@lobb-js/lobb-ext-auth 0.6.0 → 0.8.0

package/dist/index.js

@@ -1,5 +1,5 @@
 import { Auth } from "./auth";
-import { onStartup } from "./onStartup";
+import { onStartup, onRouteChange } from "./onStartup";
 import LoginPage from "./lib/components/pages/loginPage/index.svelte";
 import UserSettings from "./lib/components/pages/userSettings/index.svelte";
 import Settings from "./lib/components/pages/settings/index.svelte";
@@ -8,6 +8,7 @@ export default function extension(utils) {
     return {
         name: "auth",
         onStartup: onStartup,
+        onRouteChange: onRouteChange,
         components: {
             "pages.login_page": LoginPage,
             "pages.user_settings": UserSettings,

package/dist/onStartup.d.ts

@@ -1,2 +1,3 @@
 import type { ExtensionUtils } from "@lobb-js/studio";
 export declare function onStartup(utils: ExtensionUtils): Promise<void>;
+export declare function onRouteChange(utils: ExtensionUtils, path: string): void;

package/dist/onStartup.js

@@ -1,7 +1,11 @@
 import { Auth } from "./auth";
+const loginPath = "/studio/extensions/auth/login_page";
+function isPublicPath(path, publicPaths) {
+    return path === loginPath || publicPaths.some(p => path.startsWith(p));
+}
 export async function onStartup(utils) {
-    // logout if we got an Unauthorized response
     const auth = new Auth(utils);
+    // Logout if we got an Unauthorized response
     utils.lobb.onResponse(async (response) => {
         if (response.status === 401) {
             const body = await response.json();
@@ -12,10 +16,22 @@ export async function onStartup(utils) {
         }
     });
     const session = auth.getSession();
-    // if user is logged in
     if (session) {
         utils.ctx.extensions.auth.session = session;
         return;
     }
+    const publicPaths = utils.ctx.meta?.extensions?.auth?.studio?.publicPaths ?? [];
+    if (isPublicPath(window.location.pathname, publicPaths)) {
+        return;
+    }
     await auth.logout();
 }
+export function onRouteChange(utils, path) {
+    const auth = new Auth(utils);
+    if (auth.getSession())
+        return;
+    const publicPaths = utils.ctx.meta?.extensions?.auth?.studio?.publicPaths ?? [];
+    if (!isPublicPath(path, publicPaths)) {
+        utils.location.navigate(`${loginPath}?redirect=${encodeURIComponent(path)}`);
+    }
+}

package/extensions/auth/collections/collections.ts

@@ -12,6 +12,12 @@ export function collections(
   collectionsSchemas["auth_users"] = usersCollection;
   collectionsSchemas["auth_sessions"] = sessionsCollection;
 
+  // Convert the role field to an enum based on configured roles
+  const roleNames = Object.keys(extensionConfig.roles ?? {}).filter(r => r !== "public");
+  if (roleNames.length > 0) {
+    (usersCollection.fields.role as any).enum = [{ value: "admin" }, ...roleNames.map(r => ({ value: r }))];
+  }
+
   // adding the additional fields and indexes if the extend_users property exists
   if (extensionConfig.extend_users) {
     collectionsSchemas["auth_users"].indexes = {

package/extensions/auth/collections/users.ts

@@ -1,7 +1,7 @@
-import type { CollectionConfig } from "@lobb-js/core";
+import type { NormalCollectionConfig } from "@lobb-js/core";
 import { hash } from "argon2";
 
-export const usersCollection: CollectionConfig = {
+export const usersCollection: NormalCollectionConfig = {
   indexes: {
     auth_users_email_index: {
       unique: true,

package/extensions/auth/config/extensionConfigSchema.ts

@@ -45,4 +45,7 @@ export type ExtensionConfig = {
     indexes?: CollectionConfig["indexes"];
     fields?: Omit<CollectionConfig["fields"], "id">;
   };
+  studio?: {
+    publicPaths?: string[];
+  };
 };

package/extensions/auth/meta/meta.ts

@@ -6,6 +6,7 @@ export async function meta(lobb: Lobb, extensionConfig: ExtensionConfig) {
   const meta: any = {};
 
   meta["dashboard_access_roles"] = config.dashboard_access_roles ?? ["admin"];
+  meta["studio"] = { publicPaths: config.studio?.publicPaths ?? [] };
 
   return meta;
 }

package/extensions/auth/studio/index.ts

@@ -1,6 +1,6 @@
 import type { Extension, ExtensionUtils } from "@lobb-js/studio";
 import { Auth } from "./auth";
-import { onStartup } from "./onStartup";
+import { onStartup, onRouteChange } from "./onStartup";
 import LoginPage from "./lib/components/pages/loginPage/index.svelte";
 import UserSettings from "./lib/components/pages/userSettings/index.svelte";
 import Settings from "./lib/components/pages/settings/index.svelte";
@@ -10,6 +10,7 @@ export default function extension(utils: ExtensionUtils): Extension {
   return {
     name: "auth",
     onStartup: onStartup,
+    onRouteChange: onRouteChange,
     components: {
       "pages.login_page": LoginPage,
       "pages.user_settings": UserSettings,

package/extensions/auth/studio/onStartup.ts

@@ -1,9 +1,16 @@
 import type { ExtensionUtils } from "@lobb-js/studio";
 import { Auth } from "./auth";
 
+const loginPath = "/studio/extensions/auth/login_page";
+
+function isPublicPath(path: string, publicPaths: string[]) {
+    return path === loginPath || publicPaths.some(p => path.startsWith(p));
+}
+
 export async function onStartup(utils: ExtensionUtils) {
-    // logout if we got an Unauthorized response
     const auth = new Auth(utils);
+
+    // Logout if we got an Unauthorized response
     utils.lobb.onResponse(async (response) => {
         if (response.status === 401) {
             const body = await response.json();
@@ -15,11 +22,27 @@ export async function onStartup(utils: ExtensionUtils) {
             }
         }
     });
+
     const session = auth.getSession();
-    // if user is logged in
     if (session) {
         utils.ctx.extensions.auth.session = session;
         return;
     }
+
+    const publicPaths: string[] = utils.ctx.meta?.extensions?.auth?.studio?.publicPaths ?? [];
+    if (isPublicPath(window.location.pathname, publicPaths)) {
+        return;
+    }
+
     await auth.logout()
 }
+
+export function onRouteChange(utils: ExtensionUtils, path: string) {
+    const auth = new Auth(utils);
+    if (auth.getSession()) return;
+
+    const publicPaths: string[] = utils.ctx.meta?.extensions?.auth?.studio?.publicPaths ?? [];
+    if (!isPublicPath(path, publicPaths)) {
+        utils.location.navigate(`${loginPath}?redirect=${encodeURIComponent(path)}`);
+    }
+}

package/extensions/auth/tests/configs/auth.ts

@@ -41,6 +41,17 @@ export const authConfig: Config = {
             },
           },
         },
+        author: {
+          permissions: {
+            auth_users: {
+              read: {
+                filter: { id: ({ user }: any) => user?.id ?? null },
+              },
+              update: true,
+              delete: true,
+            },
+          },
+        },
       },
     }),
   ],

package/extensions/auth/tests/controllers/me.test.ts

@@ -166,7 +166,7 @@ describe("Login", () => {
     );
     await response2.json();
 
-    expect(response2.status).toEqual(403);
+    expect(response2.status).not.toEqual(200);
   });
 
   it("should prevent the test user to mutate another user", async () => {
@@ -248,7 +248,7 @@ describe("Login", () => {
         },
         body: JSON.stringify({
           data: {
-            role: "test",
+            role: "author",
           },
         }),
       },

package/extensions/auth/tests/middlewares/adminProtection.test.ts

@@ -0,0 +1,59 @@
+import { Lobb } from "@lobb-js/core";
+import { afterAll, beforeAll, describe, it, expect } from "bun:test";
+import { authNoRolesConfig } from "../configs/auth_no_roles.ts";
+
+describe("Admin user protection", () => {
+  let lobb: Lobb;
+  let baseUrl: string;
+  const authHeader = new Headers();
+
+  beforeAll(async () => {
+    lobb = await Lobb.init(authNoRolesConfig);
+    baseUrl = `http://127.0.0.1:${lobb.webServer.port}`;
+
+    const response = await fetch(
+      `${baseUrl}/api/collections/auth_sessions`,
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          data: { email: "admin@test.com", password: "admin" },
+        }),
+      },
+    );
+    const result = await response.json();
+    authHeader.append("Authorization", `Bearer ${result.data.access_token.token}`);
+  });
+
+  afterAll(async () => {
+    await lobb.close();
+  });
+
+  it("should prevent deleting the admin user", async () => {
+    const response = await fetch(
+      `${baseUrl}/api/collections/auth_users/1`,
+      { method: "DELETE", headers: authHeader },
+    );
+    const result = await response.json();
+
+    expect(response.status).toEqual(403);
+    expect(result.message).toEqual("The admin user cannot be deleted.");
+  });
+
+  it("should prevent updating the admin user", async () => {
+    const response = await fetch(
+      `${baseUrl}/api/collections/auth_users/1`,
+      {
+        method: "PATCH",
+        headers: authHeader,
+        body: JSON.stringify({
+          data: { email: "hacked@example.com" },
+        }),
+      },
+    );
+    const result = await response.json();
+
+    expect(response.status).toEqual(403);
+    expect(result.message).toEqual("The admin user cannot be updated.");
+  });
+});

package/extensions/auth/tests/middlewares/publicPreventBasic.test.ts

@@ -38,7 +38,7 @@ describe("Prevent Guard For Public Users", () => {
 
     expect(
       result.message,
-    ).toEqual("Your role is not recognized by the system.");
+    ).toEqual("You do not have permission to perform this action.");
     expect(response.status).toEqual(403);
   });
 
@@ -54,7 +54,7 @@ describe("Prevent Guard For Public Users", () => {
 
     expect(
       result.message,
-    ).toEqual("Your role is not recognized by the system.");
+    ).toEqual("You do not have permission to perform this action.");
     expect(response.status).toEqual(403);
   });
 
@@ -81,7 +81,7 @@ describe("Prevent Guard For Public Users", () => {
     ).toEqual({
         status: 403,
         code: "FORBIDDEN",
-        message: "Your role is not recognized by the system.",
+        message: "You do not have permission to perform this action.",
     });
     expect(response.status).toEqual(403);
   });
@@ -100,7 +100,7 @@ describe("Prevent Guard For Public Users", () => {
       result,
     ).toEqual({
         code: "FORBIDDEN",
-        message: "Your role is not recognized by the system.",
+        message: "You do not have permission to perform this action.",
         status: 403,
     });
     expect(response.status).toEqual(403);

package/extensions/auth/workflows/baseWorkflow.ts

@@ -8,10 +8,9 @@ export function getBaseWorkflows(_extensionConfig: ExtensionConfig): Workflow[]
   return [
   {
     name: "auth_preventAdminUserDeletion",
-    eventName: "core.store.preDeleteOne",
+    eventName: "core.service.preDeleteOne",
     handler: async (input, ctx) => {
       if (input.collectionName !== "auth_users") return;
-      if (input.triggeredBy !== "API") return;
 
       if (Number(input.id) === 1) {
         throw new ctx.LobbError({
@@ -21,6 +20,20 @@ export function getBaseWorkflows(_extensionConfig: ExtensionConfig): Workflow[]
       }
     },
   },
+  {
+    name: "auth_preventAdminUserUpdate",
+    eventName: "core.service.preUpdateOne",
+    handler: async (input, ctx) => {
+      if (input.collectionName !== "auth_users") return;
+
+      if (Number(input.id) === 1) {
+        throw new ctx.LobbError({
+          code: "FORBIDDEN",
+          message: "The admin user cannot be updated.",
+        });
+      }
+    },
+  },
   ...baseWorkflows,
   ];
 }

package/extensions/auth/workflows/utils.ts

@@ -40,6 +40,12 @@ export function handlePolicy({
   const currentRole = config.roles?.[role];
 
   if (typeof currentRole === "undefined") {
+    if (role === "public") {
+      throw new ctx.LobbError({
+        code: "FORBIDDEN",
+        message: "You do not have permission to perform this action.",
+      });
+    }
     throw new ctx.LobbError({
       code: "FORBIDDEN",
       message: "Your role is not recognized by the system.",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lobb-js/lobb-ext-auth",
-  "version": "0.6.0",
+  "version": "0.8.0",
   "license": "UNLICENSED",
   "type": "module",
   "publishConfig": {
@@ -33,12 +33,12 @@
     "package": "svelte-package --input extensions/auth/studio"
   },
   "dependencies": {
-    "@lobb-js/core": "^0.26.2",
+    "@lobb-js/core": "^0.28.0",
     "argon2": "^0.40.3",
     "hono": "^4.7.0"
   },
   "devDependencies": {
-    "@lobb-js/studio": "^0.24.1",
+    "@lobb-js/studio": "^0.25.0",
     "@lucide/svelte": "^0.563.1",
     "@playwright/test": "^1.58.2",
     "@sveltejs/adapter-node": "^5.5.4",