME] ?? table?._.baseName ?? table?._.name ?? "resource";
     this.name = name;
     this.table = table;
     this.symbol = Symbol(name);
@@ -3115,15 +3253,15 @@ function own(table, opts) {
 __name(own, "own");
 // src/ownership/configureOwnership.ts
-import { Injectable as Injectable11, Inject as Inject10, User as User4, Body as Body5, Params as Params4 } from "najm-core";
+import { Injectable as Injectable11, Inject as Inject10, User as User5, Body as Body5, Params as Params4 } from "najm-core";
 import { createGuard as createGuard5, composeGuards as composeGuards4 } from "najm-guard";
-var __decorate22 = function(decorators, target, key, desc) {
+var __decorate23 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __metadata22 = function(k, v) {
+var __metadata23 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 var __param9 = function(paramIndex, decorator) {
@@ -3143,7 +3281,7 @@ function toSingular(plural) {
 }
 __name(toSingular, "toSingular");
 function createResourceGuards(ownershipClass, resourceType, resource, options) {
-  var _a16, _b9;
+  var _a16, _b8;
   const writeGuard = options?.adminGuard ?? isAdmin;
   let AccessGuard = class AccessGuard {
     static {
@@ -3155,18 +3293,18 @@ function createResourceGuards(ownershipClass, resourceType, resource, options) {
       return allowed ? { owner: user } : false;
     }
   };
-  __decorate22([
+  __decorate23([
     Inject10(ownershipClass),
-    __metadata22("design:type", Object)
+    __metadata23("design:type", Object)
   ], AccessGuard.prototype, "ownership", void 0);
-  __decorate22([
-    __param9(0, User4()),
+  __decorate23([
+    __param9(0, User5()),
     __param9(1, Params4("id")),
-    __metadata22("design:type", Function),
-    __metadata22("design:paramtypes", [Object, String]),
-    __metadata22("design:returntype", typeof (_a16 = typeof Promise !== "undefined" && Promise) === "function" ? _a16 : Object)
+    __metadata23("design:type", Function),
+    __metadata23("design:paramtypes", [Object, String]),
+    __metadata23("design:returntype", typeof (_a16 = typeof Promise !== "undefined" && Promise) === "function" ? _a16 : Object)
   ], AccessGuard.prototype, "canActivate", null);
-  AccessGuard = __decorate22([
+  AccessGuard = __decorate23([
     Injectable11()
   ], AccessGuard);
   let ListGuard = class ListGuard {
@@ -3179,17 +3317,17 @@ function createResourceGuards(ownershipClass, resourceType, resource, options) {
       return { filter: ids };
     }
   };
-  __decorate22([
+  __decorate23([
     Inject10(ownershipClass),
-    __metadata22("design:type", Object)
+    __metadata23("design:type", Object)
   ], ListGuard.prototype, "ownership", void 0);
-  __decorate22([
-    __param9(0, User4()),
-    __metadata22("design:type", Function),
-    __metadata22("design:paramtypes", [Object]),
-    __metadata22("design:returntype", typeof (_b9 = typeof Promise !== "undefined" && Promise) === "function" ? _b9 : Object)
+  __decorate23([
+    __param9(0, User5()),
+    __metadata23("design:type", Function),
+    __metadata23("design:paramtypes", [Object]),
+    __metadata23("design:returntype", typeof (_b8 = typeof Promise !== "undefined" && Promise) === "function" ? _b8 : Object)
   ], ListGuard.prototype, "canActivate", null);
-  ListGuard = __decorate22([
+  ListGuard = __decorate23([
     Injectable11()
   ], ListGuard);
   const access = createGuard5(AccessGuard);
@@ -3321,7 +3459,7 @@ function configureOwnership(config) {
       }
     }
   };
-  GeneratedOwnershipService = __decorate22([
+  GeneratedOwnershipService = __decorate23([
     Injectable11()
   ], GeneratedOwnershipService);
   function bodyGuard(resourceType, bodyField, optional = false) {
@@ -3338,18 +3476,18 @@ function configureOwnership(config) {
         return this.ownership.canAccess(user, resourceType, id);
       }
     };
-    __decorate22([
+    __decorate23([
       Inject10(GeneratedOwnershipService),
-      __metadata22("design:type", GeneratedOwnershipService)
+      __metadata23("design:type", GeneratedOwnershipService)
     ], BodyAccessGuard.prototype, "ownership", void 0);
-    __decorate22([
-      __param9(0, User4()),
+    __decorate23([
+      __param9(0, User5()),
       __param9(1, Body5()),
-      __metadata22("design:type", Function),
-      __metadata22("design:paramtypes", [Object, Object]),
-      __metadata22("design:returntype", typeof (_a16 = typeof Promise !== "undefined" && Promise) === "function" ? _a16 : Object)
+      __metadata23("design:type", Function),
+      __metadata23("design:paramtypes", [Object, Object]),
+      __metadata23("design:returntype", typeof (_a16 = typeof Promise !== "undefined" && Promise) === "function" ? _a16 : Object)
     ], BodyAccessGuard.prototype, "canActivate", null);
-    BodyAccessGuard = __decorate22([
+    BodyAccessGuard = __decorate23([
       Injectable11()
     ], BodyAccessGuard);
     return createGuard5(BodyAccessGuard);
@@ -3465,15 +3603,15 @@ __name(Policy, "Policy");
 // src/ownership/OwnedDecorator.ts
 import "reflect-metadata";
 import { sql as sql5, and as and2 } from "drizzle-orm";
-import { Injectable as Injectable12, Inject as Inject11, DI, Container, REQUEST_ID } from "najm-core";
-import { USER } from "najm-guard";
-var __decorate23 = function(decorators, target, key, desc) {
+import { Injectable as Injectable12, Inject as Inject11, DI as DI2, Container as Container2, REQUEST_ID } from "najm-core";
+import { USER as USER2 } from "najm-guard";
+var __decorate24 = function(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __metadata23 = function(k, v) {
+var __metadata24 = function(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 var _a15;
@@ -3490,7 +3628,7 @@ var ScopeContext = class ScopeContext2 {
       const requestId = this.container?.get?.(REQUEST_ID) ?? null;
       if (requestId && requestId === this._cachedRequestId)
         return this._cachedUser;
-      const user = this.container?.get?.(USER) ?? null;
+      const user = this.container?.get?.(USER2) ?? null;
       this._cachedRequestId = requestId;
       this._cachedUser = user;
       return user;
@@ -3499,11 +3637,11 @@ var ScopeContext = class ScopeContext2 {
     }
   }
 };
-__decorate23([
-  DI(),
-  __metadata23("design:type", typeof (_a15 = typeof Container !== "undefined" && Container) === "function" ? _a15 : Object)
+__decorate24([
+  DI2(),
+  __metadata24("design:type", typeof (_a15 = typeof Container2 !== "undefined" && Container2) === "function" ? _a15 : Object)
 ], ScopeContext.prototype, "container", void 0);
-ScopeContext = __decorate23([
+ScopeContext = __decorate24([
   Injectable12()
 ], ScopeContext);
 function Owned(token) {
@@ -3694,6 +3832,7 @@ export {
   AuthController,
   AuthGuard,
   AuthQueries,
+  AuthResolver,
   AuthService,
   Can,
   CanCreate,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "najm-auth",
-  "version": "1.1.6",
+  "version": "1.1.8",
   "description": "Authentication and authorization library for najm framework",
   "type": "module",
   "files": [
@@ -10,25 +10,21 @@
   "types": "./dist/index.d.ts",
   "exports": {
     ".": {
-      "bun": "./src/index.ts",
       "types": "./dist/index.d.ts",
       "import": "./dist/index.js",
       "default": "./dist/index.js"
     },
     "./pg": {
-      "bun": "./src/schema/pg.ts",
       "types": "./dist/schema/pg.d.ts",
       "import": "./dist/schema/pg.js",
       "default": "./dist/schema/pg.js"
     },
     "./sqlite": {
-      "bun": "./src/schema/sqlite.ts",
       "types": "./dist/schema/sqlite.d.ts",
       "import": "./dist/schema/sqlite.js",
       "default": "./dist/schema/sqlite.js"
     },
     "./mysql": {
-      "bun": "./src/schema/mysql.ts",
       "types": "./dist/schema/mysql.d.ts",
       "import": "./dist/schema/mysql.js",
       "default": "./dist/schema/mysql.js"
@@ -62,15 +58,15 @@
     "typescript": "^5.9.3"
   },
   "dependencies": {
-    "najm-cookies": "^1.1.1",
-    "najm-core": "^1.1.1",
-    "najm-database": "^1.1.2",
-    "najm-guard": "^1.1.1",
-    "najm-i18n": "^1.1.1",
-    "najm-cache": "^1.1.1",
-    "najm-email": "^1.1.1",
-    "najm-rate": "^1.1.1",
-    "najm-validation": "^1.1.1",
+    "najm-cookies": "^1.1.2",
+    "najm-core": "^1.1.2",
+    "najm-database": "^1.1.3",
+    "najm-guard": "^1.1.2",
+    "najm-i18n": "^1.1.2",
+    "najm-cache": "^1.1.2",
+    "najm-email": "^1.1.2",
+    "najm-rate": "^1.1.2",
+    "najm-validation": "^1.1.2",
     "bcryptjs": "^3.0.3",
     "hono": "^4.0.0",
     "jsonwebtoken": "^9.0.3",