@objectstack/plugin-security 4.0.5 → 4.1.1

package/dist/index.mjs

@@ -75,7 +75,7 @@ var PermissionEvaluator = class {
    * SecurityPlugin would never resolve the defaults and all enforcement
    * would be silently disabled for authenticated requests.
    */
-  async resolvePermissionSets(identifiers, metadataService, bootstrapPermissionSets = []) {
+  async resolvePermissionSets(identifiers, metadataService, bootstrapPermissionSets = [], dbLoader) {
     if (identifiers.length === 0) return [];
     const result = [];
     const seen = /* @__PURE__ */ new Set();
@@ -100,6 +100,21 @@ var PermissionEvaluator = class {
         result.push(ps);
       }
     }
+    if (dbLoader) {
+      const unresolved = identifiers.filter((n) => !seen.has(n));
+      if (unresolved.length > 0) {
+        try {
+          const dbRows = await dbLoader(unresolved);
+          for (const ps of dbRows ?? []) {
+            if (ps?.name && !seen.has(ps.name)) {
+              seen.add(ps.name);
+              result.push(ps);
+            }
+          }
+        } catch {
+        }
+      }
+    }
     return result;
   }
 };
@@ -239,6 +254,40 @@ var FieldMasker = class {
     }
     return result;
   }
+  /**
+   * Detect which fields in the caller's write payload would touch a
+   * field they are not allowed to edit. Returns the set of offending
+   * field names (no duplicates, sorted for stable error messages).
+   *
+   * Used by the security middleware on insert/update to fail-closed
+   * with an explicit 403 rather than silently dropping fields — a
+   * silent drop hides the security boundary from honest clients
+   * (their update partially "doesn't save") and gives an attacker no
+   * negative signal that the field exists. Throwing makes the
+   * boundary observable in both directions.
+   *
+   * `data` may be a single record or an array of records (bulk insert);
+   * either way the returned list is the union across all rows.
+   *
+   * Fields without a permission entry pass through — permission sets
+   * are an allow-list at the field level only for fields they
+   * explicitly enumerate. Most objects do not declare per-field rules
+   * and remain fully editable.
+   */
+  detectForbiddenWrites(data, fieldPermissions) {
+    if (Object.keys(fieldPermissions).length === 0) return [];
+    const nonEditable = new Set(this.getNonEditableFields(fieldPermissions));
+    if (nonEditable.size === 0) return [];
+    const offenders = /* @__PURE__ */ new Set();
+    const rows = Array.isArray(data) ? data : [data];
+    for (const row of rows) {
+      if (!row || typeof row !== "object") continue;
+      for (const field of Object.keys(row)) {
+        if (nonEditable.has(field)) offenders.add(field);
+      }
+    }
+    return Array.from(offenders).sort();
+  }
   maskRecord(record, hiddenFields) {
     if (!record || typeof record !== "object") return record;
     const result = { ...record };
@@ -430,7 +479,7 @@ var SKIP_COPY_FIELDS = /* @__PURE__ */ new Set([
   "updated_at",
   "organization_id"
 ]);
-var SKIP_COPY_TYPES = /* @__PURE__ */ new Set(["formula", "summary", "autonumber"]);
+var SKIP_COPY_TYPES = /* @__PURE__ */ new Set(["formula", "summary"]);
 function fieldList(schema) {
   const fields = schema?.fields;
   if (!fields) return [];
@@ -569,16 +618,20 @@ async function cloneTenantSeedData(ql, targetOrgId, options = {}) {
       const oldVal = item.record[f.name];
       if (oldVal == null) continue;
       const targetMap = remap[f.reference];
-      if (!targetMap) continue;
       if (Array.isArray(oldVal)) {
-        const next = oldVal.map((v) => typeof v === "string" && targetMap[v] || v);
-        if (next.some((v, i) => v !== oldVal[i])) {
-          patch[f.name] = next;
+        const next = oldVal.map((v) => typeof v === "string" && targetMap?.[v] || null).filter((v) => v != null);
+        if (next.length !== oldVal.length || next.some((v, i) => v !== oldVal[i])) {
+          patch[f.name] = next.length > 0 ? next : null;
+          dirty = true;
+        }
+      } else if (typeof oldVal === "string") {
+        if (targetMap && targetMap[oldVal]) {
+          patch[f.name] = targetMap[oldVal];
+          dirty = true;
+        } else {
+          patch[f.name] = null;
           dirty = true;
         }
-      } else if (typeof oldVal === "string" && targetMap[oldVal]) {
-        patch[f.name] = targetMap[oldVal];
-        dirty = true;
       }
     }
     if (!dirty) continue;
@@ -602,8 +655,18 @@ function genId2(prefix) {
   const ts = Date.now().toString(36);
   return `${prefix}_${ts}${rand}`;
 }
-function slugify(input) {
-  return input.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 40) || "workspace";
+function slugify(input, fallback = "workspace") {
+  const cleaned = input.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 40);
+  return cleaned || fallback;
+}
+function deriveSlugFallback(user) {
+  if (user.email) {
+    const local = user.email.split("@")[0] ?? "";
+    const localSlug = local.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 40);
+    if (localSlug) return localSlug;
+  }
+  const idTail = user.id.replace(/[^a-z0-9]/gi, "").slice(-8).toLowerCase();
+  return idTail ? `user-${idTail}` : "user";
 }
 function deriveBaseName(user) {
   if (user.name && user.name.trim()) return user.name.trim();
@@ -634,7 +697,8 @@ async function ensureUserHasOrganization(ql, user, options = {}) {
   }
   const base = deriveBaseName(user);
   const orgName = `${base}'s Workspace`;
-  const baseSlug = slugify(base);
+  const slugFallback = deriveSlugFallback(user);
+  const baseSlug = slugify(base, slugFallback);
   let slug = `${baseSlug}-workspace`;
   for (let attempt = 1; attempt <= 5; attempt += 1) {
     const collision = await tryFind2(ql, "sys_organization", { slug }, 1);
@@ -747,6 +811,17 @@ var SecurityPlugin = class {
      * invalidation — a kernel restart drops the cache.
      */
     this.fieldNamesCache = /* @__PURE__ */ new Map();
+    /**
+     * Per-object cache of tenancy opt-out. `true` means the schema
+     * explicitly disabled multi-tenancy (`tenancy.enabled === false` or
+     * `systemFields.tenant === false`). Wildcard policies that target
+     * the conventional tenant column (`organization_id`) are treated as
+     * *not applicable* on these tables instead of triggering the
+     * field-missing deny sentinel — without this, every read of a
+     * cross-org catalog (e.g. `sys_package`, the Marketplace) returns
+     * zero rows.
+     */
+    this.tenancyDisabledCache = /* @__PURE__ */ new Map();
     this.bootstrapPermissionSets = options.defaultPermissionSets ?? securityDefaultPermissionSets;
     this.fallbackPermissionSet = options.fallbackPermissionSet === void 0 ? "member_default" : options.fallbackPermissionSet;
     this.multiTenant = options.multiTenant !== false;
@@ -756,6 +831,8 @@ var SecurityPlugin = class {
     ctx.registerService("security.permissions", this.permissionEvaluator);
     ctx.registerService("security.rls", this.rlsCompiler);
     ctx.registerService("security.fieldMasker", this.fieldMasker);
+    ctx.registerService("security.bootstrapPermissionSets", this.bootstrapPermissionSets);
+    ctx.registerService("security.fallbackPermissionSet", this.fallbackPermissionSet);
     ctx.getService("manifest").register({
       ...securityPluginManifestHeader,
       objects: securityObjects,
@@ -783,6 +860,25 @@ var SecurityPlugin = class {
       ctx.logger.warn("ObjectQL engine does not support middleware, security middleware not registered");
       return;
     }
+    const dbLoader = ql ? async (names) => {
+      let rows;
+      try {
+        rows = await ql.find(
+          "sys_permission_set",
+          { where: { name: { $in: names } }, limit: names.length },
+          { context: { isSystem: true } }
+        );
+      } catch {
+        rows = [];
+      }
+      const list = Array.isArray(rows) ? rows : rows?.records ?? [];
+      return list.map((r) => ({
+        name: r.name,
+        label: r.label,
+        objects: typeof r.object_permissions === "string" ? JSON.parse(r.object_permissions || "{}") : r.object_permissions ?? {},
+        fields: typeof r.field_permissions === "string" ? JSON.parse(r.field_permissions || "{}") : r.field_permissions ?? {}
+      }));
+    } : void 0;
     ql.registerMiddleware(async (opCtx, next) => {
       if (opCtx.context?.isSystem) {
         return next();
@@ -801,13 +897,15 @@ var SecurityPlugin = class {
         permissionSets = await this.permissionEvaluator.resolvePermissionSets(
           requested,
           metadata,
-          this.bootstrapPermissionSets
+          this.bootstrapPermissionSets,
+          dbLoader
         );
         if (permissionSets.length === 0 && opCtx.context?.userId && this.fallbackPermissionSet) {
           const fallback = await this.permissionEvaluator.resolvePermissionSets(
             [this.fallbackPermissionSet],
             metadata,
-            this.bootstrapPermissionSets
+            this.bootstrapPermissionSets,
+            dbLoader
           );
           permissionSets = fallback;
         }
@@ -827,6 +925,30 @@ var SecurityPlugin = class {
           );
         }
       }
+      if ((opCtx.operation === "insert" || opCtx.operation === "update") && opCtx.data && permissionSets.length > 0) {
+        const fieldPerms = this.permissionEvaluator.getFieldPermissions(
+          opCtx.object,
+          permissionSets
+        );
+        if (Object.keys(fieldPerms).length > 0) {
+          const forbidden = this.fieldMasker.detectForbiddenWrites(
+            opCtx.data,
+            fieldPerms
+          );
+          if (forbidden.length > 0) {
+            throw new PermissionDeniedError(
+              `[Security] Field write denied: not permitted to edit [${forbidden.join(", ")}] on '${opCtx.object}'`,
+              {
+                operation: opCtx.operation,
+                object: opCtx.object,
+                roles,
+                permissionSets: explicitPermissionSets,
+                forbiddenFields: forbidden
+              }
+            );
+          }
+        }
+      }
       if (opCtx.operation === "insert" && opCtx.data && typeof opCtx.data === "object" && !Array.isArray(opCtx.data)) {
         const needsTenant = this.multiTenant && !!opCtx.context?.tenantId;
         const needsOwner = !!opCtx.context?.userId;
@@ -846,12 +968,17 @@ var SecurityPlugin = class {
       const allRlsPolicies = this.collectRLSPolicies(permissionSets, opCtx.object, opCtx.operation);
       if (allRlsPolicies.length > 0 && opCtx.ast) {
         const objectFields = await this.getObjectFieldNames(metadata, opCtx.object, ql);
+        const tenancyDisabled = this.tenancyDisabledCache.get(opCtx.object) === true;
         let dropped = 0;
         const compilable = objectFields ? allRlsPolicies.filter((p) => {
           const targetField = this.extractTargetField(p.using);
-          const ok = targetField ? objectFields.has(targetField) : true;
-          if (!ok) dropped++;
-          return ok;
+          if (!targetField) return true;
+          if (objectFields.has(targetField)) return true;
+          if (tenancyDisabled && targetField === "organization_id") {
+            return false;
+          }
+          dropped++;
+          return false;
         }) : allRlsPolicies;
         let rlsFilter = this.rlsCompiler.compileFilter(compilable, opCtx.context);
         if (rlsFilter == null && dropped > 0) {
@@ -924,6 +1051,14 @@ var SecurityPlugin = class {
         }
         const newOrgId = opCtx?.result?.id ?? opCtx?.data?.id;
         if (!newOrgId) return;
+        const kernel = ctx.kernel ?? ctx;
+        let datasets;
+        try {
+          const raw = kernel?.getService?.("seed-datasets");
+          if (Array.isArray(raw) && raw.length > 0) datasets = raw;
+        } catch {
+        }
+        let orgCount = 0;
         try {
           const allOrgs = await ql.find(
             "sys_organization",
@@ -931,20 +1066,72 @@ var SecurityPlugin = class {
             { context: { isSystem: true } }
           );
           const list = Array.isArray(allOrgs) ? allOrgs : Array.isArray(allOrgs?.records) ? allOrgs.records : [];
-          if (list.length !== 1) return;
-          const claims = await claimOrphanTenantRows(ql, newOrgId, { logger: ctx.logger });
-          if (claims.length > 0) {
-            const total = claims.reduce((s, c) => s + c.count, 0);
+          orgCount = list.length;
+        } catch (e) {
+          ctx.logger.warn("[security] failed to count organizations", {
+            error: e.message
+          });
+        }
+        let replayed = false;
+        try {
+          const replayer = kernel?.getService?.("seed-replayer");
+          if (typeof replayer === "function") {
+            const summary = await replayer(newOrgId);
+            const total = (summary?.inserted ?? 0) + (summary?.updated ?? 0);
             ctx.logger.info(
-              `[security] claimed ${total} orphan seed row(s) for first organization ${newOrgId}`,
-              { breakdown: claims }
+              `[security] per-org seed replay for ${newOrgId}: +${summary?.inserted ?? 0} inserted, ${summary?.updated ?? 0} updated, ${summary?.errors?.length ?? 0} error(s)`,
+              {
+                organizationId: newOrgId,
+                errors: summary?.errors?.slice?.(0, 5)
+              }
             );
+            if (total > 0) replayed = true;
+          } else if (datasets) {
+            ctx.logger.warn("[security] per-org seed: datasets present but no replayer registered", {
+              organizationId: newOrgId
+            });
           }
         } catch (e) {
-          ctx.logger.warn("[security] claim-orphan-tenant-rows failed", {
+          ctx.logger.warn("[security] per-org seed replay failed, falling back", {
+            organizationId: newOrgId,
             error: e.message
           });
         }
+        if (replayed) return;
+        if (orgCount === 1) {
+          try {
+            const claims = await claimOrphanTenantRows(ql, newOrgId, { logger: ctx.logger });
+            if (claims.length > 0) {
+              const total = claims.reduce((s, c) => s + c.count, 0);
+              ctx.logger.info(
+                `[security] claimed ${total} orphan seed row(s) for first organization ${newOrgId}`,
+                { breakdown: claims }
+              );
+              return;
+            }
+          } catch (e) {
+            ctx.logger.warn("[security] claim-orphan-tenant-rows failed", {
+              error: e.message
+            });
+          }
+        }
+        if (orgCount > 1) {
+          try {
+            const summary = await cloneTenantSeedData(ql, newOrgId, { logger: ctx.logger });
+            if (summary.length > 0) {
+              const total = summary.reduce((s, c) => s + c.count, 0);
+              ctx.logger.info(
+                `[security] cloned ${total} seed row(s) for new organization ${newOrgId}`,
+                { breakdown: summary }
+              );
+            }
+          } catch (e) {
+            ctx.logger.warn("[security] clone-tenant-seed-data failed", {
+              organizationId: newOrgId,
+              error: e.message
+            });
+          }
+        }
       });
     }
   }
@@ -988,6 +1175,8 @@ var SecurityPlugin = class {
         obj = await metadata?.get?.("object", objectName);
       }
       if (!obj || !obj.fields) return null;
+      const tenancyDisabled = obj?.tenancy?.enabled === false || obj?.systemFields?.tenant === false;
+      this.tenancyDisabledCache.set(objectName, !!tenancyDisabled);
       const set = /* @__PURE__ */ new Set(["id"]);
       if (Array.isArray(obj.fields)) {
         for (const f of obj.fields) {