Add drawing share links/grants, API base path support, and DX improvements #64

tototomate123 wants to merge 97 commits into
Conversation
… admin role management
- Implemented multi-user authentication with role-based access control.
- Added environment variables for initial admin user setup.
- Updated README and example environment file with new authentication options.
- Introduced user and system configuration models in the database schema.
- Enhanced authentication middleware to support user registration and role management.
- Updated frontend to handle new authentication flows, including admin user creation and role updates.

- Introduced a `mustResetPassword` field in the User model to manage password reset requirements.
- Enhanced authentication flow to support password changes, including validation and error handling.
- Updated frontend components to handle password reset scenarios and integrate with the new API endpoints.
- Modified authentication context and hooks to accommodate the new password reset logic.
- Adjusted E2E tests to ensure proper coverage for the password reset functionality.

Bumps [diff](https://github.com/kpdecker/jsdiff) from 5.2.0 to 5.2.2.
- [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
- [Commits](kpdecker/jsdiff@v5.2.0...v5.2.2)
---
updated-dependencies:
- dependency-name: diff
  dependency-version: 5.2.2
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>

Bumps [qs](https://github.com/ljharb/qs) from 6.14.0 to 6.14.1.
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.0...v6.14.1)
---
updated-dependencies:
- dependency-name: qs
  dependency-version: 6.14.1
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>

Bumps [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router) to 7.12.0 and updates ancestor dependency [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom). These dependencies need to be updated together.

Updates `react-router` from 7.9.6 to 7.12.0
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/[email protected]/packages/react-router)

Updates `react-router-dom` from 7.9.6 to 7.12.0
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router-dom/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/[email protected]/packages/react-router-dom)
---
updated-dependencies:
- dependency-name: react-router
  dependency-version: 7.12.0
  dependency-type: indirect
- dependency-name: react-router-dom
  dependency-version: 7.12.0
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <[email protected]>
* pass rest of appState in put request
* fix: support both legacy and current currentItemRoundness formats
Add union type to accept both the old object format {type, value} and
the new enum format for backwards compatibility with existing drawings.
---------
Co-authored-by: Zimeng Xiong <[email protected]>
…ng#36)
* fix: sync pasted/uploaded images across collaborating tabs
  - Implement file delta synchronization to broadcast image file data
  - Add periodic file sync check to catch async file data arrival
  - Wrap Excalidraw addFiles API to automatically emit file changes
  - Enhance socket element-update to include file payloads
  - Add comprehensive E2E test for image collaboration scenarios
  - Improve CORS flexibility for development localhost ports
  Fixes ZimengXiong#25: New images not appearing when collaborating - collaborators now see uploaded images immediately instead of placeholder until refresh.
* perf: increase file sync polling interval from 500ms to 1000ms
  Reduces CPU overhead while still catching async file arrivals. Most updates go through the addFiles wrapper anyway.
---------
Co-authored-by: Zimeng Xiong <[email protected]>

… and configuration options
- Added a new `LoginAttempt` model to track login attempts, including rate limiting and lockout functionality.
- Introduced environment variables for configuring login rate limits and maximum failures.
- Updated the authentication middleware to handle login attempts and enforce rate limits.
- Enhanced the user model with indexing for username and email for improved lookup performance.
- Modified the `.env.example` file to include new optional authentication settings.
- Updated integration tests to cover new login attempt features and authentication state management.

Bumps [lodash-es](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)
---
updated-dependencies:
- dependency-name: lodash-es
  dependency-version: 4.17.23
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)
---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <[email protected]>

- Add User model with email, passwordHash, and name fields
- Add userId foreign key to Drawing and Collection models
- Create initial migration for user authentication

- Add PasswordResetToken model for password reset flow
- Add RefreshToken model for token rotation tracking
- Add AuditLog model for security event logging
- All features disabled by default via feature flags

- Add enablePasswordReset, enableRefreshTokenRotation, enableAuditLogging flags
- All flags default to false for backward compatibility
- Add getOptionalBoolean helper for parsing boolean env vars
- Update .env.example with feature flag documentation

- Add requireAuth middleware for protecting routes
- Add errorHandler and asyncHandler middleware
- Add user isolation helpers for database queries

- Add POST /auth/register endpoint with email validation
- Add POST /auth/login endpoint with JWT token generation
- Add POST /auth/refresh endpoint for token refresh
- Add GET /auth/me endpoint for current user info
- Add rate limiting for auth endpoints
- Add bcrypt password hashing
- Add JWT access and refresh token generation

- Add logAuditEvent function for security event logging
- Add getAuditLogs function for retrieving audit logs
- Gracefully handles disabled feature or missing table
- Feature disabled by default via config flag

- Add authentication middleware to protected routes
- Add user isolation to drawing and collection queries
- Add audit logging to delete operations
- Update CSRF token handling for authenticated users

- Add AuthContext for managing user authentication state
- Add ProtectedRoute component for route protection
- Update API client with JWT token injection
- Add refresh token rotation support
- Add CSRF token handling

- Add Login page with email/password form
- Add Register page with email validation
- Add forgot password link to login page
- Update App.tsx with auth routes and AuthProvider
- Add email validation in registration form

- Add PasswordResetRequest page for requesting reset
- Add PasswordResetConfirm page for confirming reset
- Handle feature disabled state gracefully
- Add routes to App.tsx

- Add Profile page for viewing/editing user info
- Add display name editing functionality
- Add change password functionality with validation
- Add Profile button to Sidebar navigation
- Handle authentication errors gracefully

- Add Select All button with CheckSquare/Square icons
- Toggle selection of all drawings in current view
- Match styling with other icon buttons
- Add tooltip for better UX

- Add mouse-based auto-hide functionality
- Add toggle button to enable/disable auto-hide
- Prevent auto-hide during drawing name editing
- Smooth transitions with translate-y animations
- Dynamic canvas height adjustment based on header visibility

- Add comprehensive tests for logAuditEvent
- Add tests for getAuditLogs with user filtering
- Test graceful degradation when feature disabled
- Test JSON details parsing
- Follow existing test patterns and style

- Document all security features added
- Document UX improvements added
- Include migration strategy and backward compatibility notes
- Provide enable instructions for optional features

- Update test utilities for user authentication
- Update Settings page for authenticated export
- Update docker-compose.yml if needed
- Update package-lock.json files
344a31f to b2d3164
Thanks for your effort, @tototomate123, what does this implement? The description is not too clear (most of it is not about the sharing part). Sharing of drawings via links? Are they scoped? Asking because #56 is now merged with multi-user authentication and scoped sharing.
This PR bundled a few things, but the main feature was share-link based scoped access on top of auth: DrawingShareLink/DrawingShareGrant, viewer/editor links per drawing, token redemption into per-user grants, role enforcement in API + socket, and a "Shared with me" flow in the UI. So links are scoped (drawing + role) and still require login; not public anonymous links. It also included some collaboration/realtime hardening (role-aware socket permissions + sync reliability improvements), plus infra/DX changes (API_BASE_PATH, socket path alignment, x-share-token CORS header, migration fallback, logging/IP utility, minor cleanup). That said, I'm not fully sure how valuable all of this is now after #56 merged. I originally started this because prerelease v0.4.6 wasn't really ready for multi-user + collaboration yet, so this was meant to close that gap. If useful, you can try it and evaluate how it behaves with the current merged system, but I agree some parts may now be less necessary.
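The comment above describes links scoped to one drawing and one role that a logged-in user redeems into a per-user grant, with that grant's role then enforced on every API and socket call. The TypeScript below is an added illustration of that flow, not code from this PR or the project: the `ShareStore` class, its in-memory arrays, the rank ordering and the sample tokens are all assumptions standing in for the `DrawingShareLink` and `DrawingShareGrant` Prisma models.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Hypothetical in-memory stand-in for the DrawingShareLink / DrawingShareGrant
// models: a link is scoped to one drawing and one role; redeeming it while
// logged in creates a per-user grant, and later checks use the grant, not the token.
type Role = "viewer" | "editor";
const RANK: Record<Role | "owner", number> = { viewer: 1, editor: 2, owner: 3 };
interface ShareLink { drawingId: string; role: Role; tokenHash: Buffer; expiresAt?: number }
interface Grant { drawingId: string; userId: string; role: Role }
const hashToken = (token: string): Buffer => createHash("sha256").update(token).digest();

export class ShareStore {
  private links: ShareLink[] = [];
  private grants: Grant[] = [];
  private owners: Record<string, string>; // drawingId -> owner userId
  constructor(owners: Record<string, string>) { this.owners = owners; }

  // Store only a hash: a leaked table row is not a usable share token.
  createLink(drawingId: string, role: Role, token: string, expiresAt?: number): void {
    this.links.push({ drawingId, role, tokenHash: hashToken(token), expiresAt });
  }

  // Redeem a token for a logged-in user; anonymous callers get nothing (no public links).
  redeem(token: string, userId: string | null, now: number = Date.now()): Grant | null {
    if (!userId) return null;
    const h = hashToken(token); // fixed-length digests, so timingSafeEqual never throws
    const link = this.links.find((l) => timingSafeEqual(l.tokenHash, h));
    if (!link || (link.expiresAt !== undefined && link.expiresAt <= now)) return null;
    const existing = this.grants.find((g) => g.drawingId === link.drawingId && g.userId === userId);
    if (existing) { // never downgrade: a viewer link must not strip an editor grant
      if (RANK[link.role] > RANK[existing.role]) existing.role = link.role;
      return existing;
    }
    const grant: Grant = { drawingId: link.drawingId, userId, role: link.role };
    this.grants.push(grant);
    return grant;
  }

  effectiveRole(drawingId: string, userId: string | null): Role | "owner" | null {
    if (!userId) return null;
    if (this.owners[drawingId] === userId) return "owner";
    return this.grants.find((g) => g.drawingId === drawingId && g.userId === userId)?.role ?? null;
  }
  // Single role check for REST handlers and the socket layer alike.
  can(drawingId: string, userId: string | null, required: Role): boolean {
    const role = this.effectiveRole(drawingId, userId);
    return role !== null && RANK[role] >= RANK[required];
  }
}
```

Because the socket layer calls the same `can` check as the REST handlers, a viewer cannot push element updates over the socket that the API would have rejected.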
Yeah sure, I'll take a look at them, thanks for your effort! Sorry, I had a lot of the work done locally and didn't keep the GitHub in sync.
2696a67 to 1f0432a
This pull request introduces significant backend enhancements, most notably adding database support for drawing sharing via share links and grants, improving API routing flexibility, and increasing robustness in environment configuration and error logging. It also includes various code quality and developer experience improvements.
Database and Sharing Features:
- Added `DrawingShareLink` and `DrawingShareGrant` to the Prisma schema and created corresponding migration scripts, enabling per-drawing share links and granular sharing permissions.
- Updated the `User` and `Drawing` models to support the new sharing relationships.

API Routing and Configuration:
- Introduced an `API_BASE_PATH` environment variable and related parsing logic, allowing the backend API to be served under a configurable base path (e.g., `/api`). Updated CORS, socket, health check, and route registrations to respect this path.

Developer Experience and Robustness:
- Falls back to `pnpm exec` if `npx` is unavailable, increasing reliability in different development environments.

Security and Utilities:
- Allowed the `x-share-token` header in CORS, supporting the new sharing features.

Minor and Documentation Updates:
- Edited `README.md`.

These changes collectively lay the groundwork for advanced sharing capabilities, improve backend flexibility, and enhance developer and user experience.
I am working on this on Gitea (that's the reason for that README edit, it can be removed for this repo obviously), and thought I'd port back my changes to you. If you don't need them / think this goes in the wrong direction, just close this PR, but I thought it might be helpful :)