feat(auth): add user and role management
This commit is contained in:
@@ -2,19 +2,23 @@ import Base from './base';
|
||||
|
||||
class Permission extends Base {
|
||||
id: string;
|
||||
roleId: string;
|
||||
action: string;
|
||||
subject: string;
|
||||
conditions: string[];
|
||||
|
||||
static tableName = 'permissions';
|
||||
|
||||
static jsonSchema = {
|
||||
type: 'object',
|
||||
required: ['action', 'subject'],
|
||||
required: ['roleId', 'action', 'subject'],
|
||||
|
||||
properties: {
|
||||
id: { type: 'string', format: 'uuid' },
|
||||
roleId: { type: 'string', format: 'uuid' },
|
||||
action: { type: 'string', minLength: 1 },
|
||||
subject: { type: 'string', minLength: 1 },
|
||||
conditions: { type: 'array', items: { type: 'string' } },
|
||||
createdAt: { type: 'string' },
|
||||
updatedAt: { type: 'string' },
|
||||
},
|
||||
|
@@ -1,6 +1,7 @@
|
||||
import {
|
||||
Model,
|
||||
Page,
|
||||
ModelClass,
|
||||
PartialModelObject,
|
||||
ForClassMethod,
|
||||
AnyQueryBuilder,
|
||||
@@ -8,6 +9,10 @@ import {
|
||||
|
||||
const DELETED_COLUMN_NAME = 'deleted_at';
|
||||
|
||||
const supportsSoftDeletion = (modelClass: ModelClass<any>) => {
|
||||
return modelClass.jsonSchema.properties.deletedAt;
|
||||
}
|
||||
|
||||
const buildQueryBuidlerForClass = (): ForClassMethod => {
|
||||
return (modelClass) => {
|
||||
const qb: AnyQueryBuilder = Model.QueryBuilder.forClass.call(
|
||||
@@ -15,7 +20,7 @@ const buildQueryBuidlerForClass = (): ForClassMethod => {
|
||||
modelClass
|
||||
);
|
||||
qb.onBuild((builder) => {
|
||||
if (!builder.context().withSoftDeleted && qb.modelClass().jsonSchema.properties.deletedAt) {
|
||||
if (!builder.context().withSoftDeleted && supportsSoftDeletion(qb.modelClass())) {
|
||||
builder.whereNull(
|
||||
`${qb.modelClass().tableName}.${DELETED_COLUMN_NAME}`
|
||||
);
|
||||
@@ -38,9 +43,13 @@ class ExtendedQueryBuilder<M extends Model, R = M[]> extends Model.QueryBuilder<
|
||||
static forClass: ForClassMethod = buildQueryBuidlerForClass();
|
||||
|
||||
delete() {
|
||||
return this.patch({
|
||||
[DELETED_COLUMN_NAME]: new Date().toISOString(),
|
||||
} as unknown as PartialModelObject<M>);
|
||||
if (supportsSoftDeletion(this.modelClass())) {
|
||||
return this.patch({
|
||||
[DELETED_COLUMN_NAME]: new Date().toISOString(),
|
||||
} as unknown as PartialModelObject<M>);
|
||||
}
|
||||
|
||||
return super.delete();
|
||||
}
|
||||
|
||||
hardDelete() {
|
||||
|
@@ -1,4 +1,5 @@
|
||||
import Base from './base';
|
||||
import Permission from './permission';
|
||||
import User from './user';
|
||||
|
||||
class Role extends Base {
|
||||
@@ -7,6 +8,7 @@ class Role extends Base {
|
||||
key: string;
|
||||
description: string;
|
||||
users?: User[];
|
||||
permissions?: Permission[];
|
||||
|
||||
static tableName = 'roles';
|
||||
|
||||
@@ -18,12 +20,16 @@ class Role extends Base {
|
||||
id: { type: 'string', format: 'uuid' },
|
||||
name: { type: 'string', minLength: 1 },
|
||||
key: { type: 'string', minLength: 1 },
|
||||
description: { type: ['string', 'null'], minLength: 1, maxLength: 255 },
|
||||
description: { type: ['string', 'null'], maxLength: 255 },
|
||||
createdAt: { type: 'string' },
|
||||
updatedAt: { type: 'string' },
|
||||
},
|
||||
};
|
||||
|
||||
static get virtualAttributes() {
|
||||
return ['isAdmin'];
|
||||
}
|
||||
|
||||
static relationMappings = () => ({
|
||||
users: {
|
||||
relation: Base.HasManyRelation,
|
||||
@@ -33,7 +39,19 @@ class Role extends Base {
|
||||
to: 'users.role_id',
|
||||
},
|
||||
},
|
||||
permissions: {
|
||||
relation: Base.HasManyRelation,
|
||||
modelClass: Permission,
|
||||
join: {
|
||||
from: 'roles.id',
|
||||
to: 'permissions.role_id',
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
get isAdmin() {
|
||||
return this.key === 'admin';
|
||||
}
|
||||
}
|
||||
|
||||
export default Role;
|
||||
|
@@ -16,6 +16,7 @@ class SamlAuthProvider extends Base {
|
||||
emailAttributeName: string;
|
||||
roleAttributeName: string;
|
||||
defaultRoleId: string;
|
||||
active: boolean;
|
||||
|
||||
static tableName = 'saml_auth_providers';
|
||||
|
||||
@@ -45,7 +46,8 @@ class SamlAuthProvider extends Base {
|
||||
surnameAttributeName: { type: 'string', minLength: 1 },
|
||||
emailAttributeName: { type: 'string', minLength: 1 },
|
||||
roleAttributeName: { type: 'string', minLength: 1 },
|
||||
defaultRoleId: { type: 'string', format: 'uuid' }
|
||||
defaultRoleId: { type: 'string', format: 'uuid' },
|
||||
active: { type: 'boolean' },
|
||||
},
|
||||
};
|
||||
|
||||
|
@@ -1,22 +1,25 @@
|
||||
import crypto from 'node:crypto';
|
||||
import { QueryContext, ModelOptions } from 'objection';
|
||||
import bcrypt from 'bcrypt';
|
||||
import { DateTime } from 'luxon';
|
||||
import { Ability } from '@casl/ability';
|
||||
import type { Subject } from '@casl/ability';
|
||||
import crypto from 'node:crypto';
|
||||
import {
|
||||
ModelOptions,
|
||||
QueryContext
|
||||
} from 'objection';
|
||||
|
||||
import appConfig from '../config/app';
|
||||
import checkLicense from '../helpers/check-license.ee';
|
||||
import userAbility from '../helpers/user-ability';
|
||||
import Base from './base';
|
||||
import ExtendedQueryBuilder from './query-builder';
|
||||
import Connection from './connection';
|
||||
import Flow from './flow';
|
||||
import Step from './step';
|
||||
import Role from './role';
|
||||
import Permission from './permission';
|
||||
import Execution from './execution';
|
||||
import Flow from './flow';
|
||||
import Identity from './identity.ee';
|
||||
import UsageData from './usage-data.ee';
|
||||
import Permission from './permission';
|
||||
import ExtendedQueryBuilder from './query-builder';
|
||||
import Role from './role';
|
||||
import Step from './step';
|
||||
import Subscription from './subscription.ee';
|
||||
import UsageData from './usage-data.ee';
|
||||
|
||||
class User extends Base {
|
||||
id!: string;
|
||||
@@ -148,15 +151,11 @@ class User extends Base {
|
||||
},
|
||||
},
|
||||
permissions: {
|
||||
relation: Base.ManyToManyRelation,
|
||||
relation: Base.HasManyRelation,
|
||||
modelClass: Permission,
|
||||
join: {
|
||||
from: 'users.role_id',
|
||||
through: {
|
||||
from: 'roles_permissions.role_id',
|
||||
to: 'roles_permissions.permission_id',
|
||||
},
|
||||
to: 'permissions.id',
|
||||
to: 'permissions.role_id',
|
||||
},
|
||||
},
|
||||
identities: {
|
||||
@@ -292,23 +291,43 @@ class User extends Base {
|
||||
}
|
||||
}
|
||||
|
||||
get ability() {
|
||||
if (!this.permissions) {
|
||||
throw new Error('User.permissions must be fetched!');
|
||||
async $afterFind(): Promise<any> {
|
||||
const hasValidLicense = await checkLicense();
|
||||
|
||||
if (hasValidLicense) return this;
|
||||
|
||||
if (Array.isArray(this.permissions)) {
|
||||
this.permissions = this.permissions.filter((permission) => {
|
||||
const isRolePermission = permission.subject === 'Role';
|
||||
|
||||
return !isRolePermission;
|
||||
});
|
||||
}
|
||||
|
||||
return new Ability(this.permissions);
|
||||
return this;
|
||||
}
|
||||
|
||||
can(action: string, subject: Subject) {
|
||||
get ability(): ReturnType<typeof userAbility> {
|
||||
return userAbility(this);
|
||||
}
|
||||
|
||||
can(action: string, subject: string) {
|
||||
const can = this.ability.can(action, subject);
|
||||
|
||||
if (!can) throw new Error('Not authorized!');
|
||||
|
||||
return can;
|
||||
const relevantRule = this.ability.relevantRuleFor(action, subject);
|
||||
|
||||
const conditions = relevantRule?.conditions as string[] || [];
|
||||
const conditionMap: Record<string, true> = Object
|
||||
.fromEntries(
|
||||
conditions.map((condition) => [condition, true])
|
||||
)
|
||||
|
||||
return conditionMap;
|
||||
}
|
||||
|
||||
cannot(action: string, subject: Subject) {
|
||||
cannot(action: string, subject: string) {
|
||||
const cannot = this.ability.cannot(action, subject);
|
||||
|
||||
if (cannot) throw new Error('Not authorized!');
|
||||
|
Reference in New Issue
Block a user