mirror of
https://github.com/docmost/docmost.git
synced 2026-05-07 06:23:06 +08:00
Philipinho
110 lines
3.3 KiB
TypeScript
110 lines
3.3 KiB
TypeScript
import { Extension, onAuthenticatePayload } from '@hocuspocus/server';
|
|
import {
|
|
Injectable,
|
|
Logger,
|
|
NotFoundException,
|
|
UnauthorizedException,
|
|
} from '@nestjs/common';
|
|
import { TokenService } from '../../core/auth/services/token.service';
|
|
import { UserRepo } from '@docmost/db/repos/user/user.repo';
|
|
import { PageRepo } from '@docmost/db/repos/page/page.repo';
|
|
import { SpaceMemberRepo } from '@docmost/db/repos/space/space-member.repo';
|
|
import { PagePermissionRepo } from '@docmost/db/repos/page/page-permission.repo';
|
|
import { findHighestUserSpaceRole } from '@docmost/db/repos/space/utils';
|
|
import { SpaceRole } from '../../common/helpers/types/permission';
|
|
import { getPageId } from '../collaboration.util';
|
|
import { JwtCollabPayload, JwtType } from '../../core/auth/dto/jwt-payload';
|
|
|
|
@Injectable()
|
|
export class AuthenticationExtension implements Extension {
|
|
private readonly logger = new Logger(AuthenticationExtension.name);
|
|
|
|
constructor(
|
|
private tokenService: TokenService,
|
|
private userRepo: UserRepo,
|
|
private pageRepo: PageRepo,
|
|
private readonly spaceMemberRepo: SpaceMemberRepo,
|
|
private readonly pagePermissionRepo: PagePermissionRepo,
|
|
) {}
|
|
|
|
async onAuthenticate(data: onAuthenticatePayload) {
|
|
const { documentName, token } = data;
|
|
const pageId = getPageId(documentName);
|
|
|
|
let jwtPayload: JwtCollabPayload;
|
|
|
|
try {
|
|
jwtPayload = await this.tokenService.verifyJwt(token, JwtType.COLLAB);
|
|
} catch (error) {
|
|
throw new UnauthorizedException('Invalid collab token');
|
|
}
|
|
|
|
const userId = jwtPayload.sub;
|
|
const workspaceId = jwtPayload.workspaceId;
|
|
|
|
const user = await this.userRepo.findById(userId, workspaceId);
|
|
|
|
if (!user) {
|
|
throw new UnauthorizedException();
|
|
}
|
|
|
|
if (user.deactivatedAt || user.deletedAt) {
|
|
throw new UnauthorizedException();
|
|
}
|
|
|
|
const page = await this.pageRepo.findById(pageId);
|
|
if (!page) {
|
|
this.logger.debug(`Page not found: ${pageId}`);
|
|
throw new NotFoundException('Page not found');
|
|
}
|
|
|
|
const userSpaceRoles = await this.spaceMemberRepo.getUserSpaceRoles(
|
|
user.id,
|
|
page.spaceId,
|
|
);
|
|
|
|
const userSpaceRole = findHighestUserSpaceRole(userSpaceRoles);
|
|
|
|
if (!userSpaceRole) {
|
|
this.logger.warn(`User not authorized to access page: ${pageId}`);
|
|
throw new UnauthorizedException();
|
|
}
|
|
|
|
// Check page-level permissions
|
|
const { hasAnyRestriction, canAccess, canEdit } =
|
|
await this.pagePermissionRepo.getUserPageAccessLevel(user.id, page.id);
|
|
|
|
if (hasAnyRestriction) {
|
|
if (!canAccess) {
|
|
this.logger.warn(
|
|
`User ${user.id} denied page-level access to page: ${pageId}`,
|
|
);
|
|
throw new UnauthorizedException();
|
|
}
|
|
|
|
if (!canEdit) {
|
|
data.connectionConfig.readOnly = true;
|
|
this.logger.debug(
|
|
`User ${user.id} granted readonly access to restricted page: ${pageId}`,
|
|
);
|
|
}
|
|
} else {
|
|
// No restrictions - use space-level permissions
|
|
if (userSpaceRole === SpaceRole.READER) {
|
|
data.connectionConfig.readOnly = true;
|
|
this.logger.debug(`User granted readonly access to page: ${pageId}`);
|
|
}
|
|
}
|
|
|
|
if (page.deletedAt) {
|
|
data.connectionConfig.readOnly = true;
|
|
}
|
|
|
|
this.logger.debug(`Authenticated user ${user.id} on page ${pageId}`);
|
|
|
|
return {
|
|
user,
|
|
};
|
|
}
|
|
}
|