nest-rs-authz 0.2.0

CASL-style authorization for nestrs: one ability definition driving an access gate, a SeaORM query pre-filter, and response field-masking. Transport bindings (`http`, `graphql`, `mcp`) live behind Cargo features; the database-coupled extractors (`Bind`, `bind`, `LoaderScope`, `WsDataContext`) live in `nest-rs-seaorm` so the engine stays free of a data-layer dependency.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

//! HTTP bindings for [`nest_rs_authz`](crate) (feature `http`).
//!
//! In request order: [`AbilityGuard`] builds the request `Ability` from the
//! actor an authn guard attached; [`Authorize`] gates access (`403` unless `A`
//! on `S` is granted); [`Scope`] hands a handler the row-level `Condition` to
//! build its own query; the `RouteResponseShaper` impl on [`Authorize`]
//! installs the ability as ambient state (data-layer scoping) and masks the
//! response — no `mask` call in the handler.
//!
//! By-id route-model binding lives in `nest_rs_seaorm::Bind` (it `use`s the
//! data layer).

mod extractor;
mod guard;
mod scope;
mod shape;

pub use extractor::Authorize;
pub use guard::AbilityGuard;
pub use scope::Scope;
pub use shape::mask_entity_response;