npm - @standardagents/builder - Versions diffs - 0.10.1-dev.d2d335e → 0.10.1-next.82e11d5 - Mend

@standardagents/builder 0.10.1-dev.d2d335e → 0.10.1-next.82e11d5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/built-in-routes.js +76 -5
package/dist/built-in-routes.js.map +1 -1
package/package.json +2 -2

package/dist/built-in-routes.js CHANGED Viewed

@@ -777,6 +777,11 @@ var providers_get_default = defineController(async ({ env }) => {
 // src/api/threads/index.post.ts
 var index_post_default3 = defineController(async ({ req, env }) => {
+  const authResult = await requireAuth(req, env);
+  if (authResult instanceof Response) {
+    return authResult;
+  }
+  const auth = authResult;
   let body;
   try {
     body = await req.json();
@@ -786,7 +791,8 @@ var index_post_default3 = defineController(async ({ req, env }) => {
       { status: 400 }
     );
   }
-  const { agent_id, user_id, initial_messages, data, tags } = body;
+  const { agent_id, initial_messages, data, tags } = body;
+  const user_id = auth.authType === "super_admin" ? null : auth.user.id;
   if (!agent_id) {
     return Response.json(
       { error: "Missing required field: agent_id" },
@@ -828,7 +834,7 @@ var index_post_default3 = defineController(async ({ req, env }) => {
   try {
     const thread = await agentBuilder.createThread({
       agent_name: agent_id,
-      user_id,
+      user_id: user_id ?? void 0,
       tags
     });
     return Response.json({
@@ -862,13 +868,18 @@ var threads_default = defineController(async ({ req, env }) => {
   if (req.method !== "GET") {
     return new Response("Method Not Allowed", { status: 405 });
   }
+  const authResult = await requireAuth(req, env);
+  if (authResult instanceof Response) {
+    return authResult;
+  }
+  const auth = authResult;
   try {
     const url = new URL(req.url);
     const origin = url.origin;
     const limit = parseInt(url.searchParams.get("limit") || "50", 10);
     const offset = parseInt(url.searchParams.get("offset") || "0", 10);
     const agentName = url.searchParams.get("agent_id");
-    const userId = url.searchParams.get("user_id");
+    const userId = auth.user.role === "admin" ? void 0 : auth.user.id;
     const agentBuilderId = env.AGENT_BUILDER.idFromName("singleton");
     const agentBuilder = env.AGENT_BUILDER.get(agentBuilderId);
     const result = await agentBuilder.listThreads({
@@ -1079,6 +1090,7 @@ var index_get_default2 = defineController(async ({ req, env }) => {
 });
 // src/api/users/index.post.ts
+var VALID_ROLES = ["admin", "user"];
 var index_post_default4 = defineController(async ({ req, env }) => {
   try {
     const authResult = await requireAdmin(req, env);
@@ -1086,7 +1098,7 @@ var index_post_default4 = defineController(async ({ req, env }) => {
       return authResult;
     }
     const body = await req.json();
-    const { username, password, role = "admin" } = body;
+    const { username, password, role = "user" } = body;
     if (!username || !password) {
       return Response.json(
         { error: "Username and password are required" },
@@ -1111,6 +1123,12 @@ var index_post_default4 = defineController(async ({ req, env }) => {
         { status: 400 }
       );
     }
+    if (!VALID_ROLES.includes(role)) {
+      return Response.json(
+        { error: `Invalid role. Must be one of: ${VALID_ROLES.join(", ")}` },
+        { status: 400 }
+      );
+    }
     const agentBuilderId = env.AGENT_BUILDER.idFromName("singleton");
     const agentBuilder = env.AGENT_BUILDER.get(agentBuilderId);
     const existingUser = await agentBuilder.getUserByUsername(username);
@@ -1331,8 +1349,24 @@ var name_get_default2 = defineController(async ({ params, prompts, models, model
   }
 });
+// src/utils/permissions.ts
+function canAccessThread(auth, thread) {
+  if (auth.user.role === "admin") {
+    return true;
+  }
+  if (thread.user_id === null) {
+    return false;
+  }
+  return thread.user_id === auth.user.id;
+}
 // src/api/threads/[id].delete.ts
 var id_delete_default2 = defineController(async ({ req, env, params }) => {
+  const authResult = await requireAuth(req, env);
+  if (authResult instanceof Response) {
+    return authResult;
+  }
+  const auth = authResult;
   const threadId = params.id;
   if (!threadId) {
     return Response.json({ error: "Missing thread ID" }, { status: 400 });
@@ -1346,6 +1380,12 @@ var id_delete_default2 = defineController(async ({ req, env, params }) => {
       { status: 404 }
     );
   }
+  if (!canAccessThread(auth, thread)) {
+    return Response.json(
+      { error: "Forbidden: You don't have access to this thread" },
+      { status: 403 }
+    );
+  }
   try {
     await agentBuilder.deleteThread(threadId);
     const durableId = env.AGENT_BUILDER_THREAD.idFromName(threadId);
@@ -1373,6 +1413,11 @@ var id_patch_default = defineController(async ({ req, env, params }) => {
   if (req.method !== "PATCH") {
     return new Response("Method Not Allowed", { status: 405 });
   }
+  const authResult = await requireAuth(req, env);
+  if (authResult instanceof Response) {
+    return authResult;
+  }
+  const auth = authResult;
   const threadId = params?.id;
   if (!threadId) {
     return Response.json({ error: "Thread ID required" }, { status: 400 });
@@ -1389,6 +1434,12 @@ var id_patch_default = defineController(async ({ req, env, params }) => {
         { status: 404 }
       );
     }
+    if (!canAccessThread(auth, existingThread)) {
+      return Response.json(
+        { error: "Forbidden: You don't have access to this thread" },
+        { status: 403 }
+      );
+    }
     const updates = {};
     if (tags !== void 0) {
       if (!Array.isArray(tags)) {
@@ -1472,11 +1523,31 @@ function resolveIconUrl2(icon, origin) {
   return icon;
 }
 var id_default = defineController(async ({ req, params, env }) => {
+  const authResult = await requireAuth(req, env);
+  if (authResult instanceof Response) {
+    return authResult;
+  }
+  const auth = authResult;
   const threadId = params.id;
   if (!threadId) {
     return Response.json({ error: "Thread ID required" }, { status: 400 });
   }
   try {
+    const agentBuilderId = env.AGENT_BUILDER.idFromName("singleton");
+    const agentBuilder = env.AGENT_BUILDER.get(agentBuilderId);
+    const thread = await agentBuilder.getThread(threadId);
+    if (!thread) {
+      return Response.json(
+        { error: `Thread not found: ${threadId}` },
+        { status: 404 }
+      );
+    }
+    if (!canAccessThread(auth, thread)) {
+      return Response.json(
+        { error: "Forbidden: You don't have access to this thread" },
+        { status: 403 }
+      );
+    }
     const durableId = env.AGENT_BUILDER_THREAD.idFromName(threadId);
     const stub = env.AGENT_BUILDER_THREAD.get(durableId);
     const doData = await stub.getThreadMeta(threadId);
@@ -1652,7 +1723,7 @@ var login_post_default = defineController(async ({ req, env }) => {
         { status: 400 }
       );
     }
-    if (env.SUPER_ADMIN_PASSWORD && password === env.SUPER_ADMIN_PASSWORD) {
+    if (env.SUPER_ADMIN_PASSWORD && username === "admin" && password === env.SUPER_ADMIN_PASSWORD) {
       if (!env.ENCRYPTION_KEY) {
         return Response.json(
           { error: "Server misconfigured: ENCRYPTION_KEY required for super admin" },