Merge branch 'main' into feat/add-attachments-reworked

2025-11-24 13:41:30 +10:00 · 2025-10-10 14:39:21 +03:00
parent 90e40e4368 7b17156e56
commit 01ff304e6e
112 changed files with 7314 additions and 1237 deletions
--- a/apps/remix/app/routes/_authenticated+/admin+/organisations.$id.tsx
+++ b/apps/remix/app/routes/_authenticated+/admin+/organisations.$id.tsx
@ -71,6 +71,23 @@ export default function OrganisationGroupSettingsPage({ params }: Route.Componen
      },
    });

+  const { mutateAsync: promoteToOwner, isPending: isPromotingToOwner } =
+    trpc.admin.organisationMember.promoteToOwner.useMutation({
+      onSuccess: () => {
+        toast({
+          title: t`Success`,
+          description: t`Member promoted to owner successfully`,
+        });
+      },
+      onError: () => {
+        toast({
+          title: t`Error`,
+          description: t`We couldn't promote the member to owner. Please try again.`,
+          variant: 'destructive',
+        });
+      },
+    });
+
  const teamsColumns = useMemo(() => {
    return [
      {
@ -101,6 +118,26 @@ export default function OrganisationGroupSettingsPage({ params }: Route.Componen
          <Link to={`/admin/users/${row.original.user.id}`}>{row.original.user.email}</Link>
        ),
      },
+      {
+        header: t`Actions`,
+        cell: ({ row }) => (
+          <div className="flex justify-end space-x-2">
+            <Button
+              variant="outline"
+              disabled={row.original.userId === organisation?.ownerUserId}
+              loading={isPromotingToOwner}
+              onClick={async () =>
+                promoteToOwner({
+                  organisationId,
+                  userId: row.original.userId,
+                })
+              }
+            >
+              <Trans>Promote to owner</Trans>
+            </Button>
+          </div>
+        ),
+      },
    ] satisfies DataTableColumnDef<TGetAdminOrganisationResponse['members'][number]>[];
  }, [organisation]);

--- a/apps/remix/app/routes/_internal+/[__htmltopdf]+/certificate.tsx
+++ b/apps/remix/app/routes/_internal+/[__htmltopdf]+/certificate.tsx
@ -151,6 +151,7 @@ export default function SigningCertificate({ loaderData }: Route.ComponentProps)

      authLevel = match(accessAuthMethod)
        .with('ACCOUNT', () => _(msg`Account Authentication`))
+        .with('TWO_FACTOR_AUTH', () => _(msg`Two-Factor Authentication`))
        .with(undefined, () => _(msg`Email`))
        .exhaustive();
    }
--- a/apps/remix/app/routes/_recipient+/d.$token+/_index.tsx
+++ b/apps/remix/app/routes/_recipient+/d.$token+/_index.tsx
@ -47,10 +47,12 @@ export async function loader({ params, request }: Route.LoaderArgs) {
  });

  // Ensure typesafety when we add more options.
-  const isAccessAuthValid = match(derivedRecipientAccessAuth.at(0))
-    .with(DocumentAccessAuth.ACCOUNT, () => Boolean(session.user))
-    .with(undefined, () => true)
-    .exhaustive();
+  const isAccessAuthValid = derivedRecipientAccessAuth.every((auth) =>
+    match(auth)
+      .with(DocumentAccessAuth.ACCOUNT, () => Boolean(session.user))
+      .with(DocumentAccessAuth.TWO_FACTOR_AUTH, () => true)
+      .exhaustive(),
+  );

  if (!isAccessAuthValid) {
    return superLoaderJson({
--- a/apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
+++ b/apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
@ -3,12 +3,12 @@ import { DocumentSigningOrder, DocumentStatus, RecipientRole, SigningStatus } fr
 import { Clock8 } from 'lucide-react';
 import { Link, redirect } from 'react-router';
 import { getOptionalLoaderContext } from 'server/utils/get-loader-session';
+import { match } from 'ts-pattern';

 import signingCelebration from '@documenso/assets/images/signing-celebration.png';
 import { getOptionalSession } from '@documenso/auth/server/lib/utils/get-session';
 import { useOptionalSession } from '@documenso/lib/client-only/providers/session';
 import { getDocumentAndSenderByToken } from '@documenso/lib/server-only/document/get-document-by-token';
-import { isRecipientAuthorized } from '@documenso/lib/server-only/document/is-recipient-authorized';
 import { viewedDocument } from '@documenso/lib/server-only/document/viewed-document';
 import { getCompletedFieldsForToken } from '@documenso/lib/server-only/field/get-completed-fields-for-token';
 import { getFieldsForToken } from '@documenso/lib/server-only/field/get-fields-for-token';
@ -19,6 +19,7 @@ import { getRecipientSignatures } from '@documenso/lib/server-only/recipient/get
 import { getRecipientsForAssistant } from '@documenso/lib/server-only/recipient/get-recipients-for-assistant';
 import { getTeamSettings } from '@documenso/lib/server-only/team/get-team-settings';
 import { getUserByEmail } from '@documenso/lib/server-only/user/get-user-by-email';
+import { DocumentAccessAuth } from '@documenso/lib/types/document-auth';
 import { extractDocumentAuthMethods } from '@documenso/lib/utils/document-auth';
 import { SigningCard3D } from '@documenso/ui/components/signing-card';

@ -98,16 +99,16 @@ export async function loader({ params, request }: Route.LoaderArgs) {
    recipientAuth: recipient.authOptions,
  });

-  const isDocumentAccessValid = await isRecipientAuthorized({
-    type: 'ACCESS',
-    documentAuthOptions: document.authOptions,
-    recipient,
-    userId: user?.id,
-  });
+  const isAccessAuthValid = derivedRecipientAccessAuth.every((accesssAuth) =>
+    match(accesssAuth)
+      .with(DocumentAccessAuth.ACCOUNT, () => user && user.email === recipient.email)
+      .with(DocumentAccessAuth.TWO_FACTOR_AUTH, () => true) // Allow without account requirement
+      .exhaustive(),
+  );

  let recipientHasAccount: boolean | null = null;

-  if (!isDocumentAccessValid) {
+  if (!isAccessAuthValid) {
    recipientHasAccount = await getUserByEmail({ email: recipient.email })
      .then((user) => !!user)
      .catch(() => false);
--- a/apps/remix/app/routes/api+/health.ts
+++ b/apps/remix/app/routes/api+/health.ts
@ -23,10 +23,12 @@ export const loader = async () => {

  try {
    const certStatus = getCertificateStatus();
+
    if (certStatus.isAvailable) {
      checks.certificate = { status: 'ok' };
    } else {
      checks.certificate = { status: 'warning' };
+
      if (overallStatus === 'ok') {
        overallStatus = 'warning';
      }
--- a/apps/remix/app/routes/embed+/_v0+/direct.$url.tsx
+++ b/apps/remix/app/routes/embed+/_v0+/direct.$url.tsx
@ -58,10 +58,12 @@ export async function loader({ params, request }: Route.LoaderArgs) {
    documentAuth: template.authOptions,
  });

-  const isAccessAuthValid = match(derivedRecipientAccessAuth.at(0))
-    .with(DocumentAccessAuth.ACCOUNT, () => !!user)
-    .with(undefined, () => true)
-    .exhaustive();
+  const isAccessAuthValid = derivedRecipientAccessAuth.every((auth) =>
+    match(auth)
+      .with(DocumentAccessAuth.ACCOUNT, () => !!user)
+      .with(DocumentAccessAuth.TWO_FACTOR_AUTH, () => false) // Not supported for direct links
+      .exhaustive(),
+  );

  if (!isAccessAuthValid) {
    throw data(
--- a/apps/remix/app/routes/embed+/_v0+/sign.$url.tsx
+++ b/apps/remix/app/routes/embed+/_v0+/sign.$url.tsx
@ -1,10 +1,12 @@
 import { RecipientRole } from '@prisma/client';
 import { data } from 'react-router';
+import { getOptionalLoaderContext } from 'server/utils/get-loader-session';
 import { match } from 'ts-pattern';

 import { getOptionalSession } from '@documenso/auth/server/lib/utils/get-session';
 import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
 import { getDocumentAndSenderByToken } from '@documenso/lib/server-only/document/get-document-by-token';
+import { viewedDocument } from '@documenso/lib/server-only/document/viewed-document';
 import { getCompletedFieldsForToken } from '@documenso/lib/server-only/field/get-completed-fields-for-token';
 import { getFieldsForToken } from '@documenso/lib/server-only/field/get-fields-for-token';
 import { getOrganisationClaimByTeamId } from '@documenso/lib/server-only/organisation/get-organisation-claims';
@ -23,6 +25,8 @@ import { superLoaderJson, useSuperLoaderData } from '~/utils/super-json-loader';
 import type { Route } from './+types/sign.$url';

 export async function loader({ params, request }: Route.LoaderArgs) {
+  const { requestMetadata } = getOptionalLoaderContext();
+
  if (!params.url) {
    throw new Response('Not found', { status: 404 });
  }
@ -71,10 +75,12 @@ export async function loader({ params, request }: Route.LoaderArgs) {
    documentAuth: document.authOptions,
  });

-  const isAccessAuthValid = match(derivedRecipientAccessAuth.at(0))
-    .with(DocumentAccessAuth.ACCOUNT, () => user && user.email === recipient.email)
-    .with(undefined, () => true)
-    .exhaustive();
+  const isAccessAuthValid = derivedRecipientAccessAuth.every((accesssAuth) =>
+    match(accesssAuth)
+      .with(DocumentAccessAuth.ACCOUNT, () => user && user.email === recipient.email)
+      .with(DocumentAccessAuth.TWO_FACTOR_AUTH, () => true) // Allow without account requirement
+      .exhaustive(),
+  );

  if (!isAccessAuthValid) {
    throw data(
@ -102,6 +108,12 @@ export async function loader({ params, request }: Route.LoaderArgs) {
    );
  }

+  await viewedDocument({
+    token,
+    requestMetadata,
+    recipientAccessAuth: derivedRecipientAccessAuth,
+  });
+
  const allRecipients =
    recipient.role === RecipientRole.ASSISTANT
      ? await getRecipientsForAssistant({