snipe-auth-rbac 0.3.1 → 0.4.0

package/dist/chunk-NRDW233A.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/fetchers.ts"],"sourcesContent":["/**\n * Built-in fetchers — adopters can use these or pass their own\n * implementation of `AuthRbacFetcher`.\n */\n\nimport type { AuthRbacFetcher, UserProfile } from \"./types.js\";\n\n/**\n * Calls the package's SQL function `rbac.user_profile(uuid)` via\n * a Supabase JS client. Easiest path when the host project already\n * uses Supabase.\n *\n * The function lives in the dedicated `rbac` Postgres schema, so the\n * adopter must add `rbac` to their PostgREST exposed-schemas list\n * (Supabase Studio → Settings → API → Exposed schemas) for the\n * `.schema('rbac')` call below to reach it.\n *\n * @example\n * createSupabaseFetcher({ supabase, userId: session.user.id })\n */\nexport function createSupabaseFetcher(opts: {\n  supabase: {\n    schema: (name: string) => {\n      rpc: (\n        fn: string,\n        args: Record<string, unknown>,\n      ) => Promise<{ data: unknown; error: { message: string } | null }>;\n    };\n  };\n  userId: string;\n}): AuthRbacFetcher {\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const { data, error } = await opts.supabase.schema(\"rbac\").rpc(\n        \"user_profile\",\n        { p_user_id: opts.userId },\n      );\n      if (error) {\n        throw new Error(\n          `auth-rbac: failed to load user profile via Supabase RPC: ${error.message}`,\n        );\n      }\n      return normalizeProfile(data);\n    },\n  };\n}\n\n/**\n * Cheap probe — returns true if the package's `rbac` schema looks\n * reachable. Useful at app start to fail loudly if the migration\n * hasn't been applied OR if `rbac` isn't in the project's PostgREST\n * exposed-schemas list.\n *\n * @example\n * if (!(await detectRbacSchema(supabase))) {\n *   console.error(\"rbac schema not reachable — apply 0001_initial.sql\");\n * }\n */\nexport async function detectRbacSchema(supabase: {\n  schema: (name: string) => {\n    rpc: (\n      fn: string,\n      args: Record<string, unknown>,\n    ) => Promise<{ data: unknown; error: { message: string } | null }>;\n  };\n}): Promise<boolean> {\n  try {\n    const { error } = await supabase.schema(\"rbac\").rpc(\"user_can\", {\n      p_user_id: \"00000000-0000-0000-0000-000000000000\",\n      p_resource: \"__rbac_self_check__\",\n      p_action: \"read\",\n      p_company_id: null,\n    });\n    return error === null;\n  } catch {\n    return false;\n  }\n}\n\n/**\n * Calls a regular HTTP endpoint that returns a `UserProfile` JSON\n * payload. Use this when the host project has its own backend that\n * wraps the package's Python helpers (or any equivalent).\n *\n * @example\n * createHttpFetcher({ url: \"/api/users/me/profile\" })\n */\nexport function createHttpFetcher(opts: {\n  url: string;\n  /** Forwarded as-is to `fetch`. Use this to attach auth headers. */\n  init?: RequestInit;\n  /** Override the global `fetch` if you're in a non-browser env. */\n  fetch?: typeof fetch;\n}): AuthRbacFetcher {\n  const fetchImpl = opts.fetch ?? globalThis.fetch;\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const res = await fetchImpl(opts.url, opts.init);\n      if (!res.ok) {\n        throw new Error(\n          `auth-rbac: profile endpoint ${opts.url} returned ${res.status}`,\n        );\n      }\n      const json = (await res.json()) as unknown;\n      return normalizeProfile(json);\n    },\n  };\n}\n\n/**\n * Defensive normalisation: the Supabase RPC returns whatever the SQL\n * function emitted. We coerce missing fields into the empty defaults\n * so consumers can iterate without null checks. Throws if the shape\n * is unrecognisable.\n */\nfunction normalizeProfile(raw: unknown): UserProfile {\n  if (!raw || typeof raw !== \"object\") {\n    throw new Error(\"auth-rbac: profile payload is not an object\");\n  }\n  const p = raw as Partial<UserProfile> & Record<string, unknown>;\n  if (typeof p.user_id !== \"string\") {\n    throw new Error(\"auth-rbac: profile payload missing user_id\");\n  }\n  return {\n    user_id: p.user_id,\n    is_super_admin: !!p.is_super_admin,\n    system_roles: Array.isArray(p.system_roles) ? p.system_roles : [],\n    system_permissions:\n      p.system_permissions && typeof p.system_permissions === \"object\"\n        ? (p.system_permissions as UserProfile[\"system_permissions\"])\n        : {},\n    system_frontend_config:\n      p.system_frontend_config && typeof p.system_frontend_config === \"object\"\n        ? (p.system_frontend_config as UserProfile[\"system_frontend_config\"])\n        : {},\n    memberships: Array.isArray(p.memberships)\n      ? (p.memberships as UserProfile[\"memberships\"])\n      : [],\n  };\n}\n"],"mappings":";AAoBO,SAAS,sBAAsB,MAUlB;AAClB,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAAS,OAAO,MAAM,EAAE;AAAA,QACzD;AAAA,QACA,EAAE,WAAW,KAAK,OAAO;AAAA,MAC3B;AACA,UAAI,OAAO;AACT,cAAM,IAAI;AAAA,UACR,4DAA4D,MAAM,OAAO;AAAA,QAC3E;AAAA,MACF;AACA,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAaA,eAAsB,iBAAiB,UAOlB;AACnB,MAAI;AACF,UAAM,EAAE,MAAM,IAAI,MAAM,SAAS,OAAO,MAAM,EAAE,IAAI,YAAY;AAAA,MAC9D,WAAW;AAAA,MACX,YAAY;AAAA,MACZ,UAAU;AAAA,MACV,cAAc;AAAA,IAChB,CAAC;AACD,WAAO,UAAU;AAAA,EACnB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAUO,SAAS,kBAAkB,MAMd;AAClB,QAAM,YAAY,KAAK,SAAS,WAAW;AAC3C,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,MAAM,MAAM,UAAU,KAAK,KAAK,KAAK,IAAI;AAC/C,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,IAAI;AAAA,UACR,+BAA+B,KAAK,GAAG,aAAa,IAAI,MAAM;AAAA,QAChE;AAAA,MACF;AACA,YAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAQA,SAAS,iBAAiB,KAA2B;AACnD,MAAI,CAAC,OAAO,OAAO,QAAQ,UAAU;AACnC,UAAM,IAAI,MAAM,6CAA6C;AAAA,EAC/D;AACA,QAAM,IAAI;AACV,MAAI,OAAO,EAAE,YAAY,UAAU;AACjC,UAAM,IAAI,MAAM,4CAA4C;AAAA,EAC9D;AACA,SAAO;AAAA,IACL,SAAS,EAAE;AAAA,IACX,gBAAgB,CAAC,CAAC,EAAE;AAAA,IACpB,cAAc,MAAM,QAAQ,EAAE,YAAY,IAAI,EAAE,eAAe,CAAC;AAAA,IAChE,oBACE,EAAE,sBAAsB,OAAO,EAAE,uBAAuB,WACnD,EAAE,qBACH,CAAC;AAAA,IACP,wBACE,EAAE,0BAA0B,OAAO,EAAE,2BAA2B,WAC3D,EAAE,yBACH,CAAC;AAAA,IACP,aAAa,MAAM,QAAQ,EAAE,WAAW,IACnC,EAAE,cACH,CAAC;AAAA,EACP;AACF;","names":[]}

package/dist/types-DxvFudPF.d.cts

@@ -1,69 +0,0 @@
-/**
- * Core types — used by both the transport-agnostic client and the
- * React layer. Adopters that don't use React only need to depend on
- * the `index` entry; the `react` entry's types extend these.
- */
-type Action = "read" | "write" | "update" | "delete";
-type ResourceScope = "system" | "company";
-interface ResourceDescriptor {
-    resource: string;
-    scope: ResourceScope;
-    label: string;
-    description?: string;
-    group?: string;
-}
-interface RoleSummary {
-    id: string;
-    name: string;
-    is_system?: boolean;
-    is_super?: boolean;
-    frontend_config?: FrontendConfig;
-}
-/**
- * Free-form per-role config that the host project can interpret as
- * it sees fit. A typical shape includes `sidebar` (list of section
- * keys), `default_dashboard` (string), `home_route` (string).
- */
-type FrontendConfig = Record<string, unknown>;
-interface PermissionGrid {
-    read: boolean;
-    write: boolean;
-    update: boolean;
-    delete: boolean;
-}
-type PermissionMap = Record<string, PermissionGrid>;
-interface CompanyMembership {
-    company_id: string;
-    company_name: string;
-    company_slug?: string | null;
-    roles: RoleSummary[];
-    permissions: PermissionMap;
-    /** Merged frontend_config across all roles the user holds in this company. */
-    frontend_config: FrontendConfig;
-}
-interface UserProfile {
-    user_id: string;
-    is_super_admin: boolean;
-    system_roles: RoleSummary[];
-    system_permissions: PermissionMap;
-    /** Merged frontend_config across all of the user's system roles. */
-    system_frontend_config: FrontendConfig;
-    memberships: CompanyMembership[];
-}
-/**
- * Adopter-supplied transport. Two flavours are supported out of the
- * box:
- *
- *  1. Pass a Supabase client + a JWT-derived `user_id` and the
- *     library calls the package's SQL RPC `rbac.user_profile`.
- *  2. Pass a plain `fetcher` (anything that resolves a `UserProfile`)
- *     and the library calls that. Use this when your backend serves
- *     a custom `/api/users/me/profile` endpoint or when you don't
- *     run Supabase at all.
- */
-interface AuthRbacFetcher {
-    fetchProfile(): Promise<UserProfile>;
-}
-type ResourceRegistry = ReadonlyArray<ResourceDescriptor>;
-
-export type { Action as A, CompanyMembership as C, FrontendConfig as F, PermissionGrid as P, ResourceScope as R, UserProfile as U, ResourceDescriptor as a, AuthRbacFetcher as b, ResourceRegistry as c, PermissionMap as d, RoleSummary as e };

package/dist/types-DxvFudPF.d.ts

@@ -1,69 +0,0 @@
-/**
- * Core types — used by both the transport-agnostic client and the
- * React layer. Adopters that don't use React only need to depend on
- * the `index` entry; the `react` entry's types extend these.
- */
-type Action = "read" | "write" | "update" | "delete";
-type ResourceScope = "system" | "company";
-interface ResourceDescriptor {
-    resource: string;
-    scope: ResourceScope;
-    label: string;
-    description?: string;
-    group?: string;
-}
-interface RoleSummary {
-    id: string;
-    name: string;
-    is_system?: boolean;
-    is_super?: boolean;
-    frontend_config?: FrontendConfig;
-}
-/**
- * Free-form per-role config that the host project can interpret as
- * it sees fit. A typical shape includes `sidebar` (list of section
- * keys), `default_dashboard` (string), `home_route` (string).
- */
-type FrontendConfig = Record<string, unknown>;
-interface PermissionGrid {
-    read: boolean;
-    write: boolean;
-    update: boolean;
-    delete: boolean;
-}
-type PermissionMap = Record<string, PermissionGrid>;
-interface CompanyMembership {
-    company_id: string;
-    company_name: string;
-    company_slug?: string | null;
-    roles: RoleSummary[];
-    permissions: PermissionMap;
-    /** Merged frontend_config across all roles the user holds in this company. */
-    frontend_config: FrontendConfig;
-}
-interface UserProfile {
-    user_id: string;
-    is_super_admin: boolean;
-    system_roles: RoleSummary[];
-    system_permissions: PermissionMap;
-    /** Merged frontend_config across all of the user's system roles. */
-    system_frontend_config: FrontendConfig;
-    memberships: CompanyMembership[];
-}
-/**
- * Adopter-supplied transport. Two flavours are supported out of the
- * box:
- *
- *  1. Pass a Supabase client + a JWT-derived `user_id` and the
- *     library calls the package's SQL RPC `rbac.user_profile`.
- *  2. Pass a plain `fetcher` (anything that resolves a `UserProfile`)
- *     and the library calls that. Use this when your backend serves
- *     a custom `/api/users/me/profile` endpoint or when you don't
- *     run Supabase at all.
- */
-interface AuthRbacFetcher {
-    fetchProfile(): Promise<UserProfile>;
-}
-type ResourceRegistry = ReadonlyArray<ResourceDescriptor>;
-
-export type { Action as A, CompanyMembership as C, FrontendConfig as F, PermissionGrid as P, ResourceScope as R, UserProfile as U, ResourceDescriptor as a, AuthRbacFetcher as b, ResourceRegistry as c, PermissionMap as d, RoleSummary as e };