Merge branch 'dev' into feat/resource-policies

2026-05-10 14:24:17 +00:00 · 2026-02-28 01:08:12 +01:00
parent 7b02d4104d 8347203bbe
commit c292578f80
214 changed files with 13059 additions and 7647 deletions
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -132,6 +132,7 @@ export enum ActionsEnum {
    exportLogs = "exportLogs",
    listApprovals = "listApprovals",
    updateApprovals = "updateApprovals",
+    signSshKey = "signSshKey",
    listResourcePolicies = "listResourcePolicies",
    getResourcePolicy = "getResourcePolicy",
    createResourcePolicy = "createResourcePolicy",
--- a/server/auth/canUserAccessSiteResource.ts
+++ b/server/auth/canUserAccessSiteResource.ts
@@ -0,0 +1,45 @@
+import { db } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import { roleSiteResources, userSiteResources } from "@server/db";
+
+export async function canUserAccessSiteResource({
+    userId,
+    resourceId,
+    roleId
+}: {
+    userId: string;
+    resourceId: number;
+    roleId: number;
+}): Promise<boolean> {
+    const roleResourceAccess = await db
+        .select()
+        .from(roleSiteResources)
+        .where(
+            and(
+                eq(roleSiteResources.siteResourceId, resourceId),
+                eq(roleSiteResources.roleId, roleId)
+            )
+        )
+        .limit(1);
+
+    if (roleResourceAccess.length > 0) {
+        return true;
+    }
+
+    const userResourceAccess = await db
+        .select()
+        .from(userSiteResources)
+        .where(
+            and(
+                eq(userSiteResources.userId, userId),
+                eq(userSiteResources.siteResourceId, resourceId)
+            )
+        )
+        .limit(1);
+
+    if (userResourceAccess.length > 0) {
+        return true;
+    }
+
+    return false;
+}
--- a/server/auth/sessions/app.ts
+++ b/server/auth/sessions/app.ts
@@ -3,7 +3,14 @@ import {
    encodeHexLowerCase
 } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
-import { resourceSessions, Session, sessions, User, users } from "@server/db";
+import {
+    resourceSessions,
+    safeRead,
+    Session,
+    sessions,
+    User,
+    users
+} from "@server/db";
 import { db } from "@server/db";
 import { eq, inArray } from "drizzle-orm";
 import config from "@server/lib/config";
@@ -54,11 +61,15 @@ export async function validateSessionToken(
    const sessionId = encodeHexLowerCase(
        sha256(new TextEncoder().encode(token))
    );
-    const result = await db
-        .select({ user: users, session: sessions })
-        .from(sessions)
-        .innerJoin(users, eq(sessions.userId, users.userId))
-        .where(eq(sessions.sessionId, sessionId));
+
+    const result = await safeRead((db) =>
+        db
+            .select({ user: users, session: sessions })
+            .from(sessions)
+            .innerJoin(users, eq(sessions.userId, users.userId))
+            .where(eq(sessions.sessionId, sessionId))
+    );
+
    if (result.length < 1) {
        return { session: null, user: null };
    }
--- a/server/auth/sessions/resource.ts
+++ b/server/auth/sessions/resource.ts
@@ -1,7 +1,7 @@
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
 import { resourceSessions, ResourceSession } from "@server/db";
-import { db } from "@server/db";
+import { db, safeRead } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import config from "@server/lib/config";

@@ -66,15 +66,17 @@ export async function validateResourceSessionToken(
    const sessionId = encodeHexLowerCase(
        sha256(new TextEncoder().encode(token))
    );
-    const result = await db
-        .select()
-        .from(resourceSessions)
-        .where(
-            and(
-                eq(resourceSessions.sessionId, sessionId),
-                eq(resourceSessions.resourceId, resourceId)
+    const result = await safeRead((db) =>
+        db
+            .select()
+            .from(resourceSessions)
+            .where(
+                and(
+                    eq(resourceSessions.sessionId, sessionId),
+                    eq(resourceSessions.resourceId, resourceId)
+                )
            )
-        );
+    );

    if (result.length < 1) {
        return { resourceSession: null };
@@ -85,7 +87,7 @@ export async function validateResourceSessionToken(
    if (Date.now() >= resourceSession.expiresAt) {
        await db
            .delete(resourceSessions)
-            .where(eq(resourceSessions.sessionId, resourceSessions.sessionId));
+            .where(eq(resourceSessions.sessionId, sessionId));
        return { resourceSession: null };
    } else if (
        Date.now() >=
@@ -179,7 +181,7 @@ export function serializeResourceSessionCookie(
        return `${cookieName}_s.${now}=${token}; HttpOnly; SameSite=Lax; Expires=${expiresAt.toUTCString()}; Path=/; Secure; Domain=${domain}`;
    } else {
        if (expiresAt === undefined) {
-            return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Path=/; Domain=$domain}`;
+            return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Path=/; Domain=${domain}`;
        }
        return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Expires=${expiresAt.toUTCString()}; Path=/; Domain=${domain}`;
    }