npm - snipe-auth-rbac - Versions diffs - 0.1.0 - Mend

snipe-auth-rbac 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/dist/admin/index.cjs +515 -0
package/dist/admin/index.cjs.map +1 -0
package/dist/admin/index.d.cts +346 -0
package/dist/admin/index.d.ts +346 -0
package/dist/admin/index.js +460 -0
package/dist/admin/index.js.map +1 -0
package/dist/chunk-4WTV6J44.js +67 -0
package/dist/chunk-4WTV6J44.js.map +1 -0
package/dist/chunk-BRCJUCDG.js +55 -0
package/dist/chunk-BRCJUCDG.js.map +1 -0
package/dist/index.cjs +148 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.cts +90 -0
package/dist/index.d.ts +90 -0
package/dist/index.js +15 -0
package/dist/index.js.map +1 -0
package/dist/react/index.cjs +349 -0
package/dist/react/index.cjs.map +1 -0
package/dist/react/index.d.cts +221 -0
package/dist/react/index.d.ts +221 -0
package/dist/react/index.js +227 -0
package/dist/react/index.js.map +1 -0
package/dist/types-BEc5SCIo.d.cts +69 -0
package/dist/types-BEc5SCIo.d.ts +69 -0
package/package.json +68 -0

package/dist/react/index.d.ts ADDED Viewed

@@ -0,0 +1,221 @@
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { ReactNode, ComponentType } from 'react';
+import { AuthRbacClient, CanOptions } from '../index.js';
+export { createHttpFetcher, createSupabaseFetcher } from '../index.js';
+import { b as AuthRbacFetcher, c as ResourceRegistry, U as UserProfile, A as Action, C as CompanyMembership, F as FrontendConfig, a as ResourceDescriptor } from '../types-BEc5SCIo.js';
+export { P as PermissionGrid, d as PermissionMap, R as ResourceScope, e as RoleSummary } from '../types-BEc5SCIo.js';
+interface AuthRbacContextValue {
+    /**
+     * `null` means we haven't hydrated yet. Components should treat
+     * the not-loaded state as "no permissions" (fail-closed).
+     */
+    profile: UserProfile | null;
+    loading: boolean;
+    error: Error | null;
+    resources: ResourceRegistry;
+    activeCompanyId: string | null;
+    setActiveCompany: (id: string | null) => void;
+    refresh: () => Promise<void>;
+    resolver: AuthRbacClient;
+}
+interface AuthRbacProviderProps {
+    fetcher: AuthRbacFetcher;
+    resources: ResourceRegistry;
+    /**
+     * Initial active company. Common patterns:
+     *  - read from URL query/path
+     *  - read from localStorage
+     *  - omit and let the user pick from the switcher
+     */
+    initialCompanyId?: string | null;
+    /**
+     * Persistence hook. Called every time the active company changes.
+     * Default: writes to `localStorage` under
+     * `auth-rbac:active-company`. Pass `false` to disable.
+     */
+    persistActiveCompany?: ((id: string | null) => void) | false;
+    children: ReactNode;
+}
+declare function AuthRbacProvider(props: AuthRbacProviderProps): react_jsx_runtime.JSX.Element;
+declare function useAuthRbac(): AuthRbacContextValue;
+/**
+ * Boolean permission check.
+ *
+ * @example
+ *   const canEdit = useCan("properties", "update");
+ *   <Button disabled={!canEdit}>Speichern</Button>
+ *
+ * @example explicitly target a non-active company
+ *   const canRead = useCan("payments", "read", { companyId: targetId });
+ */
+declare function useCan(resource: string, action: Action, options?: CanOptions): boolean;
+interface CanProps extends CanOptions {
+    resource: string;
+    action: Action;
+    /** Rendered when the user has the permission. */
+    children: ReactNode;
+    /**
+     * Rendered when the user does NOT have the permission. Defaults
+     * to `null` (silent hide). Pass a `<NoPermissionView />` or a
+     * tooltip-wrapper to surface the denial explicitly.
+     */
+    fallback?: ReactNode;
+}
+/**
+ * Subtree gate. Bails before children render so any data fetching
+ * inside `children` is skipped for users without permission.
+ */
+declare function Can(props: CanProps): react_jsx_runtime.JSX.Element;
+interface RequirePermissionProps extends CanOptions {
+    resource: string;
+    action: Action;
+    /**
+     * What to render while the profile is still loading. Defaults to
+     * `null` (no flash) — pass a spinner if your routes typically
+     * mount before the profile lands.
+     */
+    loadingFallback?: ReactNode;
+    /**
+     * What to render when access is denied. Defaults to a minimal
+     * "Sie haben keinen Zugriff" message; pass your own component to
+     * theme it.
+     */
+    deniedFallback?: ReactNode;
+    /**
+     * For `react-router-dom v6` route-element usage, pass an `<Outlet />`
+     * here — the gate resolves to either the outlet or the denied
+     * fallback. For component-tree usage, pass any children.
+     */
+    children?: ReactNode;
+}
+/**
+ * Route- or component-level guard. Three render branches:
+ *
+ *  - profile not yet loaded → `loadingFallback`
+ *  - permission denied      → `deniedFallback`
+ *  - permission granted     → `children`
+ *
+ * Drop-in replacement for the legacy `<RequireRolesRoute>` pattern.
+ *
+ * @example
+ *   // App.tsx route table
+ *   <Route element={
+ *     <RequirePermission resource="payments" action="read">
+ *       <Outlet />
+ *     </RequirePermission>
+ *   }>
+ *     <Route path="/payments" element={<PaymentsPage />} />
+ *   </Route>
+ */
+declare function RequirePermission(props: RequirePermissionProps): react_jsx_runtime.JSX.Element;
+interface ActiveCompany {
+    id: string | null;
+    membership: CompanyMembership | null;
+    memberships: CompanyMembership[];
+    setActive: (id: string | null) => void;
+}
+/**
+ * Read + switch the active company.
+ *
+ * @example
+ *   const { id, memberships, setActive } = useActiveCompany();
+ *
+ *   return (
+ *     <select value={id ?? ""} onChange={(e) => setActive(e.target.value || null)}>
+ *       {memberships.map((m) => (
+ *         <option key={m.company_id} value={m.company_id}>{m.company_name}</option>
+ *       ))}
+ *     </select>
+ *   );
+ */
+declare function useActiveCompany(): ActiveCompany;
+/**
+ * Reads the merged `frontend_config` for the user. Sources in
+ * priority order: active company's membership > system roles. Use
+ * this to drive sidebar items, dashboard defaults, and any other
+ * "what should this role see" UX without hardcoded role checks.
+ *
+ * The shape is intentionally `Record<string, unknown>` — your host
+ * project owns the schema. Document your keys (e.g. `sidebar`,
+ * `default_dashboard`) once and stick to them.
+ */
+declare function useFrontendConfig(): FrontendConfig;
+/**
+ * Typed factory — turns a const-asserted resource registry into a
+ * set of hooks/components whose `resource` arg is constrained to
+ * the registered names. Typos become TypeScript errors instead of
+ * silent runtime `false`.
+ *
+ * @example
+ *   // src/auth/resources.ts
+ *   import { defineAuthRbac } from "snipe-auth-rbac/react";
+ *
+ *   export const RESOURCES = [
+ *     { resource: "properties", scope: "company", label: "Liegenschaften", group: "Stammdaten" },
+ *     { resource: "payments",   scope: "company", label: "Zahlungen",     group: "Finanzen" },
+ *     { resource: "system_audit", scope: "system",  label: "Audit-Log",    group: "Plattform" },
+ *   ] as const;
+ *
+ *   export const { useCan, Can, RequirePermission } = defineAuthRbac(RESOURCES);
+ *
+ *   // ----- elsewhere -----
+ *   useCan("properties", "update");       // ✓
+ *   useCan("paymetns", "update");          // ✗ TS error: not assignable to type "properties" | "payments" | "system_audit"
+ */
+/**
+ * Drop-in replacement signatures for the three guards, with a
+ * narrowed `resource` arg.
+ */
+interface TypedGuards<R extends string> {
+    useCan: (resource: R, action: Action, options?: {
+        companyId?: string | null;
+    }) => boolean;
+    Can: ComponentType<{
+        resource: R;
+        action: Action;
+        companyId?: string | null;
+        children: ReactNode;
+        fallback?: ReactNode;
+    }>;
+    RequirePermission: ComponentType<{
+        resource: R;
+        action: Action;
+        companyId?: string | null;
+        loadingFallback?: ReactNode;
+        deniedFallback?: ReactNode;
+        children?: ReactNode;
+    }>;
+    /** The const-asserted registry, re-exported so call-sites can iterate. */
+    resources: ResourceRegistry;
+    /** All registered resource names as a union — handy for typing
+     *  application-side data structures. */
+    resourceNames: ReadonlyArray<R>;
+}
+/**
+ * React + Next.js entry. Import this in browser code:
+ *
+ *   import { AuthRbacProvider, useCan } from "snipe-auth-rbac/react";
+ *
+ * The non-React entry (`snipe-auth-rbac`) re-exports types and the
+ * pure resolver, suitable for Node, edge workers, and tests.
+ */
+/**
+ * Typed factory — pass a const-asserted resource registry and get
+ * back guards whose `resource` arg is constrained to the registered
+ * names. Recommended at the top of every host project.
+ *
+ * See ../define.ts for the full doc + example.
+ */
+declare function defineAuthRbac<const Reg extends ReadonlyArray<ResourceDescriptor>>(resources: Reg): TypedGuards<Reg[number]["resource"]>;
+export { Action, type ActiveCompany, AuthRbacFetcher, AuthRbacProvider, type AuthRbacProviderProps, Can, type CanProps, CompanyMembership, FrontendConfig, RequirePermission, type RequirePermissionProps, ResourceDescriptor, ResourceRegistry, type TypedGuards, UserProfile, defineAuthRbac, useActiveCompany, useAuthRbac, useCan, useFrontendConfig };

package/dist/react/index.js ADDED Viewed

@@ -0,0 +1,227 @@
+import {
+  createHttpFetcher,
+  createSupabaseFetcher
+} from "../chunk-BRCJUCDG.js";
+import {
+  buildPermissionResolver
+} from "../chunk-4WTV6J44.js";
+// src/react/AuthRbacProvider.tsx
+import {
+  createContext,
+  useCallback,
+  useContext,
+  useEffect,
+  useMemo,
+  useState
+} from "react";
+import { jsx } from "react/jsx-runtime";
+var AuthRbacContext = createContext(null);
+var STORAGE_KEY = "auth-rbac:active-company";
+var defaultPersist = (id) => {
+  if (typeof window === "undefined") {
+    return;
+  }
+  try {
+    if (id == null) {
+      window.localStorage.removeItem(STORAGE_KEY);
+    } else {
+      window.localStorage.setItem(STORAGE_KEY, id);
+    }
+  } catch {
+  }
+};
+var readPersisted = () => {
+  if (typeof window === "undefined") {
+    return null;
+  }
+  try {
+    return window.localStorage.getItem(STORAGE_KEY);
+  } catch {
+    return null;
+  }
+};
+function AuthRbacProvider(props) {
+  const { fetcher, resources, initialCompanyId, persistActiveCompany } = props;
+  const [profile, setProfile] = useState(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const [activeCompanyId, setActiveCompanyState] = useState(
+    initialCompanyId ?? readPersisted()
+  );
+  const persist = useMemo(() => {
+    if (persistActiveCompany === false) {
+      return () => {
+      };
+    }
+    return persistActiveCompany ?? defaultPersist;
+  }, [persistActiveCompany]);
+  const setActiveCompany = useCallback(
+    (id) => {
+      setActiveCompanyState(id);
+      persist(id);
+    },
+    [persist]
+  );
+  const refresh = useCallback(async () => {
+    setLoading(true);
+    setError(null);
+    try {
+      const next = await fetcher.fetchProfile();
+      setProfile(next);
+      const stillMember = activeCompanyId != null && next.memberships.some((m) => m.company_id === activeCompanyId);
+      if (!stillMember) {
+        const fallback = next.memberships[0]?.company_id ?? null;
+        setActiveCompanyState(fallback);
+        persist(fallback);
+      }
+    } catch (e) {
+      setError(e instanceof Error ? e : new Error(String(e)));
+    } finally {
+      setLoading(false);
+    }
+  }, [fetcher]);
+  useEffect(() => {
+    void refresh();
+  }, [refresh]);
+  const resolver = useMemo(() => {
+    if (profile == null) {
+      return {
+        can: () => false,
+        activePermissions: () => ({}),
+        systemPermissions: () => ({})
+      };
+    }
+    return buildPermissionResolver(resources, profile, activeCompanyId);
+  }, [profile, resources, activeCompanyId]);
+  const value = useMemo(
+    () => ({
+      profile,
+      loading,
+      error,
+      resources,
+      activeCompanyId,
+      setActiveCompany,
+      refresh,
+      resolver
+    }),
+    [
+      profile,
+      loading,
+      error,
+      resources,
+      activeCompanyId,
+      setActiveCompany,
+      refresh,
+      resolver
+    ]
+  );
+  return /* @__PURE__ */ jsx(AuthRbacContext.Provider, { value, children: props.children });
+}
+function useAuthRbac() {
+  const ctx = useContext(AuthRbacContext);
+  if (!ctx) {
+    throw new Error(
+      "useAuthRbac must be used within an <AuthRbacProvider> \u2014 wrap your app at the root."
+    );
+  }
+  return ctx;
+}
+// src/react/useCan.ts
+function useCan(resource, action, options) {
+  const { resolver } = useAuthRbac();
+  return resolver.can(resource, action, options);
+}
+// src/react/Can.tsx
+import { Fragment, jsx as jsx2 } from "react/jsx-runtime";
+function Can(props) {
+  const { resource, action, companyId, children, fallback = null } = props;
+  const allowed = useCan(resource, action, { companyId });
+  return /* @__PURE__ */ jsx2(Fragment, { children: allowed ? children : fallback });
+}
+// src/react/RequirePermission.tsx
+import { Fragment as Fragment2, jsx as jsx3 } from "react/jsx-runtime";
+function RequirePermission(props) {
+  const {
+    resource,
+    action,
+    companyId,
+    loadingFallback = null,
+    deniedFallback = /* @__PURE__ */ jsx3("div", { role: "alert", style: { padding: 24 }, children: /* @__PURE__ */ jsx3("strong", { children: "Sie haben keinen Zugriff." }) }),
+    children = null
+  } = props;
+  const { profile, loading } = useAuthRbac();
+  const allowed = useCan(resource, action, { companyId });
+  if (loading || profile == null) {
+    return /* @__PURE__ */ jsx3(Fragment2, { children: loadingFallback });
+  }
+  if (!allowed) {
+    return /* @__PURE__ */ jsx3(Fragment2, { children: deniedFallback });
+  }
+  return /* @__PURE__ */ jsx3(Fragment2, { children });
+}
+// src/react/useActiveCompany.ts
+import { useMemo as useMemo2 } from "react";
+function useActiveCompany() {
+  const { profile, activeCompanyId, setActiveCompany } = useAuthRbac();
+  return useMemo2(() => {
+    const memberships = profile?.memberships ?? [];
+    const membership = memberships.find((m) => m.company_id === activeCompanyId) ?? null;
+    return {
+      id: activeCompanyId,
+      membership,
+      memberships,
+      setActive: setActiveCompany
+    };
+  }, [profile, activeCompanyId, setActiveCompany]);
+}
+// src/react/useFrontendConfig.ts
+import { useMemo as useMemo3 } from "react";
+function useFrontendConfig() {
+  const { profile, activeCompanyId } = useAuthRbac();
+  return useMemo3(() => {
+    if (!profile) {
+      return {};
+    }
+    const membershipConfig = profile.memberships.find((m) => m.company_id === activeCompanyId)?.frontend_config ?? {};
+    return { ...profile.system_frontend_config, ...membershipConfig };
+  }, [profile, activeCompanyId]);
+}
+// src/define.ts
+function defineAuthRbac(resources, runtime) {
+  return {
+    useCan: runtime.useCan,
+    Can: runtime.Can,
+    RequirePermission: runtime.RequirePermission,
+    resources,
+    resourceNames: resources.map((r) => r.resource)
+  };
+}
+// src/react/index.ts
+function defineAuthRbac2(resources) {
+  return defineAuthRbac(resources, {
+    useCan,
+    Can,
+    RequirePermission
+  });
+}
+export {
+  AuthRbacProvider,
+  Can,
+  RequirePermission,
+  createHttpFetcher,
+  createSupabaseFetcher,
+  defineAuthRbac2 as defineAuthRbac,
+  useActiveCompany,
+  useAuthRbac,
+  useCan,
+  useFrontendConfig
+};
+//# sourceMappingURL=index.js.map

package/dist/react/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/react/AuthRbacProvider.tsx","../../src/react/useCan.ts","../../src/react/Can.tsx","../../src/react/RequirePermission.tsx","../../src/react/useActiveCompany.ts","../../src/react/useFrontendConfig.ts","../../src/define.ts","../../src/react/index.ts"],"sourcesContent":["import {\n createContext,\n useCallback,\n useContext,\n useEffect,\n useMemo,\n useState,\n type ReactNode,\n} from \"react\";\n\nimport {\n buildPermissionResolver,\n type AuthRbacClient,\n} from \"../client.js\";\nimport type {\n AuthRbacFetcher,\n PermissionMap,\n ResourceRegistry,\n UserProfile,\n} from \"../types.js\";\n\ninterface AuthRbacContextValue {\n /**\n * `null` means we haven't hydrated yet. Components should treat\n * the not-loaded state as \"no permissions\" (fail-closed).\n */\n profile: UserProfile | null;\n loading: boolean;\n error: Error | null;\n resources: ResourceRegistry;\n activeCompanyId: string | null;\n setActiveCompany: (id: string | null) => void;\n refresh: () => Promise<void>;\n resolver: AuthRbacClient;\n}\n\nconst AuthRbacContext = createContext<AuthRbacContextValue | null>(null);\n\nexport interface AuthRbacProviderProps {\n fetcher: AuthRbacFetcher;\n resources: ResourceRegistry;\n /**\n * Initial active company. Common patterns:\n * - read from URL query/path\n * - read from localStorage\n * - omit and let the user pick from the switcher\n */\n initialCompanyId?: string | null;\n /**\n * Persistence hook. Called every time the active company changes.\n * Default: writes to `localStorage` under\n * `auth-rbac:active-company`. Pass `false` to disable.\n */\n persistActiveCompany?:\n | ((id: string | null) => void)\n | false;\n children: ReactNode;\n}\n\nconst STORAGE_KEY = \"auth-rbac:active-company\";\n\nconst defaultPersist = (id: string | null) => {\n if (typeof window === \"undefined\") {\n return;\n }\n try {\n if (id == null) {\n window.localStorage.removeItem(STORAGE_KEY);\n } else {\n window.localStorage.setItem(STORAGE_KEY, id);\n }\n } catch {\n // localStorage may be unavailable (private browsing, SSR) —\n // fall back to in-memory only.\n }\n};\n\nconst readPersisted = (): string | null => {\n if (typeof window === \"undefined\") {\n return null;\n }\n try {\n return window.localStorage.getItem(STORAGE_KEY);\n } catch {\n return null;\n }\n};\n\nexport function AuthRbacProvider(props: AuthRbacProviderProps) {\n const { fetcher, resources, initialCompanyId, persistActiveCompany } = props;\n\n const [profile, setProfile] = useState<UserProfile | null>(null);\n const [loading, setLoading] = useState(true);\n const [error, setError] = useState<Error | null>(null);\n\n const [activeCompanyId, setActiveCompanyState] = useState<string | null>(\n initialCompanyId ?? readPersisted(),\n );\n\n const persist = useMemo(() => {\n if (persistActiveCompany === false) {\n return () => {};\n }\n return persistActiveCompany ?? defaultPersist;\n }, [persistActiveCompany]);\n\n const setActiveCompany = useCallback(\n (id: string | null) => {\n setActiveCompanyState(id);\n persist(id);\n },\n [persist],\n );\n\n const refresh = useCallback(async () => {\n setLoading(true);\n setError(null);\n try {\n const next = await fetcher.fetchProfile();\n setProfile(next);\n // If the persisted company isn't a membership, fall back to\n // the first one (or null for users with no memberships).\n const stillMember =\n activeCompanyId != null &&\n next.memberships.some((m) => m.company_id === activeCompanyId);\n if (!stillMember) {\n const fallback =\n next.memberships[0]?.company_id ?? null;\n setActiveCompanyState(fallback);\n persist(fallback);\n }\n } catch (e) {\n setError(e instanceof Error ? e : new Error(String(e)));\n } finally {\n setLoading(false);\n }\n // eslint-disable-next-line react-hooks/exhaustive-deps\n }, [fetcher]);\n\n useEffect(() => {\n void refresh();\n }, [refresh]);\n\n const resolver = useMemo<AuthRbacClient>(() => {\n if (profile == null) {\n // Empty resolver until the profile lands. Always returns\n // false → guards fall through to the unauthenticated branch.\n return {\n can: () => false,\n activePermissions: () => ({}) as PermissionMap,\n systemPermissions: () => ({}) as PermissionMap,\n };\n }\n return buildPermissionResolver(resources, profile, activeCompanyId);\n }, [profile, resources, activeCompanyId]);\n\n const value = useMemo<AuthRbacContextValue>(\n () => ({\n profile,\n loading,\n error,\n resources,\n activeCompanyId,\n setActiveCompany,\n refresh,\n resolver,\n }),\n [\n profile,\n loading,\n error,\n resources,\n activeCompanyId,\n setActiveCompany,\n refresh,\n resolver,\n ],\n );\n\n return (\n <AuthRbacContext.Provider value={value}>\n {props.children}\n </AuthRbacContext.Provider>\n );\n}\n\nexport function useAuthRbac(): AuthRbacContextValue {\n const ctx = useContext(AuthRbacContext);\n if (!ctx) {\n throw new Error(\n \"useAuthRbac must be used within an <AuthRbacProvider> — wrap your app at the root.\",\n );\n }\n return ctx;\n}\n","import type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Boolean permission check.\n *\n * @example\n * const canEdit = useCan(\"properties\", \"update\");\n * <Button disabled={!canEdit}>Speichern</Button>\n *\n * @example explicitly target a non-active company\n * const canRead = useCan(\"payments\", \"read\", { companyId: targetId });\n */\nexport function useCan(\n resource: string,\n action: Action,\n options?: CanOptions,\n): boolean {\n const { resolver } = useAuthRbac();\n return resolver.can(resource, action, options);\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useCan } from \"./useCan.js\";\n\nexport interface CanProps extends CanOptions {\n resource: string;\n action: Action;\n /** Rendered when the user has the permission. */\n children: ReactNode;\n /**\n * Rendered when the user does NOT have the permission. Defaults\n * to `null` (silent hide). Pass a `<NoPermissionView />` or a\n * tooltip-wrapper to surface the denial explicitly.\n */\n fallback?: ReactNode;\n}\n\n/**\n * Subtree gate. Bails before children render so any data fetching\n * inside `children` is skipped for users without permission.\n */\nexport function Can(props: CanProps) {\n const { resource, action, companyId, children, fallback = null } = props;\n const allowed = useCan(resource, action, { companyId });\n return <>{allowed ? children : fallback}</>;\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\nimport { useCan } from \"./useCan.js\";\n\nexport interface RequirePermissionProps extends CanOptions {\n resource: string;\n action: Action;\n /**\n * What to render while the profile is still loading. Defaults to\n * `null` (no flash) — pass a spinner if your routes typically\n * mount before the profile lands.\n */\n loadingFallback?: ReactNode;\n /**\n * What to render when access is denied. Defaults to a minimal\n * \"Sie haben keinen Zugriff\" message; pass your own component to\n * theme it.\n */\n deniedFallback?: ReactNode;\n /**\n * For `react-router-dom v6` route-element usage, pass an `<Outlet />`\n * here — the gate resolves to either the outlet or the denied\n * fallback. For component-tree usage, pass any children.\n */\n children?: ReactNode;\n}\n\n/**\n * Route- or component-level guard. Three render branches:\n *\n * - profile not yet loaded → `loadingFallback`\n * - permission denied → `deniedFallback`\n * - permission granted → `children`\n *\n * Drop-in replacement for the legacy `<RequireRolesRoute>` pattern.\n *\n * @example\n * // App.tsx route table\n * <Route element={\n * <RequirePermission resource=\"payments\" action=\"read\">\n * <Outlet />\n * </RequirePermission>\n * }>\n * <Route path=\"/payments\" element={<PaymentsPage />} />\n * </Route>\n */\nexport function RequirePermission(props: RequirePermissionProps) {\n const {\n resource,\n action,\n companyId,\n loadingFallback = null,\n deniedFallback = (\n <div role=\"alert\" style={{ padding: 24 }}>\n <strong>Sie haben keinen Zugriff.</strong>\n </div>\n ),\n children = null,\n } = props;\n\n const { profile, loading } = useAuthRbac();\n const allowed = useCan(resource, action, { companyId });\n\n if (loading || profile == null) {\n return <>{loadingFallback}</>;\n }\n if (!allowed) {\n return <>{deniedFallback}</>;\n }\n return <>{children}</>;\n}\n","import { useMemo } from \"react\";\n\nimport type { CompanyMembership } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\nexport interface ActiveCompany {\n id: string | null;\n membership: CompanyMembership | null;\n memberships: CompanyMembership[];\n setActive: (id: string | null) => void;\n}\n\n/**\n * Read + switch the active company.\n *\n * @example\n * const { id, memberships, setActive } = useActiveCompany();\n *\n * return (\n * <select value={id ?? \"\"} onChange={(e) => setActive(e.target.value || null)}>\n * {memberships.map((m) => (\n * <option key={m.company_id} value={m.company_id}>{m.company_name}</option>\n * ))}\n * </select>\n * );\n */\nexport function useActiveCompany(): ActiveCompany {\n const { profile, activeCompanyId, setActiveCompany } = useAuthRbac();\n\n return useMemo(() => {\n const memberships = profile?.memberships ?? [];\n const membership =\n memberships.find((m) => m.company_id === activeCompanyId) ?? null;\n return {\n id: activeCompanyId,\n membership,\n memberships,\n setActive: setActiveCompany,\n };\n }, [profile, activeCompanyId, setActiveCompany]);\n}\n","import { useMemo } from \"react\";\n\nimport type { FrontendConfig } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Reads the merged `frontend_config` for the user. Sources in\n * priority order: active company's membership > system roles. Use\n * this to drive sidebar items, dashboard defaults, and any other\n * \"what should this role see\" UX without hardcoded role checks.\n *\n * The shape is intentionally `Record<string, unknown>` — your host\n * project owns the schema. Document your keys (e.g. `sidebar`,\n * `default_dashboard`) once and stick to them.\n */\nexport function useFrontendConfig(): FrontendConfig {\n const { profile, activeCompanyId } = useAuthRbac();\n return useMemo(() => {\n if (!profile) {\n return {};\n }\n const membershipConfig =\n profile.memberships.find((m) => m.company_id === activeCompanyId)\n ?.frontend_config ?? {};\n return { ...profile.system_frontend_config, ...membershipConfig };\n }, [profile, activeCompanyId]);\n}\n","/**\n * Typed factory — turns a const-asserted resource registry into a\n * set of hooks/components whose `resource` arg is constrained to\n * the registered names. Typos become TypeScript errors instead of\n * silent runtime `false`.\n *\n * @example\n * // src/auth/resources.ts\n * import { defineAuthRbac } from \"snipe-auth-rbac/react\";\n *\n * export const RESOURCES = [\n * { resource: \"properties\", scope: \"company\", label: \"Liegenschaften\", group: \"Stammdaten\" },\n * { resource: \"payments\", scope: \"company\", label: \"Zahlungen\", group: \"Finanzen\" },\n * { resource: \"system_audit\", scope: \"system\", label: \"Audit-Log\", group: \"Plattform\" },\n * ] as const;\n *\n * export const { useCan, Can, RequirePermission } = defineAuthRbac(RESOURCES);\n *\n * // ----- elsewhere -----\n * useCan(\"properties\", \"update\"); // ✓\n * useCan(\"paymetns\", \"update\"); // ✗ TS error: not assignable to type \"properties\" | \"payments\" | \"system_audit\"\n */\n\nimport type { ComponentType, ReactNode } from \"react\";\n\nimport type {\n Action,\n ResourceDescriptor,\n ResourceRegistry,\n} from \"./types.js\";\n\n/**\n * Drop-in replacement signatures for the three guards, with a\n * narrowed `resource` arg.\n */\nexport interface TypedGuards<R extends string> {\n useCan: (\n resource: R,\n action: Action,\n options?: { companyId?: string | null },\n ) => boolean;\n Can: ComponentType<{\n resource: R;\n action: Action;\n companyId?: string | null;\n children: ReactNode;\n fallback?: ReactNode;\n }>;\n RequirePermission: ComponentType<{\n resource: R;\n action: Action;\n companyId?: string | null;\n loadingFallback?: ReactNode;\n deniedFallback?: ReactNode;\n children?: ReactNode;\n }>;\n /** The const-asserted registry, re-exported so call-sites can iterate. */\n resources: ResourceRegistry;\n /** All registered resource names as a union — handy for typing\n * application-side data structures. */\n resourceNames: ReadonlyArray<R>;\n}\n\n/**\n * Factory. Run once at module-init time in your host project; the\n * returned hooks/components are referentially stable.\n */\nexport function defineAuthRbac<\n const Reg extends ReadonlyArray<ResourceDescriptor>,\n>(\n resources: Reg,\n // The runtime guards live in the React entry; we accept them\n // here as plain refs so this module stays React-free at the type\n // level. The `react` entry calls this factory passing its own\n // exports so adopters never see the wiring.\n runtime: {\n useCan: TypedGuards<string>[\"useCan\"];\n Can: TypedGuards<string>[\"Can\"];\n RequirePermission: TypedGuards<string>[\"RequirePermission\"];\n },\n): TypedGuards<Reg[number][\"resource\"]> {\n type R = Reg[number][\"resource\"];\n return {\n useCan: runtime.useCan as TypedGuards<R>[\"useCan\"],\n Can: runtime.Can as TypedGuards<R>[\"Can\"],\n RequirePermission: runtime.RequirePermission as TypedGuards<R>[\"RequirePermission\"],\n resources,\n resourceNames: resources.map((r) => r.resource) as ReadonlyArray<R>,\n };\n}\n","/**\n * React + Next.js entry. Import this in browser code:\n *\n * import { AuthRbacProvider, useCan } from \"snipe-auth-rbac/react\";\n *\n * The non-React entry (`snipe-auth-rbac`) re-exports types and the\n * pure resolver, suitable for Node, edge workers, and tests.\n */\n\nexport {\n AuthRbacProvider,\n useAuthRbac,\n type AuthRbacProviderProps,\n} from \"./AuthRbacProvider.js\";\n\nexport { useCan } from \"./useCan.js\";\nexport { Can, type CanProps } from \"./Can.js\";\nexport {\n RequirePermission,\n type RequirePermissionProps,\n} from \"./RequirePermission.js\";\nexport { useActiveCompany, type ActiveCompany } from \"./useActiveCompany.js\";\nexport { useFrontendConfig } from \"./useFrontendConfig.js\";\n\n// Re-exports for convenience so consumers don't need two imports.\nexport type {\n Action,\n AuthRbacFetcher,\n CompanyMembership,\n FrontendConfig,\n PermissionGrid,\n PermissionMap,\n ResourceDescriptor,\n ResourceRegistry,\n ResourceScope,\n RoleSummary,\n UserProfile,\n} from \"../types.js\";\n\nexport {\n createSupabaseFetcher,\n createHttpFetcher,\n} from \"../fetchers.js\";\n\nimport { defineAuthRbac as _defineAuthRbac } from \"../define.js\";\nimport { Can } from \"./Can.js\";\nimport { RequirePermission } from \"./RequirePermission.js\";\nimport { useCan } from \"./useCan.js\";\n\nimport type { ResourceDescriptor } from \"../types.js\";\nimport type { TypedGuards } from \"../define.js\";\n\n/**\n * Typed factory — pass a const-asserted resource registry and get\n * back guards whose `resource` arg is constrained to the registered\n * names. Recommended at the top of every host project.\n *\n * See ../define.ts for the full doc + example.\n */\nexport function defineAuthRbac<\n const Reg extends ReadonlyArray<ResourceDescriptor>,\n>(resources: Reg): TypedGuards<Reg[number][\"resource\"]> {\n return _defineAuthRbac(resources, {\n useCan,\n Can,\n RequirePermission,\n });\n}\n\nexport type { TypedGuards } from \"../define.js\";\n"],"mappings":";;;;;;;;;AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AA4KH;AAhJJ,IAAM,kBAAkB,cAA2C,IAAI;AAuBvE,IAAM,cAAc;AAEpB,IAAM,iBAAiB,CAAC,OAAsB;AAC5C,MAAI,OAAO,WAAW,aAAa;AACjC;AAAA,EACF;AACA,MAAI;AACF,QAAI,MAAM,MAAM;AACd,aAAO,aAAa,WAAW,WAAW;AAAA,IAC5C,OAAO;AACL,aAAO,aAAa,QAAQ,aAAa,EAAE;AAAA,IAC7C;AAAA,EACF,QAAQ;AAAA,EAGR;AACF;AAEA,IAAM,gBAAgB,MAAqB;AACzC,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO;AAAA,EACT;AACA,MAAI;AACF,WAAO,OAAO,aAAa,QAAQ,WAAW;AAAA,EAChD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,iBAAiB,OAA8B;AAC7D,QAAM,EAAE,SAAS,WAAW,kBAAkB,qBAAqB,IAAI;AAEvE,QAAM,CAAC,SAAS,UAAU,IAAI,SAA6B,IAAI;AAC/D,QAAM,CAAC,SAAS,UAAU,IAAI,SAAS,IAAI;AAC3C,QAAM,CAAC,OAAO,QAAQ,IAAI,SAAuB,IAAI;AAErD,QAAM,CAAC,iBAAiB,qBAAqB,IAAI;AAAA,IAC/C,oBAAoB,cAAc;AAAA,EACpC;AAEA,QAAM,UAAU,QAAQ,MAAM;AAC5B,QAAI,yBAAyB,OAAO;AAClC,aAAO,MAAM;AAAA,MAAC;AAAA,IAChB;AACA,WAAO,wBAAwB;AAAA,EACjC,GAAG,CAAC,oBAAoB,CAAC;AAEzB,QAAM,mBAAmB;AAAA,IACvB,CAAC,OAAsB;AACrB,4BAAsB,EAAE;AACxB,cAAQ,EAAE;AAAA,IACZ;AAAA,IACA,CAAC,OAAO;AAAA,EACV;AAEA,QAAM,UAAU,YAAY,YAAY;AACtC,eAAW,IAAI;AACf,aAAS,IAAI;AACb,QAAI;AACF,YAAM,OAAO,MAAM,QAAQ,aAAa;AACxC,iBAAW,IAAI;AAGf,YAAM,cACJ,mBAAmB,QACnB,KAAK,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe;AAC/D,UAAI,CAAC,aAAa;AAChB,cAAM,WACJ,KAAK,YAAY,CAAC,GAAG,cAAc;AACrC,8BAAsB,QAAQ;AAC9B,gBAAQ,QAAQ;AAAA,MAClB;AAAA,IACF,SAAS,GAAG;AACV,eAAS,aAAa,QAAQ,IAAI,IAAI,MAAM,OAAO,CAAC,CAAC,CAAC;AAAA,IACxD,UAAE;AACA,iBAAW,KAAK;AAAA,IAClB;AAAA,EAEF,GAAG,CAAC,OAAO,CAAC;AAEZ,YAAU,MAAM;AACd,SAAK,QAAQ;AAAA,EACf,GAAG,CAAC,OAAO,CAAC;AAEZ,QAAM,WAAW,QAAwB,MAAM;AAC7C,QAAI,WAAW,MAAM;AAGnB,aAAO;AAAA,QACL,KAAK,MAAM;AAAA,QACX,mBAAmB,OAAO,CAAC;AAAA,QAC3B,mBAAmB,OAAO,CAAC;AAAA,MAC7B;AAAA,IACF;AACA,WAAO,wBAAwB,WAAW,SAAS,eAAe;AAAA,EACpE,GAAG,CAAC,SAAS,WAAW,eAAe,CAAC;AAExC,QAAM,QAAQ;AAAA,IACZ,OAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SACE,oBAAC,gBAAgB,UAAhB,EAAyB,OACvB,gBAAM,UACT;AAEJ;AAEO,SAAS,cAAoC;AAClD,QAAM,MAAM,WAAW,eAAe;AACtC,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;ACnLO,SAAS,OACd,UACA,QACA,SACS;AACT,QAAM,EAAE,SAAS,IAAI,YAAY;AACjC,SAAO,SAAS,IAAI,UAAU,QAAQ,OAAO;AAC/C;;;ACKS,0BAAAA,YAAA;AAHF,SAAS,IAAI,OAAiB;AACnC,QAAM,EAAE,UAAU,QAAQ,WAAW,UAAU,WAAW,KAAK,IAAI;AACnE,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AACtD,SAAO,gBAAAA,KAAA,YAAG,oBAAU,WAAW,UAAS;AAC1C;;;AC8BQ,SAUG,YAAAC,WAVH,OAAAC,YAAA;AARD,SAAS,kBAAkB,OAA+B;AAC/D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,kBAAkB;AAAA,IAClB,iBACE,gBAAAA,KAAC,SAAI,MAAK,SAAQ,OAAO,EAAE,SAAS,GAAG,GACrC,0BAAAA,KAAC,YAAO,uCAAyB,GACnC;AAAA,IAEF,WAAW;AAAA,EACb,IAAI;AAEJ,QAAM,EAAE,SAAS,QAAQ,IAAI,YAAY;AACzC,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AAEtD,MAAI,WAAW,WAAW,MAAM;AAC9B,WAAO,gBAAAA,KAAAD,WAAA,EAAG,2BAAgB;AAAA,EAC5B;AACA,MAAI,CAAC,SAAS;AACZ,WAAO,gBAAAC,KAAAD,WAAA,EAAG,0BAAe;AAAA,EAC3B;AACA,SAAO,gBAAAC,KAAAD,WAAA,EAAG,UAAS;AACrB;;;AC1EA,SAAS,WAAAE,gBAAe;AA2BjB,SAAS,mBAAkC;AAChD,QAAM,EAAE,SAAS,iBAAiB,iBAAiB,IAAI,YAAY;AAEnE,SAAOC,SAAQ,MAAM;AACnB,UAAM,cAAc,SAAS,eAAe,CAAC;AAC7C,UAAM,aACJ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,KAAK;AAC/D,WAAO;AAAA,MACL,IAAI;AAAA,MACJ;AAAA,MACA;AAAA,MACA,WAAW;AAAA,IACb;AAAA,EACF,GAAG,CAAC,SAAS,iBAAiB,gBAAgB,CAAC;AACjD;;;ACzCA,SAAS,WAAAC,gBAAe;AAgBjB,SAAS,oBAAoC;AAClD,QAAM,EAAE,SAAS,gBAAgB,IAAI,YAAY;AACjD,SAAOC,SAAQ,MAAM;AACnB,QAAI,CAAC,SAAS;AACZ,aAAO,CAAC;AAAA,IACV;AACA,UAAM,mBACJ,QAAQ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,GAC5D,mBAAmB,CAAC;AAC1B,WAAO,EAAE,GAAG,QAAQ,wBAAwB,GAAG,iBAAiB;AAAA,EAClE,GAAG,CAAC,SAAS,eAAe,CAAC;AAC/B;;;ACwCO,SAAS,eAGd,WAKA,SAKsC;AAEtC,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,KAAK,QAAQ;AAAA,IACb,mBAAmB,QAAQ;AAAA,IAC3B;AAAA,IACA,eAAe,UAAU,IAAI,CAAC,MAAM,EAAE,QAAQ;AAAA,EAChD;AACF;;;AC9BO,SAASC,gBAEd,WAAsD;AACtD,SAAO,eAAgB,WAAW;AAAA,IAChC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;","names":["jsx","Fragment","jsx","useMemo","useMemo","useMemo","useMemo","defineAuthRbac"]}

package/dist/types-BEc5SCIo.d.cts ADDED Viewed

@@ -0,0 +1,69 @@
+/**
+ * Core types — used by both the transport-agnostic client and the
+ * React layer. Adopters that don't use React only need to depend on
+ * the `index` entry; the `react` entry's types extend these.
+ */
+type Action = "read" | "write" | "update" | "delete";
+type ResourceScope = "system" | "company";
+interface ResourceDescriptor {
+    resource: string;
+    scope: ResourceScope;
+    label: string;
+    description?: string;
+    group?: string;
+}
+interface RoleSummary {
+    id: string;
+    name: string;
+    is_system?: boolean;
+    is_super?: boolean;
+    frontend_config?: FrontendConfig;
+}
+/**
+ * Free-form per-role config that the host project can interpret as
+ * it sees fit. A typical shape includes `sidebar` (list of section
+ * keys), `default_dashboard` (string), `home_route` (string).
+ */
+type FrontendConfig = Record<string, unknown>;
+interface PermissionGrid {
+    read: boolean;
+    write: boolean;
+    update: boolean;
+    delete: boolean;
+}
+type PermissionMap = Record<string, PermissionGrid>;
+interface CompanyMembership {
+    company_id: string;
+    company_name: string;
+    company_slug?: string | null;
+    roles: RoleSummary[];
+    permissions: PermissionMap;
+    /** Merged frontend_config across all roles the user holds in this company. */
+    frontend_config: FrontendConfig;
+}
+interface UserProfile {
+    user_id: string;
+    is_super_admin: boolean;
+    system_roles: RoleSummary[];
+    system_permissions: PermissionMap;
+    /** Merged frontend_config across all of the user's system roles. */
+    system_frontend_config: FrontendConfig;
+    memberships: CompanyMembership[];
+}
+/**
+ * Adopter-supplied transport. Two flavours are supported out of the
+ * box:
+ *
+ *  1. Pass a Supabase client + a JWT-derived `user_id` and the
+ *     library calls the package's SQL RPC `auth_rbac_user_profile`.
+ *  2. Pass a plain `fetcher` (anything that resolves a `UserProfile`)
+ *     and the library calls that. Use this when your backend serves
+ *     a custom `/api/users/me/profile` endpoint or when you don't
+ *     run Supabase at all.
+ */
+interface AuthRbacFetcher {
+    fetchProfile(): Promise<UserProfile>;
+}
+type ResourceRegistry = ReadonlyArray<ResourceDescriptor>;
+export type { Action as A, CompanyMembership as C, FrontendConfig as F, PermissionGrid as P, ResourceScope as R, UserProfile as U, ResourceDescriptor as a, AuthRbacFetcher as b, ResourceRegistry as c, PermissionMap as d, RoleSummary as e };

package/dist/types-BEc5SCIo.d.ts ADDED Viewed

@@ -0,0 +1,69 @@
+/**
+ * Core types — used by both the transport-agnostic client and the
+ * React layer. Adopters that don't use React only need to depend on
+ * the `index` entry; the `react` entry's types extend these.
+ */
+type Action = "read" | "write" | "update" | "delete";
+type ResourceScope = "system" | "company";
+interface ResourceDescriptor {
+    resource: string;
+    scope: ResourceScope;
+    label: string;
+    description?: string;
+    group?: string;
+}
+interface RoleSummary {
+    id: string;
+    name: string;
+    is_system?: boolean;
+    is_super?: boolean;
+    frontend_config?: FrontendConfig;
+}
+/**
+ * Free-form per-role config that the host project can interpret as
+ * it sees fit. A typical shape includes `sidebar` (list of section
+ * keys), `default_dashboard` (string), `home_route` (string).
+ */
+type FrontendConfig = Record<string, unknown>;
+interface PermissionGrid {
+    read: boolean;
+    write: boolean;
+    update: boolean;
+    delete: boolean;
+}
+type PermissionMap = Record<string, PermissionGrid>;
+interface CompanyMembership {
+    company_id: string;
+    company_name: string;
+    company_slug?: string | null;
+    roles: RoleSummary[];
+    permissions: PermissionMap;
+    /** Merged frontend_config across all roles the user holds in this company. */
+    frontend_config: FrontendConfig;
+}
+interface UserProfile {
+    user_id: string;
+    is_super_admin: boolean;
+    system_roles: RoleSummary[];
+    system_permissions: PermissionMap;
+    /** Merged frontend_config across all of the user's system roles. */
+    system_frontend_config: FrontendConfig;
+    memberships: CompanyMembership[];
+}
+/**
+ * Adopter-supplied transport. Two flavours are supported out of the
+ * box:
+ *
+ *  1. Pass a Supabase client + a JWT-derived `user_id` and the
+ *     library calls the package's SQL RPC `auth_rbac_user_profile`.
+ *  2. Pass a plain `fetcher` (anything that resolves a `UserProfile`)
+ *     and the library calls that. Use this when your backend serves
+ *     a custom `/api/users/me/profile` endpoint or when you don't
+ *     run Supabase at all.
+ */
+interface AuthRbacFetcher {
+    fetchProfile(): Promise<UserProfile>;
+}
+type ResourceRegistry = ReadonlyArray<ResourceDescriptor>;
+export type { Action as A, CompanyMembership as C, FrontendConfig as F, PermissionGrid as P, ResourceScope as R, UserProfile as U, ResourceDescriptor as a, AuthRbacFetcher as b, ResourceRegistry as c, PermissionMap as d, RoleSummary as e };