npm - @lobb-js/lobb-ext-auth - Versions diffs - 0.10.4 → 0.11.1 - Mend

@lobb-js/lobb-ext-auth 0.10.4 → 0.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (56) hide show

package/README.md CHANGED Viewed

	@@ -1,2 +1,3 @@
1 1	# @lobb-js/lobb-ext-auth
2 2
3	+

package/dist/auth.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import type { ExtensionUtils } from "@lobb-js/studio";
+import { type ExtensionUtils } from "@lobb-js/studio";
 interface LoginPayload {
     email: string;
     password: string;
@@ -9,5 +9,6 @@ export declare class Auth {
     getSession(): any;
     login(payload: LoginPayload): Promise<void>;
     logout(): Promise<void>;
+    fetchMe(): Promise<void>;
 }
 export {};

package/dist/auth.js CHANGED Viewed

@@ -1,3 +1,4 @@
+import { remountStudio } from "@lobb-js/studio";
 export class Auth {
     utils;
     constructor(utils) {
@@ -27,12 +28,16 @@ export class Auth {
         const result = await response.json();
         const session = result.data;
         localStorage.setItem("lobb_session", JSON.stringify(session));
-        this.utils.ctx.extensions.auth.session = session;
         this.utils.lobb.setHeaders({
             Authorization: `Bearer ${session.access_token.token}`,
         });
         const redirectTo = new URLSearchParams(window.location.search).get("redirect");
-        this.utils.location.navigate(redirectTo || "/studio");
+        this.utils.goto(redirectTo || "/studio");
+        // Remount the Studio so onStartup re-runs and populates ctx with the
+        // freshly logged-in user's /me data. Everything inside Studio (sidebar,
+        // extensions, etc.) then initialises against the new session without
+        // needing per-component reactivity on auth state.
+        remountStudio();
     }
     async logout() {
         await this.utils.lobb.request({
@@ -43,10 +48,24 @@ export class Auth {
         const currentPath = window.location.pathname;
         const loginPath = "/studio/extensions/auth/login_page";
         if (currentPath !== loginPath && currentPath !== "/studio") {
-            this.utils.location.navigate(`${loginPath}?redirect=${encodeURIComponent(currentPath)}`);
+            this.utils.goto(`${loginPath}?redirect=${encodeURIComponent(currentPath)}`);
         }
         else {
-            this.utils.location.navigate(loginPath);
+            this.utils.goto(loginPath);
         }
+        // Remount so onStartup re-runs against the cleared session — clears any
+        // stale ctx.extensions.auth.user / permissions from the previous user.
+        remountStudio();
+    }
+    async fetchMe() {
+        const response = await this.utils.lobb.request({
+            method: "GET",
+            route: "/api/collections/auth_users/me",
+        });
+        if (response.status >= 400)
+            throw new Error("Failed to fetch /me");
+        const result = await response.json();
+        this.utils.ctx.extensions.auth.user = result.data;
+        this.utils.ctx.extensions.auth.permissions = result.permissions ?? {};
     }
 }

package/dist/index.js CHANGED Viewed

@@ -3,6 +3,7 @@ import { onStartup, onRouteChange } from "./onStartup";
 import LoginPage from "./lib/components/pages/loginPage/index.svelte";
 import UserSettings from "./lib/components/pages/userSettings/index.svelte";
 import Settings from "./lib/components/pages/settings/index.svelte";
+import { isActionAllowed } from "../permissions";
 // TODO we should export the extension object directly without a function at all. because we dont set configuration in here
 export default function extension(utils) {
     return {
@@ -14,12 +15,50 @@ export default function extension(utils) {
             "pages.user_settings": UserSettings,
             "pages.settings": Settings,
         },
+        workflows: [
+            {
+                // Generic auth primitive: callers ask "can the current user access X?"
+                // and pass any combination of { collection, action, role }. The handler
+                // returns a boolean directly; callers read that and decide what to render.
+                // Note: returning a boolean means downstream handlers can't read the
+                // original request — if you ever need multiple extensions to influence
+                // this decision, switch back to a `{ ...input, allowed }` object shape.
+                eventName: "auth.canAccess",
+                handler: async (input) => {
+                    // Admin shortcut — admins bypass everything, regardless of how
+                    // their permissions snapshot was populated.
+                    const user = utils.ctx.extensions.auth?.user;
+                    if (user?.role === "admin")
+                        return true;
+                    // Walk the permissions snapshot. Works for both logged-in non-admin
+                    // users (snapshot from their role) and share-token recipients
+                    // (snapshot from the share's embedded permissions). If nothing
+                    // is populated — anonymous viewer — default to deny.
+                    const permissions = utils.ctx.extensions.auth?.permissions;
+                    if (permissions === undefined || permissions === null)
+                        return false;
+                    if (permissions === true)
+                        return true;
+                    const action = input.action ?? "read";
+                    const requiredCollections = Array.isArray(input.collection)
+                        ? input.collection
+                        : input.collection ? [input.collection] : [];
+                    for (const collectionName of requiredCollections) {
+                        if (!isActionAllowed(collectionName, action, permissions)) {
+                            return false;
+                        }
+                    }
+                    return true;
+                },
+            },
+        ],
         dashboardNavs: {
             middle: [
                 {
                     label: "Auth",
                     icon: utils.components.Icons.Key,
                     href: "/studio/extensions/auth/settings/users",
+                    represents: "auth_users",
                 },
             ],
             bottom: [
@@ -27,14 +66,14 @@ export default function extension(utils) {
                     label: "My User",
                     icon: utils.components.Icons.User,
                     onclick: () => {
-                        utils.location.navigate("/studio/extensions/auth/user_settings");
+                        utils.goto("/studio/extensions/auth/user_settings");
                     },
                     navs: [
                         {
                             label: "User Settings",
                             icon: utils.components.Icons.Settings,
                             onclick: () => {
-                                utils.location.navigate("/studio/extensions/auth/user_settings");
+                                utils.goto("/studio/extensions/auth/user_settings");
                             },
                         },
                         {

package/dist/lib/components/pages/settings/index.svelte CHANGED Viewed

@@ -8,7 +8,7 @@
 	const components = props.utils.components;
 	const { Sidebar } = components;
 	const { Icons } = components;
-	const auth_settings_page = $derived(props.utils.location.url.pathname.split("/")[5]);
+	const auth_settings_page = $derived(props.utils.page.url.pathname.split("/")[5]);
 	const isSmall = $derived(!props.utils.mediaQueries.sm.current);
 </script>

package/dist/lib/components/pages/settings/pages/activityFeed.svelte CHANGED Viewed

@@ -13,7 +13,7 @@
 		</div>
 	</div>
 	<components.Separator />
-	<div class="flex gap-4 border rounded-md overflow-hidden h-full bg-muted/30">
+	<div class="flex gap-4 border rounded-md overflow-hidden h-full bg-muted-soft">
         <components.DataTable
             collectionName="auth_activity_feed"
         />

package/dist/lib/components/pages/settings/pages/rolesAndPermissions.svelte CHANGED Viewed

@@ -13,7 +13,7 @@
 		</div>
 	</div>
 	<components.Separator />
-	<div class="flex gap-4 border rounded-md overflow-hidden h-full bg-muted/30">
+	<div class="flex gap-4 border rounded-md overflow-hidden h-full bg-muted-soft">
         <components.DataTable
             collectionName="auth_roles"
         />

package/dist/lib/components/pages/settings/pages/users.svelte CHANGED Viewed

@@ -13,7 +13,7 @@
 		</div>
 	</div>
 	<components.Separator />
-	<div class="flex gap-4 border rounded-md overflow-hidden h-full bg-muted/30">
+	<div class="flex gap-4 border rounded-md overflow-hidden h-full bg-muted-soft">
         <components.DataTable
             collectionName="auth_users"
         />

package/dist/lib/components/pages/userSettings/index.svelte CHANGED Viewed

@@ -1,13 +1,32 @@
 <script lang="ts">
 	import type { ExtensionProps } from "@lobb-js/studio";
-	import Profile from "./components/profile.svelte";
-	import Account from "./components/account.svelte";
+	import { DetailView } from "@lobb-js/studio";
+	import { onMount } from "svelte";
-	const props: ExtensionProps = $props();
-	const components = props.utils.components;
-	const isSmall = $derived(!props.utils.mediaQueries.sm.current);
+	const { utils }: ExtensionProps = $props();
+	const { Button, Separator, Skeleton, Icons } = utils.components;
-	let selectedView: "profile" | "account" = $state("profile");
+	let entry = $state<Record<string, any>>({});
+	let loading = $state(true);
+	onMount(async () => {
+		// /me is the only auth_users path a role without explicit auth_users
+		// read perms can reach (self-bypass at the policy layer).
+		const response = await utils.lobb.findOne("auth_users", "me");
+		const result = await response.json();
+		entry = result.data;
+		loading = false;
+	});
+	async function handleSave() {
+		const response = await utils.lobb.updateOne("auth_users", "me", entry);
+		if (response.status >= 400) {
+			const result = await response.json();
+			utils.toast.error(result.message);
+			return;
+		}
+		utils.toast.success("Profile updated successfully.");
+	}
 </script>
 <div class="flex flex-col gap-4 p-4">
@@ -17,32 +36,26 @@
 			Manage your user settings.
 		</div>
 	</div>
-	<components.Separator />
-	<div class="flex gap-4 {isSmall ? "flex-col" : ""}">
-		<div class="flex w-64 {isSmall ? "" : "flex-col"}">
-			<components.Button
-				onclick={() => (selectedView = "profile")}
-				variant="ghost"
-				class="flex justify-start text-muted-foreground hover:underline"
-			>
-				Profile
-			</components.Button>
-			<components.Button
-				onclick={() => (selectedView = "account")}
-				variant="ghost"
-				class="flex justify-start text-muted-foreground hover:underline"
-			>
-				Account
-			</components.Button>
+	<Separator />
+	{#if loading}
+		<div class="flex max-w-xl flex-col gap-2">
+			<Skeleton class="h-8 w-full" />
+			<Skeleton class="h-8 w-[80%]" />
+			<Skeleton class="h-8 w-[60%]" />
 		</div>
-		{#if selectedView === "profile"}
-			<Profile {...props} />
-		{:else if selectedView === "account"}
-			<Account {...props} />
-		{:else}
-			<div class="font-bold text-red-500">
-				The "{selectedView}" view doesnt exist
+	{:else}
+		<div class="max-w-xl">
+			<DetailView collectionName="auth_users" bind:entry />
+			<div class="px-4 pt-2">
+				<Button
+					class="self-start"
+					Icon={Icons.Pencil}
+					onclick={handleSave}
+				>
+					Save
+				</Button>
 			</div>
-		{/if}
-	</div>
+		</div>
+	{/if}
 </div>

package/dist/onStartup.js CHANGED Viewed

@@ -1,7 +1,16 @@
 import { Auth } from "./auth";
 const loginPath = "/studio/extensions/auth/login_page";
+const publicPagesPrefix = "/studio/public/";
 function isPublicPath(path, publicPaths) {
-    return path === loginPath || publicPaths.some(p => path.startsWith(p));
+    // Anything under /studio/public/ is a publicPages.* route — registered by
+    // an extension and intentionally exposed without auth (e.g. share-recipient
+    // views). Falls through to the app-level publicPaths config for legacy
+    // overrides.
+    if (path === loginPath)
+        return true;
+    if (path.startsWith(publicPagesPrefix))
+        return true;
+    return publicPaths.some(p => path.startsWith(p));
 }
 export async function onStartup(utils) {
     const auth = new Auth(utils);
@@ -18,6 +27,12 @@ export async function onStartup(utils) {
     const session = auth.getSession();
     if (session) {
         utils.ctx.extensions.auth.session = session;
+        try {
+            await auth.fetchMe();
+        }
+        catch {
+            await auth.logout();
+        }
         return;
     }
     const publicPaths = utils.ctx.meta?.extensions?.auth?.studio?.publicPaths ?? [];
@@ -32,6 +47,6 @@ export function onRouteChange(utils, path) {
         return;
     const publicPaths = utils.ctx.meta?.extensions?.auth?.studio?.publicPaths ?? [];
     if (!isPublicPath(path, publicPaths)) {
-        utils.location.navigate(`${loginPath}?redirect=${encodeURIComponent(path)}`);
+        utils.goto(`${loginPath}?redirect=${encodeURIComponent(path)}`);
     }
 }

package/extensions/auth/collections/collections.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { CollectionConfig, Lobb } from "@lobb-js/core";
 import { usersCollection } from "./users.ts";
 import { sessionsCollection } from "./sessions.ts";
+import { sharesCollection } from "./shares.ts";
 import type { ExtensionConfig } from "../config/extensionConfigSchema.ts";
 import { activityFeedCollection } from "./activityFeed.ts";
@@ -11,6 +12,7 @@ export function collections(
   const collectionsSchemas: Record<string, CollectionConfig> = {};
   collectionsSchemas["auth_users"] = usersCollection;
   collectionsSchemas["auth_sessions"] = sessionsCollection;
+  collectionsSchemas["auth_shares"] = sharesCollection;
   // Convert the role field to an enum based on configured roles
   const roleNames = Object.keys(extensionConfig.roles ?? {}).filter(r => r !== "public");

package/extensions/auth/collections/shares.ts ADDED Viewed

@@ -0,0 +1,60 @@
+import type { CollectionConfig } from "@lobb-js/core";
+// A share is a bearer credential that grants its holder a specific snapshot
+// of permissions until a fixed expiry. Unlike a session it isn't tied to a
+// user identity — anyone with the token gets exactly the listed permissions.
+//
+// `permissions` is stored as text holding a JSON-serialised PermissionsConfig
+// (same shape as a role's permissions in the auth extension config).
+export const sharesCollection: CollectionConfig = {
+  indexes: {},
+  fields: {
+    id: {
+      type: "integer",
+    },
+    // Auto-generated server-side by the auth_generateShareToken workflow on
+    // create — clients should not supply this; the generated token comes
+    // back in the create response.
+    token: {
+      type: "string",
+      length: 255,
+      unique: true,
+    },
+    label: {
+      type: "string",
+      length: 255,
+    },
+    permissions: {
+      type: "text",
+      required: true,
+    },
+    // Absolute expiry timestamp — the source of truth stored in the DB and
+    // used by every-request validity checks and the periodic cleanup.
+    // Required at the schema level; callers can pass `expires_in_seconds`
+    // instead, which the auth_normalizeShareExpiry workflow converts to
+    // this field at the service layer (before the store-level required
+    // check fires).
+    expires_at: {
+      type: "datetime",
+      required: true,
+    },
+    // Convenience write-only field: instead of computing an absolute
+    // timestamp, callers can pass a duration in seconds. Declared as a
+    // virtual integer so it shows up in the OpenAPI schema for documentation
+    // but never gets a database column — the workflow converts it to
+    // expires_at and strips it before insert.
+    expires_in_seconds: {
+      type: "integer",
+      virtual: true,
+      ui: { hidden: true },
+    },
+    created_by: {
+      type: "integer",
+      references: {
+        collection: "auth_users",
+        field: "id",
+      },
+      required: true,
+    },
+  },
+};

package/extensions/auth/config/extensionConfigSchema.d.ts ADDED Viewed

@@ -0,0 +1,41 @@
+import type { CollectionConfig } from "@lobb-js/core";
+import type { CreatePermissionAction } from "./permissionsAction/create.ts";
+import type { ReadPermissionAction } from "./permissionsAction/read.ts";
+import type { UpdatePermissionAction } from "./permissionsAction/update.ts";
+import type { DeletePermissionAction } from "./permissionsAction/delete.ts";
+export interface User {
+    id: number;
+    email: string;
+    password: string;
+    role: string;
+}
+export interface PermissionAction {
+}
+export type CollectionPermissionsActions = {
+    create?: true | CreatePermissionAction;
+    read?: true | ReadPermissionAction;
+    update?: true | UpdatePermissionAction;
+    delete?: true | DeletePermissionAction;
+};
+export type CollectionPermissionActionsKeys = keyof CollectionPermissionsActions;
+export type CollectionPermissionsConfig = true | CollectionPermissionsActions;
+export type PermissionsConfig = true | Record<string, CollectionPermissionsConfig | undefined>;
+export type RolesConfig = {
+    permissions: PermissionsConfig;
+};
+export type ExtensionConfig = {
+    admin: {
+        password: string;
+        email: string;
+        [key: string]: any;
+    };
+    dashboard_access_roles?: string[];
+    roles?: Record<string, RolesConfig | undefined>;
+    extend_users?: {
+        indexes?: CollectionConfig["indexes"];
+        fields?: Omit<CollectionConfig["fields"], "id">;
+    };
+    studio?: {
+        publicPaths?: string[];
+    };
+};

package/extensions/auth/config/permissionsAction/create.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import type { PermissionAction, User } from "../extensionConfigSchema.ts";
+interface FieldTrasnsformerFnParams {
+    value: unknown;
+    payload: Record<string, unknown>;
+    user?: User;
+}
+type FieldTrasnsformerFn = (params: FieldTrasnsformerFnParams) => unknown;
+interface CreateGuardProps {
+    payload: Record<string, unknown>;
+    user?: User;
+}
+type CreateGuardFn = (props: CreateGuardProps) => true | void;
+export interface CreatePermissionAction extends PermissionAction {
+    payloadGuard?: CreateGuardFn;
+    fields?: Record<string, true>;
+    mutate?: Record<string, FieldTrasnsformerFn>;
+}
+export {};

package/extensions/auth/config/permissionsAction/delete.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { PermissionAction } from "../extensionConfigSchema.ts";
+export interface DeletePermissionAction extends PermissionAction {
+}

package/extensions/auth/config/permissionsAction/read.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import type { Filter } from "@lobb-js/core";
+import type { PermissionAction, User } from "../extensionConfigSchema.ts";
+export interface ReadPermissionAction extends PermissionAction {
+    /**
+     * Filter that gets passed to the db select query condition
+     */
+    filter?: Filter<{
+        user?: User;
+    }>;
+    fields?: Record<string, true>;
+}

package/extensions/auth/config/permissionsAction/update.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import type { PermissionAction, User } from "../extensionConfigSchema.ts";
+interface FieldTrasnsformerFnParams {
+    value: unknown;
+    payload: Record<string, unknown>;
+    user?: User;
+}
+type FieldTrasnsformerFn = (params: FieldTrasnsformerFnParams) => unknown;
+interface UpdateGuardProps {
+    payload: Record<string, unknown>;
+    user?: User;
+}
+type UpdateGuardFn = (props: UpdateGuardProps) => true | void;
+export interface UpdatePermissionAction extends PermissionAction {
+    payloadGuard?: UpdateGuardFn;
+    fields?: Record<string, true>;
+    mutate?: Record<string, FieldTrasnsformerFn>;
+}
+export {};

package/extensions/auth/index.ts CHANGED Viewed

@@ -1,7 +1,6 @@
 import type { Extension } from "@lobb-js/core";
 import type { ExtensionConfig } from "./config/extensionConfigSchema.ts";
-import { init } from "./database/init.ts";
 import { collections } from "./collections/collections.ts";
 import { meta } from "./meta/meta.ts";
 import { migrations } from "./database/migrations.ts";
@@ -11,7 +10,6 @@ export default function auth(extensionConfig: ExtensionConfig): Extension {
   return {
     name: "auth",
     icon: "Key",
-    init: (lobb) => init(lobb, extensionConfig),
     collections: (lobb) => collections(lobb, extensionConfig),
     migrations: migrations,
     meta: (lobb) => meta(lobb, extensionConfig),

package/extensions/auth/permissions.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { CollectionPermissionActionsKeys, PermissionsConfig } from "./config/extensionConfigSchema.ts";
2	+ export declare function isActionAllowed(collection: string, action: CollectionPermissionActionsKeys, permissions: PermissionsConfig \| undefined): boolean;

package/extensions/auth/permissions.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import type {
+  CollectionPermissionActionsKeys,
+  PermissionsConfig,
+} from "./config/extensionConfigSchema.ts";
+// Pure permission check shared by the server-side handlePolicy and the
+// studio's auth.canAccess workflow. Walks the permissions tree and returns
+// a yes/no — server-side then layers on guards/filters/error-throwing,
+// client-side uses the answer to decide whether to render UI.
+//
+// An object value for action permission means "conditional access" (filter
+// and/or fields restrictions). For UI gating that counts as allowed; the
+// server enforces the actual restrictions on real requests.
+export function isActionAllowed(
+  collection: string,
+  action: CollectionPermissionActionsKeys,
+  permissions: PermissionsConfig | undefined,
+): boolean {
+  if (permissions === true) return true;
+  if (!permissions) return false;
+  const collPerm = permissions[collection];
+  if (collPerm === true) return true;
+  if (!collPerm) return false;
+  const actionPerm = collPerm[action];
+  if (actionPerm === true) return true;
+  // A conditional grant must actually list at least one constraint
+  // (filter / fields / payloadGuard / mutate). Empty `{}` collapses back
+  // to "no grant" — explicit `true` is required for unconditional access.
+  return (
+    typeof actionPerm === "object" &&
+    actionPerm !== null &&
+    Object.keys(actionPerm).length > 0
+  );
+}

package/extensions/auth/studio/auth.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import type { ExtensionUtils } from "@lobb-js/studio";
+import { remountStudio, type ExtensionUtils } from "@lobb-js/studio";
 interface LoginPayload {
   email: string;
@@ -39,12 +39,18 @@ export class Auth {
     const session = result.data;
     localStorage.setItem("lobb_session", JSON.stringify(session));
-    this.utils.ctx.extensions.auth.session = session;
     this.utils.lobb.setHeaders({
       Authorization: `Bearer ${session.access_token.token}`,
     });
     const redirectTo = new URLSearchParams(window.location.search).get("redirect");
-    this.utils.location.navigate(redirectTo || "/studio");
+    this.utils.goto(redirectTo || "/studio");
+    // Remount the Studio so onStartup re-runs and populates ctx with the
+    // freshly logged-in user's /me data. Everything inside Studio (sidebar,
+    // extensions, etc.) then initialises against the new session without
+    // needing per-component reactivity on auth state.
+    remountStudio();
   }
   public async logout() {
@@ -56,9 +62,23 @@ export class Auth {
     const currentPath = window.location.pathname;
     const loginPath = "/studio/extensions/auth/login_page";
     if (currentPath !== loginPath && currentPath !== "/studio") {
-      this.utils.location.navigate(`${loginPath}?redirect=${encodeURIComponent(currentPath)}`);
+      this.utils.goto(`${loginPath}?redirect=${encodeURIComponent(currentPath)}`);
     } else {
-      this.utils.location.navigate(loginPath);
+      this.utils.goto(loginPath);
     }
+    // Remount so onStartup re-runs against the cleared session — clears any
+    // stale ctx.extensions.auth.user / permissions from the previous user.
+    remountStudio();
+  }
+  public async fetchMe(): Promise<void> {
+    const response = await this.utils.lobb.request({
+      method: "GET",
+      route: "/api/collections/auth_users/me",
+    });
+    if (response.status >= 400) throw new Error("Failed to fetch /me");
+    const result = await response.json();
+    this.utils.ctx.extensions.auth.user = result.data;
+    this.utils.ctx.extensions.auth.permissions = result.permissions ?? {};
   }
 }