feat: add document auth

2025-11-13 16:23:06 +10:00 · 2024-03-11 19:36:22 +08:00
parent d5c4885c67
commit 8d1b0adbb2
53 changed files with 2548 additions and 713 deletions
--- a/packages/lib/server-only/document/complete-document-with-token.ts
+++ b/packages/lib/server-only/document/complete-document-with-token.ts
@ -7,13 +7,19 @@ import { prisma } from '@documenso/prisma';
 import { DocumentStatus, SigningStatus } from '@documenso/prisma/client';
 import { WebhookTriggerEvents } from '@documenso/prisma/client';

+import { AppError, AppErrorCode } from '../../errors/app-error';
+import type { TRecipientActionAuth } from '../../types/document-auth';
+import { extractDocumentAuthMethods } from '../../utils/document-auth';
 import { triggerWebhook } from '../webhooks/trigger/trigger-webhook';
+import { isRecipientAuthorized } from './is-recipient-authorized';
 import { sealDocument } from './seal-document';
 import { sendPendingEmail } from './send-pending-email';

 export type CompleteDocumentWithTokenOptions = {
  token: string;
  documentId: number;
+  userId?: number;
+  authOptions?: TRecipientActionAuth;
  requestMetadata?: RequestMetadata;
 };

@ -40,6 +46,8 @@ const getDocument = async ({ token, documentId }: CompleteDocumentWithTokenOptio
 export const completeDocumentWithToken = async ({
  token,
  documentId,
+  userId,
+  authOptions,
  requestMetadata,
 }: CompleteDocumentWithTokenOptions) => {
  'use server';
@ -71,32 +79,52 @@ export const completeDocumentWithToken = async ({
    throw new Error(`Recipient ${recipient.id} has unsigned fields`);
  }

-  await prisma.recipient.update({
-    where: {
-      id: recipient.id,
-    },
-    data: {
-      signingStatus: SigningStatus.SIGNED,
-      signedAt: new Date(),
-    },
+  const { derivedRecipientActionAuth } = extractDocumentAuthMethods({
+    documentAuth: document.authOptions,
+    recipientAuth: recipient.authOptions,
  });

-  await prisma.documentAuditLog.create({
-    data: createDocumentAuditLogData({
-      type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_RECIPIENT_COMPLETED,
-      documentId: document.id,
-      user: {
-        name: recipient.name,
-        email: recipient.email,
+  const isValid = await isRecipientAuthorized({
+    type: 'ACTION',
+    document: document,
+    recipient: recipient,
+    userId,
+    authOptions,
+  });
+
+  if (!isValid) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, 'Invalid authentication values');
+  }
+
+  await prisma.$transaction(async (tx) => {
+    await tx.recipient.update({
+      where: {
+        id: recipient.id,
      },
-      requestMetadata,
      data: {
-        recipientEmail: recipient.email,
-        recipientName: recipient.name,
-        recipientId: recipient.id,
-        recipientRole: recipient.role,
+        signingStatus: SigningStatus.SIGNED,
+        signedAt: new Date(),
      },
-    }),
+    });
+
+    await tx.documentAuditLog.create({
+      data: createDocumentAuditLogData({
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_RECIPIENT_COMPLETED,
+        documentId: document.id,
+        user: {
+          name: recipient.name,
+          email: recipient.email,
+        },
+        requestMetadata,
+        data: {
+          recipientEmail: recipient.email,
+          recipientName: recipient.name,
+          recipientId: recipient.id,
+          recipientRole: recipient.role,
+          actionAuth: derivedRecipientActionAuth || undefined,
+        },
+      }),
+    });
  });

  const pendingRecipients = await prisma.recipient.count({