Merge remote-tracking branch 'origin/develop' into more-fixes

2025-11-13 08:12:40 +10:00 · 2025-05-15 13:38:46 -04:00
parent 9d2aded70f ce27f76856
commit 1165d86c2c
22 changed files with 331 additions and 161 deletions
--- a/server/api/v1/client/auth/initiate.post.ts
+++ b/server/api/v1/client/auth/initiate.post.ts
@ -1,3 +1,10 @@
+import type {
+  CapabilityConfiguration,
+  InternalClientCapability,
+} from "~/server/internal/clients/capabilities";
+import capabilityManager, {
+  validCapabilities,
+} from "~/server/internal/clients/capabilities";
 import clientHandler from "~/server/internal/clients/handler";
 import { parsePlatform } from "~/server/internal/utils/parseplatform";

@ -6,6 +13,8 @@ export default defineEventHandler(async (h3) => {

  const name = body.name;
  const platformRaw = body.platform;
+  const capabilities: Partial<CapabilityConfiguration> =
+    body.capabilities ?? {};

  if (!name || !platformRaw)
    throw createError({
@ -20,7 +29,46 @@ export default defineEventHandler(async (h3) => {
      statusMessage: "Invalid or unsupported platform",
    });

-  const clientId = await clientHandler.initiate({ name, platform });
+  if (!capabilities || typeof capabilities !== "object")
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Capabilities must be an array",
+    });
+
+  const capabilityIterable = Object.entries(capabilities) as Array<
+    [InternalClientCapability, object]
+  >;
+  if (
+    capabilityIterable.length > 0 &&
+    capabilityIterable
+      .map(([capability]) => validCapabilities.find((v) => capability == v))
+      .filter((e) => e).length == 0
+  )
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Invalid capabilities.",
+    });
+
+  if (
+    capabilityIterable.length > 0 &&
+    capabilityIterable.filter(
+      ([capability, configuration]) =>
+        !capabilityManager.validateCapabilityConfiguration(
+          capability,
+          configuration,
+        ),
+    ).length > 0
+  )
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Invalid capability configuration.",
+    });
+
+  const clientId = await clientHandler.initiate({
+    name,
+    platform,
+    capabilities,
+  });

  return `/client/${clientId}/callback`;
 });
--- a/server/api/v1/client/capability/index.post.ts
+++ b/server/api/v1/client/capability/index.post.ts
@ -55,7 +55,7 @@ export default defineClientEventHandler(
      title: `"${client.name}" can now access ${capability}`,
      description: `A device called "${client.name}" now has access to your ${capability}.`,
      actions: ["Review|/account/devices"],
-      requiredPerms: ["clients:read"],
+      acls: ["user:clients:read"],
    });

    return {};
--- a/server/api/v1/notifications/index.get.ts
+++ b/server/api/v1/notifications/index.get.ts
@ -5,17 +5,19 @@ export default defineEventHandler(async (h3) => {
  const userId = await aclManager.getUserIdACL(h3, ["notifications:read"]);
  if (!userId) throw createError({ statusCode: 403 });

-  const userIds = [userId];
-  const hasSystemPerms = await aclManager.allowSystemACL(h3, [
-    "notifications:mark",
-  ]);
-  if (hasSystemPerms) {
-    userIds.push("system");
-  }
+  const acls = await aclManager.fetchAllACLs(h3);
+  if (!acls)
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Got userId but no ACLs - what?",
+    });

  const notifications = await prisma.notification.findMany({
    where: {
-      userId: { in: userIds },
+      userId,
+      acls: {
+        hasSome: acls,
+      },
    },
    orderBy: {
      created: "desc", // Newest first
--- a/server/api/v1/notifications/readall.post.ts
+++ b/server/api/v1/notifications/readall.post.ts
@ -5,17 +5,19 @@ export default defineEventHandler(async (h3) => {
  const userId = await aclManager.getUserIdACL(h3, ["notifications:mark"]);
  if (!userId) throw createError({ statusCode: 403 });

-  const userIds = [userId];
-  const hasSystemPerms = await aclManager.allowSystemACL(h3, [
-    "notifications:mark",
-  ]);
-  if (hasSystemPerms) {
-    userIds.push("system");
-  }
+  const acls = await aclManager.fetchAllACLs(h3);
+  if (!acls)
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Got userId but no ACLs - what?",
+    });

  await prisma.notification.updateMany({
    where: {
-      userId: { in: userIds },
+      userId,
+      acls: {
+        hasSome: acls,
+      },
    },
    data: {
      read: true,
--- a/server/api/v1/notifications/ws.get.ts
+++ b/server/api/v1/notifications/ws.get.ts
@ -14,22 +14,17 @@ export default defineWebSocketHandler({
      return;
    }

-    const userIds = [userId];
-
-    const hasSystemPerms = await aclManager.allowSystemACL(h3, [
-      "notifications:listen",
-    ]);
-    if (hasSystemPerms) {
-      userIds.push("system");
+    const acls = await aclManager.fetchAllACLs(h3);
+    if (!acls) {
+      peer.send("unauthenticated");
+      return;
    }

    socketSessions.set(peer.id, userId);

-    for (const listenUserId of userIds) {
-      notificationSystem.listen(listenUserId, peer.id, (notification) => {
-        peer.send(JSON.stringify(notification));
-      });
-    }
+    notificationSystem.listen(userId, acls, peer.id, (notification) => {
+      peer.send(JSON.stringify(notification));
+    });
  },
  async close(peer, _details) {
    const userId = socketSessions.get(peer.id);