npm - @checkstack/auth-backend - Versions diffs - 0.0.2 → 0.1.0 - Mend

@checkstack/auth-backend 0.0.2 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/CHANGELOG.md +92 -0
package/drizzle/0002_lowly_squirrel_girl.sql +43 -0
package/drizzle/0003_tranquil_sally_floyd.sql +8 -0
package/drizzle/meta/0002_snapshot.json +1017 -0
package/drizzle/meta/0003_snapshot.json +1050 -0
package/drizzle/meta/_journal.json +14 -0
package/package.json +1 -1
package/src/index.ts +13 -5
package/src/router.ts +435 -0
package/src/schema.ts +107 -0
package/src/teams.test.ts +1230 -0
package/src/utils/auth-error-redirect.ts +2 -3
package/src/utils/user.test.ts +60 -41
package/src/utils/user.ts +9 -1

package/src/utils/auth-error-redirect.ts CHANGED Viewed

@@ -15,15 +15,14 @@ export function encodeAuthError(message: string): string {
 /**
  * Build auth error redirect URL
  * @param errorMessage - User-friendly error message
- * @param frontendUrl - Frontend base URL (defaults to VITE_FRONTEND_URL env var)
+ * @param frontendUrl - Frontend base URL (defaults to BASE_URL env var)
  * @returns The full redirect URL to the error page
  */
 export function buildAuthErrorUrl(
   errorMessage: string,
   frontendUrl?: string
 ): string {
-  const base =
-    frontendUrl || process.env.VITE_FRONTEND_URL || "http://localhost:5173";
+  const base = frontendUrl || process.env.BASE_URL;
   const encoded = encodeAuthError(errorMessage);
   return `${base}/auth/error?error=${encodeURIComponent(encoded)}`;
 }

package/src/utils/user.test.ts CHANGED Viewed

@@ -3,37 +3,38 @@ import { enrichUser } from "./user";
 import { User } from "better-auth/types";
 // Mock Drizzle DB
-const createMockDb = (data: { roles?: unknown[]; permissions?: unknown[] }) => {
-  const mockDb: any = {
+const createMockDb = (data: {
+  roles?: unknown[];
+  permissions?: unknown[];
+  teams?: unknown[];
+}) => {
+  const mockDb: unknown = {
     select: mock(() => mockDb),
     from: mock(() => mockDb),
     innerJoin: mock(() => mockDb),
     where: mock(() => mockDb),
   };
-  // Mock thenable for different chains
-  // eslint-disable-next-line unicorn/no-thenable
-  mockDb.then = (resolve: (arg0: unknown) => void) => {
-    // Determine which call this is based on the 'from' call
-    // const lastFrom =
-    //   mockDb.from.mock.calls[mockDb.from.mock.calls.length - 1][0];
-    // We need to look at the schema name or some identifier.
-    // Since we are mocking the schema as well, we can check equality.
-    // However, for a simple mock, we can just alternate or use a counter.
-    // In enrichUser:
-    // 1. select from userRole (inner join role)
-    // 2. select from rolePermission (inner join permission) -> for each role
-    // Let's use a simpler approach: track call count for this specific mock instance
-    if (!mockDb._callCount) mockDb._callCount = 0;
-    mockDb._callCount++;
+  // Track call count for sequential responses
+  // Call order in enrichUser: 1=roles, 2+=permissions per role, final=teams
+  let callCount = 0;
+  const nonAdminRoles = (data.roles || []).filter(
+    (r) => (r as { roleId: string }).roleId !== "admin"
+  );
-    if (mockDb._callCount === 1) {
+  // eslint-disable-next-line unicorn/no-thenable
+  (mockDb as { then: unknown }).then = (resolve: (arg0: unknown) => void) => {
+    callCount++;
+    if (callCount === 1) {
+      // First call: get roles
       return resolve(data.roles || []);
     }
-    return resolve(data.permissions || []);
+    if (callCount <= 1 + nonAdminRoles.length && nonAdminRoles.length > 0) {
+      // Permission calls for each non-admin role
+      return resolve(data.permissions || []);
+    }
+    // Team memberships (final call)
+    return resolve(data.teams || []);
   };
   return mockDb;
@@ -52,48 +53,66 @@ describe("enrichUser", () => {
   it("should enrich user with admin role and wildcard permission", async () => {
     const mockDb = createMockDb({
       roles: [{ roleId: "admin" }],
+      teams: [{ teamId: "team-1" }],
     });
-    const result = await enrichUser(baseUser, mockDb);
+    const result = await enrichUser(
+      baseUser,
+      mockDb as Parameters<typeof enrichUser>[1]
+    );
     expect(result.roles).toContain("admin");
     expect(result.permissions).toContain("*");
+    expect(result.teamIds).toEqual(["team-1"]);
   });
   it("should enrich user with custom roles and permissions", async () => {
     const mockDb = createMockDb({
-      roles: [{ roleId: "editor" }, { roleId: "viewer" }],
-      permissions: [{ permissionId: "blog.read" }],
+      roles: [{ roleId: "editor" }],
+      permissions: [{ permissionId: "blog.edit" }],
+      teams: [],
     });
-    // Note: Our simple mock returns the same permissions for ALL roles if there are multiple roles.
-    // In enrichUser, it loops through roles.
-    // If we have 2 roles, enrichUser will call select from rolePermission twice.
-    // Our mock needs to handle multiple calls if we want to be precise.
-    let callCount = 0;
-    // eslint-disable-next-line unicorn/no-thenable
-    mockDb.then = (resolve: (arg0: unknown) => void) => {
-      callCount++;
-      if (callCount === 1) return resolve([{ roleId: "editor" }]);
-      if (callCount === 2) return resolve([{ permissionId: "blog.edit" }]);
-      return resolve([]);
-    };
-    const result = await enrichUser(baseUser, mockDb);
+    const result = await enrichUser(
+      baseUser,
+      mockDb as Parameters<typeof enrichUser>[1]
+    );
     expect(result.roles).toContain("editor");
     expect(result.permissions).toContain("blog.edit");
+    expect(result.teamIds).toEqual([]);
   });
   it("should handle user with no roles", async () => {
     const mockDb = createMockDb({
       roles: [],
+      teams: [],
     });
-    const result = await enrichUser(baseUser, mockDb);
+    const result = await enrichUser(
+      baseUser,
+      mockDb as Parameters<typeof enrichUser>[1]
+    );
     expect(result.roles).toEqual([]);
     expect(result.permissions).toEqual([]);
+    expect(result.teamIds).toEqual([]);
+  });
+  it("should include multiple team memberships", async () => {
+    const mockDb = createMockDb({
+      roles: [{ roleId: "admin" }],
+      teams: [{ teamId: "team-1" }, { teamId: "team-2" }, { teamId: "team-3" }],
+    });
+    const result = await enrichUser(
+      baseUser,
+      mockDb as Parameters<typeof enrichUser>[1]
+    );
+    expect(result.teamIds).toHaveLength(3);
+    expect(result.teamIds).toContain("team-1");
+    expect(result.teamIds).toContain("team-2");
+    expect(result.teamIds).toContain("team-3");
   });
 });

package/src/utils/user.ts CHANGED Viewed

@@ -5,7 +5,7 @@ import type { RealUser } from "@checkstack/backend-api";
 import * as schema from "../schema";
 /**
- * Enriches a better-auth User with roles and permissions from the database.
+ * Enriches a better-auth User with roles, permissions, and team memberships from the database.
  * Returns a RealUser type for use in the RPC context.
  */
 export const enrichUser = async (
@@ -48,6 +48,13 @@ export const enrichUser = async (
     }
   }
+  // 3. Get Team memberships
+  const userTeams = await db
+    .select({ teamId: schema.userTeam.teamId })
+    .from(schema.userTeam)
+    .where(eq(schema.userTeam.userId, user.id));
+  const teamIds = userTeams.map((t) => t.teamId);
   return {
     // Spread user first to preserve additional properties
     ...user,
@@ -58,5 +65,6 @@ export const enrichUser = async (
     name: user.name,
     roles,
     permissions: [...permissions],
+    teamIds,
   };
 };