@jskit-ai/users-core 0.1.48 → 0.1.50

package/src/server/workspaceMembers/workspaceMembersService.js

@@ -1,222 +0,0 @@
-import { normalizeRecordId } from "@jskit-ai/kernel/shared/support/normalize";
-import { buildInviteToken, hashInviteToken } from "@jskit-ai/auth-core/server/inviteTokens";
-import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
-import { OWNER_ROLE_ID, createWorkspaceRoleCatalog, cloneWorkspaceRoleCatalog } from "../../shared/roles.js";
-
-function createService({
-  workspaceMembershipsRepository,
-  workspaceInvitesRepository,
-  inviteExpiresInMs,
-  roleCatalog = null,
-  workspaceInvitationsEnabled = true
-} = {}) {
-  if (!workspaceMembershipsRepository || !workspaceInvitesRepository) {
-    throw new Error("workspaceMembersService requires membership and invite repositories.");
-  }
-  const resolvedInviteExpiresInMs = Number(inviteExpiresInMs);
-  if (!Number.isInteger(resolvedInviteExpiresInMs) || resolvedInviteExpiresInMs < 1) {
-    throw new Error("workspaceMembersService requires inviteExpiresInMs.");
-  }
-
-  const resolvedRoleCatalog = roleCatalog && typeof roleCatalog === "object" ? roleCatalog : createWorkspaceRoleCatalog();
-  const assignableRoleIds = Array.isArray(resolvedRoleCatalog.assignableRoleIds)
-    ? [...resolvedRoleCatalog.assignableRoleIds]
-    : [];
-  const resolvedWorkspaceInvitationsEnabled = workspaceInvitationsEnabled === true;
-
-  function ensureWorkspaceInvitationsEnabled() {
-    if (resolvedWorkspaceInvitationsEnabled) {
-      return;
-    }
-    throw new AppError(403, "Workspace invitations are disabled.");
-  }
-
-  function withRoleCatalog(payload = {}) {
-    return {
-      ...payload,
-      roleCatalog: cloneWorkspaceRoleCatalog({
-        ...resolvedRoleCatalog,
-        assignableRoleIds
-      })
-    };
-  }
-
-  async function listRoles(options = {}) {
-    return cloneWorkspaceRoleCatalog({
-      ...resolvedRoleCatalog,
-      assignableRoleIds
-    });
-  }
-
-  async function listMembersPayload(workspace, options = {}) {
-    const members = await workspaceMembershipsRepository.listActiveByWorkspaceId(workspace.id, options);
-
-    return withRoleCatalog({
-      workspace,
-      members
-    });
-  }
-
-  async function listMembers(workspace, options = {}) {
-    return listMembersPayload(workspace, options);
-  }
-
-  async function updateMemberRole(workspace, payload = {}, options = {}) {
-    const memberUserId = normalizeRecordId(payload.memberUserId, { fallback: null });
-    const roleSid = payload.roleSid;
-    if (!memberUserId) {
-      throw new AppError(400, "Validation failed.");
-    }
-    if (!assignableRoleIds.includes(roleSid)) {
-      throw new AppError(400, "Validation failed.", {
-        details: {
-          fieldErrors: {
-            roleSid: "Role is not assignable."
-          }
-        }
-      });
-    }
-
-    const existingMembership = await workspaceMembershipsRepository.findByWorkspaceIdAndUserId(workspace.id, memberUserId, options);
-    if (!existingMembership || existingMembership.status !== "active") {
-      throw new AppError(404, "Member not found.");
-    }
-    if (memberUserId === normalizeRecordId(workspace.ownerUserId, { fallback: null }) || existingMembership.roleSid === OWNER_ROLE_ID) {
-      throw new AppError(409, "Cannot change workspace owner role.");
-    }
-
-    await workspaceMembershipsRepository.upsertMembership(
-      workspace.id,
-      memberUserId,
-      {
-        roleSid,
-        status: "active"
-      },
-      options
-    );
-
-    return listMembersPayload(workspace, options);
-  }
-
-  async function removeMember(workspace, payload = {}, options = {}) {
-    const memberUserId = normalizeRecordId(payload.memberUserId, { fallback: null });
-    if (!memberUserId) {
-      throw new AppError(400, "Validation failed.");
-    }
-
-    const existingMembership = await workspaceMembershipsRepository.findByWorkspaceIdAndUserId(workspace.id, memberUserId, options);
-    if (!existingMembership || existingMembership.status !== "active") {
-      throw new AppError(404, "Member not found.");
-    }
-    if (memberUserId === normalizeRecordId(workspace.ownerUserId, { fallback: null }) || existingMembership.roleSid === OWNER_ROLE_ID) {
-      throw new AppError(409, "Cannot remove workspace owner.");
-    }
-
-    await workspaceMembershipsRepository.upsertMembership(
-      workspace.id,
-      memberUserId,
-      {
-        roleSid: existingMembership.roleSid,
-        status: "revoked"
-      },
-      options
-    );
-
-    return listMembersPayload(workspace, options);
-  }
-
-  async function listInvitesPayload(workspace, options = {}) {
-    ensureWorkspaceInvitationsEnabled();
-    const invites = await workspaceInvitesRepository.listPendingByWorkspaceIdWithWorkspace(workspace.id, options);
-
-    return withRoleCatalog({
-      workspace,
-      invites
-    });
-  }
-
-  async function listInvites(workspace, options = {}) {
-    return listInvitesPayload(workspace, options);
-  }
-
-  async function createInvite(workspace, user, payload = {}, options = {}) {
-    const email = payload.email;
-    const roleSid = payload.roleSid;
-    if (!assignableRoleIds.includes(roleSid)) {
-      throw new AppError(400, "Validation failed.", {
-        details: {
-          fieldErrors: {
-            roleSid: "Role is not assignable."
-          }
-        }
-      });
-    }
-
-    const token = buildInviteToken();
-    const tokenHash = hashInviteToken(token);
-    await workspaceInvitesRepository.expirePendingByWorkspaceIdAndEmail(workspace.id, email, options);
-    const createdInvite = await workspaceInvitesRepository.insert(
-      {
-        workspaceId: workspace.id,
-        email,
-        roleSid,
-        status: "pending",
-        tokenHash,
-        invitedByUserId: normalizeRecordId(user?.id, { fallback: null }),
-        expiresAt: new Date(Date.now() + resolvedInviteExpiresInMs).toISOString()
-      },
-      options
-    );
-    const createdInviteId = normalizeRecordId(createdInvite?.id, { fallback: null });
-    if (!createdInviteId) {
-      throw new Error("workspaceMembersService.createInvite expected repository to return created invite id.");
-    }
-
-    const response = await listInvitesPayload(workspace, options);
-    return {
-      ...response,
-      inviteTokenPreview: token,
-      createdInviteId
-    };
-  }
-
-  async function revokeInvite(workspace, inviteId, options = {}) {
-    const normalizedInviteId = normalizeRecordId(inviteId, { fallback: null });
-    if (!normalizedInviteId) {
-      throw new AppError(400, "Validation failed.");
-    }
-
-    const invite = await workspaceInvitesRepository.findPendingByIdForWorkspace(
-      normalizedInviteId,
-      workspace.id,
-      options
-    );
-    if (!invite) {
-      throw new AppError(404, "Invite not found.");
-    }
-
-    await workspaceInvitesRepository.revokeById(normalizedInviteId, options);
-    const revokedInviteId = normalizeRecordId(invite?.id, { fallback: null });
-    if (!revokedInviteId) {
-      throw new Error("workspaceMembersService.revokeInvite expected repository to return pending invite id.");
-    }
-
-    const response = await listInvitesPayload(workspace, options);
-    return {
-      ...response,
-      revokedInviteId
-    };
-  }
-
-  return Object.freeze({
-    listRoles,
-    listMembers,
-    updateMemberRole,
-    removeMember,
-    listInvites,
-    createInvite,
-    revokeInvite
-  });
-}
-
-export { createService };

package/src/server/workspacePendingInvitations/bootWorkspacePendingInvitations.js

@@ -1,62 +0,0 @@
-import { withStandardErrorResponses } from "@jskit-ai/http-runtime/shared/validators/errorResponses";
-import { workspaceMembersResource } from "../../shared/resources/workspaceMembersResource.js";
-import { workspacePendingInvitationsResource } from "../../shared/resources/workspacePendingInvitationsResource.js";
-
-function bootWorkspacePendingInvitations(app) {
-  if (!app || typeof app.make !== "function") {
-    throw new Error("bootWorkspacePendingInvitations requires application make().");
-  }
-
-  const router = app.make("jskit.http.router");
-
-  router.register(
-    "GET",
-    "/api/workspace/invitations/pending",
-    {
-      auth: "required",
-      meta: {
-        tags: ["workspace"],
-        summary: "List pending workspace invitations for authenticated user"
-      },
-      responseValidators: withStandardErrorResponses({
-        200: workspacePendingInvitationsResource.operations.list.outputValidator
-      })
-    },
-    async function (request, reply) {
-      const response = await request.executeAction({
-        actionId: "workspace.invitations.pending.list"
-      });
-      reply.code(200).send(response);
-    }
-  );
-
-  router.register(
-    "POST",
-    "/api/workspace/invitations/redeem",
-    {
-      auth: "required",
-      meta: {
-        tags: ["workspace"],
-        summary: "Accept or refuse a workspace invitation using an invite token"
-      },
-      bodyValidator: workspaceMembersResource.operations.redeemInvite.bodyValidator,
-      responseValidators: withStandardErrorResponses(
-        {
-          200: workspaceMembersResource.operations.redeemInvite.outputValidator
-        },
-        { includeValidation400: true }
-      )
-    },
-    async function (request, reply) {
-      const response = await request.executeAction({
-        actionId: "workspace.invite.redeem",
-        input: {
-          payload: request.input.body
-        }
-      });
-      reply.code(200).send(response);
-    }
-  );
-}
-
-export { bootWorkspacePendingInvitations };

package/src/server/workspacePendingInvitations/registerWorkspacePendingInvitations.js

@@ -1,119 +0,0 @@
-import { withActionDefaults } from "@jskit-ai/kernel/shared/actions";
-import { normalizeRecordId } from "@jskit-ai/kernel/shared/support/normalize";
-import { createService } from "./workspacePendingInvitationsService.js";
-import { workspacePendingInvitationsActions } from "./workspacePendingInvitationsActions.js";
-import { deepFreeze } from "../common/support/deepFreeze.js";
-
-function workspaceAudienceFromEntityId({ event } = {}) {
-  const workspaceId = normalizeRecordId(event?.entityId, { fallback: null });
-  if (!workspaceId) {
-    return "none";
-  }
-  return {
-    workspaceId
-  };
-}
-
-function actorUserEntityId({ options } = {}) {
-  return normalizeRecordId(options?.context?.actor?.id, { fallback: "" });
-}
-
-function createActorUserEvent({ source, entity, realtimeEvent }) {
-  return {
-    type: "entity.changed",
-    source,
-    entity,
-    operation: "updated",
-    entityId: actorUserEntityId,
-    realtime: {
-      event: realtimeEvent,
-      audience: "actor_user"
-    }
-  };
-}
-
-function createWorkspaceAudienceEvent({ entity, realtimeEvent }) {
-  return {
-    type: "entity.changed",
-    source: "workspace",
-    entity,
-    operation: "updated",
-    entityId: ({ result }) => normalizeRecordId(result?.workspaceId, { fallback: "" }),
-    realtime: {
-      event: realtimeEvent,
-      audience: workspaceAudienceFromEntityId
-    }
-  };
-}
-
-function createInviteDecisionEvents({ includeDirectoryAndMembers = false } = {}) {
-  const events = [
-    createActorUserEvent({
-      source: "workspace",
-      entity: "invitation",
-      realtimeEvent: "workspace.invitations.pending.changed"
-    }),
-    createActorUserEvent({
-      source: "users",
-      entity: "bootstrap",
-      realtimeEvent: "users.bootstrap.changed"
-    })
-  ];
-
-  if (includeDirectoryAndMembers) {
-    events.push(
-      createActorUserEvent({
-        source: "workspace",
-        entity: "directory",
-        realtimeEvent: "workspaces.changed"
-      }),
-      createWorkspaceAudienceEvent({
-        entity: "member",
-        realtimeEvent: "workspace.members.changed"
-      })
-    );
-  }
-
-  events.push(
-    createWorkspaceAudienceEvent({
-      entity: "invite",
-      realtimeEvent: "workspace.invites.changed"
-    })
-  );
-
-  return events;
-}
-
-function registerWorkspacePendingInvitations(app) {
-  if (!app || typeof app.singleton !== "function" || typeof app.service !== "function" || typeof app.actions !== "function") {
-    throw new Error("registerWorkspacePendingInvitations requires application singleton()/service()/actions().");
-  }
-
-  app.service(
-    "users.workspace.pending-invitations.service",
-    (scope) =>
-      createService({
-        workspaceInvitesRepository: scope.make("workspaceInvitesRepository"),
-        workspaceMembershipsRepository: scope.make("workspaceMembershipsRepository")
-      }),
-    {
-      events: deepFreeze({
-        acceptInviteByToken: createInviteDecisionEvents({
-          includeDirectoryAndMembers: true
-        }),
-        refuseInviteByToken: createInviteDecisionEvents()
-      })
-    }
-  );
-
-  app.actions(
-    withActionDefaults(workspacePendingInvitationsActions, {
-      domain: "workspace",
-      dependencies: {
-        workspacePendingInvitationsService: "users.workspace.pending-invitations.service"
-      }
-    })
-  );
-}
-
-export { registerWorkspacePendingInvitations };

package/src/server/workspacePendingInvitations/workspacePendingInvitationsActions.js

@@ -1,74 +0,0 @@
-import {
-  EMPTY_INPUT_VALIDATOR
-} from "@jskit-ai/kernel/shared/actions/actionContributorHelpers";
-import { workspaceMembersResource } from "../../shared/resources/workspaceMembersResource.js";
-import { workspacePendingInvitationsResource } from "../../shared/resources/workspacePendingInvitationsResource.js";
-import { resolveActionUser } from "../common/support/resolveActionUser.js";
-
-const workspacePendingInvitationsActions = Object.freeze([
-  {
-    id: "workspace.invitations.pending.list",
-    version: 1,
-    kind: "query",
-    channels: ["api", "automation", "internal"],
-    surfacesFrom: "enabled",
-    permission: {
-      require: "authenticated"
-    },
-    inputValidator: EMPTY_INPUT_VALIDATOR,
-    outputValidator: workspacePendingInvitationsResource.operations.list.outputValidator,
-    idempotency: "none",
-    audit: {
-      actionName: "workspace.invitations.pending.list"
-    },
-    observability: {},
-    async execute(input, context, deps) {
-      return {
-        pendingInvites: await deps.workspacePendingInvitationsService.listPendingInvitesForUser(resolveActionUser(context, input), {
-          context
-        })
-      };
-    }
-  },
-  {
-    id: "workspace.invite.redeem",
-    version: 1,
-    kind: "command",
-    channels: ["api", "automation", "internal"],
-    surfacesFrom: "enabled",
-    permission: {
-      require: "authenticated"
-    },
-    inputValidator: {
-      payload: workspaceMembersResource.operations.redeemInvite.bodyValidator
-    },
-    outputValidator: workspaceMembersResource.operations.redeemInvite.outputValidator,
-    idempotency: "optional",
-    audit: {
-      actionName: "workspace.invite.redeem"
-    },
-    observability: {},
-    async execute(input, context, deps) {
-      const payload = input.payload || {};
-      const user = resolveActionUser(context, input);
-
-      if (payload.decision === "accept") {
-        return deps.workspacePendingInvitationsService.acceptInviteByToken({
-          user,
-          token: payload.token
-        }, {
-          context
-        });
-      }
-
-      return deps.workspacePendingInvitationsService.refuseInviteByToken({
-        user,
-        token: payload.token
-      }, {
-        context
-      });
-    }
-  }
-]);
-
-export { workspacePendingInvitationsActions };

package/src/server/workspacePendingInvitations/workspacePendingInvitationsService.js

@@ -1,138 +0,0 @@
-import { resolveInviteTokenHash } from "@jskit-ai/auth-core/server/inviteTokens";
-import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
-import { normalizeLowerText, normalizeText } from "@jskit-ai/kernel/shared/actions/textNormalization";
-import { normalizeRecordId } from "@jskit-ai/kernel/shared/support/normalize";
-import { authenticatedUserValidator } from "../common/validators/authenticatedUserValidator.js";
-
-function createService({
-  workspaceInvitesRepository,
-  workspaceMembershipsRepository
-} = {}) {
-  if (!workspaceInvitesRepository || !workspaceMembershipsRepository) {
-    throw new Error("workspacePendingInvitationsService requires invite and membership repositories.");
-  }
-
-  function requireAuthenticatedInviteUser(user) {
-    const normalizedUser = authenticatedUserValidator.normalize(user);
-    if (!normalizedUser) {
-      throw new AppError(401, "Authentication required.");
-    }
-
-    return normalizedUser;
-  }
-
-  function requireInviteTokenHash(token) {
-    const normalizedToken = normalizeText(token);
-    if (!normalizedToken) {
-      throw new AppError(400, "Invite token is required.");
-    }
-
-    const tokenHash = resolveInviteTokenHash(normalizedToken);
-    if (!tokenHash) {
-      throw new AppError(400, "Invite token is invalid.");
-    }
-
-    return tokenHash;
-  }
-
-  async function requirePendingInviteForUserByToken(user, token, options = {}) {
-    const normalizedUser = requireAuthenticatedInviteUser(user);
-    const tokenHash = requireInviteTokenHash(token);
-
-    const invite = await workspaceInvitesRepository.findPendingByTokenHash(tokenHash, options);
-    if (!invite) {
-      throw new AppError(404, "Invitation not found or already handled.");
-    }
-
-    if (normalizeLowerText(invite.email) !== normalizedUser.email) {
-      throw new AppError(403, "Invitation email does not match authenticated user.");
-    }
-
-    return {
-      user: normalizedUser,
-      invite
-    };
-  }
-
-  async function revokeExpiredInviteAndThrow(invite, options = {}) {
-    if (invite.expiresAt && new Date(invite.expiresAt).getTime() < Date.now()) {
-      await workspaceInvitesRepository.revokeById(invite.id, options);
-      throw new AppError(409, "Invitation has expired.");
-    }
-  }
-
-  async function listPendingInvitesForUser(user, options = {}) {
-    const normalizedUser = requireAuthenticatedInviteUser(user);
-    if (!normalizedUser.email) {
-      return [];
-    }
-
-    return workspaceInvitesRepository.listPendingByEmail(normalizedUser.email, options);
-  }
-
-  function requireWorkspaceIdFromInvite(invite, methodName = "workspacePendingInvitationsService") {
-    const workspaceId = normalizeRecordId(invite?.workspaceId, { fallback: null });
-    if (!workspaceId) {
-      throw new Error(`${methodName} expected invite workspace id.`);
-    }
-    return workspaceId;
-  }
-
-  async function resolveInviteActionInput(user, token, options = {}, methodName = "workspacePendingInvitationsService") {
-    const resolvedInvite = await requirePendingInviteForUserByToken(user, token, options);
-    await revokeExpiredInviteAndThrow(resolvedInvite.invite, options);
-
-    return {
-      resolvedInvite,
-      workspaceId: requireWorkspaceIdFromInvite(resolvedInvite.invite, methodName)
-    };
-  }
-
-  async function acceptInviteByToken({ user, token } = {}, options = {}) {
-    const { resolvedInvite, workspaceId } = await resolveInviteActionInput(
-      user,
-      token,
-      options,
-      "workspacePendingInvitationsService.acceptInviteByToken"
-    );
-
-    await workspaceMembershipsRepository.upsertMembership(
-      workspaceId,
-      resolvedInvite.user.id,
-      {
-        roleSid: resolvedInvite.invite.roleSid,
-        status: "active"
-      },
-      options
-    );
-    await workspaceInvitesRepository.markAcceptedById(resolvedInvite.invite.id, options);
-
-    return {
-      decision: "accepted",
-      workspaceId
-    };
-  }
-
-  async function refuseInviteByToken({ user, token } = {}, options = {}) {
-    const { resolvedInvite, workspaceId } = await resolveInviteActionInput(
-      user,
-      token,
-      options,
-      "workspacePendingInvitationsService.refuseInviteByToken"
-    );
-    await workspaceInvitesRepository.revokeById(resolvedInvite.invite.id, options);
-
-    return {
-      decision: "refused",
-      workspaceId
-    };
-  }
-
-  return Object.freeze({
-    listPendingInvitesForUser,
-    acceptInviteByToken,
-    refuseInviteByToken
-  });
-}
-
-export { createService };

package/src/server/workspaceSettings/bootWorkspaceSettings.js

@@ -1,76 +0,0 @@
-import { withStandardErrorResponses } from "@jskit-ai/http-runtime/shared/validators/errorResponses";
-import { workspaceSettingsResource } from "../../shared/resources/workspaceSettingsResource.js";
-import { resolveWorkspaceRoutePath } from "../common/support/workspaceRoutePaths.js";
-import { workspaceSlugParamsValidator } from "../common/validators/routeParamsValidator.js";
-import { resolveDefaultWorkspaceRouteSurfaceIdFromAppConfig } from "../support/workspaceActionSurfaces.js";
-
-function bootWorkspaceSettings(app) {
-  if (!app || typeof app.make !== "function") {
-    throw new Error("bootWorkspaceSettings requires application make().");
-  }
-
-  const router = app.make("jskit.http.router");
-  const appConfig = typeof app.has === "function" && app.has("appConfig") ? app.make("appConfig") : {};
-  const workspaceRouteSurfaceId = resolveDefaultWorkspaceRouteSurfaceIdFromAppConfig(appConfig);
-
-  router.register(
-    "GET",
-    resolveWorkspaceRoutePath("/settings"),
-    {
-      auth: "required",
-      surface: workspaceRouteSurfaceId,
-      visibility: "workspace",
-      meta: {
-        tags: ["workspace"],
-        summary: "Get workspace settings and role catalog by workspace slug"
-      },
-      paramsValidator: workspaceSlugParamsValidator,
-      responseValidators: withStandardErrorResponses({
-        200: workspaceSettingsResource.operations.view.outputValidator
-      })
-    },
-    async function (request, reply) {
-      const response = await request.executeAction({
-        actionId: "workspace.settings.read",
-        input: {
-          workspaceSlug: request.input.params.workspaceSlug
-        }
-      });
-      reply.code(200).send(response);
-    }
-  );
-
-  router.register(
-    "PATCH",
-    resolveWorkspaceRoutePath("/settings"),
-    {
-      auth: "required",
-      surface: workspaceRouteSurfaceId,
-      visibility: "workspace",
-      meta: {
-        tags: ["workspace"],
-        summary: "Update workspace settings by workspace slug"
-      },
-      paramsValidator: workspaceSlugParamsValidator,
-      bodyValidator: workspaceSettingsResource.operations.patch.bodyValidator,
-      responseValidators: withStandardErrorResponses(
-        {
-          200: workspaceSettingsResource.operations.patch.outputValidator
-        },
-        { includeValidation400: true }
-      )
-    },
-    async function (request, reply) {
-      const response = await request.executeAction({
-        actionId: "workspace.settings.update",
-        input: {
-          workspaceSlug: request.input.params.workspaceSlug,
-          patch: request.input.body
-        }
-      });
-      reply.code(200).send(response);
-    }
-  );
-}
-
-export { bootWorkspaceSettings };