feat(auth): add user and role management

2023-07-18 21:00:10 +00:00
parent a7104c41a2
commit 0deaa03218
108 changed files with 2909 additions and 388 deletions
--- a/packages/backend/src/helpers/authentication.ts
+++ b/packages/backend/src/helpers/authentication.ts
@@ -15,10 +15,12 @@ const isAuthenticated = rule()(async (_parent, _args, req) => {
    req.currentUser = await User
      .query()
      .findById(userId)
-      .joinRelated({
+      .leftJoinRelated({
+        role: true,
        permissions: true,
      })
      .withGraphFetched({
+        role: true,
        permissions: true,
      });

@@ -38,9 +40,9 @@ const authentication = shield(
    },
    Mutation: {
      '*': isAuthenticated,
-      login: allow,
-      createUser: allow,
+      registerUser: allow,
      forgotPassword: allow,
+      login: allow,
      resetPassword: allow,
    },
  },
--- a/packages/backend/src/helpers/find-or-create-user-by-saml-identity.ee.ts
+++ b/packages/backend/src/helpers/find-or-create-user-by-saml-identity.ee.ts
@@ -22,7 +22,7 @@ const findOrCreateUserBySamlIdentity = async (userIdentity: Record<string, unkno
    return user;
  }

-  const createdUser = await User.query().insertGraphAndFetch({
+  const createdUser = await User.query().insertGraph({
    fullName: [
      mappedUser.name,
      mappedUser.surname
@@ -40,7 +40,7 @@ const findOrCreateUserBySamlIdentity = async (userIdentity: Record<string, unkno
    ]
  }, {
    relate: ['identities']
-  });
+  }).returning('*');

  return createdUser;
 };
--- a/packages/backend/src/helpers/permission-catalog.ee.ts
+++ b/packages/backend/src/helpers/permission-catalog.ee.ts
@@ -0,0 +1,72 @@
+const Connection = {
+  label: 'Connection',
+  key: 'Connection',
+};
+
+const Flow = {
+  label: 'Flow',
+  key: 'Flow',
+};
+
+const Execution = {
+  label: 'Execution',
+  key: 'Execution',
+};
+
+const permissionCatalog = {
+  conditions: [
+    {
+      key: 'isCreator',
+      label: 'Is creator'
+    }
+  ],
+  actions: [
+    {
+      label: 'Create',
+      key: 'create',
+      subjects: [
+        Connection.key,
+        Flow.key,
+      ]
+    },
+    {
+      label: 'Read',
+      key: 'read',
+      subjects: [
+        Connection.key,
+        Execution.key,
+        Flow.key,
+      ]
+    },
+    {
+      label: 'Update',
+      key: 'update',
+      subjects: [
+        Connection.key,
+        Flow.key,
+      ]
+    },
+    {
+      label: 'Delete',
+      key: 'delete',
+      subjects: [
+        Connection.key,
+        Flow.key,
+      ]
+    },
+    {
+      label: 'Publish',
+      key: 'publish',
+      subjects: [
+        Flow.key,
+      ]
+    }
+  ],
+  subjects: [
+    Connection,
+    Flow,
+    Execution
+  ]
+};
+
+export default permissionCatalog;
--- a/packages/backend/src/helpers/user-ability.ts
+++ b/packages/backend/src/helpers/user-ability.ts
@@ -0,0 +1,20 @@
+import { PureAbility, fieldPatternMatcher, mongoQueryMatcher } from '@casl/ability';
+import type User from '../models/user'
+
+// Must be kept in sync with `packages/web/src/helpers/userAbility.ts`!
+export default function userAbility(user: Partial<User>) {
+  const permissions = user?.permissions;
+  const role = user?.role;
+
+  // We're not using mongo, but our fields, conditions match
+  const options = {
+    conditionsMatcher: mongoQueryMatcher,
+    fieldMatcher: fieldPatternMatcher
+  };
+
+  if (!role || !permissions) {
+    return new PureAbility([], options);
+  }
+
+  return new PureAbility<[string, string], string[]>(permissions, options);
+}