Merge pull request #111 from getlarge/110-featketo-client-wrapper-all…

…ow-dynamic-relationtuplecondition

feat(keto-client-wrapper): allow dynamic RelationTupleCondition

package.json

@@ -9,7 +9,7 @@
     "@nestjs/common": "^10.4.4",
     "@nestjs/config": "^3.2.3",
     "@nestjs/core": "^10.4.4",
-    "@ory/client": "^1.15.5",
+    "@ory/client": "^1.15.10",
     "axios": "1.7.7",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.1",

packages/keto-client-wrapper/src/index.ts

@@ -3,8 +3,11 @@ export {
   OryAuthorizationGuardOptions,
 } from './lib/ory-authorization.guard';
 export {
+  EnhancedRelationTupleFactory,
   getOryPermissionChecks,
   OryPermissionChecks,
+  RelationTupleCondition,
+  RelationTupleFactory,
 } from './lib/ory-permission-checks.decorator';
 export {
   OryPermissionsModule,

packages/keto-client-wrapper/src/lib/ory-authorization.guard.ts

@@ -15,8 +15,9 @@ import { PermissionApiExpandPermissionsRequest } from '@ory/client';
 import type { Observable } from 'rxjs';
 
 import {
-  EnhancedRelationTupleFactory,
   getOryPermissionChecks,
+  RelationTupleCondition,
+  RelationTupleFactory,
 } from './ory-permission-checks.decorator';
 import { OryPermissionsService } from './ory-permissions';
 
@@ -40,7 +41,7 @@ export abstract class IAuthorizationGuard implements CanActivate {
   ): boolean | Promise<boolean> | Observable<boolean>;
 
   abstract evaluateConditions(
-    factory: EnhancedRelationTupleFactory,
+    factory: RelationTupleFactory | RelationTupleCondition,
     context: ExecutionContext
   ): Promise<{
     allowed: boolean;
@@ -72,7 +73,7 @@ export const OryAuthorizationGuard = (
     }
 
     async evaluateConditions(
-      factory: EnhancedRelationTupleFactory,
+      factory: RelationTupleFactory | RelationTupleCondition,
       context: ExecutionContext
     ): Promise<{
       allowed: boolean;
@@ -138,7 +139,11 @@ export const OryAuthorizationGuard = (
         return true;
       }
       const { postCheck, unauthorizedFactory } = this.options;
-      for (const factory of factories) {
+      for (const firstLevelFactory of factories) {
+        const factory =
+          typeof firstLevelFactory === 'function'
+            ? firstLevelFactory(context)
+            : firstLevelFactory;
         const { allowed, relationTuple } = await this.evaluateConditions(
           factory,
           context

packages/keto-client-wrapper/src/lib/ory-permission-checks.decorator.ts

@@ -12,7 +12,8 @@ export type RelationTupleCondition = {
 
 export type EnhancedRelationTupleFactory =
   | RelationTupleFactory
-  | RelationTupleCondition;
+  | RelationTupleCondition
+  | ((ctx: ExecutionContext) => RelationTupleCondition);
 
 /**
  * @description Decorator to add permission checks to a handler, will be consumed by the `OryAuthorizationGuard` {@link OryAuthorizationGuard} using the `getOryPermissionChecks` {@link getOryPermissionChecks} function

packages/keto-client-wrapper/test/app.controller.mock.ts

@@ -110,25 +110,21 @@ export class ExampleController {
     return this.exampleService.getExample();
   }
 
-  @OryPermissionChecks({
-    type: 'OR',
-    conditions: [
-      (ctx) => {
-        const req = ctx.switchToHttp().getRequest();
-        const resourceId = req.params.id;
-        return `Toy:${resourceId}#owners`;
-      },
-      (ctx) => {
-        const req = ctx.switchToHttp().getRequest();
-        const currentUserId = req.headers['x-current-user-id'] as string;
-        const resourceId = req.params.id;
-        return new RelationTupleBuilder()
+  @OryPermissionChecks((ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    const resourceId = req.params.id;
+    const currentUserId = req.headers['x-current-user-id'] as string;
+    return {
+      type: 'OR',
+      conditions: [
+        `Toy:${resourceId}#owners`,
+        new RelationTupleBuilder()
           .subject('User', currentUserId)
           .isIn('owners')
           .of('Toy', resourceId)
-          .toString();
-      },
-    ],
+          .toString(),
+      ],
+    };
   })
   @UseGuards(AuthorizationGuard())
   @Get('poly/:id')