feat: basic debugging

package.json

@@ -1,6 +1,6 @@
 {
   "name": "feathers-casl",
-  "version": "2.2.2",
+  "version": "2.2.3",
   "description": "Add access control with CASL to your feathers application.",
   "author": "fratzinger",
   "homepage": "https://feathers-casl.netlify.app/",

src/hooks/authorize/authorize.hook.after.ts

@@ -148,6 +148,14 @@ export const authorizeAfter = async <H extends HookContext = HookContext>(
     result = pickFieldsForItem(items[0])
     if (method === 'get' && _isEmpty(result)) {
       if (options.actionOnForbidden) options.actionOnForbidden()
+      if (options.debug) {
+        console.error(
+          'Feathers-CASL: authorizeAfter hook - all fields are restricted for this action',
+          method,
+          modelName,
+          items[0],
+        )
+      }
       throw new Forbidden(`You're not allowed to ${method} ${modelName}`)
     }
   }

src/hooks/authorize/authorize.hook.before.ts

@@ -165,7 +165,30 @@ const handleSingle = async <H extends HookContext = HookContext>(
 
     const getMethod = service._get ? '_get' : 'get'
 
-    const item = await service[getMethod](id, paramsGet)
+    const item = await service[getMethod](id, paramsGet).catch((err: any) => {
+      if (options.debug) {
+        console.error(
+          'Feathers-CASL: authorizeBefore hook - error fetching item for single-item authorization check',
+          getMethod,
+          method,
+          id,
+          ability.relevantRuleFor(method, modelName),
+          paramsGet.query,
+          'query from casl',
+          mergeQueryFromAbility(
+            context.app,
+            ability,
+            method,
+            modelName,
+            {},
+            context.service,
+            options,
+          ),
+        )
+      }
+
+      throw err
+    })
 
     const restrictingFields = hasRestrictingFields(
       ability,
@@ -180,6 +203,14 @@ const handleSingle = async <H extends HookContext = HookContext>(
       if (options.actionOnForbidden) {
         options.actionOnForbidden()
       }
+      if (options.debug) {
+        console.error(
+          'Feathers-CASL: authorizeBefore hook - all fields are restricted for this action',
+          method,
+          modelName,
+          id,
+        )
+      }
       throw new Forbidden("You're not allowed to make this request")
     }
 
@@ -198,6 +229,14 @@ const handleSingle = async <H extends HookContext = HookContext>(
       if (options.actionOnForbidden) {
         options.actionOnForbidden()
       }
+      if (options.debug) {
+        console.error(
+          'Feathers-CASL: authorizeBefore hook - no fields are allowed to be changed for this action',
+          method,
+          modelName,
+          id,
+        )
+      }
       throw new Forbidden("You're not allowed to make this request")
     }
 
@@ -222,7 +261,7 @@ const checkData = <H extends HookContext = HookContext>(
   data: Record<string, unknown>,
   options: Pick<
     AuthorizeHookOptions,
-    'actionOnForbidden' | 'usePatchData' | 'useUpdateData' | 'method'
+    'actionOnForbidden' | 'usePatchData' | 'useUpdateData' | 'method' | 'debug'
   >,
 ): void => {
   const method = getMethodName(context, options)
@@ -261,6 +300,13 @@ const handleMulti = async <H extends HookContext = HookContext>(
       if (options.actionOnForbidden) {
         options.actionOnForbidden()
       }
+      if (options.debug) {
+        console.error(
+          'Feathers-CASL: authorizeBefore hook - all fields are restricted for multi-patch action',
+          method,
+          modelName,
+        )
+      }
       throw new Forbidden("You're not allowed to make this request")
     }
     if (fields && fields.length > 0) {

src/hooks/authorize/authorize.hook.utils.ts

@@ -28,7 +28,7 @@ import type {
   ThrowUnlessCanOptions,
 } from '../../types.js'
 import type { Promisable } from 'type-fest'
-import { getMethodName } from '../../utils/getMethodName'
+import { getMethodName } from '../../utils/getMethodName.js'
 
 declare module '@feathersjs/feathers' {
   interface Params {
@@ -146,6 +146,15 @@ export const throwUnlessCan = <T extends ForcedSubject<string>>(
 ): boolean => {
   if (ability.cannot(method, resource)) {
     if (options.actionOnForbidden) options.actionOnForbidden()
+    if (options.debug) {
+      console.error(
+        'Feathers-CASL: throwUnlessCan - permission denied',
+        method,
+        modelName,
+        resource,
+        ability.relevantRuleFor(method, resource),
+      )
+    }
     if (!options.skipThrow) {
       throw new Forbidden(`You are not allowed to ${method} ${modelName}`)
     }

src/hooks/common.ts

@@ -21,6 +21,7 @@ const defaultOptions: HookBaseOptions = {
     return context.path
   },
   notSkippable: false,
+  debug: false,
 }
 
 export const makeDefaultBaseOptions = (): HookBaseOptions => {

src/types.ts

@@ -34,6 +34,7 @@ export interface HookBaseOptions<H extends HookContext = HookContext> {
   modelName: GetModelName
   notSkippable: boolean
   method?: string | ((context: H) => string)
+  debug?: boolean
 }
 
 export interface CheckBasicPermissionHookOptions<
@@ -128,7 +129,7 @@ export interface GetMinimalFieldsOptions {
 export type Path = string | Array<string | number>
 
 export interface ThrowUnlessCanOptions
-  extends Pick<HookBaseOptions, 'actionOnForbidden'> {
+  extends Pick<HookBaseOptions, 'actionOnForbidden' | 'debug'> {
   skipThrow: boolean
 }