npm - @lobb-js/lobb-ext-auth - Versions diffs - 0.11.0 → 0.11.2 - Mend

@lobb-js/lobb-ext-auth 0.11.0 → 0.11.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

package/extensions/auth/workflows/policiesWorkflows.ts CHANGED Viewed

@@ -1,7 +1,11 @@
 import type { Lobb, Workflow } from "@lobb-js/core";
 import type { Context } from "hono";
-import type { ExtensionConfig, User } from "../config/extensionConfigSchema.ts";
-import { handlePolicy, handleReadFields } from "./utils.ts";
+import type { ExtensionConfig } from "../config/extensionConfigSchema.ts";
+import {
+  handlePolicy,
+  handleReadFields,
+  resolveRequestPermissions,
+} from "./utils.ts";
 export function getPoliciesWorkflows(extensionConfig: ExtensionConfig): Workflow[] {
   return [
@@ -12,22 +16,22 @@ export function getPoliciesWorkflows(extensionConfig: ExtensionConfig): Workflow
       if (input.triggeredBy === "API") {
         const context = input.context as Context;
         const lobb = context.get("lobb") as Lobb;
-        const user = context.get("auth_user") as User | undefined;
+        const { permissions, user } = resolveRequestPermissions(
+          context,
+          extensionConfig,
+          ctx,
+        );
         const output = handlePolicy({
-          action: "create",
           collectionName: input.collectionName,
-          role: user?.role,
-          user,
-          input,
+          action: "create",
+          permissions,
           lobb,
           ctx,
-          extensionConfig,
+          user,
+          payload: input.data,
         });
-        if (output && output.payload) {
-          input.data = output.payload;
-        }
+        if (output?.payload) input.data = output.payload;
       }
       return input;
     },
@@ -39,55 +43,22 @@ export function getPoliciesWorkflows(extensionConfig: ExtensionConfig): Workflow
       if (input.triggeredBy === "API") {
         const context = input.context as Context;
         const lobb = context.get("lobb") as Lobb;
-        const user = context.get("auth_user") as User | undefined;
-        const output = handlePolicy({
-          action: "read",
-          collectionName: input.collectionName,
-          role: user?.role,
-          user,
-          input,
-          lobb,
-          ctx,
+        const { permissions, user } = resolveRequestPermissions(
+          context,
           extensionConfig,
-        });
-        if (output && output.filter) {
-          input.filter = output.filter;
-        }
-      }
-      return input;
-    },
-  },
-  {
-    name: "auth_policyPreFindOne",
-    eventName: "core.store.preFindOne",
-    handler: async (input, ctx) => {
-      if (input.triggeredBy === "API") {
-        const context = input.context as Context;
-        const lobb = context.get("lobb") as Lobb;
-        const user = context.get("auth_user") as User | undefined;
-        // pass if the user is effecting himself
-        const currentUser = input.id === user?.id;
-        if (input.collectionName === "auth_users" && currentUser) {
-          return input;
-        }
+          ctx,
+        );
         const output = handlePolicy({
-          action: "read",
           collectionName: input.collectionName,
-          role: user?.role,
-          user,
-          input,
+          action: "read",
+          permissions,
           lobb,
           ctx,
-          extensionConfig,
+          user,
+          filter: input.params?.filter,
         });
-        if (output && output.filter) {
-          input.filter = output.filter;
-        }
+        if (output?.filter) input.filter = output.filter;
       }
       return input;
     },
@@ -99,24 +70,23 @@ export function getPoliciesWorkflows(extensionConfig: ExtensionConfig): Workflow
       if (input.triggeredBy === "API") {
         const context = input.context as Context;
         const lobb = context.get("lobb") as Lobb;
-        const user = context.get("auth_user") as User | undefined;
-        // pass if the user is effecting himself
-        const currentUser = input.id === user?.id;
-        if (input.collectionName === "auth_users" && currentUser) {
-          return input;
-        }
+        const { permissions, user } = resolveRequestPermissions(
+          context,
+          extensionConfig,
+          ctx,
+        );
-        handlePolicy({
-          action: "update",
+        const output = handlePolicy({
           collectionName: input.collectionName,
-          role: user?.role,
-          user,
-          input,
+          action: "update",
+          permissions,
           lobb,
           ctx,
-          extensionConfig,
+          user,
+          payload: input.data,
+          recordId: input.id,
         });
+        if (output?.payload) input.data = output.payload;
       }
       return input;
     },
@@ -128,42 +98,39 @@ export function getPoliciesWorkflows(extensionConfig: ExtensionConfig): Workflow
       if (input.triggeredBy === "API") {
         const context = input.context as Context;
         const lobb = context.get("lobb") as Lobb;
-        const user = context.get("auth_user") as User | undefined;
-        // pass if the user is effecting himself
-        const currentUser = input.id === user?.id;
-        if (input.collectionName === "auth_users" && currentUser) {
-          return input;
-        }
+        const { permissions, user } = resolveRequestPermissions(
+          context,
+          extensionConfig,
+          ctx,
+        );
         handlePolicy({
-          action: "delete",
           collectionName: input.collectionName,
-          role: user?.role,
-          user,
-          input,
+          action: "delete",
+          permissions,
           lobb,
           ctx,
-          extensionConfig,
+          user,
+          recordId: input.id,
         });
       }
       return input;
     },
   },
-  // handling read fields property
+  // Post-fetch field-level filtering using the role/share's `read.fields`
+  // allowlist (static — works the same for both sources).
   {
     name: "auth_policyPostQuery",
     eventName: "core.store.findAll",
     handler: async (input, ctx) => {
       if (input.triggeredBy === "API") {
         const context = input.context as Context;
-        const user = context.get("auth_user") as User | undefined;
-        input.data = handleReadFields(
-          user?.role,
-          input.collectionName,
-          input.data,
+        const { permissions } = resolveRequestPermissions(
+          context,
           extensionConfig,
+          ctx,
         );
+        input.data = handleReadFields(permissions, input.collectionName, input.data);
       }
       return input;
     },
@@ -174,13 +141,12 @@ export function getPoliciesWorkflows(extensionConfig: ExtensionConfig): Workflow
     handler: async (input, ctx) => {
       if (input.triggeredBy === "API") {
         const context = input.context as Context;
-        const user = context.get("auth_user") as User | undefined;
-        input.data = handleReadFields(
-          user?.role,
-          input.collectionName,
-          input.data,
+        const { permissions } = resolveRequestPermissions(
+          context,
           extensionConfig,
+          ctx,
         );
+        input.data = handleReadFields(permissions, input.collectionName, input.data);
       }
       return input;
     },
@@ -191,13 +157,12 @@ export function getPoliciesWorkflows(extensionConfig: ExtensionConfig): Workflow
     handler: async (input, ctx) => {
       if (input.triggeredBy === "API") {
         const context = input.context as Context;
-        const user = context.get("auth_user") as User | undefined;
-        input.data = handleReadFields(
-          user?.role,
-          input.collectionName,
-          input.data,
+        const { permissions } = resolveRequestPermissions(
+          context,
           extensionConfig,
+          ctx,
         );
+        input.data = handleReadFields(permissions, input.collectionName, input.data);
       }
       return input;
     },
@@ -208,30 +173,12 @@ export function getPoliciesWorkflows(extensionConfig: ExtensionConfig): Workflow
     handler: async (input, ctx) => {
       if (input.triggeredBy === "API") {
         const context = input.context as Context;
-        const user = context.get("auth_user") as User | undefined;
-        input.data = handleReadFields(
-          user?.role,
-          input.collectionName,
-          input.data,
-          extensionConfig,
-        );
-      }
-      return input;
-    },
-  },
-  {
-    name: "auth_policyPostReadForDelete",
-    eventName: "core.store.updateOne",
-    handler: async (input, ctx) => {
-      if (input.triggeredBy === "API") {
-        const context = input.context as Context;
-        const user = context.get("auth_user") as User | undefined;
-        input.data = handleReadFields(
-          user?.role,
-          input.collectionName,
-          input.data,
+        const { permissions } = resolveRequestPermissions(
+          context,
           extensionConfig,
+          ctx,
         );
+        input.data = handleReadFields(permissions, input.collectionName, input.data);
       }
       return input;
     },

package/extensions/auth/workflows/shareIntersection.ts ADDED Viewed

@@ -0,0 +1,64 @@
+import type {
+  CollectionPermissionsConfig,
+  PermissionsConfig,
+} from "../config/extensionConfigSchema.ts";
+// Returns true if `share` permissions are fully covered by `creator`
+// permissions — i.e. a user with `creator` is allowed to mint a share that
+// grants `share`. Used to enforce that share creators can never grant more
+// than they have themselves.
+//
+// Filter comparison is intentionally not structural: when both sides are
+// conditional reads with their own filter, the share filter is accepted
+// as-is. Statically deciding whether one filter is a subset of another is
+// intractable in the general case; the documented behaviour is that the
+// share's filter applies as written to share-token requests.
+export function isShareSubsetOfCreator(
+  share: PermissionsConfig | undefined,
+  creator: PermissionsConfig | undefined,
+): boolean {
+  if (creator === true) return true;
+  if (share === true) return false;
+  if (!share) return true;
+  for (const [collection, sharePerm] of Object.entries(share)) {
+    if (sharePerm === undefined) continue;
+    if (!isCollectionSubset(sharePerm, creator?.[collection])) return false;
+  }
+  return true;
+}
+function isCollectionSubset(
+  share: CollectionPermissionsConfig,
+  creator: CollectionPermissionsConfig | undefined,
+): boolean {
+  if (creator === true) return true;
+  if (!creator) return false;
+  if (share === true) return false;
+  for (const [action, sharePerm] of Object.entries(share)) {
+    if (sharePerm === undefined) continue;
+    const creatorPerm = (creator as Record<string, unknown>)[action];
+    if (!isActionSubset(sharePerm, creatorPerm)) return false;
+  }
+  return true;
+}
+function isActionSubset(share: unknown, creator: unknown): boolean {
+  if (creator === true) return true;
+  if (creator === undefined || creator === null) return false;
+  if (share === true) return false;
+  // Both conditional — verify the share's fields allowlist is a subset of
+  // the creator's (if the creator has one).
+  const creatorObj = creator as { fields?: Record<string, true> };
+  const shareObj = share as { fields?: Record<string, true> };
+  if (creatorObj.fields) {
+    if (!shareObj.fields) return false;
+    const creatorFields = Object.keys(creatorObj.fields);
+    for (const f of Object.keys(shareObj.fields)) {
+      if (!creatorFields.includes(f)) return false;
+    }
+  }
+  return true;
+}

package/extensions/auth/workflows/sharesWorkflows.ts ADDED Viewed

@@ -0,0 +1,135 @@
+import type { Workflow } from "@lobb-js/core";
+import type { Context } from "hono";
+import type {
+  ExtensionConfig,
+  PermissionsConfig,
+  User,
+} from "../config/extensionConfigSchema.ts";
+import { generateRandomId } from "../utils.ts";
+import { resolveRequestPermissions } from "./utils.ts";
+import { isShareSubsetOfCreator } from "./shareIntersection.ts";
+export function getSharesWorkflows(extensionConfig: ExtensionConfig): Workflow[] {
+  return [
+    // Server-side generates the share's bearer token on create so callers
+    // can't pick a guessable value. The freshly generated token is returned
+    // in the createOne response (since we mutate input.data before the row
+    // is written).
+    {
+      name: "auth_generateShareToken",
+      eventName: "core.store.preCreateOne",
+      handler: async (input) => {
+        if (input.collectionName === "auth_shares") {
+          input.data.token = generateRandomId();
+        }
+        return input;
+      },
+    },
+    // Normalize the two ways a caller can specify share lifetime into the
+    // single `expires_at` column the rest of the system uses. Runs at the
+    // service layer, which fires before the store-level required-field
+    // check — so `expires_at` can stay schema-required while still letting
+    // callers send only `expires_in_seconds`. Keeps an explicit "neither
+    // provided" throw for a friendlier error message than the generic
+    // required-field error.
+    {
+      name: "auth_normalizeShareExpiry",
+      eventName: "core.service.preCreateOne",
+      handler: async (input, ctx) => {
+        if (input.collectionName !== "auth_shares") return input;
+        const seconds = input.data.expires_in_seconds;
+        if (typeof seconds === "number") {
+          if (!Number.isFinite(seconds) || seconds <= 0) {
+            throw new ctx.LobbError({
+              code: "BAD_REQUEST",
+              message: "expires_in_seconds must be a positive number.",
+            });
+          }
+          input.data.expires_at = new Date(Date.now() + seconds * 1000)
+            .toISOString();
+          delete input.data.expires_in_seconds;
+        }
+        if (!input.data.expires_at) {
+          throw new ctx.LobbError({
+            code: "BAD_REQUEST",
+            message:
+              "Must provide either expires_at or expires_in_seconds when creating a share.",
+          });
+        }
+        return input;
+      },
+    },
+    // Auto-set created_by from the authenticated request user so callers
+    // can't forge the field. Internal callers (tests/server code using the
+    // service layer directly) are trusted and must supply created_by
+    // themselves.
+    {
+      name: "auth_setShareCreatedBy",
+      eventName: "core.store.preCreateOne",
+      handler: async (input) => {
+        if (input.collectionName !== "auth_shares") return input;
+        if (input.triggeredBy !== "API") return input;
+        const context = input.context as Context;
+        const user = context.get("auth_user") as User | undefined;
+        if (user) input.data.created_by = user.id;
+        return input;
+      },
+    },
+    // Intersection guard: a share's embedded permissions snapshot must be a
+    // subset of the creator's own permissions. Without this, any user who can
+    // create rows in auth_shares could mint a token that grants admin-level
+    // access. Only runs for API-triggered creates — internal callers (server
+    // code, tests using collectionService directly) are trusted.
+    {
+      name: "auth_validateShareSubset",
+      eventName: "core.store.preCreateOne",
+      handler: async (input, ctx) => {
+        if (input.collectionName !== "auth_shares") return input;
+        if (input.triggeredBy !== "API") return input;
+        const context = input.context as Context;
+        const { permissions: creatorPermissions } = resolveRequestPermissions(
+          context,
+          extensionConfig,
+          ctx,
+        );
+        let sharePermissions: PermissionsConfig;
+        try {
+          sharePermissions = JSON.parse(input.data.permissions);
+        } catch {
+          throw new ctx.LobbError({
+            code: "BAD_REQUEST",
+            message: "Share permissions must be valid JSON.",
+          });
+        }
+        if (!isShareSubsetOfCreator(sharePermissions, creatorPermissions)) {
+          throw new ctx.LobbError({
+            code: "FORBIDDEN",
+            message:
+              "Cannot create a share with broader permissions than your own.",
+          });
+        }
+        return input;
+      },
+    },
+    // Hourly housekeeping: delete shares whose expires_at is in the past.
+    // Expired shares are already rejected at auth time, so this is just to
+    // keep the table from growing unbounded.
+    {
+      name: "auth_cleanupExpiredShares",
+      eventName: "0 3 * * *",
+      handler: async (_input, ctx) => {
+        await ctx.lobb.collectionService.deleteMany({
+          collectionName: "auth_shares",
+          filter: { expires_at: { $lt: new Date().toISOString() } },
+        });
+      },
+    },
+  ];
+}