domma-cms 0.2.1 → 0.5.0

package/server/middleware/auth.js

@@ -1,97 +1,136 @@
-/**
- * Authentication Middleware
- * JWT-based authentication with role guards for Domma CMS.
- */
-import { config } from '../config.js';
-
-const { roles } = config.auth;
-
-/**
- * Role hierarchy ordered from most to least privileged.
- * Used by canManageUser() to compare privilege levels.
- */
-export const ROLE_HIERARCHY = Object.entries(roles)
-    .sort((a, b) => a[1].level - b[1].level)
-    .map(([key]) => key);
-
-export const ROLES = Object.fromEntries(
-    Object.entries(roles).map(([key]) => [key.toUpperCase(), key])
-);
-
-/**
- * Verify JWT Bearer token. Populates request.user on success.
- *
- * @param {FastifyRequest} request
- * @param {FastifyReply} reply
- * @returns {Promise<void>}
- */
-export async function authenticate(request, reply) {
-    try {
-        await request.jwtVerify();
-    } catch {
-        return reply.code(401).send({
-            statusCode: 401,
-            error: 'Unauthorised',
-            message: 'Invalid or missing authentication token'
-        });
-    }
-}
-
-/**
- * Return a preHandler that enforces one of the specified roles.
- * Must be used after authenticate.
- *
- * @param {string[]} allowedRoles
- * @returns {Function}
- */
-export function requireRole(allowedRoles) {
-    const allowed = Array.isArray(allowedRoles) ? allowedRoles : [allowedRoles];
-
-    return async (request, reply) => {
-        if (!request.user) {
-            return reply.code(401).send({
-                statusCode: 401,
-                error: 'Unauthorised',
-                message: 'Authentication required'
-            });
-        }
-
-        if (!allowed.includes(request.user.role)) {
-            return reply.code(403).send({
-                statusCode: 403,
-                error: 'Forbidden',
-                message: `Access denied. Required role: ${allowed.join(' or ')}`
-            });
-        }
-    };
-}
-
-/**
- * Shorthand preHandler — admin only.
- *
- * @param {FastifyRequest} request
- * @param {FastifyReply} reply
- * @returns {Promise<void>}
- */
-export async function requireAdmin(request, reply) {
-    if (!request.user) {
-        return reply.code(401).send({ statusCode: 401, error: 'Unauthorised', message: 'Authentication required' });
-    }
-    if (request.user.role !== 'admin') {
-        return reply.code(403).send({ statusCode: 403, error: 'Forbidden', message: 'Admin access required' });
-    }
-}
-
-/**
- * Determine whether an actor can manage a target user.
- * Managers cannot create, edit, or delete admins.
- *
- * @param {string} actorRole - Role of the user performing the action
- * @param {string} targetRole - Role of the user being acted upon
- * @returns {boolean}
- */
-export function canManageUser(actorRole, targetRole) {
-    const actorLevel = roles[actorRole]?.level ?? Infinity;
-    const targetLevel = roles[targetRole]?.level ?? Infinity;
-    return actorLevel < targetLevel;
-}
+/**
+ * Authentication Middleware
+ * JWT-based authentication with role guards for Domma CMS.
+ * Role data is read from the roles cache (not config.auth.roles).
+ */
+import {getPermissionsFor, getPermissionsForRole, getRoleHierarchy, getRoleLevel} from '../services/roles.js';
+
+/**
+ * Verify JWT Bearer token. Populates request.user on success.
+ *
+ * @param {FastifyRequest} request
+ * @param {FastifyReply} reply
+ * @returns {Promise<void>}
+ */
+export async function authenticate(request, reply) {
+    try {
+        const decoded = await request.jwtVerify();
+        if (decoded.type !== 'access') {
+            return reply.code(401).send({
+                statusCode: 401,
+                error: 'Unauthorised',
+                message: 'Invalid token type'
+            });
+        }
+    } catch {
+        return reply.code(401).send({
+            statusCode: 401,
+            error: 'Unauthorised',
+            message: 'Invalid or missing authentication token'
+        });
+    }
+}
+
+/**
+ * Return a preHandler that enforces one of the specified roles.
+ * Must be used after authenticate.
+ *
+ * @param {string[]} allowedRoles
+ * @returns {Function}
+ */
+export function requireRole(allowedRoles) {
+    const allowed = Array.isArray(allowedRoles) ? allowedRoles : [allowedRoles];
+
+    return async (request, reply) => {
+        if (!request.user) {
+            return reply.code(401).send({
+                statusCode: 401,
+                error: 'Unauthorised',
+                message: 'Authentication required'
+            });
+        }
+
+        if (!allowed.includes(request.user.role)) {
+            return reply.code(403).send({
+                statusCode: 403,
+                error: 'Forbidden',
+                message: `Access denied. Required role: ${allowed.join(' or ')}`
+            });
+        }
+    };
+}
+
+/**
+ * Return a preHandler that checks the current user's role has access to a resource.
+ * Reads from the roles cache at request time — reflects live role changes.
+ *
+ * @param {string}  resource - Resource key (e.g. 'pages', 'users')
+ * @param {string} [action]  - Optional action (read | create | update | delete)
+ * @returns {Function}
+ */
+export function requirePermission(resource, action) {
+    return async (request, reply) => {
+        if (!request.user) {
+            return reply.code(401).send({
+                statusCode: 401,
+                error: 'Unauthorised',
+                message: 'Authentication required'
+            });
+        }
+
+        const allowed = getPermissionsFor(resource, action);
+        if (!allowed.includes(request.user.role)) {
+            return reply.code(403).send({
+                statusCode: 403,
+                error: 'Forbidden',
+                message: 'Insufficient permissions'
+            });
+        }
+    };
+}
+
+/**
+ * Export getPermissionsForRole for use in route handlers.
+ *
+ * @param {string} roleName
+ * @returns {string[]}
+ */
+export {getPermissionsForRole};
+
+/**
+ * Shorthand preHandler — level-0 role (admin) only.
+ *
+ * @param {FastifyRequest} request
+ * @param {FastifyReply} reply
+ * @returns {Promise<void>}
+ */
+export async function requireAdmin(request, reply) {
+    if (!request.user) {
+        return reply.code(401).send({ statusCode: 401, error: 'Unauthorised', message: 'Authentication required' });
+    }
+    if (getRoleLevel(request.user.role) !== 0) {
+        return reply.code(403).send({ statusCode: 403, error: 'Forbidden', message: 'Admin access required' });
+    }
+}
+
+/**
+ * Determine whether an actor can manage a target user.
+ * Managers cannot create, edit, or delete users with a lower level number (higher privilege).
+ *
+ * @param {string} actorRole - Role of the user performing the action
+ * @param {string} targetRole - Role of the user being acted upon
+ * @returns {boolean}
+ */
+export function canManageUser(actorRole, targetRole) {
+    return getRoleLevel(actorRole) < getRoleLevel(targetRole);
+}
+
+/**
+ * Return role names ordered from most to least privileged.
+ * Computed from the roles cache.
+ *
+ * @returns {string[]}
+ */
+export function getRoleHierarchyList() {
+    return getRoleHierarchy();
+}

package/server/routes/api/actions.js

@@ -0,0 +1,200 @@
+/**
+ * Actions API (Pro — requires MongoDB)
+ *
+ * Admin endpoints (authenticated + actions permission):
+ * GET    /actions                        - List all action configs
+ * POST   /actions                        - Create action config
+ * GET    /actions/:slug                  - Get action config
+ * PUT    /actions/:slug                  - Update action config
+ * DELETE /actions/:slug                  - Delete action config
+ * POST   /actions/:slug/execute          - Execute action on an entry (admin)
+ * GET    /actions/collection/:slug       - List actions for a collection
+ *
+ * Public endpoint (role-checked per action access config):
+ * POST   /actions/:slug/public           - Execute action (role-restricted)
+ */
+import {
+    createAction,
+    deleteAction,
+    executeAction,
+    getAction,
+    listActions,
+    listActionsForCollection,
+    updateAction
+} from '../../services/actions.js';
+import {getEntry} from '../../services/collections.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+import {getRoleLevel} from '../../services/roles.js';
+import {checkEntryAccess} from '../../services/rowAccess.js';
+
+export async function actionsRoutes(fastify) {
+    const canRead = {preHandler: [authenticate, requirePermission('actions', 'read')]};
+    const canCreate = {preHandler: [authenticate, requirePermission('actions', 'create')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('actions', 'update')]};
+    const canDelete = {preHandler: [authenticate, requirePermission('actions', 'delete')]};
+
+    // -------------------------------------------------------------------------
+    // Admin CRUD
+    // -------------------------------------------------------------------------
+
+    fastify.get('/actions', canRead, async (request, reply) => {
+        try {
+            return await listActions();
+        } catch (err) {
+            return reply.status(503).send({ error: err.message });
+        }
+    });
+
+    fastify.post('/actions', canCreate, async (request, reply) => {
+        try {
+            const action = await createAction(request.body || {}, request.user?.id || null);
+            return reply.status(201).send(action);
+        } catch (err) {
+            const status = err.message.includes('already exists') ? 409 : 400;
+            return reply.status(status).send({ error: err.message });
+        }
+    });
+
+    // Static sub-route declared before parameterised :slug for radix-tree priority
+    fastify.get('/actions/collection/:collectionSlug', canRead, async (request, reply) => {
+        try {
+            return await listActionsForCollection(request.params.collectionSlug);
+        } catch (err) {
+            return reply.status(503).send({ error: err.message });
+        }
+    });
+
+    fastify.get('/actions/:slug', canRead, async (request, reply) => {
+        try {
+            const action = await getAction(request.params.slug);
+            if (!action) return reply.status(404).send({ error: 'Action not found' });
+            return action;
+        } catch (err) {
+            return reply.status(503).send({ error: err.message });
+        }
+    });
+
+    fastify.put('/actions/:slug', canUpdate, async (request, reply) => {
+        try {
+            return await updateAction(request.params.slug, request.body || {});
+        } catch (err) {
+            const status = err.message.includes('not found') ? 404 : 400;
+            return reply.status(status).send({ error: err.message });
+        }
+    });
+
+    fastify.delete('/actions/:slug', canDelete, async (request, reply) => {
+        try {
+            await deleteAction(request.params.slug);
+            return { success: true };
+        } catch (err) {
+            const status = err.message.includes('not found') ? 404 : 400;
+            return reply.status(status).send({ error: err.message });
+        }
+    });
+
+    // -------------------------------------------------------------------------
+    // Execute (admin)
+    // -------------------------------------------------------------------------
+
+    fastify.post('/actions/:slug/execute', canRead, async (request, reply) => {
+        const { entryId } = request.body || {};
+        if (!entryId) return reply.status(400).send({ error: 'entryId is required' });
+
+        try {
+            const result = await executeAction(
+                request.params.slug,
+                entryId,
+                { user: request.user || null }
+            );
+            return result;
+        } catch (err) {
+            const status = err.statusCode === 403 ? 403
+                : err.message.includes('not found') ? 404 : 400;
+            return reply.status(status).send({ error: err.message });
+        }
+    });
+
+    // -------------------------------------------------------------------------
+    // Batch access check (used by admin UI to filter visible action buttons)
+    // -------------------------------------------------------------------------
+
+    fastify.post('/actions/:slug/check-access', canRead, async (request, reply) => {
+        const {entryIds} = request.body || {};
+        if (!Array.isArray(entryIds) || entryIds.length === 0) {
+            return reply.status(400).send({error: 'entryIds must be a non-empty array'});
+        }
+
+        let action;
+        try {
+            action = await getAction(request.params.slug);
+        } catch (err) {
+            return reply.status(503).send({error: err.message});
+        }
+        if (!action) return reply.status(404).send({error: 'Action not found'});
+
+        const rowLevel = action.access?.rowLevel;
+        const user = request.user;
+
+        // Admin or no row-level config → all IDs allowed
+        if (!rowLevel || getRoleLevel(user?.role) === 0) {
+            return {allowed: entryIds};
+        }
+
+        // Fetch entries and check access for each
+        const results = await Promise.all(
+            entryIds.map(async (id) => {
+                try {
+                    const entry = await getEntry(action.collection, id);
+                    return entry && checkEntryAccess(entry, user, rowLevel) ? id : null;
+                } catch {
+                    return null;
+                }
+            })
+        );
+
+        return {allowed: results.filter(Boolean)};
+    });
+
+    // -------------------------------------------------------------------------
+    // Public execute (role-checked per action access config)
+    // -------------------------------------------------------------------------
+
+    fastify.post('/actions/:slug/public', async (request, reply) => {
+        let action;
+        try {
+            action = await getAction(request.params.slug);
+        } catch (err) {
+            return reply.status(503).send({ error: err.message });
+        }
+
+        if (!action) return reply.status(404).send({ error: 'Action not found' });
+
+        // Always require authentication for public action endpoints
+        try {
+            await request.jwtVerify();
+        } catch {
+            return reply.status(401).send({ error: 'Unauthorised' });
+        }
+
+        const user          = request.user;
+        const allowedRoles  = action.access?.roles || ['admin'];
+        const userLevel     = getRoleLevel(user?.role);
+        const minAllowed    = Math.min(...allowedRoles.map(r => getRoleLevel(r)));
+
+        if (userLevel > minAllowed) {
+            return reply.status(403).send({ error: 'Insufficient permissions' });
+        }
+
+        const { entryId } = request.body || {};
+        if (!entryId) return reply.status(400).send({ error: 'entryId is required' });
+
+        try {
+            return await executeAction(action.slug, entryId, { user });
+        } catch (err) {
+            const status = err.statusCode === 403 ? 403
+                : err.message.includes('not found') ? 404 : 400;
+            return reply.status(status).send({ error: err.message });
+        }
+    });
+}