Implement frontend checkAccess

Author: lcharette

packages/sprinkle-account/app/assets/composables/index.ts

@@ -4,3 +4,4 @@ export { useRegisterApi } from './useRegisterApi'
 export { useUserProfileEditApi } from './useUserProfileEditApi'
 export { useUserPasswordEditApi } from './useUserPasswordEditApi'
 export { useUserEmailEditApi } from './useUserEmailEditApi'
+export { useAuthorizationManager } from './useAuthorizationManager'

packages/sprinkle-account/app/assets/composables/useAuthorizationManager.ts

@@ -0,0 +1,65 @@
+import { useConfigStore } from '@userfrosting/sprinkle-core/stores'
+import type { UserDataInterface } from '../interfaces'
+
+/**
+ * API Composable
+ */
+export function useAuthorizationManager(user: UserDataInterface | null) {
+    function checkAccess(slug: string): Boolean {
+        // Trace debug information
+        debugAuth(`==> Checking authorization access for ${user?.user_name}`, {
+            user,
+            slug
+        })
+
+        // Deny access if no user is defined.
+        if (user === null) {
+            debugAuth('No user defined. Access denied.')
+
+            return false
+        }
+
+        // The master (root) account has access to everything.
+        if (user.is_master) {
+            debugAuth('User is the master (root) user. Access granted.')
+
+            return true
+        }
+
+        // Find all permissions that apply to this user (via roles), and check if any evaluate to true.
+        if (user.permissions === null || user.permissions[slug] === undefined) {
+            debugAuth('No permissions found. Access denied.')
+
+            return false
+        }
+
+        // Find matching permission conditions
+        const conditions = user.permissions[slug]
+        debugAuth('Found matching permission conditions', conditions)
+
+        // Check if any condition is 'always()'
+        if (conditions.some((condition) => condition === 'always()')) {
+            debugAuth(`User passed conditions 'always()'. Access granted.`)
+
+            return true
+        } else if (conditions.length !== 0) {
+            // We don't support other condition than always(). Log a warning and don't accept.
+            debugAuth(`Unsupported conditions found. Only 'always()' is supported.`)
+        }
+
+        debugAuth('User failed to pass any of the matched permissions. Access denied.')
+
+        return false
+    }
+
+    function debugAuth(message: string, payload?: any): void {
+        const config = useConfigStore()
+        if (config.get('site.debug.auth', false)) {
+            console.debug(message, payload)
+        }
+    }
+
+    return {
+        checkAccess
+    }
+}

packages/sprinkle-account/app/assets/interfaces/AuthCheckApi.ts

@@ -1,4 +1,4 @@
-import type { UserInterface, UserPermissionsMapInterface } from './'
+import type { UserDataInterface } from './'
 
 /**
  * API Interfaces - What the API expects and what it returns
@@ -11,7 +11,4 @@ import type { UserInterface, UserPermissionsMapInterface } from './'
  *
  * This api doesn't have a corresponding Request data interface.
  */
-export interface AuthCheckResponse {
-    user: UserInterface | null
-    permissions: UserPermissionsMapInterface | null
-}
+export interface AuthCheckResponse extends UserDataInterface {}

packages/sprinkle-account/app/assets/interfaces/LoginApi.ts

@@ -1,4 +1,4 @@
-import type { UserInterface, UserPermissionsMapInterface } from './'
+import type { UserDataInterface } from './'
 
 /**
  * API Interfaces - What the API expects and what it returns
@@ -12,8 +12,7 @@ export interface LoginRequest {
 }
 
 export interface LoginResponse {
-    user: UserInterface
-    permissions: UserPermissionsMapInterface
+    user: UserDataInterface
     message: string
     redirect: string
 }

packages/sprinkle-account/app/assets/interfaces/UserDataInterface.ts

@@ -0,0 +1,11 @@
+import type { UserInterface, UserPermissionsMapInterface } from './'
+
+/**
+ * Special user interface that includes permissions and master status.
+ * This interface is used by the auth store to store the current user with extra
+ * information needed for authorization.
+ */
+export interface UserDataInterface extends UserInterface {
+    permissions: UserPermissionsMapInterface
+    is_master: boolean
+}

packages/sprinkle-account/app/assets/interfaces/index.ts

@@ -9,3 +9,4 @@ export type { PasswordEditRequest } from './PasswordEditApi'
 export type { EmailEditRequest } from './EmailEditApi'
 export type { RegisterRequest, RegisterResponse } from './RegisterApi'
 export type { LoginRequest, LoginResponse } from './LoginApi'
+export type { UserDataInterface } from './UserDataInterface'

packages/sprinkle-account/app/assets/stores/auth.ts

@@ -1,40 +1,43 @@
 import { defineStore } from 'pinia'
 import axios from 'axios'
 import type {
-    UserInterface,
     LoginRequest,
     LoginResponse,
     AuthCheckResponse,
-    UserPermissionsMapInterface
+    UserDataInterface
 } from '../interfaces'
 import { type AlertInterface, Severity } from '@userfrosting/sprinkle-core/interfaces'
 import { useTranslator } from '@userfrosting/sprinkle-core/stores'
+import { useAuthorizationManager } from '../composables/useAuthorizationManager'
 
 export const useAuthStore = defineStore('auth', {
     persist: true,
     state: () => {
         return {
-            user: null as UserInterface | null,
-            permissions: null as UserPermissionsMapInterface | null
+            user: null as UserDataInterface | null
         }
     },
     getters: {
-        isAuthenticated: (state): boolean => state.user !== null
+        isAuthenticated: (state): boolean => state.user !== null,
+        checkAccess:
+            (state) =>
+            (slug: string): Boolean => {
+                const authorizer = useAuthorizationManager(state.user)
+                return authorizer.checkAccess(slug)
+            }
     },
     actions: {
-        setUser(user: UserInterface, permissions: UserPermissionsMapInterface): void {
+        setUser(user: UserDataInterface): void {
             this.user = user
-            this.permissions = permissions
         },
         unsetUser(): void {
             this.user = null
-            this.permissions = null
         },
         async login(form: LoginRequest) {
             return axios
                 .post<LoginResponse>('/account/login', form)
                 .then((response) => {
-                    this.setUser(response.data.user, response.data.permissions)
+                    this.setUser(response.data.user)
 
                     // Reload the translator dictionary to reflect the user's language
                     useTranslator().load()
@@ -58,27 +61,26 @@ export const useAuthStore = defineStore('auth', {
             return axios
                 .get<AuthCheckResponse>('/account/auth-check')
                 .then((response) => {
-                    if (response.data.user === null) {
-                        this.unsetUser()
-                    } else {
-                        this.setUser(response.data.user, response.data.permissions ?? {})
-                    }
+                    this.setUser(response.data)
 
                     return this.user
                 })
                 .catch((err) => {
-                    this.unsetUser()
+                    // Test status is 401 and unset user, otherwise, throw error
+                    if (err.response.status === 401) {
+                        this.unsetUser()
+                    } else {
+                        const error: AlertInterface = {
+                            ...{
+                                description: 'An error as occurred',
+                                style: Severity.Danger,
+                                closeBtn: true
+                            },
+                            ...err.response.data
+                        }
 
-                    const error: AlertInterface = {
-                        ...{
-                            description: 'An error as occurred',
-                            style: Severity.Danger,
-                            closeBtn: true
-                        },
-                        ...err.response.data
+                        throw error
                     }
-
-                    throw error
                 })
         },
         async logout() {

packages/sprinkle-account/app/assets/tests/composables/useAuthorizationManager.test.ts

@@ -0,0 +1,109 @@
+import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest'
+import { useConfigStore } from '@userfrosting/sprinkle-core/stores'
+import { useAuthorizationManager } from '../../composables'
+import type { UserDataInterface } from 'app/assets/interfaces'
+
+// Mock the user and it's permissions
+const mockUser: UserDataInterface = {
+    id: 1,
+    user_name: 'test_user',
+    first_name: 'Test',
+    last_name: 'User',
+    full_name: 'Test User',
+    email: 'test_user@example.com',
+    avatar: '',
+    flag_enabled: true,
+    flag_verified: true,
+    group_id: null,
+    locale: 'en_US',
+    created_at: new Date().toString(),
+    updated_at: new Date().toString(),
+    deleted_at: null,
+    is_master: false,
+    permissions: {
+        'test.permission': ['always()'],
+        'unsupported.permission': ['unsupportedCondition()'],
+        'multiple.conditions': ['always()', 'unsupportedCondition()']
+    }
+}
+
+// Mock the config store
+vi.mock('@userfrosting/sprinkle-core/stores')
+const mockUseConfigStore = {
+    get: vi.fn()
+}
+
+describe('useAuthorizationManager', () => {
+    afterEach(() => {
+        vi.clearAllMocks()
+        vi.resetAllMocks()
+    })
+
+    beforeEach(() => {
+        // Mock the config store
+        mockUseConfigStore.get.mockReturnValue(true)
+        vi.mocked(useConfigStore).mockReturnValue(mockUseConfigStore as any)
+
+        // Mock console.debug
+        vi.spyOn(console, 'debug').mockImplementation(() => {})
+    })
+
+    test('should deny access if no user is defined', () => {
+        const { checkAccess } = useAuthorizationManager(null)
+        expect(checkAccess('test.permission')).toBe(false)
+        expect(console.debug).toHaveBeenCalledWith('No user defined. Access denied.', undefined)
+    })
+
+    test('should deny access if no permissions are defined', () => {
+        // Force mock user permissions to be empty
+        const mockUserWithNoPermissions = { ...mockUser, permissions: {} }
+        const { checkAccess } = useAuthorizationManager(mockUserWithNoPermissions)
+        expect(checkAccess('test.permission')).toBe(false)
+    })
+
+    test('should deny access if the permission slug is not found', () => {
+        const { checkAccess } = useAuthorizationManager(mockUser)
+        expect(checkAccess('nonexistent.permission')).toBe(false)
+    })
+
+    test('should grant access if the condition is "always()"', () => {
+        const { checkAccess } = useAuthorizationManager(mockUser)
+        expect(checkAccess('test.permission')).toBe(true)
+    })
+
+    test('should grant access if the user is the master user', () => {
+        // Force mock user permissions to be empty
+        const mockUserIsMaster = { ...mockUser, is_master: true }
+        const { checkAccess } = useAuthorizationManager(mockUserIsMaster)
+
+        // Accept even if the condition is unsupported or doesn't exist
+        expect(checkAccess('test.permission')).toBe(true)
+        expect(checkAccess('unsupported.permission')).toBe(true)
+        expect(checkAccess('exist.not')).toBe(true)
+    })
+
+    test('should deny access if the condition is unsupported', () => {
+        const { checkAccess } = useAuthorizationManager(mockUser)
+        expect(checkAccess('unsupported.permission')).toBe(false)
+    })
+
+    test('should grant access if conditions contains one "always()"', () => {
+        const { checkAccess } = useAuthorizationManager(mockUser)
+        expect(checkAccess('multiple.conditions')).toBe(true)
+    })
+
+    test('should deny access if no conditions are met', () => {
+        const { checkAccess } = useAuthorizationManager(mockUser)
+        expect(checkAccess('exist.not')).toBe(false)
+    })
+
+    test('should not send debug to console if config disabled', () => {
+        // Disable debug for this test
+        mockUseConfigStore.get.mockReturnValue(false)
+        vi.mocked(useConfigStore).mockReturnValue(mockUseConfigStore as any)
+
+        const { checkAccess } = useAuthorizationManager(null)
+        expect(checkAccess('test.permission')).toBe(false)
+        expect(console.debug).not.toHaveBeenCalled()
+    })
+})