Merge pull request #1142 from joshunrau/dev

fix: issue where additional permissions are not added to the JWT

Author: joshunrau

apps/api/package.json

@@ -17,7 +17,7 @@
   "dependencies": {
     "@douglasneuroinformatics/libcrypto": "catalog:",
     "@douglasneuroinformatics/libjs": "catalog:",
-    "@douglasneuroinformatics/libnest": "^5.2.0",
+    "@douglasneuroinformatics/libnest": "^5.3.0",
     "@douglasneuroinformatics/libpasswd": "catalog:",
     "@douglasneuroinformatics/libstats": "catalog:",
     "@faker-js/faker": "^9.4.0",

apps/api/src/vendor/configured.auth.module.ts

@@ -3,6 +3,7 @@ import type { Model } from '@douglasneuroinformatics/libnest';
 import { Module } from '@nestjs/common';
 import { $LoginCredentials } from '@opendatacapture/schemas/auth';
 import type { JwtPayload } from '@opendatacapture/schemas/auth';
+import { $Permissions } from '@opendatacapture/schemas/core';
 import { $Group } from '@opendatacapture/schemas/group';
 import { $BasePermissionLevel } from '@opendatacapture/schemas/user';
 import { z } from 'zod';
@@ -13,7 +14,7 @@ import { z } from 'zod';
       inject: [getModelToken('User')],
       useFactory: (userModel: Model<'User'>) => {
         return {
-          defineAbility: (ability, payload) => {
+          defineAbility: (ability, payload, metadata) => {
             const groupIds = payload.groups.map((group) => group.id);
             switch (payload.basePermissionLevel) {
               case 'ADMIN':
@@ -41,9 +42,15 @@ import { z } from 'zod';
                 ability.can('read', 'Subject', { groupIds: { hasSome: groupIds } });
                 break;
             }
+            metadata.additionalPermissions?.forEach(({ action, subject }) => {
+              ability.can(action, subject);
+            });
           },
           schemas: {
             loginCredentials: $LoginCredentials,
+            metadata: z.object({
+              additionalPermissions: $Permissions.optional()
+            }),
             tokenPayload: z.object({
               basePermissionLevel: $BasePermissionLevel.nullable(),
               firstName: z.string().nullable(),
@@ -62,6 +69,9 @@ import { z } from 'zod';
             }
             return {
               hashedPassword: user.hashedPassword,
+              metadata: {
+                additionalPermissions: user.additionalPermissions
+              },
               tokenPayload: {
                 basePermissionLevel: user.basePermissionLevel,
                 firstName: user.firstName,

apps/web/src/features/admin/components/UpdateUserForm.tsx

@@ -5,8 +5,8 @@ import { estimatePasswordStrength } from '@douglasneuroinformatics/libpasswd';
 import { Button, Dialog, Form } from '@douglasneuroinformatics/libui/components';
 import { useTranslation } from '@douglasneuroinformatics/libui/hooks';
 import type { FormTypes } from '@opendatacapture/runtime-core';
-import { $UserPermission } from '@opendatacapture/schemas/user';
-import type { UserPermission } from '@opendatacapture/schemas/user';
+import { $UserPermission } from '@opendatacapture/schemas/core';
+import type { UserPermission } from '@opendatacapture/schemas/core';
 import type { Promisable } from 'type-fest';
 import { z } from 'zod';
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "opendatacapture",
   "type": "module",
-  "version": "1.10.0",
+  "version": "1.10.1",
   "private": true,
   "packageManager": "[email protected]",
   "license": "Apache-2.0",

packages/schemas/src/core/core.ts

@@ -23,7 +23,14 @@ export const $AppSubjectName = z.enum([
 
 export type BaseAppAbility = PureAbility<[AppAction, AppSubjectName]>;
 
-export type Permissions = RawRuleOf<BaseAppAbility>[];
+export type UserPermission = z.infer<typeof $UserPermission>;
+export const $UserPermission = z.object({
+  action: $AppAction,
+  subject: $AppSubjectName
+}) satisfies z.ZodType<RawRuleOf<BaseAppAbility>>;
+
+export type Permissions = z.infer<typeof $Permissions>;
+export const $Permissions = z.array($UserPermission);
 
 export const $Language: z.ZodType<Language> = z.enum(['en', 'fr']);
 

packages/schemas/src/user/user.ts

@@ -1,23 +1,15 @@
 import { z } from 'zod';
 
-import { $AppAction, $AppSubjectName, $BaseModel } from '../core/core.js';
+import { $BaseModel, $Permissions } from '../core/core.js';
 import { $Sex } from '../subject/subject.js';
 
 export const $BasePermissionLevel = z.enum(['ADMIN', 'GROUP_MANAGER', 'STANDARD']);
 
 export type BasePermissionLevel = z.infer<typeof $BasePermissionLevel>;
 
-export type UserPermission = z.infer<typeof $UserPermission>;
-export const $UserPermission = z.object({
-  action: $AppAction,
-  subject: $AppSubjectName
-});
-
-export const $AdditionalUserPermissions = z.array($UserPermission);
-
 export type User = z.infer<typeof $User>;
 export const $User = $BaseModel.extend({
-  additionalPermissions: $AdditionalUserPermissions,
+  additionalPermissions: $Permissions,
   basePermissionLevel: $BasePermissionLevel.nullable(),
   dateOfBirth: z.coerce.date().nullish(),
   firstName: z.string().min(1),
@@ -44,5 +36,5 @@ export const $CreateUserData = $User
 
 export type UpdateUserData = z.infer<typeof $UpdateUserData>;
 export const $UpdateUserData = $CreateUserData.partial().extend({
-  additionalPermissions: $AdditionalUserPermissions.optional()
+  additionalPermissions: $Permissions.optional()
 });