feat(auth): initial draft of @nestjs-cls/auth plugin

Author: Papooch

packages/auth/README.md

@@ -0,0 +1,7 @@
+# @nestjs-cls/auth
+
+An "Auth" plugin for `nestjs-cls` that simplifies verifying permissions by storing the authorization object in the CLS context.
+
+The authorization object can be retrieved in any other service and used to verify permissions without having to pass it around. It can also be queried using the handy `RequirePermission` decorator.
+
+### ➡️ [Go to the documentation website](https://papooch.github.io/nestjs-cls/plugins/available-plugins/auth) 📖

packages/auth/jest.config.js

@@ -0,0 +1,9 @@
+module.exports = {
+    moduleFileExtensions: ['js', 'json', 'ts'],
+    rootDir: '.',
+    testRegex: '.*\\.spec\\.ts$',
+    preset: 'ts-jest',
+    collectCoverageFrom: ['src/**/*.ts'],
+    coverageDirectory: '../coverage',
+    testEnvironment: 'node',
+};

packages/auth/package.json

@@ -0,0 +1,70 @@
+{
+  "name": "@nestjs-cls/auth",
+  "version": "0.0.1",
+  "description": "A nestjs-cls plugin for authorization",
+  "author": "papooch",
+  "license": "MIT",
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Papooch/nestjs-cls.git"
+  },
+  "homepage": "https://papooch.github.io/nestjs-cls/",
+  "keywords": [
+    "nest",
+    "nestjs",
+    "cls",
+    "continuation-local-storage",
+    "als",
+    "AsyncLocalStorage",
+    "async_hooks",
+    "request context",
+    "async context",
+    "auth",
+    "authorization"
+  ],
+  "main": "dist/src/index.js",
+  "types": "dist/src/index.d.ts",
+  "files": [
+    "dist/src/**/!(*.spec).d.ts",
+    "dist/src/**/!(*.spec).js"
+  ],
+  "scripts": {
+    "prepack": "cp ../../../LICENSE ./LICENSE",
+    "prebuild": "rimraf dist",
+    "build": "tsc",
+    "test": "jest",
+    "test:watch": "jest --watch",
+    "test:cov": "jest --coverage"
+  },
+  "peerDependencies": {
+    "@nestjs/common": ">= 10 < 12",
+    "@nestjs/core": ">= 10 < 12",
+    "nestjs-cls": "workspace:^5.4.3",
+    "reflect-metadata": "*",
+    "rxjs": ">= 7"
+  },
+  "devDependencies": {
+    "@nestjs/cli": "^11.0.7",
+    "@nestjs/common": "^11.1.0",
+    "@nestjs/core": "^11.1.0",
+    "@nestjs/testing": "^11.1.0",
+    "@types/jest": "^29.5.14",
+    "@types/node": "^22.15.12",
+    "jest": "^29.7.0",
+    "nestjs-cls": "workspace:^5.4.3",
+    "reflect-metadata": "^0.2.2",
+    "rimraf": "^6.0.1",
+    "rxjs": "^7.8.1",
+    "ts-jest": "^29.3.1",
+    "ts-loader": "^9.5.2",
+    "ts-node": "^10.9.2",
+    "tsconfig-paths": "^4.2.0",
+    "typescript": "5.8.2"
+  }
+}

packages/auth/src/index.ts

@@ -0,0 +1,4 @@
+export * from './lib/auth-host';
+export * from './lib/plugin-auth';
+export * from './lib/require-permission.decorator';
+export * from './lib/permission-denied.exception';

packages/auth/src/lib/auth-host.ts

@@ -0,0 +1,61 @@
+import { Logger } from '@nestjs/common';
+import { ClsServiceManager } from 'nestjs-cls';
+import { getAuthClsKey } from './auth.symbols';
+import { PermissionDeniedException } from './permission-denied.exception';
+import { RequirePermissionOptions } from './auth.interfaces';
+
+export class AuthHost<TAuth = never> {
+    private readonly cls = ClsServiceManager.getClsService();
+    private readonly logger = new Logger(AuthHost.name);
+    private readonly authInstanceSymbol: symbol;
+
+    private static _instanceMap = new Map<symbol, AuthHost<any>>();
+
+    static getInstance<TAuth = never>(authName?: string): AuthHost<TAuth> {
+        const instanceSymbol = getAuthClsKey(authName);
+        const instance = this._instanceMap.get(instanceSymbol);
+
+        if (!instance) {
+            throw new Error(
+                'AuthHost not initialized, Make sure that the `ClsPluginAuth` is properly registered and that the correct `authName` is used.',
+            );
+        }
+        return instance;
+    }
+
+    constructor() {
+        this.authInstanceSymbol = getAuthClsKey();
+        AuthHost._instanceMap.set(this.authInstanceSymbol, this);
+    }
+
+    get auth(): TAuth {
+        if (!this.cls.isActive()) {
+            throw new Error(
+                'CLS context is not active, cannot retrieve auth instance.',
+            );
+        }
+        return this.cls.get(this.authInstanceSymbol) as TAuth;
+    }
+
+    setAuth(auth: TAuth): void {
+        this.cls.set(this.authInstanceSymbol, auth);
+    }
+
+    hasPermission(predicate: (auth: TAuth) => boolean): boolean {
+        if (!predicate(this.auth)) {
+            return false;
+        }
+        return true;
+    }
+
+    requirePermission(
+        predicate: (auth: TAuth) => boolean,
+        options?: RequirePermissionOptions,
+    ): void {
+        if (!this.hasPermission(predicate)) {
+            throw new PermissionDeniedException(
+                options?.exceptionMessage ?? 'Permission denied',
+            );
+        }
+    }
+}

packages/auth/src/lib/auth.interfaces.ts

@@ -0,0 +1,3 @@
+export interface RequirePermissionOptions {
+    exceptionMessage?: string;
+}

packages/auth/src/lib/auth.symbols.ts

@@ -0,0 +1,8 @@
+export const AUTH_HOST_OPTIONS = Symbol('AUTH_HOST_OPTIONS');
+
+const AUTH_CLS_KEY = Symbol('AUTH_CLS_KEY');
+
+export const getAuthClsKey = (authName?: string) =>
+    authName
+        ? Symbol.for(`${AUTH_CLS_KEY.description}_${authName}`)
+        : AUTH_CLS_KEY;

packages/auth/src/lib/permission-denied.exception.ts

@@ -0,0 +1,6 @@
+export class PermissionDeniedException extends Error {
+    constructor(message: string) {
+        super(message);
+        this.name = 'PermissionDeniedException';
+    }
+}

packages/auth/src/lib/plugin-auth.ts

@@ -0,0 +1,46 @@
+import { ClsPluginBase, ClsService } from 'nestjs-cls';
+import { AuthHost } from './auth-host';
+import { getAuthClsKey } from './auth.symbols';
+
+const CLS_AUTH_OPTIONS = Symbol('CLS_AUTH_OPTIONS');
+
+interface ClsAuthCallbacks<T> {
+    authObjectFactory: (cls: ClsService) => T;
+    permissionResolutionStrategy?: (authObject: T, cls: ClsService) => boolean;
+}
+
+export interface ClsPluginAuthOptions<T> {
+    imports?: any[];
+    inject?: any[];
+    useFactory?: (...args: any[]) => ClsAuthCallbacks<T>;
+}
+
+export class ClsPluginAuth extends ClsPluginBase {
+    constructor(options: ClsPluginAuthOptions<any>) {
+        super('cls-plugin-auth');
+        this.imports.push(...(options.imports ?? []));
+        this.providers = [
+            {
+                provide: CLS_AUTH_OPTIONS,
+                inject: options.inject,
+                useFactory: options.useFactory ?? (() => ({})),
+            },
+            {
+                provide: AuthHost,
+                useClass: AuthHost,
+            },
+        ];
+
+        this.registerHooks({
+            inject: [CLS_AUTH_OPTIONS],
+            useFactory: (options: ClsAuthCallbacks<any>) => ({
+                afterSetup: (cls: ClsService) => {
+                    const authObject = options.authObjectFactory(cls);
+                    cls.setIfUndefined(getAuthClsKey(), authObject);
+                },
+            }),
+        });
+
+        this.exports = [AuthHost];
+    }
+}

packages/auth/src/lib/require-permission.decorator.ts

@@ -0,0 +1,60 @@
+import { copyMethodMetadata } from 'nestjs-cls';
+import { AuthHost } from './auth-host';
+import { RequirePermissionOptions } from './auth.interfaces';
+
+export function RequirePermission<TAuth = any>(
+    predicate: (auth: TAuth) => boolean,
+    options?: RequirePermissionOptions,
+): MethodDecorator;
+
+export function RequirePermission<TAuth = any>(
+    authName: string,
+    predicate: (auth: TAuth) => boolean,
+    options?: RequirePermissionOptions,
+): MethodDecorator;
+
+export function RequirePermission<TAuth = any>(
+    firstParam: any,
+    secondParam?: any,
+    thirdParam?: any,
+): MethodDecorator {
+    let authName: string | undefined;
+    let predicate: (auth: TAuth) => boolean;
+    let options: RequirePermissionOptions | undefined;
+
+    if (typeof firstParam === 'string') {
+        authName = firstParam;
+        predicate = secondParam as (auth: TAuth) => boolean;
+        options = thirdParam;
+    } else {
+        authName = undefined;
+        predicate = firstParam as (auth: TAuth) => boolean;
+        options = secondParam;
+    }
+    options ??= {
+        exceptionMessage: 'Permission denied',
+    };
+
+    return ((
+        _target: any,
+        propertyKey: string | symbol,
+        descriptor: TypedPropertyDescriptor<(...args: any) => any>,
+    ) => {
+        const original = descriptor.value;
+        if (typeof original !== 'function') {
+            throw new Error(
+                `The @RequirePermission decorator can be only used on functions, but ${propertyKey.toString()} is not a function.`,
+            );
+        }
+        descriptor.value = new Proxy(original, {
+            apply: function (_, outerThis, args: any[]) {
+                const authHost = AuthHost.getInstance(authName);
+
+                authHost.requirePermission(predicate, options);
+
+                return original.call(outerThis, ...args);
+            },
+        });
+        copyMethodMetadata(original, descriptor.value);
+    }) as MethodDecorator;
+}