boilerplate/modules/identity/services/access.ts

import { cerbos } from "@platform/cerbos";

import type { Principal } from "../models/principal.ts";

export function getAccessControlMethods(principal: Principal) {
  return {
    /**
     * Check if a principal is allowed to perform an action on a resource.
     *
     * @param resource - Resource which we are validating.
     * @param action   - Action which we are validating.
     *
     * @example
     *
     * await access.isAllowed(
     *   {
     *     kind: "document",
     *     id: "1",
     *     attr: { owner: "user@example.com" },
     *   },
     *   "view"
     * ); // => true
     */
    isAllowed(resource: any, action: string) {
      return cerbos.isAllowed({ principal, resource, action });
    },

    /**
     * Check a principal's permissions on a resource.
     *
     * @param resource - Resource which we are validating.
     * @param actions  - Actions which we are validating.
     *
     * @example
     *
     * const decision = await access.checkResource(
     *   {
     *     kind: "document",
     *     id: "1",
     *     attr: { owner: "user@example.com" },
     *   },
     *   ["view", "edit"],
     * );
     *
     * decision.isAllowed("view"); // => true
     */
    checkResource(resource: any, actions: string[]) {
      return cerbos.checkResource({ principal, resource, actions });
    },

    /**
     * Check a principal's permissions on a set of resources.
     *
     * @param resources - Resources which we are validating.
     *
     * @example
     *
     * const decision = await access.checkResources([
     *   {
     *     resource: {
     *       kind: "document",
     *       id: "1",
     *       attr: { owner: "user@example.com" },
     *     },
     *     actions: ["view", "edit"],
     *   },
     *   {
     *     resource: {
     *       kind: "image",
     *       id: "1",
     *       attr: { owner: "user@example.com" },
     *     },
     *     actions: ["delete"],
     *   },
     * ]);
     *
     * decision.isAllowed({
     *   resource: { kind: "document", id: "1" },
     *   action: "view",
     * }); // => true
     */
    checkResources(resources: { resource: any; actions: string[] }[]) {
      return cerbos.checkResources({ principal, resources });
    },
  };
}

export type AccessControlMethods = ReturnType<typeof getAccessControlMethods>;