Improve security and add utility components for gating access (#15)

* Implement same security level for images as well

* Implement trpc panel for api docs

* Fix build issues with server code on client

* Implement backbone functions for page and component security - client and server side (client side are not meant for security, only UX)

* Implement security hooks and component in other pages

* Add guest user group to groups and make unassignable

* Refactor permission components to be more structurized and less confusing

* Fix RequirePermission component to support any

* Fix type errors

* Add PermissionGates to some wiki pages

Author: barisgit

.env.example

@@ -10,4 +10,6 @@ GITHUB_CLIENT_ID=your-github-client-id
 GITHUB_CLIENT_SECRET=your-github-client-secret
 
 GOOGLE_CLIENT_ID=your-google-client-id
-GOOGLE_CLIENT_SECRET=your-google-client-secret 
+GOOGLE_CLIENT_SECRET=your-google-client-secret 
+
+NEXT_PUBLIC_DEV_MODE=true

docs/permissions.md

@@ -25,6 +25,7 @@
     "@codemirror/language": "^6.11.0",
     "@codemirror/language-data": "^6.5.1",
     "@codemirror/state": "^6.5.2",
+    "@heroicons/react": "^2.2.0",
     "@lezer/highlight": "^1.2.1",
     "@neondatabase/serverless": "^1.0.0",
     "@radix-ui/react-dialog": "^1.1.10",
@@ -107,6 +108,7 @@
     "postcss": "^8.5.3",
     "tailwind-merge": "^3.2.0",
     "tailwindcss": "^4.1.4",
+    "trpc-ui": "^1.0.15",
     "tsx": "^4.19.3",
     "typescript": "^5.8.3"
   }

package.json

@@ -0,0 +1,7 @@
+export default function LoginLayout({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
+  return <div>{children}</div>;
+}

pnpm-lock.yaml

@@ -0,0 +1,54 @@
+"use client";
+
+import { LoginForm } from "~/components/auth/LoginForm";
+import { Suspense, useEffect } from "react";
+import { useRouter } from "next/navigation";
+import { usePermissions } from "~/components/auth/permission/client";
+import { Button } from "~/components/ui/button";
+import { ArrowLeftIcon } from "lucide-react";
+
+export default function LoginPage() {
+  const router = useRouter();
+  const { isAuthenticated, hasPermission } = usePermissions();
+
+  useEffect(() => {
+    if (isAuthenticated) {
+      router.push("/");
+    }
+  }, [isAuthenticated, router]);
+
+  const hasWikiReadPermission = hasPermission("wiki:page:read");
+
+  return (
+    <div className="flex flex-col items-center justify-center min-h-screen px-4 py-12 sm:px-6 lg:px-8 bg-background-paper">
+      <div className="w-full max-w-md space-y-8">
+        <div>
+          <h2 className="mt-6 text-3xl font-bold tracking-tight text-center">
+            Sign in to NextWiki
+          </h2>
+          {!hasWikiReadPermission && (
+            <p className="mt-2 text-sm text-center text-text-secondary">
+              This is a private wiki. You need to be logged in to access it.
+            </p>
+          )}
+        </div>
+
+        <Suspense fallback={<div>Loading login form...</div>}>
+          <LoginForm />
+        </Suspense>
+      </div>
+
+      {/* Show the back to home button if the user has the wiki:page:read permission, otherwise they will be redirected back here so no need to show it */}
+      {hasWikiReadPermission && (
+        <Button
+          className="fixed rounded-full bottom-16 left-16"
+          variant="outlined"
+          onClick={() => router.push("/")}
+        >
+          <ArrowLeftIcon className="w-4 h-4" />
+          Back to home
+        </Button>
+      )}
+    </div>
+  );
+}

src/app/(auth)/layout.tsx

@@ -0,0 +1,51 @@
+"use client";
+
+import { ArrowLeftIcon } from "lucide-react";
+import { useRouter } from "next/navigation";
+import { useEffect } from "react";
+import { RegisterForm } from "~/components/auth/RegisterForm";
+import { usePermissions } from "~/components/auth/permission/client";
+import { Button } from "~/components/ui/button";
+
+export default function RegisterPage({
+  isFirstUser = false,
+}: {
+  isFirstUser?: boolean;
+}) {
+  const router = useRouter();
+  const { isAuthenticated } = usePermissions();
+
+  useEffect(() => {
+    if (isAuthenticated) {
+      router.push("/");
+    }
+  }, [isAuthenticated, router]);
+
+  return (
+    <div className="flex flex-col items-center justify-center h-screen px-4 py-12 sm:px-6 lg:px-8 bg-background-paper">
+      <div className="w-full max-w-md space-y-8">
+        <div>
+          <h2 className="mt-6 text-3xl font-bold tracking-tight text-center">
+            {isFirstUser ? "Create Admin Account" : "Create Account"}
+          </h2>
+          {isFirstUser && (
+            <p className="mt-2 text-sm text-center text-text-secondary">
+              This will be the first user and will have admin privileges
+            </p>
+          )}
+        </div>
+
+        <RegisterForm isFirstUser={isFirstUser} />
+
+        <Button
+          className="fixed rounded-full bottom-16 left-16"
+          variant="outlined"
+          onClick={() => router.push("/")}
+        >
+          <ArrowLeftIcon className="w-4 h-4" />
+          Back to home
+        </Button>
+      </div>
+    </div>
+  );
+}

src/app/(auth)/login/page.tsx

@@ -1,4 +1,4 @@
-import { notFound } from "next/navigation";
+import { notFound, redirect } from "next/navigation";
 import { MainLayout } from "~/components/layout/MainLayout";
 import { WikiPage } from "~/components/wiki/WikiPage";
 import { WikiEditor } from "~/components/wiki/WikiEditor";
@@ -11,6 +11,7 @@ import { authOptions } from "~/lib/auth";
 import { Suspense } from "react";
 import { PageLocationEditor } from "~/components/wiki/PageLocationEditor";
 import { renderWikiMarkdownToHtml } from "~/lib/services/markdown";
+import { authorizationService } from "~/lib/services/authorization";
 
 export const dynamic = "auto";
 export const revalidate = 300; // 5 minutes
@@ -70,12 +71,22 @@ export default async function WikiPageView({
   const resolvedParams = await params;
   const resolvedSearchParams = await searchParams;
 
-  const page = await getWikiPageByPath(resolvedParams.path);
   const session = await getServerSession(authOptions);
   const currentUserId = session?.user?.id
     ? parseInt(session.user.id)
     : undefined;
 
+  const canAccessPage = await authorizationService.hasPermission(
+    currentUserId,
+    "wiki:page:read"
+  );
+
+  if (!canAccessPage) {
+    redirect("/");
+  }
+
+  const page = await getWikiPageByPath(resolvedParams.path);
+
   if (!page) {
     notFound();
   }
@@ -86,6 +97,13 @@ export default async function WikiPageView({
 
   // Edit mode
   if (isEditMode) {
+    const canEditPage = await authorizationService.hasPermission(
+      currentUserId,
+      "wiki:page:update"
+    );
+    if (!canEditPage) {
+      redirect("/");
+    }
     return (
       <WikiEditor
         mode="edit"
@@ -100,6 +118,13 @@ export default async function WikiPageView({
 
   // Move mode
   if (isMoveMode) {
+    const canMovePage = await authorizationService.hasPermission(
+      currentUserId,
+      "wiki:page:move"
+    );
+    if (!canMovePage) {
+      redirect("/");
+    }
     return (
       <MainLayout>
         <PageLocationEditor

src/app/(auth)/register/page.tsx

@@ -0,0 +1,86 @@
+import { Metadata } from "next";
+import { notFound } from "next/navigation";
+import { PermissionGate } from "~/components/auth/permission/server";
+import { PermissionsExample } from "~/components/auth/PermissionsExample";
+import { env } from "~/env";
+
+export const metadata: Metadata = {
+  title: "Permission Examples | NextWiki",
+  description: "Server-side permission checking examples",
+};
+
+export default function PermissionExamplesPage() {
+  if (env.NODE_ENV !== "development") {
+    notFound();
+  }
+
+  return (
+    <div className="container p-6 mx-auto">
+      <h1 className="mb-6 text-3xl font-bold">Permission Examples</h1>
+
+      <div className="p-6 mb-6 rounded-lg shadow-sm bg-background-level1">
+        <h2 className="mb-4 text-xl font-semibold">Single Permission Check</h2>
+
+        <PermissionGate permission="wiki:page:read">
+          <PermissionGate.Authorized>
+            <div className="p-4 rounded bg-success-light text-success">
+              You have permission to read wiki pages.
+            </div>
+          </PermissionGate.Authorized>
+          <PermissionGate.Unauthorized>
+            <div className="p-4 rounded bg-warning-light text-warning">
+              You do not have permission to read wiki pages.
+            </div>
+          </PermissionGate.Unauthorized>
+        </PermissionGate>
+      </div>
+
+      <div className="p-6 mb-6 rounded-lg shadow-sm bg-background-level1">
+        <h2 className="mb-4 text-xl font-semibold">
+          Multiple Permissions Check (Any)
+        </h2>
+
+        <PermissionGate permissions={["wiki:page:create", "wiki:page:update"]}>
+          <PermissionGate.Authorized>
+            <div className="p-4 rounded bg-success-light text-success">
+              You have permission to create or update wiki pages.
+            </div>
+          </PermissionGate.Authorized>
+          <PermissionGate.Unauthorized>
+            <div className="p-4 rounded bg-warning-light text-warning">
+              You do not have permission to create or update wiki pages.
+            </div>
+          </PermissionGate.Unauthorized>
+        </PermissionGate>
+      </div>
+
+      <div className="p-6 rounded-lg shadow-sm bg-background-level1">
+        <h2 className="mb-4 text-xl font-semibold">With Redirect Example</h2>
+        <p className="mb-6 text-sm text-text-secondary">
+          In this example, if you don&apos;t have admin permissions, you would
+          be redirected to the login page. Since we want to show this example,
+          we&apos;re not using the redirect here, but it would look like:
+        </p>
+        <pre className="p-4 overflow-x-auto rounded bg-code-bg text-code-text">
+          {`<PermissionGate.Root
+  permission="system:admin:access" 
+>
+  <PermissionGate.Authorized>
+    Admin content here
+  </PermissionGate.Authorized>
+  <PermissionGate.Unauthorized redirectTo="/login">
+    Redirecting to login...
+  </PermissionGate.Unauthorized>
+</PermissionGate.Root>`}
+        </pre>
+      </div>
+
+      <div className="p-6 mt-6 rounded-lg shadow-sm bg-background-level1">
+        <h2 className="mb-4 text-xl font-semibold">
+          Client-side permission checking
+        </h2>
+        <PermissionsExample />
+      </div>
+    </div>
+  );
+}

src/app/[...path]/page.tsx

@@ -71,7 +71,13 @@ export default async function EditGroupPage({ params }: EditGroupPageProps) {
         <GroupForm
           group={{
             ...group,
-            isLocked: group.isLocked === null ? undefined : group.isLocked,
+            isSystem: group.isSystem === null ? undefined : group.isSystem,
+            isEditable:
+              group.isEditable === null ? undefined : group.isEditable,
+            allowUserAssignment:
+              group.allowUserAssignment === null
+                ? undefined
+                : group.allowUserAssignment,
           }}
           permissions={permissions}
           groupPermissions={groupPermissionIds}