@morscherlab/mint-sdk 1.0.0-beta.7 → 1.0.0-rc.2

package/src/permissions.ts

@@ -0,0 +1,143 @@
+export const ADMIN_ROLE = 'admin'
+
+export const ADMIN_PANEL_PERMISSIONS = [
+  'users.view',
+  'users.invite',
+  'users.manage',
+  'platform.configure',
+  'platform.view_logs',
+  'plugins.configure',
+  'plugins.install',
+] as const
+
+export type AccessAudience = 'all' | 'admin' | 'user'
+export type AccessAudienceInput = AccessAudience | readonly AccessAudience[]
+
+export interface RoleInfo {
+  id?: number
+  slug: string
+  name?: string
+  color?: string
+  permissions?: readonly string[] | null
+  project_scope?: 'all' | 'assigned' | string
+  plugin_access?: readonly string[] | 'all' | null
+}
+
+export interface PermissionUser {
+  role?: string | null
+  role_obj?: RoleInfo | null
+  roleObj?: RoleInfo | null
+  permissions?: readonly string[] | null
+}
+
+export interface AccessPolicy {
+  audience?: AccessAudienceInput
+  visibleFor?: AccessAudienceInput
+  requiresAuth?: boolean
+  requiresAdmin?: boolean
+  permissions?: readonly string[]
+  anyPermissions?: readonly string[]
+  plugin?: string
+}
+
+export interface AccessControlled {
+  access?: AccessPolicy
+  visibleFor?: AccessAudienceInput
+  requiresAdmin?: boolean
+  permissions?: readonly string[]
+  anyPermissions?: readonly string[]
+}
+
+export function getRoleInfo(user: PermissionUser | null | undefined): RoleInfo | null {
+  return user?.roleObj ?? user?.role_obj ?? null
+}
+
+export function isAdminRole(role: string | null | undefined): boolean {
+  return role === ADMIN_ROLE
+}
+
+export function isAdminUser(user: PermissionUser | null | undefined): boolean {
+  return isAdminRole(user?.role) || getRoleInfo(user)?.slug === ADMIN_ROLE
+}
+
+export function getAccessAudience(user: PermissionUser | null | undefined): Exclude<AccessAudience, 'all'> {
+  return isAdminUser(user) ? 'admin' : 'user'
+}
+
+export function getUserPermissions(user: PermissionUser | null | undefined): string[] {
+  const rolePermissions = getRoleInfo(user)?.permissions
+  if (rolePermissions?.length) return [...rolePermissions]
+  return [...(user?.permissions ?? [])]
+}
+
+export function hasAllPermissions(
+  user: PermissionUser | null | undefined,
+  permissions: readonly string[] = [],
+): boolean {
+  if (permissions.length === 0) return true
+  if (isAdminUser(user)) return true
+  const granted = new Set(getUserPermissions(user))
+  return permissions.every(permission => granted.has(permission))
+}
+
+export function hasAnyPermission(
+  user: PermissionUser | null | undefined,
+  permissions: readonly string[] = [],
+): boolean {
+  if (permissions.length === 0) return true
+  if (isAdminUser(user)) return true
+  const granted = new Set(getUserPermissions(user))
+  return permissions.some(permission => granted.has(permission))
+}
+
+export function canAccessAdmin(user: PermissionUser | null | undefined): boolean {
+  return isAdminUser(user) || hasAnyPermission(user, ADMIN_PANEL_PERMISSIONS)
+}
+
+export function canAccessPlugin(
+  user: PermissionUser | null | undefined,
+  pluginName: string | null | undefined,
+): boolean {
+  if (!pluginName) return true
+  const access = getRoleInfo(user)?.plugin_access
+  if (!access || access === 'all') return true
+  return Array.isArray(access) && access.includes(pluginName)
+}
+
+export function normalizeAccessPolicy(rule: AccessControlled | AccessPolicy | undefined): AccessPolicy {
+  if (!rule) return {}
+  const { access: nested, ...direct } = rule as AccessPolicy & { access?: AccessPolicy }
+  return {
+    ...(nested ?? {}),
+    ...direct,
+    ...('visibleFor' in rule && rule.visibleFor !== undefined ? { visibleFor: rule.visibleFor } : {}),
+    ...('requiresAdmin' in rule && rule.requiresAdmin !== undefined ? { requiresAdmin: rule.requiresAdmin } : {}),
+    ...('permissions' in rule && rule.permissions !== undefined ? { permissions: rule.permissions } : {}),
+    ...('anyPermissions' in rule && rule.anyPermissions !== undefined ? { anyPermissions: rule.anyPermissions } : {}),
+  }
+}
+
+export function canAccessByPolicy(
+  user: PermissionUser | null | undefined,
+  rule: AccessControlled | AccessPolicy | undefined,
+  isAuthenticated = user !== null && user !== undefined,
+): boolean {
+  const policy = normalizeAccessPolicy(rule)
+  if (policy.requiresAuth && !isAuthenticated) return false
+  if (policy.requiresAdmin && !isAdminUser(user)) return false
+  if (!audienceAllowsUser(policy.visibleFor ?? policy.audience, user)) return false
+  if (!hasAllPermissions(user, policy.permissions)) return false
+  if (!hasAnyPermission(user, policy.anyPermissions)) return false
+  if (policy.plugin && !canAccessPlugin(user, policy.plugin)) return false
+  return true
+}
+
+function audienceAllowsUser(
+  audience: AccessAudienceInput | undefined,
+  user: PermissionUser | null | undefined,
+): boolean {
+  if (audience === undefined) return true
+  const allowed = Array.isArray(audience) ? audience : [audience]
+  if (allowed.includes('all')) return true
+  return allowed.includes(getAccessAudience(user))
+}

package/src/stores/auth.ts

@@ -1,11 +1,51 @@
 import { defineStore } from 'pinia'
 import { ref, computed } from 'vue'
 import type { AuthConfig, UserInfo } from '../types'
+import {
+  canAccessAdmin as canUserAccessAdmin,
+  canAccessPlugin as canUserAccessPlugin,
+  getAccessAudience,
+  getUserPermissions,
+  hasAllPermissions,
+  hasAnyPermission,
+  isAdminUser,
+} from '../permissions'
 
 const AUTH_TOKEN_KEY = 'mint-auth-token'
 const AUTH_EXPIRES_KEY = 'mint-auth-expires'
 
-const hasLocalStorage = typeof localStorage !== 'undefined' && typeof localStorage.getItem === 'function'
+function getLocalStorage(): Storage | null {
+  try {
+    const storage = globalThis.localStorage
+    return typeof storage?.getItem === 'function' ? storage : null
+  } catch {
+    return null
+  }
+}
+
+function readStoredItem(key: string): string | null {
+  try {
+    return getLocalStorage()?.getItem(key) ?? null
+  } catch {
+    return null
+  }
+}
+
+function writeStoredItem(key: string, value: string): void {
+  try {
+    getLocalStorage()?.setItem(key, value)
+  } catch {
+    // Keep auth usable in-memory when browser storage is blocked.
+  }
+}
+
+function removeStoredItem(key: string): void {
+  try {
+    getLocalStorage()?.removeItem(key)
+  } catch {
+    // Keep auth cleanup usable in-memory when browser storage is blocked.
+  }
+}
 
 export const useAuthStore = defineStore('mint-auth', () => {
   // State
@@ -42,9 +82,10 @@ export const useAuthStore = defineStore('mint-auth', () => {
     return authConfig.value.authRequired && !isAuthenticated.value
   })
 
-  const isAdmin = computed(() => {
-    return userInfo.value?.role === 'admin'
-  })
+  const isAdmin = computed(() => isAdminUser(userInfo.value))
+  const userType = computed(() => getAccessAudience(userInfo.value))
+  const permissions = computed(() => getUserPermissions(userInfo.value))
+  const canAccessAdmin = computed(() => canUserAccessAdmin(userInfo.value))
 
   const canRegister = computed(() => {
     return authConfig.value.registrationEnabled
@@ -52,20 +93,18 @@ export const useAuthStore = defineStore('mint-auth', () => {
 
   // Actions
   function initialize() {
-    if (hasLocalStorage) {
-      const storedToken = localStorage.getItem(AUTH_TOKEN_KEY)
-      const storedExpires = localStorage.getItem(AUTH_EXPIRES_KEY)
-
-      if (storedToken) {
-        token.value = storedToken
-
-        if (storedExpires) {
-          const expires = new Date(storedExpires)
-          if (expires > new Date()) {
-            tokenExpires.value = expires
-          } else {
-            clearToken()
-          }
+    const storedToken = readStoredItem(AUTH_TOKEN_KEY)
+    const storedExpires = readStoredItem(AUTH_EXPIRES_KEY)
+
+    if (storedToken) {
+      token.value = storedToken
+
+      if (storedExpires) {
+        const expires = new Date(storedExpires)
+        if (expires > new Date()) {
+          tokenExpires.value = expires
+        } else {
+          clearToken()
         }
       }
     }
@@ -78,10 +117,8 @@ export const useAuthStore = defineStore('mint-auth', () => {
     const expires = new Date(Date.now() + expiresIn * 1000)
     tokenExpires.value = expires
 
-    if (hasLocalStorage) {
-      localStorage.setItem(AUTH_TOKEN_KEY, accessToken)
-      localStorage.setItem(AUTH_EXPIRES_KEY, expires.toISOString())
-    }
+    writeStoredItem(AUTH_TOKEN_KEY, accessToken)
+    writeStoredItem(AUTH_EXPIRES_KEY, expires.toISOString())
   }
 
   function clearToken() {
@@ -90,10 +127,8 @@ export const useAuthStore = defineStore('mint-auth', () => {
     username.value = null
     userInfo.value = null
 
-    if (hasLocalStorage) {
-      localStorage.removeItem(AUTH_TOKEN_KEY)
-      localStorage.removeItem(AUTH_EXPIRES_KEY)
-    }
+    removeStoredItem(AUTH_TOKEN_KEY)
+    removeStoredItem(AUTH_EXPIRES_KEY)
   }
 
   function setUserInfo(info: UserInfo) {
@@ -101,6 +136,18 @@ export const useAuthStore = defineStore('mint-auth', () => {
     username.value = info.username
   }
 
+  function hasPermission(...perms: string[]): boolean {
+    return hasAllPermissions(userInfo.value, perms)
+  }
+
+  function hasAnyPermissionForUser(...perms: string[]): boolean {
+    return hasAnyPermission(userInfo.value, perms)
+  }
+
+  function canAccessPlugin(pluginName: string): boolean {
+    return canUserAccessPlugin(userInfo.value, pluginName)
+  }
+
   function setAuthConfig(config: AuthConfig) {
     authConfig.value = config
   }
@@ -136,6 +183,9 @@ export const useAuthStore = defineStore('mint-auth', () => {
     isAuthenticated,
     needsAuth,
     isAdmin,
+    userType,
+    permissions,
+    canAccessAdmin,
     canRegister,
 
     // Actions
@@ -147,6 +197,9 @@ export const useAuthStore = defineStore('mint-auth', () => {
     setUserInfo,
     setError,
     setLoading,
+    hasPermission,
+    hasAnyPermission: hasAnyPermissionForUser,
+    canAccessPlugin,
     logout,
   }
 })

package/src/stores/settings.ts

@@ -24,6 +24,7 @@ export interface SettingsState {
 }
 
 const STORAGE_KEY = 'mint-settings'
+const LEGACY_STORAGE_KEY = 'mld-settings'
 
 function getDefaultServerHost(): string {
   if (typeof window !== 'undefined' && window.location.hostname !== 'localhost') {
@@ -68,6 +69,15 @@ function loadSettings(): SettingsState {
       const parsed = JSON.parse(stored)
       return { ...defaultSettings, ...parsed }
     }
+
+    const legacyStored = localStorage.getItem(LEGACY_STORAGE_KEY)
+    if (legacyStored) {
+      const parsed = JSON.parse(legacyStored)
+      const migrated = { ...defaultSettings, ...parsed }
+      localStorage.setItem(STORAGE_KEY, JSON.stringify(migrated))
+      localStorage.removeItem(LEGACY_STORAGE_KEY)
+      return migrated
+    }
   } catch (e) {
     console.warn('Failed to load settings from localStorage:', e)
   }