@checkstack/auth-backend 0.0.3 → 0.1.0

package/drizzle/meta/_journal.json

@@ -15,6 +15,20 @@
       "when": 1767621359670,
       "tag": "0001_certain_madame_hydra",
       "breakpoints": true
+    },
+    {
+      "idx": 2,
+      "version": "7",
+      "when": 1768325932660,
+      "tag": "0002_lowly_squirrel_girl",
+      "breakpoints": true
+    },
+    {
+      "idx": 3,
+      "version": "7",
+      "when": 1768332454744,
+      "tag": "0003_tranquil_sally_floyd",
+      "breakpoints": true
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/auth-backend",
-  "version": "0.0.3",
+  "version": "0.1.0",
   "type": "module",
   "main": "src/index.ts",
   "scripts": {

package/src/index.ts

@@ -402,6 +402,15 @@ export default createBackendPlugin({
                     ];
                   }
 
+                  // Get team memberships for this application
+                  const appTeams = await db
+                    .select({ teamId: schema.applicationTeam.teamId })
+                    .from(schema.applicationTeam)
+                    .where(
+                      eq(schema.applicationTeam.applicationId, applicationId)
+                    );
+                  const teamIds = appTeams.map((t) => t.teamId);
+
                   // Return ApplicationUser
                   return {
                     type: "application" as const,
@@ -409,6 +418,7 @@ export default createBackendPlugin({
                     name: app.name,
                     roles: roleIds,
                     permissions,
+                    teamIds,
                   };
                 }
               }

package/src/router.ts

@@ -1016,6 +1016,423 @@ export const createAuthRouter = (
     }
   );
 
+  // ==========================================================================
+  // TEAM MANAGEMENT HANDLERS
+  // ==========================================================================
+
+  const getTeams = os.getTeams.handler(async ({ context }) => {
+    const teams = await internalDb.select().from(schema.team);
+    const memberCounts = await internalDb
+      .select({ teamId: schema.userTeam.teamId })
+      .from(schema.userTeam);
+
+    const userId = isRealUser(context.user) ? context.user.id : undefined;
+    const managerRows = userId
+      ? await internalDb
+          .select()
+          .from(schema.teamManager)
+          .where(eq(schema.teamManager.userId, userId))
+      : [];
+    const managedTeamIds = new Set(managerRows.map((m) => m.teamId));
+
+    return teams.map((t) => ({
+      id: t.id,
+      name: t.name,
+      description: t.description,
+      memberCount: memberCounts.filter((m) => m.teamId === t.id).length,
+      isManager: managedTeamIds.has(t.id),
+    }));
+  });
+
+  const getTeam = os.getTeam.handler(async ({ input }) => {
+    const teams = await internalDb
+      .select()
+      .from(schema.team)
+      .where(eq(schema.team.id, input.teamId))
+      .limit(1);
+    if (teams.length === 0) return;
+
+    const team = teams[0];
+    const memberRows = await internalDb
+      .select({ userId: schema.userTeam.userId })
+      .from(schema.userTeam)
+      .where(eq(schema.userTeam.teamId, team.id));
+    const managerRows = await internalDb
+      .select({ userId: schema.teamManager.userId })
+      .from(schema.teamManager)
+      .where(eq(schema.teamManager.teamId, team.id));
+
+    const userIds = [
+      ...new Set([
+        ...memberRows.map((m) => m.userId),
+        ...managerRows.map((m) => m.userId),
+      ]),
+    ];
+    const users =
+      userIds.length > 0
+        ? await internalDb
+            .select({
+              id: schema.user.id,
+              name: schema.user.name,
+              email: schema.user.email,
+            })
+            .from(schema.user)
+            .where(inArray(schema.user.id, userIds))
+        : [];
+    const userMap = new Map(users.map((u) => [u.id, u]));
+
+    return {
+      id: team.id,
+      name: team.name,
+      description: team.description,
+      members: memberRows
+        .map((m) => userMap.get(m.userId))
+        .filter((u): u is NonNullable<typeof u> => u !== undefined),
+      managers: managerRows
+        .map((m) => userMap.get(m.userId))
+        .filter((u): u is NonNullable<typeof u> => u !== undefined),
+    };
+  });
+
+  const createTeam = os.createTeam.handler(async ({ input, context }) => {
+    const id = crypto.randomUUID();
+    const now = new Date();
+    await internalDb.insert(schema.team).values({
+      id,
+      name: input.name,
+      description: input.description,
+      createdAt: now,
+      updatedAt: now,
+    });
+    context.logger.info(`[auth-backend] Created team: ${input.name}`);
+    return { id };
+  });
+
+  const updateTeam = os.updateTeam.handler(async ({ input, context }) => {
+    const { id, name, description } = input;
+    // TODO: Check if user is manager or has teamsManage permission
+    const updates: {
+      name?: string;
+      description?: string | null;
+      updatedAt: Date;
+    } = {
+      updatedAt: new Date(),
+    };
+    if (name !== undefined) updates.name = name;
+    if (description !== undefined) updates.description = description;
+    await internalDb
+      .update(schema.team)
+      .set(updates)
+      .where(eq(schema.team.id, id));
+    context.logger.info(`[auth-backend] Updated team: ${id}`);
+  });
+
+  const deleteTeam = os.deleteTeam.handler(async ({ input: id, context }) => {
+    await internalDb.transaction(async (tx) => {
+      await tx.delete(schema.userTeam).where(eq(schema.userTeam.teamId, id));
+      await tx
+        .delete(schema.teamManager)
+        .where(eq(schema.teamManager.teamId, id));
+      await tx
+        .delete(schema.applicationTeam)
+        .where(eq(schema.applicationTeam.teamId, id));
+      await tx
+        .delete(schema.resourceTeamAccess)
+        .where(eq(schema.resourceTeamAccess.teamId, id));
+      await tx.delete(schema.team).where(eq(schema.team.id, id));
+    });
+    context.logger.info(`[auth-backend] Deleted team: ${id}`);
+  });
+
+  const addUserToTeam = os.addUserToTeam.handler(async ({ input }) => {
+    await internalDb
+      .insert(schema.userTeam)
+      .values({ userId: input.userId, teamId: input.teamId })
+      .onConflictDoNothing();
+  });
+
+  const removeUserFromTeam = os.removeUserFromTeam.handler(
+    async ({ input }) => {
+      await internalDb
+        .delete(schema.userTeam)
+        .where(
+          and(
+            eq(schema.userTeam.userId, input.userId),
+            eq(schema.userTeam.teamId, input.teamId)
+          )
+        );
+    }
+  );
+
+  const addTeamManager = os.addTeamManager.handler(async ({ input }) => {
+    await internalDb
+      .insert(schema.teamManager)
+      .values({ userId: input.userId, teamId: input.teamId })
+      .onConflictDoNothing();
+  });
+
+  const removeTeamManager = os.removeTeamManager.handler(async ({ input }) => {
+    await internalDb
+      .delete(schema.teamManager)
+      .where(
+        and(
+          eq(schema.teamManager.userId, input.userId),
+          eq(schema.teamManager.teamId, input.teamId)
+        )
+      );
+  });
+
+  const getResourceTeamAccess = os.getResourceTeamAccess.handler(
+    async ({ input }) => {
+      const rows = await internalDb
+        .select()
+        .from(schema.resourceTeamAccess)
+        .innerJoin(
+          schema.team,
+          eq(schema.resourceTeamAccess.teamId, schema.team.id)
+        )
+        .where(
+          and(
+            eq(schema.resourceTeamAccess.resourceType, input.resourceType),
+            eq(schema.resourceTeamAccess.resourceId, input.resourceId)
+          )
+        );
+      return rows.map((r) => ({
+        teamId: r.resource_team_access.teamId,
+        teamName: r.team.name,
+        canRead: r.resource_team_access.canRead,
+        canManage: r.resource_team_access.canManage,
+      }));
+    }
+  );
+
+  const setResourceTeamAccess = os.setResourceTeamAccess.handler(
+    async ({ input }) => {
+      const { resourceType, resourceId, teamId, canRead, canManage } = input;
+      await internalDb
+        .insert(schema.resourceTeamAccess)
+        .values({
+          resourceType,
+          resourceId,
+          teamId,
+          canRead: canRead ?? true,
+          canManage: canManage ?? false,
+        })
+        .onConflictDoUpdate({
+          target: [
+            schema.resourceTeamAccess.resourceType,
+            schema.resourceTeamAccess.resourceId,
+            schema.resourceTeamAccess.teamId,
+          ],
+          set: {
+            canRead: canRead ?? true,
+            canManage: canManage ?? false,
+          },
+        });
+    }
+  );
+
+  const removeResourceTeamAccess = os.removeResourceTeamAccess.handler(
+    async ({ input }) => {
+      await internalDb
+        .delete(schema.resourceTeamAccess)
+        .where(
+          and(
+            eq(schema.resourceTeamAccess.resourceType, input.resourceType),
+            eq(schema.resourceTeamAccess.resourceId, input.resourceId),
+            eq(schema.resourceTeamAccess.teamId, input.teamId)
+          )
+        );
+    }
+  );
+
+  // Resource-level access settings
+  const getResourceAccessSettings = os.getResourceAccessSettings.handler(
+    async ({ input }) => {
+      const rows = await internalDb
+        .select()
+        .from(schema.resourceAccessSettings)
+        .where(
+          and(
+            eq(schema.resourceAccessSettings.resourceType, input.resourceType),
+            eq(schema.resourceAccessSettings.resourceId, input.resourceId)
+          )
+        )
+        .limit(1);
+      return { teamOnly: rows[0]?.teamOnly ?? false };
+    }
+  );
+
+  const setResourceAccessSettings = os.setResourceAccessSettings.handler(
+    async ({ input }) => {
+      const { resourceType, resourceId, teamOnly } = input;
+      await internalDb
+        .insert(schema.resourceAccessSettings)
+        .values({ resourceType, resourceId, teamOnly })
+        .onConflictDoUpdate({
+          target: [
+            schema.resourceAccessSettings.resourceType,
+            schema.resourceAccessSettings.resourceId,
+          ],
+          set: { teamOnly },
+        });
+    }
+  );
+
+  // S2S Endpoints for middleware
+  const checkResourceTeamAccess = os.checkResourceTeamAccess.handler(
+    async ({ input }) => {
+      const {
+        userId,
+        userType,
+        resourceType,
+        resourceId,
+        action,
+        hasGlobalPermission,
+      } = input;
+
+      const grants = await internalDb
+        .select()
+        .from(schema.resourceTeamAccess)
+        .where(
+          and(
+            eq(schema.resourceTeamAccess.resourceType, resourceType),
+            eq(schema.resourceTeamAccess.resourceId, resourceId)
+          )
+        );
+
+      // No grants = global permission applies
+      if (grants.length === 0) return { hasAccess: hasGlobalPermission };
+
+      // Check resource-level settings for teamOnly
+      const settingsRows = await internalDb
+        .select()
+        .from(schema.resourceAccessSettings)
+        .where(
+          and(
+            eq(schema.resourceAccessSettings.resourceType, resourceType),
+            eq(schema.resourceAccessSettings.resourceId, resourceId)
+          )
+        )
+        .limit(1);
+      const isTeamOnly = settingsRows[0]?.teamOnly ?? false;
+
+      if (!isTeamOnly && hasGlobalPermission) return { hasAccess: true };
+
+      // Get user's teams
+      const teamTable =
+        userType === "user" ? schema.userTeam : schema.applicationTeam;
+      const userIdCol =
+        userType === "user"
+          ? schema.userTeam.userId
+          : schema.applicationTeam.applicationId;
+      const userTeams = await internalDb
+        .select({
+          teamId:
+            userType === "user"
+              ? schema.userTeam.teamId
+              : schema.applicationTeam.teamId,
+        })
+        .from(teamTable)
+        .where(eq(userIdCol, userId));
+      const userTeamIds = new Set(userTeams.map((t) => t.teamId));
+
+      const field = action === "manage" ? "canManage" : "canRead";
+      const hasAccess = grants.some(
+        (g) => userTeamIds.has(g.teamId) && g[field]
+      );
+      return { hasAccess };
+    }
+  );
+
+  const getAccessibleResourceIds = os.getAccessibleResourceIds.handler(
+    async ({ input }) => {
+      const {
+        userId,
+        userType,
+        resourceType,
+        resourceIds,
+        action,
+        hasGlobalPermission,
+      } = input;
+      if (resourceIds.length === 0) return [];
+
+      // Get all grants for these resources
+      const grants = await internalDb
+        .select()
+        .from(schema.resourceTeamAccess)
+        .where(
+          and(
+            eq(schema.resourceTeamAccess.resourceType, resourceType),
+            inArray(schema.resourceTeamAccess.resourceId, resourceIds)
+          )
+        );
+
+      // Get resource-level settings for teamOnly
+      const settingsRows = await internalDb
+        .select()
+        .from(schema.resourceAccessSettings)
+        .where(
+          and(
+            eq(schema.resourceAccessSettings.resourceType, resourceType),
+            inArray(schema.resourceAccessSettings.resourceId, resourceIds)
+          )
+        );
+      const teamOnlyByResource = new Map(
+        settingsRows.map((s) => [s.resourceId, s.teamOnly])
+      );
+
+      // Get user's teams
+      const teamTable =
+        userType === "user" ? schema.userTeam : schema.applicationTeam;
+      const userIdCol =
+        userType === "user"
+          ? schema.userTeam.userId
+          : schema.applicationTeam.applicationId;
+      const userTeams = await internalDb
+        .select({
+          teamId:
+            userType === "user"
+              ? schema.userTeam.teamId
+              : schema.applicationTeam.teamId,
+        })
+        .from(teamTable)
+        .where(eq(userIdCol, userId));
+      const userTeamIds = new Set(userTeams.map((t) => t.teamId));
+
+      const field = action === "manage" ? "canManage" : "canRead";
+      const grantsByResource = new Map<string, typeof grants>();
+      for (const g of grants) {
+        const existing = grantsByResource.get(g.resourceId) || [];
+        existing.push(g);
+        grantsByResource.set(g.resourceId, existing);
+      }
+
+      return resourceIds.filter((id) => {
+        const resourceGrants = grantsByResource.get(id) || [];
+        if (resourceGrants.length === 0) return hasGlobalPermission;
+        const isTeamOnly = teamOnlyByResource.get(id) ?? false;
+        if (!isTeamOnly && hasGlobalPermission) return true;
+        return resourceGrants.some(
+          (g) => userTeamIds.has(g.teamId) && g[field]
+        );
+      });
+    }
+  );
+
+  const deleteResourceGrants = os.deleteResourceGrants.handler(
+    async ({ input }) => {
+      await internalDb
+        .delete(schema.resourceTeamAccess)
+        .where(
+          and(
+            eq(schema.resourceTeamAccess.resourceType, input.resourceType),
+            eq(schema.resourceTeamAccess.resourceId, input.resourceId)
+          )
+        );
+    }
+  );
+
   return os.router({
     getEnabledStrategies,
     permissions,
@@ -1045,6 +1462,24 @@ export const createAuthRouter = (
     updateApplication,
     deleteApplication,
     regenerateApplicationSecret,
+    // Teams
+    getTeams,
+    getTeam,
+    createTeam,
+    updateTeam,
+    deleteTeam,
+    addUserToTeam,
+    removeUserFromTeam,
+    addTeamManager,
+    removeTeamManager,
+    getResourceTeamAccess,
+    setResourceTeamAccess,
+    removeResourceTeamAccess,
+    getResourceAccessSettings,
+    setResourceAccessSettings,
+    checkResourceTeamAccess,
+    getAccessibleResourceIds,
+    deleteResourceGrants,
   });
 };
 

package/src/schema.ts

@@ -171,3 +171,110 @@ export const applicationRole = pgTable(
     pk: primaryKey({ columns: [t.applicationId, t.roleId] }),
   })
 );
+
+// --- Teams Schema ---
+
+/**
+ * Teams for resource-level access control.
+ * Users can be members of multiple teams, and resources can be scoped to teams.
+ */
+export const team = pgTable("team", {
+  id: text("id").primaryKey(),
+  name: text("name").notNull(),
+  description: text("description"),
+  createdAt: timestamp("created_at").notNull().defaultNow(),
+  updatedAt: timestamp("updated_at").notNull().defaultNow(),
+});
+
+/**
+ * User-to-Team membership (M:N).
+ * Users can belong to multiple teams.
+ */
+export const userTeam = pgTable(
+  "user_team",
+  {
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    teamId: text("team_id")
+      .notNull()
+      .references(() => team.id, { onDelete: "cascade" }),
+  },
+  (t) => ({
+    pk: primaryKey({ columns: [t.userId, t.teamId] }),
+  })
+);
+
+/**
+ * Application-to-Team membership (M:N).
+ * API keys can belong to teams for resource access.
+ */
+export const applicationTeam = pgTable(
+  "application_team",
+  {
+    applicationId: text("application_id")
+      .notNull()
+      .references(() => application.id, { onDelete: "cascade" }),
+    teamId: text("team_id")
+      .notNull()
+      .references(() => team.id, { onDelete: "cascade" }),
+  },
+  (t) => ({
+    pk: primaryKey({ columns: [t.applicationId, t.teamId] }),
+  })
+);
+
+/**
+ * Team managers - users who can manage a specific team's membership and resource access.
+ * Team managers cannot delete the team or manage other teams.
+ */
+export const teamManager = pgTable(
+  "team_manager",
+  {
+    teamId: text("team_id")
+      .notNull()
+      .references(() => team.id, { onDelete: "cascade" }),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+  },
+  (t) => ({
+    pk: primaryKey({ columns: [t.teamId, t.userId] }),
+  })
+);
+
+/**
+ * Resource-level access settings.
+ * Controls whether a resource requires team membership (teamOnly) vs allowing global permissions.
+ */
+export const resourceAccessSettings = pgTable(
+  "resource_access_settings",
+  {
+    resourceType: text("resource_type").notNull(), // e.g., "catalog.system"
+    resourceId: text("resource_id").notNull(),
+    teamOnly: boolean("team_only").notNull().default(false), // If true, global permissions don't apply
+  },
+  (t) => ({
+    pk: primaryKey({ columns: [t.resourceType, t.resourceId] }),
+  })
+);
+
+/**
+ * Centralized resource-level access control.
+ * Stores team grants for all resource types across the platform.
+ */
+export const resourceTeamAccess = pgTable(
+  "resource_team_access",
+  {
+    resourceType: text("resource_type").notNull(), // e.g., "catalog.system"
+    resourceId: text("resource_id").notNull(),
+    teamId: text("team_id")
+      .notNull()
+      .references(() => team.id, { onDelete: "cascade" }),
+    canRead: boolean("can_read").notNull().default(true),
+    canManage: boolean("can_manage").notNull().default(false),
+  },
+  (t) => ({
+    pk: primaryKey({ columns: [t.resourceType, t.resourceId, t.teamId] }),
+  })
+);