@nu-art/permissions-backend 0.401.8 → 0.500.0

package/_entity/permission-user/ModuleBE_PermissionUserDB.js

@@ -1,10 +1,11 @@
-import { MemKey_ServerApi, ModuleBE_BaseDB, Storm, } from '@nu-art/thunderstorm-backend';
-import { DBDef_PermissionUser } from '@nu-art/permissions-shared';
-import { _keys, ApiException, asOptionalArray, batchActionParallel, dbObjectToId, exists, filterDuplicates, filterInstances, filterKeys, flatArray, JwtTools, merge, Year } from '@nu-art/ts-common';
+import { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import { MemKey_ServerApi } from '@nu-art/http-server';
+import { DBDef_PermissionUser, toPermissionGroupId } from '@nu-art/permissions-shared';
+import { getGlobalEnvConfigRef, getServiceAccountsProvider } from '../../permissions-wire.js';
+import { _keys, ApiException, batchAction, batchActionParallel, dbObjectToId, exists, filterDuplicates, filterInstances, filterKeys, JwtTools, merge, Year } from '@nu-art/ts-common';
 import { ModuleBE_PermissionGroupDB } from '../permission-group/ModuleBE_PermissionGroupDB.js';
 import { MemKey_AccountId, ModuleBE_AccountDB, ModuleBE_SessionDB } from '@nu-art/user-account-backend';
 import { MemKey_UserPermissions } from '../../consts.js';
-import { dispatcher_collectServiceAccounts } from '@nu-art/thunderstorm-backend/modules/_tdb/service-accounts';
 export class ModuleBE_PermissionUserDB_Class extends ModuleBE_BaseDB {
     defaultPermissionGroups;
     constructor() {
@@ -12,14 +13,17 @@ export class ModuleBE_PermissionUserDB_Class extends ModuleBE_BaseDB {
     }
     __performProjectSetup() {
         return {
-            priority: 4,
+            priority: 200,
             processor: async () => {
                 const accounts = await ModuleBE_AccountDB.query.where({});
-                const permissionsUser = await this.query.all(accounts.map(dbObjectToId));
+                // Permission user _id is 1:1 with account _id; query.all expects permission user ids.
+                const permissionUserIds = accounts.map(dbObjectToId);
+                const permissionsUser = await this.query.all(permissionUserIds);
                 const usersToUpsert = [];
                 const usersToDelete = [];
                 permissionsUser.forEach((user, index) => {
                     if (exists(user)) {
+                        // Same 1:1 design: account id and permission user id are the same value.
                         if (!exists(accounts.find(account => account._id === user._id)))
                             usersToDelete.push(user);
                         return;
@@ -32,7 +36,8 @@ export class ModuleBE_PermissionUserDB_Class extends ModuleBE_BaseDB {
                 await this.set.all(usersToUpsert);
                 await this.delete.all(usersToDelete);
                 // This stage updates the rtdb's config- which is why it's last. Changing the rtdb's config kills the server.
-                const serviceAccounts = flatArray(dispatcher_collectServiceAccounts.dispatchModule());
+                const provider = getServiceAccountsProvider();
+                const serviceAccounts = provider ? await provider() : [];
                 await this.createSystemServiceAccount(serviceAccounts);
             }
         };
@@ -74,10 +79,11 @@ export class ModuleBE_PermissionUserDB_Class extends ModuleBE_BaseDB {
         //todo check for duplications in data
     }
     async postWriteProcessing(data, actionType) {
-        const deleted = asOptionalArray(data.deleted) ?? [];
-        const updated = asOptionalArray(data.updated) ?? [];
-        const beforeIds = (asOptionalArray(data.before) ?? []).map(before => before?._id);
-        const accountIdToInvalidate = filterDuplicates(filterInstances([...deleted, ...updated].map(i => i?._id))).filter(id => beforeIds.includes(id));
+        const deleted = data.deleted ? (Array.isArray(data.deleted) ? data.deleted : [data.deleted]) : [];
+        const updated = data.updated ? (Array.isArray(data.updated) ? data.updated : [data.updated]) : [];
+        const before = data.before ? (Array.isArray(data.before) ? data.before : [data.before]) : [];
+        const beforeIds = before.map(b => b._id);
+        const accountIdToInvalidate = filterDuplicates(filterInstances([...deleted, ...updated].map(i => i._id))).filter(id => beforeIds.includes(id));
         await this.rotateSession(accountIdToInvalidate);
     }
     insertIfNotExist = async (uiAccount, transaction) => {
@@ -87,8 +93,10 @@ export class ModuleBE_PermissionUserDB_Class extends ModuleBE_BaseDB {
                 ? filterInstances(await ModuleBE_PermissionGroupDB.query.all(defaultPermissionGroups.map(item => item.groupId)))
                 : [];
             this.logInfo(`Received ${defaultPermissionGroups.length} groups to assign, ${permissionGroups.length} of which exist`);
+            // Permission user _id is 1:1 with account _id (design); cast required across brands.
+            const permissionUserId = uiAccount._id;
             const permissionsUserToCreate = {
-                _id: uiAccount._id,
+                _id: permissionUserId,
                 groups: permissionGroups.map(group => ({ groupId: group._id })),
                 _auditorId: MemKey_AccountId.get()
             };
@@ -99,7 +107,9 @@ export class ModuleBE_PermissionUserDB_Class extends ModuleBE_BaseDB {
     async assignPermissions(body) {
         if (!body.targetAccountIds.length)
             throw new ApiException(400, `Asked to modify permissions but provided no users to modify permissions of.`);
-        const usersToGiveTo = filterInstances(await this.query.all(body.targetAccountIds));
+        // Permission user id is 1:1 with account id (design); cast required across brands.
+        const permissionUserIds = body.targetAccountIds;
+        const usersToGiveTo = filterInstances(await this.query.all(permissionUserIds));
         // console.log('assignPermissions target accounts ');
         // console.log(await this.query.custom(_EmptyQuery));
         if (!usersToGiveTo.length || usersToGiveTo.length !== body.targetAccountIds.length) {
@@ -154,7 +164,7 @@ export class ModuleBE_PermissionUserDB_Class extends ModuleBE_BaseDB {
         this.logInfoBold('Creating Service Accounts: ', serviceAccounts);
         // @ts-ignore
         const tokenCreator = ModuleBE_AccountDB.token.create;
-        const envConfigRef = Storm.getInstance().getGlobalEnvConfigRef();
+        const envConfigRef = getGlobalEnvConfigRef();
         const updatedConfig = {};
         //Run over all service accounts
         for (const serviceAccount of serviceAccounts) {
@@ -173,9 +183,9 @@ export class ModuleBE_PermissionUserDB_Class extends ModuleBE_BaseDB {
                 this.logInfo('NOTICE: querySafeAccount failed, creating accounts');
                 account = await ModuleBE_AccountDB.account.create(accountsToRequest);
             }
-            // Assign permissions groups to service account
+            // Assign permissions groups to service account; permission user _id is 1:1 with account _id
             const permissionsUser = await ModuleBE_PermissionUserDB.query.uniqueAssert({ _id: account._id });
-            permissionsUser.groups = serviceAccount.groupIds?.map(groupId => ({ groupId })) || [];
+            permissionsUser.groups = serviceAccount.groupIds?.map(gid => ({ groupId: toPermissionGroupId(gid) })) || [];
             await ModuleBE_PermissionUserDB.set.item(permissionsUser);
             //Service accounts are only allowed to have one session... but this isn't the defined place to be a cop about it
             const sessions = await ModuleBE_AccountDB.account.getSessions(account);
@@ -201,7 +211,7 @@ export class ModuleBE_PermissionUserDB_Class extends ModuleBE_BaseDB {
                 })
             };
         }
-        if (_keys(updatedConfig).length > 0)
+        if (_keys(updatedConfig).length > 0 && envConfigRef)
             MemKey_ServerApi.get().addPostCallAction(async () => {
                 const currentConfig = await envConfigRef.get({});
                 await envConfigRef.set(merge(currentConfig, updatedConfig));
@@ -220,7 +230,12 @@ export class ModuleBE_PermissionUserDB_Class extends ModuleBE_BaseDB {
             return isExpired ? undefined : session;
         })));
         //TODO END
-        await this.runTransaction(async (t) => Promise.all(validSessions.map(session => ModuleBE_SessionDB._session.rotate.reissue.bySession(session, t))));
+        this.logWarning(`#### Rotating ${validSessions.length} Sessions! ####`);
+        await batchAction(validSessions, 500, async (sessions) => {
+            await this.runTransaction(async (t) => {
+                await Promise.all(sessions.map(session => ModuleBE_SessionDB._session.rotate.reissue.bySession(session, t)));
+            });
+        });
     }
 }
 export const ModuleBE_PermissionUserDB = new ModuleBE_PermissionUserDB_Class();

package/core/external-api-paths.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Path strings for external APIs referenced in permission domains.
+ * Replaces imports from thunderstorm-shared (ApiDef_ActionProcessing, ApiDef_CollectionActions, ApiDef_SyncEnv).
+ * Update these if the corresponding v2 packages change their routes.
+ */
+export declare const Path_ActionProcessor_List = "v1/action-processor/list";
+export declare const Path_ActionProcessor_Execute = "v1/action-processor/execute";
+export declare const Path_CollectionActions_UpgradeAll = "v1/collection-actions/upgrade/all";
+export declare const Path_SyncEnv_FetchBackupMetadata = "v1/sync-env/fetch-backup-metadata";
+export declare const Path_SyncEnv_CreateBackup = "v1/sync-env/create-backup-v2";
+export declare const Path_SyncEnv_SyncFromEnvBackup = "v1/sync-env/fetch-from-env-v2";
+export declare const Path_SyncEnv_SyncFirebaseFromBackup = "v1/sync-env/fetch-firebase-backup";
+export declare const Path_SyncEnv_SyncToEnv = "v1/sync-env/sync-to-env";

package/core/external-api-paths.js

@@ -0,0 +1,13 @@
+/**
+ * Path strings for external APIs referenced in permission domains.
+ * Replaces imports from thunderstorm-shared (ApiDef_ActionProcessing, ApiDef_CollectionActions, ApiDef_SyncEnv).
+ * Update these if the corresponding v2 packages change their routes.
+ */
+export const Path_ActionProcessor_List = 'v1/action-processor/list';
+export const Path_ActionProcessor_Execute = 'v1/action-processor/execute';
+export const Path_CollectionActions_UpgradeAll = 'v1/collection-actions/upgrade/all';
+export const Path_SyncEnv_FetchBackupMetadata = 'v1/sync-env/fetch-backup-metadata';
+export const Path_SyncEnv_CreateBackup = 'v1/sync-env/create-backup-v2';
+export const Path_SyncEnv_SyncFromEnvBackup = 'v1/sync-env/fetch-from-env-v2';
+export const Path_SyncEnv_SyncFirebaseFromBackup = 'v1/sync-env/fetch-firebase-backup';
+export const Path_SyncEnv_SyncToEnv = 'v1/sync-env/sync-to-env';

package/core/function-permission-registry.d.ts

@@ -0,0 +1,25 @@
+import type { PermissionScope } from '@nu-art/permissions-shared';
+export type FunctionPermissionDef = {
+    id: string;
+    scopeKey: string;
+    value: string;
+    /** Set on server load when domains/levels are created from registry. */
+    domainId?: string;
+    /** Set on server load when domains/levels are created from registry. */
+    levelId?: string;
+    /** Numeric level value for assert (user level >= required). Set on server load. */
+    levelValue?: number;
+};
+/**
+ * Registers a function permission (scope + value). Called from @RequirePermission decorator init.
+ * Returns the same def if (scopeKey, value) was already registered (stable id).
+ */
+export declare function registerFunctionPermission(scope: PermissionScope, value: string): FunctionPermissionDef;
+/**
+ * Returns all registered function permissions for server load (create domains/levels in DB).
+ */
+export declare function getRegisteredFunctionPermissions(): FunctionPermissionDef[];
+/**
+ * Returns the def for a given (scopeKey, value), or undefined if not registered.
+ */
+export declare function getFunctionPermissionDef(scopeKey: string, value: string): FunctionPermissionDef | undefined;

package/core/function-permission-registry.js

@@ -0,0 +1,50 @@
+/*
+ * Permissions management system, define access level for each of
+ * your server apis, and restrict users by giving them access levels
+ *
+ * Copyright (C) 2020 Adam van der Kruk aka TacB0sS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { md5 } from '@nu-art/ts-common';
+const registry = new Map();
+function compositeKey(scopeKey, value) {
+    return `${scopeKey}\0${value}`;
+}
+/**
+ * Registers a function permission (scope + value). Called from @RequirePermission decorator init.
+ * Returns the same def if (scopeKey, value) was already registered (stable id).
+ */
+export function registerFunctionPermission(scope, value) {
+    const scopeKey = scope.key;
+    const key = compositeKey(scopeKey, value);
+    const existing = registry.get(key);
+    if (existing)
+        return existing;
+    const id = md5(`function-permission/${scopeKey}/${value}`);
+    const def = { id, scopeKey, value };
+    registry.set(key, def);
+    return def;
+}
+/**
+ * Returns all registered function permissions for server load (create domains/levels in DB).
+ */
+export function getRegisteredFunctionPermissions() {
+    return [...registry.values()];
+}
+/**
+ * Returns the def for a given (scopeKey, value), or undefined if not registered.
+ */
+export function getFunctionPermissionDef(scopeKey, value) {
+    return registry.get(compositeKey(scopeKey, value));
+}

package/core/utils.d.ts

@@ -1,15 +1,15 @@
-import { TypedMap, UniqueId } from '@nu-art/ts-common';
-import { DefaultDef_Group, PreDBAccessLevel } from '@nu-art/permissions-shared';
+import { TypedMap } from '@nu-art/ts-common';
+import { DatabaseDef_PermissionDomain, DefaultDef_Group, PreDBAccessLevel } from '@nu-art/permissions-shared';
 import { PermissionKey_BE } from '../PermissionKey_BE.js';
 import { DefaultDef_Domain, DefaultDef_Package } from '../types.js';
-export declare const Permissions_abTest: (seed: UniqueId, namespace: string, permutations: string[]) => DefaultDef_Package;
+export declare const Permissions_abTest: (seed: string, namespace: string, permutations: string[]) => DefaultDef_Package;
 /**
  * Generate automatic BE permission keys for a domain
  * @param accessLevels the relevant access levels to generate keys for
  * @param keyByLevelMapper the key name mapper by access level name
  * @param domainId the domain id to apply in the resolver
  */
-export declare const generatePermissionKeys: <Key extends string | number | symbol>(accessLevels: PreDBAccessLevel[], keyByLevelMapper: TypedMap<string>, domainId: UniqueId) => { [key in Key]: PermissionKey_BE<string>; };
+export declare const generatePermissionKeys: <Key extends string | number | symbol>(accessLevels: PreDBAccessLevel[], keyByLevelMapper: TypedMap<string>, domainId: DatabaseDef_PermissionDomain["id"]) => { [key in Key]: PermissionKey_BE<string>; };
 /**
  * Automatic generator for domain default definitions,
  * @param key MUST NEVER CHANGE! the key is the "key" to uniqueness of the entire permission decleration

package/core/utils.js

@@ -1,11 +1,11 @@
 import { _values, md5 } from '@nu-art/ts-common';
-import { CreateDefaultAccessLevels, DefaultAccessLevel_NoAccess, DefaultAccessLevel_Read } from '@nu-art/permissions-shared';
+import { CreateDefaultAccessLevels, DefaultAccessLevel_NoAccess, DefaultAccessLevel_Read, toPermissionDomainId, toPermissionGroupId } from '@nu-art/permissions-shared';
 import { defaultValueResolverV2, PermissionKey_BE } from '../PermissionKey_BE.js';
 export const Permissions_abTest = (seed, namespace, permutations) => {
     const domains = permutations.map(permutation => {
         const name = `${namespace}/${permutation}`;
         const domain = {
-            _id: md5(`${seed}${name}`),
+            _id: toPermissionDomainId(md5(`${seed}${name}`)),
             namespace: name,
             permissionKeys: permutations.map(permutation => {
                 const initialDataResolver = () => defaultValueResolverV2(domain._id, DefaultAccessLevel_Read.name);
@@ -19,11 +19,11 @@ export const Permissions_abTest = (seed, namespace, permutations) => {
         const name = `${namespace}/${permutation}`;
         const domain = domains[index];
         const group = {
-            _id: md5(`${domain._id}/${name}`),
+            _id: toPermissionGroupId(md5(`${domain._id}/${name}`)),
             name,
             uiLabel: name,
             accessLevels: {
-                [domain._id]: DefaultAccessLevel_Read.name,
+                [domain.namespace]: DefaultAccessLevel_Read.name,
             }
         };
         return group;
@@ -60,9 +60,9 @@ export const generatePermissionKeys = (accessLevels, keyByLevelMapper, domainId)
  */
 export const generateDomainDefaults = (key, namespace, preDBAccessLevels, permissionKeysByLevel, dbNames) => {
     // Generate the new domain id
-    const newDomainId = md5(`domain/${key}`);
+    const newDomainId = toPermissionDomainId(md5(`domain/${key}`));
     // Get all default db ready access levels using the provided ones
-    const accessLevels = CreateDefaultAccessLevels(newDomainId, preDBAccessLevels);
+    const accessLevels = CreateDefaultAccessLevels(md5(`domain/${key}`), preDBAccessLevels);
     const keyDefinitions = generatePermissionKeys(preDBAccessLevels, permissionKeysByLevel, newDomainId);
     return {
         domain: {
@@ -73,7 +73,7 @@ export const generateDomainDefaults = (key, namespace, preDBAccessLevels, permis
             dbNames
         },
         groups: accessLevels.map(accessLevel => ({
-            _id: md5(`${key}/${accessLevel.name}`),
+            _id: toPermissionGroupId(md5(`${key}/${accessLevel.name}`)),
             name: `${namespace}/${accessLevel.name}`,
             uiLabel: `${namespace}/${accessLevel.name}`,
             accessLevels: {

package/index.d.ts

@@ -1,4 +1,9 @@
+export * from './consts.js';
 export * from './core/module-pack.js';
+export * from './permissions-wire.js';
+export * from './core/function-permission-registry.js';
+export * from './RequirePermission.js';
 export * from './modules/index.js';
+export * from './permissions.js';
 export * from './_entity.js';
 export * from './types.js';

package/index.js

@@ -16,7 +16,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+export * from './consts.js';
 export * from './core/module-pack.js';
+export * from './permissions-wire.js';
+export * from './core/function-permission-registry.js';
+export * from './RequirePermission.js';
 export * from './modules/index.js';
+export * from './permissions.js';
 export * from './_entity.js';
 export * from './types.js';

package/modules/ModuleBE_Permissions.d.ts

@@ -1,7 +1,7 @@
 import { Module, TypedMap } from '@nu-art/ts-common';
+import type { PerformProjectSetup } from '@nu-art/permissions-shared';
 import { DB_PermissionGroup, DB_PermissionProject, DefaultDef_Group, SessionData_Permissions } from '@nu-art/permissions-shared';
 import { BaseSessionClaims, CollectSessionData } from '@nu-art/user-account-backend';
-import { PerformProjectSetup } from '@nu-art/thunderstorm-backend/modules/action-processor/Action_SetupProject';
 import { DefaultDef_Project } from '../types.js';
 export interface CollectPermissionsProjects {
     __collectPermissionsProjects(): DefaultDef_Project;
@@ -16,13 +16,19 @@ export declare const PermissionGroups_Permissions: DefaultDef_Group[];
 export declare const PermissionProject_Permissions: DefaultDef_Project;
 declare class ModuleBE_Permissions_Class extends Module implements CollectSessionData<SessionData_Permissions>, PerformProjectSetup {
     protected init(): void;
+    toggleStrictMode(_params?: unknown): Promise<void>;
+    createProject(_params?: unknown): Promise<void>;
     __collectSessionData(data: BaseSessionClaims): Promise<SessionData_Permissions>;
     getUserPermissionMap: (userGroups: DB_PermissionGroup[]) => Promise<TypedMap<number>>;
-    toggleStrictMode: () => Promise<void>;
     __performProjectSetup(): {
         priority: number;
         processor: () => Promise<void>;
     };
+    /**
+     * Creates domains and access levels from the function-permission registry (populated by @RequirePermission decorators).
+     * New (scopeKey, value) pairs get domains/levels created; not assigned to anyone until explicitly assigned.
+     */
+    private createDomainsAndLevelsFromFunctionPermissionRegistry;
     createPermissionProjects(projects: DefaultDef_Project[]): Promise<void>;
     /**
      * Creates All the DB_PermissionProject
@@ -53,8 +59,8 @@ declare class ModuleBE_Permissions_Class extends Module implements CollectSessio
      */
     private createGroups;
     /**
-     * Creates All the DB_PermissionApi
-     *
+     * Creates All the DB_PermissionApi (path-based).
+     * @deprecated API collection deprecated; use function-based permissions and @RequirePermission. Domains/levels from function-permission registry instead.
      * @param projects - predefined permissions projects
      * @param domainNameToLevelNameToDBAccessLevel
      */