feat: add document auth (#1029)

2025-11-13 00:03:33 +10:00 · 2024-03-28 13:13:29 +08:00
parent 956562d3b4
commit a54eb54ef7
77 changed files with 3904 additions and 846 deletions
--- a/packages/lib/types/document-audit-logs.ts
+++ b/packages/lib/types/document-audit-logs.ts
@ -8,6 +8,8 @@ import { z } from 'zod';

 import { FieldType } from '@documenso/prisma/client';

+import { ZRecipientActionAuthTypesSchema } from './document-auth';
+
 export const ZDocumentAuditLogTypeSchema = z.enum([
  // Document actions.
  'EMAIL_SENT',
@ -26,6 +28,8 @@ export const ZDocumentAuditLogTypeSchema = z.enum([
  'DOCUMENT_DELETED', // When the document is soft deleted.
  'DOCUMENT_FIELD_INSERTED', // When a field is inserted (signed/approved/etc) by a recipient.
  'DOCUMENT_FIELD_UNINSERTED', // When a field is uninserted by a recipient.
+  'DOCUMENT_GLOBAL_AUTH_ACCESS_UPDATED', // When the global access authentication is updated.
+  'DOCUMENT_GLOBAL_AUTH_ACTION_UPDATED', // When the global action authentication is updated.
  'DOCUMENT_META_UPDATED', // When the document meta data is updated.
  'DOCUMENT_OPENED', // When the document is opened by a recipient.
  'DOCUMENT_RECIPIENT_COMPLETED', // When a recipient completes all their required tasks for the document.
@ -51,7 +55,13 @@ export const ZDocumentMetaDiffTypeSchema = z.enum([
 ]);

 export const ZFieldDiffTypeSchema = z.enum(['DIMENSION', 'POSITION']);
-export const ZRecipientDiffTypeSchema = z.enum(['NAME', 'ROLE', 'EMAIL']);
+export const ZRecipientDiffTypeSchema = z.enum([
+  'NAME',
+  'ROLE',
+  'EMAIL',
+  'ACCESS_AUTH',
+  'ACTION_AUTH',
+]);

 export const DOCUMENT_AUDIT_LOG_TYPE = ZDocumentAuditLogTypeSchema.Enum;
 export const DOCUMENT_EMAIL_TYPE = ZDocumentAuditLogEmailTypeSchema.Enum;
@ -107,25 +117,34 @@ export const ZDocumentAuditLogFieldDiffSchema = z.union([
  ZFieldDiffPositionSchema,
 ]);

-export const ZRecipientDiffNameSchema = z.object({
+export const ZGenericFromToSchema = z.object({
+  from: z.string().nullable(),
+  to: z.string().nullable(),
+});
+
+export const ZRecipientDiffActionAuthSchema = ZGenericFromToSchema.extend({
+  type: z.literal(RECIPIENT_DIFF_TYPE.ACCESS_AUTH),
+});
+
+export const ZRecipientDiffAccessAuthSchema = ZGenericFromToSchema.extend({
+  type: z.literal(RECIPIENT_DIFF_TYPE.ACTION_AUTH),
+});
+
+export const ZRecipientDiffNameSchema = ZGenericFromToSchema.extend({
  type: z.literal(RECIPIENT_DIFF_TYPE.NAME),
-  from: z.string(),
-  to: z.string(),
 });

-export const ZRecipientDiffRoleSchema = z.object({
+export const ZRecipientDiffRoleSchema = ZGenericFromToSchema.extend({
  type: z.literal(RECIPIENT_DIFF_TYPE.ROLE),
-  from: z.string(),
-  to: z.string(),
 });

-export const ZRecipientDiffEmailSchema = z.object({
+export const ZRecipientDiffEmailSchema = ZGenericFromToSchema.extend({
  type: z.literal(RECIPIENT_DIFF_TYPE.EMAIL),
-  from: z.string(),
-  to: z.string(),
 });

-export const ZDocumentAuditLogRecipientDiffSchema = z.union([
+export const ZDocumentAuditLogRecipientDiffSchema = z.discriminatedUnion('type', [
+  ZRecipientDiffActionAuthSchema,
+  ZRecipientDiffAccessAuthSchema,
  ZRecipientDiffNameSchema,
  ZRecipientDiffRoleSchema,
  ZRecipientDiffEmailSchema,
@ -217,11 +236,11 @@ export const ZDocumentAuditLogEventDocumentFieldInsertedSchema = z.object({
        data: z.string(),
      }),
    ]),
-
-    // Todo: Replace with union once we have more field security types.
-    fieldSecurity: z.object({
-      type: z.literal('NONE'),
-    }),
+    fieldSecurity: z
+      .object({
+        type: ZRecipientActionAuthTypesSchema,
+      })
+      .optional(),
  }),
 });

@ -236,6 +255,22 @@ export const ZDocumentAuditLogEventDocumentFieldUninsertedSchema = z.object({
  }),
 });

+/**
+ * Event: Document global authentication access updated.
+ */
+export const ZDocumentAuditLogEventDocumentGlobalAuthAccessUpdatedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_GLOBAL_AUTH_ACCESS_UPDATED),
+  data: ZGenericFromToSchema,
+});
+
+/**
+ * Event: Document global authentication action updated.
+ */
+export const ZDocumentAuditLogEventDocumentGlobalAuthActionUpdatedSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_GLOBAL_AUTH_ACTION_UPDATED),
+  data: ZGenericFromToSchema,
+});
+
 /**
 * Event: Document meta updated.
 */
@ -251,7 +286,9 @@ export const ZDocumentAuditLogEventDocumentMetaUpdatedSchema = z.object({
 */
 export const ZDocumentAuditLogEventDocumentOpenedSchema = z.object({
  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_OPENED),
-  data: ZBaseRecipientDataSchema,
+  data: ZBaseRecipientDataSchema.extend({
+    accessAuth: z.string().optional(),
+  }),
 });

 /**
@ -259,7 +296,9 @@ export const ZDocumentAuditLogEventDocumentOpenedSchema = z.object({
 */
 export const ZDocumentAuditLogEventDocumentRecipientCompleteSchema = z.object({
  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_RECIPIENT_COMPLETED),
-  data: ZBaseRecipientDataSchema,
+  data: ZBaseRecipientDataSchema.extend({
+    actionAuth: z.string().optional(),
+  }),
 });

 /**
@ -303,7 +342,9 @@ export const ZDocumentAuditLogEventFieldRemovedSchema = z.object({
 export const ZDocumentAuditLogEventFieldUpdatedSchema = z.object({
  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.FIELD_UPDATED),
  data: ZBaseFieldEventDataSchema.extend({
-    changes: z.array(ZDocumentAuditLogFieldDiffSchema),
+    // Provide an empty array as a migration workaround due to a mistake where we were
+    // not passing through any changes via API/v1 due to a type error.
+    changes: z.preprocess((x) => x || [], z.array(ZDocumentAuditLogFieldDiffSchema)),
  }),
 });

@ -312,7 +353,9 @@ export const ZDocumentAuditLogEventFieldUpdatedSchema = z.object({
 */
 export const ZDocumentAuditLogEventRecipientAddedSchema = z.object({
  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.RECIPIENT_CREATED),
-  data: ZBaseRecipientDataSchema,
+  data: ZBaseRecipientDataSchema.extend({
+    actionAuth: ZRecipientActionAuthTypesSchema.optional(),
+  }),
 });

 /**
@ -352,6 +395,8 @@ export const ZDocumentAuditLogSchema = ZDocumentAuditLogBaseSchema.and(
    ZDocumentAuditLogEventDocumentDeletedSchema,
    ZDocumentAuditLogEventDocumentFieldInsertedSchema,
    ZDocumentAuditLogEventDocumentFieldUninsertedSchema,
+    ZDocumentAuditLogEventDocumentGlobalAuthAccessUpdatedSchema,
+    ZDocumentAuditLogEventDocumentGlobalAuthActionUpdatedSchema,
    ZDocumentAuditLogEventDocumentMetaUpdatedSchema,
    ZDocumentAuditLogEventDocumentOpenedSchema,
    ZDocumentAuditLogEventDocumentRecipientCompleteSchema,
--- a/packages/lib/types/document-auth.ts
+++ b/packages/lib/types/document-auth.ts
@ -0,0 +1,121 @@
+import { z } from 'zod';
+
+/**
+ * All the available types of document authentication options for both access and action.
+ */
+export const ZDocumentAuthTypesSchema = z.enum(['ACCOUNT', 'EXPLICIT_NONE']);
+export const DocumentAuth = ZDocumentAuthTypesSchema.Enum;
+
+const ZDocumentAuthAccountSchema = z.object({
+  type: z.literal(DocumentAuth.ACCOUNT),
+});
+
+const ZDocumentAuthExplicitNoneSchema = z.object({
+  type: z.literal(DocumentAuth.EXPLICIT_NONE),
+});
+
+/**
+ * All the document auth methods for both accessing and actioning.
+ */
+export const ZDocumentAuthMethodsSchema = z.discriminatedUnion('type', [
+  ZDocumentAuthAccountSchema,
+  ZDocumentAuthExplicitNoneSchema,
+]);
+
+/**
+ * The global document access auth methods.
+ *
+ * Must keep these two in sync.
+ */
+export const ZDocumentAccessAuthSchema = z.discriminatedUnion('type', [ZDocumentAuthAccountSchema]);
+export const ZDocumentAccessAuthTypesSchema = z.enum([DocumentAuth.ACCOUNT]);
+
+/**
+ * The global document action auth methods.
+ *
+ * Must keep these two in sync.
+ */
+export const ZDocumentActionAuthSchema = z.discriminatedUnion('type', [ZDocumentAuthAccountSchema]); // Todo: Add passkeys here.
+export const ZDocumentActionAuthTypesSchema = z.enum([DocumentAuth.ACCOUNT]);
+
+/**
+ * The recipient access auth methods.
+ *
+ * Must keep these two in sync.
+ */
+export const ZRecipientAccessAuthSchema = z.discriminatedUnion('type', [
+  ZDocumentAuthAccountSchema,
+]);
+export const ZRecipientAccessAuthTypesSchema = z.enum([DocumentAuth.ACCOUNT]);
+
+/**
+ * The recipient action auth methods.
+ *
+ * Must keep these two in sync.
+ */
+export const ZRecipientActionAuthSchema = z.discriminatedUnion('type', [
+  ZDocumentAuthAccountSchema, // Todo: Add passkeys here.
+  ZDocumentAuthExplicitNoneSchema,
+]);
+export const ZRecipientActionAuthTypesSchema = z.enum([
+  DocumentAuth.ACCOUNT,
+  DocumentAuth.EXPLICIT_NONE,
+]);
+
+export const DocumentAccessAuth = ZDocumentAccessAuthTypesSchema.Enum;
+export const DocumentActionAuth = ZDocumentActionAuthTypesSchema.Enum;
+export const RecipientAccessAuth = ZRecipientAccessAuthTypesSchema.Enum;
+export const RecipientActionAuth = ZRecipientActionAuthTypesSchema.Enum;
+
+/**
+ * Authentication options attached to the document.
+ */
+export const ZDocumentAuthOptionsSchema = z.preprocess(
+  (unknownValue) => {
+    if (unknownValue) {
+      return unknownValue;
+    }
+
+    return {
+      globalAccessAuth: null,
+      globalActionAuth: null,
+    };
+  },
+  z.object({
+    globalAccessAuth: ZDocumentAccessAuthTypesSchema.nullable(),
+    globalActionAuth: ZDocumentActionAuthTypesSchema.nullable(),
+  }),
+);
+
+/**
+ * Authentication options attached to the recipient.
+ */
+export const ZRecipientAuthOptionsSchema = z.preprocess(
+  (unknownValue) => {
+    if (unknownValue) {
+      return unknownValue;
+    }
+
+    return {
+      accessAuth: null,
+      actionAuth: null,
+    };
+  },
+  z.object({
+    accessAuth: ZRecipientAccessAuthTypesSchema.nullable(),
+    actionAuth: ZRecipientActionAuthTypesSchema.nullable(),
+  }),
+);
+
+export type TDocumentAuth = z.infer<typeof ZDocumentAuthTypesSchema>;
+export type TDocumentAuthMethods = z.infer<typeof ZDocumentAuthMethodsSchema>;
+export type TDocumentAuthOptions = z.infer<typeof ZDocumentAuthOptionsSchema>;
+export type TDocumentAccessAuth = z.infer<typeof ZDocumentAccessAuthSchema>;
+export type TDocumentAccessAuthTypes = z.infer<typeof ZDocumentAccessAuthTypesSchema>;
+export type TDocumentActionAuth = z.infer<typeof ZDocumentActionAuthSchema>;
+export type TDocumentActionAuthTypes = z.infer<typeof ZDocumentActionAuthTypesSchema>;
+export type TRecipientAccessAuth = z.infer<typeof ZRecipientAccessAuthSchema>;
+export type TRecipientAccessAuthTypes = z.infer<typeof ZRecipientAccessAuthTypesSchema>;
+export type TRecipientActionAuth = z.infer<typeof ZRecipientActionAuthSchema>;
+export type TRecipientActionAuthTypes = z.infer<typeof ZRecipientActionAuthTypesSchema>;
+export type TRecipientAuthOptions = z.infer<typeof ZRecipientAuthOptionsSchema>;