feat: encapsulate identity with better-auth

2025-09-25 13:24:32 +02:00
parent 99111b69eb
commit f2ba21a7e3
48 changed files with 718 additions and 766 deletions
--- a/modules/identity/services/access.ts
+++ b/modules/identity/services/access.ts
@@ -0,0 +1,88 @@
+import { cerbos } from "@platform/cerbos";
+
+import { Principal } from "../models/principal.ts";
+
+export function getAccessControlMethods(principal: Principal) {
+  return {
+    /**
+     * Check if a principal is allowed to perform an action on a resource.
+     *
+     * @param resource - Resource which we are validating.
+     * @param action   - Action which we are validating.
+     *
+     * @example
+     *
+     * await access.isAllowed(
+     *   {
+     *     kind: "document",
+     *     id: "1",
+     *     attr: { owner: "user@example.com" },
+     *   },
+     *   "view"
+     * ); // => true
+     */
+    isAllowed(resource: any, action: string) {
+      return cerbos.isAllowed({ principal, resource, action });
+    },
+
+    /**
+     * Check a principal's permissions on a resource.
+     *
+     * @param resource - Resource which we are validating.
+     * @param actions  - Actions which we are validating.
+     *
+     * @example
+     *
+     * const decision = await access.checkResource(
+     *   {
+     *     kind: "document",
+     *     id: "1",
+     *     attr: { owner: "user@example.com" },
+     *   },
+     *   ["view", "edit"],
+     * );
+     *
+     * decision.isAllowed("view"); // => true
+     */
+    checkResource(resource: any, actions: string[]) {
+      return cerbos.checkResource({ principal, resource, actions });
+    },
+
+    /**
+     * Check a principal's permissions on a set of resources.
+     *
+     * @param resources - Resources which we are validating.
+     *
+     * @example
+     *
+     * const decision = await access.checkResources([
+     *   {
+     *     resource: {
+     *       kind: "document",
+     *       id: "1",
+     *       attr: { owner: "user@example.com" },
+     *     },
+     *     actions: ["view", "edit"],
+     *   },
+     *   {
+     *     resource: {
+     *       kind: "image",
+     *       id: "1",
+     *       attr: { owner: "user@example.com" },
+     *     },
+     *     actions: ["delete"],
+     *   },
+     * ]);
+     *
+     * decision.isAllowed({
+     *   resource: { kind: "document", id: "1" },
+     *   action: "view",
+     * }); // => true
+     */
+    checkResources(resources: { resource: any; actions: string[] }[]) {
+      return cerbos.checkResources({ principal, resources });
+    },
+  };
+}
+
+export type AccessControlMethods = ReturnType<typeof getAccessControlMethods>;