realtime/sse_auth_guard.ts

SSE auth guard and convenience factory for audit log SSE.

create_sse_auth_guard bridges audit events to SubscriberRegistry.close_by_identity(), closing SSE streams when a subscriber's access is revoked (role revocation or session invalidation).

create_audit_log_sse is a convenience factory that combines the registry, guard, and broadcaster — making the secure path the easy path for consumers.

Declarations

AUDIT_LOG_EVENT_SPECS

AuditLogSse

Convenience factory result for audit log SSE.

Satisfies AuditLogRouteOptions['stream'] and provides the combined on_audit_event callback (broadcast + guard).

subscribe

Subscribe function — pass as part of stream option to create_audit_log_route_specs.

type (stream: SseStream<SseNotification>, channels?: Array<string>, identity?: string) => () => void

log

Logger — pass as part of stream option to create_audit_log_route_specs.

type Logger

on_audit_event

Combined broadcast + guard callback. Pass as on_audit_event on CreateAppBackendOptions.

type (event: AuditLogEvent) => void

registry

The underlying registry — exposed for subscriber count monitoring.

type SubscriberRegistry<SseNotification>

create_audit_log_sse

create_sse_auth_guard

<T>(registry: SubscriberRegistry<T>, required_role: string, log: Logger): (event: AuditLogEvent) => void

Create an audit event handler that closes SSE streams on auth changes.

Closes streams when:

- permit_revoke fires for the required_role targeting a connected subscriber
- session_revoke_all targets a connected subscriber (consistent invalidation)
- password_change targets a connected subscriber (sessions revoked implicitly)

The registry must use account_id as the identity key when subscribing (passed as the third argument to registry.subscribe()).

registry

the subscriber registry to guard

type SubscriberRegistry<T>

required_role

the role that grants access to the SSE endpoint

type string

log

logger for disconnect events

type Logger

returns

(event: AuditLogEvent) => void

an on_audit_event callback

DISCONNECT_EVENT_TYPES

ReadonlySet<string>

Audit event types that trigger SSE stream disconnection.

permit_revoke requires the revoked role to match the guard's required_role. session_revoke_all and password_change close unconditionally for the target account.
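
The disconnect rules above and the identity-keyed close described for create_sse_auth_guard, modelled as an added example (not the library's source). MiniRegistry, make_guard, demo, the event field names and the `login` event type are assumptions made for illustration.

```typescript
// Stand-in model of the guard's decision logic; not the library's implementation.
type Stream = { close: () => void };
type AuditEvent = { event_type: string; target_account_id: string | null; role?: string }; // field names ASSUMED
// Minimal registry keyed by identity (account_id), modelling close_by_identity().
class MiniRegistry {
  streams = new Map<string, Set<Stream>>();
  subscribe(stream: Stream, identity: string): () => void {
    const set = this.streams.get(identity) ?? new Set<Stream>();
    set.add(stream);
    this.streams.set(identity, set);
    return () => { set.delete(stream); };
  }
  close_by_identity(identity: string): number {
    const set = this.streams.get(identity);
    if (!set) return 0;
    const count = set.size; // capture first: a close handler may unsubscribe itself
    set.forEach((s) => s.close());
    this.streams.delete(identity);
    return count;
  }
}
const DISCONNECT_TYPES = new Set(['permit_revoke', 'session_revoke_all', 'password_change']);
// Returns the number of streams closed so each decision is observable.
function make_guard(registry: MiniRegistry, required_role: string) {
  return (event: AuditEvent): number => {
    if (!DISCONNECT_TYPES.has(event.event_type)) return 0;
    if (!event.target_account_id) return 0; // no identity to look up
    // A revoked role only matters if it is the one that grants access.
    if (event.event_type === 'permit_revoke' && event.role !== required_role) return 0;
    return registry.close_by_identity(event.target_account_id);
  };
}

// Constructed sample: two streams for acct_a, one for acct_b, required role "admin".
function demo(): { counts: number[]; closed: string[] } {
  const registry = new MiniRegistry();
  const closed: string[] = [];
  for (const id of ['acct_a#1', 'acct_a#2', 'acct_b#1']) {
    registry.subscribe({ close: () => { closed.push(id); } }, id.slice(0, 6));
  }
  const events: AuditEvent[] = [
    { event_type: 'permit_revoke', target_account_id: 'acct_a', role: 'viewer' }, // other role
    { event_type: 'permit_revoke', target_account_id: 'acct_a', role: 'admin' },
    { event_type: 'login', target_account_id: 'acct_b' }, // constructed non-disconnect type
    { event_type: 'password_change', target_account_id: 'acct_b' },
    { event_type: 'session_revoke_all', target_account_id: 'acct_c' }, // not connected
  ];
  return { counts: events.map(make_guard(registry, 'admin')), closed };
}
```

In this model a permit_revoke for a different role leaves both acct_a streams open, and a revoke targeting an account with no connected subscriber is a no-op.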
