realtime/sse_auth_guard.ts

SSE auth guard and convenience factory for audit log SSE.

create_sse_auth_guard bridges audit events to SubscriberRegistry.close_by_identity(), closing SSE streams when a subscriber's access is revoked (role revocation or session invalidation).

create_audit_log_sse is a convenience factory that combines the registry, guard, and broadcaster — making the secure path the easy path for consumers.

Declarations

7 declarations


AUDIT_LOG_CHANNEL

AUDIT_LOG_EVENT_SPECS

AUDIT_LOG_SSE_MAX_PER_SCOPE

10

Default max concurrent SSE subscribers per session scope for the audit log.

The audit log SSE subscribes with scope = session_hash and groups = [account_id]. Only scope is capped — so this limits tabs per session. An account's total streams across all sessions is bounded transitively by max_sessions × AUDIT_LOG_SSE_MAX_PER_SCOPE. 10 tabs per session is a comfortable ceiling for normal use; consumers raising it above ~50 should consider server-side connection limits.

AuditLogSse

AuditLogSse

Convenience factory result for audit log SSE.

Satisfies AuditLogRouteOptions['stream'] and provides the combined on_audit_event callback (broadcast + guard).

subscribe

Subscribe function — pass as part of stream option to create_audit_log_route_specs.

type (stream: SseStream<SseNotification>, options?: SubscribeOptions) => () => void

log

Logger — pass as part of stream option to create_audit_log_route_specs.

type Logger

on_audit_event

Combined broadcast + guard callback. Pass as on_audit_event on CreateAppBackendOptions.

type (event: AuditLogEvent) => void

registry

The underlying registry — exposed for subscriber count monitoring.

type SubscriberRegistry<SseNotification>

create_audit_log_sse

(options: { role?: string | undefined; log: Logger; max_per_scope?: number | null | undefined; }): AuditLogSse

Create a complete audit log SSE setup with broadcasting and auth guard.

Combines SubscriberRegistry, create_sse_auth_guard, and the broadcast call into a single object. The result satisfies AuditLogRouteOptions['stream'] and provides the on_audit_event callback for CreateAppBackendOptions.

options

factory options

type { role?: string | undefined; log: Logger; max_per_scope?: number | null | undefined; }

returns

AuditLogSse

audit log SSE setup (stream options + on_audit_event + registry)

examples

const audit_sse = create_audit_log_sse({log});
// In create_app_backend options:
on_audit_event: audit_sse.on_audit_event,
// In create_route_specs:
create_audit_log_route_specs({stream: audit_sse});
// In create_app_server options:
event_specs: AUDIT_LOG_EVENT_SPECS,

create_sse_auth_guard

<T>(registry: SubscriberRegistry<T>, required_role: string | null, log: Logger): (event: AuditLogEvent) => void

Create an audit event handler that closes SSE streams on auth changes.

Closes streams when:
- role_grant_revoke fires for the required_role targeting a connected subscriber
- session_revoke_all targets a connected subscriber (consistent invalidation)
- password_change targets a connected subscriber (sessions revoked implicitly)

The registry must use account_id as the identity key when subscribing (passed as the third argument to registry.subscribe()).

registry

the subscriber registry to guard

type SubscriberRegistry<T>

required_role

the role that grants access to the SSE endpoint, or null to skip role_grant_revoke handling entirely (for streams not gated by a specific role_grant)

type string | null

log

logger for disconnect events

type Logger

returns

(event: AuditLogEvent) => void

an on_audit_event callback

DISCONNECT_EVENT_TYPES

ReadonlySet<string>

Audit event types that trigger SSE stream disconnection.

role_grant_revoke requires the revoked role to match the guard's required_role (or is skipped entirely when required_role is null — useful for streams not gated by any specific role_grant). session_revoke_all and password_change close every stream for the target account. session_revoke closes only the stream tied to the specific revoked session (matched by the blake3 session hash in event.metadata.session_id) — closing all of a user's streams for a single-session revoke would be over-aggressive.
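The disconnect rules above, modelled as a stand-alone function. This is an added example, not code from this module: the names GuardEvent, Sub and streams_to_close and the event fields event_type, target_account_id and metadata.role are assumptions, while metadata.session_id is the field named above.

```typescript
// Added illustration: stand-alone model of the disconnect rules, not the module's code.
// Assumed names: GuardEvent, Sub, streams_to_close, event_type, target_account_id,
// metadata.role. metadata.session_id is the field the page names.
type GuardEvent = {
  event_type: string;
  target_account_id: string;
  metadata?: { role?: string; session_id?: string };
};

// One open SSE stream: identity = account id, scope = session hash.
type Sub = { id: number; account_id: string; session_hash: string };

// Events that close every stream of the target account.
const CLOSE_ALL_FOR_ACCOUNT: ReadonlySet<string> = new Set([
  'session_revoke_all',
  'password_change',
]);

function streams_to_close(subs: Sub[], required_role: string | null, ev: GuardEvent): number[] {
  const of_account = subs.filter((s) => s.account_id === ev.target_account_id);
  if (CLOSE_ALL_FOR_ACCOUNT.has(ev.event_type)) return of_account.map((s) => s.id);
  if (ev.event_type === 'role_grant_revoke') {
    // Ignored when the stream is not role-gated or a different role was revoked.
    if (required_role === null || ev.metadata?.role !== required_role) return [];
    return of_account.map((s) => s.id);
  }
  if (ev.event_type === 'session_revoke') {
    // Only the revoked session's streams; other sessions of the account stay open.
    // An event without a session_id matches nothing (a choice made for this sketch).
    const hash = ev.metadata?.session_id;
    return of_account.filter((s) => s.session_hash === hash).map((s) => s.id);
  }
  return []; // any other audit event leaves streams alone
}

// Constructed sample: account a1 has two tabs on session h1 and one on h2; a2 has one stream.
const SAMPLE_SUBS: Sub[] = [
  { id: 1, account_id: 'a1', session_hash: 'h1' },
  { id: 2, account_id: 'a1', session_hash: 'h1' },
  { id: 3, account_id: 'a1', session_hash: 'h2' },
  { id: 4, account_id: 'a2', session_hash: 'h3' },
];
```

A table of expected stream ids per event type, like the one this function yields for the sample, makes a compact regression test for any guard wired to real audit events.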
