@paroicms/server 1.109.6 → 1.110.1
- package/ddl/main.ddl.sql +51 -10
- package/dist/admin-backend/account/account-role.queries.d.ts +3 -0
- package/dist/admin-backend/account/account-role.queries.js +18 -0
- package/dist/admin-backend/account/account-role.queries.js.map +1 -0
- package/dist/admin-backend/account/account-role.resolver.d.ts +3 -0
- package/dist/admin-backend/account/account-role.resolver.js +49 -0
- package/dist/admin-backend/account/account-role.resolver.js.map +1 -0
- package/dist/admin-backend/account/account.queries.d.ts +11 -2
- package/dist/admin-backend/account/account.queries.js +114 -25
- package/dist/admin-backend/account/account.queries.js.map +1 -1
- package/dist/admin-backend/account/account.resolver.js +126 -10
- package/dist/admin-backend/account/account.resolver.js.map +1 -1
- package/dist/admin-backend/account/author-account.queries.d.ts +12 -0
- package/dist/admin-backend/account/author-account.queries.js +110 -0
- package/dist/admin-backend/account/author-account.queries.js.map +1 -0
- package/dist/admin-backend/account/author-account.resolver.d.ts +3 -0
- package/dist/admin-backend/account/author-account.resolver.js +39 -0
- package/dist/admin-backend/account/author-account.resolver.js.map +1 -0
- package/dist/admin-backend/auth/auth.helper.d.ts +2 -0
- package/dist/admin-backend/auth/auth.helper.js +10 -2
- package/dist/admin-backend/auth/auth.helper.js.map +1 -1
- package/dist/admin-backend/auth/auth.service.d.ts +1 -1
- package/dist/admin-backend/auth/auth.service.js +145 -65
- package/dist/admin-backend/auth/auth.service.js.map +1 -1
- package/dist/admin-backend/auth/auth.types.d.ts +3 -1
- package/dist/admin-backend/auth/authorization.helper.d.ts +11 -0
- package/dist/admin-backend/auth/authorization.helper.js +37 -0
- package/dist/admin-backend/auth/authorization.helper.js.map +1 -0
- package/dist/admin-backend/auth/special-account.helper.d.ts +10 -0
- package/dist/admin-backend/auth/special-account.helper.js +38 -0
- package/dist/admin-backend/auth/special-account.helper.js.map +1 -0
- package/dist/admin-backend/backup/backup.resolver.js +2 -2
- package/dist/admin-backend/backup/backup.resolver.js.map +1 -1
- package/dist/admin-backend/document/document.resolver.extend.js +1 -3
- package/dist/admin-backend/document/document.resolver.extend.js.map +1 -1
- package/dist/admin-backend/document/document.resolver.js +95 -13
- package/dist/admin-backend/document/document.resolver.js.map +1 -1
- package/dist/admin-backend/event-log/event-log.queries.d.ts +24 -0
- package/dist/admin-backend/event-log/event-log.queries.js +84 -0
- package/dist/admin-backend/event-log/event-log.queries.js.map +1 -0
- package/dist/admin-backend/event-log/event-log.resolver.d.ts +3 -0
- package/dist/admin-backend/event-log/event-log.resolver.js +21 -0
- package/dist/admin-backend/event-log/event-log.resolver.js.map +1 -0
- package/dist/admin-backend/event-log/event-log.service.d.ts +11 -0
- package/dist/admin-backend/event-log/event-log.service.js +290 -0
- package/dist/admin-backend/event-log/event-log.service.js.map +1 -0
- package/dist/admin-backend/event-log/event-log.types.d.ts +142 -0
- package/dist/admin-backend/event-log/event-log.types.js +2 -0
- package/dist/admin-backend/event-log/event-log.types.js.map +1 -0
- package/dist/admin-backend/fields/fields.resolver.js +3 -2
- package/dist/admin-backend/fields/fields.resolver.js.map +1 -1
- package/dist/admin-backend/lnode/lnode-wrap.resolver.js +6 -6
- package/dist/admin-backend/lnode/lnode-wrap.resolver.js.map +1 -1
- package/dist/admin-backend/login/login.controller.js +32 -3
- package/dist/admin-backend/login/login.controller.js.map +1 -1
- package/dist/admin-backend/media/media-upload.controller.js +15 -0
- package/dist/admin-backend/media/media-upload.controller.js.map +1 -1
- package/dist/admin-backend/media/media.resolver.extend.js +1 -3
- package/dist/admin-backend/media/media.resolver.extend.js.map +1 -1
- package/dist/admin-backend/media/media.resolver.js +70 -11
- package/dist/admin-backend/media/media.resolver.js.map +1 -1
- package/dist/admin-backend/migration/migration.resolver.js +3 -3
- package/dist/admin-backend/migration/migration.resolver.js.map +1 -1
- package/dist/admin-backend/node/node.resolver.extend.js +1 -3
- package/dist/admin-backend/node/node.resolver.extend.js.map +1 -1
- package/dist/admin-backend/node/node.resolver.js +6 -5
- package/dist/admin-backend/node/node.resolver.js.map +1 -1
- package/dist/admin-backend/part/part.resolver.extend.js +2 -5
- package/dist/admin-backend/part/part.resolver.extend.js.map +1 -1
- package/dist/admin-backend/part/part.resolver.js +56 -10
- package/dist/admin-backend/part/part.resolver.js.map +1 -1
- package/dist/admin-backend/routing-cluster/routing-cluster.resolver.js +7 -7
- package/dist/admin-backend/routing-cluster/routing-cluster.resolver.js.map +1 -1
- package/dist/common/data-format.d.ts +5 -1
- package/dist/common/data-format.js +3 -1
- package/dist/common/data-format.js.map +1 -1
- package/dist/connector/app-conf/app-conf-formatter.js +4 -1
- package/dist/connector/app-conf/app-conf-formatter.js.map +1 -1
- package/dist/connector/app-conf/app-conf.types.d.ts +3 -3
- package/dist/connector/db-init/db-constants.d.ts +1 -1
- package/dist/connector/db-init/db-constants.js +1 -1
- package/dist/connector/db-init/ddl-migration.js +60 -0
- package/dist/connector/db-init/ddl-migration.js.map +1 -1
- package/dist/connector/row-types.d.ts +5 -3
- package/dist/connector/site-schema/site-schema-factory.js +76 -0
- package/dist/connector/site-schema/site-schema-factory.js.map +1 -1
- package/dist/graphql/apollo-server-init.js +6 -0
- package/dist/graphql/apollo-server-init.js.map +1 -1
- package/dist/maintenance/maintenance-task.d.ts +1 -1
- package/dist/maintenance/maintenance-task.js +5 -0
- package/dist/maintenance/maintenance-task.js.map +1 -1
- package/dist/protected-site/protected-access-token.d.ts +3 -3
- package/dist/protected-site/protected-access-token.js +3 -3
- package/dist/protected-site/protected-access-token.js.map +1 -1
- package/dist/protected-site/protected-site.req-handler.js +4 -4
- package/dist/protected-site/protected-site.req-handler.js.map +1 -1
- package/dist/public-api/password-reset/password-reset.service.js +9 -6
- package/dist/public-api/password-reset/password-reset.service.js.map +1 -1
- package/dist/rendered-site/feed/feed-generator.js +2 -2
- package/dist/rendered-site/feed/feed-generator.js.map +1 -1
- package/dist/site-context/load-site-context.js +1 -3
- package/dist/site-context/load-site-context.js.map +1 -1
- package/dist/tsconfig.tsbuildinfo +1 -1
- package/package.json +28 -28
- package/schema.graphql +43 -0
- package/dist/helpers/special-account.helpers.d.ts +0 -9
- package/dist/helpers/special-account.helpers.js +0 -36
- package/dist/helpers/special-account.helpers.js.map +0 -1
|
@@ -1,39 +1,56 @@
|
|
|
1
|
+
import { messageOf } from "@paroicms/public-anywhere-lib";
|
|
1
2
|
import { ApiError } from "@paroicms/public-server-lib";
|
|
2
|
-
import { type } from "arktype";
|
|
3
3
|
import { AccountPreferencesAT } from "../../common/data-format.js";
|
|
4
4
|
import { appConf } from "../../context.js";
|
|
5
5
|
import { comparePassword } from "../../helpers/passwordEncrypt-helper.js";
|
|
6
|
-
import {
|
|
7
|
-
import {
|
|
8
|
-
import {
|
|
6
|
+
import { generateAdminUiToken } from "../../protected-site/protected-access-token.js";
|
|
7
|
+
import { findAccountByEmail, findAccountByIdAndEmail, insertSpecialAccount, updateAccountActive, updateAccountLoginMethod, } from "../account/account.queries.js";
|
|
8
|
+
import { recordEvent } from "../event-log/event-log.service.js";
|
|
9
9
|
import { generateAccessToken, verifyAccessToken, verifyPlatformToken, } from "./auth.helper.js";
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
email: "string",
|
|
13
|
-
"+": "reject",
|
|
14
|
-
});
|
|
15
|
-
export async function loginUser(siteContext, options) {
|
|
10
|
+
import { isSpecialAccountEmail } from "./special-account.helper.js";
|
|
11
|
+
export async function loginLocalUser(siteContext, options) {
|
|
16
12
|
const { user, defaultLanguage } = options;
|
|
13
|
+
const normalizedEmail = user.email.trim().toLowerCase();
|
|
14
|
+
const isLocalDevAccount = appConf.localDevAccount?.email === normalizedEmail;
|
|
17
15
|
let account;
|
|
18
|
-
if (
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
16
|
+
if (isLocalDevAccount) {
|
|
17
|
+
if (appConf.localDevAccount?.password !== user.password) {
|
|
18
|
+
return { message: "Unauthorized", statusCode: 401 };
|
|
19
|
+
}
|
|
20
|
+
account = await findAccountByEmail(siteContext, normalizedEmail);
|
|
21
|
+
if (!account) {
|
|
22
|
+
account = await createLocalDevAccountInDatabase(siteContext, normalizedEmail);
|
|
23
|
+
}
|
|
24
|
+
if (account.loginMethod !== "localDev") {
|
|
25
|
+
return { message: "Login method mismatch", statusCode: 401 };
|
|
26
|
+
}
|
|
23
27
|
}
|
|
24
28
|
else {
|
|
25
|
-
|
|
29
|
+
const localAccount = await findAccountByEmail(siteContext, normalizedEmail);
|
|
30
|
+
if (localAccount?.loginMethod === "localDev" && !isSpecialAccountEmail(localAccount.email)) {
|
|
31
|
+
return await deactivateLegacySpecialAccount(siteContext, localAccount);
|
|
32
|
+
}
|
|
33
|
+
if (localAccount?.passwordHash) {
|
|
34
|
+
if (!(await comparePassword(user.password, localAccount.passwordHash))) {
|
|
35
|
+
return { message: "Unauthorized", statusCode: 401 };
|
|
36
|
+
}
|
|
37
|
+
account = localAccount;
|
|
38
|
+
}
|
|
26
39
|
}
|
|
27
40
|
if (!account) {
|
|
28
|
-
return {
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
};
|
|
41
|
+
return { message: "Unauthorized", statusCode: 401 };
|
|
42
|
+
}
|
|
43
|
+
if (!account.active) {
|
|
44
|
+
return { message: "Account is not active", statusCode: 401 };
|
|
45
|
+
}
|
|
46
|
+
const loginMethod = isLocalDevAccount ? "localDev" : "local";
|
|
47
|
+
if (account.loginMethod === undefined) {
|
|
48
|
+
await updateAccountLoginMethod(siteContext, account.id, loginMethod);
|
|
32
49
|
}
|
|
33
50
|
const parsedPreferences = account.preferences
|
|
34
51
|
? AccountPreferencesAT.assert(JSON.parse(account.preferences))
|
|
35
52
|
: undefined;
|
|
36
|
-
const
|
|
53
|
+
const adminUiToken = await generateAdminUiToken();
|
|
37
54
|
return {
|
|
38
55
|
id: account.id,
|
|
39
56
|
email: account.email,
|
|
@@ -43,8 +60,10 @@ export async function loginUser(siteContext, options) {
|
|
|
43
60
|
email: account.email,
|
|
44
61
|
id: account.id,
|
|
45
62
|
fqdn: siteContext.fqdn,
|
|
63
|
+
loginMethod,
|
|
46
64
|
}),
|
|
47
|
-
|
|
65
|
+
adminUiToken,
|
|
66
|
+
loginMethod,
|
|
48
67
|
};
|
|
49
68
|
}
|
|
50
69
|
export async function getVerifiedAccountFromToken(siteContext, options) {
|
|
@@ -55,34 +74,30 @@ export async function getVerifiedAccountFromToken(siteContext, options) {
|
|
|
55
74
|
if (payload.fqdn !== siteContext.fqdn) {
|
|
56
75
|
throw new ApiError("Not the right token", 403);
|
|
57
76
|
}
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
account = getPlatformAdminAccount(parsedPlatformAccountId);
|
|
65
|
-
}
|
|
66
|
-
else {
|
|
67
|
-
const validated = JwtPayloadAT.assert(payload);
|
|
68
|
-
account = await findAccountByIdAndEmail(siteContext, validated);
|
|
77
|
+
const account = await findAccountByIdAndEmail(siteContext, {
|
|
78
|
+
id: payload.id,
|
|
79
|
+
email: payload.email,
|
|
80
|
+
});
|
|
81
|
+
if (account.loginMethod !== payload.loginMethod) {
|
|
82
|
+
throw new ApiError("Login method mismatch", 403);
|
|
69
83
|
}
|
|
70
84
|
const parsedPreferences = account.preferences
|
|
71
85
|
? AccountPreferencesAT.assert(JSON.parse(account.preferences))
|
|
72
86
|
: undefined;
|
|
73
|
-
const
|
|
87
|
+
const adminUiToken = await generateAdminUiToken();
|
|
74
88
|
return {
|
|
75
89
|
email: account.email,
|
|
76
90
|
id: account.id,
|
|
77
91
|
language: parsedPreferences?.language ?? defaultLanguage,
|
|
78
92
|
name: account.name,
|
|
79
93
|
token,
|
|
80
|
-
|
|
94
|
+
adminUiToken,
|
|
95
|
+
loginMethod: payload.loginMethod,
|
|
81
96
|
};
|
|
82
97
|
}
|
|
83
|
-
catch {
|
|
98
|
+
catch (error) {
|
|
84
99
|
if (payload) {
|
|
85
|
-
siteContext.logger.warn(`Invalid token: ${JSON.stringify(payload)}
|
|
100
|
+
siteContext.logger.warn(`Invalid token: ${JSON.stringify(payload)}:`, messageOf(error));
|
|
86
101
|
}
|
|
87
102
|
return {
|
|
88
103
|
statusCode: 401,
|
|
@@ -94,33 +109,52 @@ export async function loginByPlatformToken(siteContext, options) {
|
|
|
94
109
|
try {
|
|
95
110
|
const { token, defaultLanguage } = options;
|
|
96
111
|
const payload = verifyPlatformToken(token);
|
|
112
|
+
const normalizedEmail = payload.email.trim().toLowerCase();
|
|
113
|
+
const platAdmAccountIndex = (appConf.platformAdminAccounts ?? []).findIndex((acc) => acc.email.trim().toLowerCase() === normalizedEmail);
|
|
114
|
+
const isPlatformAdmin = platAdmAccountIndex !== -1;
|
|
97
115
|
let account;
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
account
|
|
116
|
+
if (isPlatformAdmin) {
|
|
117
|
+
account = await findAccountByEmail(siteContext, normalizedEmail);
|
|
118
|
+
if (!account) {
|
|
119
|
+
account = await createPlatformAdminAccountInDatabase(siteContext, normalizedEmail, platAdmAccountIndex);
|
|
120
|
+
}
|
|
121
|
+
if (account.loginMethod !== "platformAdmin") {
|
|
122
|
+
return { message: "Login method mismatch", statusCode: 401 };
|
|
123
|
+
}
|
|
101
124
|
}
|
|
102
125
|
else {
|
|
103
|
-
|
|
104
|
-
if (!
|
|
126
|
+
account = await findAccountByEmail(siteContext, normalizedEmail);
|
|
127
|
+
if (!account) {
|
|
105
128
|
throw new ApiError("Account not found", 404);
|
|
106
129
|
}
|
|
107
|
-
account
|
|
130
|
+
if (account.loginMethod === "platformAdmin" && !isSpecialAccountEmail(account.email)) {
|
|
131
|
+
return await deactivateLegacySpecialAccount(siteContext, account);
|
|
132
|
+
}
|
|
133
|
+
}
|
|
134
|
+
if (!account.active) {
|
|
135
|
+
return { message: "Account is not active", statusCode: 401 };
|
|
136
|
+
}
|
|
137
|
+
const loginMethod = isPlatformAdmin ? "platformAdmin" : "platform";
|
|
138
|
+
if (account.loginMethod === undefined) {
|
|
139
|
+
await updateAccountLoginMethod(siteContext, account.id, loginMethod);
|
|
108
140
|
}
|
|
109
141
|
const parsedPreferences = account.preferences
|
|
110
142
|
? AccountPreferencesAT.assert(JSON.parse(account.preferences))
|
|
111
143
|
: undefined;
|
|
112
|
-
const
|
|
144
|
+
const adminUiToken = await generateAdminUiToken();
|
|
113
145
|
return {
|
|
114
146
|
id: account.id,
|
|
115
|
-
email:
|
|
147
|
+
email: normalizedEmail,
|
|
116
148
|
language: parsedPreferences?.language ?? defaultLanguage,
|
|
117
149
|
name: account.name,
|
|
118
150
|
token: generateAccessToken({
|
|
119
|
-
email:
|
|
151
|
+
email: normalizedEmail,
|
|
120
152
|
id: account.id,
|
|
121
153
|
fqdn: siteContext.fqdn,
|
|
154
|
+
loginMethod,
|
|
122
155
|
}),
|
|
123
|
-
|
|
156
|
+
adminUiToken,
|
|
157
|
+
loginMethod,
|
|
124
158
|
};
|
|
125
159
|
}
|
|
126
160
|
catch (error) {
|
|
@@ -131,24 +165,70 @@ export async function loginByPlatformToken(siteContext, options) {
|
|
|
131
165
|
};
|
|
132
166
|
}
|
|
133
167
|
}
|
|
134
|
-
async function
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
|
|
168
|
+
async function deactivateLegacySpecialAccount(siteContext, account) {
|
|
169
|
+
await updateAccountActive(siteContext, account.id, false);
|
|
170
|
+
recordEvent(siteContext, {
|
|
171
|
+
eventType: "account.deactivated",
|
|
172
|
+
actorId: account.id,
|
|
173
|
+
targetType: "account",
|
|
174
|
+
targetId: account.id,
|
|
175
|
+
eventData: {
|
|
176
|
+
accountId: account.id,
|
|
177
|
+
email: account.email,
|
|
178
|
+
reason: "This email is not a special account",
|
|
179
|
+
},
|
|
180
|
+
});
|
|
181
|
+
return { message: "Account deactivated", statusCode: 401 };
|
|
144
182
|
}
|
|
145
|
-
function
|
|
146
|
-
if (
|
|
147
|
-
|
|
148
|
-
const
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
};
|
|
183
|
+
async function createLocalDevAccountInDatabase(siteContext, email) {
|
|
184
|
+
if (!appConf.localDevAccount)
|
|
185
|
+
throw new ApiError("Local dev account not configured", 500);
|
|
186
|
+
const accountId = await insertSpecialAccount(siteContext, {
|
|
187
|
+
email: appConf.localDevAccount.email,
|
|
188
|
+
name: appConf.localDevAccount.name,
|
|
189
|
+
loginMethod: "localDev",
|
|
190
|
+
});
|
|
191
|
+
siteContext.logger.info(`Local dev account created: ${email}`);
|
|
192
|
+
recordEvent(siteContext, {
|
|
193
|
+
eventType: "account.create",
|
|
194
|
+
actorId: accountId,
|
|
195
|
+
targetType: "account",
|
|
196
|
+
targetId: accountId,
|
|
197
|
+
eventData: {
|
|
198
|
+
accountId,
|
|
199
|
+
email: appConf.localDevAccount.email,
|
|
200
|
+
name: appConf.localDevAccount.name,
|
|
201
|
+
},
|
|
202
|
+
});
|
|
203
|
+
const account = await findAccountByIdAndEmail(siteContext, { id: accountId, email });
|
|
204
|
+
if (!account)
|
|
205
|
+
throw new ApiError("Failed to create special account", 500);
|
|
206
|
+
return account;
|
|
207
|
+
}
|
|
208
|
+
async function createPlatformAdminAccountInDatabase(siteContext, email, accountIndex) {
|
|
209
|
+
const platformAdminAccounts = appConf.platformAdminAccounts;
|
|
210
|
+
if (!platformAdminAccounts)
|
|
211
|
+
throw new ApiError("Platform admin accounts not configured", 500);
|
|
212
|
+
const accountId = await insertSpecialAccount(siteContext, {
|
|
213
|
+
email,
|
|
214
|
+
name: platformAdminAccounts[accountIndex].name,
|
|
215
|
+
loginMethod: "platformAdmin",
|
|
216
|
+
});
|
|
217
|
+
siteContext.logger.info(`Platform admin account created: ${email}`);
|
|
218
|
+
recordEvent(siteContext, {
|
|
219
|
+
eventType: "account.create",
|
|
220
|
+
actorId: accountId,
|
|
221
|
+
targetType: "account",
|
|
222
|
+
targetId: accountId,
|
|
223
|
+
eventData: {
|
|
224
|
+
accountId,
|
|
225
|
+
email,
|
|
226
|
+
name: platformAdminAccounts[accountIndex].name,
|
|
227
|
+
},
|
|
228
|
+
});
|
|
229
|
+
const account = await findAccountByIdAndEmail(siteContext, { id: accountId, email });
|
|
230
|
+
if (!account)
|
|
231
|
+
throw new ApiError("Failed to create special account", 500);
|
|
232
|
+
return account;
|
|
153
233
|
}
|
|
154
234
|
//# sourceMappingURL=auth.service.js.map
|
|
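Review bot: In `loginLocalUser`, the `else` branch calls `deactivateLegacySpecialAccount` before `comparePassword` runs, so an unauthenticated request that only supplies the email of a legacy `localDev` account flips it to inactive via `updateAccountActive` and records an `account.deactivated` event whose `actorId` is the affected account itself rather than whoever triggered it. Consider doing that cleanup only after the credential check (or from a maintenance task) and attributing the event to the system, with whatever identifier `recordEvent` uses for that — it is not visible here. In `getVerifiedAccountFromToken`, `account.loginMethod` is dereferenced without a null check although `createLocalDevAccountInDatabase` treats a falsy result from `findAccountByIdAndEmail` as possible; an explicit `if (!account) throw new ApiError("Account not found", 401);` keeps that path intentional instead of relying on the `TypeError` being caught and logged as an invalid token. The local-dev check `appConf.localDevAccount?.password !== user.password` compares a plaintext configured secret with `!==`; if this branch can be reached outside a development setup, a length-checked `crypto.timingSafeEqual` would be the safer comparison. `createLocalDevAccountInDatabase` also inserts `appConf.localDevAccount.email` but looks the row back up with the normalized `email` parameter, unlike `createPlatformAdminAccountInDatabase`, which uses `email` for both; using the parameter in both places removes the dependence on the configured value already being trimmed and lower-cased.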
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.service.js","sourceRoot":"","sources":["../../../src/admin-backend/auth/auth.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"auth.service.js","sourceRoot":"","sources":["../../../src/admin-backend/auth/auth.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,+BAA+B,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,6BAA6B,CAAC;AACvD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AAEnE,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,MAAM,yCAAyC,CAAC;AAC1E,OAAO,EAAE,oBAAoB,EAAE,MAAM,gDAAgD,CAAC;AAEtF,OAAO,EACL,kBAAkB,EAClB,uBAAuB,EACvB,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,GACzB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,MAAM,mCAAmC,CAAC;AAKhE,OAAO,EAEL,mBAAmB,EACnB,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AAEpE,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,WAAwD,EACxD,OAGC;IAED,MAAM,EAAE,IAAI,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC;IAE1C,MAAM,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACxD,MAAM,iBAAiB,GAAG,OAAO,CAAC,eAAe,EAAE,KAAK,KAAK,eAAe,CAAC;IAC7E,IAAI,OAA+B,CAAC;IAEpC,IAAI,iBAAiB,EAAE,CAAC;QACtB,IAAI,OAAO,CAAC,eAAe,EAAE,QAAQ,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxD,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;QACtD,CAAC;QAED,OAAO,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;QAEjE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,GAAG,MAAM,+BAA+B,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;QAChF,CAAC;QAED,IAAI,OAAO,CAAC,WAAW,KAAK,UAAU,EAAE,CAAC;YACvC,OAAO,EAAE,OAAO,EAAE,uBAAuB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;QAC/D,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,YAAY,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;QAE5E,IAAI,YAAY,EAAE,WAAW,KAAK,UAAU,IAAI,CAAC,qBAAqB,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3F,OAAO,MAAM,8BAA8B,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;QACzE,CAAC;QAED,IAAI,YAAY,EAAE,YAAY,EAAE,CAAC;YAC/B,IAAI,CAAC,CAAC,MAAM,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;gBACvE,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;YACtD,CAAC;YAED,OAAO,GAAG,YAAY,CAAC;QACzB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;IACtD,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;QACpB,OAAO,EAAE,OAAO,
EAAE,uBAAuB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;IAC/D,CAAC;IAED,MAAM,WAAW,GAAG,iBAAiB,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC;IAC7D,IAAI,OAAO,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;QACtC,MAAM,wBAAwB,CAAC,WAAW,EAAE,OAAO,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW;QAC3C,CAAC,CAAC,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC;IAEd,MAAM,YAAY,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAElD,OAAO;QACL,EAAE,EAAE,OAAO,CAAC,EAAE;QACd,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,QAAQ,EAAE,iBAAiB,EAAE,QAAQ,IAAI,eAAe;QACxD,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,KAAK,EAAE,mBAAmB,CAAC;YACzB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,EAAE,EAAE,OAAO,CAAC,EAAE;YACd,IAAI,EAAE,WAAW,CAAC,IAAI;YACtB,WAAW;SACZ,CAAC;QACF,YAAY;QACZ,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,WAAwD,EACxD,OAGC;IAED,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC;IAC3C,IAAI,OAAuC,CAAC;IAE5C,IAAI,CAAC;QACH,OAAO,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACnC,IAAI,OAAO,CAAC,IAAI,KAAK,WAAW,CAAC,IAAI,EAAE,CAAC;YACtC,MAAM,IAAI,QAAQ,CAAC,qBAAqB,EAAE,GAAG,CAAC,CAAC;QACjD,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,uBAAuB,CAAC,WAAW,EAAE;YACzD,EAAE,EAAE,OAAO,CAAC,EAAE;YACd,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,WAAW,KAAK,OAAO,CAAC,WAAW,EAAE,CAAC;YAChD,MAAM,IAAI,QAAQ,CAAC,uBAAuB,EAAE,GAAG,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW;YAC3C,CAAC,CAAC,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAC9D,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,YAAY,GAAG,MAAM,oBAAoB,EAAE,CAAC;QAElD,OAAO;YACL,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,EAAE,EAAE,OAAO,CAAC,EAAE;YACd,QAAQ,EAAE,iBAAiB,EAAE,QAAQ,IAAI,eAAe;YACxD,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,KAAK;YACL,YAAY;YACZ,WAAW,EAAE,OAAO,CAAC,WAAW;SACjC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,OAAO,EAAE,CAAC;YACZ,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1F,CAAC;QACD,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,cAAc;SACxB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAA
oB,CACxC,WAAwD,EACxD,OAGC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC;QAC3C,MAAM,OAAO,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAE3C,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAE3D,MAAM,mBAAmB,GAAG,CAAC,OAAO,CAAC,qBAAqB,IAAI,EAAE,CAAC,CAAC,SAAS,CACzE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,eAAe,CAC5D,CAAC;QACF,MAAM,eAAe,GAAG,mBAAmB,KAAK,CAAC,CAAC,CAAC;QAEnD,IAAI,OAA+B,CAAC;QAEpC,IAAI,eAAe,EAAE,CAAC;YACpB,OAAO,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;YAEjE,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,MAAM,oCAAoC,CAClD,WAAW,EACX,eAAe,EACf,mBAAmB,CACpB,CAAC;YACJ,CAAC;YAED,IAAI,OAAO,CAAC,WAAW,KAAK,eAAe,EAAE,CAAC;gBAC5C,OAAO,EAAE,OAAO,EAAE,uBAAuB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;YAC/D,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;YAEjE,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,QAAQ,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC;YAC/C,CAAC;YAED,IAAI,OAAO,CAAC,WAAW,KAAK,eAAe,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACrF,OAAO,MAAM,8BAA8B,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACpB,OAAO,EAAE,OAAO,EAAE,uBAAuB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;QAC/D,CAAC;QAED,MAAM,WAAW,GAAG,eAAe,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,UAAU,CAAC;QACnE,IAAI,OAAO,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YACtC,MAAM,wBAAwB,CAAC,WAAW,EAAE,OAAO,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;QACvE,CAAC;QAED,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW;YAC3C,CAAC,CAAC,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAC9D,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,YAAY,GAAG,MAAM,oBAAoB,EAAE,CAAC;QAElD,OAAO;YACL,EAAE,EAAE,OAAO,CAAC,EAAE;YACd,KAAK,EAAE,eAAe;YACtB,QAAQ,EAAE,iBAAiB,EAAE,QAAQ,IAAI,eAAe;YACxD,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,KAAK,EAAE,mBAAmB,CAAC;gBACzB,KAAK,EAAE,eAAe;gBACtB,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,IAAI,EAAE,WAAW,CAAC,IAAI;gBACtB,WAAW;aACZ,CAAC;YACF,YAAY;YACZ,WAAW;SACZ,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO;YACL,UAAU,
EAAE,GAAG;YACf,OAAO,EAAE,iBAAiB;SAC3B,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,8BAA8B,CAC3C,WAA+C,EAC/C,OAAmB;IAEnB,MAAM,mBAAmB,CAAC,WAAW,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IAE1D,WAAW,CAAC,WAAW,EAAE;QACvB,SAAS,EAAE,qBAAqB;QAChC,OAAO,EAAE,OAAO,CAAC,EAAE;QACnB,UAAU,EAAE,SAAS;QACrB,QAAQ,EAAE,OAAO,CAAC,EAAE;QACpB,SAAS,EAAE;YACT,SAAS,EAAE,OAAO,CAAC,EAAE;YACrB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,MAAM,EAAE,qCAAqC;SACR;KACxC,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,qBAAqB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;AAC7D,CAAC;AAED,KAAK,UAAU,+BAA+B,CAC5C,WAA+C,EAC/C,KAAa;IAEb,IAAI,CAAC,OAAO,CAAC,eAAe;QAAE,MAAM,IAAI,QAAQ,CAAC,kCAAkC,EAAE,GAAG,CAAC,CAAC;IAE1F,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,WAAW,EAAE;QACxD,KAAK,EAAE,OAAO,CAAC,eAAe,CAAC,KAAK;QACpC,IAAI,EAAE,OAAO,CAAC,eAAe,CAAC,IAAI;QAClC,WAAW,EAAE,UAAU;KACxB,CAAC,CAAC;IAEH,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,8BAA8B,KAAK,EAAE,CAAC,CAAC;IAE/D,WAAW,CAAC,WAAW,EAAE;QACvB,SAAS,EAAE,gBAAgB;QAC3B,OAAO,EAAE,SAAS;QAClB,UAAU,EAAE,SAAS;QACrB,QAAQ,EAAE,SAAS;QACnB,SAAS,EAAE;YACT,SAAS;YACT,KAAK,EAAE,OAAO,CAAC,eAAe,CAAC,KAAK;YACpC,IAAI,EAAE,OAAO,CAAC,eAAe,CAAC,IAAI;SACD;KACpC,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,MAAM,uBAAuB,CAAC,WAAW,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;IACrF,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,QAAQ,CAAC,kCAAkC,EAAE,GAAG,CAAC,CAAC;IAC1E,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,oCAAoC,CACjD,WAA+C,EAC/C,KAAa,EACb,YAAoB;IAEpB,MAAM,qBAAqB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAC5D,IAAI,CAAC,qBAAqB;QAAE,MAAM,IAAI,QAAQ,CAAC,wCAAwC,EAAE,GAAG,CAAC,CAAC;IAE9F,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,WAAW,EAAE;QACxD,KAAK;QACL,IAAI,EAAE,qBAAqB,CAAC,YAAY,CAAC,CAAC,IAAI;QAC9C,WAAW,EAAE,eAAe;KAC7B,CAAC,CAAC;IAEH,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,mCAAmC,KAAK,EAAE,CAAC,CAAC;IAEpE,WAAW,CAAC,WAAW,EAAE;QACvB,SAAS,EAAE,gBAAgB;QAC3B,OAAO,EAAE,SAAS;QAClB,UAAU,EAAE,SAAS;QACrB,QAAQ,EAAE,SAAS;QACnB,SAAS,EAAE;YACT,SAAS;YACT,KAAK;YACL,IAAI,EAAE,qBAAqB,CAAC,YAAY,CAAC,CAAC,IAAI;SACb;KACpC,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,MAAM,uBAAuB,CAAC,WAAW,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;IACrF,IAAI,CAAC
,OAAO;QAAE,MAAM,IAAI,QAAQ,CAAC,kCAAkC,EAAE,GAAG,CAAC,CAAC;IAC1E,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import type { LoginMethod } from "@paroicms/public-anywhere-lib";
|
|
1
2
|
export type LoginAction = SignInLoginAction | VerifyLoginAction;
|
|
2
3
|
export interface SignInLoginAction {
|
|
3
4
|
action: "signIn";
|
|
@@ -20,7 +21,8 @@ export interface LoginSuccess extends OAuthSuccess {
|
|
|
20
21
|
name?: string;
|
|
21
22
|
language: string;
|
|
22
23
|
token: string;
|
|
23
|
-
|
|
24
|
+
adminUiToken?: string;
|
|
25
|
+
loginMethod: LoginMethod;
|
|
24
26
|
}
|
|
25
27
|
export interface LoginFailed {
|
|
26
28
|
statusCode: 401;
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
import { type PaHttpContext } from "@paroicms/public-server-lib";
|
|
2
|
+
import type { MigrationSiteContext, SiteContext } from "../../site-context/site-context.types.js";
|
|
3
|
+
import { type BearerTokenPayload } from "./auth.helper.js";
|
|
4
|
+
export declare const ADMIN_PERMISSIONS: readonly ["document.edit", "site.editProperties", "site.manageUsers", "site.backup", "site.eventLog", "maintenance"];
|
|
5
|
+
export declare const EDITOR_PERMISSIONS: readonly ["document.edit"];
|
|
6
|
+
export interface AuthorizedAccount extends BearerTokenPayload {
|
|
7
|
+
accountId: string;
|
|
8
|
+
roles: string[];
|
|
9
|
+
permissions: string[];
|
|
10
|
+
}
|
|
11
|
+
export declare function permissionGuard(siteContext: SiteContext | MigrationSiteContext, httpContext: PaHttpContext, requiredPermission: string): Promise<AuthorizedAccount>;
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
import { ApiError } from "@paroicms/public-server-lib";
|
|
2
|
+
import { authGuard } from "./auth.helper.js";
|
|
3
|
+
import { loadAccountRoles } from "./special-account.helper.js";
|
|
4
|
+
export const ADMIN_PERMISSIONS = [
|
|
5
|
+
"document.edit",
|
|
6
|
+
"site.editProperties",
|
|
7
|
+
"site.manageUsers",
|
|
8
|
+
"site.backup",
|
|
9
|
+
"site.eventLog",
|
|
10
|
+
"maintenance",
|
|
11
|
+
];
|
|
12
|
+
export const EDITOR_PERMISSIONS = ["document.edit"];
|
|
13
|
+
function getRolePermissions(role) {
|
|
14
|
+
switch (role) {
|
|
15
|
+
case "admin":
|
|
16
|
+
return ADMIN_PERMISSIONS;
|
|
17
|
+
case "editor":
|
|
18
|
+
return EDITOR_PERMISSIONS;
|
|
19
|
+
default:
|
|
20
|
+
return [];
|
|
21
|
+
}
|
|
22
|
+
}
|
|
23
|
+
export async function permissionGuard(siteContext, httpContext, requiredPermission) {
|
|
24
|
+
const payload = authGuard(httpContext);
|
|
25
|
+
const roles = await loadAccountRoles(siteContext, payload);
|
|
26
|
+
const permissions = [...new Set(roles.flatMap((role) => getRolePermissions(role)))];
|
|
27
|
+
if (!permissions.includes(requiredPermission)) {
|
|
28
|
+
throw new ApiError("Forbidden: insufficient permissions", 403);
|
|
29
|
+
}
|
|
30
|
+
return {
|
|
31
|
+
accountId: payload.id,
|
|
32
|
+
roles,
|
|
33
|
+
permissions,
|
|
34
|
+
...payload,
|
|
35
|
+
};
|
|
36
|
+
}
|
|
37
|
+
//# sourceMappingURL=authorization.helper.js.map
|
|
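Review bot: `permissionGuard` spreads `...payload` after the computed `accountId`, `roles` and `permissions`, so a same-named claim in the bearer token would replace the server-derived authorization data in the returned `AuthorizedAccount`; spreading first, `return { ...payload, accountId: payload.id, roles, permissions };`, lets the computed fields win. `authGuard` presumably verifies the token's signature, so this is defence in depth rather than a live bypass. This module also imports `loadAccountRoles` from `special-account.helper.js`, while that file imports `ADMIN_PERMISSIONS`/`EDITOR_PERMISSIONS` from here and reads them at module top level to build `permissionMap`; with ES modules that cycle only evaluates cleanly if `authorization.helper.js` is reached first, otherwise the top-level read hits a not-yet-initialized binding. Moving the two permission constants into a module neither file depends on, or having `getRolePermissions` and `permissionMap` share one mapping, removes both the cycle and the duplicated role→permission table.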
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"authorization.helper.js","sourceRoot":"","sources":["../../../src/admin-backend/auth/authorization.helper.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAsB,MAAM,6BAA6B,CAAC;AAE3E,OAAO,EAAE,SAAS,EAA2B,MAAM,kBAAkB,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAE/D,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,eAAe;IACf,qBAAqB;IACrB,kBAAkB;IAClB,aAAa;IACb,eAAe;IACf,aAAa;CACL,CAAC;AAEX,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,eAAe,CAAU,CAAC;AAE7D,SAAS,kBAAkB,CAAC,IAAY;IACtC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,OAAO;YACV,OAAO,iBAAiB,CAAC;QAC3B,KAAK,QAAQ;YACX,OAAO,kBAAkB,CAAC;QAC5B;YACE,OAAO,EAAE,CAAC;IACd,CAAC;AACH,CAAC;AAQD,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,WAA+C,EAC/C,WAA0B,EAC1B,kBAA0B;IAE1B,MAAM,OAAO,GAAG,SAAS,CAAC,WAAW,CAAC,CAAC;IAEvC,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAC3D,MAAM,WAAW,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAEpF,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,QAAQ,CAAC,qCAAqC,EAAE,GAAG,CAAC,CAAC;IACjE,CAAC;IAED,OAAO;QACL,SAAS,EAAE,OAAO,CAAC,EAAE;QACrB,KAAK;QACL,WAAW;QACX,GAAG,OAAO;KACX,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
import type { SiteContext } from "../../site-context/site-context.types.js";
|
|
2
|
+
export declare function isSpecialAccountEmail(email: string): boolean;
|
|
3
|
+
export declare function loadAccountRoles(siteContext: Pick<SiteContext, "cn">, account: {
|
|
4
|
+
id: string;
|
|
5
|
+
email: string;
|
|
6
|
+
}): Promise<string[]>;
|
|
7
|
+
export declare function loadAccountPermissions(siteContext: Pick<SiteContext, "cn">, account: {
|
|
8
|
+
id: string;
|
|
9
|
+
email: string;
|
|
10
|
+
}): Promise<string[]>;
|
|
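--- a/package/dist/admin-backend/auth/special-account.helper.js
+++ b/package/dist/admin-backend/auth/special-account.helper.js
@@ -0,0 +1,38 @@
+import { type } from "arktype";
+import { appConf } from "../../context.js";
+import { ADMIN_PERMISSIONS, EDITOR_PERMISSIONS } from "./authorization.helper.js";
+const permissionMap = {
+admin: ADMIN_PERMISSIONS,
+editor: EDITOR_PERMISSIONS,
+};
+const RoleRowAT = type({
+role: "string",
+"+": "reject",
+});
+export function isSpecialAccountEmail(email) {
+if (appConf.localDevAccount?.email === email) {
+return true;
+}
+if (appConf.platformAdminAccounts?.some((acc) => acc.email === email)) {
+return true;
+}
+return false;
+}
+export async function loadAccountRoles(siteContext, account) {
+const roleRows = await siteContext
+.cn("PaAccountRole")
+.select("role")
+.where("accountId", account.id);
+const dbRoles = roleRows.map((row) => RoleRowAT.assert(row).role);
+if (isSpecialAccountEmail(account.email)) {
+const rolesSet = new Set([...dbRoles, "admin"]);
+return Array.from(rolesSet);
+}
+return dbRoles;
+}
+export async function loadAccountPermissions(siteContext, account) {
+const roles = await loadAccountRoles(siteContext, account);
+const permissions = [...new Set(roles.flatMap((role) => permissionMap[role] ?? []))];
+return permissions;
+}
+//# sourceMappingURL=special-account.helper.js.map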
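Review bot: `permissionMap[role] ?? []` in loadAccountPermissions looks the database-supplied role string up on a plain object literal, so a role value that names an inherited property (for example `constructor`) yields a function instead of falling through to `[]` and ends up in the returned permission list; guard it with `Object.hasOwn(permissionMap, role) ? permissionMap[role] : []`, or declare `permissionMap` as a `Map` and use `permissionMap.get(role) ?? []`. Separately, loadAccountRoles grants `admin` on a plain `===` match between the account's email and `appConf.localDevAccount` / `appConf.platformAdminAccounts`, independent of the account id; whether that is safe depends on email uniqueness and verification at account creation, which is not visible here, and the comparison is case-sensitive, so a differently-cased stored email silently loses the special role. A short comment above isSpecialAccountEmail stating that `email` must be the verified, canonical (normalized-case) address of the account would make that precondition explicit for callers.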
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"special-account.helper.js","sourceRoot":"","sources":["../../../src/admin-backend/auth/special-account.helper.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,SAAS,CAAC;AAC/B,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAE3C,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAElF,MAAM,aAAa,GAAsC;IACvD,KAAK,EAAE,iBAAiB;IACxB,MAAM,EAAE,kBAAkB;CAC3B,CAAC;AAEF,MAAM,SAAS,GAAG,IAAI,CAAC;IACrB,IAAI,EAAE,QAAQ;IACd,GAAG,EAAE,QAAQ;CACd,CAAC,CAAC;AAMH,MAAM,UAAU,qBAAqB,CAAC,KAAa;IACjD,IAAI,OAAO,CAAC,eAAe,EAAE,KAAK,KAAK,KAAK,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,OAAO,CAAC,qBAAqB,EAAE,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,KAAK,KAAK,CAAC,EAAE,CAAC;QACtE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAMD,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,WAAoC,EACpC,OAAsC;IAEtC,MAAM,QAAQ,GAAG,MAAM,WAAW;SAC/B,EAAE,CAAC,eAAe,CAAC;SACnB,MAAM,CAAC,MAAM,CAAC;SACd,KAAK,CAAC,WAAW,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;IAElC,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC;IAElE,IAAI,qBAAqB,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;QAChD,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,WAAoC,EACpC,OAAsC;IAEtC,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAC3D,MAAM,WAAW,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACrF,OAAO,WAAW,CAAC;AACrB,CAAC"}
|
|
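--- a/package/dist/admin-backend/backup/backup.resolver.js
+++ b/package/dist/admin-backend/backup/backup.resolver.js
@@ -1,12 +1,12 @@
 import { siteReadyGuard } from "../../graphql/graphql.types.js";
-import {
+import { permissionGuard } from "../auth/authorization.helper.js";
 import { createDownloadToken } from "./backup.helper.js";
 import { executeHardenedBackup } from "./hardened-backup.service.js";
 export const backupResolvers = {
 Mutation: {
 initializeBackup: async (_parent, _values, { siteContext, httpContext }) => {
-authGuard(httpContext);
 siteReadyGuard(siteContext);
+await permissionGuard(siteContext, httpContext, "site.backup");
 const { zipFileWeight, zipFileName } = await executeHardenedBackup(siteContext);
 const accessToken = createDownloadToken({
 backupFile: zipFileName,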
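Review bot: The new permission check `await permissionGuard(siteContext, httpContext, "site.backup");` runs after `siteReadyGuard(siteContext);`, whereas the removed `authGuard(httpContext);` ran before it, so an unauthenticated or unauthorized caller now receives whatever siteReadyGuard reports before its own authorization is evaluated. If siteReadyGuard's error reveals anything about site state, swapping the two lines so the permission check comes first keeps that information behind authorization; if the ordering is deliberate, a one-line comment saying why would help the next reader. initializeBackup's body continues outside the hunk.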
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"backup.resolver.js","sourceRoot":"","sources":["../../../src/admin-backend/backup/backup.resolver.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAuB,MAAM,gCAAgC,CAAC;AACrF,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"backup.resolver.js","sourceRoot":"","sources":["../../../src/admin-backend/backup/backup.resolver.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAuB,MAAM,gCAAgC,CAAC;AACrF,OAAO,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAClE,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAOrE,MAAM,CAAC,MAAM,eAAe,GAAiC;IAC3D,QAAQ,EAAE;QACR,gBAAgB,EAAE,KAAK,EACrB,OAAO,EACP,OAAO,EACP,EAAE,WAAW,EAAE,WAAW,EAAE,EACP,EAAE;YACvB,cAAc,CAAC,WAAW,CAAC,CAAC;YAC5B,MAAM,eAAe,CAAC,WAAW,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC;YAC/D,MAAM,EAAE,aAAa,EAAE,WAAW,EAAE,GAAG,MAAM,qBAAqB,CAAC,WAAW,CAAC,CAAC;YAChF,MAAM,WAAW,GAAG,mBAAmB,CAAC;gBACtC,UAAU,EAAE,WAAW;gBACvB,WAAW,EAAE,iBAAiB;aAC/B,CAAC,CAAC;YACH,MAAM,WAAW,GAAG,uBAAuB,WAAW,OAAO,WAAW,EAAE,CAAC;YAE3E,OAAO;gBACL,WAAW;gBACX,UAAU,EAAE,aAAa;aAC1B,CAAC;QACJ,CAAC;KACF;CACF,CAAC"}
|
|
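--- a/package/dist/admin-backend/document/document.resolver.extend.js
+++ b/package/dist/admin-backend/document/document.resolver.extend.js
@@ -1,11 +1,9 @@
 import { toDocumentSeed } from "../../common/data-format.js";
 import { siteReadyGuard } from "../../graphql/graphql.types.js";
-import { authGuard } from "../auth/auth.helper.js";
 import { findOneDocument } from "./load-documents.queries.js";
 export const extendWithDocumentResolver = {
 LNodeWrap: {
-document: async (parent, _args, { siteContext
-authGuard(httpContext);
+document: async (parent, _args, { siteContext }) => {
 siteReadyGuard(siteContext);
 const document = await findOneDocument(siteContext, {
 nodeId: parent.nodeId,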
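Review bot: The `document` field resolver on LNodeWrap no longer calls any authentication guard: `authGuard(httpContext);` is removed together with the `httpContext` destructuring, and unlike backup.resolver.js in this same release no `permissionGuard` call replaces it, leaving only `siteReadyGuard(siteContext);`. If the parent resolver that produces LNodeWrap already enforces authentication this is fine, but that is not visible here; otherwise `findOneDocument` becomes reachable from unauthenticated GraphQL queries. A one-line comment such as `// access is enforced by the resolver that yields LNodeWrap` (or a restored guard) would make the intent explicit. The resolver body continues outside the hunk.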
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"document.resolver.extend.js","sourceRoot":"","sources":["../../../src/admin-backend/document/document.resolver.extend.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAE7D,OAAO,EAAE,cAAc,EAAuB,MAAM,gCAAgC,CAAC;
|
|
1
|
+
{"version":3,"file":"document.resolver.extend.js","sourceRoot":"","sources":["../../../src/admin-backend/document/document.resolver.extend.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAE7D,OAAO,EAAE,cAAc,EAAuB,MAAM,gCAAgC,CAAC;AAErF,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAE9D,MAAM,CAAC,MAAM,0BAA0B,GAAiC;IACtE,SAAS,EAAE;QACT,QAAQ,EAAE,KAAK,EAAE,MAAqB,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE;YAChE,cAAc,CAAC,WAAW,CAAC,CAAC;YAC5B,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,WAAW,EAAE;gBAClD,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;aAC1B,CAAC,CAAC;YACH,OAAO,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACpD,CAAC;KACF;CACF,CAAC"}
|