@lobb-js/lobb-ext-auth 0.11.1 → 0.11.3

package/dist/index.js

@@ -3,7 +3,7 @@ import { onStartup, onRouteChange } from "./onStartup";
 import LoginPage from "./lib/components/pages/loginPage/index.svelte";
 import UserSettings from "./lib/components/pages/userSettings/index.svelte";
 import Settings from "./lib/components/pages/settings/index.svelte";
-import { isActionAllowed } from "../permissions";
+import { isActionAllowed } from "./shared/permissions";
 // TODO we should export the extension object directly without a function at all. because we dont set configuration in here
 export default function extension(utils) {
     return {
@@ -57,7 +57,7 @@ export default function extension(utils) {
                 {
                     label: "Auth",
                     icon: utils.components.Icons.Key,
-                    href: "/studio/extensions/auth/settings/users",
+                    href: "/studio/extensions/auth/settings",
                     represents: "auth_users",
                 },
             ],

package/dist/lib/components/pages/settings/index.svelte

@@ -10,6 +10,15 @@
 	const { Icons } = components;
 	const auth_settings_page = $derived(props.utils.page.url.pathname.split("/")[5]);
 	const isSmall = $derived(!props.utils.mediaQueries.sm.current);
+
+	// Bare /studio/extensions/auth/settings has no sub-page to render, which
+	// would leave the page blank. Redirect to the first sub-page (Users) so
+	// landing on the settings root always shows something useful.
+	$effect(() => {
+		if (!auth_settings_page) {
+			props.utils.goto("/studio/extensions/auth/settings/users");
+		}
+	});
 </script>
 
 <!-- TODO: add the sidebar in here to add these pages

package/{extensions/auth → dist/shared}/permissions.d.ts

@@ -1,2 +1,2 @@
-import type { CollectionPermissionActionsKeys, PermissionsConfig } from "./config/extensionConfigSchema.ts";
+import type { CollectionPermissionActionsKeys, PermissionsConfig } from "../../config/extensionConfigSchema.ts";
 export declare function isActionAllowed(collection: string, action: CollectionPermissionActionsKeys, permissions: PermissionsConfig | undefined): boolean;

package/dist/shared/permissions.js

@@ -0,0 +1,35 @@
+// Lives under studio/ for packaging reasons — `svelte-package` only bundles
+// files inside its `--input` root, so anything the studio entry imports has
+// to be reachable from there. The backend imports this same file via
+// `../studio/shared/permissions` so there's still one source of truth.
+//
+// Anything in this folder must stay environment-neutral (no DOM, no Node-only
+// APIs, no top-level side effects) so it runs the same way on both sides.
+// Pure permission check shared by the server-side handlePolicy and the
+// studio's auth.canAccess workflow. Walks the permissions tree and returns
+// a yes/no — server-side then layers on guards/filters/error-throwing,
+// client-side uses the answer to decide whether to render UI.
+//
+// An object value for action permission means "conditional access" (filter
+// and/or fields restrictions). For UI gating that counts as allowed; the
+// server enforces the actual restrictions on real requests.
+export function isActionAllowed(collection, action, permissions) {
+    if (permissions === true)
+        return true;
+    if (!permissions)
+        return false;
+    const collPerm = permissions[collection];
+    if (collPerm === true)
+        return true;
+    if (!collPerm)
+        return false;
+    const actionPerm = collPerm[action];
+    if (actionPerm === true)
+        return true;
+    // A conditional grant must actually list at least one constraint
+    // (filter / fields / payloadGuard / mutate). Empty `{}` collapses back
+    // to "no grant" — explicit `true` is required for unconditional access.
+    return (typeof actionPerm === "object" &&
+        actionPerm !== null &&
+        Object.keys(actionPerm).length > 0);
+}

package/extensions/auth/studio/index.ts

@@ -4,7 +4,7 @@ import { onStartup, onRouteChange } from "./onStartup";
 import LoginPage from "./lib/components/pages/loginPage/index.svelte";
 import UserSettings from "./lib/components/pages/userSettings/index.svelte";
 import Settings from "./lib/components/pages/settings/index.svelte";
-import { isActionAllowed } from "../permissions";
+import { isActionAllowed } from "./shared/permissions";
 import type { CollectionPermissionActionsKeys } from "../config/extensionConfigSchema";
 
 // TODO we should export the extension object directly without a function at all. because we dont set configuration in here
@@ -62,7 +62,7 @@ export default function extension(utils: ExtensionUtils): Extension {
         {
           label: "Auth",
           icon: utils.components.Icons.Key,
-          href: "/studio/extensions/auth/settings/users",
+          href: "/studio/extensions/auth/settings",
           represents: "auth_users",
         },
       ],

package/extensions/auth/studio/lib/components/pages/settings/index.svelte

@@ -10,6 +10,15 @@
 	const { Icons } = components;
 	const auth_settings_page = $derived(props.utils.page.url.pathname.split("/")[5]);
 	const isSmall = $derived(!props.utils.mediaQueries.sm.current);
+
+	// Bare /studio/extensions/auth/settings has no sub-page to render, which
+	// would leave the page blank. Redirect to the first sub-page (Users) so
+	// landing on the settings root always shows something useful.
+	$effect(() => {
+		if (!auth_settings_page) {
+			props.utils.goto("/studio/extensions/auth/settings/users");
+		}
+	});
 </script>
 
 <!-- TODO: add the sidebar in here to add these pages

package/extensions/auth/{permissions.ts → studio/shared/permissions.ts}

@@ -1,7 +1,15 @@
+// Lives under studio/ for packaging reasons — `svelte-package` only bundles
+// files inside its `--input` root, so anything the studio entry imports has
+// to be reachable from there. The backend imports this same file via
+// `../studio/shared/permissions` so there's still one source of truth.
+//
+// Anything in this folder must stay environment-neutral (no DOM, no Node-only
+// APIs, no top-level side effects) so it runs the same way on both sides.
+
 import type {
   CollectionPermissionActionsKeys,
   PermissionsConfig,
-} from "./config/extensionConfigSchema.ts";
+} from "../../config/extensionConfigSchema.ts";
 
 // Pure permission check shared by the server-side handlePolicy and the
 // studio's auth.canAccess workflow. Walks the permissions tree and returns

package/extensions/auth/tests/permissions.test.ts

@@ -1,5 +1,5 @@
 import { describe, it, expect } from "bun:test";
-import { isActionAllowed } from "../permissions.ts";
+import { isActionAllowed } from "../studio/shared/permissions.ts";
 
 // Default-deny is the contract: only explicit `true` or an object that
 // actually lists at least one constraint counts as a grant. Anything empty

package/extensions/auth/workflows/utils.ts

@@ -6,7 +6,7 @@ import type {
   PermissionsConfig,
   User,
 } from "../config/extensionConfigSchema.ts";
-import { isActionAllowed } from "../permissions.ts";
+import { isActionAllowed } from "../studio/shared/permissions.ts";
 
 interface HandlePolicyOutput {
   filter?: Filter;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lobb-js/lobb-ext-auth",
-  "version": "0.11.1",
+  "version": "0.11.3",
   "license": "UNLICENSED",
   "type": "module",
   "publishConfig": {
@@ -32,12 +32,12 @@
     "package": "svelte-package --input extensions/auth/studio"
   },
   "dependencies": {
-    "@lobb-js/core": "^0.32.1",
+    "@lobb-js/core": "^0.33.0",
     "argon2": "^0.40.3",
     "hono": "^4.7.0"
   },
   "devDependencies": {
-    "@lobb-js/studio": "^0.29.1",
+    "@lobb-js/studio": "^0.31.0",
     "@lucide/svelte": "^0.563.1",
     "@sveltejs/adapter-node": "^5.5.4",
     "@sveltejs/kit": "^2.60.1",