Dev (#1702)

* Initial Typescript models.

* Re-add realtime data

* get distinct sessions for session metrics

* Add queries for new schema.

* Fix Typo.

* Add some api/team endpoints.

* Fix destructure error.

* Fix getWebsites call.

* Ignore typescript build errors.

* Fix enum issue.

* add clickhouse route to deleteWebsite

* Fix Website auth.

* Updated lint-staged config.

* Add permission checks.

* Add user role api.

* Fix error when updating website.

* Fix isAdmin check.  Fix Schema.

* Initial conversion to react-basics.

* Remove user/team transfer from website update.

* delete website in relational query

* Fix login secure token creation.

* Add event type to event.

* Allow user to be added to team with role.

* Updated login form.

* Add Role to TeamUser.

* Add database migration.

* Refactored permissions check. Updated redis lib.

* Feat/um 114 roles and permissions (#1683)

* Auth checkpoint.

* Merge branch 'dev' into feat/um-114-roles-and-permissions

* Add 02 migration.

* Added lib/types.

* Updated schema.

* Updated roles and permissions logic.

* Implement react-basics styles. Fix queries.

* Update website details layout.

* Add 01 migration.

* Fix admin create.

* Update react-basics.

Co-authored-by: Francis Cao <franciscao@gmail.com>
Co-authored-by: Mike Cao <mike@mikecao.com>
Co-authored-by: Mike Cao <moocao@gmail.com>

pages/api/users/[id]/index.ts

@@ -1,8 +1,23 @@
-import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
-import { getUser, deleteUser, updateUser } from 'queries';
+import { NextApiRequestQueryBody } from 'lib/types';
+import { canUpdateUser, canViewUser } from 'lib/auth';
 import { useAuth } from 'lib/middleware';
+import { NextApiResponse } from 'next';
+import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
+import { deleteUser, getUser, updateUser, User } from 'queries';
 
-export default async (req, res) => {
+export interface UserRequestQuery {
+  id: string;
+}
+
+export interface UserRequestBody {
+  username: string;
+  password: string;
+}
+
+export default async (
+  req: NextApiRequestQueryBody<UserRequestQuery, UserRequestBody>,
+  res: NextApiResponse<User>,
+) => {
   await useAuth(req, res);
 
   const {
@@ -11,7 +26,7 @@ export default async (req, res) => {
   const { id } = req.query;
 
   if (req.method === 'GET') {
-    if (id !== userId && !isAdmin) {
+    if (await canViewUser(userId, id)) {
       return unauthorized(res);
     }
 
@@ -21,22 +36,22 @@ export default async (req, res) => {
   }
 
   if (req.method === 'POST') {
-    const { username, password } = req.body;
-
-    if (id !== userId && !isAdmin) {
+    if (await canUpdateUser(userId, id)) {
       return unauthorized(res);
     }
 
+    const { username, password } = req.body;
+
     const user = await getUser({ id });
 
-    const data = {};
+    const data: any = {};
 
     if (password) {
       data.password = hashPassword(password);
     }
 
     // Only admin can change these fields
-    if (isAdmin) {
+    if (username && isAdmin) {
       data.username = username;
     }
 
@@ -55,12 +70,12 @@ export default async (req, res) => {
   }
 
   if (req.method === 'DELETE') {
-    if (id === userId) {
-      return badRequest(res, 'You cannot delete your own user.');
+    if (isAdmin) {
+      return unauthorized(res);
     }
 
-    if (!isAdmin) {
-      return unauthorized(res);
+    if (id === userId) {
+      return badRequest(res, 'You cannot delete your own user.');
     }
 
     await deleteUser(id);

pages/api/users/[id]/password.ts

@@ -1,27 +1,43 @@
-import { getUser, updateUser } from 'queries';
+import { NextApiRequestQueryBody } from 'lib/types';
+import { canUpdateUser } from 'lib/auth';
 import { useAuth } from 'lib/middleware';
+import { NextApiResponse } from 'next';
 import {
   badRequest,
+  checkPassword,
+  hashPassword,
   methodNotAllowed,
   ok,
   unauthorized,
-  checkPassword,
-  hashPassword,
 } from 'next-basics';
-import { allowQuery } from 'lib/auth';
-import { TYPE_USER } from 'lib/constants';
+import { getUser, updateUser, User } from 'queries';
 
-export default async (req, res) => {
+export interface UserPasswordRequestQuery {
+  id: string;
+}
+
+export interface UserPasswordRequestBody {
+  current_password: string;
+  new_password: string;
+}
+
+export default async (
+  req: NextApiRequestQueryBody<UserPasswordRequestQuery, UserPasswordRequestBody>,
+  res: NextApiResponse<User>,
+) => {
   await useAuth(req, res);
 
   const { current_password, new_password } = req.body;
   const { id } = req.query;
-
-  if (!(await allowQuery(req, TYPE_USER))) {
-    return unauthorized(res);
-  }
+  const {
+    user: { id: userId },
+  } = req.auth;
 
   if (req.method === 'POST') {
+    if (canUpdateUser(userId, id)) {
+      return unauthorized(res);
+    }
+
     const user = await getUser({ id });
 
     if (!checkPassword(current_password, user.password)) {

pages/api/users/[id]/websites.ts

@@ -0,0 +1,57 @@
+import { Prisma } from '@prisma/client';
+import { NextApiRequestQueryBody } from 'lib/types';
+import { uuid } from 'lib/crypto';
+import { useAuth, useCors } from 'lib/middleware';
+import { NextApiResponse } from 'next';
+import { methodNotAllowed, ok } from 'next-basics';
+import { createWebsite, getUserWebsites } from 'queries';
+
+export interface WebsitesRequestQuery {}
+
+export interface WebsitesRequestBody {
+  name: string;
+  domain: string;
+  shareId: string;
+  teamId?: string;
+}
+
+export default async (
+  req: NextApiRequestQueryBody<WebsitesRequestQuery, WebsitesRequestBody>,
+  res: NextApiResponse,
+) => {
+  await useCors(req, res);
+  await useAuth(req, res);
+
+  const {
+    user: { id: userId },
+  } = req.auth;
+
+  if (req.method === 'GET') {
+    const websites = await getUserWebsites(userId);
+
+    return ok(res, websites);
+  }
+
+  if (req.method === 'POST') {
+    const { name, domain, shareId, teamId } = req.body;
+
+    const data: Prisma.WebsiteUncheckedCreateInput = {
+      id: uuid(),
+      name,
+      domain,
+      shareId,
+    };
+
+    if (teamId) {
+      data.teamId = teamId;
+    } else {
+      data.userId = userId;
+    }
+
+    const website = await createWebsite(data);
+
+    return ok(res, website);
+  }
+
+  return methodNotAllowed(res);
+};

pages/api/users/index.js

@@ -1,42 +0,0 @@
-import { ok, unauthorized, methodNotAllowed, badRequest, hashPassword } from 'next-basics';
-import { useAuth } from 'lib/middleware';
-import { uuid } from 'lib/crypto';
-import { createUser, getUser, getUsers } from 'queries';
-
-export default async (req, res) => {
-  await useAuth(req, res);
-
-  const {
-    user: { isAdmin },
-  } = req.auth;
-
-  if (!isAdmin) {
-    return unauthorized(res);
-  }
-
-  if (req.method === 'GET') {
-    const users = await getUsers();
-
-    return ok(res, users);
-  }
-
-  if (req.method === 'POST') {
-    const { username, password, id } = req.body;
-
-    const user = await getUser({ username });
-
-    if (user) {
-      return badRequest(res, 'User already exists');
-    }
-
-    const created = await createUser({
-      id: id || uuid(),
-      username,
-      password: hashPassword(password),
-    });
-
-    return ok(res, created);
-  }
-
-  return methodNotAllowed(res);
-};

pages/api/users/index.ts

@@ -0,0 +1,59 @@
+import { NextApiRequestQueryBody } from 'lib/types';
+import { uuid } from 'lib/crypto';
+import { useAuth } from 'lib/middleware';
+import { ROLES } from 'lib/constants';
+import { NextApiResponse } from 'next';
+import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
+import { createUser, getUser, getUsers, User } from 'queries';
+
+export interface UsersRequestBody {
+  username: string;
+  password: string;
+  id: string;
+}
+
+export default async (
+  req: NextApiRequestQueryBody<any, UsersRequestBody>,
+  res: NextApiResponse<User[] | User>,
+) => {
+  await useAuth(req, res);
+
+  const {
+    user: { isAdmin },
+  } = req.auth;
+
+  if (req.method === 'GET') {
+    if (isAdmin) {
+      return unauthorized(res);
+    }
+
+    const users = await getUsers();
+
+    return ok(res, users);
+  }
+
+  if (req.method === 'POST') {
+    if (isAdmin) {
+      return unauthorized(res);
+    }
+
+    const { username, password, id } = req.body;
+
+    const existingUser = await getUser({ username });
+
+    if (existingUser) {
+      return badRequest(res, 'User already exists');
+    }
+
+    const created = await createUser({
+      id: id || uuid(),
+      username,
+      password: hashPassword(password),
+      role: ROLES.user,
+    });
+
+    return ok(res, created);
+  }
+
+  return methodNotAllowed(res);
+};