@webstudio-is/trpc-interface 0.90.0 → 0.260.2

package/src/authorize/project.server.ts

@@ -1,129 +1,321 @@
-import type { Project } from "@webstudio-is/prisma-client";
-import type { AuthPermit } from "../shared/authorization-router";
 import type { AppContext } from "../context/context.server";
+import type { Role } from "./role";
+import memoize from "memoize";
 
-/**
- * For 3rd party authorization systems like Ory we need to register the project owner.
- *
- * We do that before the project create (and out of the transaction),
- * so in case of an error we will have just stale records of non existed projects in authorization system.
- */
-export const registerProjectOwner = async (
-  props: { projectId: string },
-  context: AppContext
-) => {
-  const { authorization } = context;
-  const { userId, authorizeTrpc } = authorization;
+type Relation = Role;
 
-  if (userId === undefined) {
-    throw new Error("The user must be authenticated to create a project");
-  }
+export type AuthPermit = "view" | "edit" | "build" | "admin" | "own";
 
-  await authorizeTrpc.create.mutate({
-    namespace: "Project",
-    id: props.projectId,
-    relation: "owners",
-    subjectSet: {
-      namespace: "User",
-      id: userId,
-    },
-  });
+type TokenAuthPermit = Exclude<AuthPermit, "own">;
+
+type CheckInput = {
+  namespace: "Project";
+  id: string;
+
+  permit: AuthPermit;
+
+  subjectSet: {
+    namespace: "User" | "Token";
+    id: string;
+  };
 };
 
-export const hasProjectPermit = async (
-  props: {
-    projectId: Project["id"];
-    permit: AuthPermit;
-  },
-  context: AppContext
-) => {
-  const start = Date.now();
+const permitToRelationRewrite: Record<TokenAuthPermit, Relation[]> = {
+  view: ["viewers", "editors", "builders", "administrators"],
+  edit: ["editors", "builders", "administrators"],
+  build: ["builders", "administrators"],
+  admin: ["administrators"],
+};
 
-  try {
-    const { authorization } = context;
-    const { authorizeTrpc } = authorization;
+/**
+ * Pure function: checks whether a set of workspace relations grants a given
+ * permit. Used by the auth layer to evaluate workspace-based access.
+ */
+const isRolePermitted = (relations: string[], permit: AuthPermit): boolean => {
+  // Workspace owner gets all permits
+  if (relations.includes("own")) {
+    return true;
+  }
+  // Only workspace owner gets "own" permit
+  if (permit === "own") {
+    return false;
+  }
+  const permitted = permitToRelationRewrite[permit] ?? [];
+  return relations.some((r) => permitted.includes(r as Relation));
+};
 
-    const checks = [];
-    const namespace = "Project";
+const check = async (
+  postgrestClient: AppContext["postgrest"]["client"],
+  input: CheckInput
+) => {
+  const { subjectSet } = input;
 
-    // Allow load production build env i.e. "published" site
-    if (props.permit === "view" && context.authorization.isServiceCall) {
-      return true;
+  if (subjectSet.namespace === "User") {
+    // Check if the user is the direct owner of the project
+    const row = await postgrestClient
+      .from("Project")
+      .select("id")
+      .eq("id", input.id)
+      .eq("userId", subjectSet.id)
+      .maybeSingle();
+    if (row.error) {
+      throw row.error;
     }
 
-    // Allow load webstudiois for clone
-    // @todo Rethink permissions for this use-case
-    // The plan is to make new permission for projects which are allowed to be publicly clonable by anyone
-    // https://github.com/webstudio-is/webstudio-builder/issues/1038
-    if (
-      props.permit === "view" &&
-      props.projectId === "62154aaef0cb0860ccf85d6e"
-    ) {
-      return true;
+    if (row.data !== null) {
+      return { allowed: true };
     }
 
-    if (
-      props.permit === "view" &&
-      context.authorization.projectTemplates.includes(props.projectId)
-    ) {
-      return true;
+    // Workspace-based authorization
+    const wpaRows = await postgrestClient
+      .from("WorkspaceProjectAuthorization")
+      .select("relation")
+      .eq("userId", subjectSet.id)
+      .eq("projectId", input.id);
+
+    if (wpaRows.error) {
+      throw wpaRows.error;
     }
 
-    // Check if the user is allowed to access the project
-    if (authorization.userId !== undefined) {
-      checks.push(
-        authorizeTrpc.check.query({
-          subjectSet: {
-            namespace: "User",
-            id: authorization.userId,
-          },
-          namespace,
-          id: props.projectId,
-          permit: props.permit,
-        })
+    if (wpaRows.data.length > 0) {
+      const relations = wpaRows.data.flatMap((r) =>
+        r.relation !== null ? [r.relation] : []
       );
+      return { allowed: isRolePermitted(relations, input.permit) };
     }
 
-    // Check if the special link with a token allows to access the project
-    // Token doesn't have own permit, do not check it
-    if (authorization.authToken !== undefined && props.permit !== "own") {
-      checks.push(
-        authorizeTrpc.check.query({
-          namespace,
-          id: props.projectId,
-          subjectSet: {
-            id: authorization.authToken,
-            namespace: "Token",
-          },
-          permit: props.permit,
-        })
-      );
+    return { allowed: false };
+  }
+
+  if (input.permit === "own") {
+    return { allowed: false };
+  }
+
+  if (subjectSet.namespace !== "Token") {
+    return { allowed: false };
+  }
+
+  const row = await postgrestClient
+    .from("AuthorizationToken")
+    .select("token")
+    .eq("token", subjectSet.id)
+    .in("relation", [...permitToRelationRewrite[input.permit]])
+    .maybeSingle();
+
+  if (row.error) {
+    throw row.error;
+  }
+
+  return { allowed: row.data !== null };
+};
+
+// doesn't work in cloudflare workers
+const memoizedCheck = memoize(check, {
+  // Short TTL so plan downgrades propagate quickly. No cache invalidation
+  // hook exists yet — keep this low until one is added.
+  maxAge: 10 * 1000,
+  cacheKey: ([_context, input]) => JSON.stringify(input),
+});
+
+type AuthInfo =
+  | {
+      type: "user";
+      userId: string;
+    }
+  | {
+      type: "token";
+      authToken: string;
     }
+  | {
+      type: "service";
+    };
+
+export const checkProjectPermit = async ({
+  projectId,
+  permit,
+  authInfo,
+  postgrestClient,
+}: {
+  projectId: string;
+  permit: AuthPermit;
+  authInfo: AuthInfo;
+  postgrestClient: AppContext["postgrest"]["client"];
+}) => {
+  const checks = [];
+  const namespace = "Project";
+
+  if (authInfo.type === "service") {
+    return permit === "view";
+  }
+
+  // @todo Delete and use tokens
+  const templateIds = [
+    // Production
+    "5e086cf4-4293-471c-8eab-ddca8b5cd4db",
+    "94e6e1b8-c6c4-485a-9d7a-8282e11920c0",
+    "05954204-fcee-407e-b47f-77a38de74431",
+    "afc162c2-6396-41b7-a855-8fc04604a7b1",
+    "3f260731-825b-486a-b534-e747f0ed6106",
+    "400b1bde-def1-49e0-9b64-e26416d326fa",
+    "2e802ad7-ef32-48e6-8706-3a162785ef95",
+    "01f6f1d8-06f5-4a6c-a3b1-89a0448046c7",
+    "5b33acf4-53cf-4f03-8973-d5679772edee",
+    "909a139b-1f2d-415a-ac90-382fa19fa7d8",
+    "ef82ee51-e4d6-4a69-a4cc-7bf1dee65ed7",
+    "e761178f-6ac6-47f6-b881-56cc75640d73",
+    // Staging IDs
+    "c236999d-be6b-43fb-9edc-78a2ba59e56d",
+    "a1371dce-752c-4ccf-8ea4-88bab577fe50",
+    "6204396c-3f9e-4d29-8d19-ff0f76960a74",
+  ];
 
-    if (checks.length === 0) {
+  // @todo Delete and use tokens
+  if (permit === "view" && templateIds.includes(projectId)) {
+    return true;
+  }
+
+  if (authInfo.type === "token") {
+    // Token doesn't have "own" permit, do not check it
+    if (permit === "own") {
       return false;
     }
 
-    const authResults = await Promise.allSettled(checks);
+    checks.push(
+      memoizedCheck(postgrestClient, {
+        namespace,
+        id: projectId,
+        subjectSet: {
+          id: authInfo.authToken,
+          namespace: "Token",
+        },
+        permit: permit,
+      })
+    );
+  }
 
-    for (const authResult of authResults) {
-      if (authResult.status === "rejected") {
-        throw new Error(`Authorization call failed ${authResult.reason}`);
-      }
+  // Check if the user is allowed to access the project
+  if (authInfo.type === "user") {
+    checks.push(
+      memoizedCheck(postgrestClient, {
+        subjectSet: {
+          namespace: "User",
+          id: authInfo.userId,
+        },
+        namespace,
+        id: projectId,
+        permit: permit,
+      })
+    );
+  }
+
+  if (checks.length === 0) {
+    return false;
+  }
+
+  const authResults = await Promise.allSettled(checks);
+
+  for (const authResult of authResults) {
+    if (authResult.status === "rejected") {
+      throw new Error(`Authorization call failed ${authResult.reason}`);
     }
+  }
 
-    const allowed = authResults.some(
-      (authResult) =>
-        authResult.status === "fulfilled" && authResult.value.allowed
-    );
+  const allowed = authResults.some(
+    (authResult) =>
+      authResult.status === "fulfilled" && authResult.value.allowed
+  );
+
+  return allowed;
+};
+
+/**
+ * Look up the workspace owner's userId for a given project.
+ * Returns undefined when the project has no workspace.
+ */
+const getWorkspaceOwnerIdForProject = async (
+  projectId: string,
+  context: Pick<AppContext, "postgrest">
+): Promise<string | undefined> => {
+  const project = await context.postgrest.client
+    .from("Project")
+    .select("workspaceId")
+    .eq("id", projectId)
+    .maybeSingle();
+
+  if (project.error || project.data?.workspaceId == null) {
+    return;
+  }
+
+  const workspace = await context.postgrest.client
+    .from("Workspace")
+    .select("userId")
+    .eq("id", project.data.workspaceId)
+    .eq("isDeleted", false)
+    .maybeSingle();
+
+  return workspace.data?.userId ?? undefined;
+};
+
+export const hasProjectPermit = async (
+  props: {
+    projectId: string;
+    permit: AuthPermit;
+  },
+  context: AppContext
+) => {
+  const { authorization } = context;
+
+  if (authorization.type === "anonymous") {
+    return false;
+  }
+
+  const authInfo: AuthInfo = authorization;
+
+  if (authInfo === undefined) {
+    return false;
+  }
+
+  const allowed = await checkProjectPermit({
+    projectId: props.projectId,
+    permit: props.permit,
+    authInfo,
+    postgrestClient: context.postgrest.client,
+  });
+
+  if (allowed === false) {
+    return false;
+  }
+
+  // Workspace downgrade check: when a workspace member accesses a project,
+  // verify the workspace owner's plan still supports workspace features.
+  // Direct project owners and workspace owners are not affected.
+  if (authorization.type === "user") {
+    // "own" permit is only granted to direct owners and workspace owners —
+    // both are unaffected by downgrade. This call is memoized.
+    const isOwner = await checkProjectPermit({
+      projectId: props.projectId,
+      permit: "own",
+      authInfo,
+      postgrestClient: context.postgrest.client,
+    });
 
-    return allowed;
-  } finally {
-    const diff = Date.now() - start;
+    if (isOwner === false) {
+      // User is a workspace member — verify the owner's plan
+      const workspaceOwnerId = await getWorkspaceOwnerIdForProject(
+        props.projectId,
+        context
+      );
 
-    // eslint-disable-next-line no-console
-    console.log(`hasProjectPermit execution ${diff}ms`);
+      if (workspaceOwnerId !== undefined) {
+        const ownerPlan = await context.getOwnerPlanFeatures(workspaceOwnerId);
+        if (ownerPlan.maxWorkspaces <= 1) {
+          return false;
+        }
+      }
+    }
   }
+
+  return true;
 };
 
 /**
@@ -131,37 +323,33 @@ export const hasProjectPermit = async (
  * @todo think about caching to authorizeTrpc.check.query
  * batching check queries would help too https://github.com/ory/keto/issues/812
  */
-export const getProjectPermit = async <T extends AuthPermit>(
+export const getProjectPermit = async (
   props: {
     projectId: string;
-    permits: readonly T[];
+    permits: readonly AuthPermit[];
   },
   context: AppContext
-): Promise<T | undefined> => {
-  const start = Date.now();
-
-  try {
-    const permitToCheck = props.permits;
-
-    const permits = await Promise.allSettled(
-      permitToCheck.map((permit) =>
-        hasProjectPermit({ projectId: props.projectId, permit }, context)
-      )
-    );
+): Promise<AuthPermit | undefined> => {
+  const permitToCheck = props.permits;
 
-    for (const permit of permits) {
-      if (permit.status === "rejected") {
-        throw new Error(`Authorization call failed ${permit.reason}`);
-      }
+  const permits = await Promise.allSettled(
+    permitToCheck.map((permit) =>
+      hasProjectPermit({ projectId: props.projectId, permit }, context)
+    )
+  );
 
-      if (permit.value === true) {
-        return permitToCheck[permits.indexOf(permit)];
-      }
+  for (const permit of permits) {
+    if (permit.status === "rejected") {
+      throw new Error(`Authorization call failed ${permit.reason}`);
     }
-  } finally {
-    const diff = Date.now() - start;
 
-    // eslint-disable-next-line no-console
-    console.log(`getProjectPermit execution ${diff}ms`);
+    if (permit.value === true) {
+      return permitToCheck[permits.indexOf(permit)];
+    }
   }
 };
+
+export const __testing__ = {
+  isRolePermitted,
+  getWorkspaceOwnerIdForProject,
+};

package/src/authorize/role.ts

@@ -0,0 +1,18 @@
+export const roles = [
+  "viewers",
+  "editors",
+  "builders",
+  "administrators",
+] as const;
+
+export type Role = (typeof roles)[number];
+
+/** Safest default when role is unknown — principle of least privilege */
+export const defaultRole: Role = "viewers";
+
+export const roleLabels: Record<Role, string> = {
+  viewers: "Viewer",
+  editors: "Editor",
+  builders: "Builder",
+  administrators: "Admin",
+};

package/src/context/context.server.ts

@@ -1,32 +1,45 @@
 import type { TrpcInterfaceClient } from "../shared/shared-router";
+import type { Client } from "@webstudio-is/postgrest/index.server";
+import type { PlanFeatures, Purchase } from "@webstudio-is/plans";
 
 /**
  * All necessary parameters for Authorization
  */
-type AuthorizationContext = {
-  /**
-   * userId of the current authenticated user
-   */
-  userId: string | undefined;
-
-  /**
-   * token URLSearchParams or hostname
-   */
-  authToken: string | undefined;
-
-  /**
-   * project list serves as a template and is accessible to everyone.
-   */
-  projectTemplates: string[];
-
-  /**
-   * Allow service 2 service communications to skip authorization for view calls
-   */
-  isServiceCall: boolean;
+type AuthorizationContext =
+  | {
+      type: "user";
+      /**
+       * userId of the current authenticated user
+       */
+      userId: string;
+      sessionCreatedAt: number;
+      /**
+       * Has projectId in the tracked sessions
+       */
+      isLoggedInToBuilder: (projectId: string) => Promise<boolean>;
+    }
+  | {
+      type: "token";
+      /**
+       * token URLSearchParams or hostname
+       */
+      authToken: string;
 
-  // Pass trpcClient through context as only main app can initialize it
-  authorizeTrpc: TrpcInterfaceClient["authorize"];
-};
+      /**
+       * In case of authToken, this is the ownerId of the project
+       */
+      ownerId: string;
+    }
+  | {
+      type: "service";
+      /**
+       * Allow service 2 service communications to skip authorization for view calls
+       */
+      isServiceCall: boolean;
+    }
+  | {
+      type: "anonymous";
+    };
 
 type DomainContext = {
   domainTrpc: TrpcInterfaceClient["domain"];
@@ -46,10 +59,21 @@ type DeploymentContext = {
   deploymentTrpc: TrpcInterfaceClient["deployment"];
   env: {
     BUILDER_ORIGIN: string;
-    BRANCH_NAME: string;
+    GITHUB_REF_NAME: string;
+    GITHUB_SHA: string | undefined;
+    PUBLISHER_HOST: string;
   };
 };
 
+type TrpcCache = {
+  setMaxAge: (path: string, value: number) => void;
+  getMaxAge: (path: string) => number | undefined;
+};
+
+type PostgrestContext = {
+  client: Client;
+};
+
 /**
  * AppContext is a global context that is passed to all trpc/api queries/mutations
  * "authorization" is made inside the namespace because eventually there will be
@@ -60,4 +84,15 @@ export type AppContext = {
   domain: DomainContext;
   deployment: DeploymentContext;
   entri: EntriContext;
+  planFeatures: PlanFeatures;
+  purchases: Array<Purchase>;
+  trpcCache: TrpcCache;
+  postgrest: PostgrestContext;
+  createTokenContext: (token: string) => Promise<AppContext>;
+  /**
+   * Resolves plan features for a given user ID.
+   * Used by workspace authorization to check whether the workspace owner's plan
+   * still supports workspace features (maxWorkspaces > 1) after a potential downgrade.
+   */
+  getOwnerPlanFeatures: (userId: string) => Promise<PlanFeatures>;
 };

package/src/context/errors.server.ts

@@ -5,3 +5,19 @@ export const AuthorizationError = customErrorFactory(
     this.message = message;
   }
 );
+
+/**
+ * Standard response for any client-server communication with an error.
+ */
+export const createErrorResponse = (error: unknown) => {
+  const message =
+    typeof error === "string"
+      ? error
+      : error && typeof error === "object" && "message" in error
+        ? String(error.message)
+        : "Unknown error";
+  return {
+    success: false as const,
+    error: message,
+  };
+};

package/src/context/router.server.ts

@@ -0,0 +1,19 @@
+import { initTRPC } from "@trpc/server";
+import type { AppContext } from "./context.server";
+
+export const {
+  router,
+  procedure,
+  middleware,
+  mergeRouters,
+  createCallerFactory,
+} = initTRPC.context<AppContext>().create();
+
+export const createCacheMiddleware = (seconds: number) =>
+  middleware(async ({ path, ctx, next }) => {
+    // tRPC batches multiple requests into a single network call.
+    // The `path` is used as key to find the least max age among all paths for caching
+    ctx.trpcCache.setMaxAge(path, seconds);
+
+    return next({ ctx });
+  });

package/src/index.server.ts

@@ -2,7 +2,19 @@ export type { SharedRouter } from "./shared/shared-router";
 export { createTrpcProxyServiceClient } from "./shared/client";
 
 export type { AppContext } from "./context/context.server";
-export { AuthorizationError } from "./context/errors.server";
+
+export {
+  AuthorizationError,
+  createErrorResponse,
+} from "./context/errors.server";
 export * as authorizeProject from "./authorize/project.server";
-export * as authorizeAuthorizationToken from "./authorize/authorization-token.server";
-export type { AuthPermit } from "./shared/authorization-router";
+export type { AuthPermit } from "./authorize/project.server";
+
+export {
+  router,
+  procedure,
+  middleware,
+  mergeRouters,
+  createCacheMiddleware,
+  createCallerFactory,
+} from "./context/router.server";

package/src/shared/client.ts

@@ -5,7 +5,6 @@ import {
   type SharedRouter,
 } from "./shared-router";
 import { callerLink } from "../trpc-caller-link";
-import fetch from "node-fetch";
 
 type SharedClientOptions = {
   url: string;
@@ -21,7 +20,6 @@ export const createTrpcProxyServiceClient = (
       links: [
         httpBatchLink({
           url: options.url,
-          fetch: fetch as never,
           headers: () => ({
             Authorization: options.token,
             // We use this header for SaaS preview service discovery proxy