Merge pull request #108 from Lycoon/dev

added middleware for authentication, fixed macos deploymenet

Author: Lycoon

.github/workflows/deploy-macos.yaml

@@ -22,7 +22,7 @@ jobs:
             - name: Download provisioning profile
               uses: apple-actions/download-provisioning-profiles@v3
               with:
-                  bundle-id: "ArkoLogic.Scriptio"
+                  bundle-id: "app.scriptio"
                   profile-type: "MAC_APP_STORE"
                   issuer-id: ${{ secrets.APPSTORE_ISSUER_ID }}
                   api-key-id: ${{ secrets.APPSTORE_KEY_ID }}

components/home/HomeClient.tsx

@@ -1,32 +1,22 @@
 "use client";
 
 import { useEffect } from "react";
-import { useCookieUser } from "@src/lib/utils/hooks";
 import HomePageContainer from "@components/home/HomePageContainer";
 import Loading from "@components/utils/Loading";
 import LandingPageNavbar from "@components/navbar/LandingPageNavbar";
 import { isTauri } from "@tauri-apps/api/core";
 import { useTheme } from "next-themes";
-import { useRouter } from "next/navigation";
 
 export default function HomeClient() {
-    const { user, isLoading } = useCookieUser();
     const { setTheme } = useTheme();
-    const router = useRouter();
 
     useEffect(() => {
-        if (!isLoading && !user && !isTauri()) {
+        if (!isTauri()) {
             setTheme("dark");
         }
-    }, [user, isLoading, setTheme]);
+    }, [setTheme]);
 
-    useEffect(() => {
-        if (!isLoading && (user || isTauri())) {
-            router.replace("/projects");
-        }
-    }, [user, isLoading, router]);
-
-    if (isLoading || user || isTauri()) {
+    if (isTauri()) {
         return <Loading />;
     }
 

src/app/api/projects/[projectId]/cloud-token/route.ts

@@ -1,6 +1,5 @@
-import { getCookieUser } from "@src/lib/session";
-import { ApiContext, apiHandler } from "@src/lib/utils/api-handler";
-import { ForbiddenError, Success, UnauthorizedError, validate } from "@src/lib/utils/api-utils";
+import { apiHandler, AuthApiContext } from "@src/lib/utils/api-handler";
+import { ForbiddenError, Success, validate } from "@src/lib/utils/api-utils";
 
 import * as ProjectService from "@src/server/service/project-service";
 
@@ -12,12 +11,7 @@ const QuerySchema = z.object({
     projectId: z.string(),
 });
 
-async function projectCloudTokenRoute(req: NextRequest, { routeParams }: ApiContext) {
-    const user = await getCookieUser();
-    if (!user || !user.id) {
-        throw new UnauthorizedError();
-    }
-
+async function projectCloudTokenRoute(req: NextRequest, { routeParams, user }: AuthApiContext) {
     const { projectId } = validate(QuerySchema, routeParams);
     const member = await ProjectService.getMembership(projectId, user.id);
     if (!member) {

src/app/api/projects/[projectId]/invite/route.ts

@@ -1,5 +1,4 @@
-import { getCookieUser } from "@src/lib/session";
-import { ApiContext, apiHandler } from "@src/lib/utils/api-handler";
+import { apiHandler, AuthApiContext } from "@src/lib/utils/api-handler";
 import { ProjectRole } from "@prisma/client";
 import {
     ForbiddenError,
@@ -8,7 +7,6 @@ import {
     Success,
     SuccessCreated,
     SuccessNoContent,
-    UnauthorizedError,
     validate,
 } from "@src/lib/utils/api-utils";
 import { requirePro } from "@src/lib/utils/pro-utils";
@@ -34,12 +32,7 @@ const QuerySchema = z.object({
  *
  * Returns the list of pending invites for this project
  */
-async function getInvites(req: NextRequest, { routeParams }: ApiContext) {
-    const cookie = await getCookieUser();
-    if (!cookie || !cookie.id) {
-        throw new UnauthorizedError();
-    }
-
+async function getInvites(req: NextRequest, { routeParams }: AuthApiContext) {
     const { projectId } = validate(QuerySchema, routeParams);
     const invites = await ProjectService.getInvites(projectId);
     return Success(invites);
@@ -50,25 +43,20 @@ async function getInvites(req: NextRequest, { routeParams }: ApiContext) {
  *
  * Invites a given user to a project, creating a pending `ProjectInvitation`
  */
-async function inviteMember(req: NextRequest, { routeParams }: ApiContext) {
-    const cookie = await getCookieUser();
-    if (!cookie || !cookie.id) {
-        throw new UnauthorizedError();
-    }
-
+async function inviteMember(req: NextRequest, { routeParams, user }: AuthApiContext) {
     const body = await req.json();
     const { email: emailToInvite } = validate(ProjectMemberEmailBodySchema, body);
     const { projectId } = validate(QuerySchema, routeParams);
 
-    const member = await ProjectService.getMembership(projectId, cookie.id);
+    const member = await ProjectService.getMembership(projectId, user.id);
     if (!member) {
         throw new NotFoundError();
     }
     if (!Roles.hasRoleOrGreater(member.role, ProjectRole.ADMIN)) {
         throw new ForbiddenError("Only admin members can issue invites");
     }
 
-    await requirePro(cookie.id);
+    await requirePro(user.id);
 
     const invites = await ProjectService.getInvites(projectId);
     const isAlreadyInvited = invites.some((i) => i.email === emailToInvite);
@@ -98,17 +86,12 @@ async function inviteMember(req: NextRequest, { routeParams }: ApiContext) {
  *
  * Deletes the invite associated to a given email address, removing its pending `ProjectInvitation`
  */
-async function deleteInvite(req: NextRequest, { routeParams }: ApiContext) {
-    const cookie = await getCookieUser();
-    if (!cookie || !cookie.id) {
-        throw new UnauthorizedError();
-    }
-
+async function deleteInvite(req: NextRequest, { routeParams, user }: AuthApiContext) {
     const body = await req.json();
     const { email: emailToDelete } = validate(ProjectMemberEmailBodySchema, body);
     const { projectId } = validate(QuerySchema, routeParams);
 
-    const member = await ProjectService.getMembership(projectId, cookie.id);
+    const member = await ProjectService.getMembership(projectId, user.id);
     if (!member) {
         throw new NotFoundError();
     }

src/app/api/projects/[projectId]/members/[userId]/route.ts

@@ -1,12 +1,10 @@
 import { ProjectRole } from "@prisma/client";
-import { getCookieUser } from "@src/lib/session";
-import { ApiContext, apiHandler } from "@src/lib/utils/api-handler";
+import { apiHandler, AuthApiContext } from "@src/lib/utils/api-handler";
 import {
     ForbiddenError,
     BodyFieldError,
     ProjectNotFoundError,
     Success,
-    UnauthorizedError,
     SuccessNoContent,
     NotFoundError,
     validate,
@@ -32,15 +30,9 @@ const QuerySchema = z.object({
  *
  * Returns a project member given its userId and associated projectId
  */
-async function getProjectMember(req: NextRequest, { routeParams }: ApiContext) {
-    // We query the user role for this poject, throw 404 in case it doesn't belong to it
-    const cookie = await getCookieUser();
-    if (!cookie || !cookie.id) {
-        throw new UnauthorizedError();
-    }
-
+async function getProjectMember(req: NextRequest, { routeParams, user }: AuthApiContext) {
     const { projectId } = validate(QuerySchema, routeParams);
-    const member = await ProjectService.getMembership(projectId, cookie.id);
+    const member = await ProjectService.getMembership(projectId, user.id);
     if (!member) {
         throw new ProjectNotFoundError();
     }
@@ -53,23 +45,18 @@ async function getProjectMember(req: NextRequest, { routeParams }: ApiContext) {
  *
  * Updates a project member role
  */
-async function updateProjectMemberRole(req: NextRequest, { routeParams }: ApiContext) {
-    const cookie = await getCookieUser();
-    if (!cookie || !cookie.id) {
-        throw new UnauthorizedError();
-    }
-
+async function updateProjectMemberRole(req: NextRequest, { routeParams, user }: AuthApiContext) {
     const body = await req.json();
     const { role } = validate(UpdateRoleSchema, body);
     const { userId: userToUpdateId, projectId } = validate(QuerySchema, routeParams);
 
-    const isSelf = cookie.id === userToUpdateId;
+    const isSelf = user.id === userToUpdateId;
     if (isSelf) throw new ForbiddenError("You cannot update your own role");
 
     if (!Roles.isValid(role)) throw new BodyFieldError("Unknown role");
     const newRole = role as ProjectRole;
 
-    const member = await ProjectService.getMembership(projectId, cookie.id);
+    const member = await ProjectService.getMembership(projectId, user.id);
     if (!member) {
         throw new ProjectNotFoundError();
     }
@@ -86,7 +73,10 @@ async function updateProjectMemberRole(req: NextRequest, { routeParams }: ApiCon
         throw new ForbiddenError("You cannot assign the same role to another user");
     }
 
-    if (!Roles.hasRoleOrGreater(member.role, newRole) || !Roles.hasRoleOrGreater(member.role, memberToUpdate.role)) {
+    if (
+        !Roles.hasRoleOrGreater(member.role, newRole) ||
+        !Roles.hasRoleOrGreater(member.role, memberToUpdate.role)
+    ) {
         throw new ForbiddenError("User does not have sufficient permissions");
     }
 
@@ -99,27 +89,19 @@ async function updateProjectMemberRole(req: NextRequest, { routeParams }: ApiCon
  *
  * Removes a member from a project. A user can leave the project itself.
  */
-async function deleteProjectMember(req: NextRequest, { routeParams }: ApiContext) {
-    const cookie = await getCookieUser();
-    if (!cookie || !cookie.id) {
-        throw new UnauthorizedError();
-    }
-
+async function deleteProjectMember(req: NextRequest, { routeParams, user }: AuthApiContext) {
     const { userId: userToDelete, projectId } = validate(QuerySchema, routeParams);
-    const member = await ProjectService.getMembership(projectId, cookie.id);
+    const member = await ProjectService.getMembership(projectId, user.id);
     if (!member) {
         throw new NotFoundError();
     }
 
-    const isSelf = cookie.id === userToDelete;
+    const isSelf = user.id === userToDelete;
     if (isSelf) {
         if (member.role !== ProjectRole.OWNER) {
-            // No need to check roles, any non-owner member can leave the project on its own
             await ProjectService.deleteProjectMember(projectId, userToDelete);
             return Success({ redirectUrl: "/projects" });
         } else {
-            // An owner cannot leave its project as a collaborator
-            // He either needs to transfer ownership or delete project
             throw new ForbiddenError("Owner cannot leave project");
         }
     }

src/app/api/projects/[projectId]/members/route.ts

@@ -1,6 +1,5 @@
-import { getCookieUser } from "@src/lib/session";
-import { ApiContext, apiHandler } from "@src/lib/utils/api-handler";
-import { ProjectNotFoundError, Success, UnauthorizedError, validate } from "@src/lib/utils/api-utils";
+import { apiHandler, AuthApiContext } from "@src/lib/utils/api-handler";
+import { ProjectNotFoundError, Success, validate } from "@src/lib/utils/api-utils";
 
 import * as ProjectService from "@src/server/service/project-service";
 
@@ -16,12 +15,7 @@ const QuerySchema = z.object({
  *
  * Returns project memberships associated projectId
  */
-async function getProjectMemberships(req: NextRequest, { routeParams }: ApiContext) {
-    const cookie = await getCookieUser();
-    if (!cookie || !cookie.id) {
-        throw new UnauthorizedError();
-    }
-
+async function getProjectMemberships(req: NextRequest, { routeParams }: AuthApiContext) {
     const { projectId } = validate(QuerySchema, routeParams);
     const collaborators = await ProjectService.getCollaborators(projectId);
     if (!collaborators) {

src/app/api/projects/[projectId]/route.ts

@@ -1,16 +1,14 @@
-import { getCookieUser } from "@src/lib/session";
 import { ProjectRole } from "@prisma/client";
 
 import * as S3 from "@src/lib/s3";
 import * as ProjectService from "@src/server/service/project-service";
 import * as Roles from "@src/lib/utils/roles";
-import { ApiContext, apiHandler } from "@src/lib/utils/api-handler";
+import { apiHandler, AuthApiContext } from "@src/lib/utils/api-handler";
 import {
     ForbiddenError,
     InternalServerError,
     ProjectNotFoundError,
     Success,
-    UnauthorizedError,
     BodyFieldError,
     validate,
     SuccessNoContent,
@@ -30,13 +28,9 @@ const QuerySchema = z.object({
  *
  * Gets project information from authenticated user
  */
-async function getProject(req: NextRequest, { routeParams }: ApiContext) {
-    const cookie = await getCookieUser();
-    if (!cookie || !cookie.id) {
-        throw new UnauthorizedError();
-    }
+async function getProject(req: NextRequest, { routeParams, user }: AuthApiContext) {
     const { projectId } = validate(QuerySchema, routeParams);
-    const membership = await ProjectService.getMembership(projectId, cookie.id);
+    const membership = await ProjectService.getMembership(projectId, user.id);
 
     if (!membership) {
         throw new ProjectNotFoundError();
@@ -50,14 +44,9 @@ async function getProject(req: NextRequest, { routeParams }: ApiContext) {
  *
  * Updates project information from authenticated user
  */
-async function updateProject(req: NextRequest, { routeParams }: ApiContext) {
-    const cookie = await getCookieUser();
-    if (!cookie || !cookie.id) {
-        throw new UnauthorizedError();
-    }
-
+async function updateProject(req: NextRequest, { routeParams, user }: AuthApiContext) {
     const { projectId } = validate(QuerySchema, routeParams);
-    const member = await ProjectService.getMembership(projectId, cookie.id);
+    const member = await ProjectService.getMembership(projectId, user.id);
 
     if (!member) {
         throw new ProjectNotFoundError();
@@ -103,16 +92,11 @@ async function updateProject(req: NextRequest, { routeParams }: ApiContext) {
 /**
  * DELETE `/projects/[projectId]`
  *
- * Deletes project from unautheticated user
+ * Deletes project from authenticated user
  */
-async function deleteProject(req: NextRequest, { routeParams }: ApiContext) {
-    const cookie = await getCookieUser();
-    if (!cookie || !cookie.id) {
-        throw new UnauthorizedError();
-    }
-
+async function deleteProject(req: NextRequest, { routeParams, user }: AuthApiContext) {
     const { projectId } = validate(QuerySchema, routeParams);
-    const member = await ProjectService.getMembership(projectId, cookie.id);
+    const member = await ProjectService.getMembership(projectId, user.id);
 
     if (!member) {
         throw new ForbiddenError();

src/app/api/projects/[projectId]/saves/manual/route.ts

@@ -1,7 +1,12 @@
 import { ProjectRole } from "@prisma/client";
-import { getCookieUser } from "@src/lib/session";
-import { ApiContext, apiHandler } from "@src/lib/utils/api-handler";
-import { ForbiddenError, getCollabHttpUrl, Success, SuccessCreated, UnauthorizedError, validate } from "@src/lib/utils/api-utils";
+import { apiHandler, AuthApiContext } from "@src/lib/utils/api-handler";
+import {
+    ForbiddenError,
+    getCollabHttpUrl,
+    Success,
+    SuccessCreated,
+    validate,
+} from "@src/lib/utils/api-utils";
 import { requirePro } from "@src/lib/utils/pro-utils";
 
 import * as Roles from "@src/lib/utils/roles";
@@ -19,7 +24,7 @@ async function forwardToWorker(
     projectId: string,
     method: string,
     path: string,
-    body?: any
+    body?: any,
 ): Promise<Response> {
     const secret = new TextEncoder().encode(process.env.JWT_SECRET!);
     const token = await new SignJWT({ type: "admin-action", projectId })
@@ -46,12 +51,7 @@ async function forwardToWorker(
  * Creates a manual save with a user-provided name.
  * Requires EDITOR+ role.
  */
-async function createManualSave(req: NextRequest, { routeParams }: ApiContext) {
-    const user = await getCookieUser();
-    if (!user || !user.id) {
-        throw new UnauthorizedError();
-    }
-
+async function createManualSave(req: NextRequest, { routeParams, user }: AuthApiContext) {
     const { projectId } = validate(QuerySchema, routeParams);
     const member = await ProjectService.getMembership(projectId, user.id);
     if (!member) {
@@ -81,12 +81,7 @@ async function createManualSave(req: NextRequest, { routeParams }: ApiContext) {
  *
  * Renames a manual save. Requires ADMIN+ role.
  */
-async function renameManualSave(req: NextRequest, { routeParams }: ApiContext) {
-    const user = await getCookieUser();
-    if (!user || !user.id) {
-        throw new UnauthorizedError();
-    }
-
+async function renameManualSave(req: NextRequest, { routeParams, user }: AuthApiContext) {
     const { projectId } = validate(QuerySchema, routeParams);
     const member = await ProjectService.getMembership(projectId, user.id);
     if (!member) {