feat: add cerbos access control

2025-09-19 03:28:00 +02:00
parent d322138502
commit 74a9426bcc
41 changed files with 999 additions and 821 deletions
--- a/api/libraries/auth/auth.ts
+++ b/api/libraries/auth/auth.ts
@@ -1,82 +1,21 @@
-import { Auth, ResolvedSession } from "@valkyr/auth";
-import z from "zod";
-
-import { db } from "~stores/read-store/database.ts";
+import { Auth } from "@valkyr/auth";

+import { access } from "./access.ts";
 import { config } from "./config.ts";
+import { principal } from "./principal.ts";
+import { resources } from "./resources.ts";

-export const auth = new Auth(
-  {
-    settings: {
-      algorithm: "RS256",
-      privateKey: config.privateKey,
-      publicKey: config.publicKey,
-      issuer: "http://localhost",
-      audience: "http://localhost",
-    },
-    session: z.object({
-      accountId: z.string(),
-    }),
-    permissions: {} as const,
-    guards: [],
+export const auth = new Auth({
+  principal,
+  resources,
+  access,
+  jwt: {
+    algorithm: "RS256",
+    privateKey: config.privateKey,
+    publicKey: config.publicKey,
+    issuer: "http://localhost",
+    audience: "http://localhost",
  },
-  {
-    roles: {
-      async add(role) {
-        await db.collection("roles").insertOne(role);
-      },
+});

-      async getById(id) {
-        const role = await db.collection("roles").findOne({ id });
-        if (role === null) {
-          return undefined;
-        }
-        return role;
-      },
-
-      async getBySession({ accountId }) {
-        const account = await db.collection("accounts").findOne({ id: accountId });
-        if (account === null) {
-          return [];
-        }
-        return db
-          .collection("roles")
-          .find({ id: { $in: account.roles } })
-          .toArray();
-      },
-
-      async setPermissions() {
-        throw new Error("MongoRolesProvider > .setPermissions is managed by Role aggregate projections");
-      },
-
-      async delete(id) {
-        await db.collection("roles").deleteOne({ id });
-      },
-
-      async assignAccount(roleId: string, accountId: string): Promise<void> {
-        await db.collection("accounts").updateOne(
-          { id: accountId },
-          {
-            $push: {
-              roles: roleId,
-            },
-          },
-        );
-      },
-
-      async removeAccount(roleId: string, accountId: string): Promise<void> {
-        await db.collection("roles").updateOne(
-          { id: accountId },
-          {
-            $pull: {
-              roles: roleId,
-            },
-          },
-        );
-      },
-    },
-  },
-);
-
-export type Session = ResolvedSession<typeof auth>;
-export type Permissions = (typeof auth)["$permissions"];
+export type Session = typeof auth.$session;