@lobb-js/lobb-ext-auth 0.10.4 → 0.11.1

package/extensions/auth/tests/controllers/me.test.ts

@@ -269,4 +269,108 @@ describe("Login", () => {
 
     expect(response3.status).toEqual(200);
   });
+
+  describe("permissions in the /me response", () => {
+    async function login(email: string, password: string): Promise<string> {
+      const res = await fetch(`${baseUrl}/api/collections/auth_sessions`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ data: { email, password } }),
+      });
+      const body = await res.json();
+      return body.data.access_token.token;
+    }
+
+    async function createUser(email: string, password: string, role: string) {
+      await fetch(`${baseUrl}/api/collections/auth_users`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ data: { email, password, role } }),
+      });
+    }
+
+    it("should attach the role's permissions as a sibling of data for the current user via /me", async () => {
+      await createUser("perm_author@example.com", "pw", "author");
+      const token = await login("perm_author@example.com", "pw");
+
+      const res = await fetch(`${baseUrl}/api/collections/auth_users/me`, {
+        headers: { "Authorization": `Bearer ${token}` },
+      });
+      const body = await res.json();
+
+      expect(res.status).toEqual(200);
+      expect(body.data.permissions).toBeUndefined();
+      // author role config has auth_users.read/update/delete — function-typed
+      // filters get stripped to plain JSON before being returned.
+      expect(body.permissions).toEqual({
+        auth_users: {
+          read: { filter: {} },
+          update: true,
+          delete: true,
+        },
+        articles: {
+          read: {
+            filter: {},
+            fields: { id: true, title: true, body: true },
+          },
+          create: { fields: { title: true, body: true } },
+        },
+        auth_shares: {
+          create: true,
+        },
+      });
+    });
+
+    it("should not attach permissions when reading another user's row", async () => {
+      // login as admin so we can read other users
+      const adminToken = await login("admin@test.com", "admin");
+
+      // fetch a non-admin user's row by id
+      const otherUser = (await lobb.collectionService.findAll({
+        collectionName: "auth_users",
+        params: { filter: { email: "perm_author@example.com" } },
+      })).data[0];
+
+      const res = await fetch(
+        `${baseUrl}/api/collections/auth_users/${otherUser.id}`,
+        { headers: { "Authorization": `Bearer ${adminToken}` } },
+      );
+      const body = await res.json();
+
+      expect(res.status).toEqual(200);
+      expect(body.permissions).toBeUndefined();
+    });
+
+    it("should not attach permissions when the current user reads their own row by id (not via /me)", async () => {
+      const token = await login("perm_author@example.com", "pw");
+      const ownUser = (await lobb.collectionService.findAll({
+        collectionName: "auth_users",
+        params: { filter: { email: "perm_author@example.com" } },
+      })).data[0];
+
+      const res = await fetch(
+        `${baseUrl}/api/collections/auth_users/${ownUser.id}`,
+        { headers: { "Authorization": `Bearer ${token}` } },
+      );
+      const body = await res.json();
+
+      expect(res.status).toEqual(200);
+      expect(body.permissions).toBeUndefined();
+    });
+
+    it("should allow a user whose role has no auth_users.read permission to fetch /me", async () => {
+      // The "reader" role in authConfig has only articles.read — no auth_users
+      // perm at all. /me should still work because the user is reading their
+      // own row, but historically the internal findOne→findAll re-checked the
+      // policy on preFindAll and threw 403 for roles lacking auth_users.read.
+      await createUser("no_auth_perm@example.com", "pw", "reader");
+      const token = await login("no_auth_perm@example.com", "pw");
+
+      const res = await fetch(`${baseUrl}/api/collections/auth_users/me`, {
+        headers: { "Authorization": `Bearer ${token}` },
+      });
+
+      expect(res.status).toEqual(200);
+    });
+  });
 });

package/extensions/auth/tests/permissions.test.ts

@@ -0,0 +1,127 @@
+import { describe, it, expect } from "bun:test";
+import { isActionAllowed } from "../permissions.ts";
+
+// Default-deny is the contract: only explicit `true` or an object that
+// actually lists at least one constraint counts as a grant. Anything empty
+// (`undefined`, `{}`, `null`) at ANY level — role / collection / action —
+// must collapse to "no grant". These tests pin that invariant so a future
+// refactor can't accidentally turn `{}` back into "allow".
+describe("isActionAllowed — empty {} means false at every level", () => {
+  describe("role permissions level", () => {
+    it("returns false for undefined permissions", () => {
+      expect(isActionAllowed("articles", "read", undefined)).toBe(false);
+      expect(isActionAllowed("articles", "create", undefined)).toBe(false);
+      expect(isActionAllowed("articles", "update", undefined)).toBe(false);
+      expect(isActionAllowed("articles", "delete", undefined)).toBe(false);
+    });
+
+    it("returns false for an empty {} permissions object", () => {
+      expect(isActionAllowed("articles", "read", {})).toBe(false);
+      expect(isActionAllowed("articles", "create", {})).toBe(false);
+      expect(isActionAllowed("articles", "update", {})).toBe(false);
+      expect(isActionAllowed("articles", "delete", {})).toBe(false);
+    });
+
+    it("returns true only for the explicit `true` shortcut (admin)", () => {
+      expect(isActionAllowed("articles", "read", true)).toBe(true);
+      expect(isActionAllowed("any_collection_name", "delete", true)).toBe(true);
+    });
+  });
+
+  describe("collection level", () => {
+    it("returns false when the collection is missing from permissions", () => {
+      const perms = { articles: { read: true } };
+      expect(isActionAllowed("auth_users", "read", perms)).toBe(false);
+      expect(isActionAllowed("auth_users", "create", perms)).toBe(false);
+    });
+
+    it("returns false when the collection's value is explicitly undefined", () => {
+      const perms = { articles: undefined };
+      expect(isActionAllowed("articles", "read", perms)).toBe(false);
+      expect(isActionAllowed("articles", "create", perms)).toBe(false);
+    });
+
+    it("returns false when the collection is an empty {}", () => {
+      const perms = { articles: {} };
+      expect(isActionAllowed("articles", "read", perms)).toBe(false);
+      expect(isActionAllowed("articles", "create", perms)).toBe(false);
+      expect(isActionAllowed("articles", "update", perms)).toBe(false);
+      expect(isActionAllowed("articles", "delete", perms)).toBe(false);
+    });
+
+    it("returns true when the collection is explicitly `true`", () => {
+      const perms = { articles: true as const };
+      expect(isActionAllowed("articles", "read", perms)).toBe(true);
+      expect(isActionAllowed("articles", "create", perms)).toBe(true);
+      expect(isActionAllowed("articles", "update", perms)).toBe(true);
+      expect(isActionAllowed("articles", "delete", perms)).toBe(true);
+    });
+  });
+
+  describe("action level", () => {
+    it("returns false when the action is missing from the collection", () => {
+      const perms = { articles: { read: true } };
+      expect(isActionAllowed("articles", "create", perms)).toBe(false);
+      expect(isActionAllowed("articles", "update", perms)).toBe(false);
+      expect(isActionAllowed("articles", "delete", perms)).toBe(false);
+    });
+
+    it("returns false when the action is an empty {} — no constraints listed", () => {
+      // This is the footgun the rule fixes: an empty constraint object used
+      // to count as "conditional grant with no constraints" → effectively
+      // unconditional allow. Now it collapses to no grant.
+      expect(isActionAllowed("articles", "read", { articles: { read: {} } })).toBe(false);
+      expect(isActionAllowed("articles", "create", { articles: { create: {} } })).toBe(false);
+      expect(isActionAllowed("articles", "update", { articles: { update: {} } })).toBe(false);
+      expect(isActionAllowed("articles", "delete", { articles: { delete: {} } })).toBe(false);
+    });
+
+    it("returns false when the action is explicitly undefined", () => {
+      const perms = { articles: { read: undefined, create: undefined } };
+      expect(isActionAllowed("articles", "read", perms)).toBe(false);
+      expect(isActionAllowed("articles", "create", perms)).toBe(false);
+    });
+
+    it("returns true when the action is explicitly `true`", () => {
+      expect(isActionAllowed("articles", "read", { articles: { read: true } })).toBe(true);
+      expect(isActionAllowed("articles", "create", { articles: { create: true } })).toBe(true);
+    });
+
+    it("returns true when the action has at least one real constraint", () => {
+      // `filter` for read
+      expect(
+        isActionAllowed("articles", "read", {
+          articles: { read: { filter: { id: 1 } } },
+        }),
+      ).toBe(true);
+      // `fields` allowlist for read
+      expect(
+        isActionAllowed("articles", "read", {
+          articles: { read: { fields: { title: true } } },
+        }),
+      ).toBe(true);
+      // `fields` allowlist for create
+      expect(
+        isActionAllowed("articles", "create", {
+          articles: { create: { fields: { title: true } } },
+        }),
+      ).toBe(true);
+    });
+  });
+
+  describe("cross-level: only the relevant level needs to grant", () => {
+    it("an empty {} at any single level kills the chain regardless of siblings", () => {
+      // Other collections have grants, but `articles` is `{}` → no articles access.
+      const perms = { auth_users: { read: true }, articles: {} };
+      expect(isActionAllowed("articles", "read", perms)).toBe(false);
+      // Sibling still works.
+      expect(isActionAllowed("auth_users", "read", perms)).toBe(true);
+    });
+
+    it("an empty {} action doesn't bleed into other actions on the same collection", () => {
+      const perms = { articles: { read: true, create: {} } };
+      expect(isActionAllowed("articles", "read", perms)).toBe(true);
+      expect(isActionAllowed("articles", "create", perms)).toBe(false);
+    });
+  });
+});

package/extensions/auth/tests/workflows/shareIntersection.test.ts

@@ -0,0 +1,158 @@
+import { describe, it, expect } from "bun:test";
+import { isShareSubsetOfCreator } from "../../workflows/shareIntersection.ts";
+
+describe("isShareSubsetOfCreator", () => {
+  describe("creator: true (admin)", () => {
+    it("allows any share, including true", () => {
+      expect(isShareSubsetOfCreator(true, true)).toBe(true);
+      expect(isShareSubsetOfCreator({ articles: { read: true } }, true)).toBe(true);
+      expect(
+        isShareSubsetOfCreator(
+          { auth_users: { read: true, update: true } },
+          true,
+        ),
+      ).toBe(true);
+    });
+  });
+
+  describe("share: true (unconditional)", () => {
+    it("requires creator: true — anything else is broader", () => {
+      expect(isShareSubsetOfCreator(true, { articles: { read: true } })).toBe(false);
+      expect(isShareSubsetOfCreator(true, undefined)).toBe(false);
+      expect(isShareSubsetOfCreator(true, {})).toBe(false);
+    });
+  });
+
+  describe("empty / missing share", () => {
+    it("an empty share is trivially a subset", () => {
+      expect(isShareSubsetOfCreator(undefined, undefined)).toBe(true);
+      expect(isShareSubsetOfCreator({}, undefined)).toBe(true);
+      expect(isShareSubsetOfCreator({}, { articles: { read: true } })).toBe(true);
+    });
+  });
+
+  describe("missing creator collection", () => {
+    it("rejects when share names a collection the creator has no perm for", () => {
+      expect(
+        isShareSubsetOfCreator(
+          { auth_users: { read: true } },
+          { articles: { read: true } },
+        ),
+      ).toBe(false);
+    });
+  });
+
+  describe("creator: true on collection", () => {
+    it("allows any action grant on that collection", () => {
+      expect(
+        isShareSubsetOfCreator(
+          { articles: { read: true, create: true } },
+          { articles: true },
+        ),
+      ).toBe(true);
+      expect(
+        isShareSubsetOfCreator(
+          { articles: { read: { filter: { id: 1 } } } },
+          { articles: true },
+        ),
+      ).toBe(true);
+    });
+  });
+
+  describe("share: true on a collection where creator is conditional", () => {
+    it("rejects — share unconditional > creator conditional", () => {
+      expect(
+        isShareSubsetOfCreator(
+          { articles: true },
+          { articles: { read: true } },
+        ),
+      ).toBe(false);
+    });
+  });
+
+  describe("share: true on an action where creator is conditional", () => {
+    it("rejects — unconditional action > conditional action", () => {
+      expect(
+        isShareSubsetOfCreator(
+          { articles: { read: true } },
+          { articles: { read: { filter: { user_id: 1 } } } },
+        ),
+      ).toBe(false);
+    });
+
+    it("accepts when creator is also true on that action", () => {
+      expect(
+        isShareSubsetOfCreator(
+          { articles: { read: true } },
+          { articles: { read: true } },
+        ),
+      ).toBe(true);
+    });
+  });
+
+  describe("missing creator action", () => {
+    it("rejects when share has an action the creator doesn't", () => {
+      expect(
+        isShareSubsetOfCreator(
+          { articles: { create: true } },
+          { articles: { read: true } },
+        ),
+      ).toBe(false);
+    });
+  });
+
+  describe("fields allowlist subsetting", () => {
+    it("accepts when share's fields are a subset of creator's", () => {
+      expect(
+        isShareSubsetOfCreator(
+          { articles: { create: { fields: { title: true } } } },
+          { articles: { create: { fields: { title: true, body: true } } } },
+        ),
+      ).toBe(true);
+    });
+
+    it("rejects when share's fields include one the creator doesn't allow", () => {
+      expect(
+        isShareSubsetOfCreator(
+          {
+            articles: {
+              create: { fields: { title: true, published: true } },
+            },
+          },
+          { articles: { create: { fields: { title: true, body: true } } } },
+        ),
+      ).toBe(false);
+    });
+
+    it("rejects share that omits fields restriction when creator has one", () => {
+      // No fields key = no restriction = broader than the creator.
+      expect(
+        isShareSubsetOfCreator(
+          { articles: { create: {} } },
+          { articles: { create: { fields: { title: true } } } },
+        ),
+      ).toBe(false);
+    });
+
+    it("allows omitting fields when creator has no fields restriction either", () => {
+      expect(
+        isShareSubsetOfCreator(
+          { articles: { create: {} } },
+          { articles: { create: {} as any } },
+        ),
+      ).toBe(true);
+    });
+  });
+
+  describe("filter subsetting (intentionally not enforced)", () => {
+    it("accepts any share filter when creator has a conditional read", () => {
+      // Documented limitation — we don't try to prove filter subsets.
+      expect(
+        isShareSubsetOfCreator(
+          { articles: { read: { filter: { id: 42 } } } },
+          { articles: { read: { filter: { user_id: 1 } } } },
+        ),
+      ).toBe(true);
+    });
+  });
+});

package/extensions/auth/workflows/baseWorkflow.ts

@@ -39,45 +39,67 @@ export function getBaseWorkflows(_extensionConfig: ExtensionConfig): Workflow[]
 }
 
 export const baseWorkflows: Workflow[] = [
+  // TODO: we should never use this hook at all. we should totally remove it from the core
+  // and we should instead use the controller level to implement
+  // people can abuse this and start creating custom endpoints with it which should be discouraged totally
+  // and users shouldnt be allowed to do because they they loose all lobb features for nothing. they lose auth, logs, workflows etc...
   {
     name: "auth_BearerTokenHandler",
     eventName: "core.webserver.middlwares.pre",
     handler: async (input, ctx) => {
       const token = getBearerToken(input.context);
-      if (token) {
-        const sessionsResult = await ctx.workflows.collectionService({
+      if (!token) return input;
+
+      const context = input.context as Context;
+
+      // 1) Try the token as a normal user session.
+      const sessionsResult = await ctx.workflows.collectionService({
+        method: "findAll",
+        props: {
+          collectionName: "auth_sessions",
+          params: { filter: { token } },
+        },
+      });
+      const session = sessionsResult.data[0];
+
+      if (session) {
+        const usersResult = await ctx.workflows.collectionService({
           method: "findAll",
           props: {
-            collectionName: "auth_sessions",
-            params: {
-              filter: {
-                token,
-              },
-            },
+            collectionName: "auth_users",
+            params: { filter: { id: session.user_id } },
           },
         });
+        const user = usersResult.data[0];
 
-        const session = sessionsResult.data[0];
-
-        if (session) {
-          const usersResult = await ctx.workflows.collectionService({
-            method: "findAll",
-            props: {
-              collectionName: "auth_users",
-              params: {
-                filter: {
-                  id: session.user_id,
-                },
-              },
-            },
-          });
-          const user = usersResult.data[0];
+        context.set("auth_session", session);
+        context.set("auth_user", user);
+        return input;
+      }
 
-          const context = input.context as Context;
-          context.set("auth_session", session);
-          context.set("auth_user", user);
+      // 2) Otherwise try the token as a share. Shares carry their own
+      //    permissions snapshot and have a fixed expiry — no user identity.
+      const sharesResult = await ctx.workflows.collectionService({
+        method: "findAll",
+        props: {
+          collectionName: "auth_shares",
+          params: { filter: { token } },
+        },
+      });
+      const share = sharesResult.data[0];
+
+      if (share && new Date(share.expires_at) > new Date()) {
+        let permissions: any = {};
+        try {
+          permissions = JSON.parse(share.permissions ?? "{}");
+        } catch {
+          // malformed permissions — treat as no access
+          permissions = {};
         }
+        context.set("auth_share", { ...share, permissions });
       }
+
+      return input;
     },
   },
   // auth_logins workflows

package/extensions/auth/workflows/currentUserPermissionsWorkflow.ts

@@ -0,0 +1,32 @@
+import type { Workflow } from "@lobb-js/core";
+import type { Context } from "hono";
+import type { ExtensionConfig } from "../config/extensionConfigSchema.ts";
+
+// Augment the response of GET /api/collections/auth_users/me with the
+// user's effective permissions, so the studio can gate UI without
+// exposing the full roles map in meta. Other reads of auth_users
+// (another user, or the current user fetching themselves by numeric id)
+// are untouched. Sits at the controller layer so `permissions` is a
+// sibling of `data` in the response wrapper, not mixed into the row.
+export function getCurrentUserPermissionsWorkflow(
+  extensionConfig: ExtensionConfig,
+): Workflow {
+  return {
+    name: "auth_attachCurrentUserPermissions",
+    eventName: "core.controllers.findOne",
+    handler: async (input) => {
+      if (input.collectionName !== "auth_users") return input;
+      const context = input.context as Context | undefined;
+      if (context?.req.param("id") !== "me") return input;
+
+      const role = input.response?.data?.role;
+      // Strip functions (e.g. dynamic filter predicates) — they can't be
+      // serialised to the client.
+      const permissions = JSON.parse(JSON.stringify(
+        extensionConfig.roles?.[role]?.permissions ?? {},
+      ));
+      input.response = { ...input.response, permissions };
+      return input;
+    },
+  };
+}

package/extensions/auth/workflows/index.ts

@@ -2,16 +2,28 @@ import type { Workflow } from "@lobb-js/core";
 import type { ExtensionConfig } from "../config/extensionConfigSchema.ts";
 import { getPoliciesWorkflows } from "./policiesWorkflows.ts";
 import { meAliasWorkflows } from "./meAliasWorkflows.ts";
+import { getCurrentUserPermissionsWorkflow } from "./currentUserPermissionsWorkflow.ts";
 import { getBaseWorkflows } from "./baseWorkflow.ts";
+import { getSharesWorkflows } from "./sharesWorkflows.ts";
+import { init } from "../database/init.ts";
 export function getWorkflows(extensionConfig: ExtensionConfig): Workflow[] {
   return [
+    {
+      name: "auth_init",
+      eventName: "core.init",
+      handler: async (_input, ctx) => {
+        await init(ctx.lobb, extensionConfig);
+      },
+    },
     ...getBaseWorkflows(extensionConfig),
+    ...getSharesWorkflows(extensionConfig),
 
     // TODO: think about putting the below workflows above at the beggining
     // this will give us the ability to specify which roles have the ability to login, register etc
 
     // workflows that handles policies
     ...meAliasWorkflows,
+    getCurrentUserPermissionsWorkflow(extensionConfig),
     ...getPoliciesWorkflows(extensionConfig),
     // TODO: record users activity feed
     // {

package/extensions/auth/workflows/meAliasWorkflows.ts

@@ -25,6 +25,32 @@ export const meAliasWorkflows: Workflow[] = [
     name: "auth_userFindOneMeAlias",
     eventName: "core.store.preFindOne",
     handler: async (input, ctx) => {
+      // Share bearers don't have an auth_users row to fetch — short-circuit
+      // the findOne with the share's permissions snapshot. Studio uses the
+      // same /me endpoint to learn what the current bearer can do regardless
+      // of bearer type. Falls through to resolveMeAlias otherwise (which
+      // handles the session case and throws for unauthenticated requests).
+      if (input.collectionName === "auth_users" && input.id === "me") {
+        const context = input.context as Context;
+        const user = context.get("auth_user") as User | undefined;
+        if (!user) {
+          const share = context.get("auth_share") as
+            | { permissions: any }
+            | undefined;
+          if (share) {
+            throw new Response(
+              JSON.stringify({
+                data: null,
+                permissions: share.permissions,
+              }),
+              {
+                status: 200,
+                headers: { "Content-Type": "application/json" },
+              },
+            );
+          }
+        }
+      }
       input.id = resolveMeAlias(input, ctx);
       return input;
     },