feat: implement board access control (#349)

* feat: implement board access control * fix: deepsource issues * wip: address pull request feedback * chore: address pull request feedback * fix: format issue * test: improve tests * fix: type and lint issue * chore: address pull request feedback * refactor: rename board procedures
2024-04-30 21:32:55 +02:00
parent 56388eb8ef
commit 7ab9dc2501
50 changed files with 1020 additions and 324 deletions
--- a/packages/auth/index.ts
+++ b/packages/auth/index.ts
@@ -1,3 +1,4 @@
+import { cache } from "react";
 import type { DefaultSession } from "@auth/core/types";

 import { createConfiguration } from "./configuration";
@@ -16,5 +17,11 @@ export * from "./security";

 export const createHandlers = (isCredentialsRequest: boolean) =>
  createConfiguration(isCredentialsRequest);
-export const { auth } = createConfiguration(false);
+const { auth: defaultAuth } = createConfiguration(false);
+
+/**
+ * This is the main way to get session data for your RSCs.
+ * This will de-duplicate all calls to next-auth's default `auth()` function and only call it once per request
+ */
+export const auth = cache(defaultAuth);
 export { getSessionFromToken, sessionTokenCookieName } from "./session";
--- a/packages/auth/package.json
+++ b/packages/auth/package.json
@@ -6,6 +6,7 @@
    ".": "./index.ts",
    "./security": "./security.ts",
    "./client": "./client.ts",
+    "./shared": "./shared.ts",
    "./env.mjs": "./env.mjs"
  },
  "private": true,
--- a/packages/auth/permissions/board-permissions.ts
+++ b/packages/auth/permissions/board-permissions.ts
@@ -0,0 +1,35 @@
+import type { Session } from "@auth/core/types";
+
+export type BoardPermissionsProps = (
+  | {
+      creator: {
+        id: string;
+      } | null;
+    }
+  | {
+      creatorId: string | null;
+    }
+) & {
+  permissions: {
+    permission: string;
+  }[];
+  isPublic: boolean;
+};
+
+export const constructBoardPermissions = (
+  board: BoardPermissionsProps,
+  session: Session | null,
+) => {
+  const creatorId = "creator" in board ? board.creator?.id : board.creatorId;
+
+  return {
+    hasFullAccess: session?.user?.id === creatorId,
+    hasChangeAccess:
+      session?.user?.id === creatorId ||
+      board.permissions.some(({ permission }) => permission === "board-change"),
+    hasViewAccess:
+      session?.user?.id === creatorId ||
+      board.permissions.length >= 1 ||
+      board.isPublic,
+  };
+};
--- a/packages/auth/permissions/index.ts
+++ b/packages/auth/permissions/index.ts
@@ -0,0 +1 @@
+export * from "./board-permissions";
--- a/packages/auth/permissions/test/board-permissions.spec.ts
+++ b/packages/auth/permissions/test/board-permissions.spec.ts
@@ -0,0 +1,106 @@
+import type { Session } from "@auth/core/types";
+import { describe, expect, test } from "vitest";
+
+import { constructBoardPermissions } from "../board-permissions";
+
+describe("constructBoardPermissions", () => {
+  test("should return all board permissions as true when session user id is equal to creator id", () => {
+    // Arrange
+    const board = {
+      creator: {
+        id: "1",
+      },
+      permissions: [],
+      isPublic: false,
+    };
+    const session = {
+      user: {
+        id: "1",
+      },
+      expires: new Date().toISOString(),
+    } satisfies Session;
+
+    // Act
+    const result = constructBoardPermissions(board, session);
+
+    // Assert
+    expect(result.hasFullAccess).toBe(true);
+    expect(result.hasChangeAccess).toBe(true);
+    expect(result.hasViewAccess).toBe(true);
+  });
+
+  test('should return hasChangeAccess as true when board permissions include "board-change"', () => {
+    // Arrange
+    const board = {
+      creator: {
+        id: "1",
+      },
+      permissions: [{ permission: "board-change" }],
+      isPublic: false,
+    };
+    const session = {
+      user: {
+        id: "2",
+      },
+      expires: new Date().toISOString(),
+    } satisfies Session;
+
+    // Act
+    const result = constructBoardPermissions(board, session);
+
+    // Assert
+    expect(result.hasFullAccess).toBe(false);
+    expect(result.hasChangeAccess).toBe(true);
+    expect(result.hasViewAccess).toBe(true);
+  });
+
+  test("should return hasViewAccess as true when board permissions length is greater than or equal to 1", () => {
+    // Arrange
+    const board = {
+      creator: {
+        id: "1",
+      },
+      permissions: [{ permission: "board-view" }],
+      isPublic: false,
+    };
+    const session = {
+      user: {
+        id: "2",
+      },
+      expires: new Date().toISOString(),
+    } satisfies Session;
+
+    // Act
+    const result = constructBoardPermissions(board, session);
+
+    // Assert
+    expect(result.hasFullAccess).toBe(false);
+    expect(result.hasChangeAccess).toBe(false);
+    expect(result.hasViewAccess).toBe(true);
+  });
+
+  test("should return hasViewAccess as true when board is public", () => {
+    // Arrange
+    const board = {
+      creator: {
+        id: "1",
+      },
+      permissions: [],
+      isPublic: true,
+    };
+    const session = {
+      user: {
+        id: "2",
+      },
+      expires: new Date().toISOString(),
+    } satisfies Session;
+
+    // Act
+    const result = constructBoardPermissions(board, session);
+
+    // Assert
+    expect(result.hasFullAccess).toBe(false);
+    expect(result.hasChangeAccess).toBe(false);
+    expect(result.hasViewAccess).toBe(true);
+  });
+});
--- a/packages/auth/shared.ts
+++ b/packages/auth/shared.ts
@@ -0,0 +1 @@
+export * from "./permissions";