create-lego-one 2.0.10 → 2.0.12

package/template/host/src/kernel/rbac/service.ts

@@ -0,0 +1,504 @@
+import PocketBase from 'pocketbase';
+import type {
+  Organization,
+  CreateOrganizationData,
+  UpdateOrganizationData,
+  Role,
+  CreateRoleData,
+  UpdateRoleData,
+  Permission,
+  UserRole,
+  AssignRoleData,
+  UserWithRoles,
+  CreateUserRequest,
+  UpdateUserRequest,
+  PermissionCheck,
+  ResourceType,
+  ActionType,
+} from './types';
+import { SYSTEM_ROLES, DEFAULT_ROLE_PERMISSIONS } from './types';
+import type { ListResult } from 'pocketbase';
+
+export class RBACService {
+  constructor(private pb: PocketBase) {}
+
+  // ==================== Organization Management ====================
+
+  /**
+   * Get all organizations for current user
+   */
+  async getUserOrganizations(): Promise<Organization[]> {
+    try {
+      // The user's organizations are available via the relation
+      const model = this.pb.authStore.model as any;
+      const userId = model?.id;
+      if (!userId) return [];
+
+      // Get user record with expanded organizations
+      const userRecord = await this.pb.collection('users').getOne(userId, {
+        expand: 'organizations',
+      });
+
+      return (userRecord.expand?.organizations || []) as Organization[];
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Get organization by ID
+   */
+  async getOrganization(id: string): Promise<Organization> {
+    try {
+      return await this.pb.collection('organizations').getOne(id);
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Get organization by slug
+   */
+  async getOrganizationBySlug(slug: string): Promise<Organization> {
+    try {
+      const result = await this.pb
+        .collection('organizations')
+        .getList(1, 1, { filter: `slug = "${slug}"` });
+      if (result.items.length === 0) {
+        throw new Error('Organization not found');
+      }
+      return result.items[0] as unknown as Organization;
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Create new organization
+   */
+  async createOrganization(data: CreateOrganizationData): Promise<Organization> {
+    try {
+      const model = this.pb.authStore.model as any;
+      const userId = model?.id;
+      if (!userId) throw new Error('Not authenticated');
+
+      const record = await this.pb.collection('organizations').create({
+        ...data,
+        ownerId: userId,
+      });
+
+      // Assign owner role to creator
+      const ownerRole = await this.getRoleByName(SYSTEM_ROLES.OWNER);
+      if (ownerRole) {
+        await this.assignRole({
+          userId,
+          roleId: ownerRole.id,
+          organizationId: record.id,
+        });
+      }
+
+      return record as unknown as Organization;
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Update organization
+   */
+  async updateOrganization(id: string, data: UpdateOrganizationData): Promise<Organization> {
+    try {
+      return await this.pb.collection('organizations').update(id, data);
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Delete organization
+   */
+  async deleteOrganization(id: string): Promise<void> {
+    try {
+      await this.pb.collection('organizations').delete(id);
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  // ==================== Role Management ====================
+
+  /**
+   * Get all roles for an organization
+   */
+  async getOrganizationRoles(organizationId: string): Promise<Role[]> {
+    try {
+      const result = await this.pb.collection('roles').getList(1, 100, {
+        filter: `organizationId = "${organizationId}" || organizationId = ""`,
+      });
+      return result.items as unknown as Role[];
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Get role by ID
+   */
+  async getRole(id: string): Promise<Role> {
+    try {
+      return await this.pb.collection('roles').getOne(id);
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Get role by name
+   */
+  async getRoleByName(name: string): Promise<Role | null> {
+    try {
+      const result = await this.pb
+        .collection('roles')
+        .getList(1, 1, { filter: `name = "${name}" && organizationId = ""` });
+      if (result.items.length === 0) return null;
+      return result.items[0] as unknown as Role;
+    } catch (error) {
+      return null;
+    }
+  }
+
+  /**
+   * Create custom role
+   */
+  async createRole(data: CreateRoleData): Promise<Role> {
+    try {
+      return await this.pb.collection('roles').create({
+        name: data.name,
+        description: data.description,
+        organizationId: data.organizationId || '',
+        isSystem: false,
+      });
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Update role
+   */
+  async updateRole(id: string, data: UpdateRoleData): Promise<Role> {
+    try {
+      return await this.pb.collection('roles').update(id, data);
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Delete role
+   */
+  async deleteRole(id: string): Promise<void> {
+    try {
+      await this.pb.collection('roles').delete(id);
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  // ==================== Permission Management ====================
+
+  /**
+   * Get all permissions
+   */
+  async getAllPermissions(): Promise<Permission[]> {
+    try {
+      const result = await this.pb.collection('permissions').getList(1, 100, {
+        sort: 'resource,action',
+      });
+      return result.items as unknown as Permission[];
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Check if user has permission
+   */
+  async hasPermission(
+    userId: string,
+    organizationId: string,
+    resource: ResourceType,
+    action: ActionType
+  ): Promise<PermissionCheck> {
+    try {
+      // Get all user roles for this organization
+      const userRoles = await this.pb.collection('user_roles').getList(1, 50, {
+        filter: `userId = "${userId}" && organizationId = "${organizationId}"`,
+      });
+
+      if (userRoles.items.length === 0) {
+        return { allowed: false, reason: 'No roles assigned' };
+      }
+
+      const roleIds = userRoles.items.map((ur: any) => ur.roleId);
+
+      // Get all permissions for these roles
+      const permissions: Permission[] = [];
+
+      for (const roleId of roleIds) {
+        const role = await this.pb.collection('roles').getOne(roleId);
+
+        // If role has expand permissions
+        if (role.expand?.permissions) {
+          permissions.push(...role.expand.permissions);
+        }
+
+        // Check for system role defaults
+        if (role.isSystem) {
+          const defaults = DEFAULT_ROLE_PERMISSIONS[role.name];
+          if (defaults) {
+            // Convert defaults to Permission-like objects
+            for (const def of defaults) {
+              permissions.push({
+                id: `${def.resource}:${def.action}`,
+                resource: def.resource,
+                action: def.action,
+              } as Permission);
+            }
+          }
+        }
+      }
+
+      // Check for matching permission
+      const hasAll = permissions.some(p => p.resource === 'all' && p.action === 'all');
+      const hasResourceAll = permissions.some(p => p.resource === resource && p.action === 'all');
+      const hasActionAll = permissions.some(p => p.resource === 'all' && p.action === action);
+      const hasExact = permissions.some(p => p.resource === resource && p.action === action);
+
+      if (hasAll || hasResourceAll || hasActionAll || hasExact) {
+        return { allowed: true };
+      }
+
+      return { allowed: false, reason: 'Permission denied' };
+    } catch (error: any) {
+      return { allowed: false, reason: error.message };
+    }
+  }
+
+  /**
+   * Get user permissions for an organization
+   */
+  async getUserPermissions(
+    userId: string,
+    organizationId: string
+  ): Promise<{ resource: ResourceType; action: ActionType }[]> {
+    try {
+      const userRoles = await this.pb.collection('user_roles').getList(1, 50, {
+        filter: `userId = "${userId}" && organizationId = "${organizationId}"`,
+        expand: 'roleId',
+      });
+
+      const permissions: { resource: ResourceType; action: ActionType }[] = [];
+
+      for (const item of userRoles.items) {
+        const role = (item as any).expand?.roleId;
+        if (!role) continue;
+
+        if (role.isSystem) {
+          const defaults = DEFAULT_ROLE_PERMISSIONS[role.name];
+          if (defaults) {
+            permissions.push(...defaults);
+          }
+        }
+
+        if (role.expand?.permissions) {
+          for (const perm of role.expand.permissions) {
+            permissions.push({
+              resource: perm.resource as ResourceType,
+              action: perm.action as ActionType,
+            });
+          }
+        }
+      }
+
+      return permissions;
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  // ==================== User Management ====================
+
+  /**
+   * Get all users in an organization
+   */
+  async getOrganizationUsers(organizationId: string): Promise<UserWithRoles[]> {
+    try {
+      // Get users through the user_roles relation
+      const userRoles = await this.pb.collection('user_roles').getList(1, 100, {
+        filter: `organizationId = "${organizationId}"`,
+        expand: 'userId,roleId',
+      });
+
+      const usersMap = new Map<string, UserWithRoles>();
+
+      for (const item of userRoles.items) {
+        const ur = item as any;
+        const user = ur.expand?.userId;
+        const role = ur.expand?.roleId;
+
+        if (!user) continue;
+
+        if (!usersMap.has(user.id)) {
+          usersMap.set(user.id, {
+            id: user.id,
+            email: user.email,
+            name: user.name,
+            avatar: user.avatar,
+            roles: [],
+            organizations: [],
+            createdAt: user.created,
+          });
+        }
+
+        if (role) {
+          usersMap.get(user.id)!.roles.push({
+            id: role.id,
+            name: role.name,
+            organizationId: role.organizationId || organizationId,
+          });
+        }
+      }
+
+      return Array.from(usersMap.values());
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Assign role to user
+   */
+  async assignRole(data: AssignRoleData): Promise<UserRole> {
+    try {
+      return await this.pb.collection('user_roles').create(data);
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Remove role from user
+   */
+  async removeRole(userRoleId: string): Promise<void> {
+    try {
+      await this.pb.collection('user_roles').delete(userRoleId);
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Invite/create user in organization
+   */
+  async createUser(data: CreateUserRequest): Promise<void> {
+    try {
+      // Create user
+      const record = await this.pb.collection('users').create({
+        email: data.email,
+        password: data.password,
+        passwordConfirm: data.password,
+        name: data.name,
+        organizationId: data.organizationId,
+      });
+
+      // Assign roles if provided
+      if (data.roleIds && data.roleIds.length > 0) {
+        for (const roleId of data.roleIds) {
+          await this.assignRole({
+            userId: record.id,
+            roleId,
+            organizationId: data.organizationId,
+          });
+        }
+      }
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Update user
+   */
+  async updateUser(userId: string, data: UpdateUserRequest): Promise<void> {
+    try {
+      await this.pb.collection('users').update(userId, data);
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Delete user
+   */
+  async deleteUser(userId: string): Promise<void> {
+    try {
+      await this.pb.collection('users').delete(userId);
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  // ==================== Audit Logging ====================
+
+  /**
+   * Log an action
+   */
+  async logAction(data: {
+    userId: string;
+    organizationId: string;
+    action: string;
+    resource: string;
+    resourceId?: string;
+    details?: Record<string, any>;
+  }): Promise<void> {
+    try {
+      await this.pb.collection('audit_logs').create(data);
+    } catch (error) {
+      // Log errors should not fail the main operation
+      console.error('Failed to log action:', error);
+    }
+  }
+
+  /**
+   * Get audit logs for organization
+   */
+  async getAuditLogs(
+    organizationId: string,
+    page = 1,
+    perPage = 50
+  ): Promise<ListResult<any>> {
+    try {
+      return await this.pb.collection('audit_logs').getList(page, perPage, {
+        filter: `organizationId = "${organizationId}"`,
+        sort: '-created',
+        expand: 'userId',
+      });
+    } catch (error: any) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Handle PocketBase errors
+   */
+  private handleError(error: any): Error {
+    if (error?.data?.message) {
+      return new Error(error.data.message);
+    }
+    if (error?.message) {
+      return new Error(error.message);
+    }
+    return new Error('An unexpected error occurred');
+  }
+}

package/template/host/src/kernel/rbac/types.ts

@@ -0,0 +1,164 @@
+// Organization types
+export interface Organization {
+  id: string;
+  name: string;
+  slug: string;
+  ownerId: string;
+  createdAt: string;
+  updated: string;
+}
+
+export interface CreateOrganizationData {
+  name: string;
+  slug: string;
+}
+
+export interface UpdateOrganizationData {
+  name?: string;
+  slug?: string;
+}
+
+// Role types
+export interface Role {
+  id: string;
+  name: string;
+  description?: string;
+  isSystem: boolean;
+  organizationId?: string;
+  createdAt: string;
+  updated: string;
+}
+
+export interface CreateRoleData {
+  name: string;
+  description?: string;
+  organizationId?: string;
+  permissions?: string[];
+}
+
+export interface UpdateRoleData {
+  name?: string;
+  description?: string;
+  permissions?: string[];
+}
+
+// Permission types
+export interface Permission {
+  id: string;
+  resource: string;
+  action: string;
+  description?: string;
+  createdAt: string;
+}
+
+// User role types
+export interface UserRole {
+  id: string;
+  userId: string;
+  roleId: string;
+  organizationId: string;
+  createdAt: string;
+}
+
+export interface AssignRoleData {
+  userId: string;
+  roleId: string;
+  organizationId: string;
+}
+
+// User management types
+export interface UserWithRoles {
+  id: string;
+  email: string;
+  name: string;
+  avatar?: string;
+  roles: Array<{
+    id: string;
+    name: string;
+    organizationId: string;
+  }>;
+  organizations: string[];
+  createdAt: string;
+}
+
+export interface CreateUserRequest {
+  email: string;
+  name: string;
+  password: string;
+  organizationId: string;
+  roleIds?: string[];
+}
+
+export interface UpdateUserRequest {
+  name?: string;
+  email?: string;
+  avatar?: string;
+}
+
+// Permission check result
+export interface PermissionCheck {
+  allowed: boolean;
+  reason?: string;
+}
+
+// Resource types for permissions
+export type ResourceType =
+  | 'organizations'
+  | 'users'
+  | 'roles'
+  | 'permissions'
+  | 'todos'
+  | 'settings'
+  | 'audit_logs'
+  | 'all';
+
+// Action types for permissions
+export type ActionType =
+  | 'create'
+  | 'read'
+  | 'update'
+  | 'delete'
+  | 'manage'
+  | 'all';
+
+// System roles
+export const SYSTEM_ROLES = {
+  OWNER: 'Owner',
+  ADMIN: 'Admin',
+  MEMBER: 'Member',
+  GUEST: 'Guest',
+} as const;
+
+// Default permissions for system roles
+export const DEFAULT_ROLE_PERMISSIONS: Record<
+  string,
+  { resource: ResourceType; action: ActionType }[]
+> = {
+  [SYSTEM_ROLES.OWNER]: [
+    { resource: 'all', action: 'all' },
+  ],
+  [SYSTEM_ROLES.ADMIN]: [
+    { resource: 'organizations', action: 'read' },
+    { resource: 'organizations', action: 'update' },
+    { resource: 'users', action: 'create' },
+    { resource: 'users', action: 'read' },
+    { resource: 'users', action: 'update' },
+    { resource: 'users', action: 'delete' },
+    { resource: 'roles', action: 'read' },
+    { resource: 'permissions', action: 'read' },
+    { resource: 'todos', action: 'manage' },
+    { resource: 'settings', action: 'read' },
+    { resource: 'settings', action: 'update' },
+    { resource: 'audit_logs', action: 'read' },
+  ],
+  [SYSTEM_ROLES.MEMBER]: [
+    { resource: 'organizations', action: 'read' },
+    { resource: 'users', action: 'read' },
+    { resource: 'todos', action: 'manage' },
+    { resource: 'settings', action: 'read' },
+  ],
+  [SYSTEM_ROLES.GUEST]: [
+    { resource: 'organizations', action: 'read' },
+    { resource: 'todos', action: 'read' },
+  ],
+};

package/template/host/src/kernel/rbac/utils.ts

@@ -0,0 +1,34 @@
+import type { Organization } from './types';
+
+/**
+ * Initialize first organization for user if none exists
+ */
+export async function initializeFirstOrganization(
+  pb: any,
+  userId: string
+): Promise<Organization | null> {
+  try {
+    // Check if user has any organizations
+    const userRecord = await pb.collection('users').getOne(userId, {
+      expand: 'organizations',
+    });
+
+    const organizations = userRecord.expand?.organizations || [];
+
+    if (organizations.length > 0) {
+      return organizations[0] as Organization;
+    }
+
+    // Create default organization
+    const org = await pb.collection('organizations').create({
+      name: `${userRecord.name || 'User'}'s Organization`,
+      slug: `${userRecord.email?.split('@')[0] || 'user'}-${Date.now()}`,
+      ownerId: userId,
+    });
+
+    return org as Organization;
+  } catch (error) {
+    console.error('Failed to initialize organization:', error);
+    return null;
+  }
+}