npm - @nixxie-cms/core - Versions diffs - 1.0.3 → 2.0.0 - Mend

@nixxie-cms/core 1.0.3 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (203) hide show

package/src/session.ts CHANGED Viewed

@@ -1,6 +1,9 @@
 import { randomBytes } from 'node:crypto'
 import * as cookie from 'cookie'
 import Iron from '@hapi/iron'
+import { json } from './fields/types/json'
+import { text } from './fields/types/text'
+import { timestamp } from './fields/types/timestamp'
 import type { NixxieContext, SessionStrategy, SessionStoreFunction } from '../types'
 // TODO: should we also accept httpOnly?
@@ -135,6 +138,194 @@ export function statelessSessions<Session>({
   } satisfies SessionStrategy<Session, any>
 }
+type PersistentSessionsOptions = StatelessSessionsOptions & {
+  /**
+   * Key of the collection that stores sessions (see `sessionCollection()`).
+   * @default 'UserSession'
+   */
+  collection?: string
+}
+function sessionModel(context: NixxieContext, collection: string): any {
+  const delegate = (context.prisma as any)?.[collection[0].toLowerCase() + collection.slice(1)]
+  if (!delegate) {
+    throw new Error(
+      `persistentSessions: collection "${collection}" was not found in the Prisma client. ` +
+        `Add it to your config (e.g. \`collections: { ${collection}: sessionCollection() }\`) and run a migration.`
+    )
+  }
+  return delegate
+}
+/**
+ * Database-backed sessions: the cookie carries only an opaque token; the session itself
+ * lives in a collection, so sessions survive restarts, can be listed per user, and can be
+ * revoked server-side (see `listSessions` / `revokeSession` / `revokeUserSessions`).
+ *
+ * Tracks `lastSeenAt` (refreshed at most once a minute), `userAgent` and `ip` per session.
+ * Pair with a scheduled `pruneSessions()` job to clear expired/revoked rows.
+ */
+export function persistentSessions<Session>({
+  collection = 'UserSession',
+  maxAge = 60 * 60 * 8, // 8 hours
+  ...statelessSessionsOptions
+}: PersistentSessionsOptions = {}) {
+  const stateless = statelessSessions<string>({ ...statelessSessionsOptions, maxAge })
+  return {
+    async get({ context }) {
+      const token = await stateless.get({ context })
+      if (!token) return
+      const row = await sessionModel(context, collection).findUnique({ where: { token } })
+      if (!row || row.revokedAt) return
+      if (row.expiresAt && row.expiresAt.getTime() < Date.now()) return
+      // Refresh activity tracking at most once a minute; never block the request on it.
+      if (!row.lastSeenAt || Date.now() - row.lastSeenAt.getTime() > 60_000) {
+        void sessionModel(context, collection)
+          .update({ where: { token }, data: { lastSeenAt: new Date() } })
+          .catch(() => {})
+      }
+      return row.data as Session
+    },
+    async start({ context, data }) {
+      const token = randomBytes(24).toString('base64url') // 192-bit
+      const req = context.req
+      const forwarded = req?.headers['x-forwarded-for']
+      await sessionModel(context, collection).create({
+        data: {
+          token,
+          data: data as any,
+          itemId: (data as any)?.itemId != null ? String((data as any).itemId) : null,
+          expiresAt: new Date(Date.now() + maxAge * 1000),
+          createdAt: new Date(),
+          lastSeenAt: new Date(),
+          userAgent: (req?.headers['user-agent'] as string | undefined) ?? null,
+          ip:
+            (typeof forwarded === 'string' ? forwarded.split(',')[0]?.trim() : forwarded?.[0]) ??
+            req?.socket?.remoteAddress ??
+            null,
+        },
+      })
+      return (await stateless.start({ context, data: token })) || ''
+    },
+    async end({ context }) {
+      const token = await stateless.get({ context })
+      if (token) {
+        await sessionModel(context, collection).deleteMany({ where: { token } })
+      }
+      await stateless.end({ context })
+    },
+  } satisfies SessionStrategy<Session, any>
+}
+export type SessionInfo = {
+  id: string
+  itemId: string | null
+  createdAt: Date
+  lastSeenAt: Date | null
+  expiresAt: Date | null
+  revokedAt: Date | null
+  userAgent: string | null
+  ip: string | null
+}
+const stripToken = (row: any): SessionInfo => ({
+  id: row.id,
+  itemId: row.itemId ?? null,
+  createdAt: row.createdAt,
+  lastSeenAt: row.lastSeenAt ?? null,
+  expiresAt: row.expiresAt ?? null,
+  revokedAt: row.revokedAt ?? null,
+  userAgent: row.userAgent ?? null,
+  ip: row.ip ?? null,
+})
+/** Active (non-revoked, non-expired) sessions for a user, without their tokens. */
+export async function listSessions(
+  context: NixxieContext,
+  itemId: string,
+  { collection = 'UserSession' }: { collection?: string } = {}
+): Promise<SessionInfo[]> {
+  const rows = await sessionModel(context, collection).findMany({
+    where: { itemId: String(itemId), revokedAt: null, expiresAt: { gte: new Date() } },
+    orderBy: { lastSeenAt: 'desc' },
+  })
+  return rows.map(stripToken)
+}
+/** Revoke a single session by its row id. The next request with its cookie is signed out. */
+export async function revokeSession(
+  context: NixxieContext,
+  sessionId: string,
+  { collection = 'UserSession' }: { collection?: string } = {}
+): Promise<void> {
+  await sessionModel(context, collection).updateMany({
+    where: { id: sessionId },
+    data: { revokedAt: new Date() },
+  })
+}
+/** Revoke every session belonging to a user (e.g. after a password change). */
+export async function revokeUserSessions(
+  context: NixxieContext,
+  itemId: string,
+  { collection = 'UserSession' }: { collection?: string } = {}
+): Promise<number> {
+  const result = await sessionModel(context, collection).updateMany({
+    where: { itemId: String(itemId), revokedAt: null },
+    data: { revokedAt: new Date() },
+  })
+  return result.count
+}
+/** Delete expired and revoked session rows. Run from a scheduled job. */
+export async function pruneSessions(
+  context: NixxieContext,
+  { collection = 'UserSession' }: { collection?: string } = {}
+): Promise<number> {
+  const result = await sessionModel(context, collection).deleteMany({
+    where: { OR: [{ expiresAt: { lt: new Date() } }, { revokedAt: { not: null } }] },
+  })
+  return result.count
+}
+/**
+ * Sign the current user in as another user, recording who is impersonating in the
+ * session (`impersonatedBy`). Works with any session strategy. The caller is
+ * responsible for authorising the action (e.g. an admin-only check).
+ */
+export async function startImpersonation(
+  context: NixxieContext,
+  itemId: string | number
+): Promise<void> {
+  if (!context.sessionStrategy) throw new Error('startImpersonation: no session strategy configured')
+  const current = context.session as { itemId?: string | number; impersonatedBy?: unknown } | undefined
+  if (!current?.itemId) throw new Error('startImpersonation: there is no signed-in session')
+  if (current.impersonatedBy != null) {
+    throw new Error('startImpersonation: already impersonating — end the current impersonation first')
+  }
+  await context.sessionStrategy.start({
+    context,
+    data: { itemId, impersonatedBy: current.itemId } as any,
+  })
+}
+/** Return from an impersonated session to the original user's session. */
+export async function endImpersonation(context: NixxieContext): Promise<void> {
+  if (!context.sessionStrategy) throw new Error('endImpersonation: no session strategy configured')
+  const current = context.session as { impersonatedBy?: string | number } | undefined
+  if (current?.impersonatedBy == null) {
+    throw new Error('endImpersonation: the current session is not impersonating anyone')
+  }
+  await context.sessionStrategy.start({
+    context,
+    data: { itemId: current.impersonatedBy } as any,
+  })
+}
 export function storedSessions<Session>({
   store: storeFn,
   maxAge = 60 * 60 * 8, // 8 hours
@@ -166,3 +357,37 @@ export function storedSessions<Session>({
     },
   } satisfies SessionStrategy<Session, any>
 }
+/**
+ * Ready-made collection definition backing `persistentSessions()`.
+ *
+ * @example
+ * config({
+ *   collections: {
+ *     UserSession: sessionCollection(),
+ *     ...collections,
+ *   },
+ *   session: persistentSessions({ collection: 'UserSession' }),
+ * })
+ */
+export function sessionCollection(): any {
+  return {
+    fields: {
+      token: text({ validation: { isRequired: true }, isIndexed: 'unique' }),
+      data: json(),
+      itemId: text({ isIndexed: true }),
+      expiresAt: timestamp(),
+      createdAt: timestamp({ defaultValue: { kind: 'now' }, db: { isNullable: false } }),
+      lastSeenAt: timestamp(),
+      revokedAt: timestamp(),
+      userAgent: text(),
+      ip: text(),
+    },
+    graphql: {
+      omit: true,
+    },
+    ui: {
+      hideNavigation: true,
+    },
+  }
+}

package/src/types/admin-meta.ts CHANGED Viewed

@@ -1,218 +1,218 @@
-import type { allIcons as KeystarIcons } from '@keystar/ui/icon/all'
-import type { ReactElement } from 'react'
-import type { ConditionalFilter, ConditionalFilterCase, ListSortDescriptor } from './config'
-import type { BaseListTypeInfo } from './type-info'
-import type { GraphQLNames, JSONValue } from './utils'
-export type NavigationProps = {
-  lists: ListMeta[]
-}
-export type AdminConfig = {
-  components?: {
-    Logo?: (props: object) => ReactElement
-    Navigation?: (props: NavigationProps) => ReactElement
-  }
-}
-export type FieldControllerConfig<FieldMeta extends JSONValue | undefined = undefined> = {
-  listKey: string
-  fieldKey: string
-  label: string
-  description: string
-  customViews: Record<string, any>
-  fieldMeta: FieldMeta
-}
-type FilterTypeDeclaration<Value extends JSONValue> = {
-  readonly label: string
-  readonly initialValue: Value
-}
-export type FilterTypeToFormat<Value extends JSONValue> = {
-  readonly type: string
-  readonly label: string
-  readonly value: Value
-}
-export type FieldController<
-  FormState,
-  FilterValue extends JSONValue = never,
-  GraphQLFilterValue = never,
-> = {
-  fieldKey: string
-  label: string
-  description: string
-  defaultValue: FormState
-  deserialize: (item: any) => FormState // TODO: unknown
-  serialize: (formState: FormState) => any // TODO: unknown
-  validate?: (formState: FormState, opts: { isRequired: boolean }) => boolean
-  graphqlSelection: string
-  filter?: {
-    types: Record<string, FilterTypeDeclaration<FilterValue>>
-    parseGraphQL(value: GraphQLFilterValue & {}): { type: string; value: FilterValue }[]
-    graphql(type: { type: string; value: FilterValue }): Record<string, any>
-    Label(type: FilterTypeToFormat<FilterValue>): string | ReactElement | null
-    Filter(props: {
-      autoFocus?: boolean
-      forceValidation?: boolean
-      context: 'add' | 'edit'
-      onChange(value: FilterValue): void
-      type: string
-      // TODO: could be derived `filter.types[type].label`?
-      typeLabel?: string
-      value: FilterValue
-    }): ReactElement | null
-  }
-}
-// TODO: duplicate, reference core/src/lib/admin-meta.ts
-export type FieldMeta = {
-  key: string
-  label: string
-  description: string
-  fieldMeta: JSONValue | null
-  viewsIndex: number
-  customViewsIndex: number | null
-  views: FieldViews[number]
-  controller: FieldController<unknown, JSONValue>
-  isFilterable: boolean
-  isOrderable: boolean
-  search: 'default' | 'insensitive' | null
-  isNonNull: ('read' | 'create' | 'update')[]
-  createView: {
-    fieldMode: ConditionalFilter<'edit' | 'hidden', 'hidden', BaseListTypeInfo>
-    isRequired: ConditionalFilterCase<BaseListTypeInfo>
-  }
-  itemView: {
-    fieldMode: ConditionalFilter<'edit' | 'read' | 'hidden', 'read' | 'hidden', BaseListTypeInfo>
-    fieldPosition: 'form' | 'sidebar'
-    isRequired: ConditionalFilterCase<BaseListTypeInfo>
-  }
-  listView: {
-    fieldMode: 'read' | 'hidden'
-  }
-}
-export type FieldGroupMeta = {
-  label: string
-  description: string
-  fields: FieldMeta[]
-}
-export type ActionMeta = {
-  key: string
-  graphql: {
-    arguments: readonly { name: string; type: string; source: { itemField: string } | null }[]
-    names: {
-      one: string
-      many: string
-    }
-  }
-  label: string
-  icon: keyof typeof KeystarIcons | null
-  messages: {
-    promptTitle: string
-    promptTitleMany: string
-    prompt: string
-    promptMany: string
-    promptConfirmLabel: string
-    promptConfirmLabelMany: string
-    fail: string
-    failMany: string
-    success: string
-    successMany: string
-  }
-  itemView: {
-    actionMode: ConditionalFilter<
-      'enabled' | 'disabled' | 'hidden',
-      'disabled' | 'hidden',
-      BaseListTypeInfo
-    >
-    navigation: 'follow' | 'refetch' | 'return'
-    hidePrompt: boolean
-    hideToast: boolean
-  }
-  listView: {
-    actionMode: ConditionalFilter<
-      'enabled' | 'disabled' | 'hidden',
-      'disabled' | 'hidden',
-      BaseListTypeInfo
-    >
-  }
-}
-export type ListMeta = {
-  key: string
-  label: string
-  singular: string
-  plural: string
-  path: string
-  labelField: string
-  fields: { [key: string]: FieldMeta }
-  groups: FieldGroupMeta[]
-  actions: ActionMeta[]
-  graphql: {
-    names: GraphQLNames
-  }
-  pageSize: number
-  initialColumns: string[]
-  initialSearchFields: string[]
-  initialSort: ListSortDescriptor<string>
-  initialFilter: JSONValue
-  isSingleton: boolean
-  hideNavigation: boolean
-  hideCreate: boolean
-  hideDelete: boolean
-}
-export type Item = {
-  [key: string]: unknown
-}
-export type FieldProps<FieldControllerFn extends (...args: any) => FieldController<any, any>> = {
-  autoFocus?: boolean
-  field: ReturnType<FieldControllerFn>
-  isRequired: boolean
-  /**
-   * Will be true when the user has clicked submit and
-   * the validate function on the field controller has returned false
-   */
-  forceValidation?: boolean
-  onChange?(value: ReturnType<ReturnType<FieldControllerFn>['deserialize']>): void
-  value: ReturnType<ReturnType<FieldControllerFn>['deserialize']>
-  itemValue: Item
-}
-export type FieldViews = Record<
-  string,
-  {
-    Field: (props: FieldProps<any>) => ReactElement | null
-    Cell: CellComponent
-    controller: (args: FieldControllerConfig<any>) => FieldController<unknown, JSONValue>
-    allowedExportsOnCustomViews?: string[]
-  }
->
-export type CellComponent<
-  FieldControllerFn extends (...args: any) => FieldController<any, any> = () => FieldController<
-    any,
-    any
-  >,
-> = {
-  (props: {
-    value: any // TODO: T
-    field: ReturnType<FieldControllerFn>
-    item: Record<string, unknown>
-  }): ReactElement | null
-}
+import type { allIcons as KeystarIcons } from '@keystar/ui/icon/all'
+import type { ReactElement } from 'react'
+import type { ConditionalFilter, ConditionalFilterCase, CollectionSortDescriptor } from './config'
+import type { BaseCollectionTypeInfo } from './type-info'
+import type { GraphQLNames, JSONValue } from './utils'
+export type NavigationProps = {
+  lists: CollectionMeta[]
+}
+export type AdminConfig = {
+  components?: {
+    Logo?: (props: object) => ReactElement
+    Navigation?: (props: NavigationProps) => ReactElement
+  }
+}
+export type FieldControllerConfig<FieldMeta extends JSONValue | undefined = undefined> = {
+  listKey: string
+  fieldKey: string
+  label: string
+  description: string
+  customViews: Record<string, any>
+  fieldMeta: FieldMeta
+}
+type FilterTypeDeclaration<Value extends JSONValue> = {
+  readonly label: string
+  readonly initialValue: Value
+}
+export type FilterTypeToFormat<Value extends JSONValue> = {
+  readonly type: string
+  readonly label: string
+  readonly value: Value
+}
+export type FieldController<
+  FormState,
+  FilterValue extends JSONValue = never,
+  GraphQLFilterValue = never,
+> = {
+  fieldKey: string
+  label: string
+  description: string
+  defaultValue: FormState
+  deserialize: (item: any) => FormState // TODO: unknown
+  serialize: (formState: FormState) => any // TODO: unknown
+  validate?: (formState: FormState, opts: { isRequired: boolean }) => boolean
+  graphqlSelection: string
+  filter?: {
+    types: Record<string, FilterTypeDeclaration<FilterValue>>
+    parseGraphQL(value: GraphQLFilterValue & {}): { type: string; value: FilterValue }[]
+    graphql(type: { type: string; value: FilterValue }): Record<string, any>
+    Label(type: FilterTypeToFormat<FilterValue>): string | ReactElement | null
+    Filter(props: {
+      autoFocus?: boolean
+      forceValidation?: boolean
+      context: 'add' | 'edit'
+      onChange(value: FilterValue): void
+      type: string
+      // TODO: could be derived `filter.types[type].label`?
+      typeLabel?: string
+      value: FilterValue
+    }): ReactElement | null
+  }
+}
+// TODO: duplicate, reference core/src/lib/admin-meta.ts
+export type FieldMeta = {
+  key: string
+  label: string
+  description: string
+  fieldMeta: JSONValue | null
+  viewsIndex: number
+  customViewsIndex: number | null
+  views: FieldViews[number]
+  controller: FieldController<unknown, JSONValue>
+  isFilterable: boolean
+  isOrderable: boolean
+  search: 'default' | 'insensitive' | null
+  isNonNull: ('read' | 'create' | 'update')[]
+  createView: {
+    fieldMode: ConditionalFilter<'edit' | 'hidden', 'hidden', BaseCollectionTypeInfo>
+    isRequired: ConditionalFilterCase<BaseCollectionTypeInfo>
+  }
+  itemView: {
+    fieldMode: ConditionalFilter<'edit' | 'read' | 'hidden', 'read' | 'hidden', BaseCollectionTypeInfo>
+    fieldPosition: 'form' | 'sidebar'
+    isRequired: ConditionalFilterCase<BaseCollectionTypeInfo>
+  }
+  listView: {
+    fieldMode: 'read' | 'hidden'
+  }
+}
+export type FieldGroupMeta = {
+  label: string
+  description: string
+  fields: FieldMeta[]
+}
+export type ActionMeta = {
+  key: string
+  graphql: {
+    arguments: readonly { name: string; type: string; source: { itemField: string } | null }[]
+    names: {
+      one: string
+      many: string
+    }
+  }
+  label: string
+  icon: keyof typeof KeystarIcons | null
+  messages: {
+    promptTitle: string
+    promptTitleMany: string
+    prompt: string
+    promptMany: string
+    promptConfirmLabel: string
+    promptConfirmLabelMany: string
+    fail: string
+    failMany: string
+    success: string
+    successMany: string
+  }
+  itemView: {
+    actionMode: ConditionalFilter<
+      'enabled' | 'disabled' | 'hidden',
+      'disabled' | 'hidden',
+      BaseCollectionTypeInfo
+    >
+    navigation: 'follow' | 'refetch' | 'return'
+    hidePrompt: boolean
+    hideToast: boolean
+  }
+  listView: {
+    actionMode: ConditionalFilter<
+      'enabled' | 'disabled' | 'hidden',
+      'disabled' | 'hidden',
+      BaseCollectionTypeInfo
+    >
+  }
+}
+export type CollectionMeta = {
+  key: string
+  label: string
+  singular: string
+  plural: string
+  path: string
+  labelField: string
+  fields: { [key: string]: FieldMeta }
+  groups: FieldGroupMeta[]
+  actions: ActionMeta[]
+  graphql: {
+    names: GraphQLNames
+  }
+  pageSize: number
+  initialColumns: string[]
+  initialSearchFields: string[]
+  initialSort: CollectionSortDescriptor<string>
+  initialFilter: JSONValue
+  isSingleton: boolean
+  hideNavigation: boolean
+  hideCreate: boolean
+  hideDelete: boolean
+}
+export type Item = {
+  [key: string]: unknown
+}
+export type FieldProps<FieldControllerFn extends (...args: any) => FieldController<any, any>> = {
+  autoFocus?: boolean
+  field: ReturnType<FieldControllerFn>
+  isRequired: boolean
+  /**
+   * Will be true when the user has clicked submit and
+   * the validate function on the field controller has returned false
+   */
+  forceValidation?: boolean
+  onChange?(value: ReturnType<ReturnType<FieldControllerFn>['deserialize']>): void
+  value: ReturnType<ReturnType<FieldControllerFn>['deserialize']>
+  itemValue: Item
+}
+export type FieldViews = Record<
+  string,
+  {
+    Field: (props: FieldProps<any>) => ReactElement | null
+    Cell: CellComponent
+    controller: (args: FieldControllerConfig<any>) => FieldController<unknown, JSONValue>
+    allowedExportsOnCustomViews?: string[]
+  }
+>
+export type CellComponent<
+  FieldControllerFn extends (...args: any) => FieldController<any, any> = () => FieldController<
+    any,
+    any
+  >,
+> = {
+  (props: {
+    value: any // TODO: T
+    field: ReturnType<FieldControllerFn>
+    item: Record<string, unknown>
+  }): ReactElement | null
+}