feat: add document auth

2025-11-14 08:42:12 +10:00 · 2024-03-11 19:36:22 +08:00
parent d5c4885c67
commit 8d1b0adbb2
53 changed files with 2548 additions and 713 deletions
--- a/packages/lib/server-only/document/is-recipient-authorized.ts
+++ b/packages/lib/server-only/document/is-recipient-authorized.ts
@ -0,0 +1,86 @@
+import { match } from 'ts-pattern';
+
+import { prisma } from '@documenso/prisma';
+import type { Document, Recipient } from '@documenso/prisma/client';
+
+import type { TDocumentAuth, TDocumentAuthMethods } from '../../types/document-auth';
+import { DocumentAuth } from '../../types/document-auth';
+import { extractDocumentAuthMethods } from '../../utils/document-auth';
+
+type IsRecipientAuthorizedOptions = {
+  type: 'ACCESS' | 'ACTION';
+  document: Document;
+  recipient: Recipient;
+
+  /**
+   * The ID of the user who initiated the request.
+   */
+  userId?: number;
+
+  /**
+   * The auth details to check.
+   *
+   * Optional because there are scenarios where no auth options are required such as
+   * using the user ID.
+   */
+  authOptions?: TDocumentAuthMethods;
+};
+
+const getRecipient = async (email: string) => {
+  return await prisma.user.findFirst({
+    where: {
+      email,
+    },
+    select: {
+      id: true,
+    },
+  });
+};
+
+/**
+ * Whether the recipient is authorized to perform the requested operation on a
+ * document, given the provided auth options.
+ *
+ * @returns True if the recipient can perform the requested operation.
+ */
+export const isRecipientAuthorized = async ({
+  type,
+  document,
+  recipient,
+  userId,
+  authOptions,
+}: IsRecipientAuthorizedOptions): Promise<boolean> => {
+  const { derivedRecipientAccessAuth, derivedRecipientActionAuth } = extractDocumentAuthMethods({
+    documentAuth: document.authOptions,
+    recipientAuth: recipient.authOptions,
+  });
+
+  const authMethod: TDocumentAuth | null =
+    type === 'ACCESS' ? derivedRecipientAccessAuth : derivedRecipientActionAuth;
+
+  // Early true return when auth is not required.
+  if (!authMethod || authMethod === DocumentAuth.EXPLICIT_NONE) {
+    return true;
+  }
+
+  // Authentication required does not match provided method.
+  if (authOptions && authOptions.type !== authMethod) {
+    return false;
+  }
+
+  return await match(authMethod)
+    .with(DocumentAuth.ACCOUNT, async () => {
+      if (userId === undefined) {
+        return false;
+      }
+
+      const recipientUser = await getRecipient(recipient.email);
+
+      if (!recipientUser) {
+        return false;
+      }
+
+      return recipientUser.id === userId;
+    })
+    .exhaustive();
+};