feat(auth): add user and role management

packages/backend/src/models/permission.ts

@@ -4,6 +4,7 @@ class Permission extends Base {
   id: string;
   action: string;
   subject: string;
+  conditions: string[];
 
   static tableName = 'permissions';
 
@@ -15,6 +16,7 @@ class Permission extends Base {
       id: { type: 'string', format: 'uuid' },
       action: { type: 'string', minLength: 1 },
       subject: { type: 'string', minLength: 1 },
+      conditions: { type: 'array', items: { type: 'string' } },
       createdAt: { type: 'string' },
       updatedAt: { type: 'string' },
     },

packages/backend/src/models/query-builder.ts

@@ -1,6 +1,7 @@
 import {
   Model,
   Page,
+  ModelClass,
   PartialModelObject,
   ForClassMethod,
   AnyQueryBuilder,
@@ -8,6 +9,10 @@ import {
 
 const DELETED_COLUMN_NAME = 'deleted_at';
 
+const supportsSoftDeletion = (modelClass: ModelClass<any>) => {
+  return modelClass.jsonSchema.properties.deletedAt;
+}
+
 const buildQueryBuidlerForClass = (): ForClassMethod => {
   return (modelClass) => {
     const qb: AnyQueryBuilder = Model.QueryBuilder.forClass.call(
@@ -15,7 +20,7 @@ const buildQueryBuidlerForClass = (): ForClassMethod => {
       modelClass
     );
     qb.onBuild((builder) => {
-      if (!builder.context().withSoftDeleted && qb.modelClass().jsonSchema.properties.deletedAt) {
+      if (!builder.context().withSoftDeleted && supportsSoftDeletion(qb.modelClass())) {
         builder.whereNull(
           `${qb.modelClass().tableName}.${DELETED_COLUMN_NAME}`
         );
@@ -38,9 +43,13 @@ class ExtendedQueryBuilder<M extends Model, R = M[]> extends Model.QueryBuilder<
   static forClass: ForClassMethod = buildQueryBuidlerForClass();
 
   delete() {
-    return this.patch({
-      [DELETED_COLUMN_NAME]: new Date().toISOString(),
-    } as unknown as PartialModelObject<M>);
+    if (supportsSoftDeletion(this.modelClass())) {
+      return this.patch({
+        [DELETED_COLUMN_NAME]: new Date().toISOString(),
+      } as unknown as PartialModelObject<M>);
+    }
+
+    return super.delete();
   }
 
   hardDelete() {

packages/backend/src/models/role.ts

@@ -1,4 +1,5 @@
 import Base from './base';
+import Permission from './permission';
 import User from './user';
 
 class Role extends Base {
@@ -7,6 +8,7 @@ class Role extends Base {
   key: string;
   description: string;
   users?: User[];
+  permissions?: Permission[];
 
   static tableName = 'roles';
 
@@ -24,6 +26,10 @@ class Role extends Base {
     },
   };
 
+  static get virtualAttributes() {
+    return ['isAdmin'];
+  }
+
   static relationMappings = () => ({
     users: {
       relation: Base.HasManyRelation,
@@ -33,7 +39,23 @@ class Role extends Base {
         to: 'users.role_id',
       },
     },
+    permissions: {
+      relation: Base.ManyToManyRelation,
+      modelClass: Permission,
+      join: {
+        from: 'roles.id',
+        through: {
+          from: 'roles_permissions.role_id',
+          to: 'roles_permissions.permission_id',
+        },
+        to: 'permissions.id',
+      },
+    },
   });
+
+  get isAdmin() {
+    return this.key === 'admin';
+  }
 }
 
 export default Role;

packages/backend/src/models/user.ts

@@ -2,7 +2,7 @@ import crypto from 'node:crypto';
 import { QueryContext, ModelOptions } from 'objection';
 import bcrypt from 'bcrypt';
 import { DateTime } from 'luxon';
-import { Ability } from '@casl/ability';
+import { PureAbility, fieldPatternMatcher, mongoQueryMatcher } from '@casl/ability';
 import type { Subject } from '@casl/ability';
 
 import appConfig from '../config/app';
@@ -297,7 +297,11 @@ class User extends Base {
       throw new Error('User.permissions must be fetched!');
     }
 
-    return new Ability(this.permissions);
+    // We're not using mongo, but our fields, conditions match
+    return new PureAbility(this.permissions, {
+      conditionsMatcher: mongoQueryMatcher,
+      fieldMatcher: fieldPatternMatcher
+    });
   }
 
   can(action: string, subject: Subject) {