@objectstack/plugin-sharing 6.8.1 → 6.9.0

package/dist/index.mjs

@@ -1,5 +1,5 @@
 // src/index.ts
-import { SysRecordShare as SysRecordShare2, SysSharingRule as SysSharingRule2 } from "@objectstack/platform-objects/security";
+import { SysRecordShare as SysRecordShare2, SysSharingRule as SysSharingRule2, SysShareLink as SysShareLink2 } from "@objectstack/platform-objects/security";
 import { SysDepartment as SysDepartment2, SysDepartmentMember as SysDepartmentMember2 } from "@objectstack/platform-objects/identity";
 
 // src/sharing-service.ts
@@ -759,8 +759,435 @@ var SharingRuleService = class {
   }
 };
 
-// src/rule-hooks.ts
+// src/share-link-service.ts
 var SYSTEM_CTX5 = { isSystem: true, roles: [], permissions: [] };
+var TOKEN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+var TOKEN_LENGTH = 24;
+var DEFAULT_MAX_EXPIRY_DAYS = 365;
+function generateToken(length = TOKEN_LENGTH) {
+  const g = globalThis;
+  const bytes = new Uint8Array(length);
+  if (g.crypto?.getRandomValues) {
+    g.crypto.getRandomValues(bytes);
+  } else {
+    for (let i = 0; i < length; i++) bytes[i] = Math.floor(Math.random() * 256);
+  }
+  let out = "";
+  for (let i = 0; i < length; i++) {
+    out += TOKEN_ALPHABET[bytes[i] % TOKEN_ALPHABET.length];
+  }
+  return out;
+}
+function getPolicy(schema) {
+  const raw = schema?.publicSharing;
+  if (!raw || raw.enabled !== true) {
+    return {
+      enabled: false,
+      allowedAudiences: [],
+      allowedPermissions: [],
+      redactFields: []
+    };
+  }
+  return {
+    enabled: true,
+    allowedAudiences: raw.allowedAudiences ?? ["link_only"],
+    allowedPermissions: raw.allowedPermissions ?? ["view"],
+    maxExpiryDays: typeof raw.maxExpiryDays === "number" ? raw.maxExpiryDays : void 0,
+    redactFields: Array.isArray(raw.redactFields) ? raw.redactFields : []
+  };
+}
+function normaliseExpiresAt(input, maxDays) {
+  if (!input) return null;
+  const now = Date.now();
+  const cap = now + maxDays * 864e5;
+  const m = /^([0-9]+)(s|m|h|d)$/i.exec(input);
+  if (m) {
+    const n = Number(m[1]);
+    const unit = m[2].toLowerCase();
+    const ms = unit === "s" ? n * 1e3 : unit === "m" ? n * 6e4 : unit === "h" ? n * 36e5 : n * 864e5;
+    const at = now + ms;
+    if (at > cap) {
+      throw makeError(422, "EXPIRY_TOO_LONG", `expiresAt exceeds the object's max of ${maxDays} days`);
+    }
+    return new Date(at).toISOString();
+  }
+  const t = Date.parse(input);
+  if (Number.isNaN(t)) {
+    throw makeError(422, "INVALID_EXPIRY", `expiresAt is not a valid ISO timestamp or duration: ${input}`);
+  }
+  if (t > cap) {
+    throw makeError(422, "EXPIRY_TOO_LONG", `expiresAt exceeds the object's max of ${maxDays} days`);
+  }
+  if (t <= now) {
+    throw makeError(422, "EXPIRY_IN_PAST", "expiresAt must be in the future");
+  }
+  return new Date(t).toISOString();
+}
+async function defaultHashPassword(password) {
+  const g = globalThis;
+  const subtle = g.crypto?.subtle;
+  const salt = generateToken(16);
+  if (!subtle) {
+    return `weak$${salt}$${password}`;
+  }
+  const enc = new TextEncoder();
+  const buf = await subtle.digest("SHA-256", enc.encode(salt + ":" + password));
+  const hex = Array.from(new Uint8Array(buf)).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return `sha256$${salt}$${hex}`;
+}
+async function defaultVerifyPassword(password, hash) {
+  if (hash.startsWith("weak$")) {
+    const [, , stored] = hash.split("$");
+    return stored === password;
+  }
+  if (hash.startsWith("sha256$")) {
+    const [, salt, expected] = hash.split("$");
+    const g = globalThis;
+    const subtle = g.crypto?.subtle;
+    if (!subtle) return false;
+    const enc = new TextEncoder();
+    const buf = await subtle.digest("SHA-256", enc.encode(salt + ":" + password));
+    const hex = Array.from(new Uint8Array(buf)).map((b) => b.toString(16).padStart(2, "0")).join("");
+    return hex === expected;
+  }
+  return false;
+}
+function makeError(status, code, message) {
+  const err = new Error(message);
+  err.status = status;
+  err.code = code;
+  return err;
+}
+var ShareLinkService = class {
+  constructor(opts) {
+    this.engine = opts.engine;
+    this.permissive = opts.permissive ?? false;
+    this.hashPassword = opts.hashPassword ?? defaultHashPassword;
+    this.verifyPassword = opts.verifyPassword ?? defaultVerifyPassword;
+  }
+  async createLink(input, context) {
+    if (!input.object) throw makeError(400, "VALIDATION_FAILED", "object is required");
+    if (!input.recordId) throw makeError(400, "VALIDATION_FAILED", "recordId is required");
+    const schema = this.engine.getSchema?.(input.object);
+    const policy = getPolicy(schema);
+    if (!policy.enabled && !this.permissive && !context.isSystem) {
+      throw makeError(
+        422,
+        "SHARING_NOT_ENABLED",
+        `Object '${input.object}' has not enabled publicSharing in its schema`
+      );
+    }
+    const permission = input.permission ?? "view";
+    if (policy.enabled && policy.allowedPermissions.length > 0 && !policy.allowedPermissions.includes(permission)) {
+      throw makeError(
+        422,
+        "PERMISSION_NOT_ALLOWED",
+        `Object '${input.object}' does not allow share permission '${permission}'. Allowed: ${policy.allowedPermissions.join(", ")}`
+      );
+    }
+    const audience = input.audience ?? "link_only";
+    if (policy.enabled && policy.allowedAudiences.length > 0 && !policy.allowedAudiences.includes(audience)) {
+      throw makeError(
+        422,
+        "AUDIENCE_NOT_ALLOWED",
+        `Object '${input.object}' does not allow audience '${audience}'. Allowed: ${policy.allowedAudiences.join(", ")}`
+      );
+    }
+    if (audience === "email" && (!input.emailAllowlist || input.emailAllowlist.length === 0)) {
+      throw makeError(400, "VALIDATION_FAILED", "emailAllowlist is required when audience=email");
+    }
+    const exists = await this.engine.find(input.object, {
+      where: { id: input.recordId },
+      fields: ["id"],
+      limit: 1,
+      context: SYSTEM_CTX5
+    });
+    if (!Array.isArray(exists) || exists.length === 0) {
+      throw makeError(404, "RECORD_NOT_FOUND", `${input.object}/${input.recordId} does not exist`);
+    }
+    const maxDays = policy.maxExpiryDays ?? DEFAULT_MAX_EXPIRY_DAYS;
+    const expires_at = normaliseExpiresAt(input.expiresAt, maxDays);
+    const passwordHash = input.password ? await this.hashPassword(input.password) : null;
+    const row = {
+      id: `shl_${generateToken(16)}`,
+      token: generateToken(TOKEN_LENGTH),
+      object_name: input.object,
+      record_id: input.recordId,
+      permission,
+      audience,
+      expires_at,
+      email_allowlist: input.emailAllowlist && input.emailAllowlist.length > 0 ? input.emailAllowlist.map((e) => e.trim().toLowerCase()).filter(Boolean) : null,
+      password_hash: passwordHash,
+      redact_fields: input.redactFields && input.redactFields.length > 0 ? input.redactFields : null,
+      label: input.label ?? null,
+      revoked_at: null,
+      created_by: context.userId ?? null,
+      created_at: (/* @__PURE__ */ new Date()).toISOString(),
+      last_used_at: null,
+      use_count: 0
+    };
+    await this.engine.insert("sys_share_link", row, { context: SYSTEM_CTX5 });
+    return row;
+  }
+  async revokeLink(idOrToken, _context) {
+    if (!idOrToken) throw makeError(400, "VALIDATION_FAILED", "id or token is required");
+    const filter = idOrToken.startsWith("shl_") ? { id: idOrToken } : { token: idOrToken };
+    const rows = await this.engine.find("sys_share_link", {
+      where: filter,
+      fields: ["id", "revoked_at"],
+      limit: 1,
+      context: SYSTEM_CTX5
+    });
+    const row = Array.isArray(rows) ? rows[0] : void 0;
+    if (!row) return;
+    if (row.revoked_at) return;
+    await this.engine.update(
+      "sys_share_link",
+      { id: row.id, revoked_at: (/* @__PURE__ */ new Date()).toISOString() },
+      { context: SYSTEM_CTX5 }
+    );
+  }
+  async listLinks(filter, context) {
+    const where = {};
+    if (filter.object) where.object_name = filter.object;
+    if (filter.recordId) where.record_id = filter.recordId;
+    if (filter.createdBy) where.created_by = filter.createdBy;
+    if (!filter.includeRevoked) where.revoked_at = null;
+    const rows = await this.engine.find("sys_share_link", {
+      where,
+      limit: 200,
+      sort: [{ field: "created_at", order: "desc" }],
+      context: context.isSystem ? SYSTEM_CTX5 : context
+    });
+    return Array.isArray(rows) ? rows : [];
+  }
+  async resolveToken(token, probe = {}) {
+    if (!token || typeof token !== "string" || token.length < 8) return null;
+    const rows = await this.engine.find("sys_share_link", {
+      where: { token },
+      limit: 1,
+      context: SYSTEM_CTX5
+    });
+    const row = Array.isArray(rows) ? rows[0] : void 0;
+    if (!row) return null;
+    if (row.revoked_at) return null;
+    if (row.expires_at && Date.parse(row.expires_at) <= Date.now()) return null;
+    if (row.audience === "signed_in" && !probe.signedInUserId) return null;
+    if (row.audience === "email") {
+      const allow = row.email_allowlist ?? [];
+      const supplied = (probe.recipientEmail ?? "").trim().toLowerCase();
+      if (!supplied || !allow.includes(supplied)) return null;
+    }
+    if (row.password_hash) {
+      if (!probe.providedPassword) return null;
+      const ok = await this.verifyPassword(probe.providedPassword, row.password_hash);
+      if (!ok) return null;
+    }
+    const schema = this.engine.getSchema?.(row.object_name);
+    const policy = getPolicy(schema);
+    const redactFields = Array.from(
+      /* @__PURE__ */ new Set([...policy.redactFields ?? [], ...row.redact_fields ?? []])
+    );
+    try {
+      await this.engine.update(
+        "sys_share_link",
+        {
+          id: row.id,
+          last_used_at: (/* @__PURE__ */ new Date()).toISOString(),
+          use_count: (row.use_count ?? 0) + 1
+        },
+        { context: SYSTEM_CTX5 }
+      );
+    } catch {
+    }
+    return { link: row, redactFields };
+  }
+};
+
+// src/share-link-routes.ts
+var SYSTEM_CTX6 = { isSystem: true, roles: [], permissions: [] };
+var defaultContext = (req) => {
+  const header = (name) => {
+    const v = req.headers?.[name];
+    return Array.isArray(v) ? v[0] : v;
+  };
+  return {
+    userId: header("x-user-id"),
+    tenantId: header("x-tenant-id")
+  };
+};
+function sendError(res, status, code, message) {
+  res.status(status).json({ error: { code, message } });
+}
+function applyRedaction(record, redactFields) {
+  if (!record || typeof record !== "object" || redactFields.length === 0) return record;
+  if (Array.isArray(record)) return record.map((r) => applyRedaction(r, redactFields));
+  const out = {};
+  for (const [k, v] of Object.entries(record)) {
+    if (redactFields.includes(k)) continue;
+    out[k] = v;
+  }
+  return out;
+}
+function registerShareLinkRoutes(http, service, engine, opts = {}) {
+  const base = opts.basePath ?? "/api/v1/share-links";
+  const ctxOf = opts.contextFromRequest ?? defaultContext;
+  http.post(base, (async (req, res) => {
+    try {
+      const ctx = ctxOf(req);
+      const body = req.body ?? {};
+      if (!body.object || !body.recordId) {
+        return sendError(res, 400, "VALIDATION_FAILED", "object and recordId are required");
+      }
+      const link = await service.createLink(
+        {
+          object: body.object,
+          recordId: body.recordId,
+          permission: body.permission,
+          audience: body.audience,
+          expiresAt: body.expiresAt ?? null,
+          emailAllowlist: body.emailAllowlist,
+          password: body.password,
+          redactFields: body.redactFields,
+          label: body.label
+        },
+        ctx
+      );
+      await res.status(201).json({ link });
+    } catch (err) {
+      sendError(res, err?.status ?? 500, err?.code ?? "INTERNAL", err?.message ?? "Failed to create link");
+    }
+  }));
+  http.get(base, (async (req, res) => {
+    try {
+      const ctx = ctxOf(req);
+      const q = req.query ?? {};
+      const link = await service.listLinks(
+        {
+          object: typeof q.object === "string" ? q.object : void 0,
+          recordId: typeof q.recordId === "string" ? q.recordId : void 0,
+          createdBy: typeof q.createdBy === "string" ? q.createdBy : void 0,
+          includeRevoked: q.includeRevoked === "true" || q.includeRevoked === "1"
+        },
+        ctx
+      );
+      await res.json({ links: link });
+    } catch (err) {
+      sendError(res, err?.status ?? 500, err?.code ?? "INTERNAL", err?.message ?? "Failed to list links");
+    }
+  }));
+  http.delete(`${base}/:idOrToken`, (async (req, res) => {
+    try {
+      const ctx = ctxOf(req);
+      await service.revokeLink(req.params.idOrToken, ctx);
+      await res.status(200).json({ ok: true });
+    } catch (err) {
+      sendError(res, err?.status ?? 500, err?.code ?? "INTERNAL", err?.message ?? "Failed to revoke link");
+    }
+  }));
+  http.get(`${base}/:token/resolve`, (async (req, res) => {
+    try {
+      const q = req.query ?? {};
+      const signedInUserId = (() => {
+        const v = req.headers?.["x-user-id"];
+        return Array.isArray(v) ? v[0] : v;
+      })();
+      const recipientEmail = typeof q.email === "string" ? q.email : void 0;
+      const providedPassword = typeof q.password === "string" ? q.password : (() => {
+        const v = req.headers?.["x-share-password"];
+        return Array.isArray(v) ? v[0] : v;
+      })();
+      const resolved = await service.resolveToken(req.params.token, {
+        signedInUserId,
+        recipientEmail,
+        providedPassword
+      });
+      if (!resolved) {
+        const probe = await engine.find("sys_share_link", {
+          where: { token: req.params.token },
+          limit: 1,
+          context: SYSTEM_CTX6
+        });
+        const row = Array.isArray(probe) && probe[0] ? probe[0] : null;
+        if (row && !row.revoked_at && (!row.expires_at || Date.parse(row.expires_at) > Date.now())) {
+          if (row.password_hash) {
+            return sendError(
+              res,
+              401,
+              providedPassword ? "WRONG_PASSWORD" : "NEEDS_PASSWORD",
+              providedPassword ? "Incorrect password" : "This link requires a password"
+            );
+          }
+          if (row.audience === "signed_in" && !signedInUserId) {
+            return sendError(res, 401, "SIGN_IN_REQUIRED", "Please sign in to view this link");
+          }
+        }
+        if (row && (row.revoked_at || row.expires_at && Date.parse(row.expires_at) <= Date.now())) {
+          return sendError(res, 410, "EXPIRED_OR_REVOKED", "Share link has expired or been revoked");
+        }
+        return sendError(res, 404, "INVALID_OR_EXPIRED", "Share link is invalid, expired, or revoked");
+      }
+      const rows = await engine.find(resolved.link.object_name, {
+        where: { id: resolved.link.record_id },
+        limit: 1,
+        context: SYSTEM_CTX6
+      });
+      const record = Array.isArray(rows) && rows[0] ? rows[0] : null;
+      if (!record) {
+        return sendError(res, 410, "RECORD_GONE", "The shared record no longer exists");
+      }
+      await res.json({
+        record: applyRedaction(record, resolved.redactFields),
+        link: {
+          id: resolved.link.id,
+          token: resolved.link.token,
+          object_name: resolved.link.object_name,
+          record_id: resolved.link.record_id,
+          permission: resolved.link.permission,
+          audience: resolved.link.audience,
+          expires_at: resolved.link.expires_at,
+          label: resolved.link.label,
+          created_at: resolved.link.created_at
+        },
+        redactFields: resolved.redactFields
+      });
+    } catch (err) {
+      sendError(res, err?.status ?? 500, err?.code ?? "INTERNAL", err?.message ?? "Failed to resolve link");
+    }
+  }));
+  http.get(`${base}/:token/messages`, (async (req, res) => {
+    try {
+      const password = typeof req.query?.password === "string" ? req.query.password : void 0;
+      const resolved = await service.resolveToken(req.params.token, { providedPassword: password });
+      if (!resolved) {
+        sendError(res, 404, "NOT_FOUND", "Share link not found");
+        return;
+      }
+      if (resolved.link.object_name !== "ai_conversations") {
+        sendError(res, 400, "UNSUPPORTED", "This share link does not expose messages");
+        return;
+      }
+      const SYSTEM_CTX8 = { isSystem: true, roles: [], permissions: [] };
+      const rows = await engine.find("ai_messages", {
+        where: { conversation_id: resolved.link.record_id },
+        sort: [{ field: "created_at", direction: "asc" }],
+        limit: 500,
+        context: SYSTEM_CTX8
+      });
+      res.status(200).json({ data: rows ?? [] });
+    } catch (err) {
+      sendError(
+        res,
+        err?.status ?? 500,
+        err?.code ?? "INTERNAL",
+        err?.message ?? "Failed to load messages"
+      );
+    }
+  }));
+}
+
+// src/rule-hooks.ts
+var SYSTEM_CTX7 = { isSystem: true, roles: [], permissions: [] };
 var SHARING_RULE_HOOK_PACKAGE = "plugin-sharing:rules";
 function bindRuleHooks(engine, service, rules, logger) {
   const objects = /* @__PURE__ */ new Set();
@@ -775,7 +1202,7 @@ function bindRuleHooks(engine, service, rules, logger) {
         const data = ctx?.result ?? ctx?.input?.data ?? {};
         const id = String(data?.id ?? ctx?.input?.id ?? "");
         if (!id) return;
-        await service.evaluateAllForRecord(objectName, id, SYSTEM_CTX5);
+        await service.evaluateAllForRecord(objectName, id, SYSTEM_CTX7);
       } catch (err) {
         logger?.warn?.("[sharing-rule] hook evaluation failed", { object: objectName, error: err?.message });
       }
@@ -790,7 +1217,7 @@ function unbindAllRuleHooks(engine) {
 }
 
 // src/sharing-plugin.ts
-import { SysRecordShare, SysSharingRule } from "@objectstack/platform-objects/security";
+import { SysRecordShare, SysSharingRule, SysShareLink } from "@objectstack/platform-objects/security";
 import { SysDepartment, SysDepartmentMember } from "@objectstack/platform-objects/identity";
 var SharingServicePlugin = class {
   constructor(options = {}) {
@@ -809,7 +1236,7 @@ var SharingServicePlugin = class {
       scope: "system",
       defaultDatasource: "cloud",
       namespace: "sys",
-      objects: [SysRecordShare, SysSharingRule, SysDepartment, SysDepartmentMember]
+      objects: [SysRecordShare, SysSharingRule, SysDepartment, SysDepartmentMember, SysShareLink]
     });
     ctx.logger.info("SharingServicePlugin: schema registered");
   }
@@ -861,6 +1288,31 @@ var SharingServicePlugin = class {
       } catch (err) {
         ctx.logger.warn("SharingServicePlugin: sharing-rule subsystem not started", { error: err?.message });
       }
+      try {
+        this.linkService = new ShareLinkService({ engine });
+        ctx.registerService("shareLinks", this.linkService);
+        if (this.options.registerShareLinkRoutes !== false) {
+          let http = null;
+          try {
+            http = ctx.getService("http-server");
+          } catch {
+          }
+          if (http) {
+            registerShareLinkRoutes(http, this.linkService, engine, {
+              basePath: this.options.shareLinkBasePath
+            });
+            ctx.logger.info(
+              "SharingServicePlugin: share-link routes mounted at " + (this.options.shareLinkBasePath ?? "/api/v1/share-links")
+            );
+          } else {
+            ctx.logger.warn(
+              'SharingServicePlugin: no HTTP server \u2014 share-link REST routes not registered. ShareLinkService is still reachable via kernel.getService("shareLinks").'
+            );
+          }
+        }
+      } catch (err) {
+        ctx.logger.warn("SharingServicePlugin: share-link subsystem not started", { error: err?.message });
+      }
     });
   }
 };
@@ -923,20 +1375,27 @@ function inferTargetId(data, options) {
   }
   return void 0;
 }
+
+// src/index.ts
+import { SHARE_LINK_SERVICE } from "@objectstack/spec/contracts";
 export {
   DepartmentGraphService,
+  SHARE_LINK_SERVICE,
   SHARING_RULE_HOOK_PACKAGE,
+  ShareLinkService,
   SharingRuleService,
   SharingService,
   SharingServicePlugin,
   SysDepartment2 as SysDepartment,
   SysDepartmentMember2 as SysDepartmentMember,
   SysRecordShare2 as SysRecordShare,
+  SysShareLink2 as SysShareLink,
   SysSharingRule2 as SysSharingRule,
   TeamGraphService,
   bindRuleHooks,
   buildSharingMiddleware,
   expandPrincipal,
+  registerShareLinkRoutes,
   unbindAllRuleHooks
 };
 //# sourceMappingURL=index.mjs.map