npm - @rpcbase/server - Versions diffs - 0.476.0 → 0.478.0 - Mend

@rpcbase/server 0.476.0 → 0.478.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

package/dist/{handler-DEEir2xV.js → handler-BOTZftAB.js} +29 -29
package/dist/{handler-BITFtEr_.js → handler-B_mMDLBO.js} +80 -39
package/dist/{handler-BYVnU9H-.js → handler-Cl-0-832.js} +1 -1
package/dist/{handler-CHuOXAtH.js → handler-Dd20DHyz.js} +15 -11
package/dist/index.d.ts +0 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +102 -87
package/dist/notifications/api/notifications/handler.d.ts.map +1 -1
package/dist/notifications.js +1 -1
package/dist/rts/api/changes/handler.d.ts.map +1 -1
package/dist/rts/index.d.ts +3 -1
package/dist/rts/index.d.ts.map +1 -1
package/dist/{index-Ckx0UHs6.js → rts/index.js} +107 -39
package/dist/{schemas-DI7ewltq.js → schemas-D5T9tDtI.js} +609 -12
package/dist/{shared-Chfrv8o6.js → shared-UGuDRAKK.js} +16 -30
package/dist/uploads/api/file-uploads/handlers/completeUpload.d.ts.map +1 -1
package/dist/uploads/api/file-uploads/handlers/getStatus.d.ts.map +1 -1
package/dist/uploads/api/file-uploads/handlers/uploadChunk.d.ts.map +1 -1
package/dist/uploads/api/file-uploads/shared.d.ts +3 -0
package/dist/uploads/api/file-uploads/shared.d.ts.map +1 -1
package/dist/uploads.js +1 -1
package/package.json +4 -4
package/dist/passwordHashStorage.test.d.ts +0 -2
package/dist/passwordHashStorage.test.d.ts.map +0 -1
package/dist/rts/api/changes/handler.test.d.ts +0 -2
package/dist/rts/api/changes/handler.test.d.ts.map +0 -1
package/dist/rts/index.ws.test.d.ts +0 -2
package/dist/rts/index.ws.test.d.ts.map +0 -1
package/dist/rts.d.ts +0 -3
package/dist/rts.d.ts.map +0 -1
package/dist/rts.js +0 -13
package/dist/uploads/api/files/handlers/getFile.test.d.ts +0 -2
package/dist/uploads/api/files/handlers/getFile.test.d.ts.map +0 -1

package/dist/{index-Ckx0UHs6.js → rts/index.js} RENAMED Viewed

@@ -1,6 +1,13 @@
 import { randomUUID } from "node:crypto";
-import { loadModel } from "@rpcbase/db";
+import { loadRbModel, loadModel } from "@rpcbase/db";
+import { buildAbilityFromSession, getTenantRolesFromSessionUser, buildAbility, getAccessibleByQuery } from "@rpcbase/db/acl";
 import { WebSocketServer } from "ws";
+const routes = Object.entries({
+  .../* @__PURE__ */ Object.assign({ "./api/changes/handler.ts": () => import("../handler-Dd20DHyz.js") })
+}).reduce((acc, [path, mod]) => {
+  acc[path.replace("./api/", "@rpcbase/server/rts/api/")] = mod;
+  return acc;
+}, {});
 const TENANT_ID_QUERY_PARAM = "rb-tenant-id";
 const USER_ID_HEADER = "rb-user-id";
 const QUERY_KEY_MAX_LEN = 4096;
@@ -150,14 +157,25 @@ const parseUpgradeMeta = async ({
     } else {
       throw new Error("Tenant not authorized for this session");
     }
-    return { tenantId, userId: sessionUserId };
+    const ability2 = buildAbilityFromSession({ tenantId, session: upgradeReq.session });
+    return { tenantId, userId: sessionUserId, ability: ability2 };
   }
   const raw = req.headers[USER_ID_HEADER];
   const headerUserId = Array.isArray(raw) ? raw[0] : raw;
   if (!headerUserId) {
     throw new Error("Missing rb-user-id header (reverse-proxy) and no session middleware configured");
   }
-  return { tenantId, userId: headerUserId };
+  const rbCtx = { req: { session: null } };
+  const User = await loadRbModel("RBUser", rbCtx);
+  const user = await User.findById(headerUserId, { tenants: 1, tenantRoles: 1 }).lean();
+  const tenantsRaw = user?.tenants;
+  const tenants = Array.isArray(tenantsRaw) ? tenantsRaw.map((t) => String(t)) : [];
+  if (!tenants.includes(tenantId)) {
+    throw new Error("Tenant not authorized for this session");
+  }
+  const roles = getTenantRolesFromSessionUser(user, tenantId);
+  const ability = buildAbility({ tenantId, userId: headerUserId, roles: roles.length ? roles : ["owner"] });
+  return { tenantId, userId: headerUserId, ability };
 };
 const getTenantModel = async (tenantId, modelName) => {
   const ctx = {
@@ -208,22 +226,34 @@ const scheduleDispatchSubscriptionsForModel = (tenantId, modelName) => {
 const runAndSendQuery = async ({
   tenantId,
   targetSocketIds,
+  ability,
   modelName,
   queryKey,
   query,
   options
 }) => {
+  if (!ability.can("read", modelName)) {
+    const payload2 = { type: "query-payload", modelName, queryKey, error: "forbidden" };
+    for (const socketId of targetSocketIds) {
+      const ws = sockets.get(socketId);
+      if (!ws) continue;
+      sendWs(ws, payload2);
+    }
+    return;
+  }
   const model = await getTenantModel(tenantId, modelName);
   const projection = options.projection ?? void 0;
   const sort = options.sort;
   const limit = normalizeLimit(options.limit);
-  const queryPromise = model.find(query, projection);
+  const accessQuery = getAccessibleByQuery(ability, "read", modelName);
+  const finalQuery = { $and: [query, accessQuery] };
+  const queryPromise = model.find(finalQuery, projection);
   if (sort && Object.keys(sort).length) {
     queryPromise.sort(sort);
   }
   queryPromise.limit(limit);
   const data = await queryPromise;
-  const payload = { type: "query_payload", modelName, queryKey, data };
+  const payload = { type: "query-payload", modelName, queryKey, data };
   for (const socketId of targetSocketIds) {
     const ws = sockets.get(socketId);
     if (!ws) continue;
@@ -232,27 +262,35 @@ const runAndSendQuery = async ({
 };
 const dispatchSubscriptionsForModel = async (tenantId, modelName) => {
   const tenantSubs = subscriptions.get(tenantId);
-  const modelSubs = tenantSubs?.get(modelName);
-  if (!modelSubs || !modelSubs.size) return;
-  for (const [queryKey, sub] of modelSubs.entries()) {
-    const targetSocketIds = Array.from(sub.socketIds);
-    if (!targetSocketIds.length) continue;
-    try {
-      await runAndSendQuery({
-        tenantId,
-        targetSocketIds,
-        modelName,
-        queryKey,
-        query: sub.query,
-        options: sub.options
-      });
-    } catch (err) {
-      const error = redactErrorMessage(err);
-      const payload = { type: "query_payload", modelName, queryKey, error };
-      for (const socketId of targetSocketIds) {
-        const ws = sockets.get(socketId);
-        if (!ws) continue;
-        sendWs(ws, payload);
+  if (!tenantSubs || !tenantSubs.size) return;
+  for (const userSubs of tenantSubs.values()) {
+    const modelSubs = userSubs.get(modelName);
+    if (!modelSubs || !modelSubs.size) continue;
+    for (const [queryKey, sub] of modelSubs.entries()) {
+      const targetSocketIds = Array.from(sub.socketIds);
+      if (!targetSocketIds.length) continue;
+      const socketId = targetSocketIds[0];
+      const meta = socketMeta.get(socketId);
+      const ability = meta?.ability;
+      if (!ability) continue;
+      try {
+        await runAndSendQuery({
+          tenantId,
+          targetSocketIds,
+          ability,
+          modelName,
+          queryKey,
+          query: sub.query,
+          options: sub.options
+        });
+      } catch (err) {
+        const error = redactErrorMessage(err);
+        const payload = { type: "query-payload", modelName, queryKey, error };
+        for (const socketId2 of targetSocketIds) {
+          const ws = sockets.get(socketId2);
+          if (!ws) continue;
+          sendWs(ws, payload);
+        }
       }
     }
   }
@@ -286,6 +324,7 @@ const ensureChangeStream = async (tenantId, modelName) => {
 const addSocketSubscription = ({
   socketId,
   tenantId,
+  userId,
   modelName,
   queryKey,
   query,
@@ -293,8 +332,10 @@ const addSocketSubscription = ({
 }) => {
   const tenantSubs = subscriptions.get(tenantId) ?? /* @__PURE__ */ new Map();
   subscriptions.set(tenantId, tenantSubs);
-  const modelSubs = tenantSubs.get(modelName) ?? /* @__PURE__ */ new Map();
-  tenantSubs.set(modelName, modelSubs);
+  const userSubs = tenantSubs.get(userId) ?? /* @__PURE__ */ new Map();
+  tenantSubs.set(userId, userSubs);
+  const modelSubs = userSubs.get(modelName) ?? /* @__PURE__ */ new Map();
+  userSubs.set(modelName, modelSubs);
   const existing = modelSubs.get(queryKey);
   if (existing) {
     existing.socketIds.add(socketId);
@@ -314,11 +355,13 @@ const addSocketSubscription = ({
 const removeSocketSubscription = ({
   socketId,
   tenantId,
+  userId,
   modelName,
   queryKey
 }) => {
   const tenantSubs = subscriptions.get(tenantId);
-  const modelSubs = tenantSubs?.get(modelName);
+  const userSubs = tenantSubs?.get(userId);
+  const modelSubs = userSubs?.get(modelName);
   const sub = modelSubs?.get(queryKey);
   if (sub) {
     sub.socketIds.delete(socketId);
@@ -335,7 +378,21 @@ const removeSocketSubscription = ({
     }
   }
   if (modelSubs && modelSubs.size === 0) {
-    tenantSubs?.delete(modelName);
+    userSubs?.delete(modelName);
+  }
+  if (userSubs && userSubs.size === 0) {
+    tenantSubs?.delete(userId);
+  }
+  const hasAnyModelSubs = (() => {
+    const byUser = subscriptions.get(tenantId);
+    if (!byUser) return false;
+    for (const subs of byUser.values()) {
+      const modelSubs2 = subs.get(modelName);
+      if (modelSubs2 && modelSubs2.size > 0) return true;
+    }
+    return false;
+  })();
+  if (!hasAnyModelSubs) {
     const tenantStreams = changeStreams.get(tenantId);
     const stream = tenantStreams?.get(modelName);
     if (stream) {
@@ -361,6 +418,7 @@ const cleanupSocket = (socketId) => {
           removeSocketSubscription({
             socketId,
             tenantId: meta.tenantId,
+            userId: meta.userId,
             modelName,
             queryKey
           });
@@ -395,15 +453,16 @@ const handleClientMessage = async ({
   }
   if (!message.modelName || typeof message.modelName !== "string") return;
   if (!allowInternalModels && INTERNAL_MODEL_NAMES.has(message.modelName)) {
-    sendWs(ws, { type: "query_payload", modelName: message.modelName, queryKey: message.queryKey ?? "", error: "Model not allowed" });
+    sendWs(ws, { type: "query-payload", modelName: message.modelName, queryKey: message.queryKey ?? "", error: "Model not allowed" });
     return;
   }
   if (!message.queryKey || typeof message.queryKey !== "string") return;
   if (message.queryKey.length > QUERY_KEY_MAX_LEN) return;
-  if (message.type === "remove_query") {
+  if (message.type === "remove-query") {
     removeSocketSubscription({
       socketId,
       tenantId: meta.tenantId,
+      userId: meta.userId,
       modelName: message.modelName,
       queryKey: message.queryKey
     });
@@ -411,7 +470,12 @@ const handleClientMessage = async ({
   }
   if (!message.query || typeof message.query !== "object") return;
   const options = normalizeOptions(message.options);
-  if (message.type === "registerQuery") {
+  const ability = meta.ability;
+  if (!ability.can("read", message.modelName)) {
+    sendWs(ws, { type: "query-payload", modelName: message.modelName, queryKey: message.queryKey, error: "forbidden" });
+    return;
+  }
+  if (message.type === "register-query") {
     const existing = socketSubscriptions.get(socketId)?.get(message.modelName)?.has(message.queryKey) ?? false;
     if (!existing) {
       let count = 0;
@@ -420,13 +484,14 @@ const handleClientMessage = async ({
         for (const set of byModel.values()) count += set.size;
       }
       if (count >= maxSubscriptionsPerSocket) {
-        sendWs(ws, { type: "query_payload", modelName: message.modelName, queryKey: message.queryKey, error: "Too many subscriptions" });
+        sendWs(ws, { type: "query-payload", modelName: message.modelName, queryKey: message.queryKey, error: "Too many subscriptions" });
         return;
       }
     }
     addSocketSubscription({
       socketId,
       tenantId: meta.tenantId,
+      userId: meta.userId,
       modelName: message.modelName,
       queryKey: message.queryKey,
       query: message.query,
@@ -436,7 +501,7 @@ const handleClientMessage = async ({
       await ensureChangeStream(meta.tenantId, message.modelName);
     } catch (err) {
       const error = redactErrorMessage(err);
-      sendWs(ws, { type: "query_payload", modelName: message.modelName, queryKey: message.queryKey, error });
+      sendWs(ws, { type: "query-payload", modelName: message.modelName, queryKey: message.queryKey, error });
       return;
     }
   }
@@ -444,6 +509,7 @@ const handleClientMessage = async ({
     await runAndSendQuery({
       tenantId: meta.tenantId,
       targetSocketIds: [socketId],
+      ability,
       modelName: message.modelName,
       queryKey: message.queryKey,
       query: message.query,
@@ -451,7 +517,7 @@ const handleClientMessage = async ({
     });
   } catch (err) {
     const error = redactErrorMessage(err);
-    sendWs(ws, { type: "query_payload", modelName: message.modelName, queryKey: message.queryKey, error });
+    sendWs(ws, { type: "query-payload", modelName: message.modelName, queryKey: message.queryKey, error });
   }
 };
 const initRts = ({
@@ -539,6 +605,7 @@ const initRts = ({
       }
       if (!parsed || typeof parsed !== "object") return;
       const message = parsed;
+      if (message.type !== "event" && message.type !== "run-query" && message.type !== "register-query" && message.type !== "remove-query") return;
       void handleClientMessage({ socketId, meta, message });
     });
     ws.on("close", () => {
@@ -556,7 +623,8 @@ const notifyRtsModelChanged = (tenantId, modelName) => {
   scheduleDispatchSubscriptionsForModel(tenantId, modelName);
 };
 export {
-  initRts as i,
-  notifyRtsModelChanged as n,
-  registerRtsHandler as r
+  initRts,
+  notifyRtsModelChanged,
+  registerRtsHandler,
+  routes
 };