feat: complete document 2fa (wip)

packages/lib/server-only/document/update-document.ts

@@ -1,8 +1,6 @@
-import { DocumentVisibility } from '@prisma/client';
-import { DocumentStatus, TeamMemberRole } from '@prisma/client';
+import { DocumentStatus, DocumentVisibility, TeamMemberRole } from '@prisma/client';
 import { match } from 'ts-pattern';
 
-import { isUserEnterprise } from '@documenso/ee/server-only/util/is-document-enterprise';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
 import type { ApiRequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 import type { CreateDocumentAuditLogDataResponse } from '@documenso/lib/utils/document-audit-logs';
@@ -135,18 +133,18 @@ export const updateDocument = async ({
     data?.globalActionAuth === undefined ? documentGlobalActionAuth : data.globalActionAuth;
 
   // Check if user has permission to set the global action auth.
-  if (newGlobalActionAuth) {
-    const isDocumentEnterprise = await isUserEnterprise({
-      userId,
-      teamId,
-    });
+  // if (newGlobalActionAuth) {
+  //   const isDocumentEnterprise = await isUserEnterprise({
+  //     userId,
+  //     teamId,
+  //   });
 
-    if (!isDocumentEnterprise) {
-      throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'You do not have permission to set the action auth',
-      });
-    }
-  }
+  //   if (!isDocumentEnterprise) {
+  //     throw new AppError(AppErrorCode.UNAUTHORIZED, {
+  //       message: 'You do not have permission to set the action auth',
+  //     });
+  //   }
+  // }
 
   const isTitleSame = data.title === undefined || data.title === document.title;
   const isExternalIdSame = data.externalId === undefined || data.externalId === document.externalId;

packages/lib/server-only/field/sign-field-with-token.ts

@@ -2,6 +2,7 @@ import { DocumentStatus, FieldType, RecipientRole, SigningStatus } from '@prisma
 import { DateTime } from 'luxon';
 import { match } from 'ts-pattern';
 
+import { isUserEnterprise } from '@documenso/ee/server-only/util/is-document-enterprise';
 import { validateCheckboxField } from '@documenso/lib/advanced-fields-validation/validate-checkbox';
 import { validateDropdownField } from '@documenso/lib/advanced-fields-validation/validate-dropdown';
 import { validateNumberField } from '@documenso/lib/advanced-fields-validation/validate-number';
@@ -13,7 +14,7 @@ import { prisma } from '@documenso/prisma';
 import { DEFAULT_DOCUMENT_DATE_FORMAT } from '../../constants/date-formats';
 import { DEFAULT_DOCUMENT_TIME_ZONE } from '../../constants/time-zones';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
-import type { TRecipientActionAuth } from '../../types/document-auth';
+import type { TRecipientActionAuth, TRecipientActionAuthTypes } from '../../types/document-auth';
 import {
   ZCheckboxFieldMeta,
   ZDropdownFieldMeta,
@@ -23,6 +24,7 @@ import {
 } from '../../types/field-meta';
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
+import { extractDocumentAuthMethods } from '../../utils/document-auth';
 import { validateFieldAuth } from '../document/validate-field-auth';
 
 export type SignFieldWithTokenOptions = {
@@ -169,13 +171,24 @@ export const signFieldWithToken = async ({
     }
   }
 
-  const derivedRecipientActionAuth = await validateFieldAuth({
-    documentAuthOptions: document.authOptions,
-    recipient,
-    field,
-    userId,
-    authOptions,
-  });
+  const isEnterprise = userId ? await isUserEnterprise({ userId }) : false;
+  let requiredAuthType: TRecipientActionAuthTypes | null = null;
+
+  if (isEnterprise) {
+    requiredAuthType = await validateFieldAuth({
+      documentAuthOptions: document.authOptions,
+      recipient,
+      field,
+      userId,
+      authOptions,
+    });
+  } else {
+    const { derivedRecipientActionAuth } = extractDocumentAuthMethods({
+      documentAuth: document.authOptions,
+      recipientAuth: recipient.authOptions,
+    });
+    requiredAuthType = derivedRecipientActionAuth;
+  }
 
   const documentMeta = await prisma.documentMeta.findFirst({
     where: {
@@ -286,9 +299,9 @@ export const signFieldWithToken = async ({
               }),
             )
             .exhaustive(),
-          fieldSecurity: derivedRecipientActionAuth
+          fieldSecurity: requiredAuthType
             ? {
-                type: derivedRecipientActionAuth,
+                type: requiredAuthType,
               }
             : undefined,
         },

packages/lib/types/document-auth.ts

@@ -68,6 +68,16 @@ export const ZDocumentActionAuthTypesSchema = z
     'The type of authentication required for the recipient to sign the document. This field is restricted to Enterprise plan users only.',
   );
 
+/**
+ * The non-enterprise document action auth methods.
+ *
+ * Only includes options available to non-enterprise users.
+ */
+export const ZNonEnterpriseDocumentActionAuthTypesSchema = z.enum([
+  DocumentAuth.TWO_FACTOR_AUTH,
+  DocumentAuth.EXPLICIT_NONE,
+]);
+
 /**
  * The recipient access auth methods.
  *
@@ -102,6 +112,7 @@ export const ZRecipientActionAuthTypesSchema = z
 
 export const DocumentAccessAuth = ZDocumentAccessAuthTypesSchema.Enum;
 export const DocumentActionAuth = ZDocumentActionAuthTypesSchema.Enum;
+export const NonEnterpriseDocumentActionAuth = ZNonEnterpriseDocumentActionAuthTypesSchema.Enum;
 export const RecipientAccessAuth = ZRecipientAccessAuthTypesSchema.Enum;
 export const RecipientActionAuth = ZRecipientActionAuthTypesSchema.Enum;
 
@@ -152,6 +163,9 @@ export type TDocumentAccessAuth = z.infer<typeof ZDocumentAccessAuthSchema>;
 export type TDocumentAccessAuthTypes = z.infer<typeof ZDocumentAccessAuthTypesSchema>;
 export type TDocumentActionAuth = z.infer<typeof ZDocumentActionAuthSchema>;
 export type TDocumentActionAuthTypes = z.infer<typeof ZDocumentActionAuthTypesSchema>;
+export type TNonEnterpriseDocumentActionAuthTypes = z.infer<
+  typeof ZNonEnterpriseDocumentActionAuthTypesSchema
+>;
 export type TRecipientAccessAuth = z.infer<typeof ZRecipientAccessAuthSchema>;
 export type TRecipientAccessAuthTypes = z.infer<typeof ZRecipientAccessAuthTypesSchema>;
 export type TRecipientActionAuth = z.infer<typeof ZRecipientActionAuthSchema>;

packages/ui/components/document/document-global-auth-action-select.tsx

@@ -7,7 +7,11 @@ import type { SelectProps } from '@radix-ui/react-select';
 import { InfoIcon } from 'lucide-react';
 
 import { DOCUMENT_AUTH_TYPES } from '@documenso/lib/constants/document-auth';
-import { DocumentActionAuth, DocumentAuth } from '@documenso/lib/types/document-auth';
+import {
+  DocumentActionAuth,
+  DocumentAuth,
+  NonEnterpriseDocumentActionAuth,
+} from '@documenso/lib/types/document-auth';
 import {
   Select,
   SelectContent,
@@ -17,38 +21,51 @@ import {
 } from '@documenso/ui/primitives/select';
 import { Tooltip, TooltipContent, TooltipTrigger } from '@documenso/ui/primitives/tooltip';
 
-export const DocumentGlobalAuthActionSelect = forwardRef<HTMLButtonElement, SelectProps>(
-  (props, ref) => {
-    const { _ } = useLingui();
+interface DocumentGlobalAuthActionSelectProps extends SelectProps {
+  isDocumentEnterprise?: boolean;
+}
 
-    return (
-      <Select {...props}>
-        <SelectTrigger className="bg-background text-muted-foreground">
-          <SelectValue
-            ref={ref}
-            data-testid="documentActionSelectValue"
-            placeholder={_(msg`No restrictions`)}
-          />
-        </SelectTrigger>
+export const DocumentGlobalAuthActionSelect = forwardRef<
+  HTMLButtonElement,
+  DocumentGlobalAuthActionSelectProps
+>(({ isDocumentEnterprise, ...props }, ref) => {
+  const { _ } = useLingui();
 
-        <SelectContent position="popper">
-          {/* Note: -1 is remapped in the Zod schema to the required value. */}
-          <SelectItem value={'-1'}>
-            <Trans>No restrictions</Trans>
-          </SelectItem>
+  return (
+    <Select {...props}>
+      <SelectTrigger className="bg-background text-muted-foreground">
+        <SelectValue
+          ref={ref}
+          data-testid="documentActionSelectValue"
+          placeholder={_(msg`No restrictions`)}
+        />
+      </SelectTrigger>
 
-          {Object.values(DocumentActionAuth)
-            .filter((auth) => auth !== DocumentAuth.ACCOUNT)
-            .map((authType) => (
-              <SelectItem key={authType} value={authType}>
-                {DOCUMENT_AUTH_TYPES[authType].value}
-              </SelectItem>
-            ))}
-        </SelectContent>
-      </Select>
-    );
-  },
-);
+      <SelectContent position="popper">
+        {/* Note: -1 is remapped in the Zod schema to the required value. */}
+        <SelectItem value={'-1'}>
+          <Trans>No restrictions</Trans>
+        </SelectItem>
+
+        {isDocumentEnterprise
+          ? Object.values(DocumentActionAuth)
+              .filter((auth) => auth !== DocumentAuth.ACCOUNT)
+              .map((authType) => (
+                <SelectItem key={authType} value={authType}>
+                  {DOCUMENT_AUTH_TYPES[authType].value}
+                </SelectItem>
+              ))
+          : Object.values(NonEnterpriseDocumentActionAuth)
+              .filter((auth) => auth !== DocumentAuth.EXPLICIT_NONE)
+              .map((authType) => (
+                <SelectItem key={authType} value={authType}>
+                  {DOCUMENT_AUTH_TYPES[authType].value}
+                </SelectItem>
+              ))}
+      </SelectContent>
+    </Select>
+  );
+});
 
 DocumentGlobalAuthActionSelect.displayName = 'DocumentGlobalAuthActionSelect';
 

packages/ui/primitives/document-flow/add-settings.tsx

@@ -1,10 +1,15 @@
 import { useEffect } from 'react';
 
 import { zodResolver } from '@hookform/resolvers/zod';
-import { Trans } from '@lingui/react/macro';
-import { useLingui } from '@lingui/react/macro';
-import { DocumentVisibility, TeamMemberRole } from '@prisma/client';
-import { DocumentStatus, type Field, type Recipient, SendStatus } from '@prisma/client';
+import { Trans, useLingui } from '@lingui/react/macro';
+import {
+  DocumentStatus,
+  DocumentVisibility,
+  type Field,
+  type Recipient,
+  SendStatus,
+  TeamMemberRole,
+} from '@prisma/client';
 import { InfoIcon } from 'lucide-react';
 import { useForm } from 'react-hook-form';
 import { match } from 'ts-pattern';
@@ -268,24 +273,22 @@ export const AddSettingsFormPartial = ({
               />
             )}
 
-            {isDocumentEnterprise && (
-              <FormField
-                control={form.control}
-                name="globalActionAuth"
-                render={({ field }) => (
-                  <FormItem>
-                    <FormLabel className="flex flex-row items-center">
-                      <Trans>Recipient action authentication</Trans>
-                      <DocumentGlobalAuthActionTooltip />
-                    </FormLabel>
+            <FormField
+              control={form.control}
+              name="globalActionAuth"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel className="flex flex-row items-center">
+                    <Trans>Recipient action authentication</Trans>
+                    <DocumentGlobalAuthActionTooltip />
+                  </FormLabel>
 
-                    <FormControl>
-                      <DocumentGlobalAuthActionSelect {...field} onValueChange={field.onChange} />
-                    </FormControl>
-                  </FormItem>
-                )}
-              />
-            )}
+                  <FormControl>
+                    <DocumentGlobalAuthActionSelect {...field} onValueChange={field.onChange} />
+                  </FormControl>
+                </FormItem>
+              )}
+            />
 
             <Accordion type="multiple" className="mt-6">
               <AccordionItem value="advanced-options" className="border-none">