import { t as IamClient } from "../../client-0N6XNM6z.js";
import { x as IamEngine } from "../../index-DiOdpz0c.js";
import { t as IamRequest } from "../../request-BouexCSW.js";
import { IamAdminAudit } from "../generic/index.js";

//#region src/server/next/index.d.ts

// NOTE(review): this listing is a bundled `.d.ts` whose generic type arguments
// (`<…>`) were stripped during extraction — e.g. `Promise>`, a bare `Record`,
// and interfaces/functions that document `@template` parameters but show none.
// The declarations below are kept exactly as captured; consult the published
// declaration file for the real type parameters.

/** IamNext.js route handler context with params. */
type RouteContext = {
  params: Promise> | Record;
};

/** IamNext.js App Router route handler signature. */
type RouteHandler = (req: Request, ctx: RouteContext) => Promise;

/** IamNext.js server integration types. Type-only namespace - zero bundle cost. */
declare namespace IamNext {
  /**
   * Describes options for {@link withIamAccess}.
   *
   * Every extractor has a sensible default.
   *
   * @template TScope - Constrains valid scope strings.
   */
  interface IWithAccessOptions {
    /** Extracts the current user ID from the request. */
    // NOTE(review): the default extractor is not visible in this declaration;
    // confirm it derives the ID from a verified source (session cookie, JWT)
    // and not from a client-controlled request header.
    getUserId?: (req: Request) => string | null | Promise;
    /** Extracts environment context (IP, user-agent, etc.) from the request. */
    getEnvironment?: (req: Request) => IamRequest.IEnvironment;
    /** Applies a scope to the access check. */
    scope?: TScope;
    /** Handles thrown errors during evaluation (defaults to 500 JSON). */
    // NOTE(review): what the default 500 JSON body contains (whether
    // `err.message` is echoed to the client) is not visible here — confirm
    // before serving untrusted clients.
    onError?: (err: Error, req: Request) => Response;
  }

  /**
   * Describes options for {@link createIamNextMiddleware}.
   *
   * `rules` and `getUserId` are required.
   *
   * @template TAction - Constrains valid action strings.
   * @template TResource - Constrains valid resource strings.
   * @template TScope - Constrains valid scope strings.
   */
  interface IMiddlewareOptions {
    /** Maps URL patterns to required permissions. */
    rules: Array<{
      /** Specifies the regex or string prefix used to match the path. */
      // NOTE(review): "prefix" presumably means an unanchored startsWith
      // match, so `/admin` would also match `/admin-public`; confirm the
      // matching semantics (anchoring, trailing slash, case) in the
      // implementation before relying on a short prefix.
      pattern: string | RegExp;
      /** Specifies the required action; inferred from HTTP method when omitted. */
      action?: TAction;
      /** Specifies the resource type for this route. */
      resource: TResource;
      /** Optional scope applied to the check. */
      scope?: TScope;
    }>;
    /** Extracts the current user ID from the request. */
    getUserId: (req: Request) => string | null | Promise;
    /** Handles thrown errors during evaluation (defaults to 500 JSON). */
    onError?: (err: Error, req: Request) => Response;
  }

  /**
   * Required guard callback for admin Route Handlers.
   *
   * Same threat model as the IamExpress `adminRouter`: any handler that writes
   * policies or roles must be gated.
   */
  type IAdminAuthorize = (req: Request) => boolean | Promise;

  /** Describes options for {@link createIamAdminHandlers}. `authorize` is required. */
  interface IAdminOptions extends IamAdminAudit.IOptions {
    /** Required. Runs before every admin handler (read or write). */
    authorize: IAdminAuthorize;
    /** Overrides the 401 unauthorized response. */
    onUnauthorized?: (req: Request) => Response;
    /** Overrides the 500 internal error response. */
    onError?: (err: Error, req: Request) => Response;
    /**
     * Optional audit hook fired AFTER every mutation handler (PUT/POST/
     * DELETE/PATCH) completes - success or failure. The hook is
     * fire-and-forget: a slow or throwing implementation never blocks the
     * request and can never alter the response. GET handlers do not fire it.
     *
     * See {@link IamAdminAudit.IOptions} for additional hardening knobs:
     * `redactPath`, `onAuditHookError`, and `includeErrorMessage`.
     */
    onAdminMutation?: IamAdminAudit.Hook;
  }
}

/**
 * Wraps a IamNext.js App Router route handler with an access check.
 *
 * Returns 401 when no user is present, 403 when denied, and otherwise invokes
 * the wrapped handler.
 *
 * @template TAction - Constrains valid action strings.
 * @template TResource - Constrains valid resource strings.
 * @template TRole - Constrains valid role strings.
 * @template TScope - Constrains valid scope strings.
 * @param engine - Provides the access engine to consult.
 * @param action - Specifies the action being performed.
 * @param resourceType - Specifies the resource type required for the check.
 * @param handler - Provides the downstream route handler invoked on allow.
 * @param opts - Configures optional extractors and `scope` override.
 * @returns A wrapped route handler.
 * @example
 * ```ts
 * export const DELETE = withIamAccess(engine, 'delete', 'post', async (req, ctx) => {
 *   const { id } = await ctx.params
 *   return Response.json({ deleted: id })
 * })
 * ```
 */
declare function withIamAccess(engine: IamEngine, action: TAction, resourceType: TResource, handler: RouteHandler, opts?: IamNext.IWithAccessOptions): RouteHandler;

/**
 * Returns whether `subjectId` can perform `(action, resourceType)`.
 *
 * Designed for use inside Server Components or server actions.
 *
 * @template TAction - Constrains valid action strings.
 * @template TResource - Constrains valid resource strings.
 * @template TRole - Constrains valid role strings.
 * @template TScope - Constrains valid scope strings.
 * @param engine - Provides the access engine to consult.
 * @param subjectId - Identifies the subject performing the action.
 * @param action - Specifies the action being performed.
 * @param resourceType - Specifies the resource type required for the check.
 * @param resourceId - Optional resource instance ID.
 * @param scope - Optional scope constraint.
 * @returns Resolves to `true` when allowed and `false` otherwise.
 */
declare function checkIamAccess(engine: IamEngine, subjectId: string, action: TAction, resourceType: TResource, resourceId?: string, scope?: TScope): Promise;

/**
 * Builds a {@link IamClient.PermissionMap} for a Server Component or layout.
 *
 * Pass the result to the React `AccessProvider` on the client side.
 *
 * @template TAction - Constrains valid action strings.
 * @template TResource - Constrains valid resource strings.
 * @template TRole - Constrains valid role strings.
 * @template TScope - Constrains valid scope strings.
 * @param engine - Provides the access engine to consult.
 * @param subjectId - Identifies the subject whose permissions are computed.
 * @param checks - Lists the permission tuples to evaluate.
 * @returns A permission map keyed by `(action, resource, scope)` tuple.
 */
declare function getIamPermissions(engine: IamEngine, subjectId: string, checks: readonly IamClient.IPermissionCheck[]): Promise>;

/**
 * Builds a IamNext.js Edge Middleware matcher that protects routes by a list of
 * pattern-keyed rules.
 *
 * Returns `null` when the request passes or no rule matches; otherwise returns
 * a `Response` (401/403/500).
 *
 * Because an unmatched request also yields `null`, a route that is absent from
 * `rules` is passed through by this middleware; the completeness of the rule
 * list is therefore part of the security boundary.
 *
 * @template TAction - Constrains valid action strings.
 * @template TResource - Constrains valid resource strings.
 * @template TRole - Constrains valid role strings.
 * @template TScope - Constrains valid scope strings.
 * @param engine - Provides the access engine to consult.
 * @param opts - Provides the rule list, user extractor, and optional error handler.
 * @returns An `async (req) => Response | null` suitable for use inside `middleware.ts`.
 * @example
 * ```ts
 * // NEVER trust user-supplied headers for identity. Derive from a verified
 * // source: cookie session, JWT, or your auth library.
 * const mw = createIamNextMiddleware(engine, {
 *   rules: [{ pattern: '/admin', resource: 'admin' }],
 *   getUserId: async (req) => {
 *     const session = await getServerSession(req)
 *     return session?.user?.id ?? null
 *   },
 * })
 * export const middleware = async (req: Request) => (await mw(req)) ?? NextResponse.next()
 * ```
 */
declare function createIamNextMiddleware(engine: IamEngine, opts: IamNext.IMiddlewareOptions): (req: Request) => Promise;

/**
 * Builds pre-bound admin Route Handlers for IamNext.js App Router.
 *
 * Every handler runs `authorize(req)` first; failure replies 401. Throws at
 * construction time when `opts.authorize` is missing.
 *
 * @template TAction - Constrains valid action strings.
 * @template TResource - Constrains valid resource strings.
 * @template TRole - Constrains valid role strings.
 * @template TScope - Constrains valid scope strings.
 * @param engine - Provides the access engine whose `admin` operations are exposed.
 * @param opts - Must include `authorize`.
 * @returns Object with `listPolicies`, `listRoles`, `savePolicy`, `saveRole`, `assignRole`, `revokeRole`.
 * @throws Error when `opts.authorize` is not a function.
 * @example
 * ```ts
 * // app/api/admin/policies/route.ts
 * const h = createIamAdminHandlers(engine, {
 *   authorize: (req) => isAdminToken(req),
 *   onAdminMutation: (e) => auditLog.write(e),
 * })
 * export const GET = h.listPolicies
 * export const PUT = h.savePolicy
 * ```
 * @example
 * Rate limiting is out of scope; compose at the framework layer with the
 * caller's middleware of choice. Pseudocode:
 * ```ts
 * // middleware.ts
 * export const middleware = async (req: Request) => {
 *   if (req.nextUrl.pathname.startsWith('/api/admin/')) {
 *     const blocked = await adminRateLimit(req)
 *     if (blocked) return blocked
 *   }
 * }
 * ```
 */
declare function createIamAdminHandlers(engine: IamEngine, opts: IamNext.IAdminOptions): {
  // Read-only handlers: `authorize` still gates them, but per the
  // `onAdminMutation` docs above they do not fire the audit hook.
  listPolicies: (req: Request, ctx: { params: unknown; }) => Promise;
  listRoles: (req: Request, ctx: { params: unknown; }) => Promise;
  // Mutation handlers: gated by `authorize` and followed by `onAdminMutation`.
  savePolicy: (req: Request, ctx: { params: Record | Promise>; }) => Promise;
  saveRole: (req: Request, ctx: { params: Record | Promise>; }) => Promise;
  assignRole: (req: Request, ctx: { params: { id: string; } | Promise<{ id: string; }>; }) => Promise;
  revokeRole: (req: Request, ctx: { params: { id: string; roleId: string; } | Promise<{ id: string; roleId: string; }>; }) => Promise;
};

//#endregion

export { IamNext, checkIamAccess, createIamAdminHandlers, createIamNextMiddleware, getIamPermissions, withIamAccess };
//# sourceMappingURL=index.d.ts.map