@openneuro/server 4.37.0 → 4.38.0-alpha.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openneuro/server",
-  "version": "4.37.0",
+  "version": "4.38.0-alpha.0",
   "description": "Core service for the OpenNeuro platform.",
   "license": "MIT",
   "main": "src/server.js",
@@ -21,7 +21,7 @@
     "@elastic/elasticsearch": "8.13.1",
     "@graphql-tools/schema": "^10.0.0",
     "@keyv/redis": "^4.5.0",
-    "@openneuro/search": "^4.37.0",
+    "@openneuro/search": "^4.38.0-alpha.0",
     "@sentry/node": "^8.25.0",
     "@sentry/profiling-node": "^8.25.0",
     "base64url": "^3.0.0",
@@ -88,5 +88,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "998a4fa9b988103cebd227483cede442d1b80962"
+  "gitHead": "96bbcd19e83fab719a0976be7747eeabc5036ff3"
 }

package/src/graphql/permissions.ts

@@ -138,13 +138,18 @@ export const checkDatasetWrite = async (
     // Quick path for anonymous writes
     throw new Error(state.errorMessage)
   }
-  if (userId && !(userInfo.email)) {
-    throw new Error("Connect an email to make contributions to OpenNeuro.")
-  }
   if (userId && userInfo.admin) {
     // Always allow site admins
     return true
   }
+  // Allow worker scoped tokens to make admin actions on specific datasets
+  if (userId && userInfo?.worker && datasetId === userInfo?.dataset) {
+    return true
+  }
+  if (userId && !(userInfo.email)) {
+    throw new Error("Connect an email to make contributions to OpenNeuro.")
+  }
+  // Finally check the permissions model if other checks have not returned
   const permission = await Permission.findOne({ datasetId, userId }).exec()
   if (checkPermissionLevel(permission, state)) {
     return true

package/src/graphql/resolvers/fileCheck.ts

@@ -0,0 +1,17 @@
+import FileCheck from "../../models/fileCheck"
+import { checkDatasetAdmin } from "../permissions"
+
+export const updateFileCheck = async (
+  obj,
+  { datasetId, hexsha, refs, remote, annexFsck },
+  { user, userInfo },
+) => {
+  await checkDatasetAdmin(datasetId, user, userInfo)
+  return await FileCheck.findOneAndUpdate(
+    { datasetId, hexsha },
+    { datasetId, hexsha, remote, refs, annexFsck },
+    { upsert: true, new: true },
+  )
+    .lean()
+    .exec()
+}

package/src/graphql/resolvers/mutation.ts

@@ -45,6 +45,7 @@ import {
 } from "./importRemoteDataset"
 import { saveAdminNote } from "./datasetEvents"
 import { createGitEvent } from "./gitEvents"
+import { updateFileCheck } from "./fileCheck"
 
 const Mutation = {
   createDataset,
@@ -93,6 +94,7 @@ const Mutation = {
   updateUser,
   saveAdminNote,
   createGitEvent,
+  updateFileCheck,
 }
 
 export default Mutation

package/src/graphql/schema.ts

@@ -205,6 +205,14 @@ export const typeDefs = `
     saveAdminNote(id: ID, datasetId: ID!, note: String!): DatasetEvent
     # Create a git event log for dataset changes
     createGitEvent(datasetId: ID!, commit: String!, reference: String!): DatasetEvent
+    # Create or update a fileCheck document
+    updateFileCheck(
+      datasetId: ID!
+      hexsha: String!
+      refs: [String!]!
+      annexFsck: [AnnexFsckInput!]!
+      remote: String
+    ): FileCheck
   }
 
   # Anonymous dataset reviewer
@@ -900,6 +908,33 @@ export const typeDefs = `
     # Notes associated with the event
     note: String
   }
+
+  type FileCheck {
+    datasetId: String!
+    hexsha: String!
+    refs: [String!]!
+    annexFsck: [AnnexFsck!]
+    remote: String
+  }
+
+  type AnnexFsck {
+    command: String
+    errorMessages: [String]
+    file: String
+    key: String
+    note: String
+    success: Boolean
+  }
+
+  input AnnexFsckInput {
+    command: String
+    errorMessages: [String]
+    file: String
+    key: String
+    note: String
+    success: Boolean
+  }
+
 `
 
 schemaComposer.addTypeDefs(typeDefs)

package/src/libs/authentication/passport.ts

@@ -120,6 +120,14 @@ export const setupPassportAuth = () => {
       (jwt, done) => {
         if (jwt.scopes?.includes("dataset:indexing")) {
           done(null, { admin: false, blocked: false, indexer: true })
+        } else if (jwt.scopes?.includes("dataset:worker")) {
+          done(null, {
+            id: jwt.sub,
+            admin: false,
+            blocked: false,
+            worker: true,
+            dataset: jwt.dataset,
+          })
         } else if (jwt.scopes?.includes("dataset:reviewer")) {
           done(null, {
             admin: false,

package/src/models/fileCheck.ts

@@ -0,0 +1,37 @@
+import mongoose from "mongoose"
+import type { Document } from "mongoose"
+const { Schema, model } = mongoose
+
+export interface FileCheckDocument extends Document {
+  datasetId: string
+  hexsha: string
+  refs: string[]
+  remote: string
+  annexFsck: {
+    command: string
+    "error-messages": string[]
+    file: string
+    key: string
+    note: string
+    success: boolean
+  }[]
+}
+
+const fileCheckSchema = new Schema({
+  datasetId: { type: String, required: true },
+  hexsha: { type: String, required: true },
+  refs: { type: [String], required: true },
+  remote: { type: String, default: "local", required: true },
+  annexFsck: [{
+    command: String,
+    "error-messages": [String],
+    file: String,
+    key: String,
+    note: String,
+    success: Boolean,
+  }],
+})
+
+const FileCheck = model<FileCheckDocument>("FileCheck", fileCheckSchema)
+
+export default FileCheck