@lobb-js/lobb-ext-auth 0.1.67 → 0.2.2

package/extensions/auth/workflows/policiesWorkflows.ts

@@ -0,0 +1,240 @@
+import type { Lobb, Workflow } from "@lobb-js/core";
+import type { Context } from "hono";
+import type { ExtensionConfig, User } from "../config/extensionConfigSchema.ts";
+import { handlePolicy, handleReadFields } from "./utils.ts";
+
+export function getPoliciesWorkflows(extensionConfig: ExtensionConfig): Workflow[] {
+  return [
+  {
+    name: "auth_policyPreCreate",
+    eventName: "core.store.preCreateOne",
+    handler: async (input, ctx) => {
+      if (input.triggeredBy === "API") {
+        const context = input.context as Context;
+        const lobb = context.get("lobb") as Lobb;
+        const user = context.get("auth_user") as User | undefined;
+
+        const output = handlePolicy({
+          action: "create",
+          collectionName: input.collectionName,
+          role: user?.role,
+          user,
+          input,
+          lobb,
+          ctx,
+          extensionConfig,
+        });
+
+        if (output && output.payload) {
+          input.data = output.payload;
+        }
+      }
+      return input;
+    },
+  },
+  {
+    name: "auth_policyPreFindAll",
+    eventName: "core.store.preFindAll",
+    handler: async (input, ctx) => {
+      if (input.triggeredBy === "API") {
+        const context = input.context as Context;
+        const lobb = context.get("lobb") as Lobb;
+        const user = context.get("auth_user") as User | undefined;
+
+        const output = handlePolicy({
+          action: "read",
+          collectionName: input.collectionName,
+          role: user?.role,
+          user,
+          input,
+          lobb,
+          ctx,
+          extensionConfig,
+        });
+
+        if (output && output.filter) {
+          input.filter = output.filter;
+        }
+      }
+      return input;
+    },
+  },
+  {
+    name: "auth_policyPreFindOne",
+    eventName: "core.store.preFindOne",
+    handler: async (input, ctx) => {
+      if (input.triggeredBy === "API") {
+        const context = input.context as Context;
+        const lobb = context.get("lobb") as Lobb;
+        const user = context.get("auth_user") as User | undefined;
+
+        // pass if the user is effecting himself
+        const currentUser = input.id === user?.id;
+        if (input.collectionName === "auth_users" && currentUser) {
+          return input;
+        }
+
+        const output = handlePolicy({
+          action: "read",
+          collectionName: input.collectionName,
+          role: user?.role,
+          user,
+          input,
+          lobb,
+          ctx,
+          extensionConfig,
+        });
+
+        if (output && output.filter) {
+          input.filter = output.filter;
+        }
+      }
+      return input;
+    },
+  },
+  {
+    name: "auth_policyPreUpdate",
+    eventName: "core.store.preUpdateOne",
+    handler: async (input, ctx) => {
+      if (input.triggeredBy === "API") {
+        const context = input.context as Context;
+        const lobb = context.get("lobb") as Lobb;
+        const user = context.get("auth_user") as User | undefined;
+
+        // pass if the user is effecting himself
+        const currentUser = input.id === user?.id;
+        if (input.collectionName === "auth_users" && currentUser) {
+          return input;
+        }
+
+        handlePolicy({
+          action: "update",
+          collectionName: input.collectionName,
+          role: user?.role,
+          user,
+          input,
+          lobb,
+          ctx,
+          extensionConfig,
+        });
+      }
+      return input;
+    },
+  },
+  {
+    name: "auth_policyPreDelete",
+    eventName: "core.store.preDeleteOne",
+    handler: async (input, ctx) => {
+      if (input.triggeredBy === "API") {
+        const context = input.context as Context;
+        const lobb = context.get("lobb") as Lobb;
+        const user = context.get("auth_user") as User | undefined;
+
+        // pass if the user is effecting himself
+        const currentUser = input.id === user?.id;
+        if (input.collectionName === "auth_users" && currentUser) {
+          return input;
+        }
+
+        handlePolicy({
+          action: "delete",
+          collectionName: input.collectionName,
+          role: user?.role,
+          user,
+          input,
+          lobb,
+          ctx,
+          extensionConfig,
+        });
+      }
+      return input;
+    },
+  },
+  // handling read fields property
+  {
+    name: "auth_policyPostQuery",
+    eventName: "core.store.findAll",
+    handler: async (input, ctx) => {
+      if (input.triggeredBy === "API") {
+        const context = input.context as Context;
+        const user = context.get("auth_user") as User | undefined;
+        input.data = handleReadFields(
+          user?.role,
+          input.collectionName,
+          input.data,
+          extensionConfig,
+        );
+      }
+      return input;
+    },
+  },
+  {
+    name: "auth_policyPostRead",
+    eventName: "core.store.findOne",
+    handler: async (input, ctx) => {
+      if (input.triggeredBy === "API") {
+        const context = input.context as Context;
+        const user = context.get("auth_user") as User | undefined;
+        input.data = handleReadFields(
+          user?.role,
+          input.collectionName,
+          input.data,
+          extensionConfig,
+        );
+      }
+      return input;
+    },
+  },
+  {
+    name: "auth_policyPostReadForCreate",
+    eventName: "core.store.createOne",
+    handler: async (input, ctx) => {
+      if (input.triggeredBy === "API") {
+        const context = input.context as Context;
+        const user = context.get("auth_user") as User | undefined;
+        input.data = handleReadFields(
+          user?.role,
+          input.collectionName,
+          input.data,
+          extensionConfig,
+        );
+      }
+      return input;
+    },
+  },
+  {
+    name: "auth_policyPostReadForUpdate",
+    eventName: "core.store.updateOne",
+    handler: async (input, ctx) => {
+      if (input.triggeredBy === "API") {
+        const context = input.context as Context;
+        const user = context.get("auth_user") as User | undefined;
+        input.data = handleReadFields(
+          user?.role,
+          input.collectionName,
+          input.data,
+          extensionConfig,
+        );
+      }
+      return input;
+    },
+  },
+  {
+    name: "auth_policyPostReadForDelete",
+    eventName: "core.store.updateOne",
+    handler: async (input, ctx) => {
+      if (input.triggeredBy === "API") {
+        const context = input.context as Context;
+        const user = context.get("auth_user") as User | undefined;
+        input.data = handleReadFields(
+          user?.role,
+          input.collectionName,
+          input.data,
+          extensionConfig,
+        );
+      }
+      return input;
+    },
+  },
+  ];
+}

package/extensions/auth/workflows/utils.ts

@@ -0,0 +1,306 @@
+import type { EventContext, Filter, Lobb } from "@lobb-js/core";
+import type {
+  CollectionPermissionActionsKeys,
+  ExtensionConfig,
+  User,
+} from "../config/extensionConfigSchema.ts";
+import { LobbError } from "@lobb-js/core";
+
+interface HandlePolicyProps {
+  ctx: EventContext;
+  collectionName: string;
+  action: CollectionPermissionActionsKeys;
+  user: User | undefined;
+  input: any | undefined;
+  role?: string;
+  lobb: Lobb;
+  extensionConfig: ExtensionConfig;
+}
+
+interface HandlePolicyOutput {
+  payload?: Record<string, unknown>;
+  filter?: Filter;
+}
+
+export function handlePolicy({
+  ctx,
+  collectionName,
+  action,
+  user,
+  input,
+  lobb,
+  role = "public",
+  extensionConfig,
+}: HandlePolicyProps): HandlePolicyOutput | void {
+  if (role === "admin") {
+    return;
+  }
+
+  const config = extensionConfig;
+  const currentRole = config.roles[role];
+
+  if (typeof currentRole === "undefined") {
+    throw new ctx.LobbError({
+      code: "FORBIDDEN",
+      message: "Your role is not recognized by the system.",
+    });
+  }
+
+  const currentRolePermission = currentRole.permissions;
+
+  if (currentRolePermission === true) {
+    return;
+  }
+
+  const collectionPermission = currentRolePermission[collectionName];
+
+  if (typeof collectionPermission === "undefined") {
+    throw new ctx.LobbError({
+      code: "FORBIDDEN",
+      message: "You do not have permission to perform this action.",
+    });
+  }
+
+  if (collectionPermission === true) {
+    return;
+  }
+
+  const permissionAction = collectionPermission[action];
+
+  if (typeof permissionAction === "undefined") {
+    throw new ctx.LobbError({
+      code: "FORBIDDEN",
+      message: "You do not have permission to perform this action.",
+    });
+  }
+
+  if (typeof permissionAction === "boolean") {
+    if (permissionAction === false) {
+      throw new ctx.LobbError({
+        code: "FORBIDDEN",
+        message: "You do not have permission to perform this action.",
+      });
+    }
+
+    return;
+  }
+
+  if (action === "create") {
+    runGuard(user?.role, input.collectionName, "create", {
+      payload: input.data,
+      user: user,
+    }, extensionConfig);
+
+    handleFields(user?.role, input.collectionName, "create", input.data, extensionConfig);
+
+    const data = handleMutate(
+      user?.role,
+      input.collectionName,
+      "create",
+      input.data,
+      user,
+      extensionConfig,
+    );
+
+    return {
+      payload: data,
+    };
+  } else if (action === "read") {
+    const readFilter = getFilter(user?.role, input.collectionName, "read", extensionConfig);
+    const filter = lobb.utils.renderTemplateDeep(
+      readFilter,
+      {
+        user,
+      },
+    );
+
+    return {
+      filter,
+    };
+  } else if (action === "update") {
+    runGuard(user?.role, input.collectionName, "update", {
+      payload: input.data,
+      user: user,
+    }, extensionConfig);
+
+    handleFields(user?.role, input.collectionName, "update", input.data, extensionConfig);
+
+    const data = handleMutate(
+      user?.role,
+      input.collectionName,
+      "update",
+      input.data,
+      user,
+      extensionConfig,
+    );
+
+    return {
+      payload: data,
+    };
+  } else if (action === "delete") {
+  } else {
+    throw new Error(
+      `The (${action}) action is not implemented in the (auth) extension (handlePolicy) function`,
+    );
+  }
+}
+
+export function getFilter(
+  role: string = "public",
+  collectionName: string,
+  action: "read",
+  extensionConfig: ExtensionConfig,
+) {
+  const config = extensionConfig;
+  const permissions = config.roles[role]?.permissions;
+
+  if (permissions && permissions !== true) {
+    const collectionPermission = permissions[collectionName];
+    if (collectionPermission && collectionPermission !== true) {
+      const permission = collectionPermission[action];
+      if (permission && permission !== true) {
+        return permission.filter;
+      }
+    }
+  }
+}
+
+export function runGuard(
+  role: string = "public",
+  collectionName: string,
+  action: "create" | "update",
+  context: { payload: Record<string, unknown>; user?: User },
+  extensionConfig: ExtensionConfig,
+) {
+  const config = extensionConfig;
+  const permissions = config.roles[role]?.permissions;
+
+  if (permissions && permissions !== true) {
+    const collectionPermission = permissions[collectionName];
+    if (collectionPermission && collectionPermission !== true) {
+      const permission = collectionPermission[action];
+      if (permission && permission !== true) {
+        if (permission.payloadGuard) {
+          const result = permission.payloadGuard(context);
+          if (!result) {
+            throw new LobbError({
+              code: "FORBIDDEN",
+              message: "You do not have permission to perform this action.",
+            });
+          }
+        }
+      }
+    }
+  }
+}
+
+export function handleFields(
+  role: string = "public",
+  collectionName: string,
+  action: "create" | "update",
+  payload: Record<string, unknown>,
+  extensionConfig: ExtensionConfig,
+) {
+  const config = extensionConfig;
+  const permissions = config.roles[role]?.permissions;
+
+  if (permissions && permissions !== true) {
+    const collectionPermission = permissions[collectionName];
+    if (collectionPermission && collectionPermission !== true) {
+      const permission = collectionPermission[action];
+      if (permission && permission !== true) {
+        if (permission.fields) {
+          const fields = permission.fields;
+          const allowedFields = Object.keys(fields);
+          const existingFields = Object.keys(payload);
+          // add the handler logic of the fields
+          for (const fieldName of existingFields) {
+            if (!allowedFields.includes(fieldName)) {
+              throw new LobbError({
+                code: "FORBIDDEN",
+                message:
+                  `You do not have permission to modify the field (${fieldName}).`,
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+}
+
+export function handleMutate(
+  role: string = "public",
+  collectionName: string,
+  action: "create" | "update",
+  payload: Record<string, unknown>,
+  user: User | undefined,
+  extensionConfig: ExtensionConfig,
+) {
+  const config = extensionConfig;
+  const permissions = config.roles[role]?.permissions;
+  const returnedPayload: Record<string, unknown> = structuredClone(payload);
+
+  if (permissions && permissions !== true) {
+    const collectionPermission = permissions[collectionName];
+    if (collectionPermission && collectionPermission !== true) {
+      const permission = collectionPermission[action];
+      if (permission && permission !== true) {
+        if (permission.mutate) {
+          for (
+            const [fieldName, mutateFn] of Object.entries(permission.mutate)
+          ) {
+            returnedPayload[fieldName] = mutateFn({
+              value: payload[fieldName],
+              payload,
+              user,
+            });
+          }
+        }
+      }
+    }
+  }
+
+  return returnedPayload;
+}
+
+export function handleReadFields(
+  role = "public",
+  collectionName: string,
+  payload: Record<string, unknown> | Record<string, unknown>[],
+  extensionConfig: ExtensionConfig,
+) {
+  // filter the payload based on fields
+  const config = extensionConfig;
+  let clonedPayload = structuredClone(payload);
+
+  const permissions = config.roles[role]?.permissions;
+  if (permissions && typeof permissions !== "boolean") {
+    const collectionPermission = permissions[collectionName];
+    if (collectionPermission && typeof collectionPermission !== "boolean") {
+      const readPermission = collectionPermission.read;
+      if (readPermission && typeof readPermission !== "boolean") {
+        if (readPermission.fields) {
+          const allowedFields = Object.keys(readPermission.fields);
+          if (Array.isArray(payload)) {
+            clonedPayload = payload.map((item: Record<string, unknown>) =>
+              Object.fromEntries(
+                Object.entries(item).filter(([key]) =>
+                  allowedFields.includes(key)
+                ),
+              )
+            );
+          } else {
+            clonedPayload = Object.fromEntries(
+              Object.entries(payload).filter(([key]) =>
+                allowedFields.includes(key)
+              ),
+            );
+          }
+        }
+      }
+    }
+  }
+
+  return clonedPayload;
+}

package/lobb.ts

@@ -0,0 +1,108 @@
+import { Lobb } from "@lobb-js/core";
+import { auth } from "./extensions/auth/index.ts";
+
+Lobb.init({
+  project: {
+    name: "Social To Courier",
+    force_sync: true,
+  },
+  database: {
+    host: "localhost",
+    port: 5432,
+    username: "test",
+    password: "test",
+    database: "social_to_courier",
+  },
+  web_server: {
+    host: "0.0.0.0",
+    port: 3000,
+    cors: {
+      origin: "*",
+    },
+  },
+  extensions: [
+    auth({
+      admin: {
+        email: "admin@example.com",
+        password: "admin",
+      },
+      extend_users: {
+        fields: {
+          instagram_user_id: {
+            type: "string",
+            length: 255,
+          },
+          instagram_token: {
+            type: "string",
+            length: 255,
+          },
+        },
+      },
+      roles: {
+        public: {
+          permissions: true,
+        },
+      },
+    }),
+  ],
+  collections: {
+    articles: {
+      indexes: {},
+      fields: {
+        id: {
+          type: "integer",
+        },
+        image: {
+          type: "string",
+          length: 255,
+        },
+        title: {
+          type: "string",
+          length: 255,
+          validators: {
+            required: true,
+          },
+        },
+        description: {
+          type: "string",
+          length: 255,
+        },
+        body: {
+          type: "string",
+          length: 255,
+          validators: {
+            required: true,
+          },
+        },
+        status: {
+          type: "string",
+          length: 255,
+          validators: {
+            enum: ["public", "private"],
+          },
+        },
+      },
+    },
+    comments: {
+      indexes: {},
+      fields: {
+        id: {
+          type: "integer",
+        },
+        body: {
+          type: "string",
+          length: 255,
+          validators: {
+            required: true,
+          },
+        },
+        article_id: {
+          type: "integer",
+          validators: {
+            required: true,
+          },
+        },
+      },
+    },
+  },
+});

package/package.json

@@ -1,23 +1,50 @@
 {
   "name": "@lobb-js/lobb-ext-auth",
-  "version": "0.1.67",
+  "version": "0.2.2",
+  "license": "AGPL-3.0-only",
   "type": "module",
+  "publishConfig": {
+    "access": "public"
+  },
   "exports": {
-    ".": "./src/index.ts"
+    ".": "./extensions/auth/index.ts",
+    "./studio": {
+      "svelte": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
   },
   "scripts": {
-    "dev": "vite",
-    "build": "vite build",
+    "test": "bun run test:lobb && bun run test:studio",
+    "test:lobb": "bun test extensions/auth/tests",
+    "test:studio": "bun --bun playwright test --config extensions/auth/studio/tests/playwright.config.cjs",
+    "dev": "bun run lobb.ts",
+    "start": "LOBB_MODE=prod bun run lobb.ts",
+    "prepare": "svelte-kit sync || echo ''",
     "preview": "vite preview",
-    "check": "svelte-check --tsconfig ./tsconfig.app.json && tsc -p tsconfig.node.json"
+    "check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
+    "prepublishOnly": "./scripts/prepublish.sh",
+    "postpublish": "./scripts/postpublish.sh",
+    "package": "svelte-package --input extensions/auth/studio",
+    "dev:studio": "vite dev",
+    "build:studio": "vite build"
+  },
+  "dependencies": {
+    "@lobb-js/core": "^0.13.3",
+    "argon2": "^0.40.3",
+    "hono": "^4.7.0"
   },
   "devDependencies": {
-    "@lobb-js/studio": "0.6.0",
+    "@lobb-js/studio": "^0.7.2",
     "@lucide/svelte": "^0.563.1",
+    "@playwright/test": "^1.58.2",
+    "@sveltejs/adapter-node": "^5.5.4",
+    "@sveltejs/kit": "^2.55.0",
     "@sveltejs/vite-plugin-svelte": "6.2.1",
+    "@sveltejs/package": "^2.5.7",
     "@tailwindcss/vite": "^4.1.18",
     "@tsconfig/svelte": "^5.0.6",
     "@types/node": "^24.10.1",
+    "bun-types": "latest",
     "clsx": "^2.1.1",
     "svelte": "^5.49.1",
     "svelte-check": "^4.3.4",