@goplusvn/core 0.1.6 → 0.1.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +13 -1
- package/package.json +1 -1
- package/src/auth/index.ts +10 -6
package/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,18 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
-
##
|
|
3
|
+
## 0.1.7 — auth hardening
|
|
4
|
+
|
|
5
|
+
Hardened `@goerp/core/auth` so the Vinh Hoa app (and others) can consolidate
|
|
6
|
+
their hand-copied RBAC clones onto core without regressing two safety behaviors:
|
|
7
|
+
|
|
8
|
+
- **Bypass is dev-only.** `BYPASS_AUTH` now requires `NODE_ENV !== "production"`,
|
|
9
|
+
so a `BYPASS_AUTH=1` env left set on a prod deploy can no longer disable all
|
|
10
|
+
permission checks.
|
|
11
|
+
- **Admin-before-empty-permissions.** `checkPermission` now evaluates the
|
|
12
|
+
admin-role bypass BEFORE the empty-permissions guard, so an admin who relies on
|
|
13
|
+
their role (no explicit permission rows) is no longer denied everything.
|
|
14
|
+
|
|
15
|
+
## 0.1.6 — platform foundation extraction
|
|
4
16
|
|
|
5
17
|
Promoted the cross-cutting platform layer out of the Vinh Hoa reference app into
|
|
6
18
|
core so every app inherits the same design system + infrastructure and only
|
package/package.json
CHANGED
package/src/auth/index.ts
CHANGED
|
@@ -43,8 +43,11 @@ export interface CrudPermissionResult {
|
|
|
43
43
|
// ============================================================================
|
|
44
44
|
|
|
45
45
|
const ADMIN_ROLE_CODE = "admin";
|
|
46
|
+
// Auth bypass is a DEV-ONLY escape hatch — never allow it in production, even if
|
|
47
|
+
// the env var is accidentally left set on a prod deploy.
|
|
46
48
|
const BYPASS_AUTH =
|
|
47
|
-
process.env.
|
|
49
|
+
process.env.NODE_ENV !== "production" &&
|
|
50
|
+
(process.env.BYPASS_AUTH === "true" || process.env.BYPASS_AUTH === "1");
|
|
48
51
|
|
|
49
52
|
// Action code mapping
|
|
50
53
|
const ACTION_CODES: Record<string, string> = {
|
|
@@ -186,11 +189,8 @@ export function checkPermission(
|
|
|
186
189
|
if (!session?.user) return false;
|
|
187
190
|
const user = session.user as ExtendedUser;
|
|
188
191
|
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
}
|
|
192
|
-
|
|
193
|
-
// Admin role bypass
|
|
192
|
+
// Admin role bypass — checked BEFORE the empty-permissions guard so an admin
|
|
193
|
+
// who relies on their role (no explicit permission rows) is not locked out.
|
|
194
194
|
if (
|
|
195
195
|
user.roles?.includes(ADMIN_ROLE_CODE) ||
|
|
196
196
|
user.roles?.includes("SUPER_ADMIN")
|
|
@@ -198,6 +198,10 @@ export function checkPermission(
|
|
|
198
198
|
return true;
|
|
199
199
|
}
|
|
200
200
|
|
|
201
|
+
if (!user.permissions || user.permissions.length === 0) {
|
|
202
|
+
return false;
|
|
203
|
+
}
|
|
204
|
+
|
|
201
205
|
return user.permissions.some(
|
|
202
206
|
(p) => p.resourceCode === resourceCode && p.actionCode === actionCode,
|
|
203
207
|
);
|