feat: modular domain driven boilerplate

modules/identity/auth/access.ts

@@ -0,0 +1,89 @@
+import { cerbos } from "@platform/cerbos/client.ts";
+import { Resource } from "@platform/cerbos/resources.ts";
+
+import type { Principal } from "./principal.ts";
+
+export function access(principal: Principal) {
+  return {
+    /**
+     * Check if a principal is allowed to perform an action on a resource.
+     *
+     * @param resource - Resource which we are validating.
+     * @param action   - Action which we are validating.
+     *
+     * @example
+     *
+     * await access.isAllowed(
+     *   {
+     *     kind: "document",
+     *     id: "1",
+     *     attr: { owner: "user@example.com" },
+     *   },
+     *   "view"
+     * ); // => true
+     */
+    isAllowed(resource: Resource, action: string) {
+      return cerbos.isAllowed({ principal, resource, action });
+    },
+
+    /**
+     * Check a principal's permissions on a resource.
+     *
+     * @param resource - Resource which we are validating.
+     * @param actions  - Actions which we are validating.
+     *
+     * @example
+     *
+     * const decision = await access.checkResource(
+     *   {
+     *     kind: "document",
+     *     id: "1",
+     *     attr: { owner: "user@example.com" },
+     *   },
+     *   ["view", "edit"],
+     * );
+     *
+     * decision.isAllowed("view"); // => true
+     */
+    checkResource(resource: Resource, actions: string[]) {
+      return cerbos.checkResource({ principal, resource, actions });
+    },
+
+    /**
+     * Check a principal's permissions on a set of resources.
+     *
+     * @param resources - Resources which we are validating.
+     *
+     * @example
+     *
+     * const decision = await access.checkResources([
+     *   {
+     *     resource: {
+     *       kind: "document",
+     *       id: "1",
+     *       attr: { owner: "user@example.com" },
+     *     },
+     *     actions: ["view", "edit"],
+     *   },
+     *   {
+     *     resource: {
+     *       kind: "image",
+     *       id: "1",
+     *       attr: { owner: "user@example.com" },
+     *     },
+     *     actions: ["delete"],
+     *   },
+     * ]);
+     *
+     * decision.isAllowed({
+     *   resource: { kind: "document", id: "1" },
+     *   action: "view",
+     * }); // => true
+     */
+    checkResources(resources: { resource: Resource; actions: string[] }[]) {
+      return cerbos.checkResources({ principal, resources });
+    },
+  };
+}
+
+export type Access = ReturnType<typeof access>;

modules/identity/auth/jwt.ts

@@ -0,0 +1,9 @@
+import { config } from "../config.ts";
+
+export const jwt = {
+  algorithm: "RS256",
+  privateKey: config.auth.privateKey,
+  publicKey: config.auth.publicKey,
+  issuer: "http://localhost",
+  audience: "http://localhost",
+};

modules/identity/auth/principal.ts

@@ -0,0 +1,32 @@
+import { HttpAdapter, makeClient } from "@platform/relay";
+import { PrincipalProvider } from "@valkyr/auth";
+
+import { config } from "../config.ts";
+import resolve from "../routes/identities/resolve/spec.ts";
+import { RoleSchema } from "../schemas/role.ts";
+
+export const identity = makeClient(
+  {
+    adapter: new HttpAdapter({
+      url: config.url,
+    }),
+  },
+  {
+    resolve: resolve.crypto({
+      publicKey: config.internal.publicKey,
+    }),
+  },
+);
+
+export const principal = new PrincipalProvider(RoleSchema, {}, async function (id: string) {
+  const response = await identity.resolve({ params: { id } });
+  if ("data" in response) {
+    return {
+      id,
+      roles: response.data.roles,
+      attributes: {},
+    };
+  }
+});
+
+export type Principal = typeof principal.$principal;