fix(api): derive secure sse subscriptions

2026-03-30 14:20:18 +02:00
parent 27b0e38b93
commit 82466a4e34
7 changed files with 281 additions and 29 deletions
@@ -0,0 +1,45 @@
+import { resolvePermissions, type PermissionKey, type PermissionOverrides, SystemRole } from "@capakraken/shared";
+import {
+  canonicalizeSseAudiences,
+  permissionAudience,
+  resourceAudience,
+  roleAudience,
+  type SseAudience,
+  type SseSubscriptionOptions,
+  userAudience,
+} from "./event-bus.js";
+
+export interface SseSubscriberIdentity {
+  userId: string;
+  systemRole: SystemRole;
+  permissionOverrides?: PermissionOverrides | null;
+  resourceId?: string | null;
+}
+
+export interface DerivedSseSubscription extends SseSubscriptionOptions {
+  audiences: SseAudience[];
+  permissions: Set<PermissionKey>;
+  includeUnscoped: false;
+}
+
+export function deriveUserSseSubscription(
+  identity: SseSubscriberIdentity,
+  roleDefaults?: Record<string, PermissionKey[]>,
+): DerivedSseSubscription {
+  const permissions = resolvePermissions(
+    identity.systemRole,
+    identity.permissionOverrides ?? null,
+    roleDefaults,
+  );
+
+  return {
+    audiences: canonicalizeSseAudiences([
+      userAudience(identity.userId),
+      roleAudience(identity.systemRole),
+      ...(identity.resourceId ? [resourceAudience(identity.resourceId)] : []),
+      ...Array.from(permissions, (permission) => permissionAudience(permission)),
+    ]),
+    permissions,
+    includeUnscoped: false,
+  };
+}