feat: auth-include permissions in user object

Author: GuptaSiddhant

.oxlintrc.json

@@ -17,7 +17,10 @@
     "arrow-body-style": "allow",
     "id-length": ["warn", { "exceptions": ["z"] }],
     "func-style": ["allow"],
-    "max-lines-per-function": ["warn", { "max": 50, "skipBlankLines": true, "skipComments": true }],
+    "max-lines-per-function": [
+      "warn",
+      { "max": 50, "skipBlankLines": true, "skipComments": true }
+    ],
     "import/consistent-type-specifier-style": "allow",
     "import/exports-last": "allow",
     "import/extensions": ["deny", "always"],
@@ -44,5 +47,13 @@
     "switch-exhaustiveness-check": "warn",
     "strict-boolean-expressions": "allow",
     "typescript/strict-boolean-expressions": "allow"
-  }
+  },
+  "overrides": [
+    {
+      "files": ["**/*.test.ts", "**/*.spec.ts", "**/mocks/**"],
+      "rules": {
+        "typescript/no-confusing-void-expression": "allow"
+      }
+    }
+  ]
 }

packages/azure/src/easy-auth.ts

@@ -1,22 +1,24 @@
 // oxlint-disable class-methods-use-this
-// oxlint-disable require-await
-
-import type {
-  AuthAdapter,
-  AuthAdapterAuthorise,
-  AuthAdapterOptions,
-  StoryBookerUser,
-} from "@storybooker/core/adapter";
+
+import {
+  StoryBookerPermissionsList,
+  StoryBookerPermissionsAllEnabled,
+  type AuthAdapter,
+  type AuthAdapterOptions,
+  type StoryBookerPermissionAction,
+  type StoryBookerPermissionResource,
+  type StoryBookerPermissionWithKey,
+  type StoryBookerUser,
+} from "@storybooker/core/adapter/auth";
 import { Buffer } from "node:buffer";
 
 export type {
-  AuthAdapterAuthorise,
   StoryBookerPermission,
   StoryBookerPermissionAction,
   StoryBookerPermissionKey,
   StoryBookerPermissionResource,
   StoryBookerPermissionWithKey,
-} from "@storybooker/core/adapter";
+} from "@storybooker/core/adapter/auth";
 
 export interface AzureEasyAuthClientPrincipal {
   claims: { typ: string; val: string }[];
@@ -31,23 +33,24 @@ export interface AzureEasyAuthUser extends StoryBookerUser {
   clientPrincipal?: AzureEasyAuthClientPrincipal;
 }
 
+export type AuthAdapterAuthorise<AuthUser extends StoryBookerUser = StoryBookerUser> = (
+  permission: StoryBookerPermissionWithKey,
+  user: Omit<AuthUser, "permissions">,
+) => boolean;
+
 /**
  * Modify the final user details object created from EasyAuth Client Principal.
  */
-export type ModifyUserDetails = (
-  user: AzureEasyAuthUser,
+export type ModifyUserDetails = <User extends Omit<AzureEasyAuthUser, "permissions">>(
+  user: User,
   options: AuthAdapterOptions,
-) => AzureEasyAuthUser | Promise<AzureEasyAuthUser>;
+) => User | Promise<User>;
 
-const DEFAULT_AUTHORISE: AuthAdapterAuthorise<AzureEasyAuthUser> = ({ permission, user }) => {
+const DEFAULT_AUTHORISE: AuthAdapterAuthorise<AzureEasyAuthUser> = (permission, user) => {
   if (!user) {
     return false;
   }
 
-  if (user.type === "application") {
-    return true;
-  }
-
   if (permission.action === "read") {
     return true;
   }
@@ -59,10 +62,15 @@ const DEFAULT_MODIFY_USER: ModifyUserDetails = (user) => user;
 
 /**
  * StoryBooker Auth adapter for Azure EasyAuth.
+ *
+ * @example
+ * ```ts
+ * const auth = new AzureEasyAuthService();
+ * ```
  */
 export class AzureEasyAuthService implements AuthAdapter<AzureEasyAuthUser> {
-  authorise: AuthAdapter<AzureEasyAuthUser>["authorise"];
-  modifyUserDetails: ModifyUserDetails;
+  #authorise: AuthAdapterAuthorise<AzureEasyAuthUser>;
+  #modifyUserDetails: ModifyUserDetails;
 
   metadata: AuthAdapter["metadata"] = { name: "Azure Easy Auth" };
 
@@ -76,8 +84,8 @@ export class AzureEasyAuthService implements AuthAdapter<AzureEasyAuthUser> {
      */
     modifyUserDetails?: ModifyUserDetails;
   }) {
-    this.authorise = options?.authorise ?? DEFAULT_AUTHORISE;
-    this.modifyUserDetails = options?.modifyUserDetails ?? DEFAULT_MODIFY_USER;
+    this.#authorise = options?.authorise ?? DEFAULT_AUTHORISE;
+    this.#modifyUserDetails = options?.modifyUserDetails ?? DEFAULT_MODIFY_USER;
   }
 
   getUserDetails: AuthAdapter<AzureEasyAuthUser>["getUserDetails"] = async (options) => {
@@ -100,10 +108,11 @@ export class AzureEasyAuthService implements AuthAdapter<AzureEasyAuthUser> {
         clientPrincipal,
         displayName: "App",
         id: azpToken,
+        permissions: StoryBookerPermissionsAllEnabled,
         roles: null,
         type: "application",
       };
-      return this.modifyUserDetails(user, options);
+      return user;
     }
 
     const name = claims.find((claim) => claim.typ === "name")?.val;
@@ -112,18 +121,22 @@ export class AzureEasyAuthService implements AuthAdapter<AzureEasyAuthUser> {
       .filter((claim) => claim.typ === clientPrincipal.role_typ || claim.typ === "roles")
       .map((claim) => claim.val);
 
-    const user: AzureEasyAuthUser = {
+    const userWithoutPermissions: Omit<AzureEasyAuthUser, "permissions"> = {
       clientPrincipal,
       displayName: name ?? "",
       id: email ?? "",
       roles,
       title: roles.join(", "),
       type: "user",
     };
-    return this.modifyUserDetails(user, options);
+
+    return {
+      ...(await this.#modifyUserDetails(userWithoutPermissions, options)),
+      permissions: authoriseUserPermissions(this.#authorise, userWithoutPermissions),
+    };
   };
 
-  login: AuthAdapter<AzureEasyAuthUser>["login"] = async ({ request }) => {
+  login: AuthAdapter<AzureEasyAuthUser>["login"] = ({ request }) => {
     const url = new URL("/.auth/login", request.url);
 
     return new Response(null, {
@@ -132,7 +145,7 @@ export class AzureEasyAuthService implements AuthAdapter<AzureEasyAuthUser> {
     });
   };
 
-  logout: AuthAdapter<AzureEasyAuthUser>["logout"] = async (_user, { request }) => {
+  logout: AuthAdapter<AzureEasyAuthUser>["logout"] = (_user, { request }) => {
     const url = new URL("/.auth/logout", request.url);
 
     return new Response(null, {
@@ -141,3 +154,21 @@ export class AzureEasyAuthService implements AuthAdapter<AzureEasyAuthUser> {
     });
   };
 }
+
+function authoriseUserPermissions(
+  authorise: AuthAdapterAuthorise<AzureEasyAuthUser>,
+  user: Omit<AzureEasyAuthUser, "permissions">,
+): AzureEasyAuthUser["permissions"] {
+  const permissions: AzureEasyAuthUser["permissions"] = {};
+
+  for (const key of StoryBookerPermissionsList) {
+    const [resource, action] = key.split(":") as [
+      StoryBookerPermissionResource,
+      StoryBookerPermissionAction,
+    ];
+    const permission: StoryBookerPermissionWithKey = { action, key, resource };
+    permissions[key] = authorise(permission, user);
+  }
+
+  return permissions;
+}

packages/core/package.json

@@ -112,7 +112,8 @@
       "source": "./src/utils/index.ts",
       "default": "./dist/utils.mjs"
     },
-    "./package.json": "./package.json"
+    "./package.json": "./package.json",
+    "./openapi.json": "./openapi.json"
   },
   "publishConfig": {
     "exports": {

packages/core/src/adapters/auth.ts

@@ -22,18 +22,7 @@ export interface AuthAdapter<AuthUser extends StoryBookerUser = StoryBookerUser>
   init?: (options: Omit<AuthAdapterOptions, "request">) => Promise<void>;
 
   /**
-   * This callback is called before every protected route and determines if user
-   * has access to the route. It receives a permission object.
-   *
-   * @returns
-   * - Respond with `true` to allow user to proceed.
-   * - Respond with `false` to block user.
-   * - Respond with `Response` to return custom response
-   */
-  authorise: AuthAdapterAuthorise<AuthUser>;
-
-  /**
-   * Get details about the user based on incoming request.
+   * Get details about the user and permissions based on incoming request.
    *
    * @param options Common options like abortSignal.
    *
@@ -85,7 +74,7 @@ export type AuthAdapterAuthorise<AuthUser extends StoryBookerUser = StoryBookerU
 /**  Type of permission to check */
 export interface StoryBookerPermission {
   action: StoryBookerPermissionAction;
-  projectId: string | undefined;
+  projectId?: string;
   resource: StoryBookerPermissionResource;
 }
 /** Permission object with key */
@@ -94,7 +83,7 @@ export type StoryBookerPermissionWithKey = StoryBookerPermission & {
 };
 /** Permission in a string format */
 export type StoryBookerPermissionKey =
-  `${StoryBookerPermissionResource}:${StoryBookerPermissionAction}:${string}`;
+  `${StoryBookerPermissionResource}:${StoryBookerPermissionAction}`;
 /** Type of possible resources to check permissions for */
 export type StoryBookerPermissionResource = "project" | "build" | "tag";
 /** Type of possible actions to check permissions for */
@@ -112,6 +101,8 @@ export interface StoryBookerUser {
   imageUrl?: string;
   /** Title or Team-name of the User shown in UI. */
   title?: string;
+  /** Permissions assigned to the user. Missing permissions are considered false. */
+  permissions: Partial<Record<StoryBookerPermissionKey, boolean>>;
 }
 
 /** Common Auth adapter options.  */
@@ -123,3 +114,22 @@ export interface AuthAdapterOptions {
   /** Logger */
   logger: LoggerAdapter;
 }
+
+export const StoryBookerPermissionsAllEnabled = {
+  "build:create": true,
+  "build:delete": true,
+  "project:update": true,
+  "build:read": true,
+  "tag:delete": true,
+  "build:update": true,
+  "tag:create": true,
+  "project:read": true,
+  "project:create": true,
+  "tag:read": true,
+  "project:delete": true,
+  "tag:update": true,
+} satisfies Record<StoryBookerPermissionKey, true>;
+
+export const StoryBookerPermissionsList = Object.keys(
+  StoryBookerPermissionsAllEnabled,
+) as StoryBookerPermissionKey[];

packages/core/src/handlers/handle-serve-storybook.ts

@@ -19,7 +19,7 @@ export async function handleServeStoryBook({
 }): Promise<Response> {
   const { abortSignal, logger, storage } = getStore();
   const storageFilepath = path.posix.join(buildId, filepath);
-  await authenticateOrThrow({ action: "read", projectId, resource: "build" });
+  authenticateOrThrow({ action: "read", projectId, resource: "build" });
 
   try {
     const { content, mimeType } = await storage.downloadFile(

packages/core/src/mocks/mock-auth-service.ts

@@ -1,39 +1,51 @@
 // oxlint-disable require-await
-// oxlint-disable sort-keys
 
-import type { AuthAdapter, StoryBookerUser } from "../adapters/auth.ts";
+import {
+  StoryBookerPermissionsAllEnabled,
+  type AuthAdapter,
+  type StoryBookerUser,
+} from "../adapters/auth.ts";
 
 export const mockUser: StoryBookerUser = {
   displayName: "Test User",
   id: "test-user-id",
   imageUrl: "https://example.com/avatar.png",
   title: "Tester",
+  permissions: StoryBookerPermissionsAllEnabled,
 };
 
-export const mockAuthService: AuthAdapter = {
-  metadata: { name: "MockAuthService" },
+export function mockAuthService(
+  permissions: Partial<StoryBookerUser["permissions"]> = {},
+): AuthAdapter {
+  const user = {
+    ...mockUser,
+    permissions: {
+      ...mockUser.permissions,
+      ...permissions,
+    },
+  };
 
-  init: async (_options) => {
-    // Mock init logic if needed
-  },
-  authorise: async () => {
-    // Allow all permissions for testing
-    return true;
-  },
-  getUserDetails: async (_options) => {
-    // Always return the mock user
-    return mockUser;
-  },
-  login: async (_options) => {
-    // Return a mock Response
-    return new Response("Logged in", { status: 200 });
-  },
-  logout: async (_user, _options) => {
-    // Return a mock Response
-    return new Response("Logged out", { status: 200 });
-  },
-  renderAccountDetails: async (_user, _options) => {
-    // Return mock HTML
-    return "<div>Mock Account Details</div>";
-  },
-};
+  return {
+    metadata: { name: "MockAuthService" },
+
+    init: async (_options): Promise<void> => {
+      // Mock init logic if needed
+    },
+    getUserDetails: async (_options) => {
+      // Always return the mock user
+      return user;
+    },
+    login: async (_options) => {
+      // Return a mock Response
+      return new Response("Logged in", { status: 200 });
+    },
+    logout: async (_user, _options) => {
+      // Return a mock Response
+      return new Response("Logged out", { status: 200 });
+    },
+    renderAccountDetails: async (_user, _options) => {
+      // Return mock HTML
+      return "<div>Mock Account Details</div>";
+    },
+  };
+}

packages/core/src/mocks/mock-store.ts

@@ -8,7 +8,7 @@ import { mockAuthService, mockUser } from "./mock-auth-service";
 
 export const mockStore: Store = {
   abortSignal: undefined,
-  auth: mockAuthService,
+  auth: mockAuthService(),
   headers: new SuperHeaders(),
   logger: {
     metadata: { name: "Mock Logger" },

packages/core/src/models/builds-model.ts

@@ -237,8 +237,8 @@ export class BuildsModel extends Model<BuildType> {
     };
   };
 
-  async checkAuth(action: StoryBookerPermissionAction): Promise<boolean> {
-    return await checkAuthorisation({
+  checkAuth(action: StoryBookerPermissionAction): boolean {
+    return checkAuthorisation({
       action,
       projectId: this.projectId,
       resource: "build",

packages/core/src/models/projects-model.ts

@@ -156,8 +156,8 @@ export class ProjectsModel extends Model<ProjectType> {
     await this.storage.deleteContainer(generateStorageContainerId(id), this.storageOptions);
   }
 
-  async checkAuth(action: StoryBookerPermissionAction, id?: string): Promise<boolean> {
-    return await checkAuthorisation({
+  checkAuth(action: StoryBookerPermissionAction, id?: string): boolean {
+    return checkAuthorisation({
       action,
       projectId: id ?? (this.projectId || undefined),
       resource: "project",