@checkstack/auth-backend 0.0.3 → 0.2.0

package/CHANGELOG.md CHANGED
@@ -1,5 +1,179 @@
1
1
  # @checkstack/auth-backend
2
2
 
3
+ ## 0.2.0
4
+
5
+ ### Minor Changes
6
+
7
+ - 9faec1f: # Unified AccessRule Terminology Refactoring
8
+
9
+ This release completes a comprehensive terminology refactoring from "permission" to "accessRule" across the entire codebase, establishing a consistent and modern access control vocabulary.
10
+
11
+ ## Changes
12
+
13
+ ### Core Infrastructure (`@checkstack/common`)
14
+
15
+ - Introduced `AccessRule` interface as the primary access control type
16
+ - Added `accessPair()` helper for creating read/manage access rule pairs
17
+ - Added `access()` builder for individual access rules
18
+ - Replaced `Permission` type with `AccessRule` throughout
19
+
20
+ ### API Changes
21
+
22
+ - `env.registerPermissions()` → `env.registerAccessRules()`
23
+ - `meta.permissions` → `meta.access` in RPC contracts
24
+ - `usePermission()` → `useAccess()` in frontend hooks
25
+ - Route `permission:` field → `accessRule:` field
26
+
27
+ ### UI Changes
28
+
29
+ - "Roles & Permissions" tab → "Roles & Access Rules"
30
+ - "You don't have permission..." → "You don't have access..."
31
+ - All permission-related UI text updated
32
+
33
+ ### Documentation & Templates
34
+
35
+ - Updated 18 documentation files with AccessRule terminology
36
+ - Updated 7 scaffolding templates with `accessPair()` pattern
37
+ - All code examples use new AccessRule API
38
+
39
+ ## Migration Guide
40
+
41
+ ### Backend Plugins
42
+
43
+ ```diff
44
+ - import { permissionList } from "./permissions";
45
+ - env.registerPermissions(permissionList);
46
+ + import { accessRules } from "./access";
47
+ + env.registerAccessRules(accessRules);
48
+ ```
49
+
50
+ ### RPC Contracts
51
+
52
+ ```diff
53
+ - .meta({ userType: "user", permissions: [permissions.read.id] })
54
+ + .meta({ userType: "user", access: [access.read] })
55
+ ```
56
+
57
+ ### Frontend Hooks
58
+
59
+ ```diff
60
+ - const canRead = accessApi.usePermission(permissions.read.id);
61
+ + const canRead = accessApi.useAccess(access.read);
62
+ ```
63
+
64
+ ### Routes
65
+
66
+ ```diff
67
+ - permission: permissions.entityRead.id,
68
+ + accessRule: access.read,
69
+ ```
70
+
71
+ ### Patch Changes
72
+
73
+ - 95eeec7: # Auto-login after credential registration
74
+
75
+ Users are now automatically logged in after successful registration when using the credential (email & password) authentication strategy.
76
+
77
+ ## Changes
78
+
79
+ ### Backend (`@checkstack/auth-backend`)
80
+
81
+ - Added `autoSignIn: true` to the `emailAndPassword` configuration in better-auth
82
+ - Users no longer need to manually log in after registration; a session is created immediately upon successful sign-up
83
+
84
+ ### Frontend (`@checkstack/auth-frontend`)
85
+
86
+ - Updated `RegisterPage` to use full page navigation after registration to ensure the session state refreshes correctly
87
+ - Updated `LoginPage` to use full page navigation after login to ensure fresh permissions state when switching between users
88
+
89
+ - Updated dependencies [9faec1f]
90
+ - Updated dependencies [827b286]
91
+ - Updated dependencies [f533141]
92
+ - Updated dependencies [aa4a8ab]
93
+ - @checkstack/auth-common@0.2.0
94
+ - @checkstack/backend-api@0.3.0
95
+ - @checkstack/command-backend@0.1.0
96
+ - @checkstack/common@0.2.0
97
+ - @checkstack/notification-common@0.1.0
98
+
99
+ ## 0.1.0
100
+
101
+ ### Minor Changes
102
+
103
+ - 8e43507: # Teams and Resource-Level Access Control
104
+
105
+ This release introduces a comprehensive Teams system for organizing users and controlling access to resources at a granular level.
106
+
107
+ ## Features
108
+
109
+ ### Team Management
110
+
111
+ - Create, update, and delete teams with name and description
112
+ - Add/remove users from teams
113
+ - Designate team managers with elevated privileges
114
+ - View team membership and manager status
115
+
116
+ ### Resource-Level Access Control
117
+
118
+ - Grant teams access to specific resources (systems, health checks, incidents, maintenances)
119
+ - Configure read-only or manage permissions per team
120
+ - Resource-level "Team Only" mode that restricts access exclusively to team members
121
+ - Separate `resourceAccessSettings` table for resource-level settings (not per-grant)
122
+ - Automatic cleanup of grants when teams are deleted (database cascade)
123
+
124
+ ### Middleware Integration
125
+
126
+ - Extended `autoAuthMiddleware` to support resource access checks
127
+ - Single-resource pre-handler validation for detail endpoints
128
+ - Automatic list filtering for collection endpoints
129
+ - S2S endpoints for access verification
130
+
131
+ ### Frontend Components
132
+
133
+ - `TeamsTab` component for managing teams in Auth Settings
134
+ - `TeamAccessEditor` component for assigning team access to resources
135
+ - Resource-level "Team Only" toggle in `TeamAccessEditor`
136
+ - Integration into System, Health Check, Incident, and Maintenance editors
137
+
138
+ ## Breaking Changes
139
+
140
+ ### API Response Format Changes
141
+
142
+ List endpoints now return objects with named keys instead of arrays directly:
143
+
144
+ ```typescript
145
+ // Before
146
+ const systems = await catalogApi.getSystems();
147
+
148
+ // After
149
+ const { systems } = await catalogApi.getSystems();
150
+ ```
151
+
152
+ Affected endpoints:
153
+
154
+ - `catalog.getSystems` → `{ systems: [...] }`
155
+ - `healthcheck.getConfigurations` → `{ configurations: [...] }`
156
+ - `incident.listIncidents` → `{ incidents: [...] }`
157
+ - `maintenance.listMaintenances` → `{ maintenances: [...] }`
158
+
159
+ ### User Identity Enrichment
160
+
161
+ `RealUser` and `ApplicationUser` types now include `teamIds: string[]` field with team memberships.
162
+
163
+ ## Documentation
164
+
165
+ See `docs/backend/teams.md` for complete API reference and integration guide.
166
+
167
+ ### Patch Changes
168
+
169
+ - Updated dependencies [97c5a6b]
170
+ - Updated dependencies [8e43507]
171
+ - @checkstack/backend-api@0.2.0
172
+ - @checkstack/auth-common@0.1.0
173
+ - @checkstack/common@0.1.0
174
+ - @checkstack/command-backend@0.0.4
175
+ - @checkstack/notification-common@0.0.4
176
+
3
177
  ## 0.0.3
4
178
 
5
179
  ### Patch Changes
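Review bot: The 95eeec7 entry under 0.2.0 says `autoSignIn: true` creates a session immediately upon successful sign-up, but does not say how this interacts with email verification. State in the entry whether an unverified address now receives a session, since that changes what registration alone grants. Separately, the 9faec1f entry renames public API (`env.registerPermissions()` → `env.registerAccessRules()`, `meta.permissions` → `meta.access`) yet is filed under Minor Changes with no Breaking Changes heading like the one 0.1.0 has; add one so consumers see that the migration guide applies to them. The `LoginPage` bullet also still says "fresh permissions state", which is inconsistent with the rename.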
@@ -0,0 +1,43 @@
1
+ CREATE TABLE "application_team" (
2
+ "application_id" text NOT NULL,
3
+ "team_id" text NOT NULL,
4
+ CONSTRAINT "application_team_application_id_team_id_pk" PRIMARY KEY("application_id","team_id")
5
+ );
6
+ --> statement-breakpoint
7
+ CREATE TABLE "resource_team_access" (
8
+ "resource_type" text NOT NULL,
9
+ "resource_id" text NOT NULL,
10
+ "team_id" text NOT NULL,
11
+ "team_only" boolean DEFAULT false NOT NULL,
12
+ "can_read" boolean DEFAULT true NOT NULL,
13
+ "can_manage" boolean DEFAULT false NOT NULL,
14
+ CONSTRAINT "resource_team_access_resource_type_resource_id_team_id_pk" PRIMARY KEY("resource_type","resource_id","team_id")
15
+ );
16
+ --> statement-breakpoint
17
+ CREATE TABLE "team" (
18
+ "id" text PRIMARY KEY NOT NULL,
19
+ "name" text NOT NULL,
20
+ "description" text,
21
+ "created_at" timestamp DEFAULT now() NOT NULL,
22
+ "updated_at" timestamp DEFAULT now() NOT NULL
23
+ );
24
+ --> statement-breakpoint
25
+ CREATE TABLE "team_manager" (
26
+ "team_id" text NOT NULL,
27
+ "user_id" text NOT NULL,
28
+ CONSTRAINT "team_manager_team_id_user_id_pk" PRIMARY KEY("team_id","user_id")
29
+ );
30
+ --> statement-breakpoint
31
+ CREATE TABLE "user_team" (
32
+ "user_id" text NOT NULL,
33
+ "team_id" text NOT NULL,
34
+ CONSTRAINT "user_team_user_id_team_id_pk" PRIMARY KEY("user_id","team_id")
35
+ );
36
+ --> statement-breakpoint
37
+ ALTER TABLE "application_team" ADD CONSTRAINT "application_team_application_id_application_id_fk" FOREIGN KEY ("application_id") REFERENCES "application"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
38
+ ALTER TABLE "application_team" ADD CONSTRAINT "application_team_team_id_team_id_fk" FOREIGN KEY ("team_id") REFERENCES "team"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
39
+ ALTER TABLE "resource_team_access" ADD CONSTRAINT "resource_team_access_team_id_team_id_fk" FOREIGN KEY ("team_id") REFERENCES "team"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
40
+ ALTER TABLE "team_manager" ADD CONSTRAINT "team_manager_team_id_team_id_fk" FOREIGN KEY ("team_id") REFERENCES "team"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
41
+ ALTER TABLE "team_manager" ADD CONSTRAINT "team_manager_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
42
+ ALTER TABLE "user_team" ADD CONSTRAINT "user_team_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
43
+ ALTER TABLE "user_team" ADD CONSTRAINT "user_team_team_id_team_id_fk" FOREIGN KEY ("team_id") REFERENCES "team"("id") ON DELETE cascade ON UPDATE no action;
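Review bot: In `resource_team_access`, `resource_type` and `resource_id` are plain `text` with no foreign key or CHECK, so only team deletion cascades. A grant row survives deletion of the resource it points at, and nothing rejects a mistyped `resource_type`. Either remove grants in the code that deletes resources or document that they must be purged, and consider a CHECK on `resource_type` limited to the supported types. Also, the primary keys on `user_team` and `resource_team_access` lead with `user_id` and `resource_type`, so the `team_id` cascade and any lookup by team have no supporting index; add one on `team_id`.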
@@ -0,0 +1,8 @@
1
+ CREATE TABLE "resource_access_settings" (
2
+ "resource_type" text NOT NULL,
3
+ "resource_id" text NOT NULL,
4
+ "team_only" boolean DEFAULT false NOT NULL,
5
+ CONSTRAINT "resource_access_settings_resource_type_resource_id_pk" PRIMARY KEY("resource_type","resource_id")
6
+ );
7
+ --> statement-breakpoint
8
+ ALTER TABLE "resource_team_access" DROP COLUMN "team_only";
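Review bot: `DROP COLUMN "team_only"` on `resource_team_access` discards existing values without copying them into the new `resource_access_settings` table, so a resource that had a grant with `team_only = true` falls back to `DEFAULT false`, the less restrictive state, after this migration. Add an `INSERT INTO "resource_access_settings" ... SELECT` for the rows where `team_only` is true ahead of the drop, or note in the changelog that the setting must be reapplied.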
@@ -0,0 +1,21 @@
1
+ ALTER TABLE "permission" RENAME TO "access_rule";--> statement-breakpoint
2
+ ALTER TABLE "disabled_default_permission" RENAME TO "disabled_default_access_rule";--> statement-breakpoint
3
+ ALTER TABLE "disabled_public_default_permission" RENAME TO "disabled_public_default_access_rule";--> statement-breakpoint
4
+ ALTER TABLE "role_permission" RENAME TO "role_access_rule";--> statement-breakpoint
5
+ ALTER TABLE "disabled_default_access_rule" RENAME COLUMN "permission_id" TO "access_rule_id";--> statement-breakpoint
6
+ ALTER TABLE "disabled_public_default_access_rule" RENAME COLUMN "permission_id" TO "access_rule_id";--> statement-breakpoint
7
+ ALTER TABLE "role_access_rule" RENAME COLUMN "permission_id" TO "access_rule_id";--> statement-breakpoint
8
+ ALTER TABLE "disabled_default_access_rule" DROP CONSTRAINT "disabled_default_permission_permission_id_permission_id_fk";
9
+ --> statement-breakpoint
10
+ ALTER TABLE "disabled_public_default_access_rule" DROP CONSTRAINT "disabled_public_default_permission_permission_id_permission_id_fk";
11
+ --> statement-breakpoint
12
+ ALTER TABLE "role_access_rule" DROP CONSTRAINT "role_permission_role_id_role_id_fk";
13
+ --> statement-breakpoint
14
+ ALTER TABLE "role_access_rule" DROP CONSTRAINT "role_permission_permission_id_permission_id_fk";
15
+ --> statement-breakpoint
16
+ ALTER TABLE "role_access_rule" DROP CONSTRAINT "role_permission_role_id_permission_id_pk";--> statement-breakpoint
17
+ ALTER TABLE "role_access_rule" ADD CONSTRAINT "role_access_rule_role_id_access_rule_id_pk" PRIMARY KEY("role_id","access_rule_id");--> statement-breakpoint
18
+ ALTER TABLE "disabled_default_access_rule" ADD CONSTRAINT "disabled_default_access_rule_access_rule_id_access_rule_id_fk" FOREIGN KEY ("access_rule_id") REFERENCES "access_rule"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
19
+ ALTER TABLE "disabled_public_default_access_rule" ADD CONSTRAINT "disabled_public_default_access_rule_access_rule_id_access_rule_id_fk" FOREIGN KEY ("access_rule_id") REFERENCES "access_rule"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
20
+ ALTER TABLE "role_access_rule" ADD CONSTRAINT "role_access_rule_role_id_role_id_fk" FOREIGN KEY ("role_id") REFERENCES "role"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
21
+ ALTER TABLE "role_access_rule" ADD CONSTRAINT "role_access_rule_access_rule_id_access_rule_id_fk" FOREIGN KEY ("access_rule_id") REFERENCES "access_rule"("id") ON DELETE no action ON UPDATE no action;
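Review bot: The recreated foreign keys on `role_access_rule`, `disabled_default_access_rule` and `disabled_public_default_access_rule` all use `ON DELETE no action`, whereas the team tables created elsewhere in this diff use `ON DELETE cascade`. Deleting a role or access rule will fail while rows still reference it, so confirm that is intended and that the delete paths remove child rows first, or switch to cascade. The `DROP CONSTRAINT` statements also assume the old constraint names exist exactly as written; `DROP CONSTRAINT IF EXISTS` would make the migration tolerant of databases where the names differ.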