@jskit-ai/users-core 0.1.4

package/src/server/workspaceMembers/workspaceMembersService.js

@@ -0,0 +1,210 @@
+import { buildInviteToken, hashInviteToken } from "@jskit-ai/auth-core/server/inviteTokens";
+import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
+import { OWNER_ROLE_ID, createWorkspaceRoleCatalog, cloneWorkspaceRoleCatalog } from "../../shared/roles.js";
+
+function createService({
+  workspaceMembershipsRepository,
+  workspaceInvitesRepository,
+  inviteExpiresInMs,
+  roleCatalog = null,
+  workspaceInvitationsEnabled = true
+} = {}) {
+  if (!workspaceMembershipsRepository || !workspaceInvitesRepository) {
+    throw new Error("workspaceMembersService requires membership and invite repositories.");
+  }
+  const resolvedInviteExpiresInMs = Number(inviteExpiresInMs);
+  if (!Number.isInteger(resolvedInviteExpiresInMs) || resolvedInviteExpiresInMs < 1) {
+    throw new Error("workspaceMembersService requires inviteExpiresInMs.");
+  }
+
+  const resolvedRoleCatalog = roleCatalog && typeof roleCatalog === "object" ? roleCatalog : createWorkspaceRoleCatalog();
+  const assignableRoleIds = Array.isArray(resolvedRoleCatalog.assignableRoleIds)
+    ? [...resolvedRoleCatalog.assignableRoleIds]
+    : [];
+  const resolvedWorkspaceInvitationsEnabled = workspaceInvitationsEnabled === true;
+
+  function ensureWorkspaceInvitationsEnabled() {
+    if (resolvedWorkspaceInvitationsEnabled) {
+      return;
+    }
+    throw new AppError(403, "Workspace invitations are disabled.");
+  }
+
+  function withRoleCatalog(payload = {}) {
+    return {
+      ...payload,
+      roleCatalog: cloneWorkspaceRoleCatalog({
+        ...resolvedRoleCatalog,
+        assignableRoleIds
+      })
+    };
+  }
+
+  async function listRoles(options = {}) {
+    return cloneWorkspaceRoleCatalog({
+      ...resolvedRoleCatalog,
+      assignableRoleIds
+    });
+  }
+
+  async function listMembersPayload(workspace, options = {}) {
+    const members = await workspaceMembershipsRepository.listActiveByWorkspaceId(workspace.id, options);
+
+    return withRoleCatalog({
+      workspace,
+      members
+    });
+  }
+
+  async function listMembers(workspace, options = {}) {
+    return listMembersPayload(workspace, options);
+  }
+
+  async function updateMemberRole(workspace, payload = {}, options = {}) {
+    const memberUserId = payload.memberUserId;
+    const roleId = payload.roleId;
+    if (!assignableRoleIds.includes(roleId)) {
+      throw new AppError(400, "Validation failed.", {
+        details: {
+          fieldErrors: {
+            roleId: "Role is not assignable."
+          }
+        }
+      });
+    }
+
+    const existingMembership = await workspaceMembershipsRepository.findByWorkspaceIdAndUserId(workspace.id, memberUserId, options);
+    if (!existingMembership || existingMembership.status !== "active") {
+      throw new AppError(404, "Member not found.");
+    }
+    if (Number(memberUserId) === Number(workspace.ownerUserId) || existingMembership.roleId === OWNER_ROLE_ID) {
+      throw new AppError(409, "Cannot change workspace owner role.");
+    }
+
+    await workspaceMembershipsRepository.upsertMembership(
+      workspace.id,
+      memberUserId,
+      {
+        roleId,
+        status: "active"
+      },
+      options
+    );
+
+    return listMembersPayload(workspace, options);
+  }
+
+  async function removeMember(workspace, payload = {}, options = {}) {
+    const memberUserId = payload.memberUserId;
+
+    const existingMembership = await workspaceMembershipsRepository.findByWorkspaceIdAndUserId(workspace.id, memberUserId, options);
+    if (!existingMembership || existingMembership.status !== "active") {
+      throw new AppError(404, "Member not found.");
+    }
+    if (Number(memberUserId) === Number(workspace.ownerUserId) || existingMembership.roleId === OWNER_ROLE_ID) {
+      throw new AppError(409, "Cannot remove workspace owner.");
+    }
+
+    await workspaceMembershipsRepository.upsertMembership(
+      workspace.id,
+      memberUserId,
+      {
+        roleId: existingMembership.roleId,
+        status: "revoked"
+      },
+      options
+    );
+
+    return listMembersPayload(workspace, options);
+  }
+
+  async function listInvitesPayload(workspace, options = {}) {
+    ensureWorkspaceInvitationsEnabled();
+    const invites = await workspaceInvitesRepository.listPendingByWorkspaceIdWithWorkspace(workspace.id, options);
+
+    return withRoleCatalog({
+      workspace,
+      invites
+    });
+  }
+
+  async function listInvites(workspace, options = {}) {
+    return listInvitesPayload(workspace, options);
+  }
+
+  async function createInvite(workspace, user, payload = {}, options = {}) {
+    const email = payload.email;
+    const roleId = payload.roleId;
+    if (!assignableRoleIds.includes(roleId)) {
+      throw new AppError(400, "Validation failed.", {
+        details: {
+          fieldErrors: {
+            roleId: "Role is not assignable."
+          }
+        }
+      });
+    }
+
+    const token = buildInviteToken();
+    const tokenHash = hashInviteToken(token);
+    await workspaceInvitesRepository.expirePendingByWorkspaceIdAndEmail(workspace.id, email, options);
+    const createdInvite = await workspaceInvitesRepository.insert(
+      {
+        workspaceId: workspace.id,
+        email,
+        roleId,
+        status: "pending",
+        tokenHash,
+        invitedByUserId: Number(user?.id || 0) || null,
+        expiresAt: new Date(Date.now() + resolvedInviteExpiresInMs).toISOString()
+      },
+      options
+    );
+    const createdInviteId = Number(createdInvite?.id);
+    if (!Number.isInteger(createdInviteId) || createdInviteId < 1) {
+      throw new Error("workspaceMembersService.createInvite expected repository to return created invite id.");
+    }
+
+    const response = await listInvitesPayload(workspace, options);
+    return {
+      ...response,
+      inviteTokenPreview: token,
+      createdInviteId
+    };
+  }
+
+  async function revokeInvite(workspace, inviteId, options = {}) {
+    const invite = await workspaceInvitesRepository.findPendingByIdForWorkspace(
+      inviteId,
+      workspace.id,
+      options
+    );
+    if (!invite) {
+      throw new AppError(404, "Invite not found.");
+    }
+
+    await workspaceInvitesRepository.revokeById(inviteId, options);
+    const revokedInviteId = Number(invite?.id);
+    if (!Number.isInteger(revokedInviteId) || revokedInviteId < 1) {
+      throw new Error("workspaceMembersService.revokeInvite expected repository to return pending invite id.");
+    }
+
+    const response = await listInvitesPayload(workspace, options);
+    return {
+      ...response,
+      revokedInviteId
+    };
+  }
+
+  return Object.freeze({
+    listRoles,
+    listMembers,
+    updateMemberRole,
+    removeMember,
+    listInvites,
+    createInvite,
+    revokeInvite
+  });
+}
+
+export { createService };

package/src/server/workspacePendingInvitations/bootWorkspacePendingInvitations.js

@@ -0,0 +1,63 @@
+import { withStandardErrorResponses } from "@jskit-ai/http-runtime/shared/validators/errorResponses";
+import { KERNEL_TOKENS } from "@jskit-ai/kernel/shared/support/tokens";
+import { workspaceMembersResource } from "../../shared/resources/workspaceMembersResource.js";
+import { workspacePendingInvitationsResource } from "../../shared/resources/workspacePendingInvitationsResource.js";
+
+function bootWorkspacePendingInvitations(app) {
+  if (!app || typeof app.make !== "function") {
+    throw new Error("bootWorkspacePendingInvitations requires application make().");
+  }
+
+  const router = app.make(KERNEL_TOKENS.HttpRouter);
+
+  router.register(
+    "GET",
+    "/api/workspace/invitations/pending",
+    {
+      auth: "required",
+      meta: {
+        tags: ["workspace"],
+        summary: "List pending workspace invitations for authenticated user"
+      },
+      responseValidators: withStandardErrorResponses({
+        200: workspacePendingInvitationsResource.operations.list.outputValidator
+      })
+    },
+    async function (request, reply) {
+      const response = await request.executeAction({
+        actionId: "workspace.invitations.pending.list"
+      });
+      reply.code(200).send(response);
+    }
+  );
+
+  router.register(
+    "POST",
+    "/api/workspace/invitations/redeem",
+    {
+      auth: "required",
+      meta: {
+        tags: ["workspace"],
+        summary: "Accept or refuse a workspace invitation using an invite token"
+      },
+      bodyValidator: workspaceMembersResource.operations.redeemInvite.bodyValidator,
+      responseValidators: withStandardErrorResponses(
+        {
+          200: workspaceMembersResource.operations.redeemInvite.outputValidator
+        },
+        { includeValidation400: true }
+      )
+    },
+    async function (request, reply) {
+      const response = await request.executeAction({
+        actionId: "workspace.invite.redeem",
+        input: {
+          payload: request.input.body
+        }
+      });
+      reply.code(200).send(response);
+    }
+  );
+}
+
+export { bootWorkspacePendingInvitations };

package/src/server/workspacePendingInvitations/registerWorkspacePendingInvitations.js

@@ -0,0 +1,128 @@
+import { withActionDefaults } from "@jskit-ai/kernel/shared/actions";
+import { createService } from "./workspacePendingInvitationsService.js";
+import { workspacePendingInvitationsActions } from "./workspacePendingInvitationsActions.js";
+import {
+  USERS_BOOTSTRAP_CHANGED_EVENT,
+  WORKSPACE_INVITES_CHANGED_EVENT,
+  WORKSPACE_MEMBERS_CHANGED_EVENT,
+  WORKSPACES_CHANGED_EVENT,
+  WORKSPACE_PENDING_INVITATIONS_CHANGED_EVENT
+} from "../../shared/events/usersEvents.js";
+import { deepFreeze } from "../common/support/deepFreeze.js";
+import {
+  USERS_WORKSPACE_PENDING_INVITATIONS_SERVICE_TOKEN
+} from "../common/diTokens.js";
+
+function workspaceAudienceFromEntityId({ event } = {}) {
+  const workspaceId = Number(event?.entityId);
+  if (!Number.isInteger(workspaceId) || workspaceId < 1) {
+    return "none";
+  }
+  return {
+    workspaceId
+  };
+}
+
+function actorUserEntityId({ options } = {}) {
+  return Number(options?.context?.actor?.id || 0);
+}
+
+function createActorUserEvent({ source, entity, realtimeEvent }) {
+  return {
+    type: "entity.changed",
+    source,
+    entity,
+    operation: "updated",
+    entityId: actorUserEntityId,
+    realtime: {
+      event: realtimeEvent,
+      audience: "actor_user"
+    }
+  };
+}
+
+function createWorkspaceAudienceEvent({ entity, realtimeEvent }) {
+  return {
+    type: "entity.changed",
+    source: "workspace",
+    entity,
+    operation: "updated",
+    entityId: ({ result }) => result?.workspaceId,
+    realtime: {
+      event: realtimeEvent,
+      audience: workspaceAudienceFromEntityId
+    }
+  };
+}
+
+function createInviteDecisionEvents({ includeDirectoryAndMembers = false } = {}) {
+  const events = [
+    createActorUserEvent({
+      source: "workspace",
+      entity: "invitation",
+      realtimeEvent: WORKSPACE_PENDING_INVITATIONS_CHANGED_EVENT
+    }),
+    createActorUserEvent({
+      source: "users",
+      entity: "bootstrap",
+      realtimeEvent: USERS_BOOTSTRAP_CHANGED_EVENT
+    })
+  ];
+
+  if (includeDirectoryAndMembers) {
+    events.push(
+      createActorUserEvent({
+        source: "workspace",
+        entity: "directory",
+        realtimeEvent: WORKSPACES_CHANGED_EVENT
+      }),
+      createWorkspaceAudienceEvent({
+        entity: "member",
+        realtimeEvent: WORKSPACE_MEMBERS_CHANGED_EVENT
+      })
+    );
+  }
+
+  events.push(
+    createWorkspaceAudienceEvent({
+      entity: "invite",
+      realtimeEvent: WORKSPACE_INVITES_CHANGED_EVENT
+    })
+  );
+
+  return events;
+}
+
+function registerWorkspacePendingInvitations(app) {
+  if (!app || typeof app.singleton !== "function" || typeof app.service !== "function" || typeof app.actions !== "function") {
+    throw new Error("registerWorkspacePendingInvitations requires application singleton()/service()/actions().");
+  }
+
+  app.service(
+    USERS_WORKSPACE_PENDING_INVITATIONS_SERVICE_TOKEN,
+    (scope) =>
+      createService({
+        workspaceInvitesRepository: scope.make("workspaceInvitesRepository"),
+        workspaceMembershipsRepository: scope.make("workspaceMembershipsRepository")
+      }),
+    {
+      events: deepFreeze({
+        acceptInviteByToken: createInviteDecisionEvents({
+          includeDirectoryAndMembers: true
+        }),
+        refuseInviteByToken: createInviteDecisionEvents()
+      })
+    }
+  );
+
+  app.actions(
+    withActionDefaults(workspacePendingInvitationsActions, {
+      domain: "workspace",
+      dependencies: {
+        workspacePendingInvitationsService: USERS_WORKSPACE_PENDING_INVITATIONS_SERVICE_TOKEN
+      }
+    })
+  );
+}
+
+export { registerWorkspacePendingInvitations };

package/src/server/workspacePendingInvitations/workspacePendingInvitationsActions.js

@@ -0,0 +1,74 @@
+import {
+  EMPTY_INPUT_VALIDATOR
+} from "@jskit-ai/kernel/shared/actions/actionContributorHelpers";
+import { workspaceMembersResource } from "../../shared/resources/workspaceMembersResource.js";
+import { workspacePendingInvitationsResource } from "../../shared/resources/workspacePendingInvitationsResource.js";
+import { resolveActionUser } from "../common/support/resolveActionUser.js";
+
+const workspacePendingInvitationsActions = Object.freeze([
+  {
+    id: "workspace.invitations.pending.list",
+    version: 1,
+    kind: "query",
+    channels: ["api", "automation", "internal"],
+    surfacesFrom: "enabled",
+    permission: {
+      require: "authenticated"
+    },
+    inputValidator: EMPTY_INPUT_VALIDATOR,
+    outputValidator: workspacePendingInvitationsResource.operations.list.outputValidator,
+    idempotency: "none",
+    audit: {
+      actionName: "workspace.invitations.pending.list"
+    },
+    observability: {},
+    async execute(input, context, deps) {
+      return {
+        pendingInvites: await deps.workspacePendingInvitationsService.listPendingInvitesForUser(resolveActionUser(context, input), {
+          context
+        })
+      };
+    }
+  },
+  {
+    id: "workspace.invite.redeem",
+    version: 1,
+    kind: "command",
+    channels: ["api", "automation", "internal"],
+    surfacesFrom: "enabled",
+    permission: {
+      require: "authenticated"
+    },
+    inputValidator: {
+      payload: workspaceMembersResource.operations.redeemInvite.bodyValidator
+    },
+    outputValidator: workspaceMembersResource.operations.redeemInvite.outputValidator,
+    idempotency: "optional",
+    audit: {
+      actionName: "workspace.invite.redeem"
+    },
+    observability: {},
+    async execute(input, context, deps) {
+      const payload = input.payload || {};
+      const user = resolveActionUser(context, input);
+
+      if (payload.decision === "accept") {
+        return deps.workspacePendingInvitationsService.acceptInviteByToken({
+          user,
+          token: payload.token
+        }, {
+          context
+        });
+      }
+
+      return deps.workspacePendingInvitationsService.refuseInviteByToken({
+        user,
+        token: payload.token
+      }, {
+        context
+      });
+    }
+  }
+]);
+
+export { workspacePendingInvitationsActions };

package/src/server/workspacePendingInvitations/workspacePendingInvitationsService.js

@@ -0,0 +1,137 @@
+import { resolveInviteTokenHash } from "@jskit-ai/auth-core/server/inviteTokens";
+import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
+import { normalizeLowerText, normalizeText } from "@jskit-ai/kernel/shared/actions/textNormalization";
+import { authenticatedUserValidator } from "../common/validators/authenticatedUserValidator.js";
+
+function createService({
+  workspaceInvitesRepository,
+  workspaceMembershipsRepository
+} = {}) {
+  if (!workspaceInvitesRepository || !workspaceMembershipsRepository) {
+    throw new Error("workspacePendingInvitationsService requires invite and membership repositories.");
+  }
+
+  function requireAuthenticatedInviteUser(user) {
+    const normalizedUser = authenticatedUserValidator.normalize(user);
+    if (!normalizedUser) {
+      throw new AppError(401, "Authentication required.");
+    }
+
+    return normalizedUser;
+  }
+
+  function requireInviteTokenHash(token) {
+    const normalizedToken = normalizeText(token);
+    if (!normalizedToken) {
+      throw new AppError(400, "Invite token is required.");
+    }
+
+    const tokenHash = resolveInviteTokenHash(normalizedToken);
+    if (!tokenHash) {
+      throw new AppError(400, "Invite token is invalid.");
+    }
+
+    return tokenHash;
+  }
+
+  async function requirePendingInviteForUserByToken(user, token, options = {}) {
+    const normalizedUser = requireAuthenticatedInviteUser(user);
+    const tokenHash = requireInviteTokenHash(token);
+
+    const invite = await workspaceInvitesRepository.findPendingByTokenHash(tokenHash, options);
+    if (!invite) {
+      throw new AppError(404, "Invitation not found or already handled.");
+    }
+
+    if (normalizeLowerText(invite.email) !== normalizedUser.email) {
+      throw new AppError(403, "Invitation email does not match authenticated user.");
+    }
+
+    return {
+      user: normalizedUser,
+      invite
+    };
+  }
+
+  async function revokeExpiredInviteAndThrow(invite, options = {}) {
+    if (invite.expiresAt && new Date(invite.expiresAt).getTime() < Date.now()) {
+      await workspaceInvitesRepository.revokeById(invite.id, options);
+      throw new AppError(409, "Invitation has expired.");
+    }
+  }
+
+  async function listPendingInvitesForUser(user, options = {}) {
+    const normalizedUser = requireAuthenticatedInviteUser(user);
+    if (!normalizedUser.email) {
+      return [];
+    }
+
+    return workspaceInvitesRepository.listPendingByEmail(normalizedUser.email, options);
+  }
+
+  function requireWorkspaceIdFromInvite(invite, methodName = "workspacePendingInvitationsService") {
+    const workspaceId = Number(invite?.workspaceId);
+    if (!Number.isInteger(workspaceId) || workspaceId < 1) {
+      throw new Error(`${methodName} expected invite workspace id.`);
+    }
+    return workspaceId;
+  }
+
+  async function resolveInviteActionInput(user, token, options = {}, methodName = "workspacePendingInvitationsService") {
+    const resolvedInvite = await requirePendingInviteForUserByToken(user, token, options);
+    await revokeExpiredInviteAndThrow(resolvedInvite.invite, options);
+
+    return {
+      resolvedInvite,
+      workspaceId: requireWorkspaceIdFromInvite(resolvedInvite.invite, methodName)
+    };
+  }
+
+  async function acceptInviteByToken({ user, token } = {}, options = {}) {
+    const { resolvedInvite, workspaceId } = await resolveInviteActionInput(
+      user,
+      token,
+      options,
+      "workspacePendingInvitationsService.acceptInviteByToken"
+    );
+
+    await workspaceMembershipsRepository.upsertMembership(
+      workspaceId,
+      resolvedInvite.user.id,
+      {
+        roleId: resolvedInvite.invite.roleId,
+        status: "active"
+      },
+      options
+    );
+    await workspaceInvitesRepository.markAcceptedById(resolvedInvite.invite.id, options);
+
+    return {
+      decision: "accepted",
+      workspaceId
+    };
+  }
+
+  async function refuseInviteByToken({ user, token } = {}, options = {}) {
+    const { resolvedInvite, workspaceId } = await resolveInviteActionInput(
+      user,
+      token,
+      options,
+      "workspacePendingInvitationsService.refuseInviteByToken"
+    );
+    await workspaceInvitesRepository.revokeById(resolvedInvite.invite.id, options);
+
+    return {
+      decision: "refused",
+      workspaceId
+    };
+  }
+
+  return Object.freeze({
+    listPendingInvitesForUser,
+    acceptInviteByToken,
+    refuseInviteByToken
+  });
+}
+
+export { createService };

package/src/server/workspaceSettings/bootWorkspaceSettings.js

@@ -0,0 +1,77 @@
+import { withStandardErrorResponses } from "@jskit-ai/http-runtime/shared/validators/errorResponses";
+import { KERNEL_TOKENS } from "@jskit-ai/kernel/shared/support/tokens";
+import { workspaceSettingsResource } from "../../shared/resources/workspaceSettingsResource.js";
+import { resolveWorkspaceRoutePath } from "../common/support/workspaceRoutePaths.js";
+import { workspaceSlugParamsValidator } from "../common/validators/routeParamsValidator.js";
+import { resolveDefaultWorkspaceRouteSurfaceIdFromAppConfig } from "../support/workspaceActionSurfaces.js";
+
+function bootWorkspaceSettings(app) {
+  if (!app || typeof app.make !== "function") {
+    throw new Error("bootWorkspaceSettings requires application make().");
+  }
+
+  const router = app.make(KERNEL_TOKENS.HttpRouter);
+  const appConfig = typeof app.has === "function" && app.has("appConfig") ? app.make("appConfig") : {};
+  const workspaceRouteSurfaceId = resolveDefaultWorkspaceRouteSurfaceIdFromAppConfig(appConfig);
+
+  router.register(
+    "GET",
+    resolveWorkspaceRoutePath("/settings"),
+    {
+      auth: "required",
+      surface: workspaceRouteSurfaceId,
+      visibility: "workspace",
+      meta: {
+        tags: ["workspace"],
+        summary: "Get workspace settings and role catalog by workspace slug"
+      },
+      paramsValidator: workspaceSlugParamsValidator,
+      responseValidators: withStandardErrorResponses({
+        200: workspaceSettingsResource.operations.view.outputValidator
+      })
+    },
+    async function (request, reply) {
+      const response = await request.executeAction({
+        actionId: "workspace.settings.read",
+        input: {
+          workspaceSlug: request.input.params.workspaceSlug
+        }
+      });
+      reply.code(200).send(response);
+    }
+  );
+
+  router.register(
+    "PATCH",
+    resolveWorkspaceRoutePath("/settings"),
+    {
+      auth: "required",
+      surface: workspaceRouteSurfaceId,
+      visibility: "workspace",
+      meta: {
+        tags: ["workspace"],
+        summary: "Update workspace settings by workspace slug"
+      },
+      paramsValidator: workspaceSlugParamsValidator,
+      bodyValidator: workspaceSettingsResource.operations.patch.bodyValidator,
+      responseValidators: withStandardErrorResponses(
+        {
+          200: workspaceSettingsResource.operations.patch.outputValidator
+        },
+        { includeValidation400: true }
+      )
+    },
+    async function (request, reply) {
+      const response = await request.executeAction({
+        actionId: "workspace.settings.update",
+        input: {
+          workspaceSlug: request.input.params.workspaceSlug,
+          patch: request.input.body
+        }
+      });
+      reply.code(200).send(response);
+    }
+  );
+}
+
+export { bootWorkspaceSettings };