@lobb-js/lobb-ext-auth 0.10.4 → 0.11.1

package/extensions/auth/workflows/utils.ts

@@ -1,286 +1,194 @@
 import type { EventContext, Filter, Lobb } from "@lobb-js/core";
+import type { Context } from "hono";
 import type {
   CollectionPermissionActionsKeys,
   ExtensionConfig,
+  PermissionsConfig,
   User,
 } from "../config/extensionConfigSchema.ts";
-import { LobbError } from "@lobb-js/core";
+import { isActionAllowed } from "../permissions.ts";
+
+interface HandlePolicyOutput {
+  filter?: Filter;
+  payload?: Record<string, unknown>;
+}
 
 interface HandlePolicyProps {
   ctx: EventContext;
   collectionName: string;
   action: CollectionPermissionActionsKeys;
-  user: User | undefined;
-  input: any | undefined;
-  role?: string;
+  permissions: PermissionsConfig | undefined;
   lobb: Lobb;
-  extensionConfig: ExtensionConfig;
-}
-
-interface HandlePolicyOutput {
+  // Used by both filter-template rendering (for reads) and as the `user`
+  // argument passed into guard / mutate callbacks (for writes).
+  user?: User | undefined;
+  // Payload for create/update — passed to fields allowlist, guard, mutate.
   payload?: Record<string, unknown>;
-  filter?: Filter;
+  // Target id for findOne/update/delete — used by the self-read bypass.
+  recordId?: string | number;
+  // Query filter for findAll — used by the self-read bypass.
+  filter?: Record<string, unknown>;
 }
 
+// Permission decision for a request, regardless of where the permissions
+// came from (role config or share's embedded snapshot). Walks the tree,
+// throws FORBIDDEN if denied, returns void when unconditionally allowed,
+// returns { filter? } for conditional reads, returns { payload? } when
+// create/update mutators were applied. Static features (filter, fields
+// allowlist) work for both roles and shares; dynamic features (payload
+// guard, mutators) only fire when their function values exist in the
+// permissions object — for shares they're absent (stripped by JSON
+// serialisation) so those branches naturally no-op.
 export function handlePolicy({
   ctx,
   collectionName,
   action,
-  user,
-  input,
+  permissions,
   lobb,
-  role = "public",
-  extensionConfig,
+  user,
+  payload,
+  recordId,
+  filter,
 }: HandlePolicyProps): HandlePolicyOutput | void {
-  if (role === "admin") {
-    return;
-  }
-
-  const config = extensionConfig;
-  const currentRole = config.roles?.[role];
-
-  if (typeof currentRole === "undefined") {
-    if (role === "public") {
-      throw new ctx.LobbError({
-        code: "FORBIDDEN",
-        message: "You do not have permission to perform this action.",
-      });
+  // Self-row bypass: an authenticated user can always read/update/delete
+  // their own auth_users row regardless of role. Share requests have
+  // `user === undefined`, so they never hit this branch — they only get
+  // what their embedded permissions explicitly grant.
+  if (user && collectionName === "auth_users") {
+    if (action === "read" && filter && Object.keys(filter).length === 1 && filter.id === user.id) {
+      return;
+    }
+    if ((action === "update" || action === "delete") && recordId !== undefined && recordId === user.id) {
+      return;
     }
-    throw new ctx.LobbError({
-      code: "FORBIDDEN",
-      message: "Your role is not recognized by the system.",
-    });
-  }
-
-  const currentRolePermission = currentRole.permissions;
-
-  if (currentRolePermission === true) {
-    return;
   }
 
-  const collectionPermission = currentRolePermission[collectionName];
-
-  if (typeof collectionPermission === "undefined") {
+  if (!isActionAllowed(collectionName, action, permissions)) {
     throw new ctx.LobbError({
       code: "FORBIDDEN",
       message: "You do not have permission to perform this action.",
     });
   }
 
-  if (collectionPermission === true) {
-    return;
-  }
-
-  const permissionAction = collectionPermission[action];
+  const collPerm = permissions === true ? true : permissions![collectionName];
+  const actionPerm = collPerm === true ? true : collPerm![action];
 
-  if (typeof permissionAction === "undefined") {
-    throw new ctx.LobbError({
-      code: "FORBIDDEN",
-      message: "You do not have permission to perform this action.",
-    });
-  }
-
-  if (typeof permissionAction === "boolean") {
-    if (permissionAction === false) {
-      throw new ctx.LobbError({
-        code: "FORBIDDEN",
-        message: "You do not have permission to perform this action.",
-      });
+  if (action === "read") {
+    if (
+      typeof actionPerm === "object" && actionPerm !== null && actionPerm.filter
+    ) {
+      return {
+        filter: lobb.utils.renderTemplateDeep(actionPerm.filter, { user }),
+      };
     }
-
     return;
   }
 
-  if (action === "create") {
-    runGuard(user?.role, input.collectionName, "create", {
-      payload: input.data,
-      user: user,
-    }, extensionConfig);
-
-    handleFields(user?.role, input.collectionName, "create", input.data, extensionConfig);
-
-    const data = handleMutate(
-      user?.role,
-      input.collectionName,
-      "create",
-      input.data,
-      user,
-      extensionConfig,
-    );
-
-    return {
-      payload: data,
-    };
-  } else if (action === "read") {
-    const readFilter = getFilter(user?.role, input.collectionName, "read", extensionConfig);
-    const filter = lobb.utils.renderTemplateDeep(
-      readFilter,
-      {
-        user,
-      },
-    );
-
-    return {
-      filter,
-    };
-  } else if (action === "update") {
-    runGuard(user?.role, input.collectionName, "update", {
-      payload: input.data,
-      user: user,
-    }, extensionConfig);
-
-    handleFields(user?.role, input.collectionName, "update", input.data, extensionConfig);
-
-    const data = handleMutate(
-      user?.role,
-      input.collectionName,
-      "update",
-      input.data,
-      user,
-      extensionConfig,
-    );
-
-    return {
-      payload: data,
-    };
-  } else if (action === "delete") {
-  } else {
-    throw new Error(
-      `The (${action}) action is not implemented in the (auth) extension (handlePolicy) function`,
-    );
-  }
-}
-
-export function getFilter(
-  role: string = "public",
-  collectionName: string,
-  action: "read",
-  extensionConfig: ExtensionConfig,
-) {
-  const config = extensionConfig;
-  const permissions = config.roles[role]?.permissions;
-
-  if (permissions && permissions !== true) {
-    const collectionPermission = permissions[collectionName];
-    if (collectionPermission && collectionPermission !== true) {
-      const permission = collectionPermission[action];
-      if (permission && permission !== true) {
-        return permission.filter;
+  if (action === "create" || action === "update") {
+    // Field allowlist — static, works for both roles and shares.
+    if (actionPerm.fields && payload) {
+      const allowedFields = Object.keys(actionPerm.fields);
+      for (const fieldName of Object.keys(payload)) {
+        if (!allowedFields.includes(fieldName)) {
+          throw new ctx.LobbError({
+            code: "FORBIDDEN",
+            message:
+              `You do not have permission to modify the field (${fieldName}).`,
+          });
+        }
       }
     }
-  }
-}
 
-export function runGuard(
-  role: string = "public",
-  collectionName: string,
-  action: "create" | "update",
-  context: { payload: Record<string, unknown>; user?: User },
-  extensionConfig: ExtensionConfig,
-) {
-  const config = extensionConfig;
-  const permissions = config.roles[role]?.permissions;
-
-  if (permissions && permissions !== true) {
-    const collectionPermission = permissions[collectionName];
-    if (collectionPermission && collectionPermission !== true) {
-      const permission = collectionPermission[action];
-      if (permission && permission !== true) {
-        if (permission.payloadGuard) {
-          const result = permission.payloadGuard(context);
-          if (!result) {
-            throw new LobbError({
-              code: "FORBIDDEN",
-              message: "You do not have permission to perform this action.",
-            });
-          }
-        }
+    // Payload guard — dynamic function; absent for shares.
+    if (actionPerm.payloadGuard && payload) {
+      const allowed = actionPerm.payloadGuard({ payload, user });
+      if (!allowed) {
+        throw new ctx.LobbError({
+          code: "FORBIDDEN",
+          message: "You do not have permission to perform this action.",
+        });
       }
     }
-  }
-}
 
-export function handleFields(
-  role: string = "public",
-  collectionName: string,
-  action: "create" | "update",
-  payload: Record<string, unknown>,
-  extensionConfig: ExtensionConfig,
-) {
-  const config = extensionConfig;
-  const permissions = config.roles[role]?.permissions;
-
-  if (permissions && permissions !== true) {
-    const collectionPermission = permissions[collectionName];
-    if (collectionPermission && collectionPermission !== true) {
-      const permission = collectionPermission[action];
-      if (permission && permission !== true) {
-        if (permission.fields) {
-          const fields = permission.fields;
-          const allowedFields = Object.keys(fields);
-          const existingFields = Object.keys(payload);
-          // add the handler logic of the fields
-          for (const fieldName of existingFields) {
-            if (!allowedFields.includes(fieldName)) {
-              throw new LobbError({
-                code: "FORBIDDEN",
-                message:
-                  `You do not have permission to modify the field (${fieldName}).`,
-              });
-            }
-          }
-        }
+    // Mutators — dynamic functions; absent for shares.
+    if (actionPerm.mutate && payload) {
+      const mutated: Record<string, unknown> = structuredClone(payload);
+      for (
+        const [fieldName, mutateFn] of Object.entries(actionPerm.mutate) as [
+          string,
+          (
+            ctx: { value: unknown; payload: Record<string, unknown>; user?: User },
+          ) => unknown,
+        ][]
+      ) {
+        mutated[fieldName] = mutateFn({
+          value: payload[fieldName],
+          payload,
+          user,
+        });
       }
+      return { payload: mutated };
     }
   }
+
+  // delete and other actions with conditional perms have nothing extra to apply.
 }
 
-export function handleMutate(
-  role: string = "public",
-  collectionName: string,
-  action: "create" | "update",
-  payload: Record<string, unknown>,
-  user: User | undefined,
+interface ResolvedPermissions {
+  permissions: PermissionsConfig | undefined;
+  user: User | undefined;
+}
+
+// Picks the permission set for a request based on its bearer credential:
+// share token → share's embedded permissions; otherwise the user's role
+// in the extension config. Admin gets `permissions: true` which downstream
+// (handlePolicy, handleReadFields) treats as unconditional pass-through.
+// Throws FORBIDDEN when the role is unknown.
+export function resolveRequestPermissions(
+  context: Context,
   extensionConfig: ExtensionConfig,
-) {
-  const config = extensionConfig;
-  const permissions = config.roles[role]?.permissions;
-  const returnedPayload: Record<string, unknown> = structuredClone(payload);
+  ctx: EventContext,
+): ResolvedPermissions {
+  const share = context.get("auth_share") as
+    | { permissions: PermissionsConfig }
+    | undefined;
+  if (share) {
+    return { permissions: share.permissions, user: undefined };
+  }
 
-  if (permissions && permissions !== true) {
-    const collectionPermission = permissions[collectionName];
-    if (collectionPermission && collectionPermission !== true) {
-      const permission = collectionPermission[action];
-      if (permission && permission !== true) {
-        if (permission.mutate) {
-          for (
-            const [fieldName, mutateFn] of Object.entries(permission.mutate)
-          ) {
-            returnedPayload[fieldName] = mutateFn({
-              value: payload[fieldName],
-              payload,
-              user,
-            });
-          }
-        }
-      }
+  const user = context.get("auth_user") as User | undefined;
+  const role = user?.role ?? "public";
+
+  if (role === "admin") {
+    return { permissions: true, user };
+  }
+
+  const currentRole = extensionConfig.roles?.[role];
+  if (typeof currentRole === "undefined") {
+    if (role === "public") {
+      throw new ctx.LobbError({
+        code: "FORBIDDEN",
+        message: "You do not have permission to perform this action.",
+      });
     }
+    throw new ctx.LobbError({
+      code: "FORBIDDEN",
+      message: "Your role is not recognized by the system.",
+    });
   }
 
-  return returnedPayload;
+  return { permissions: currentRole.permissions, user };
 }
 
+// Post-read field allowlist. Filters out fields not in the role's
+// `read.fields` allowlist. Static feature — works for both roles and shares.
 export function handleReadFields(
-  role = "public",
+  permissions: PermissionsConfig | undefined,
   collectionName: string,
   payload: Record<string, unknown> | Record<string, unknown>[],
-  extensionConfig: ExtensionConfig,
 ) {
-  // filter the payload based on fields
-  const config = extensionConfig;
   let clonedPayload = structuredClone(payload);
 
-  const permissions = config.roles[role]?.permissions;
   if (permissions && typeof permissions !== "boolean") {
     const collectionPermission = permissions[collectionName];
     if (collectionPermission && typeof collectionPermission !== "boolean") {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lobb-js/lobb-ext-auth",
-  "version": "0.10.4",
+  "version": "0.11.1",
   "license": "UNLICENSED",
   "type": "module",
   "publishConfig": {
@@ -18,9 +18,8 @@
     }
   },
   "scripts": {
-    "test": "bun run test:lobb && bun run test:studio",
+    "test": "bun test extensions/auth/tests",
     "test:lobb": "bun test extensions/auth/tests",
-    "test:studio": "bun --bun playwright test --config extensions/auth/studio/tests/playwright.config.cjs",
     "dev": "bun run --watch lobb.ts",
     "dev:studio": "vite dev",
     "build": "vite build",
@@ -33,14 +32,13 @@
     "package": "svelte-package --input extensions/auth/studio"
   },
   "dependencies": {
-    "@lobb-js/core": "^0.31.9",
+    "@lobb-js/core": "^0.32.1",
     "argon2": "^0.40.3",
     "hono": "^4.7.0"
   },
   "devDependencies": {
-    "@lobb-js/studio": "^0.28.5",
+    "@lobb-js/studio": "^0.29.1",
     "@lucide/svelte": "^0.563.1",
-    "@playwright/test": "^1.58.2",
     "@sveltejs/adapter-node": "^5.5.4",
     "@sveltejs/kit": "^2.60.1",
     "@sveltejs/package": "^2.5.7",

package/dist/lib/components/pages/userSettings/components/account.svelte

@@ -1,106 +0,0 @@
-<script lang="ts">
-	import type { ExtensionProps } from "@lobb-js/studio";
-	import { onMount } from "svelte";
-
-	const { utils }: ExtensionProps = $props();
-
-	let user = $state({
-		old_password: "",
-		new_password: "",
-	});
-	const icons = utils.components.Icons;
-
-	// @ts-ignore: Im sure the session object exist
-	const currentUserId = utils.ctx.extensions.auth.session.user.id;
-	let loaded = $state(false);
-	onMount(async () => {
-		const response = await utils.lobb.findOne("auth_users", currentUserId);
-		const result = await response.json();
-		user = result.data;
-		loaded = true;
-	});
-
-	async function onUpdateCLick() {
-		if (!user.new_password) {
-			utils.toast.error("Make sure you fill the new password");
-			return;
-		} else if (!user.old_password) {
-			utils.toast.error("Make sure you fill the old password");
-			return;
-		}
-
-		const result = await utils.lobb.request({
-			method: "POST",
-			route: "/api/extensions/auth/change_password",
-			payload: {
-				old_password: user.old_password,
-				new_password: user.new_password,
-			},
-		});
-
-		if (result.status >= 400) {
-			return;
-		}
-
-		utils.toast.success("Account updated successfully.");
-	}
-</script>
-
-{#if loaded}
-	<div class="flex max-w-[40rem] flex-1 flex-col gap-4 overflow-y-visible">
-		<div>
-			<div class="text-lg font-semibold">Account</div>
-			<div class="text-sm text-muted-foreground">
-				Update your account settings.
-			</div>
-		</div>
-		<utils.components.Separator />
-		<!-- TODO: add prefered language here too -->
-		<div class="flex flex-col gap-2">
-			<div class="text-sm">Change Password</div>
-			<div class="flex gap-4">
-				<utils.components.Input
-					bind:value={user.old_password}
-					placeholder="Old password"
-					type="password"
-				/>
-				<utils.components.Input
-					bind:value={user.new_password}
-					placeholder="New password"
-					type="password"
-				/>
-			</div>
-			<div class="text-xs text-muted-foreground">
-				This is where you can change your password.
-			</div>
-		</div>
-		<utils.components.Button
-			class="self-start"
-			onclick={onUpdateCLick}
-			Icon={icons.Pencil}
-		>
-			Update Account
-		</utils.components.Button>
-	</div>
-{:else}
-	<div class="flex max-w-[40rem] flex-1 flex-col gap-8 overflow-y-visible">
-		<div class="grid gap-2">
-			<utils.components.Skeleton class="h-8 w-full max-w-60" />
-			<utils.components.Skeleton class="h-4 w-full max-w-96" />
-		</div>
-		<utils.components.Separator />
-		<div class="flex flex-col gap-2">
-			<utils.components.Skeleton class="h-4 w-full max-w-36" />
-			<utils.components.Skeleton class="h-8 w-full max-w-60" />
-			<utils.components.Skeleton class="h-4 w-full max-w-96" />
-		</div>
-		<div class="flex flex-col gap-2">
-			<utils.components.Skeleton class="h-4 w-full max-w-36" />
-			<div class="flex gap-4">
-				<utils.components.Skeleton class="h-8 w-full max-w-60" />
-				<utils.components.Skeleton class="h-8 w-full max-w-60" />
-			</div>
-			<utils.components.Skeleton class="h-4 w-full max-w-96" />
-		</div>
-	</div>
-{/if}

package/dist/lib/components/pages/userSettings/components/account.svelte.d.ts

@@ -1,14 +0,0 @@
-import { SvelteComponentTyped } from "svelte";
-declare const __propDef: {
-    props: Record<string, never>;
-    events: {
-        [evt: string]: CustomEvent<any>;
-    };
-    slots: {};
-};
-export type AccountProps = typeof __propDef.props;
-export type AccountEvents = typeof __propDef.events;
-export type AccountSlots = typeof __propDef.slots;
-export default class Account extends SvelteComponentTyped<AccountProps, AccountEvents, AccountSlots> {
-}
-export {};

package/dist/lib/components/pages/userSettings/components/profile.svelte

@@ -1,87 +0,0 @@
-<script lang="ts">
-	import type { ExtensionProps } from "@lobb-js/studio";
-	import { onMount } from "svelte";
-
-	const { utils }: ExtensionProps = $props();
-
-	let user = $state({
-		name: "",
-	});
-	const icons = utils.components.Icons;
-
-	// @ts-ignore: Im sure the session object exist
-	const currentUserId = utils.ctx.extensions.auth.session.user.id;
-	let loaded = $state(false);
-	onMount(async () => {
-		const response = await utils.lobb.findOne("auth_users", currentUserId);
-		const result = await response.json();
-		user = result.data;
-		loaded = true;
-	});
-
-	async function onUpdateCLick() {
-		// TODO: add the logic of updating some of the current user's information
-		const updateObject: any = {};
-		updateObject["name"] = user.name;
-		const response = await utils.lobb.updateOne(
-			"auth_users",
-			currentUserId,
-			updateObject,
-		);
-		if (response.status >= 400) {
-			const result = await response.json();
-			utils.toast.error(result.message);
-			return;
-		}
-		utils.toast.success("Profile updated successfully.");
-	}
-</script>
-
-{#if loaded}
-	<div class="flex max-w-[40rem] flex-1 flex-col gap-4 overflow-y-visible">
-		<div>
-			<div class="text-lg font-semibold">Profile</div>
-			<div class="text-sm text-muted-foreground">
-				Edit information that others will see.
-			</div>
-		</div>
-		<utils.components.Separator />
-		<!-- TODO: you should add name and other stuff like phone number and stuff like that -->
-		<div class="flex flex-col gap-2">
-			<div class="text-sm">Full Name</div>
-			<utils.components.Input
-				placeholder="Full Name"
-				bind:value={user.name}
-			/>
-			<div class="text-xs text-muted-foreground">
-				This is your public display name. It can be your real name or a
-				pseudonym.
-			</div>
-		</div>
-		<utils.components.Button
-			class="self-start"
-			onclick={onUpdateCLick}
-			Icon={icons.Pencil}
-		>
-			Update Profile
-		</utils.components.Button>
-	</div>
-{:else}
-	<div class="flex max-w-[40rem] flex-1 flex-col gap-8 overflow-y-visible">
-		<div class="grid gap-2">
-			<utils.components.Skeleton class="h-8 w-full max-w-60" />
-			<utils.components.Skeleton class="h-4 w-full max-w-96" />
-		</div>
-		<utils.components.Separator />
-		<div class="flex flex-col gap-2">
-			<utils.components.Skeleton class="h-4 w-full max-w-36" />
-			<utils.components.Skeleton class="h-8 w-full max-w-60" />
-			<utils.components.Skeleton class="h-4 w-full max-w-96" />
-		</div>
-		<div class="flex flex-col gap-2">
-			<utils.components.Skeleton class="h-4 w-full max-w-36" />
-			<utils.components.Skeleton class="h-8 w-full max-w-60" />
-			<utils.components.Skeleton class="h-4 w-full max-w-96" />
-		</div>
-	</div>
-{/if}

package/dist/lib/components/pages/userSettings/components/profile.svelte.d.ts

@@ -1,14 +0,0 @@
-import { SvelteComponentTyped } from "svelte";
-declare const __propDef: {
-    props: Record<string, never>;
-    events: {
-        [evt: string]: CustomEvent<any>;
-    };
-    slots: {};
-};
-export type ProfileProps = typeof __propDef.props;
-export type ProfileEvents = typeof __propDef.events;
-export type ProfileSlots = typeof __propDef.slots;
-export default class Profile extends SvelteComponentTyped<ProfileProps, ProfileEvents, ProfileSlots> {
-}
-export {};