@webstudio-is/trpc-interface 0.91.0 → 0.260.2

package/lib/shared/authorization-router.js

@@ -1,164 +0,0 @@
-import { z } from "zod";
-import { router, procedure } from "./trpc";
-import { prisma } from "@webstudio-is/prisma-client";
-const Relation = z.enum(["viewers", "editors", "builders", "owners"]);
-const AuthPermit = z.enum(["view", "edit", "build", "own"]);
-const DeleteCreateInput = z.discriminatedUnion("namespace", [
-  z.object({
-    namespace: z.literal("Project"),
-    id: z.string(),
-    relation: Relation,
-    subjectSet: z.discriminatedUnion("namespace", [
-      z.object({
-        namespace: z.literal("User"),
-        id: z.string()
-      }),
-      z.object({
-        namespace: z.literal("Token"),
-        id: z.string()
-      }),
-      z.object({
-        namespace: z.literal("Email"),
-        id: z.string(),
-        relation: z.literal("owners")
-      })
-    ])
-  }),
-  z.object({
-    namespace: z.literal("Email"),
-    id: z.string(),
-    relation: z.enum(["owners"]),
-    subjectSet: z.object({
-      namespace: z.literal("User"),
-      id: z.string()
-    })
-  })
-]);
-const authorizationRouter = router({
-  /**
-   * Relation expansion in authorize looks like a tree
-   *
-   * :#@Project:AliceProjectUUID#viewers
-   *   :#@Email:bob@bob.com#owner
-   *     :#@User:BobUUID️
-   *   :#@Token:LinkRandomSequence️
-   *
-   * We don't need the whole tree in UI and need only the leaf nodes.
-   * i.e. @User:BobUUID️, @Token:LinkRandomSequence️ and the root relation i.e "viewers"
-   */
-  expandLeafNodes: procedure.input(
-    z.object({
-      namespace: z.literal("Project"),
-      id: z.string()
-    })
-  ).output(
-    z.array(
-      z.object({
-        // top level relation
-        relation: Relation,
-        // subjectSet
-        namespace: z.enum(["Email", "User", "Token"]),
-        id: z.string()
-      })
-    )
-  ).query(async ({ input }) => {
-    const { namespace, id } = input;
-    if (namespace !== "Project") {
-      throw new Error("Not implemented");
-    }
-    const ownerRow = await prisma.project.findUnique({
-      where: {
-        id
-      },
-      select: {
-        userId: true
-      }
-    });
-    const tokenRows = await prisma.authorizationToken.findMany({
-      where: {
-        projectId: id
-      }
-    });
-    const leafSubjectSets = [];
-    if (ownerRow !== null && ownerRow.userId !== null) {
-      leafSubjectSets.push({
-        namespace: "User",
-        id: ownerRow.userId,
-        relation: "owners"
-      });
-    }
-    for (const tokenRow of tokenRows) {
-      leafSubjectSets.push({
-        namespace: "Token",
-        id: tokenRow.token,
-        relation: tokenRow.relation
-      });
-    }
-    return leafSubjectSets;
-  }),
-  /**
-   * Check if subject has permit on the resource
-   */
-  check: procedure.input(
-    z.object({
-      namespace: z.enum(["Project"]),
-      id: z.string(),
-      permit: AuthPermit,
-      subjectSet: z.object({
-        namespace: z.enum(["User", "Token"]),
-        id: z.string()
-      })
-    })
-  ).output(z.object({ allowed: z.boolean() })).query(async ({ input }) => {
-    const { subjectSet } = input;
-    if (subjectSet.namespace === "User") {
-      const row = await prisma.project.findFirst({
-        where: {
-          id: input.id,
-          userId: subjectSet.id
-        },
-        select: {
-          id: true
-        }
-      });
-      return { allowed: row !== null };
-    }
-    const permitToRelationRewrite = {
-      view: ["viewers", "editors", "builders"],
-      edit: ["editors", "builders"],
-      build: ["builders"]
-    };
-    if (subjectSet.namespace === "Token" && input.permit !== "own") {
-      const row = await prisma.authorizationToken.findFirst({
-        where: {
-          token: subjectSet.id,
-          relation: {
-            in: [...permitToRelationRewrite[input.permit]]
-          }
-        },
-        select: { token: true }
-      });
-      return { allowed: row !== null };
-    }
-    return { allowed: false };
-  }),
-  /**
-   * In OSS we extract owner relation from the Project table, and the rest from the authorizationToken table
-   */
-  create: procedure.input(DeleteCreateInput).mutation(async ({ input }) => {
-  }),
-  delete: procedure.input(DeleteCreateInput).mutation(async ({ input }) => {
-  }),
-  patch: procedure.input(
-    z.array(
-      z.object({
-        action: z.enum(["insert", "delete"]),
-        relationTuple: DeleteCreateInput
-      })
-    )
-  ).mutation(async ({ input }) => {
-  })
-});
-export {
-  authorizationRouter
-};

package/lib/shared/client.js

@@ -1,35 +0,0 @@
-import { createTRPCProxyClient, httpBatchLink } from "@trpc/client";
-import {
-  sharedRouter
-} from "./shared-router";
-import { callerLink } from "../trpc-caller-link";
-import fetch from "node-fetch";
-const createTrpcProxyServiceClient = (options) => {
-  if (options !== void 0) {
-    const remoteClient = createTRPCProxyClient({
-      links: [
-        httpBatchLink({
-          url: options.url,
-          fetch,
-          headers: () => ({
-            Authorization: options.token,
-            // We use this header for SaaS preview service discovery proxy
-            "x-branch-name": options.branchName
-          })
-        })
-      ]
-    });
-    return remoteClient;
-  }
-  const client = createTRPCProxyClient({
-    links: [
-      callerLink({
-        appRouter: sharedRouter
-      })
-    ]
-  });
-  return client;
-};
-export {
-  createTrpcProxyServiceClient
-};

package/lib/shared/deployment.js

@@ -1,31 +0,0 @@
-import { z } from "zod";
-import { router, procedure } from "./trpc";
-const PublishInput = z.object({
-  // used to load build data from the builder see routes/rest.build.$buildId.ts
-  buildId: z.string(),
-  builderApiOrigin: z.string(),
-  // preview support
-  branchName: z.string(),
-  // action log helper (not used for deployment, but for action logs readablity)
-  projectDomainName: z.string()
-});
-const Output = z.discriminatedUnion("success", [
-  z.object({
-    success: z.literal(true)
-  }),
-  z.object({
-    success: z.literal(false),
-    error: z.string()
-  })
-]);
-const deploymentRouter = router({
-  publish: procedure.input(PublishInput).output(Output).mutation(async ({ input, ctx }) => {
-    return {
-      success: false,
-      error: `Not implemented, use buildId=${input.buildId}`
-    };
-  })
-});
-export {
-  deploymentRouter
-};

package/lib/shared/domain.js

@@ -1,78 +0,0 @@
-import { z } from "zod";
-import { router, procedure } from "./trpc";
-const CreateInput = z.object({ domain: z.string(), txtRecord: z.string() });
-const Input = z.object({ domain: z.string() });
-const createOutput = (data) => z.discriminatedUnion("success", [
-  z.object({ success: z.literal(true), data }),
-  z.object({ success: z.literal(false), error: z.string() })
-]);
-globalThis.dnsTxtEntries = globalThis.dnsTxtEntries ?? /* @__PURE__ */ new Map();
-globalThis.domainStates = globalThis.domainStates ?? /* @__PURE__ */ new Map();
-const domainRouter = router({
-  /**
-   * Verify TXT record and add custom domain entry to DNS
-   */
-  create: procedure.input(CreateInput).output(createOutput(z.optional(z.undefined()))).mutation(async ({ input, ctx }) => {
-    const record = dnsTxtEntries.get(input.domain);
-    if (record !== input.txtRecord) {
-      dnsTxtEntries.set(input.domain, input.txtRecord);
-      return {
-        success: false,
-        error: `TXT record does not match, expected "${input.txtRecord}" but got "${record ?? "undefined"}"`
-      };
-    }
-    domainStates.set(input.domain, "pending");
-    return { success: true };
-  }),
-  refresh: procedure.input(Input).output(createOutput(z.optional(z.undefined()))).mutation(async ({ input, ctx }) => {
-    return { success: true };
-  }),
-  /**
-   * Get status of verified domain
-   */
-  getStatus: procedure.input(Input).output(
-    createOutput(
-      z.discriminatedUnion("status", [
-        z.object({ status: z.enum(["active", "pending"]) }),
-        z.object({ status: z.enum(["error"]), error: z.string() })
-      ])
-    )
-  ).query(async ({ input, ctx }) => {
-    const domainState = domainStates.get(input.domain);
-    if (domainState === void 0) {
-      domainStates.set(input.domain, "pending");
-      return {
-        success: false,
-        error: `Domain ${input.domain} is not active`
-      };
-    }
-    if (domainState === "active") {
-      setTimeout(() => {
-        domainStates.set(input.domain, "error");
-      });
-    }
-    if (domainState === "pending" || domainState === "error") {
-      setTimeout(() => {
-        domainStates.set(input.domain, "active");
-      }, 5e3);
-    }
-    if (domainState === "error") {
-      return {
-        success: true,
-        data: {
-          status: "error",
-          error: "Domain cname verification failed"
-        }
-      };
-    }
-    return {
-      success: true,
-      data: {
-        status: domainState
-      }
-    };
-  })
-});
-export {
-  domainRouter
-};

package/lib/shared/shared-router.js

@@ -1,12 +0,0 @@
-import { router } from "./trpc";
-import { authorizationRouter } from "./authorization-router";
-import { domainRouter } from "./domain";
-import { deploymentRouter } from "./deployment";
-const sharedRouter = router({
-  authorize: authorizationRouter,
-  domain: domainRouter,
-  deployment: deploymentRouter
-});
-export {
-  sharedRouter
-};

package/lib/shared/trpc.js

@@ -1,11 +0,0 @@
-import { initTRPC } from "@trpc/server";
-const createContext = async () => {
-  return {};
-};
-const { router, procedure, middleware } = initTRPC.context().create();
-export {
-  createContext,
-  middleware,
-  procedure,
-  router
-};

package/lib/trpc-caller-link.js

@@ -1,26 +0,0 @@
-import { observable } from "@trpc/server/observable";
-import { TRPCClientError } from "@trpc/client";
-const callerLink = (opts) => {
-  const { appRouter, createContext } = opts;
-  return (runtime) => ({ op }) => observable((observer) => {
-    const caller = appRouter.createCaller(createContext?.() ?? {});
-    const { path, input } = op;
-    const paths = path.split(".");
-    let localCaller = caller;
-    for (const functionName of paths) {
-      localCaller = localCaller[functionName];
-    }
-    const promise = localCaller(input);
-    promise.then((data) => {
-      observer.next({
-        result: { data }
-      });
-      observer.complete();
-    }).catch((error) => observer.error(TRPCClientError.from(error)));
-    return () => {
-    };
-  });
-};
-export {
-  callerLink
-};

package/lib/types/authorize/authorization-token.server.d.ts

@@ -1,21 +0,0 @@
-import type { AppContext } from "../context/context.server";
-/**
- * For 3rd party authorization systems like Ory we need to register token for the project.
- *
- * We do that before the authorizationToken create (and out of the transaction),
- * so in case of an error we will have just stale records of non existed projects in authorization system.
- */
-export declare const registerToken: (props: {
-    projectId: string;
-    tokenId: string;
-    relation: "viewers" | "editors" | "builders";
-}, context: AppContext) => Promise<void>;
-export declare const patchToken: (props: {
-    projectId: string;
-    tokenId: string;
-}, prevRelation: "viewers" | "editors" | "builders", nextRelation: "viewers" | "editors" | "builders", context: AppContext) => Promise<void>;
-export declare const unregisterToken: (props: {
-    projectId: string;
-    tokenId: string;
-    relation: "viewers" | "editors";
-}, context: AppContext) => Promise<void>;

package/lib/types/authorize/project.server.d.ts

@@ -1,25 +0,0 @@
-import type { Project } from "@webstudio-is/prisma-client";
-import type { AuthPermit } from "../shared/authorization-router";
-import type { AppContext } from "../context/context.server";
-/**
- * For 3rd party authorization systems like Ory we need to register the project owner.
- *
- * We do that before the project create (and out of the transaction),
- * so in case of an error we will have just stale records of non existed projects in authorization system.
- */
-export declare const registerProjectOwner: (props: {
-    projectId: string;
-}, context: AppContext) => Promise<void>;
-export declare const hasProjectPermit: (props: {
-    projectId: Project["id"];
-    permit: AuthPermit;
-}, context: AppContext) => Promise<boolean>;
-/**
- * Returns the first allowed permit from the list or undefined if none is allowed
- * @todo think about caching to authorizeTrpc.check.query
- * batching check queries would help too https://github.com/ory/keto/issues/812
- */
-export declare const getProjectPermit: <T extends "build" | "view" | "edit" | "own">(props: {
-    projectId: string;
-    permits: readonly T[];
-}, context: AppContext) => Promise<T | undefined>;

package/lib/types/context/context.server.d.ts

@@ -1,53 +0,0 @@
-import type { TrpcInterfaceClient } from "../shared/shared-router";
-/**
- * All necessary parameters for Authorization
- */
-type AuthorizationContext = {
-    /**
-     * userId of the current authenticated user
-     */
-    userId: string | undefined;
-    /**
-     * token URLSearchParams or hostname
-     */
-    authToken: string | undefined;
-    /**
-     * project list serves as a template and is accessible to everyone.
-     */
-    projectTemplates: string[];
-    /**
-     * Allow service 2 service communications to skip authorization for view calls
-     */
-    isServiceCall: boolean;
-    authorizeTrpc: TrpcInterfaceClient["authorize"];
-};
-type DomainContext = {
-    domainTrpc: TrpcInterfaceClient["domain"];
-};
-type EntriContext = {
-    entryApi: {
-        getEntriToken: () => Promise<{
-            token: string;
-            applicationId: string;
-        }>;
-    };
-};
-type DeploymentContext = {
-    deploymentTrpc: TrpcInterfaceClient["deployment"];
-    env: {
-        BUILDER_ORIGIN: string;
-        BRANCH_NAME: string;
-    };
-};
-/**
- * AppContext is a global context that is passed to all trpc/api queries/mutations
- * "authorization" is made inside the namespace because eventually there will be
- * logging parameters, potentially "request" cache, etc.
- */
-export type AppContext = {
-    authorization: AuthorizationContext;
-    domain: DomainContext;
-    deployment: DeploymentContext;
-    entri: EntriContext;
-};
-export {};

package/lib/types/context/errors.server.d.ts

@@ -1 +0,0 @@
-export declare const AuthorizationError: import("ts-custom-error").CustomErrorConstructor<import("ts-custom-error").CustomErrorProperties>;

package/lib/types/index.d.ts

@@ -1 +0,0 @@
-export * from "./index.server";

package/lib/types/index.server.d.ts

@@ -1,7 +0,0 @@
-export type { SharedRouter } from "./shared/shared-router";
-export { createTrpcProxyServiceClient } from "./shared/client";
-export type { AppContext } from "./context/context.server";
-export { AuthorizationError } from "./context/errors.server";
-export * as authorizeProject from "./authorize/project.server";
-export * as authorizeAuthorizationToken from "./authorize/authorization-token.server";
-export type { AuthPermit } from "./shared/authorization-router";