feat: add document auth

2025-11-16 17:51:49 +10:00 · 2024-03-11 19:36:22 +08:00
parent d5c4885c67
commit 8d1b0adbb2
53 changed files with 2548 additions and 713 deletions
--- a/packages/lib/server-only/field/sign-field-with-token.ts
+++ b/packages/lib/server-only/field/sign-field-with-token.ts
@ -8,15 +8,21 @@ import { DocumentStatus, FieldType, SigningStatus } from '@documenso/prisma/clie

 import { DEFAULT_DOCUMENT_DATE_FORMAT } from '../../constants/date-formats';
 import { DEFAULT_DOCUMENT_TIME_ZONE } from '../../constants/time-zones';
+import { AppError, AppErrorCode } from '../../errors/app-error';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
+import type { TRecipientActionAuth } from '../../types/document-auth';
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
+import { extractDocumentAuthMethods } from '../../utils/document-auth';
+import { isRecipientAuthorized } from '../document/is-recipient-authorized';

 export type SignFieldWithTokenOptions = {
  token: string;
  fieldId: number;
  value: string;
  isBase64?: boolean;
+  userId?: number;
+  authOptions?: TRecipientActionAuth;
  requestMetadata?: RequestMetadata;
 };

@ -25,6 +31,8 @@ export const signFieldWithToken = async ({
  fieldId,
  value,
  isBase64,
+  userId,
+  authOptions,
  requestMetadata,
 }: SignFieldWithTokenOptions) => {
  const field = await prisma.field.findFirstOrThrow({
@ -71,6 +79,23 @@ export const signFieldWithToken = async ({
    throw new Error(`Field ${fieldId} has no recipientId`);
  }

+  const { derivedRecipientActionAuth } = extractDocumentAuthMethods({
+    documentAuth: document.authOptions,
+    recipientAuth: recipient.authOptions,
+  });
+
+  const isValid = await isRecipientAuthorized({
+    type: 'ACTION',
+    document: document,
+    recipient: recipient,
+    userId,
+    authOptions,
+  });
+
+  if (!isValid) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, 'Invalid authentication values');
+  }
+
  const documentMeta = await prisma.documentMeta.findFirst({
    where: {
      documentId: document.id,
@ -158,9 +183,11 @@ export const signFieldWithToken = async ({
              data: updatedField.customText,
            }))
            .exhaustive(),
-          fieldSecurity: {
-            type: 'NONE',
-          },
+          fieldSecurity: derivedRecipientActionAuth
+            ? {
+                type: derivedRecipientActionAuth,
+              }
+            : undefined,
        },
      }),
    });