@powerhousedao/reactor-api 6.2.0-dev.4 → 6.2.0-dev.5
- package/README.md +0 -2
- package/dist/index.d.mts +32 -93
- package/dist/index.d.mts.map +1 -1
- package/dist/index.mjs +85 -235
- package/dist/index.mjs.map +1 -1
- package/dist/src/packages/vite-loader.mjs +1 -1
- package/dist/{utils-BFkbSO_H.mjs → utils-CtC8sjRo.mjs} +115 -34
- package/dist/utils-CtC8sjRo.mjs.map +1 -0
- package/package.json +13 -13
- package/dist/utils-BFkbSO_H.mjs.map +0 -1
package/dist/index.mjs
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
|
|
2
|
-
!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="
|
|
3
|
-
import { a as isSubgraphClass, c as loadDocumentModels, d as BaseSubgraph, i as buildGraphqlOperations, l as loadProcessors, n as buildGraphQlDriveDocument, o as debounce, r as buildGraphqlOperation, t as buildGraphQlDocument, u as loadSubgraphs } from "./utils-
|
|
2
|
+
!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="64b14acf-bb9d-528e-b2b6-b3fa2097026f")}catch(e){}}();
|
|
3
|
+
import { a as isSubgraphClass, c as loadDocumentModels, d as BaseSubgraph, f as AuthorizationPolicy, i as buildGraphqlOperations, l as loadProcessors, n as buildGraphQlDriveDocument, o as debounce, p as createAuthorizationService, r as buildGraphqlOperation, t as buildGraphQlDocument, u as loadSubgraphs } from "./utils-CtC8sjRo.mjs";
|
|
4
4
|
import { AnalyticsQueryEngine } from "@powerhousedao/analytics-engine-core";
|
|
5
5
|
import { AnalyticsModel, AnalyticsResolvers, typedefs } from "@powerhousedao/analytics-engine-graphql";
|
|
6
6
|
import { gql } from "graphql-tag";
|
|
@@ -85,18 +85,14 @@ async function documentAccess(service, args) {
|
|
|
85
85
|
async function userDocumentPermissions(service, userAddress) {
|
|
86
86
|
return service.getUserDocuments(userAddress);
|
|
87
87
|
}
|
|
88
|
-
async function grantDocumentPermission(service, args, grantedByAddress
|
|
88
|
+
async function grantDocumentPermission(service, authorizationService, args, grantedByAddress) {
|
|
89
89
|
if (!grantedByAddress) throw new GraphQLError("Authentication required");
|
|
90
|
-
if (!
|
|
91
|
-
if (!await service.canManageDocument(args.documentId, grantedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to grant permissions");
|
|
92
|
-
}
|
|
90
|
+
if (!await authorizationService.canManage(args.documentId, grantedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to grant permissions");
|
|
93
91
|
return service.grantPermission(args.documentId, args.userAddress, args.permission, grantedByAddress);
|
|
94
92
|
}
|
|
95
|
-
async function revokeDocumentPermission(service, args, revokedByAddress
|
|
93
|
+
async function revokeDocumentPermission(service, authorizationService, args, revokedByAddress) {
|
|
96
94
|
if (!revokedByAddress) throw new GraphQLError("Authentication required");
|
|
97
|
-
if (!
|
|
98
|
-
if (!await service.canManageDocument(args.documentId, revokedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to revoke permissions");
|
|
99
|
-
}
|
|
95
|
+
if (!await authorizationService.canManage(args.documentId, revokedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to revoke permissions");
|
|
100
96
|
await service.revokePermission(args.documentId, args.userAddress);
|
|
101
97
|
return true;
|
|
102
98
|
}
|
|
@@ -127,18 +123,14 @@ async function removeUserFromGroup(service, args) {
|
|
|
127
123
|
async function getGroupMembers(service, groupId) {
|
|
128
124
|
return service.getGroupMembers(groupId);
|
|
129
125
|
}
|
|
130
|
-
async function grantGroupPermission(service, args, grantedByAddress
|
|
126
|
+
async function grantGroupPermission(service, authorizationService, args, grantedByAddress) {
|
|
131
127
|
if (!grantedByAddress) throw new GraphQLError("Authentication required");
|
|
132
|
-
if (!
|
|
133
|
-
if (!await service.canManageDocument(args.documentId, grantedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to grant permissions");
|
|
134
|
-
}
|
|
128
|
+
if (!await authorizationService.canManage(args.documentId, grantedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to grant permissions");
|
|
135
129
|
return service.grantGroupPermission(args.documentId, args.groupId, args.permission, grantedByAddress);
|
|
136
130
|
}
|
|
137
|
-
async function revokeGroupPermission(service, args, revokedByAddress
|
|
131
|
+
async function revokeGroupPermission(service, authorizationService, args, revokedByAddress) {
|
|
138
132
|
if (!revokedByAddress) throw new GraphQLError("Authentication required");
|
|
139
|
-
if (!
|
|
140
|
-
if (!await service.canManageDocument(args.documentId, revokedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to revoke permissions");
|
|
141
|
-
}
|
|
133
|
+
if (!await authorizationService.canManage(args.documentId, revokedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to revoke permissions");
|
|
142
134
|
await service.revokeGroupPermission(args.documentId, args.groupId);
|
|
143
135
|
return true;
|
|
144
136
|
}
|
|
@@ -155,56 +147,40 @@ async function operationPermissions(service, args) {
|
|
|
155
147
|
async function canExecuteOperation(service, args, userAddress) {
|
|
156
148
|
return service.canExecuteOperation(args.documentId, args.operationType, userAddress);
|
|
157
149
|
}
|
|
158
|
-
async function grantOperationPermission(service, args, grantedByAddress
|
|
150
|
+
async function grantOperationPermission(service, authorizationService, args, grantedByAddress) {
|
|
159
151
|
if (!grantedByAddress) throw new GraphQLError("Authentication required");
|
|
160
|
-
if (!
|
|
161
|
-
if (!await service.canManageDocument(args.documentId, grantedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to grant operation permissions");
|
|
162
|
-
}
|
|
152
|
+
if (!await authorizationService.canManage(args.documentId, grantedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to grant operation permissions");
|
|
163
153
|
return service.grantOperationPermission(args.documentId, args.operationType, args.userAddress, grantedByAddress);
|
|
164
154
|
}
|
|
165
|
-
async function revokeOperationPermission(service, args, revokedByAddress
|
|
155
|
+
async function revokeOperationPermission(service, authorizationService, args, revokedByAddress) {
|
|
166
156
|
if (!revokedByAddress) throw new GraphQLError("Authentication required");
|
|
167
|
-
if (!
|
|
168
|
-
if (!await service.canManageDocument(args.documentId, revokedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to revoke operation permissions");
|
|
169
|
-
}
|
|
157
|
+
if (!await authorizationService.canManage(args.documentId, revokedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to revoke operation permissions");
|
|
170
158
|
await service.revokeOperationPermission(args.documentId, args.operationType, args.userAddress);
|
|
171
159
|
return true;
|
|
172
160
|
}
|
|
173
|
-
async function grantGroupOperationPermission(service, args, grantedByAddress
|
|
161
|
+
async function grantGroupOperationPermission(service, authorizationService, args, grantedByAddress) {
|
|
174
162
|
if (!grantedByAddress) throw new GraphQLError("Authentication required");
|
|
175
|
-
if (!
|
|
176
|
-
if (!await service.canManageDocument(args.documentId, grantedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to grant operation permissions");
|
|
177
|
-
}
|
|
163
|
+
if (!await authorizationService.canManage(args.documentId, grantedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to grant operation permissions");
|
|
178
164
|
return service.grantGroupOperationPermission(args.documentId, args.operationType, args.groupId, grantedByAddress);
|
|
179
165
|
}
|
|
180
|
-
async function revokeGroupOperationPermission(service, args, revokedByAddress
|
|
166
|
+
async function revokeGroupOperationPermission(service, authorizationService, args, revokedByAddress) {
|
|
181
167
|
if (!revokedByAddress) throw new GraphQLError("Authentication required");
|
|
182
|
-
if (!
|
|
183
|
-
if (!await service.canManageDocument(args.documentId, revokedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to revoke operation permissions");
|
|
184
|
-
}
|
|
168
|
+
if (!await authorizationService.canManage(args.documentId, revokedByAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to revoke operation permissions");
|
|
185
169
|
await service.revokeGroupOperationPermission(args.documentId, args.operationType, args.groupId);
|
|
186
170
|
return true;
|
|
187
171
|
}
|
|
188
172
|
async function documentProtection(service, args) {
|
|
189
173
|
return service.getDocumentProtection(args.documentId);
|
|
190
174
|
}
|
|
191
|
-
async function setDocumentProtection(service, authorizationService, args, userAddress
|
|
175
|
+
async function setDocumentProtection(service, authorizationService, args, userAddress) {
|
|
192
176
|
if (!userAddress) throw new GraphQLError("Authentication required");
|
|
193
|
-
if (!
|
|
194
|
-
if (authorizationService) {
|
|
195
|
-
if (!await authorizationService.canManage(args.documentId, userAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to change protection");
|
|
196
|
-
} else if (!await service.canManageDocument(args.documentId, userAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to change protection");
|
|
197
|
-
}
|
|
177
|
+
if (!await authorizationService.canManage(args.documentId, userAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to change protection");
|
|
198
178
|
await service.setDocumentProtection(args.documentId, args.protected);
|
|
199
179
|
return service.getDocumentProtection(args.documentId);
|
|
200
180
|
}
|
|
201
|
-
async function transferDocumentOwnership(service, authorizationService, args, userAddress
|
|
181
|
+
async function transferDocumentOwnership(service, authorizationService, args, userAddress) {
|
|
202
182
|
if (!userAddress) throw new GraphQLError("Authentication required");
|
|
203
|
-
if (!
|
|
204
|
-
if (authorizationService) {
|
|
205
|
-
if (!await authorizationService.canManage(args.documentId, userAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to transfer ownership");
|
|
206
|
-
} else if (!await service.canManageDocument(args.documentId, userAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to transfer ownership");
|
|
207
|
-
}
|
|
183
|
+
if (!await authorizationService.canManage(args.documentId, userAddress)) throw new GraphQLError("Forbidden: You must be an admin of this document to transfer ownership");
|
|
208
184
|
const previousOwner = await service.getDocumentOwner(args.documentId);
|
|
209
185
|
if (previousOwner) await service.revokePermission(args.documentId, previousOwner);
|
|
210
186
|
await service.setDocumentOwner(args.documentId, args.newOwnerAddress);
|
|
@@ -322,8 +298,7 @@ var AuthSubgraph = class extends BaseSubgraph {
|
|
|
322
298
|
this.logger.debug("setDocumentProtection(@args)", args);
|
|
323
299
|
if (!this.documentPermissionService) throw new GraphQLError("DocumentPermissionService not available");
|
|
324
300
|
try {
|
|
325
|
-
|
|
326
|
-
return await setDocumentProtection(this.documentPermissionService, this.authorizationService, args, ctx.user?.address, isGlobalAdmin);
|
|
301
|
+
return await setDocumentProtection(this.documentPermissionService, this.authorizationService, args, ctx.user?.address);
|
|
327
302
|
} catch (error) {
|
|
328
303
|
this.logger.error("Error in setDocumentProtection: @error", error);
|
|
329
304
|
throw error;
|
|
@@ -333,8 +308,7 @@ var AuthSubgraph = class extends BaseSubgraph {
|
|
|
333
308
|
this.logger.debug("transferDocumentOwnership(@args)", args);
|
|
334
309
|
if (!this.documentPermissionService) throw new GraphQLError("DocumentPermissionService not available");
|
|
335
310
|
try {
|
|
336
|
-
|
|
337
|
-
return await transferDocumentOwnership(this.documentPermissionService, this.authorizationService, args, ctx.user?.address, isGlobalAdmin);
|
|
311
|
+
return await transferDocumentOwnership(this.documentPermissionService, this.authorizationService, args, ctx.user?.address);
|
|
338
312
|
} catch (error) {
|
|
339
313
|
this.logger.error("Error in transferDocumentOwnership: @error", error);
|
|
340
314
|
throw error;
|
|
@@ -344,8 +318,7 @@ var AuthSubgraph = class extends BaseSubgraph {
|
|
|
344
318
|
this.logger.debug("grantDocumentPermission(@args)", args);
|
|
345
319
|
if (!this.documentPermissionService) throw new GraphQLError("DocumentPermissionService not available");
|
|
346
320
|
try {
|
|
347
|
-
|
|
348
|
-
return await grantDocumentPermission(this.documentPermissionService, args, ctx.user?.address, isGlobalAdmin);
|
|
321
|
+
return await grantDocumentPermission(this.documentPermissionService, this.authorizationService, args, ctx.user?.address);
|
|
349
322
|
} catch (error) {
|
|
350
323
|
this.logger.error("Error in grantDocumentPermission: @error", error);
|
|
351
324
|
throw error;
|
|
@@ -355,8 +328,7 @@ var AuthSubgraph = class extends BaseSubgraph {
|
|
|
355
328
|
this.logger.debug("revokeDocumentPermission(@args)", args);
|
|
356
329
|
if (!this.documentPermissionService) throw new GraphQLError("DocumentPermissionService not available");
|
|
357
330
|
try {
|
|
358
|
-
|
|
359
|
-
return await revokeDocumentPermission(this.documentPermissionService, args, ctx.user?.address, isGlobalAdmin);
|
|
331
|
+
return await revokeDocumentPermission(this.documentPermissionService, this.authorizationService, args, ctx.user?.address);
|
|
360
332
|
} catch (error) {
|
|
361
333
|
this.logger.error("Error in revokeDocumentPermission: @error", error);
|
|
362
334
|
throw error;
|
|
@@ -406,8 +378,7 @@ var AuthSubgraph = class extends BaseSubgraph {
|
|
|
406
378
|
this.logger.debug("grantGroupPermission(@args)", args);
|
|
407
379
|
if (!this.documentPermissionService) throw new GraphQLError("DocumentPermissionService not available");
|
|
408
380
|
try {
|
|
409
|
-
|
|
410
|
-
return await grantGroupPermission(this.documentPermissionService, args, ctx.user?.address, isGlobalAdmin);
|
|
381
|
+
return await grantGroupPermission(this.documentPermissionService, this.authorizationService, args, ctx.user?.address);
|
|
411
382
|
} catch (error) {
|
|
412
383
|
this.logger.error("Error in grantGroupPermission: @error", error);
|
|
413
384
|
throw error;
|
|
@@ -417,8 +388,7 @@ var AuthSubgraph = class extends BaseSubgraph {
|
|
|
417
388
|
this.logger.debug("revokeGroupPermission(@args)", args);
|
|
418
389
|
if (!this.documentPermissionService) throw new GraphQLError("DocumentPermissionService not available");
|
|
419
390
|
try {
|
|
420
|
-
|
|
421
|
-
return await revokeGroupPermission(this.documentPermissionService, args, ctx.user?.address, isGlobalAdmin);
|
|
391
|
+
return await revokeGroupPermission(this.documentPermissionService, this.authorizationService, args, ctx.user?.address);
|
|
422
392
|
} catch (error) {
|
|
423
393
|
this.logger.error("Error in revokeGroupPermission: @error", error);
|
|
424
394
|
throw error;
|
|
@@ -428,8 +398,7 @@ var AuthSubgraph = class extends BaseSubgraph {
|
|
|
428
398
|
this.logger.debug("grantOperationPermission(@args)", args);
|
|
429
399
|
if (!this.documentPermissionService) throw new GraphQLError("DocumentPermissionService not available");
|
|
430
400
|
try {
|
|
431
|
-
|
|
432
|
-
return await grantOperationPermission(this.documentPermissionService, args, ctx.user?.address, isGlobalAdmin);
|
|
401
|
+
return await grantOperationPermission(this.documentPermissionService, this.authorizationService, args, ctx.user?.address);
|
|
433
402
|
} catch (error) {
|
|
434
403
|
this.logger.error("Error in grantOperationPermission: @error", error);
|
|
435
404
|
throw error;
|
|
@@ -439,8 +408,7 @@ var AuthSubgraph = class extends BaseSubgraph {
|
|
|
439
408
|
this.logger.debug("revokeOperationPermission(@args)", args);
|
|
440
409
|
if (!this.documentPermissionService) throw new GraphQLError("DocumentPermissionService not available");
|
|
441
410
|
try {
|
|
442
|
-
|
|
443
|
-
return await revokeOperationPermission(this.documentPermissionService, args, ctx.user?.address, isGlobalAdmin);
|
|
411
|
+
return await revokeOperationPermission(this.documentPermissionService, this.authorizationService, args, ctx.user?.address);
|
|
444
412
|
} catch (error) {
|
|
445
413
|
this.logger.error("Error in revokeOperationPermission: @error", error);
|
|
446
414
|
throw error;
|
|
@@ -450,8 +418,7 @@ var AuthSubgraph = class extends BaseSubgraph {
|
|
|
450
418
|
this.logger.debug("grantGroupOperationPermission(@args)", args);
|
|
451
419
|
if (!this.documentPermissionService) throw new GraphQLError("DocumentPermissionService not available");
|
|
452
420
|
try {
|
|
453
|
-
|
|
454
|
-
return await grantGroupOperationPermission(this.documentPermissionService, args, ctx.user?.address, isGlobalAdmin);
|
|
421
|
+
return await grantGroupOperationPermission(this.documentPermissionService, this.authorizationService, args, ctx.user?.address);
|
|
455
422
|
} catch (error) {
|
|
456
423
|
this.logger.error("Error in grantGroupOperationPermission: @error", error);
|
|
457
424
|
throw error;
|
|
@@ -461,8 +428,7 @@ var AuthSubgraph = class extends BaseSubgraph {
|
|
|
461
428
|
this.logger.debug("revokeGroupOperationPermission(@args)", args);
|
|
462
429
|
if (!this.documentPermissionService) throw new GraphQLError("DocumentPermissionService not available");
|
|
463
430
|
try {
|
|
464
|
-
|
|
465
|
-
return await revokeGroupOperationPermission(this.documentPermissionService, args, ctx.user?.address, isGlobalAdmin);
|
|
431
|
+
return await revokeGroupOperationPermission(this.documentPermissionService, this.authorizationService, args, ctx.user?.address);
|
|
466
432
|
} catch (error) {
|
|
467
433
|
this.logger.error("Error in revokeGroupOperationPermission: @error", error);
|
|
468
434
|
throw error;
|
|
@@ -624,24 +590,6 @@ var AuthService = class {
|
|
|
624
590
|
}
|
|
625
591
|
}
|
|
626
592
|
/**
|
|
627
|
-
* Get additional context fields for GraphQL
|
|
628
|
-
*/
|
|
629
|
-
getAdditionalContextFields() {
|
|
630
|
-
if (!this.config.enabled) return { isAdmin: () => true };
|
|
631
|
-
return { isAdmin: (address) => this.config.enabled && this.config.admins?.includes(address.toLowerCase()) };
|
|
632
|
-
}
|
|
633
|
-
/**
|
|
634
|
-
* Get user context for GraphQL
|
|
635
|
-
*/
|
|
636
|
-
getUserContext(user) {
|
|
637
|
-
if (!user) return {};
|
|
638
|
-
return { user: {
|
|
639
|
-
address: user.address.toLowerCase(),
|
|
640
|
-
chainId: user.chainId,
|
|
641
|
-
networkId: user.networkId
|
|
642
|
-
} };
|
|
643
|
-
}
|
|
644
|
-
/**
|
|
645
593
|
* Verify that the credential still exists on the Renown API
|
|
646
594
|
*/
|
|
647
595
|
async verifyCredentialExists(address, chainId, appId) {
|
|
@@ -2847,7 +2795,7 @@ var DocumentModelSubgraph = class extends BaseSubgraph {
|
|
|
2847
2795
|
search: { type: documentType },
|
|
2848
2796
|
paging
|
|
2849
2797
|
});
|
|
2850
|
-
if (!this.
|
|
2798
|
+
if (!this.authorizationService.isSupremeAdmin(ctx.user?.address)) {
|
|
2851
2799
|
const filteredItems = [];
|
|
2852
2800
|
for (const item of result.items) if (await this.canReadDocument(item.id, ctx)) filteredItems.push(item);
|
|
2853
2801
|
return {
|
|
@@ -2868,7 +2816,7 @@ var DocumentModelSubgraph = class extends BaseSubgraph {
|
|
|
2868
2816
|
view,
|
|
2869
2817
|
paging
|
|
2870
2818
|
});
|
|
2871
|
-
if (!this.
|
|
2819
|
+
if (!this.authorizationService.isSupremeAdmin(ctx.user?.address)) {
|
|
2872
2820
|
const filteredItems = [];
|
|
2873
2821
|
for (const item of result.items) if (await this.canReadDocument(item.id, ctx)) filteredItems.push(item);
|
|
2874
2822
|
return {
|
|
@@ -2911,9 +2859,7 @@ var DocumentModelSubgraph = class extends BaseSubgraph {
|
|
|
2911
2859
|
createDocument: async (_, args, ctx) => {
|
|
2912
2860
|
const { parentIdentifier, name, slug, preferredEditor, initialState } = args;
|
|
2913
2861
|
if (parentIdentifier) await this.assertCanWrite(parentIdentifier, ctx);
|
|
2914
|
-
else
|
|
2915
|
-
if (!ctx.user?.address) throw new GraphQLError("Forbidden: authentication required to create documents");
|
|
2916
|
-
} else if (!this.hasGlobalAdminAccess(ctx)) throw new GraphQLError("Forbidden: insufficient permissions to create documents");
|
|
2862
|
+
else this.assertCanCreate(ctx);
|
|
2917
2863
|
let createdDoc;
|
|
2918
2864
|
if (initialState || preferredEditor) createdDoc = await createDocumentWithInitialState(this.reactorClient, {
|
|
2919
2865
|
documentType,
|
|
@@ -2928,27 +2874,24 @@ var DocumentModelSubgraph = class extends BaseSubgraph {
|
|
|
2928
2874
|
parentIdentifier,
|
|
2929
2875
|
name
|
|
2930
2876
|
}, this.graphqlManager.reactorDriveClient);
|
|
2931
|
-
if (
|
|
2877
|
+
if (ctx.user?.address && createdDoc?.id) await this.documentPermissionService?.initializeDocumentProtection(createdDoc.id, ctx.user.address, this.authorizationService.config.defaultProtection);
|
|
2932
2878
|
if (!initialState && !preferredEditor && name && createdDoc.name !== name) return toGqlPhDocument(await this.reactorClient.execute(createdDoc.id, "main", [setName(name)]));
|
|
2933
2879
|
return createdDoc;
|
|
2934
2880
|
},
|
|
2935
2881
|
createEmptyDocument: async (_, args, ctx) => {
|
|
2936
2882
|
const { parentIdentifier } = args;
|
|
2937
2883
|
if (parentIdentifier) await this.assertCanWrite(parentIdentifier, ctx);
|
|
2938
|
-
else
|
|
2939
|
-
if (!ctx.user?.address) throw new GraphQLError("Forbidden: authentication required to create documents");
|
|
2940
|
-
} else if (!this.hasGlobalAdminAccess(ctx)) throw new GraphQLError("Forbidden: insufficient permissions to create documents");
|
|
2884
|
+
else this.assertCanCreate(ctx);
|
|
2941
2885
|
const result = await createEmptyDocument(this.reactorClient, {
|
|
2942
2886
|
documentType,
|
|
2943
2887
|
parentIdentifier
|
|
2944
2888
|
}, this.graphqlManager.reactorDriveClient);
|
|
2945
|
-
if (
|
|
2889
|
+
if (ctx.user?.address && result?.id) await this.documentPermissionService?.initializeDocumentProtection(result.id, ctx.user.address, this.authorizationService.config.defaultProtection);
|
|
2946
2890
|
return result;
|
|
2947
2891
|
},
|
|
2948
2892
|
...operations.reduce((mutations, op) => {
|
|
2949
2893
|
mutations[camelCase(op.name)] = async (_, args, ctx) => {
|
|
2950
2894
|
const { docId, input } = args;
|
|
2951
|
-
if (!this.authorizationService) await this.assertCanWrite(docId, ctx);
|
|
2952
2895
|
await this.assertCanExecuteOperation(docId, op.name, ctx);
|
|
2953
2896
|
if ((await this.reactorClient.get(docId)).header.documentType !== documentType) throw new GraphQLError(`Document with id ${docId} is not of type ${documentType}`);
|
|
2954
2897
|
const action = this.documentModel.actions[camelCase(op.name)];
|
|
@@ -2961,7 +2904,6 @@ var DocumentModelSubgraph = class extends BaseSubgraph {
|
|
|
2961
2904
|
};
|
|
2962
2905
|
mutations[`${camelCase(op.name)}Async`] = async (_, args, ctx) => {
|
|
2963
2906
|
const { docId, input } = args;
|
|
2964
|
-
if (!this.authorizationService) await this.assertCanWrite(docId, ctx);
|
|
2965
2907
|
await this.assertCanExecuteOperation(docId, op.name, ctx);
|
|
2966
2908
|
if ((await this.reactorClient.get(docId)).header.documentType !== documentType) throw new GraphQLError(`Document with id ${docId} is not of type ${documentType}`);
|
|
2967
2909
|
const action = this.documentModel.actions[camelCase(op.name)];
|
|
@@ -3160,6 +3102,7 @@ var GraphQLManager = class {
|
|
|
3160
3102
|
* it for reactor-drive parents.
|
|
3161
3103
|
*/
|
|
3162
3104
|
reactorDriveClient;
|
|
3105
|
+
authorizationService;
|
|
3163
3106
|
constructor(path, httpServer, wsServer, reactorClient, relationalDb, analyticsStore, syncManager, logger, httpAdapter, gatewayAdapter, authConfig, documentPermissionService, featureFlags = DefaultFeatureFlags, port = 4001, authorizationService, reactorDriveClient) {
|
|
3164
3107
|
this.path = path;
|
|
3165
3108
|
this.httpServer = httpServer;
|
|
@@ -3175,6 +3118,7 @@ var GraphQLManager = class {
|
|
|
3175
3118
|
this.documentPermissionService = documentPermissionService;
|
|
3176
3119
|
this.featureFlags = featureFlags;
|
|
3177
3120
|
this.port = port;
|
|
3121
|
+
if (!authorizationService) throw new Error("GraphQLManager requires an authorizationService");
|
|
3178
3122
|
this.authorizationService = authorizationService;
|
|
3179
3123
|
this.reactorDriveClient = reactorDriveClient;
|
|
3180
3124
|
if (this.authConfig) this.authService = new AuthService(this.authConfig);
|
|
@@ -3297,6 +3241,14 @@ var GraphQLManager = class {
|
|
|
3297
3241
|
getBasePath() {
|
|
3298
3242
|
return this.path;
|
|
3299
3243
|
}
|
|
3244
|
+
/**
|
|
3245
|
+
* Get the authorization service shared with subgraphs. Use this when
|
|
3246
|
+
* constructing a subgraph instance externally for
|
|
3247
|
+
* {@link registerSubgraphInstance}.
|
|
3248
|
+
*/
|
|
3249
|
+
getAuthorizationService() {
|
|
3250
|
+
return this.authorizationService;
|
|
3251
|
+
}
|
|
3300
3252
|
async registerSubgraph(subgraph, supergraph = "", core = false) {
|
|
3301
3253
|
const subgraphInstance = new subgraph({
|
|
3302
3254
|
relationalDb: this.relationalDb,
|
|
@@ -3356,8 +3308,7 @@ var GraphQLManager = class {
|
|
|
3356
3308
|
db: this.relationalDb,
|
|
3357
3309
|
...this.getAdditionalContextFields(),
|
|
3358
3310
|
driveId,
|
|
3359
|
-
user: authCtx?.user
|
|
3360
|
-
isAdmin: authCtx ? (addr) => !authCtx.auth_enabled ? true : authCtx.admins.includes(addr.toLowerCase()) : () => true
|
|
3311
|
+
user: authCtx?.user
|
|
3361
3312
|
});
|
|
3362
3313
|
};
|
|
3363
3314
|
}
|
|
@@ -3501,8 +3452,8 @@ var GraphQLManager = class {
|
|
|
3501
3452
|
};
|
|
3502
3453
|
//#endregion
|
|
3503
3454
|
//#region src/graphql/packages/resolvers.ts
|
|
3504
|
-
function requireAdmin(ctx) {
|
|
3505
|
-
if (!
|
|
3455
|
+
function requireAdmin(authorizationService, ctx) {
|
|
3456
|
+
if (!authorizationService.isSupremeAdmin(ctx.user?.address)) throw new GraphQLError("Admin access required");
|
|
3506
3457
|
}
|
|
3507
3458
|
function formatPackageInfo(info) {
|
|
3508
3459
|
return {
|
|
@@ -3520,16 +3471,16 @@ async function installedPackage(service, args) {
|
|
|
3520
3471
|
const pkg = await service.getInstalledPackage(args.name);
|
|
3521
3472
|
return pkg ? formatPackageInfo(pkg) : null;
|
|
3522
3473
|
}
|
|
3523
|
-
async function installPackage(service, args, ctx) {
|
|
3524
|
-
requireAdmin(ctx);
|
|
3474
|
+
async function installPackage(service, authorizationService, args, ctx) {
|
|
3475
|
+
requireAdmin(authorizationService, ctx);
|
|
3525
3476
|
const result = await service.installPackage(args.name, args.registryUrl ?? void 0);
|
|
3526
3477
|
return {
|
|
3527
3478
|
package: formatPackageInfo(result.package),
|
|
3528
3479
|
documentModelsLoaded: result.documentModelsLoaded
|
|
3529
3480
|
};
|
|
3530
3481
|
}
|
|
3531
|
-
async function uninstallPackage(service, args, ctx) {
|
|
3532
|
-
requireAdmin(ctx);
|
|
3482
|
+
async function uninstallPackage(service, authorizationService, args, ctx) {
|
|
3483
|
+
requireAdmin(authorizationService, ctx);
|
|
3533
3484
|
return service.uninstallPackage(args.name);
|
|
3534
3485
|
}
|
|
3535
3486
|
//#endregion
|
|
@@ -3575,7 +3526,7 @@ var PackagesSubgraph = class extends BaseSubgraph {
|
|
|
3575
3526
|
installPackage: async (_parent, args, ctx) => {
|
|
3576
3527
|
this.logger.debug("installPackage(@args)", args);
|
|
3577
3528
|
try {
|
|
3578
|
-
return await installPackage(this.packageManagementService, args, ctx);
|
|
3529
|
+
return await installPackage(this.packageManagementService, this.authorizationService, args, ctx);
|
|
3579
3530
|
} catch (error) {
|
|
3580
3531
|
this.logger.error("Error in installPackage: @error", error);
|
|
3581
3532
|
throw error;
|
|
@@ -3584,7 +3535,7 @@ var PackagesSubgraph = class extends BaseSubgraph {
|
|
|
3584
3535
|
uninstallPackage: async (_parent, args, ctx) => {
|
|
3585
3536
|
this.logger.debug("uninstallPackage(@args)", args);
|
|
3586
3537
|
try {
|
|
3587
|
-
return await uninstallPackage(this.packageManagementService, args, ctx);
|
|
3538
|
+
return await uninstallPackage(this.packageManagementService, this.authorizationService, args, ctx);
|
|
3588
3539
|
} catch (error) {
|
|
3589
3540
|
this.logger.error("Error in uninstallPackage: @error", error);
|
|
3590
3541
|
throw error;
|
|
@@ -4082,7 +4033,7 @@ var ReactorSubgraph = class extends BaseSubgraph {
|
|
|
4082
4033
|
try {
|
|
4083
4034
|
await this.assertCanRead(args.targetIdentifier, ctx);
|
|
4084
4035
|
const result = await documentIncomingRelationships(this.reactorClient, args);
|
|
4085
|
-
if (!this.
|
|
4036
|
+
if (!this.authorizationService.isSupremeAdmin(ctx.user?.address)) {
|
|
4086
4037
|
const filteredItems = [];
|
|
4087
4038
|
for (const item of result.items) if (await this.canReadDocument(item.id, ctx)) filteredItems.push(item);
|
|
4088
4039
|
return {
|
|
@@ -4103,7 +4054,7 @@ var ReactorSubgraph = class extends BaseSubgraph {
|
|
|
4103
4054
|
...args,
|
|
4104
4055
|
search: args.search ?? {}
|
|
4105
4056
|
});
|
|
4106
|
-
if (!this.
|
|
4057
|
+
if (!this.authorizationService.isSupremeAdmin(ctx.user?.address)) {
|
|
4107
4058
|
const filteredItems = [];
|
|
4108
4059
|
for (const item of result.items) if (await this.canReadDocument(item.id, ctx)) filteredItems.push(item);
|
|
4109
4060
|
return {
|
|
@@ -4159,12 +4110,10 @@ var ReactorSubgraph = class extends BaseSubgraph {
|
|
|
4159
4110
|
if (args.parentIdentifier) {
|
|
4160
4111
|
const parent = await document(this.reactorClient, { identifier: args.parentIdentifier });
|
|
4161
4112
|
await this.assertCanWrite(parent.document.id, ctx);
|
|
4162
|
-
} else
|
|
4163
|
-
if (!ctx.user?.address) throw new GraphQLError("Forbidden: authentication required to create documents");
|
|
4164
|
-
} else if (!this.hasGlobalAdminAccess(ctx)) throw new GraphQLError("Forbidden: insufficient permissions to create documents");
|
|
4113
|
+
} else this.assertCanCreate(ctx);
|
|
4165
4114
|
const result = await createDocument(this.reactorClient, args, this.graphqlManager.reactorDriveClient);
|
|
4166
4115
|
if (result?.id && isDriveContainerType(result.documentType)) this.graphqlManager.driveOwnershipCache.add(result.id);
|
|
4167
|
-
if (
|
|
4116
|
+
if (ctx.user?.address && result?.id) await this.documentPermissionService?.initializeDocumentProtection(result.id, ctx.user.address, this.authorizationService.config.defaultProtection);
|
|
4168
4117
|
return result;
|
|
4169
4118
|
} catch (error) {
|
|
4170
4119
|
this.logger.error("Error in createDocument(@args): @Error", args, error);
|
|
@@ -4177,12 +4126,10 @@ var ReactorSubgraph = class extends BaseSubgraph {
|
|
|
4177
4126
|
if (args.parentIdentifier) {
|
|
4178
4127
|
const parent = await document(this.reactorClient, { identifier: args.parentIdentifier });
|
|
4179
4128
|
await this.assertCanWrite(parent.document.id, ctx);
|
|
4180
|
-
} else
|
|
4181
|
-
if (!ctx.user?.address) throw new GraphQLError("Forbidden: authentication required to create documents");
|
|
4182
|
-
} else if (!this.hasGlobalAdminAccess(ctx)) throw new GraphQLError("Forbidden: insufficient permissions to create documents");
|
|
4129
|
+
} else this.assertCanCreate(ctx);
|
|
4183
4130
|
const result = await createEmptyDocument(this.reactorClient, args, this.graphqlManager.reactorDriveClient);
|
|
4184
4131
|
if (result?.id && isDriveContainerType(result.documentType)) this.graphqlManager.driveOwnershipCache.add(result.id);
|
|
4185
|
-
if (
|
|
4132
|
+
if (ctx.user?.address && result?.id) await this.documentPermissionService?.initializeDocumentProtection(result.id, ctx.user.address, this.authorizationService.config.defaultProtection);
|
|
4186
4133
|
return result;
|
|
4187
4134
|
} catch (error) {
|
|
4188
4135
|
this.logger.error("Error in createEmptyDocument(@args): @Error", args, error);
|
|
@@ -4192,7 +4139,6 @@ var ReactorSubgraph = class extends BaseSubgraph {
|
|
|
4192
4139
|
mutateDocument: async (_parent, args, ctx) => {
|
|
4193
4140
|
this.logger.debug("mutateDocument(@args)", args);
|
|
4194
4141
|
try {
|
|
4195
|
-
if (!this.authorizationService) await this.assertCanWrite(args.documentIdentifier, ctx);
|
|
4196
4142
|
await this.assertCanExecuteOperations(args.documentIdentifier, args.actions, ctx);
|
|
4197
4143
|
return await mutateDocument(this.reactorClient, args);
|
|
4198
4144
|
} catch (error) {
|
|
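Review bot: With the `assertCanWrite` fallback removed, `assertCanExecuteOperations(args.documentIdentifier, args.actions, ctx)` is the only authorization gate before `mutateDocument` in every configuration, and nothing in this hunk shows what it does for an empty `args.actions`. If it checks permissions per action, an empty list could pass with no check at all, so it is worth confirming that it denies or falls back to a write check, and recording that in a comment such as `// sole authorization gate: must deny when actions is empty`. The same applies to the `mutateDocumentAsync` hunk below. Both resolver bodies continue outside their hunks.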
@@ -4203,7 +4149,6 @@ var ReactorSubgraph = class extends BaseSubgraph {
|
|
|
4203
4149
|
mutateDocumentAsync: async (_parent, args, ctx) => {
|
|
4204
4150
|
this.logger.debug("mutateDocumentAsync(@args)", args);
|
|
4205
4151
|
try {
|
|
4206
|
-
if (!this.authorizationService) await this.assertCanWrite(args.documentIdentifier, ctx);
|
|
4207
4152
|
await this.assertCanExecuteOperations(args.documentIdentifier, args.actions, ctx);
|
|
4208
4153
|
return await mutateDocumentAsync(this.reactorClient, args);
|
|
4209
4154
|
} catch (error) {
|
|
@@ -4375,10 +4320,10 @@ const ADMIN_USERS = getAdminUsers();
|
|
|
4375
4320
|
//#endregion
|
|
4376
4321
|
//#region src/graphql/system/version.ts
|
|
4377
4322
|
function getVersion() {
|
|
4378
|
-
return "6.2.0-dev.
|
|
4323
|
+
return "6.2.0-dev.5";
|
|
4379
4324
|
}
|
|
4380
4325
|
function getGitHash() {
|
|
4381
|
-
return "
|
|
4326
|
+
return "23ce3521986ce3f860a9c2fe19790906de027ff2";
|
|
4382
4327
|
}
|
|
4383
4328
|
function getGitUrl() {
|
|
4384
4329
|
return buildTreeUrl(getGitHash());
|
|
@@ -4999,107 +4944,6 @@ async function runMigrations(db) {
|
|
|
4999
4944
|
}
|
|
5000
4945
|
}
|
|
5001
4946
|
//#endregion
|
|
5002
|
-
//#region src/services/authorization.service.ts
|
|
5003
|
-
/**
|
|
5004
|
-
* Central authorization service — single source of truth for all permission checks.
|
|
5005
|
-
*
|
|
5006
|
-
* Authorization model:
|
|
5007
|
-
* 1. Supreme admin (ADMINS env) → ALLOW ALL
|
|
5008
|
-
* 2. Is document protected?
|
|
5009
|
-
* a. NOT protected:
|
|
5010
|
-
* - READ: anyone (even anonymous) → ALLOW
|
|
5011
|
-
* - WRITE: authenticated user → ALLOW
|
|
5012
|
-
* b. PROTECTED:
|
|
5013
|
-
* - READ: requires explicit READ/WRITE/ADMIN grant (direct or via group/parent)
|
|
5014
|
-
* - WRITE: requires explicit WRITE/ADMIN grant (direct or via group/parent)
|
|
5015
|
-
* 3. Operation restricted? → Check OperationUserPermission
|
|
5016
|
-
* 4. Document owner = implicit ADMIN
|
|
5017
|
-
* 5. Drive protected = all children effectively protected
|
|
5018
|
-
*/
|
|
5019
|
-
var AuthorizationService = class {
|
|
5020
|
-
config;
|
|
5021
|
-
constructor(documentPermissionService, config) {
|
|
5022
|
-
this.documentPermissionService = documentPermissionService;
|
|
5023
|
-
this.config = config;
|
|
5024
|
-
}
|
|
5025
|
-
/**
|
|
5026
|
-
* Check if a user is a supreme admin (from ADMINS env var).
|
|
5027
|
-
*/
|
|
5028
|
-
isSupremeAdmin(userAddress) {
|
|
5029
|
-
if (!userAddress) return false;
|
|
5030
|
-
return this.config.admins.includes(userAddress.toLowerCase());
|
|
5031
|
-
}
|
|
5032
|
-
/**
|
|
5033
|
-
* Check if a user can read a document.
|
|
5034
|
-
*
|
|
5035
|
-
* - Supreme admin → yes
|
|
5036
|
-
* - Not protected → anyone can read (even anonymous)
|
|
5037
|
-
* - Protected → requires READ/WRITE/ADMIN grant (direct, group, or parent inheritance)
|
|
5038
|
-
* - Owner → yes (implicit ADMIN)
|
|
5039
|
-
*/
|
|
5040
|
-
async canRead(documentId, userAddress, getParentIds) {
|
|
5041
|
-
if (this.isSupremeAdmin(userAddress)) return true;
|
|
5042
|
-
if (!(getParentIds ? await this.documentPermissionService.isProtectedWithAncestors(documentId, getParentIds) : await this.documentPermissionService.isDocumentProtected(documentId))) return true;
|
|
5043
|
-
if (!userAddress) return false;
|
|
5044
|
-
const owner = await this.documentPermissionService.getDocumentOwner(documentId);
|
|
5045
|
-
if (owner && owner === userAddress.toLowerCase()) return true;
|
|
5046
|
-
if (getParentIds) return this.documentPermissionService.canRead(documentId, userAddress, getParentIds);
|
|
5047
|
-
return this.documentPermissionService.canReadDocument(documentId, userAddress);
|
|
5048
|
-
}
|
|
5049
|
-
/**
|
|
5050
|
-
* Check if a user can write to a document.
|
|
5051
|
-
*
|
|
5052
|
-
* - Supreme admin → yes
|
|
5053
|
-
* - Not protected → anyone can write (even anonymous)
|
|
5054
|
-
* - Protected → requires authentication + WRITE/ADMIN grant
|
|
5055
|
-
* - Owner → yes (implicit ADMIN)
|
|
5056
|
-
*/
|
|
5057
|
-
async canWrite(documentId, userAddress, getParentIds) {
|
|
5058
|
-
if (this.isSupremeAdmin(userAddress)) return true;
|
|
5059
|
-
if (!(getParentIds ? await this.documentPermissionService.isProtectedWithAncestors(documentId, getParentIds) : await this.documentPermissionService.isDocumentProtected(documentId))) return true;
|
|
5060
|
-
if (!userAddress) return false;
|
|
5061
|
-
const owner = await this.documentPermissionService.getDocumentOwner(documentId);
|
|
5062
|
-
if (owner && owner === userAddress.toLowerCase()) return true;
|
|
5063
|
-
if (getParentIds) return this.documentPermissionService.canWrite(documentId, userAddress, getParentIds);
|
|
5064
|
-
return this.documentPermissionService.canWriteDocument(documentId, userAddress);
|
|
5065
|
-
}
|
|
5066
|
-
/**
|
|
5067
|
-
* Check if a user can manage a document (change permissions, protection, transfer ownership).
|
|
5068
|
-
*
|
|
5069
|
-
* - Supreme admin → yes
|
|
5070
|
-
* - Owner → yes
|
|
5071
|
-
* - Has ADMIN grant → yes
|
|
5072
|
-
*/
|
|
5073
|
-
async canManage(documentId, userAddress, _getParentIds) {
|
|
5074
|
-
if (this.isSupremeAdmin(userAddress)) return true;
|
|
5075
|
-
if (!userAddress) return false;
|
|
5076
|
-
const owner = await this.documentPermissionService.getDocumentOwner(documentId);
|
|
5077
|
-
if (owner && owner === userAddress.toLowerCase()) return true;
|
|
5078
|
-
return this.documentPermissionService.canManageDocument(documentId, userAddress);
|
|
5079
|
-
}
|
|
5080
|
-
/**
|
|
5081
|
-
* Check if a user can execute a specific operation.
|
|
5082
|
-
* If the operation is not restricted, falls through to the standard write check.
|
|
5083
|
-
* If the operation is restricted, requires an explicit OperationUserPermission grant.
|
|
5084
|
-
*/
|
|
5085
|
-
async canExecuteOperation(documentId, operationType, userAddress, getParentIds) {
|
|
5086
|
-
if (this.isSupremeAdmin(userAddress)) return true;
|
|
5087
|
-
if (!await this.documentPermissionService.isOperationRestricted(documentId, operationType)) return this.canWrite(documentId, userAddress, getParentIds);
|
|
5088
|
-
return this.documentPermissionService.canExecuteOperation(documentId, operationType, userAddress?.toLowerCase());
|
|
5089
|
-
}
|
|
5090
|
-
/**
|
|
5091
|
-
* Combined check for mutations: can the user write + execute the operation?
|
|
5092
|
-
* This enables READ-only users with operation grants to execute specific operations.
|
|
5093
|
-
* For restricted operations, only the operation grant is checked (bypasses write check),
|
|
5094
|
-
* allowing READ-only users with an explicit operation grant to execute that operation.
|
|
5095
|
-
*/
|
|
5096
|
-
async canMutate(documentId, operationType, userAddress, getParentIds) {
|
|
5097
|
-
if (this.isSupremeAdmin(userAddress)) return true;
|
|
5098
|
-
if (await this.documentPermissionService.isOperationRestricted(documentId, operationType)) return this.documentPermissionService.canExecuteOperation(documentId, operationType, userAddress?.toLowerCase());
|
|
5099
|
-
return this.canWrite(documentId, userAddress, getParentIds);
|
|
5100
|
-
}
|
|
5101
|
-
};
|
|
5102
|
-
//#endregion
|
|
5103
4947
|
//#region src/services/document-permission.service.ts
|
|
5104
4948
|
/**
|
|
5105
4949
|
* Service for managing document-level permissions.
|
|
@@ -5735,6 +5579,13 @@ const initAnalyticsStoreSql = [
|
|
|
5735
5579
|
//#region src/server.ts
|
|
5736
5580
|
const defaultLogger = childLogger(["reactor-api", "server"]);
|
|
5737
5581
|
const DEFAULT_PORT = 4e3;
|
|
5582
|
+
/**
|
|
5583
|
+
* Doc-perms require auth: with auth off no `user` is ever resolved, so every
|
|
5584
|
+
* authorization check fails closed. Refuse to boot rather than run broken.
|
|
5585
|
+
*/
|
|
5586
|
+
function assertAuthRequiredForDocumentPermissions(authEnabled, documentPermissionsRequested) {
|
|
5587
|
+
if (!authEnabled && documentPermissionsRequested) throw new Error("Document permissions require authentication: AUTH_ENABLED is false but document permissions were requested (DOCUMENT_PERMISSIONS_ENABLED=true or a documentPermissionService was provided). Enable authentication (AUTH_ENABLED=true, or auth.enabled in the config file) or disable document permissions.");
|
|
5588
|
+
}
|
|
5738
5589
|
function createReadinessGate() {
|
|
5739
5590
|
let ready = false;
|
|
5740
5591
|
return {
|
|
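Review bot: The JSDoc on `assertAuthRequiredForDocumentPermissions` gives the reason for the check but not its contract, and the function is added to the module's export list in this release. Add `@param {boolean} authEnabled`, `@param {boolean} documentPermissionsRequested` and `@throws {Error} when document permissions are requested while authentication is disabled`. The guard tests truthiness (`!authEnabled`), so a non-boolean such as the string "false" would count as enabled; stating that both arguments must be real booleans covers that case.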
@@ -5782,7 +5633,7 @@ function makeDbClosers(knexInstance, pglite) {
|
|
|
5782
5633
|
/**
|
|
5783
5634
|
* Sets up the subgraph manager and registers subgraphs
|
|
5784
5635
|
*/
|
|
5785
|
-
async function setupGraphQLManager(httpAdapter, authFetchMiddleware, httpServer, wsServer, client, relationalDb, analyticsStore, syncManager, subgraphs, logger, auth, documentPermissionService, enableDocumentModelSubgraphs, port,
|
|
5636
|
+
async function setupGraphQLManager(httpAdapter, authFetchMiddleware, httpServer, wsServer, client, relationalDb, analyticsStore, syncManager, subgraphs, logger, authorizationService, auth, documentPermissionService, enableDocumentModelSubgraphs, port, reactorDriveClient) {
|
|
5786
5637
|
const graphqlManager = new GraphQLManager(config.basePath, httpServer, wsServer, client, relationalDb, analyticsStore, syncManager, logger, httpAdapter, await createGatewayAdapter("apollo", logger), {
|
|
5787
5638
|
enabled: auth?.enabled ?? false,
|
|
5788
5639
|
admins: auth?.admins ?? []
|
|
@@ -5875,10 +5726,10 @@ async function _setupCommonInfrastructure(options) {
|
|
|
5875
5726
|
if (ADMINS !== void 0) admins = ADMINS.split(",").map((a) => a.toLowerCase());
|
|
5876
5727
|
let defaultProtection = false;
|
|
5877
5728
|
if (DEFAULT_PROTECTION !== void 0) defaultProtection = DEFAULT_PROTECTION.toLowerCase() === "true";
|
|
5878
|
-
const { USERS, GUESTS, FREE_ENTRY } = process.env;
|
|
5879
|
-
if (USERS || GUESTS || FREE_ENTRY) console.warn("[DEPRECATION WARNING] The USERS, GUESTS, and FREE_ENTRY environment variables are no longer supported. Access control is now managed per-document via the DocumentProtection system. Use DEFAULT_PROTECTION=true for strict mode, or manage protection per document via the GraphQL API. See the auth documentation for migration guidance.");
|
|
5880
5729
|
let skipCredentialVerification = false;
|
|
5881
5730
|
if (SKIP_CREDENTIAL_VERIFICATION !== void 0) skipCredentialVerification = SKIP_CREDENTIAL_VERIFICATION === "true";
|
|
5731
|
+
const documentPermissionsRequested = options.documentPermissionService !== void 0 || DOCUMENT_PERMISSIONS_ENABLED === "true";
|
|
5732
|
+
assertAuthRequiredForDocumentPermissions(authEnabled, documentPermissionsRequested);
|
|
5882
5733
|
const logger = options.logger ?? defaultLogger;
|
|
5883
5734
|
httpAdapter.getRoute("/health", () => new Response("OK", { status: 200 }));
|
|
5884
5735
|
const readiness = createReadinessGate();
|
|
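Review bot: `DOCUMENT_PERMISSIONS_ENABLED === "true"` is an exact, case-sensitive match, while `DEFAULT_PROTECTION` a few lines above is lowercased before its comparison. A value such as `TRUE` would leave `documentPermissionsRequested` false, so the new guard would not fire and, as far as this hunk shows, nothing tells the operator the setting was ignored. Consider `DOCUMENT_PERMISSIONS_ENABLED?.toLowerCase() === "true"`, kept consistent with wherever the variable is read to construct the service (not visible here). The hunk also drops the USERS/GUESTS/FREE_ENTRY deprecation warning, so deployments still setting those variables get no startup signal that they have no effect. `_setupCommonInfrastructure` starts and ends outside the hunk.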
@@ -5914,14 +5765,13 @@ async function _setupCommonInfrastructure(options) {
|
|
|
5914
5765
|
documentPermissionService = new DocumentPermissionService(db, { defaultProtection });
|
|
5915
5766
|
logger.info("Document permission service initialized");
|
|
5916
5767
|
}
|
|
5917
|
-
|
|
5918
|
-
|
|
5919
|
-
|
|
5920
|
-
|
|
5921
|
-
|
|
5922
|
-
|
|
5923
|
-
|
|
5924
|
-
}
|
|
5768
|
+
const policy = documentPermissionService ? AuthorizationPolicy.DOCUMENT_PERMISSIONS : authEnabled ? AuthorizationPolicy.ADMIN_ONLY : AuthorizationPolicy.OPEN;
|
|
5769
|
+
const authorizationService = createAuthorizationService({
|
|
5770
|
+
admins,
|
|
5771
|
+
defaultProtection,
|
|
5772
|
+
policy
|
|
5773
|
+
}, documentPermissionService);
|
|
5774
|
+
logger.info(`Authorization service initialized (policy: ${policy})`);
|
|
5925
5775
|
const attachmentStoragePath = resolveAttachmentStoragePath(options);
|
|
5926
5776
|
await mkdir(attachmentStoragePath, { recursive: true });
|
|
5927
5777
|
const { db: attachmentDb, knex: attachmentKnex, pglite: attachmentPglite } = getDbClient(options.dbPath, options.pgliteFactory);
|
|
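Review bot: When no document permission service exists and `authEnabled` is false, `policy` resolves to `AuthorizationPolicy.OPEN` and is reported only through the `logger.info` line. An unauthenticated deployment deserves a louder signal, for example `if (policy === AuthorizationPolicy.OPEN) logger.warn("Authorization policy is OPEN: authentication is disabled");` next to the info line. What OPEN actually permits is defined in the utils chunk rather than in this hunk, so the wording should be checked against it. The nested ternary would also read more easily as an if/else chain with a comment on the precedence (document permissions, then admin-only, then open). `_setupCommonInfrastructure` continues outside the hunk.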
@@ -6012,7 +5862,7 @@ async function _setupAPI(reactorClient, syncManager, reactorProcessorManager, ht
|
|
|
6012
5862
|
const graphqlManager = await setupGraphQLManager(httpAdapter, authFetchMiddleware, httpServer, wsServer, reactorClient, relationalDb, analyticsStore, syncManager, {
|
|
6013
5863
|
extended: subgraphs,
|
|
6014
5864
|
core: coreSubgraphs
|
|
6015
|
-
}, logger.child(["graphql-manager"]), auth, documentPermissionService, options.enableDocumentModelSubgraphs, port,
|
|
5865
|
+
}, logger.child(["graphql-manager"]), authorizationService, auth, documentPermissionService, options.enableDocumentModelSubgraphs, port, reactorDriveClient);
|
|
6016
5866
|
setupEventListeners(packages, graphqlManager, reactorProcessorManager, hostModule, documentModelRegistry);
|
|
6017
5867
|
if (mcpServerEnabled) {
|
|
6018
5868
|
await setupMcpServer({
|
|
@@ -6193,7 +6043,7 @@ var PackageManagementService = class {
|
|
|
6193
6043
|
}
|
|
6194
6044
|
};
|
|
6195
6045
|
//#endregion
|
|
6196
|
-
export { ADMIN_USERS, ActionContextInputSchema, ActionInputSchema, AddRelationshipDocument, AnalyticsSubgraph, AuthService, AuthSubgraph, BaseSubgraph, ChannelMetaInputSchema, CreateDocumentDocument, CreateEmptyDocumentDocument, DeleteDocumentDocument, DeleteDocumentsDocument, DocumentChangeType, DocumentChangeTypeSchema, DocumentChangesDocument, DocumentOperationsFilterInputSchema, DocumentPermissionService, FindDocumentsDocument, GetDocumentDocument, GetDocumentIncomingRelationshipsDocument, GetDocumentModelsDocument, GetDocumentOperationsDocument, GetDocumentOutgoingRelationshipsDocument, GetDocumentWithOperationsDocument, GetJobStatusDocument, GraphQLManager, HttpDocumentModelLoader, HttpPackageLoader, ImportPackageLoader, InMemoryPackageStorage, JobChangesDocument, MoveRelationshipDocument, MutateDocumentAsyncDocument, MutateDocumentDocument, OperationContextInputSchema, OperationInputSchema, OperationWithContextInputSchema, OperationsFilterInputSchema, PackageManagementService, PackageManager, PackagesSubgraph, PagingInputSchema, PhDocumentFieldsFragmentDoc, PollSyncEnvelopesDocument, PropagationMode, PropagationModeSchema, PushSyncEnvelopesDocument, ReactorSignerAppInputSchema, ReactorSignerInputSchema, ReactorSignerUserInputSchema, ReactorSubgraph, RemoteCursorInputSchema, RemoteFilterInputSchema, RemoveRelationshipDocument, RenameDocumentDocument, SearchFilterInputSchema, SetPreferredEditorDocument, SyncEnvelopeInputSchema, SyncEnvelopeType, SyncEnvelopeTypeSchema, SystemSubgraph, TouchChannelDocument, TouchChannelInputSchema, ViewFilterInputSchema, buildGraphQlDocument, buildGraphQlDriveDocument, buildGraphqlOperation, buildGraphqlOperations, buildSubgraphSchemaModule, createAuthFetchMiddleware, createGatewayAdapter, createHttpAdapter, createMergedSchema, createReactorGraphQLClient, createSchema, definedNonNullAnySchema, driveIdFromUrl, extractSubgraphsFromModule, generateDocumentModelSchema, getAuthContext, getDbClient, getDocumentModelSchemaName, 
getDocumentModelTypeDefs, getGitHash, getGitUrl, getSdk, getUniqueDocumentModels, getVersion, initAnalyticsStoreSql, initializeAndStartAPI, isDefinedNonNullAny, isExpectedLoaderMiss, isSubgraphClass, parseDriveUrl, renderGraphqlPlayground };
|
|
6046
|
+
export { ADMIN_USERS, ActionContextInputSchema, ActionInputSchema, AddRelationshipDocument, AnalyticsSubgraph, AuthService, AuthSubgraph, BaseSubgraph, ChannelMetaInputSchema, CreateDocumentDocument, CreateEmptyDocumentDocument, DeleteDocumentDocument, DeleteDocumentsDocument, DocumentChangeType, DocumentChangeTypeSchema, DocumentChangesDocument, DocumentOperationsFilterInputSchema, DocumentPermissionService, FindDocumentsDocument, GetDocumentDocument, GetDocumentIncomingRelationshipsDocument, GetDocumentModelsDocument, GetDocumentOperationsDocument, GetDocumentOutgoingRelationshipsDocument, GetDocumentWithOperationsDocument, GetJobStatusDocument, GraphQLManager, HttpDocumentModelLoader, HttpPackageLoader, ImportPackageLoader, InMemoryPackageStorage, JobChangesDocument, MoveRelationshipDocument, MutateDocumentAsyncDocument, MutateDocumentDocument, OperationContextInputSchema, OperationInputSchema, OperationWithContextInputSchema, OperationsFilterInputSchema, PackageManagementService, PackageManager, PackagesSubgraph, PagingInputSchema, PhDocumentFieldsFragmentDoc, PollSyncEnvelopesDocument, PropagationMode, PropagationModeSchema, PushSyncEnvelopesDocument, ReactorSignerAppInputSchema, ReactorSignerInputSchema, ReactorSignerUserInputSchema, ReactorSubgraph, RemoteCursorInputSchema, RemoteFilterInputSchema, RemoveRelationshipDocument, RenameDocumentDocument, SearchFilterInputSchema, SetPreferredEditorDocument, SyncEnvelopeInputSchema, SyncEnvelopeType, SyncEnvelopeTypeSchema, SystemSubgraph, TouchChannelDocument, TouchChannelInputSchema, ViewFilterInputSchema, assertAuthRequiredForDocumentPermissions, buildGraphQlDocument, buildGraphQlDriveDocument, buildGraphqlOperation, buildGraphqlOperations, buildSubgraphSchemaModule, createAuthFetchMiddleware, createGatewayAdapter, createHttpAdapter, createMergedSchema, createReactorGraphQLClient, createSchema, definedNonNullAnySchema, driveIdFromUrl, extractSubgraphsFromModule, generateDocumentModelSchema, getAuthContext, 
getDbClient, getDocumentModelSchemaName, getDocumentModelTypeDefs, getGitHash, getGitUrl, getSdk, getUniqueDocumentModels, getVersion, initAnalyticsStoreSql, initializeAndStartAPI, isDefinedNonNullAny, isExpectedLoaderMiss, isSubgraphClass, parseDriveUrl, renderGraphqlPlayground };
|
|
6197
6047
|
|
|
6198
6048
|
//# sourceMappingURL=index.mjs.map
|
|
6199
|
-
//# debugId=
|
|
6049
|
+
//# debugId=64b14acf-bb9d-528e-b2b6-b3fa2097026f
|