permissions-contractx 1.0.0

package/dist/modules/permissions-contractx.module.d.ts

@@ -0,0 +1,41 @@
+import { DynamicModule } from '@nestjs/common';
+import { PermissionsModuleOptions } from '../interfaces';
+/**
+ * ContractX Permissions Module
+ * Provides authentication and authorization for NestJS microservices
+ */
+export declare class PermissionsContractXModule {
+    /**
+     * Register the module with configuration
+     *
+     * @param options - Module configuration options
+     * @returns DynamicModule
+     */
+    static register(options: PermissionsModuleOptions): DynamicModule;
+    /**
+     * Register module asynchronously with factory
+     *
+     * @param options - Async configuration options
+     * @returns DynamicModule
+     */
+    static registerAsync(options: {
+        imports?: any[];
+        useFactory: (...args: any[]) => PermissionsModuleOptions | Promise<PermissionsModuleOptions>;
+        inject?: any[];
+    }): DynamicModule;
+    /**
+     * Quick setup for development with environment variables
+     *
+     * @example
+     * ```typescript
+     * @Module({
+     *   imports: [
+     *     PermissionsContractXModule.forRoot()
+     *   ]
+     * })
+     * export class AppModule {}
+     * ```
+     */
+    static forRoot(): DynamicModule;
+}
+//# sourceMappingURL=permissions-contractx.module.d.ts.map

package/dist/modules/permissions-contractx.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions-contractx.module.d.ts","sourceRoot":"","sources":["../../src/modules/permissions-contractx.module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAU,aAAa,EAAU,MAAM,gBAAgB,CAAC;AAK/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,eAAe,CAAC;AASzD;;;GAGG;AACH,qBAKa,0BAA0B;IACrC;;;;;OAKG;IACH,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,wBAAwB,GAAG,aAAa;IAsEjE;;;;;OAKG;IACH,MAAM,CAAC,aAAa,CAAC,OAAO,EAAE;QAC5B,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC;QAChB,UAAU,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,wBAAwB,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAAC;QAC7F,MAAM,CAAC,EAAE,GAAG,EAAE,CAAC;KAChB,GAAG,aAAa;IAgEjB;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,OAAO,IAAI,aAAa;CA2BhC"}

package/dist/modules/permissions-contractx.module.js

@@ -0,0 +1,215 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var PermissionsContractXModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionsContractXModule = void 0;
+const common_1 = require("@nestjs/common");
+const jwt_1 = require("@nestjs/jwt");
+const config_1 = require("@nestjs/config");
+const core_1 = require("@nestjs/core");
+const guards_1 = require("../guards");
+const constants_1 = require("../constants");
+const services_1 = require("../services");
+/**
+ * ContractX Permissions Module
+ * Provides authentication and authorization for NestJS microservices
+ */
+let PermissionsContractXModule = PermissionsContractXModule_1 = class PermissionsContractXModule {
+    /**
+     * Register the module with configuration
+     *
+     * @param options - Module configuration options
+     * @returns DynamicModule
+     */
+    static register(options) {
+        return {
+            module: PermissionsContractXModule_1,
+            imports: [
+                config_1.ConfigModule,
+                jwt_1.JwtModule.register({
+                    secret: options.jwt.secret,
+                    signOptions: {
+                        expiresIn: options.jwt.expiresIn || '15m',
+                        issuer: options.jwt.issuer,
+                        audience: options.jwt.audience,
+                    },
+                    verifyOptions: {
+                        issuer: options.jwt.issuer,
+                        audience: options.jwt.audience,
+                        clockTolerance: options.jwt.clockTolerance || 0,
+                        ignoreExpiration: options.jwt.ignoreExpiration || false,
+                    },
+                }),
+            ],
+            providers: [
+                {
+                    provide: constants_1.MODULE_CONSTANTS.MODULE_OPTIONS_TOKEN,
+                    useValue: options,
+                },
+                services_1.UserContextService,
+                services_1.ContractXValidationService,
+                services_1.ContractXAuthorizationService,
+                guards_1.JwtAuthGuard,
+                guards_1.RolesGuard,
+                guards_1.PermissionsGuard,
+                // Apply global guards if enabled
+                ...(options.guards?.enableGlobalAuth
+                    ? [
+                        {
+                            provide: core_1.APP_GUARD,
+                            useClass: guards_1.JwtAuthGuard,
+                        },
+                    ]
+                    : []),
+                ...(options.guards?.enableGlobalRoles
+                    ? [
+                        {
+                            provide: core_1.APP_GUARD,
+                            useClass: guards_1.RolesGuard,
+                        },
+                    ]
+                    : []),
+                ...(options.guards?.enableGlobalPermissions
+                    ? [
+                        {
+                            provide: core_1.APP_GUARD,
+                            useClass: guards_1.PermissionsGuard,
+                        },
+                    ]
+                    : []),
+            ],
+            exports: [
+                jwt_1.JwtModule,
+                services_1.UserContextService,
+                services_1.ContractXValidationService,
+                services_1.ContractXAuthorizationService,
+                guards_1.JwtAuthGuard,
+                guards_1.RolesGuard,
+                guards_1.PermissionsGuard,
+                constants_1.MODULE_CONSTANTS.MODULE_OPTIONS_TOKEN,
+            ],
+        };
+    }
+    /**
+     * Register module asynchronously with factory
+     *
+     * @param options - Async configuration options
+     * @returns DynamicModule
+     */
+    static registerAsync(options) {
+        return {
+            module: PermissionsContractXModule_1,
+            imports: [
+                config_1.ConfigModule,
+                jwt_1.JwtModule.registerAsync({
+                    imports: options.imports || [],
+                    useFactory: async (...args) => {
+                        const moduleOptions = await options.useFactory(...args);
+                        return {
+                            secret: moduleOptions.jwt.secret,
+                            signOptions: {
+                                expiresIn: moduleOptions.jwt.expiresIn || '15m',
+                                issuer: moduleOptions.jwt.issuer,
+                                audience: moduleOptions.jwt.audience,
+                            },
+                            verifyOptions: {
+                                issuer: moduleOptions.jwt.issuer,
+                                audience: moduleOptions.jwt.audience,
+                                clockTolerance: moduleOptions.jwt.clockTolerance || 0,
+                                ignoreExpiration: moduleOptions.jwt.ignoreExpiration || false,
+                            },
+                        };
+                    },
+                    inject: options.inject || [],
+                }),
+                ...(options.imports || []),
+            ],
+            providers: [
+                {
+                    provide: constants_1.MODULE_CONSTANTS.MODULE_OPTIONS_TOKEN,
+                    useFactory: options.useFactory,
+                    inject: options.inject || [],
+                },
+                services_1.UserContextService,
+                services_1.ContractXValidationService,
+                services_1.ContractXAuthorizationService,
+                guards_1.JwtAuthGuard,
+                guards_1.RolesGuard,
+                guards_1.PermissionsGuard,
+                // Apply global guards conditionally
+                {
+                    provide: 'GLOBAL_AUTH_GUARD',
+                    useFactory: (moduleOptions) => moduleOptions.guards?.enableGlobalAuth,
+                    inject: [constants_1.MODULE_CONSTANTS.MODULE_OPTIONS_TOKEN],
+                },
+                {
+                    provide: core_1.APP_GUARD,
+                    useClass: guards_1.JwtAuthGuard,
+                },
+            ],
+            exports: [
+                jwt_1.JwtModule,
+                services_1.UserContextService,
+                services_1.ContractXValidationService,
+                services_1.ContractXAuthorizationService,
+                guards_1.JwtAuthGuard,
+                guards_1.RolesGuard,
+                guards_1.PermissionsGuard,
+                constants_1.MODULE_CONSTANTS.MODULE_OPTIONS_TOKEN,
+            ],
+        };
+    }
+    /**
+     * Quick setup for development with environment variables
+     *
+     * @example
+     * ```typescript
+     * @Module({
+     *   imports: [
+     *     PermissionsContractXModule.forRoot()
+     *   ]
+     * })
+     * export class AppModule {}
+     * ```
+     */
+    static forRoot() {
+        return this.registerAsync({
+            imports: [config_1.ConfigModule],
+            useFactory: (configService) => ({
+                jwt: {
+                    secret: configService.get('JWT_SECRET') || 'your-secret-key',
+                    issuer: configService.get('JWT_ISSUER') || 'contractx-api',
+                    audience: configService.get('JWT_AUDIENCE') || 'contractx-users',
+                    expiresIn: configService.get('JWT_EXPIRES_IN') || '15m',
+                    clockTolerance: parseInt(configService.get('JWT_CLOCK_TOLERANCE') || '0'),
+                    ignoreExpiration: configService.get('NODE_ENV') === 'development',
+                },
+                guards: {
+                    enableGlobalAuth: configService.get('ENABLE_GLOBAL_AUTH') === 'true',
+                    enableGlobalRoles: configService.get('ENABLE_GLOBAL_ROLES') === 'true',
+                    enableGlobalPermissions: configService.get('ENABLE_GLOBAL_PERMISSIONS') === 'true',
+                },
+                security: {
+                    enableLogging: configService.get('ENABLE_AUTH_LOGGING') === 'true',
+                },
+                development: {
+                    disableAuth: configService.get('DISABLE_AUTH') === 'true',
+                },
+            }),
+            inject: [config_1.ConfigService],
+        });
+    }
+};
+exports.PermissionsContractXModule = PermissionsContractXModule;
+exports.PermissionsContractXModule = PermissionsContractXModule = PermissionsContractXModule_1 = __decorate([
+    (0, common_1.Global)(),
+    (0, common_1.Module)({
+        providers: [core_1.Reflector],
+        exports: [core_1.Reflector],
+    })
+], PermissionsContractXModule);

package/dist/services/contractx-authorization.service.d.ts

@@ -0,0 +1,107 @@
+import { ContractXValidationService, ValidationResult } from './contractx-validation.service';
+export interface AuthorizationContext {
+    userRoles: string[];
+    userPermissions: string[];
+    organizationId?: string;
+    projectId?: string;
+    tenantType?: 'client' | 'provider';
+    requestedResource?: string;
+    requestedAction?: string;
+}
+export interface AuthorizationResult {
+    granted: boolean;
+    reason: string;
+    level: 'role' | 'permission' | 'system' | 'denied';
+    metadata?: Record<string, any>;
+}
+export interface AccessMatrix {
+    hasSystemAccess: boolean;
+    hasClientAccess: boolean;
+    hasProviderAccess: boolean;
+    hasAdminAccess: boolean;
+    accessibleModules: string[];
+    highestRoleLevel: number;
+    effectivePermissions: string[];
+}
+export declare class ContractXAuthorizationService {
+    private readonly validationService;
+    constructor(validationService: ContractXValidationService);
+    /**
+     * Authorize a user for a specific action on a resource
+     */
+    authorize(context: AuthorizationContext): AuthorizationResult;
+    /**
+     * Check if user has system-level access
+     */
+    private hasSystemLevelAccess;
+    /**
+     * Check role-based access for a resource and action
+     */
+    private checkRoleBasedAccess;
+    /**
+     * Check permission-based access for a resource and action
+     */
+    private checkPermissionBasedAccess;
+    /**
+     * Check if user has any access to a module
+     */
+    private checkModuleAccess;
+    /**
+     * Generate an access matrix for the user
+     */
+    generateAccessMatrix(context: AuthorizationContext): AccessMatrix;
+    /**
+     * Check if user can access a specific tenant
+     */
+    canAccessTenant(userRoles: string[], tenantType: 'client' | 'provider'): boolean;
+    /**
+     * Get user's accessible tenant types
+     */
+    getAccessibleTenants(userRoles: string[]): ('client' | 'provider' | 'system')[];
+    /**
+     * Filter resources based on user permissions
+     */
+    filterAccessibleResources(userPermissions: string[], resources: string[], requiredAction?: string): string[];
+    /**
+     * Get user's permissions for a specific module
+     */
+    getModulePermissions(userPermissions: string[], module: string): string[];
+    /**
+     * Check if user has administrative access to a resource
+     */
+    hasAdministrativeAccess(userRoles: string[], _resource?: string): boolean;
+    /**
+     * Validate user context for multi-tenant environment
+     */
+    validateMultiTenantAccess(context: AuthorizationContext): ValidationResult;
+    /**
+     * Get permission summary for logging/audit purposes
+     */
+    getPermissionSummary(context: AuthorizationContext): Record<string, any>;
+    /**
+     * Check if authorization is required for a resource
+     */
+    isAuthorizationRequired(resource: string, action: string): boolean;
+    /**
+     * Get minimum required role for a resource/action combination
+     */
+    getMinimumRequiredRole(resource: string, action: string): string[];
+    /**
+     * Check permission for a user (simpler interface for admin service)
+     */
+    checkPermission(user: {
+        role: string[];
+        permissions: string[];
+    }, permission: string, context?: {
+        tenantId?: string;
+        resourceId?: string;
+    }): AuthorizationResult;
+    /**
+     * Generate access matrix for a user object (simpler interface)
+     */
+    generateAccessMatrixForUser(user: {
+        role: string[];
+        permissions: string[];
+    }): AccessMatrix;
+}
+//# sourceMappingURL=contractx-authorization.service.d.ts.map

package/dist/services/contractx-authorization.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"contractx-authorization.service.d.ts","sourceRoot":"","sources":["../../src/services/contractx-authorization.service.ts"],"names":[],"mappings":"AACA,OAAO,EACL,0BAA0B,EAC1B,gBAAgB,EACjB,MAAM,gCAAgC,CAAC;AAgBxC,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,QAAQ,GAAG,UAAU,CAAC;IACnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,QAAQ,GAAG,QAAQ,CAAC;IACnD,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAChC;AAED,MAAM,WAAW,YAAY;IAC3B,eAAe,EAAE,OAAO,CAAC;IACzB,eAAe,EAAE,OAAO,CAAC;IACzB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,cAAc,EAAE,OAAO,CAAC;IACxB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,gBAAgB,EAAE,MAAM,CAAC;IACzB,oBAAoB,EAAE,MAAM,EAAE,CAAC;CAChC;AAED,qBACa,6BAA6B;IAE5B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;gBAAjB,iBAAiB,EAAE,0BAA0B;IAE1E;;OAEG;IACH,SAAS,CAAC,OAAO,EAAE,oBAAoB,GAAG,mBAAmB;IAmE7D;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAQ5B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAqC5B;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAkClC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAIzB;;OAEG;IACH,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,YAAY;IAkCjE;;OAEG;IACH,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,QAAQ,GAAG,UAAU,GAAG,OAAO;IAchF;;OAEG;IACH,oBAAoB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,CAAC,QAAQ,GAAG,UAAU,GAAG,QAAQ,CAAC,EAAE;IAmB/E;;OAEG;IACH,yBAAyB,CACvB,eAAe,EAAE,MAAM,EAAE,EACzB,SAAS,EAAE,MAAM,EAAE,EACnB,cAAc,GAAE,MAAe,GAC9B,MAAM,EAAE;IAOX;;OAEG;IACH,oBAAoB,CAAC,eAAe,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE;IAUzE;;OAEG;IACH,uBAAuB,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO;IAezE;;OAEG;IACH,yBAAyB,CAAC,OAAO,EAAE,oBAAoB,GAAG,gBAAgB;IA6B1E;;OAEG;IACH,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;IAiBxE;;OAEG;IACH,uBAAuB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO;IAYlE;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE;IAoBlE;;OAEG;IACH,eAAe,CACb,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAAC,WAAW,EAAE,MAAM,EAAE,CAAA;KAAE,EAC/C,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,GACnD,mBAAmB;IAetB;;OAEG;IACH,2BAA2B,CAAC,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAAC,WAAW,EAAE,MAAM,EAAE,CAAA;KAAE,GAAG,YAAY;CAQ3F"}