@accounter/server
Version:
Accounter GraphQL server
45 lines • 1.7 kB
JavaScript
import { __decorate, __metadata, __param } from "tslib";
import { GraphQLError } from 'graphql';
import { Inject, Injectable, Scope } from 'graphql-modules';
import { AuthContextProvider } from './auth-context.provider.js';
let AuthorizationProvider = class AuthorizationProvider {
authProvider;
constructor(authProvider) {
this.authProvider = authProvider;
}
async requireAuth() {
const auth = await this.authProvider.getAuthContext();
if (!auth?.user) {
throw new GraphQLError('Authentication required', {
extensions: { code: 'UNAUTHENTICATED' },
});
}
return auth.user;
}
async requireRole(allowedRoles) {
const user = await this.requireAuth();
if (!allowedRoles.includes(user.roleId)) {
throw new GraphQLError(`Access denied. Required roles: ${allowedRoles.join(', ')}`, {
extensions: { code: 'FORBIDDEN' },
});
}
return user;
}
async requireBusinessOwner() {
return this.requireRole(['business_owner']);
}
async canWrite() {
// Employee is read-only; scraper is excluded unless a domain service explicitly allows it.
return this.requireRole(['business_owner', 'accountant']);
}
async canManageUsers() {
return this.requireRole(['business_owner']);
}
};
AuthorizationProvider = __decorate([
Injectable({ scope: Scope.Operation, global: true }),
__param(0, Inject(AuthContextProvider)),
__metadata("design:paramtypes", [AuthContextProvider])
], AuthorizationProvider);
export { AuthorizationProvider };
//# sourceMappingURL=authorization.provider.js.map