admin/hspguard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: admin:17654850274233f06dfa248e168b3696c588841f
Branches Tags
admin:main admin:group-role-permission
...
compare: admin:group-role-permission
Branches Tags
admin:group-role-permission admin:main

43 Commits
1765485027 ... group-role

Author SHA1 Message Date
LandaMm
d35e5813b5 feat: beta version of role management for single user 2025-07-20 17:59:54 +02:00
LandaMm
533e6ea6af fix: no avatar handling 2025-06-30 00:08:25 +02:00
LandaMm
0c24ed9382 feat: check role assignment 2025-06-30 00:08:14 +02:00
LandaMm
f5c61bb6a0 feat: show roles 2025-06-29 23:20:59 +02:00
LandaMm
eb05f830fe feat: roles & group state 2025-06-29 23:20:50 +02:00
LandaMm
d86a9de388 feat: assign system roles 2025-06-29 23:19:05 +02:00
LandaMm
d80caac81b feat: roles API + type def 2025-06-25 11:56:06 +02:00
LandaMm
5d49a661ed feat: add roles & groups page 2025-06-25 11:55:52 +02:00
LandaMm
635a2d6058 feat: roles & groups page 2025-06-25 11:55:41 +02:00
LandaMm
1eb96e906d feat: create system roles 2025-06-25 11:55:27 +02:00
LandaMm
58974d9789 feat: add scope to the role 2025-06-25 11:55:04 +02:00
LandaMm
329fac415f feat: get all roles endpoint 2025-06-25 11:54:45 +02:00
LandaMm
a83ec61fae fix: avoid null value 2025-06-25 11:54:19 +02:00
LandaMm
d5e86acacf fix: import of user permissions API 2025-06-24 19:05:21 +02:00
LandaMm
221ef192bc feat: permissions store 2025-06-24 19:05:07 +02:00
LandaMm
18664dbd8b feat: remove image borders for service 2025-06-24 19:04:59 +02:00
LandaMm
d097735965 fix: remove unnecessary test fethcing 2025-06-24 19:04:48 +02:00
LandaMm
992776b8a6 feat: new nav item for app permissions 2025-06-24 19:04:26 +02:00
LandaMm
3f260b9029 feat: add API for fetching ALL permissions 2025-06-24 19:04:15 +02:00
LandaMm
65f40d0897 feat: app permissions admin page 2025-06-24 19:04:01 +02:00
LandaMm
6d482c784f feat: admin fetch all permissions 2025-06-24 19:03:45 +02:00
LandaMm
dc07868d15 feat: call permissions ensure 2025-06-24 19:01:26 +02:00
LandaMm
09a2f05ee5 feat: fetch permissions + grouped fetching 2025-06-24 19:01:16 +02:00
LandaMm
5cec1cf561 feat: ensure system permissions 2025-06-24 19:00:36 +02:00
LandaMm
3281764eff feat: display user's raw permissions 2025-06-24 14:37:25 +02:00
LandaMm
868337134d feat: get permissions call 2025-06-24 12:59:10 +02:00
LandaMm
9372673bf1 test: get user permissions endpoint 2025-06-24 12:58:29 +02:00
LandaMm
0eea81b42f feat: update repo with group, roles and permissions 2025-06-24 12:58:14 +02:00
LandaMm
7468303e41 feat: make name + scope combi unique 2025-06-24 12:18:54 +02:00
LandaMm
8745e7d8bc feat: group role permission 2025-06-17 12:21:02 +02:00
Amir Adal
bdc42beb27 Merge pull request 'sessions' (#2) from sessions into main 
Reviewed-on: #2
 2025-06-16 19:03:01 +02:00
LandaMm
72083fa0a4 hot+fix: round expires in number 2025-06-16 19:01:28 +02:00
LandaMm
b3ad13e55d feat: ignore .env.remote 2025-06-15 22:16:17 +02:00
LandaMm
0db54e0268 feat: update service session on refresh 2025-06-15 21:13:33 +02:00
LandaMm
b3ef96a0ce feat: update service session's tokens 2025-06-15 21:13:23 +02:00
LandaMm
a773f1f8b4 feat: signed token type 2025-06-15 21:05:09 +02:00
LandaMm
1a71f50914 fix: 'boolean' instead of 'bool' 2025-06-15 21:05:03 +02:00
LandaMm
d17e154e42 feat: logical columns for service sessions table 2025-06-15 21:04:50 +02:00
LandaMm
bad26775eb fix: don't redirect due to credentials modal 2025-06-15 21:04:40 +02:00
LandaMm
c3fd6637a5 fix: numeration 2025-06-15 21:04:22 +02:00
LandaMm
20173ea140 fix: numeration 2025-06-15 21:04:07 +02:00
LandaMm
41d439beab feat: create service session 2025-06-15 21:02:38 +02:00
LandaMm
b36b6e18ca feat: use signed token from types 2025-06-15 21:02:22 +02:00
40 changed files with 2209 additions and 179 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@ -27,6 +27,7 @@ go.work.sum
# env file
.env
.env.remote
# key files
*.pem

1
cmd/hspguard/main.go
View File

@ -45,6 +45,7 @@ func main() {
cache := cache.NewClient(&cfg)
user.EnsureAdminUser(ctx, &cfg, repo)
user.EnsureSystemPermissions(ctx, repo)
server := api.NewAPIServer(fmt.Sprintf("%s:%s", cfg.Host, cfg.Port), repo, fStorage, cache, &cfg)
if err := server.Run(); err != nil {

4
docker-compose.yml
View File

@ -6,6 +6,8 @@ services:
environment:
POSTGRES_USER: guard
POSTGRES_PASSWORD: guard
volumes:
- postgres-data:/var/lib/postgresql/data
ports:
- "5432:5432"
@ -23,3 +25,5 @@ services:
volumes:
redis-data:
driver: local
postgres-data:
driver: local

82
internal/admin/permissions.go Normal file
View File

@ -0,0 +1,82 @@
package admin
import (
"encoding/json"
"log"
"net/http"
"gitea.local/admin/hspguard/internal/repository"
"gitea.local/admin/hspguard/internal/web"
"github.com/go-chi/chi/v5"
"github.com/google/uuid"
)
func (h *AdminHandler) GetAllPermissions(w http.ResponseWriter, r *http.Request) {
rows, err := h.repo.GetGroupedPermissions(r.Context())
if err != nil {
log.Println("ERR: Failed to list permissions from db:", err)
web.Error(w, "failed to get all permissions", http.StatusInternalServerError)
return
}
type RowDTO struct {
Scope string `json:"scope"`
Permissions []repository.Permission `json:"permissions"`
}
if len(rows) == 0 {
rows = make([]repository.GetGroupedPermissionsRow, 0)
}
var mapped []RowDTO
for _, row := range rows {
var permissions []repository.Permission
if err := json.Unmarshal(row.Permissions, &permissions); err != nil {
log.Println("ERR: Failed to extract permissions from byte array:", err)
web.Error(w, "failed to get permissions", http.StatusInternalServerError)
return
}
mapped = append(mapped, RowDTO{
Scope: row.Scope,
Permissions: permissions,
})
}
if len(mapped) == 0 {
mapped = make([]RowDTO, 0)
}
encoder := json.NewEncoder(w)
w.Header().Set("Content-Type", "application/json")
if err := encoder.Encode(mapped); err != nil {
web.Error(w, "failed to encode response", http.StatusInternalServerError)
}
}
func (h *AdminHandler) GetUserPermissions(w http.ResponseWriter, r *http.Request) {
userId := chi.URLParam(r, "user_id")
permissions, err := h.repo.GetUserPermissions(r.Context(), uuid.MustParse(userId))
if err != nil {
log.Println("ERR: Failed to list permissions from db:", err)
web.Error(w, "failed to get user permissions", http.StatusInternalServerError)
return
}
if len(permissions) == 0 {
permissions = make([]repository.Permission, 0)
}
encoder := json.NewEncoder(w)
w.Header().Set("Content-Type", "application/json")
if err := encoder.Encode(permissions); err != nil {
web.Error(w, "failed to encode response", http.StatusInternalServerError)
}
}

156
internal/admin/roles.go Normal file
View File

@ -0,0 +1,156 @@
package admin
import (
"encoding/json"
"log"
"net/http"
"gitea.local/admin/hspguard/internal/repository"
"gitea.local/admin/hspguard/internal/web"
"github.com/go-chi/chi/v5"
"github.com/google/uuid"
)
func (h *AdminHandler) GetAllRoles(w http.ResponseWriter, r *http.Request) {
rows, err := h.repo.GetRolesGroupedWithPermissions(r.Context())
if err != nil {
log.Println("ERR: Failed to list roles from db:", err)
web.Error(w, "failed to get all roles", http.StatusInternalServerError)
return
}
type RolePermissions struct {
Permissions []repository.Permission `json:"permissions"`
repository.Role
}
type RowDTO struct {
Scope string `json:"scope"`
Roles []RolePermissions `json:"roles"`
}
if len(rows) == 0 {
rows = make([]repository.GetRolesGroupedWithPermissionsRow, 0)
}
var mapped []RowDTO
for _, row := range rows {
var mappedRow RowDTO
mappedRow.Scope = row.Scope
if err := json.Unmarshal(row.Roles, &mappedRow.Roles); err != nil {
log.Println("ERR: Failed to extract roles from byte array:", err)
web.Error(w, "failed to get roles", http.StatusInternalServerError)
return
}
mapped = append(mapped, mappedRow)
}
if len(mapped) == 0 {
mapped = make([]RowDTO, 0)
}
encoder := json.NewEncoder(w)
w.Header().Set("Content-Type", "application/json")
if err := encoder.Encode(mapped); err != nil {
web.Error(w, "failed to encode response", http.StatusInternalServerError)
}
}
func (h *AdminHandler) GetUserRoles(w http.ResponseWriter, r *http.Request) {
userId := chi.URLParam(r, "user_id")
parsed, err := uuid.Parse(userId)
if err != nil {
log.Printf("ERR: Received invalid UUID on get user roles '%s': %v\n", userId, err)
web.Error(w, "invalid user id", http.StatusBadRequest)
return
}
rows, err := h.repo.GetUserRoles(r.Context(), parsed)
if err != nil {
log.Println("ERR: Failed to list roles from db:", err)
web.Error(w, "failed to get user roles", http.StatusInternalServerError)
return
}
if len(rows) == 0 {
rows = make([]repository.Role, 0)
}
encoder := json.NewEncoder(w)
w.Header().Set("Content-Type", "application/json")
if err := encoder.Encode(rows); err != nil {
web.Error(w, "failed to encode response", http.StatusInternalServerError)
}
}
type AssignRoleRequest struct {
RoleKey string `json:"role_key"`
}
func (h *AdminHandler) AssignUserRole(w http.ResponseWriter, r *http.Request) {
userId := chi.URLParam(r, "user_id")
var req AssignRoleRequest
decoder := json.NewDecoder(r.Body)
if err := decoder.Decode(&req); err != nil {
web.Error(w, "failed to parse request body", http.StatusBadRequest)
return
}
if req.RoleKey == "" {
web.Error(w, "role key is required for assign", http.StatusBadRequest)
return
}
parsed, err := uuid.Parse(userId)
if err != nil {
log.Printf("ERR: Failed to parse provided user ID '%s': %v\n", userId, err)
web.Error(w, "invalid user id provided", http.StatusBadRequest)
return
}
user, err := h.repo.FindUserId(r.Context(), parsed)
if err != nil {
web.Error(w, "no user found under provided id", http.StatusBadRequest)
return
}
if _, err := h.repo.FindUserRole(r.Context(), repository.FindUserRoleParams{
UserID: user.ID,
Key: req.RoleKey,
}); err == nil {
log.Printf("INFO: Unassigning role '%s' for user with '%s' id", req.RoleKey, user.ID.String())
// Unassign Role
if err := h.repo.UnassignUserRole(r.Context(), repository.UnassignUserRoleParams{
UserID: user.ID,
Key: req.RoleKey,
}); err != nil {
log.Printf("ERR: Failed to unassign role '%s' from user with '%s' id: %v\n", req.RoleKey, user.ID.String(), err)
web.Error(w, "failed to unassign role to user", http.StatusInternalServerError)
return
}
} else {
log.Printf("INFO: Assigning role '%s' for user with '%s' id", req.RoleKey, user.ID.String())
if err := h.repo.AssignUserRole(r.Context(), repository.AssignUserRoleParams{
UserID: user.ID,
Key: req.RoleKey,
}); err != nil {
log.Printf("ERR: Failed to assign role '%s' to user with '%s' id: %v\n", req.RoleKey, user.ID.String(), err)
web.Error(w, "failed to assign role to user", http.StatusInternalServerError)
return
}
}
w.WriteHeader(http.StatusOK)
}

7
internal/admin/routes.go
View File

@ -41,6 +41,13 @@ func (h *AdminHandler) RegisterRoutes(router chi.Router) {
r.Get("/service-sessions", h.GetServiceSessions)
r.Patch("/service-sessions/revoke/{id}", h.RevokeUserSession)
r.Get("/permissions", h.GetAllPermissions)
r.Get("/permissions/{user_id}", h.GetUserPermissions)
r.Get("/roles", h.GetAllRoles)
r.Get("/roles/{user_id}", h.GetUserRoles)
r.Patch("/roles/{user_id}", h.AssignUserRole)
})
router.Get("/api-services/client/{client_id}", h.GetApiServiceCID)

18
internal/auth/routes.go
View File

@ -20,21 +20,7 @@ type AuthHandler struct {
cfg *config.AppConfig
}
type SignedToken struct {
Token string
ExpiresAt time.Time
ID uuid.UUID
}
func NewSignedToken(token string, expiresAt time.Time, jti uuid.UUID) *SignedToken {
return &SignedToken{
Token: token,
ExpiresAt: expiresAt,
ID: jti,
}
}
func (h *AuthHandler) signTokens(user *repository.User) (*SignedToken, *SignedToken, error) {
func (h *AuthHandler) signTokens(user *repository.User) (*types.SignedToken, *types.SignedToken, error) {
accessExpiresAt := time.Now().Add(15 * time.Minute)
accessJTI := uuid.New()
@ -75,7 +61,7 @@ func (h *AuthHandler) signTokens(user *repository.User) (*SignedToken, *SignedTo
return nil, nil, err
}
return NewSignedToken(accessToken, accessExpiresAt, accessJTI), NewSignedToken(refreshToken, refreshExpiresAt, refreshJTI), nil
return types.NewSignedToken(accessToken, accessExpiresAt, accessJTI), types.NewSignedToken(refreshToken, refreshExpiresAt, refreshJTI), nil
}
func NewAuthHandler(repo *repository.Queries, cache *cache.Client, cfg *config.AppConfig) *AuthHandler {

135
internal/oauth/token.go
View File

@ -5,6 +5,7 @@ import (
"encoding/json"
"fmt"
"log"
"math"
"net/http"
"strings"
"time"
@ -17,20 +18,10 @@ import (
"github.com/google/uuid"
)
type ApiToken struct {
Token string
Expiration float64
}
type ApiTokens struct {
ID ApiToken
Access ApiToken
Refresh ApiToken
}
func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *repository.ApiService, nonce *string) (*ApiTokens, error) {
func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *repository.ApiService, nonce *string) (*types.SignedToken, *types.SignedToken, *types.SignedToken, error) {
accessExpiresIn := 15 * time.Minute
accessExpiresAt := time.Now().Add(accessExpiresIn)
accessJTI := uuid.New()
accessClaims := types.ApiClaims{
Permissions: []string{},
@ -40,12 +31,13 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
Audience: jwt.ClaimStrings{apiService.ClientID},
IssuedAt: jwt.NewNumericDate(time.Now()),
ExpiresAt: jwt.NewNumericDate(accessExpiresAt),
ID: accessJTI.String(),
},
}
access, err := util.SignJwtToken(accessClaims, h.cfg.Jwt.PrivateKey)
if err != nil {
return nil, err
return nil, nil, nil, err
}
var roles = []string{"user"}
@ -56,6 +48,7 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
idExpiresIn := 15 * time.Minute
idExpiresAt := time.Now().Add(idExpiresIn)
idJTI := uuid.New()
idClaims := types.IdTokenClaims{
Email: user.Email,
@ -70,16 +63,18 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
Audience: jwt.ClaimStrings{apiService.ClientID},
IssuedAt: jwt.NewNumericDate(time.Now()),
ExpiresAt: jwt.NewNumericDate(idExpiresAt),
ID: idJTI.String(),
},
}
idToken, err := util.SignJwtToken(idClaims, h.cfg.Jwt.PrivateKey)
if err != nil {
return nil, err
return nil, nil, nil, err
}
refreshExpiresIn := 24 * time.Hour
refreshExpiresAt := time.Now().Add(refreshExpiresIn)
refreshJTI := uuid.New()
refreshClaims := types.ApiRefreshClaims{
UserID: user.ID.String(),
@ -89,28 +84,16 @@ func (h *OAuthHandler) signApiTokens(user *repository.User, apiService *reposito
Audience: jwt.ClaimStrings{apiService.ClientID},
IssuedAt: jwt.NewNumericDate(time.Now()),
ExpiresAt: jwt.NewNumericDate(refreshExpiresAt),
ID: refreshJTI.String(),
},
}
refresh, err := util.SignJwtToken(refreshClaims, h.cfg.Jwt.PrivateKey)
if err != nil {
return nil, err
return nil, nil, nil, err
}
return &ApiTokens{
ID: ApiToken{
Token: idToken,
Expiration: idExpiresIn.Seconds(),
},
Access: ApiToken{
Token: access,
Expiration: accessExpiresIn.Seconds(),
},
Refresh: ApiToken{
Token: refresh,
Expiration: refreshExpiresIn.Seconds(),
},
}, nil
return types.NewSignedToken(idToken, idExpiresAt, idJTI), types.NewSignedToken(access, accessExpiresAt, accessJTI), types.NewSignedToken(refresh, refreshExpiresAt, refreshJTI), nil
}
func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
@ -174,40 +157,71 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
fmt.Printf("Code received: %s\n", code)
session, err := h.cache.GetAuthCode(r.Context(), code)
codeSession, err := h.cache.GetAuthCode(r.Context(), code)
if err != nil {
log.Printf("ERR: Failed to find session under the code %s: %v\n", code, err)
web.Error(w, "no session found under this auth code", http.StatusNotFound)
return
}
log.Printf("DEBUG: Fetched code session: %#v\n", session)
log.Printf("DEBUG: Fetched code session: %#v\n", codeSession)
apiService, err := h.repo.GetApiServiceCID(r.Context(), session.ClientID)
apiService, err := h.repo.GetApiServiceCID(r.Context(), codeSession.ClientID)
if err != nil {
log.Printf("ERR: Could not find API service with client %s: %v\n", session.ClientID, err)
log.Printf("ERR: Could not find API service with client %s: %v\n", codeSession.ClientID, err)
web.Error(w, "service is not registered", http.StatusForbidden)
return
}
if session.ClientID != clientId {
if codeSession.ClientID != clientId {
web.Error(w, "invalid auth", http.StatusUnauthorized)
return
}
user, err := h.repo.FindUserId(r.Context(), uuid.MustParse(session.UserID))
user, err := h.repo.FindUserId(r.Context(), uuid.MustParse(codeSession.UserID))
if err != nil {
web.Error(w, "requested user not found", http.StatusNotFound)
return
}
tokens, err := h.signApiTokens(&user, &apiService, &session.Nonce)
id, access, refresh, err := h.signApiTokens(&user, &apiService, &codeSession.Nonce)
if err != nil {
log.Println("ERR: Failed to sign api tokens:", err)
web.Error(w, "failed to sign tokens", http.StatusInternalServerError)
return
}
log.Printf("DEBUG: Created api tokens: %v\n\n%v\n\n%v\n", id.ID.String(), access.ID.String(), refresh.ID.String())
userId, err := uuid.Parse(codeSession.UserID)
if err != nil {
log.Printf("ERR: Failed to parse user '%s' uuid: %v\n", codeSession.UserID, err)
web.Error(w, "failed to sign tokens", http.StatusInternalServerError)
return
}
ipAddr := util.GetClientIP(r)
ua := r.UserAgent()
session, err := h.repo.CreateServiceSession(r.Context(), repository.CreateServiceSessionParams{
ServiceID: apiService.ID,
ClientID: apiService.ClientID,
UserID: &userId,
ExpiresAt: &refresh.ExpiresAt,
LastActive: nil,
IpAddress: &ipAddr,
UserAgent: &ua,
AccessTokenID: &access.ID,
RefreshTokenID: &refresh.ID,
})
if err != nil {
log.Printf("ERR: Failed to create new service session: %v\n", err)
web.Error(w, "failed to create session", http.StatusInternalServerError)
return
}
log.Printf("INFO: Service session created for '%s' client_id with '%s' id\n", apiService.ClientID, session.ID.String())
type Response struct {
IdToken string `json:"id_token"`
TokenType string `json:"token_type"`
@ -219,11 +233,11 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
}
response := Response{
IdToken: tokens.ID.Token,
IdToken: id.Token,
TokenType: "Bearer",
AccessToken: tokens.Access.Token,
RefreshToken: tokens.Refresh.Token,
ExpiresIn: tokens.Access.Expiration,
AccessToken: access.Token,
RefreshToken: refresh.Token,
ExpiresIn: math.Ceil(access.ExpiresAt.Sub(time.Now()).Seconds()),
Email: user.Email,
}
@ -256,6 +270,26 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
return
}
refreshJTI, err := uuid.Parse(claims.ID)
if err != nil {
log.Printf("ERR: Failed to parse refresh token JTI as uuid: %v\n", err)
web.Error(w, "failed to refresh token", http.StatusInternalServerError)
return
}
session, err := h.repo.GetServiceSessionByRefreshJTI(r.Context(), &refreshJTI)
if err != nil {
log.Printf("ERR: Failed to find session by '%s' refresh jti: %v\n", refreshJTI.String(), err)
web.Error(w, "session invalid", http.StatusUnauthorized)
return
}
if !session.IsActive {
log.Printf("INFO: Session with id '%s' is not active", session.ID.String())
web.Error(w, "session ended", http.StatusUnauthorized)
return
}
userID, err := uuid.Parse(claims.UserID)
if err != nil {
web.Error(w, "invalid user credentials in refresh token", http.StatusBadRequest)
@ -269,7 +303,18 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
return
}
tokens, err := h.signApiTokens(&user, &apiService, nil)
id, access, refresh, err := h.signApiTokens(&user, &apiService, nil)
if err := h.repo.UpdateServiceSessionTokens(r.Context(), repository.UpdateServiceSessionTokensParams{
ID: session.ID,
AccessTokenID: &access.ID,
RefreshTokenID: &refresh.ID,
ExpiresAt: &refresh.ExpiresAt,
}); err != nil {
log.Printf("ERR: Failed to update service session with '%s' id: %v\n", session.ID.String(), err)
web.Error(w, "failed to update session", http.StatusInternalServerError)
return
}
type Response struct {
IdToken string `json:"id_token"`
@ -280,11 +325,11 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
}
response := Response{
IdToken: tokens.ID.Token,
IdToken: id.Token,
TokenType: "Bearer",
AccessToken: tokens.Access.Token,
RefreshToken: tokens.Refresh.Token,
ExpiresIn: tokens.Access.Expiration,
AccessToken: access.Token,
RefreshToken: refresh.Token,
ExpiresIn: math.Ceil(access.ExpiresAt.Sub(time.Now()).Seconds()),
}
log.Printf("DEBUG: refresh - sending following response: %#v\n", response)

29
internal/repository/models.go
View File

@ -25,6 +25,25 @@ type ApiService struct {
IconUrl *string `json:"icon_url"`
}
type Permission struct {
ID uuid.UUID `json:"id"`
Name string `json:"name"`
Scope string `json:"scope"`
Description *string `json:"description"`
}
type Role struct {
ID uuid.UUID `json:"id"`
Name string `json:"name"`
Scope string `json:"scope"`
Description *string `json:"description"`
}
type RolePermission struct {
RoleID uuid.UUID `json:"role_id"`
PermissionID uuid.UUID `json:"permission_id"`
}
type ServiceSession struct {
ID uuid.UUID `json:"id"`
ServiceID uuid.UUID `json:"service_id"`
@ -60,6 +79,16 @@ type User struct {
Verified bool `json:"verified"`
}
type UserPermission struct {
UserID uuid.UUID `json:"user_id"`
PermissionID uuid.UUID `json:"permission_id"`
}
type UserRole struct {
UserID uuid.UUID `json:"user_id"`
RoleID uuid.UUID `json:"role_id"`
}
type UserSession struct {
ID uuid.UUID `json:"id"`
UserID uuid.UUID `json:"user_id"`

156
internal/repository/permissions.sql.go Normal file
View File

@ -0,0 +1,156 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
// sqlc v1.29.0
// source: permissions.sql
package repository
import (
"context"
"github.com/google/uuid"
)
const createPermission = `-- name: CreatePermission :one
INSERT into permissions (
name, scope, description
) VALUES (
$1, $2, $3
) RETURNING id, name, scope, description
`
type CreatePermissionParams struct {
Name string `json:"name"`
Scope string `json:"scope"`
Description *string `json:"description"`
}
func (q *Queries) CreatePermission(ctx context.Context, arg CreatePermissionParams) (Permission, error) {
row := q.db.QueryRow(ctx, createPermission, arg.Name, arg.Scope, arg.Description)
var i Permission
err := row.Scan(
&i.ID,
&i.Name,
&i.Scope,
&i.Description,
)
return i, err
}
const findPermission = `-- name: FindPermission :one
SELECT id, name, scope, description FROM permissions
WHERE name = $1 AND scope = $2
`
type FindPermissionParams struct {
Name string `json:"name"`
Scope string `json:"scope"`
}
func (q *Queries) FindPermission(ctx context.Context, arg FindPermissionParams) (Permission, error) {
row := q.db.QueryRow(ctx, findPermission, arg.Name, arg.Scope)
var i Permission
err := row.Scan(
&i.ID,
&i.Name,
&i.Scope,
&i.Description,
)
return i, err
}
const getAllPermissions = `-- name: GetAllPermissions :many
SELECT id, name, scope, description
FROM permissions p
ORDER BY p.scope
`
func (q *Queries) GetAllPermissions(ctx context.Context) ([]Permission, error) {
rows, err := q.db.Query(ctx, getAllPermissions)
if err != nil {
return nil, err
}
defer rows.Close()
var items []Permission
for rows.Next() {
var i Permission
if err := rows.Scan(
&i.ID,
&i.Name,
&i.Scope,
&i.Description,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const getGroupedPermissions = `-- name: GetGroupedPermissions :many
SELECT scope, json_agg(to_jsonb(permissions.*) ORDER BY name) as permissions
FROM permissions
GROUP BY scope
`
type GetGroupedPermissionsRow struct {
Scope string `json:"scope"`
Permissions []byte `json:"permissions"`
}
func (q *Queries) GetGroupedPermissions(ctx context.Context) ([]GetGroupedPermissionsRow, error) {
rows, err := q.db.Query(ctx, getGroupedPermissions)
if err != nil {
return nil, err
}
defer rows.Close()
var items []GetGroupedPermissionsRow
for rows.Next() {
var i GetGroupedPermissionsRow
if err := rows.Scan(&i.Scope, &i.Permissions); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const getUserPermissions = `-- name: GetUserPermissions :many
SELECT DISTINCT p.id,p.name,p.scope,p.description
FROM user_roles ur
JOIN role_permissions rp ON ur.role_id = rp.role_id
JOIN permissions p ON rp.permission_id = p.id
WHERE ur.user_id = $1
ORDER BY p.scope
`
func (q *Queries) GetUserPermissions(ctx context.Context, userID uuid.UUID) ([]Permission, error) {
rows, err := q.db.Query(ctx, getUserPermissions, userID)
if err != nil {
return nil, err
}
defer rows.Close()
var items []Permission
for rows.Next() {
var i Permission
if err := rows.Scan(
&i.ID,
&i.Name,
&i.Scope,
&i.Description,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}

282
internal/repository/roles.sql.go Normal file
View File

@ -0,0 +1,282 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
// sqlc v1.29.0
// source: roles.sql
package repository
import (
"context"
"github.com/google/uuid"
)
const addPermissionsToRoleByKey = `-- name: AddPermissionsToRoleByKey :exec
INSERT INTO role_permissions (role_id, permission_id)
SELECT
$1,
p.id
FROM
permissions p
JOIN
unnest($2::text[]) AS key_str
ON key_str = p.scope || '_' || p.name
`
type AddPermissionsToRoleByKeyParams struct {
RoleID uuid.UUID `json:"role_id"`
PermissionKeys []string `json:"permission_keys"`
}
func (q *Queries) AddPermissionsToRoleByKey(ctx context.Context, arg AddPermissionsToRoleByKeyParams) error {
_, err := q.db.Exec(ctx, addPermissionsToRoleByKey, arg.RoleID, arg.PermissionKeys)
return err
}
const assignRolePermission = `-- name: AssignRolePermission :exec
INSERT INTO role_permissions (role_id, permission_id)
VALUES (
$1,
(
SELECT id
FROM permissions p
WHERE p.scope = split_part($2, '_', 1)
AND p.name = right($2, length($2) - position('_' IN $2))
)
)
`
type AssignRolePermissionParams struct {
RoleID uuid.UUID `json:"role_id"`
Key string `json:"key"`
}
func (q *Queries) AssignRolePermission(ctx context.Context, arg AssignRolePermissionParams) error {
_, err := q.db.Exec(ctx, assignRolePermission, arg.RoleID, arg.Key)
return err
}
const assignUserRole = `-- name: AssignUserRole :exec
INSERT INTO user_roles (user_id, role_id)
VALUES ($1, (
SELECT id FROM roles r
WHERE r.scope = split_part($2, '_', 1)
AND r.name = right($2, length($2) - position('_' IN $2))
))
`
type AssignUserRoleParams struct {
UserID uuid.UUID `json:"user_id"`
Key string `json:"key"`
}
func (q *Queries) AssignUserRole(ctx context.Context, arg AssignUserRoleParams) error {
_, err := q.db.Exec(ctx, assignUserRole, arg.UserID, arg.Key)
return err
}
const createRole = `-- name: CreateRole :one
INSERT INTO roles (name, scope, description)
VALUES ($1, $2, $3)
RETURNING id, name, scope, description
`
type CreateRoleParams struct {
Name string `json:"name"`
Scope string `json:"scope"`
Description *string `json:"description"`
}
func (q *Queries) CreateRole(ctx context.Context, arg CreateRoleParams) (Role, error) {
row := q.db.QueryRow(ctx, createRole, arg.Name, arg.Scope, arg.Description)
var i Role
err := row.Scan(
&i.ID,
&i.Name,
&i.Scope,
&i.Description,
)
return i, err
}
const findRole = `-- name: FindRole :one
SELECT id, name, scope, description
FROM roles
WHERE scope = $1 AND name = $2
`
type FindRoleParams struct {
Scope string `json:"scope"`
Name string `json:"name"`
}
func (q *Queries) FindRole(ctx context.Context, arg FindRoleParams) (Role, error) {
row := q.db.QueryRow(ctx, findRole, arg.Scope, arg.Name)
var i Role
err := row.Scan(
&i.ID,
&i.Name,
&i.Scope,
&i.Description,
)
return i, err
}
const findUserRole = `-- name: FindUserRole :one
SELECT user_id, role_id FROM user_roles
WHERE user_id = $1 AND role_id = (SELECT id FROM roles r WHERE r.scope = split_part($2, '_', 1) AND r.name = right($2, length($2) - position('_' IN $2)))
LIMIT 1
`
type FindUserRoleParams struct {
UserID uuid.UUID `json:"user_id"`
Key string `json:"key"`
}
func (q *Queries) FindUserRole(ctx context.Context, arg FindUserRoleParams) (UserRole, error) {
row := q.db.QueryRow(ctx, findUserRole, arg.UserID, arg.Key)
var i UserRole
err := row.Scan(&i.UserID, &i.RoleID)
return i, err
}
const getRoleAssignment = `-- name: GetRoleAssignment :one
SELECT role_id, permission_id FROM role_permissions
WHERE role_id = $1 AND permission_id = (SELECT id FROM permissions p WHERE p.scope = split_part($2, '_', 1) AND p.name = right($2, length($2) - position('_' IN $2)))
LIMIT 1
`
type GetRoleAssignmentParams struct {
RoleID uuid.UUID `json:"role_id"`
Key string `json:"key"`
}
func (q *Queries) GetRoleAssignment(ctx context.Context, arg GetRoleAssignmentParams) (RolePermission, error) {
row := q.db.QueryRow(ctx, getRoleAssignment, arg.RoleID, arg.Key)
var i RolePermission
err := row.Scan(&i.RoleID, &i.PermissionID)
return i, err
}
const getRolesGroupedWithPermissions = `-- name: GetRolesGroupedWithPermissions :many
SELECT
r.scope,
json_agg (
json_build_object (
'id',
r.id,
'name',
r.name,
'scope',
r.scope,
'description',
r.description,
'permissions',
COALESCE(p_list.permissions, '[]')
)
ORDER BY
r.name
) AS roles
FROM
roles r
LEFT JOIN (
SELECT
rp.role_id,
json_agg (
json_build_object (
'id',
p.id,
'name',
p.name,
'scope',
p.scope,
'description',
p.description
)
ORDER BY
p.name
) AS permissions
FROM
role_permissions rp
JOIN permissions p ON p.id = rp.permission_id
GROUP BY
rp.role_id
) p_list ON p_list.role_id = r.id
GROUP BY
r.scope
`
type GetRolesGroupedWithPermissionsRow struct {
Scope string `json:"scope"`
Roles []byte `json:"roles"`
}
func (q *Queries) GetRolesGroupedWithPermissions(ctx context.Context) ([]GetRolesGroupedWithPermissionsRow, error) {
rows, err := q.db.Query(ctx, getRolesGroupedWithPermissions)
if err != nil {
return nil, err
}
defer rows.Close()
var items []GetRolesGroupedWithPermissionsRow
for rows.Next() {
var i GetRolesGroupedWithPermissionsRow
if err := rows.Scan(&i.Scope, &i.Roles); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const getUserRoles = `-- name: GetUserRoles :many
SELECT r.id, r.name, r.scope, r.description FROM roles r
JOIN user_roles ur ON r.id = ur.role_id
WHERE ur.user_id = $1
`
func (q *Queries) GetUserRoles(ctx context.Context, userID uuid.UUID) ([]Role, error) {
rows, err := q.db.Query(ctx, getUserRoles, userID)
if err != nil {
return nil, err
}
defer rows.Close()
var items []Role
for rows.Next() {
var i Role
if err := rows.Scan(
&i.ID,
&i.Name,
&i.Scope,
&i.Description,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const unassignUserRole = `-- name: UnassignUserRole :exec
DELETE FROM user_roles
WHERE user_id = $1 AND role_id = (
SELECT id FROM roles r
WHERE r.scope = split_part($2, '_', 1)
AND r.name = right($2, length($2) - position('_' IN $2))
)
`
type UnassignUserRoleParams struct {
UserID uuid.UUID `json:"user_id"`
Key string `json:"key"`
}
func (q *Queries) UnassignUserRole(ctx context.Context, arg UnassignUserRoleParams) error {
_, err := q.db.Exec(ctx, unassignUserRole, arg.UserID, arg.Key)
return err
}

30
internal/repository/service_sessions.sql.go
View File

@ -20,7 +20,7 @@ INSERT INTO service_sessions (
) VALUES (
$1, $2, $3, NOW(), $4, $5,
$6, $7, $8, $9,
TRUE, $8, $9
TRUE, $10, $11
)
RETURNING id, service_id, client_id, user_id, issued_at, expires_at, last_active, ip_address, user_agent, access_token_id, refresh_token_id, is_active, revoked_at, scope, claims
`
@ -35,6 +35,8 @@ type CreateServiceSessionParams struct {
UserAgent *string `json:"user_agent"`
AccessTokenID *uuid.UUID `json:"access_token_id"`
RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
Scope *string `json:"scope"`
Claims []byte `json:"claims"`
}
func (q *Queries) CreateServiceSession(ctx context.Context, arg CreateServiceSessionParams) (ServiceSession, error) {
@ -48,6 +50,8 @@ func (q *Queries) CreateServiceSession(ctx context.Context, arg CreateServiceSes
arg.UserAgent,
arg.AccessTokenID,
arg.RefreshTokenID,
arg.Scope,
arg.Claims,
)
var i ServiceSession
err := row.Scan(
@ -389,3 +393,27 @@ func (q *Queries) UpdateServiceSessionLastActive(ctx context.Context, id uuid.UU
_, err := q.db.Exec(ctx, updateServiceSessionLastActive, id)
return err
}
const updateServiceSessionTokens = `-- name: UpdateServiceSessionTokens :exec
UPDATE service_sessions
SET access_token_id = $2, refresh_token_id = $3, expires_at = $4
WHERE id = $1
AND is_active = TRUE
`
type UpdateServiceSessionTokensParams struct {
ID uuid.UUID `json:"id"`
AccessTokenID *uuid.UUID `json:"access_token_id"`
RefreshTokenID *uuid.UUID `json:"refresh_token_id"`
ExpiresAt *time.Time `json:"expires_at"`
}
func (q *Queries) UpdateServiceSessionTokens(ctx context.Context, arg UpdateServiceSessionTokensParams) error {
_, err := q.db.Exec(ctx, updateServiceSessionTokens,
arg.ID,
arg.AccessTokenID,
arg.RefreshTokenID,
arg.ExpiresAt,
)
return err
}

21
internal/types/token.go Normal file
View File

@ -0,0 +1,21 @@
package types
import (
"time"
"github.com/google/uuid"
)
type SignedToken struct {
Token string
ExpiresAt time.Time
ID uuid.UUID
}
func NewSignedToken(token string, expiresAt time.Time, jti uuid.UUID) *SignedToken {
return &SignedToken{
Token: token,
ExpiresAt: expiresAt,
ID: jti,
}
}

215
internal/user/permissions.go Normal file
View File

@ -0,0 +1,215 @@
package user
import (
"context"
"log"
"gitea.local/admin/hspguard/internal/repository"
)
func String(s string) *string {
return &s
}
type RolePermissions struct {
Permissions []string `json:"permissions"`
repository.Role
}
var (
SYSTEM_SCOPE string = "system"
SYSTEM_PERMISSIONS []repository.Permission = []repository.Permission{
{
Name: "log_into_guard",
Description: String("Allow users to log into their accounts"),
},
{
Name: "register",
Description: String("Allow users to register new accounts"),
},
{
Name: "edit_profile",
Description: String("Allow users to edit their profiles"),
},
{
Name: "recover_credentials",
Description: String("Allow users to recover their password/email"),
},
{
Name: "verify_profile",
Description: String("Allow users to verify their accounts"),
},
{
Name: "access_home_services",
Description: String("Allow users to access home services and tools"),
},
{
Name: "view_sessions",
Description: String("Allow users to view their active sessions"),
},
{
Name: "revoke_sessions",
Description: String("Allow users to revoke their active sessions"),
},
{
Name: "view_api_services",
Description: String("Allow users to view API Services (for admin)"),
},
{
Name: "add_api_services",
Description: String("Allow users to register new API Services (for admin)"),
},
{
Name: "edit_api_services",
Description: String("Allow users to edit API Services (for admin)"),
},
{
Name: "remove_api_services",
Description: String("Allow users to remove API Services (for admin)"),
},
{
Name: "view_users",
Description: String("Allow users to view other users (for admin)"),
},
{
Name: "add_users",
Description: String("Allow users to create new users (for admin)"),
},
// TODO: block, delete users
{
Name: "view_user_sessions",
Description: String("Allow users to view user sessions (for admin)"),
},
{
Name: "revoke_user_sessions",
Description: String("Allow users to revoke user sessions (for admin)"),
},
{
Name: "view_service_sessions",
Description: String("Allow users to view service sessions (for admin)"),
},
{
Name: "revoke_service_sessions",
Description: String("Allow users to revoke service sessions (for admin)"),
},
{
Name: "view_permissions",
Description: String("Allow users to view all permissions (for admin)"),
},
{
Name: "view_roles_groups",
Description: String("Allow users to view roles & groups (for admin)"),
},
}
SYSTEM_ROLES []RolePermissions = []RolePermissions{
{
Permissions: []string{
"system_log_into_guard",
"system_register",
"system_edit_profile",
"system_recover_credentials",
"system_verify_profile",
"system_access_home_services",
"system_view_sessions",
"system_revoke_sessions",
"system_view_api_services",
"system_add_api_services",
"system_edit_api_services",
"system_remove_api_services",
"system_view_users",
"system_add_users",
"system_view_user_sessions",
"system_revoke_user_sessions",
"system_view_service_sessions",
"system_revoke_service_sessions",
"system_view_permissions",
"system_view_roles_groups",
},
Role: repository.Role{
Name: "admin",
Description: String("User with full power"),
},
},
{
Permissions: []string{
"system_log_into_guard",
"system_register",
"system_edit_profile",
"system_recover_credentials",
"system_verify_profile",
"system_access_home_services",
"system_view_sessions",
"system_revoke_sessions",
},
Role: repository.Role{
Name: "member",
Description: String("User that is able to use home services"),
},
},
{
Permissions: []string{
"system_log_into_guard",
"system_register",
},
Role: repository.Role{
Name: "guest",
Description: String("New user that needs approve for everything from admin"),
},
},
}
)
func EnsureSystemPermissions(ctx context.Context, repo *repository.Queries) {
for _, permission := range SYSTEM_PERMISSIONS {
_, err := repo.FindPermission(ctx, repository.FindPermissionParams{
Name: permission.Name,
Scope: SYSTEM_SCOPE,
})
if err != nil {
log.Printf("INFO: Creating SYSTEM permission: '%s'\n", permission.Name)
_, err = repo.CreatePermission(ctx, repository.CreatePermissionParams{
Name: permission.Name,
Scope: SYSTEM_SCOPE,
Description: permission.Description,
})
if err != nil {
log.Fatalf("ERR: Failed to create SYSTEM permission: '%s'\n", permission.Name)
}
}
}
for _, role := range SYSTEM_ROLES {
var found repository.Role
var err error
found, err = repo.FindRole(ctx, repository.FindRoleParams{
Scope: SYSTEM_SCOPE,
Name: role.Name,
})
if err != nil {
log.Printf("INFO: Create new SYSTEM role '%s'\n", role.Name)
found, err = repo.CreateRole(ctx, repository.CreateRoleParams{
Name: role.Name,
Scope: SYSTEM_SCOPE,
Description: role.Description,
})
if err != nil {
log.Fatalf("ERR: Failed to create SYSTEM role '%s': %v\n", role.Name, err)
}
}
for _, perm := range role.Permissions {
if _, exists := repo.GetRoleAssignment(ctx, repository.GetRoleAssignmentParams{
RoleID: found.ID,
Key: perm,
}); exists != nil {
if err := repo.AssignRolePermission(ctx, repository.AssignRolePermissionParams{
RoleID: found.ID,
Key: perm,
}); err != nil {
log.Fatalf("ERR: Failed to assign permission '%s' to SYSTEM role %s: %v\n", perm, found.Name, err)
}
}
}
}
}

55
migrations/00013_add_group_role_permission.sql Normal file
View File

@ -0,0 +1,55 @@
-- +goose Up
-- +goose StatementBegin
-- ROLES
CREATE TABLE roles (
id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
name TEXT NOT NULL,
scope TEXT NOT NULL,
description TEXT,
UNIQUE (name, scope)
);
-- PERMISSIONS
CREATE TABLE permissions (
id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
name TEXT NOT NULL,
scope TEXT NOT NULL,
description TEXT,
UNIQUE (name, scope)
);
-- ROLE-PERMISSIONS (many-to-many)
CREATE TABLE role_permissions (
role_id UUID REFERENCES roles (id) ON DELETE CASCADE,
permission_id UUID REFERENCES permissions (id) ON DELETE CASCADE,
PRIMARY KEY (role_id, permission_id)
);
-- USER-ROLES (direct assignment, optional)
CREATE TABLE user_roles (
user_id UUID REFERENCES users (id) ON DELETE CASCADE,
role_id UUID REFERENCES roles (id) ON DELETE CASCADE,
PRIMARY KEY (user_id, role_id)
);
-- USER-PERMISSIONS (direct assignment, optional)
CREATE TABLE user_permissions (
user_id UUID REFERENCES users (id) ON DELETE CASCADE,
permission_id UUID REFERENCES permissions (id) ON DELETE CASCADE,
PRIMARY KEY (user_id, permission_id)
);
-- +goose StatementEnd
-- +goose Down
-- +goose StatementBegin
DROP TABLE IF EXISTS user_permissions;
DROP TABLE IF EXISTS user_roles;
DROP TABLE IF EXISTS role_permissions;
DROP TABLE IF EXISTS permissions;
DROP TABLE IF EXISTS roles;
-- +goose StatementEnd

29
queries/permissions.sql Normal file
View File

@ -0,0 +1,29 @@
-- name: GetAllPermissions :many
SELECT *
FROM permissions p
ORDER BY p.scope;
-- name: GetGroupedPermissions :many
SELECT scope, json_agg(to_jsonb(permissions.*) ORDER BY name) as permissions
FROM permissions
GROUP BY scope;
-- name: CreatePermission :one
INSERT into permissions (
name, scope, description
) VALUES (
$1, $2, $3
) RETURNING *;
-- name: FindPermission :one
SELECT * FROM permissions
WHERE name = $1 AND scope = $2;
-- name: GetUserPermissions :many
SELECT DISTINCT p.id,p.name,p.scope,p.description
FROM user_roles ur
JOIN role_permissions rp ON ur.role_id = rp.role_id
JOIN permissions p ON rp.permission_id = p.id
WHERE ur.user_id = $1
ORDER BY p.scope;

109
queries/roles.sql Normal file
View File

@ -0,0 +1,109 @@
-- name: FindRole :one
SELECT *
FROM roles
WHERE scope = $1 AND name = $2;
-- name: GetRolesGroupedWithPermissions :many
SELECT
r.scope,
json_agg (
json_build_object (
'id',
r.id,
'name',
r.name,
'scope',
r.scope,
'description',
r.description,
'permissions',
COALESCE(p_list.permissions, '[]')
)
ORDER BY
r.name
) AS roles
FROM
roles r
LEFT JOIN (
SELECT
rp.role_id,
json_agg (
json_build_object (
'id',
p.id,
'name',
p.name,
'scope',
p.scope,
'description',
p.description
)
ORDER BY
p.name
) AS permissions
FROM
role_permissions rp
JOIN permissions p ON p.id = rp.permission_id
GROUP BY
rp.role_id
) p_list ON p_list.role_id = r.id
GROUP BY
r.scope;
-- name: CreateRole :one
INSERT INTO roles (name, scope, description)
VALUES ($1, $2, $3)
RETURNING *;
-- name: GetRoleAssignment :one
SELECT * FROM role_permissions
WHERE role_id = $1 AND permission_id = (SELECT id FROM permissions p WHERE p.scope = split_part(sqlc.arg('key'), '_', 1) AND p.name = right(sqlc.arg('key'), length(sqlc.arg('key')) - position('_' IN sqlc.arg('key'))))
LIMIT 1;
-- name: AssignRolePermission :exec
INSERT INTO role_permissions (role_id, permission_id)
VALUES (
$1,
(
SELECT id
FROM permissions p
WHERE p.scope = split_part(sqlc.arg('key'), '_', 1)
AND p.name = right(sqlc.arg('key'), length(sqlc.arg('key')) - position('_' IN sqlc.arg('key')))
)
);
-- name: AddPermissionsToRoleByKey :exec
INSERT INTO role_permissions (role_id, permission_id)
SELECT
sqlc.arg(role_id),
p.id
FROM
permissions p
JOIN
unnest(sqlc.arg(permission_keys)::text[]) AS key_str
ON key_str = p.scope || '_' || p.name;
-- name: GetUserRoles :many
SELECT r.* FROM roles r
JOIN user_roles ur ON r.id = ur.role_id
WHERE ur.user_id = $1;
-- name: AssignUserRole :exec
INSERT INTO user_roles (user_id, role_id)
VALUES ($1, (
SELECT id FROM roles r
WHERE r.scope = split_part(sqlc.arg('key'), '_', 1)
AND r.name = right(sqlc.arg('key'), length(sqlc.arg('key')) - position('_' IN sqlc.arg('key')))
));
-- name: UnassignUserRole :exec
DELETE FROM user_roles
WHERE user_id = $1 AND role_id = (
SELECT id FROM roles r
WHERE r.scope = split_part(sqlc.arg('key'), '_', 1)
AND r.name = right(sqlc.arg('key'), length(sqlc.arg('key')) - position('_' IN sqlc.arg('key')))
);
-- name: FindUserRole :one
SELECT * FROM user_roles
WHERE user_id = $1 AND role_id = (SELECT id FROM roles r WHERE r.scope = split_part(sqlc.arg('key'), '_', 1) AND r.name = right(sqlc.arg('key'), length(sqlc.arg('key')) - position('_' IN sqlc.arg('key'))))
LIMIT 1;

8
queries/service_sessions.sql
View File

@ -6,7 +6,7 @@ INSERT INTO service_sessions (
) VALUES (
$1, $2, $3, NOW(), $4, $5,
$6, $7, $8, $9,
TRUE, $8, $9
TRUE, $10, $11
)
RETURNING *;
@ -46,6 +46,12 @@ SET last_active = NOW()
WHERE id = $1
AND is_active = TRUE;
-- name: UpdateServiceSessionTokens :exec
UPDATE service_sessions
SET access_token_id = $2, refresh_token_id = $3, expires_at = $4
WHERE id = $1
AND is_active = TRUE;
-- name: ListAllServiceSessions :many
SELECT * FROM service_sessions
ORDER BY issued_at DESC

12
web/src/App.tsx
View File

@ -27,6 +27,8 @@ import VerifyAvatarPage from "./pages/Verify/Avatar";
import VerifyReviewPage from "./pages/Verify/Review";
import AdminUserSessionsPage from "./pages/Admin/UserSessions";
import AdminServiceSessionsPage from "./pages/Admin/ServiceSessions";
import AdminAppPermissionsPage from "./pages/Admin/AppPermissions";
import AdminRolesGroupsPage from "./pages/Admin/RolesGroups";
const router = createBrowserRouter([
{
@ -93,6 +95,16 @@ const router = createBrowserRouter([
{ index: true, element: <AdminServiceSessionsPage /> },
],
},
{
path: "app-permissions",
children: [
{ index: true, element: <AdminAppPermissionsPage /> },
],
},
{
path: "roles-groups",
children: [{ index: true, element: <AdminRolesGroupsPage /> }],
},
],
},
],

34
web/src/api/admin/permissions.ts Normal file
View File

@ -0,0 +1,34 @@
import type { AppPermission } from "@/types";
import { axios, handleApiError } from "..";
export type FetchPermissionsResponse = AppPermission[];
export const getUserPermissionsApi = async (
userId: string,
): Promise<FetchPermissionsResponse> => {
const response = await axios.get<FetchPermissionsResponse>(
`/api/v1/admin/permissions/${userId}`,
);
if (response.status !== 200 && response.status !== 201)
throw await handleApiError(response);
return response.data;
};
export type FetchGroupedPermissionsResponse = {
scope: string;
permissions: AppPermission[];
}[];
export const getPermissionsApi =
async (): Promise<FetchGroupedPermissionsResponse> => {
const response = await axios.get<FetchGroupedPermissionsResponse>(
"/api/v1/admin/permissions",
);
if (response.status !== 200 && response.status !== 201)
throw await handleApiError(response);
return response.data;
};

51
web/src/api/admin/roles.ts Normal file
View File

@ -0,0 +1,51 @@
import type { AppPermission, AppRole } from "@/types";
import { axios, handleApiError } from "..";
export type FetchGroupedRolesResponse = {
scope: string;
roles: (AppRole & {
permissions: AppPermission[];
})[];
}[];
export const getRolesApi = async (): Promise<FetchGroupedRolesResponse> => {
const response = await axios.get<FetchGroupedRolesResponse>(
"/api/v1/admin/roles",
);
if (response.status !== 200 && response.status !== 201)
throw await handleApiError(response);
return response.data;
};
export type FetchUserRolesResponse = AppRole[];
export const getUserRolesApi = async (
userId: string,
): Promise<FetchUserRolesResponse> => {
const response = await axios.get<FetchUserRolesResponse>(
`/api/v1/admin/roles/${userId}`,
);
if (response.status !== 200 && response.status !== 201)
throw await handleApiError(response);
return response.data;
};
export interface AssignUserRoleRequest {
role_key: string;
}
export const assignUserRoleApi = async (
userId: string,
params: AssignUserRoleRequest,
) => {
const response = await axios.patch(`/api/v1/admin/roles/${userId}`, params);
if (response.status !== 200 && response.status !== 201)
throw await handleApiError(response);
return response.data;
};

2
web/src/feature/Avatar/index.tsx
View File

@ -5,7 +5,7 @@ import { useMemo, type FC } from "react";
export interface AvatarProps {
iconSize?: number;
className?: string;
avatarId?: string;
avatarId?: string | null;
}
const Avatar: FC<AvatarProps> = ({ iconSize = 32, className, avatarId }) => {

115
web/src/feature/FoldableRolesTable/index.tsx Normal file
View File

@ -0,0 +1,115 @@
import { Button } from "@/components/ui/button";
import { useRoles } from "@/store/admin/rolesGroups";
import { useUsers } from "@/store/admin/users";
import type { AppRole } from "@/types";
import { ChevronDown, LoaderCircle, Plus } from "lucide-react";
import React, { useCallback, useEffect, useState } from "react";
type Props = {
userRoles: AppRole[];
onToggleRole?: (scope: string, role: string, isAssigned: boolean) => void;
};
const FoldableRolesTable: React.FC<Props> = ({ userRoles, onToggleRole }) => {
const [openScopes, setOpenScopes] = useState<Record<string, boolean>>({});
const roleMap = useRoles((s) => s.roles);
const loadRoles = useRoles((s) => s.fetch);
const loadUserRoles = useUsers((state) => state.fetchUserRoles);
const user = useUsers((s) => s.current);
const togglingRole = useRoles((s) => s.toggling);
const toggleRole = useRoles((s) => s.assign);
const toggleUserRole = useCallback(
async (role: AppRole) => {
if (togglingRole === role.id) return;
if (user) {
await toggleRole(user.id, role);
loadRoles();
loadUserRoles();
}
},
[loadRoles, loadUserRoles, toggleRole, togglingRole, user],
);
const toggleScope = (scope: string) => {
setOpenScopes((prev) => ({
...prev,
[scope]: !prev[scope],
}));
};
useEffect(() => {
loadRoles();
}, [loadRoles]);
return (
<div className="w-full mx-auto shadow-md overflow-hidden">
<div className="divide-y divide-gray-200 dark:divide-gray-700">
{Object.entries(roleMap).map(([scope, roles]) => (
<div key={`${scope}`}>
<div
className="w-full text-left px-4 py-3 flex items-center justify-between cursor-pointer"
onClick={() => toggleScope(scope)}
>
<div className="flex items-center">
<span className="font-semibold text-gray-800 dark:text-gray-200">
{scope.toUpperCase()}{" "}
<span className="text-sm opacity-50 font-light">
(
{
roles.filter((r) =>
userRoles.some((ur) => ur.id === r.id),
).length
}
/{roles.length})
</span>
</span>
</div>
<span className="text-sm text-gray-500">
<ChevronDown
className={`${openScopes[scope] ? "rotate-180" : ""} transition`}
/>
</span>
</div>
<ul
className={`px-5 py-1 pb-4 transition-height ${openScopes[scope] ? "h-auto" : "h-0 py-0!"} overflow-hidden flex items-center flex-wrap gap-2`}
>
{roles.length === 0 ? (
<li className="text-gray-500 italic">No roles found</li>
) : (
roles.map((role) => (
<li
key={role.id}
className="flex items-center justify-between"
onClick={() => toggleUserRole(role)}
>
<span
className={`px-2 py-1 flex items-center gap-1 cursor-pointer select-none rounded text-xs ${
userRoles.some((ur) => ur.id === role.id)
? "bg-green-200 text-green-800 dark:bg-green-700/20 dark:text-green-300"
: "bg-red-200 text-red-800 dark:bg-red-700/20 dark:text-red-300"
} ${togglingRole === role.id ? "opacity-50" : ""}`}
>
{togglingRole === role.id && (
<LoaderCircle className="animate-spin" size={12} />
)}
{role.name.toUpperCase()}
</span>
</li>
))
)}
</ul>
</div>
))}
</div>
</div>
);
};
export default FoldableRolesTable;

67
web/src/feature/RoleMatrix/index.tsx Normal file
View File

@ -0,0 +1,67 @@
import React from "react";
type RoleMatrixProps = {
scopes: string[];
roles: string[];
userRoles: Record<string, string[]>; // e.g. { "Project Alpha": ["admin", "viewer"] }
onToggle?: (scope: string, role: string, isAssigned: boolean) => void;
};
const RoleMatrix: React.FC<RoleMatrixProps> = ({
scopes,
roles,
userRoles,
onToggle,
}) => {
const isChecked = (scope: string, role: string) =>
userRoles[scope]?.includes(role) ?? false;
return (
<div className="overflow-x-auto">
<table className="min-w-full table-auto border border-gray-300">
<thead className="bg-gray-100">
<tr>
<th className="border border-gray-300 px-4 py-2 text-left">
Scope / Role
</th>
{roles.map((role) => (
<th
key={role}
className="border border-gray-300 px-4 py-2 text-center capitalize"
>
{role}
</th>
))}
</tr>
</thead>
<tbody>
{scopes.map((scope) => (
<tr key={scope} className="hover:bg-gray-50">
<td className="border border-gray-300 px-4 py-2 font-medium">
{scope}
</td>
{roles.map((role) => {
const checked = isChecked(scope, role);
return (
<td
key={`${scope}-${role}`}
className="border border-gray-300 px-4 py-2 text-center"
>
<input
type="checkbox"
className="form-checkbox h-4 w-4 text-indigo-600 transition duration-150"
checked={checked}
onChange={() => onToggle?.(scope, role, !checked)}
/>
</td>
);
})}
</tr>
))}
</tbody>
</table>
</div>
);
};
export default RoleMatrix;

23
web/src/hooks/barItems.tsx
View File

@ -1,5 +1,14 @@
import { useAuth } from "@/store/auth";
import { Blocks, EarthLock, Home, User, UserLock, Users } from "lucide-react";
import {
Blocks,
ContactRound,
EarthLock,
Home,
KeyRound,
User,
UserLock,
Users,
} from "lucide-react";
import { useCallback, type ReactNode } from "react";
import { useLocation } from "react-router";
@ -93,6 +102,18 @@ export const useBarItems = (): [Item[], (item: Item) => boolean] => {
tab: "admin.service-sessions",
pathname: "/admin/service-sessions",
},
{
icon: <KeyRound />,
title: "App Permissions",
tab: "admin.app-permissions",
pathname: "/admin/app-permissions",
},
{
icon: <ContactRound />,
title: "Roles & Groups",
tab: "admin.roles-groups",
pathname: "/admin/roles-groups",
},
]
: []),
],

5
web/src/index.css
View File

@ -9,6 +9,11 @@
-ms-overflow-style: none;
scrollbar-width: none;
}
.transition-height {
transition-property: height;
transition-duration: 300ms;
transition-timing-function: ease;
}
}
html,

14
web/src/pages/Admin/ApiServices/Create/index.tsx
View File

@ -5,7 +5,7 @@ import ApiServiceCredentialsModal from "@/feature/ApiServiceCredentialsModal";
import { useApiServices } from "@/store/admin/apiServices";
import { useCallback, type FC } from "react";
import { useForm } from "react-hook-form";
import { Link, useNavigate } from "react-router";
import { Link } from "react-router";
interface FormData {
name: string;
@ -32,12 +32,10 @@ const ApiServiceCreatePage: FC = () => {
const credentials = useApiServices((state) => state.createdCredentials);
const navigate = useNavigate();
const onSubmit = useCallback(
async (data: FormData) => {
console.log("Form submitted:", data);
const success = await createApiService({
await createApiService({
name: data.name,
description: data.description ?? "",
redirect_uris: data.redirectUris.trim().split("\n"),
@ -47,11 +45,11 @@ const ApiServiceCreatePage: FC = () => {
: ["authorization_code"],
is_active: data.enabled,
});
if (success) {
navigate("/admin/api-services");
}
// if (success) {
// navigate("/admin/api-services");
// }
},
[createApiService, navigate],
[createApiService],
);
return (

130
web/src/pages/Admin/AppPermissions/index.tsx Normal file
View File

@ -0,0 +1,130 @@
import { useEffect, type FC } from "react";
import Breadcrumbs from "@/components/ui/breadcrumbs";
import { usePermissions } from "@/store/admin/permissions";
interface DisplayPermission {
name: string;
description: string;
}
interface IPermissionGroupProps {
scope: string;
permissions?: DisplayPermission[] | null | undefined;
generatedPermissions?: DisplayPermission[] | null | undefined;
}
const PermissionGroup: FC<IPermissionGroupProps> = ({
scope,
permissions,
generatedPermissions,
}) => {
return (
<div className="border dark:border-gray-800 border-gray-300 p-4 rounded mb-4">
<h2 className="dark:text-gray-300 text-gray-800 text-lg font-semibold">
{scope}
</h2>
{(generatedPermissions?.length ?? 0) > 0 && (
<>
<p className="text-gray-500 text-sm mt-2 mb-4">Generated by Guard</p>
<ol
className={`grid gap-4 gap-y-3 grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium mb-${permissions && permissions.length > 0 ? "6" : "2"}`}
>
{generatedPermissions!.map(({ name, description }) => (
<li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
<div className="flex flex-col gap-1">
<label>{name}</label>
<p className="text-xs text-gray-400 dark:text-gray-500">
{description}
</p>
</div>
</li>
))}
</ol>
</>
)}
{(permissions?.length ?? 0) > 0 && (
<>
<p className="text-gray-500 text-sm mt-2 mb-4">Manually Created</p>
<ol className="grid gap-4 gap-y-3 grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium">
{permissions!.map(({ name, description }) => (
<li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
<div className="flex flex-col gap-1">
<label>{name}</label>
<p className="text-xs text-gray-400 dark:text-gray-500">
{description}
</p>
</div>
</li>
))}
</ol>
</>
)}
</div>
);
};
const AdminAppPermissionsPage: FC = () => {
const permissions = usePermissions((s) => s.permissions);
const fetch = usePermissions((s) => s.fetch);
useEffect(() => {
fetch();
}, [fetch]);
return (
<div className="relative flex flex-col items-stretch w-full">
<div className="p-4">
<Breadcrumbs
className="pb-2"
items={[
{
href: "/admin",
label: "Admin",
},
{
label: "App Permissions",
},
]}
/>
</div>
<div className="px-7">
{Object.keys(permissions).map((scope) => (
<PermissionGroup
scope={scope.toUpperCase()}
generatedPermissions={permissions[scope].map((p) => ({
name: p.name
.split("_")
.map((s) => s[0].toUpperCase() + s.slice(1))
.join(" "),
description: p.description,
}))}
/>
))}
{/* <PermissionGroup
scope="Open Chat"
generatedPermissions={["Access Open Chat"].map((name) => ({
name,
description: `You can ${name.toLowerCase()}`,
}))}
permissions={[
"Receive Messages",
"Send Messages",
"View Status",
"Post Status",
"Use Ghost Mode",
"Send Large Media",
].map((name) => ({
name,
description: `You can ${name.toLowerCase()}`,
}))}
/> */}
</div>
</div>
);
};
export default AdminAppPermissionsPage;

91
web/src/pages/Admin/RolesGroups/index.tsx Normal file
View File

@ -0,0 +1,91 @@
import { useEffect, type FC } from "react";
import Breadcrumbs from "@/components/ui/breadcrumbs";
import { useRoles } from "@/store/admin/rolesGroups";
import type { AppPermission } from "@/types";
interface DisplayRole {
name: string;
description: string;
permissions: AppPermission[];
}
interface IPermissionGroupProps {
scope: string;
roles?: DisplayRole[] | null | undefined;
}
const RolesGroup: FC<IPermissionGroupProps> = ({ scope, roles }) => {
return (
<div className="border dark:border-gray-800 border-gray-300 p-4 rounded mb-4">
<h2 className="dark:text-gray-300 text-gray-800 text-lg font-semibold mb-4">
{scope.toUpperCase()} <span className="opacity-45">(scope)</span>
</h2>
{roles?.map((role, index) => (
<div>
<h2 className="dark:text-gray-300 text-gray-800 text-md font-semibold">
{role.name.toUpperCase()} <span className="opacity-45">(role)</span>
</h2>
<p className="text-sm text-gray-400 dark:text-gray-500">
{role.description}
</p>
<ol className="grid gap-4 gap-y-3 grid-cols-1 my-4 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium">
{role.permissions.map(({ name, description }) => (
<li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
<div className="flex flex-col gap-1">
<label>{name}</label>
<p className="text-xs text-gray-400 dark:text-gray-500">
{description}
</p>
</div>
</li>
))}
</ol>
{index + 1 < roles.length && (
<div className="h-[1px] bg-gray-700 w-full rounded my-6"></div>
)}
</div>
))}
</div>
);
};
const AdminRolesGroupsPage: FC = () => {
const roles = useRoles((s) => s.roles);
const fetch = useRoles((s) => s.fetch);
useEffect(() => {
fetch();
}, [fetch]);
console.log("roles:", roles);
return (
<div className="relative flex flex-col items-stretch w-full">
<div className="p-4">
<Breadcrumbs
className="pb-2"
items={[
{
href: "/admin",
label: "Admin",
},
{
label: "Roles & Groups",
},
]}
/>
</div>
<div className="px-7">
{Object.keys(roles).map((scope) => (
<RolesGroup scope={scope} roles={roles[scope]} />
))}
</div>
</div>
);
};
export default AdminRolesGroupsPage;

56
web/src/pages/Admin/ServiceSessions/index.tsx
View File

@ -71,7 +71,7 @@ const AdminServiceSessionsPage: FC = () => {
Service
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Source
User + IP
</th>
<th className="px-6 py-3 text-left text-sm font-semibold text-gray-700 dark:text-white/70 border border-l-0 border-gray-300 dark:border-gray-700">
Status
@ -109,26 +109,44 @@ const AdminServiceSessionsPage: FC = () => {
key={session.id}
className="hover:bg-gray-50 dark:hover:bg-gray-800"
>
<td className="px-5 py-3 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
<div className="flex flex-row items-center gap-2 justify-start">
{typeof session.user?.profile_picture === "string" && (
<Avatar
avatarId={session.user.profile_picture}
className="w-7 h-7 min-w-7"
/>
)}
<Link to={`/admin/users/view/${session.user_id}`}>
<p className="cursor-pointer text-blue-500 text-nowrap">
{session.user?.full_name ?? ""}{" "}
{session.user_id === profile?.id ? "(You)" : ""}
</p>
</Link>
</div>
</td>
<td className="px-5 py-3 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
{/* <SessionSource deviceInfo={session.} /> */}
<p>{session.client_id}</p>
{typeof session.api_service?.icon_url === "string" && (
<Avatar
avatarId={session.api_service.icon_url ?? null}
className="w-7 h-7 min-w-7"
/>
)}
<Link to={`/admin/api-services/view/${session.service_id}`}>
<p className="cursor-pointer text-blue-500 text-nowrap">
{session.api_service?.name ?? session.client_id}
</p>
</Link>
</td>
<td className="px-5 py-3 text-sm text-gray-700 dark:text-gray-300 border border-gray-300 dark:border-gray-700">
<div className="flex flex-col items-stretch gap-2 justify-start">
<div className="flex flex-row items-center gap-2 justify-start">
{typeof session.user?.profile_picture === "string" && (
<Avatar
avatarId={session.user.profile_picture ?? null}
className="w-7 h-7 min-w-7"
/>
)}
<div className="flex flex-col items-stretch justify-center">
<Link to={`/admin/users/view/${session.user_id}`}>
<p className="cursor-pointer text-blue-500 text-nowrap">
{session.user?.full_name ?? ""}{" "}
{session.user_id === profile?.id ? "(You)" : ""}
</p>
</Link>
<p className="opacity-75">
{session.ip_address ?? "No IP available"}
</p>
</div>
</div>
</div>
</td>
<td className="px-5 py-3 text-sm border border-gray-300 dark:border-gray-700">
<span

2
web/src/pages/Admin/UserSessions/index.tsx
View File

@ -127,7 +127,7 @@ const AdminUserSessionsPage: FC = () => {
<div className="flex flex-row items-center gap-2 justify-start">
{typeof session.user?.profile_picture === "string" && (
<Avatar
avatarId={session.user.profile_picture}
avatarId={session.user.profile_picture ?? null}
className="w-7 h-7 min-w-7"
/>
)}

233
web/src/pages/Admin/Users/View/index.tsx
View File

@ -1,38 +1,65 @@
import Breadcrumbs from "@/components/ui/breadcrumbs";
import { Button } from "@/components/ui/button";
import Avatar from "@/feature/Avatar";
import FoldableRolesTable from "@/feature/FoldableRolesTable";
import RoleMatrix from "@/feature/RoleMatrix";
import { useRoles } from "@/store/admin/rolesGroups";
import { useUsers } from "@/store/admin/users";
import { useEffect, type FC } from "react";
import type { UserProfile } from "@/types";
import { Check, Mail, Phone } from "lucide-react";
import moment from "moment";
import { useEffect, type FC, type HTMLAttributes } from "react";
import { Link, useParams } from "react-router";
const InfoCard = ({
title,
children,
}: {
interface InfoCardProps extends HTMLAttributes<HTMLDivElement> {
title: string;
children: React.ReactNode;
}) => (
<div className="border dark:border-gray-800 border-gray-300 rounded mb-4">
<div className="p-4 border-b dark:border-gray-800 border-gray-300">
<h2 className="text-gray-800 dark:text-gray-200 font-semibold text-lg">
{title}
</h2>
hasSpacing?: boolean | undefined;
}
const InfoCard = ({
children,
hasSpacing = true,
title,
...props
}: InfoCardProps) => (
<div className="mb-6">
<h2 className="mb-4 text-xl">{title}</h2>
<div
{...props}
className={`border dark:border-gray-800 border-gray-300 rounded mb-4 ${props.className}`}
>
{/* <div className="p-4 border-b dark:border-gray-800 border-gray-300">
<h2 className="text-gray-800 dark:text-gray-200 font-semibold text-lg">
{title}
</h2>
</div> */}
<div className={hasSpacing ? "p-4" : ""}>{children}</div>
</div>
<div className="p-4">{children}</div>
</div>
);
const AdminViewUserPage: FC = () => {
const { userId } = useParams();
const user = useUsers((state) => state.current);
const userRoles = useUsers((s) => s.userRoles);
// const loading = useApiServices((state) => state.fetchingApiService);
const loadUser = useUsers((state) => state.fetchUser);
const loadUserRoles = useUsers((state) => state.fetchUserRoles);
useEffect(() => {
if (typeof userId === "string") loadUser(userId);
}, [loadUser, userId]);
useEffect(() => {
if (user) loadUserRoles();
}, [loadUserRoles, user]);
console.log({ userRoles });
if (!user) {
return (
<div className="p-4 flex items-center justify-center h-[60vh]">
@ -55,70 +82,138 @@ const AdminViewUserPage: FC = () => {
/>
<div className="sm:p-4 pt-4">
{/* 📋 Main Details */}
<InfoCard title="Personal Info">
<InfoCard title="Profile" hasSpacing={false}>
<div className="flex flex-col gap-4 text-sm">
<div className="flex flex-col gap-4">
<span className="font-medium text-gray-900 dark:text-white">
Avatar:
</span>
<Avatar
avatarId={user.profile_picture ?? undefined}
className="w-16 h-16"
iconSize={28}
/>
<div className="bg-black/15 shadow/20">
{/* Header */}
<div className="flex flex-row gap-4 items-center p-4">
<Avatar
avatarId={user.profile_picture ?? null}
className="w-28 h-28"
iconSize={48}
/>
<div className="flex flex-col gap-1">
<h2 className="text-lg font-medium">{user.full_name}</h2>
<div className="flex flex-row items-center gap-2">
<h3 className="text-base opacity-50 flex flex-row items-center gap-2">
<span>
<Mail size={18} />
</span>
{user.email}
</h3>
<div className="w-1 h-1 rounded-full bg-gray-600" />
<h3 className="text-base opacity-50 flex flex-row items-center gap-2">
<span>
<Phone size={18} />
</span>
{user.phone_number || "No Phone Number"}
</h3>
</div>
</div>
</div>
{/* TODO: */}
{/* Top Bars */}
{/* <div className="w-full border-b border-b-gray-600 p-4">
somethign
</div> */}
</div>
<div>
<span className="font-medium text-gray-900 dark:text-white">
Full Name:
</span>{" "}
{user.full_name}
</div>
<div>
<span className="font-medium text-gray-900 dark:text-white">
Email:
</span>{" "}
{user.email}
</div>
<div>
<span className="font-medium text-gray-900 dark:text-white">
Phone Number:
</span>{" "}
{user.phone_number || "-"}{" "}
</div>
<div>
<span className="font-medium text-gray-900 dark:text-white">
Is Admin:
</span>{" "}
<span
className={`font-semibold px-2 py-1 rounded ${
user.is_admin
? "bg-green-200 text-green-800 dark:bg-green-700/20 dark:text-green-300"
: "bg-red-200 text-red-800 dark:bg-red-700/20 dark:text-red-300"
}`}
>
{user.is_admin ? "Yes" : "No"}
</span>
</div>
<div>
<span className="font-medium text-gray-900 dark:text-white">
Created At:
</span>{" "}
{new Date(user.created_at).toLocaleString()}
</div>
<div>
<span className="font-medium text-gray-900 dark:text-white">
Last Login At:
</span>{" "}
{user.last_login
? new Date(user.last_login).toLocaleString()
: "never"}
<div className="grid grid-cols-2 gap-2 gap-y-4 p-4">
<div className="flex flex-col gap-2 items-start">
<span className="font-medium text-gray-400 dark:text-gray-500">
Verification
</span>{" "}
<div className="flex items-center gap-2">
{[
["avatar_verified", "Avatar"],
["email_verified", "Email"],
].map(([key, label]) => (
<span
key={key}
className={`px-2 py-1 rounded ${
user[key as keyof UserProfile] === true
? "bg-green-200 text-green-800 dark:bg-green-700/20 dark:text-green-300"
: "bg-red-200 text-red-800 dark:bg-red-700/20 dark:text-red-300"
}`}
>
{label}
</span>
))}
</div>
</div>
<div className="flex flex-col gap-2 items-start">
<span className="font-medium text-gray-400 dark:text-gray-500">
Roles
</span>{" "}
<span className={`font-semibold py-1 rounded`}>
{userRoles.length === 0 && <p>No Roles</p>}
{userRoles.map((role) => (
<span
key={role.id}
className="px-2 py-1 rounded bg-blue-200 text-blue-800 dark:bg-blue-700/20 dark:text-blue-300"
>
{role.name}
</span>
))}
</span>
</div>
<div className="flex flex-col gap-2 items-start">
<span className="font-medium text-gray-400 dark:text-gray-500">
Created At
</span>{" "}
<span className={`font-semibold py-1 rounded`}>
{moment(user.created_at).format("LLLL")}
</span>
</div>
<div className="flex flex-col gap-2 items-start">
<span className="font-medium text-gray-400 dark:text-gray-500">
Last Login
</span>{" "}
<span className={`font-semibold py-1 rounded`}>
{user.last_login
? moment(user.last_login).format("LLLL")
: "never"}
</span>
</div>
</div>
</div>
</InfoCard>
<InfoCard title="Roles Management" hasSpacing={false}>
<FoldableRolesTable userRoles={userRoles} />
</InfoCard>
{/* <InfoCard title="Roles" hasSpacing={false}>
{Object.entries(roles).map(([scope, roles]) => (
<div className="w-full">
<h4 className="bg-black/40 p-3 text-xs opacity-50">
{scope.toUpperCase()}
</h4>
<ul className="bg-black/20">
{roles.map((r, index) => (
<div key={r.id}>
<li
key={r.id}
className="p-2 px-4 flex flex-row items-center gap-2"
>
<span
className={`opacity-${userRoles.some((ur) => ur.id === r.id) ? "100" : "0"}`}
>
<Check size={16} />
</span>
{r.name.toUpperCase()}
</li>
{index + 1 < roles.length && (
<div className="h-[1px] bg-gray-800 w-[95%] mx-auto"></div>
)}
</div>
))}
</ul>
</div>
))}
</InfoCard> */}
{/* 🚀 Actions */}
<div className="flex flex-wrap gap-4 mt-6 justify-between items-center">
<div className="flex flex-wrap gap-4 mt-6 justify-between items-center col-span-3">
<Link to="/admin/users">
<Button variant="outlined">Back</Button>
</Link>

2
web/src/pages/Admin/Users/index.tsx
View File

@ -94,7 +94,7 @@ const AdminUsersPage: FC = () => {
<Avatar
iconSize={21}
className="w-8 h-8"
avatarId={user.profile_picture ?? undefined}
avatarId={user.profile_picture ?? null}
/>
<p>{user.full_name}</p>
</div>

24
web/src/pages/Authorize/index.tsx
View File

@ -76,21 +76,21 @@ const AuthorizePage: FC = () => {
<div className="text-gray-400 dark:text-gray-600">
<ArrowLeftRight />
</div>
<div className="w-12 h-12 rounded-full flex items-center justify-center overflow-hidden bg-gray-900 ring ring-gray-400 dark:ring dark:ring-gray-500">
{/* <img
{/* <div className="w-12 h-12 rounded-full flex items-center justify-center overflow-hidden bg-gray-900 ring ring-gray-400 dark:ring dark:ring-gray-500"> */}
{/* <img
src="https://lucide.dev/logo.dark.svg"
className="w-8 h-8"
/> */}
{apiService?.icon_url ? (
<img
src={apiService.icon_url}
className="w-full h-full"
alt="service_icon"
/>
) : (
<LayoutDashboard size={32} color="#fefefe" />
)}
</div>
{apiService?.icon_url ? (
<img
src={apiService.icon_url}
className="w-12 h-12"
alt="service_icon"
/>
) : (
<LayoutDashboard size={32} color="#fefefe" />
)}
{/* </div> */}
</div>
<div className="px-4 sm:mt-4 mt-8">

2
web/src/pages/Verify/Review/index.tsx
View File

@ -21,7 +21,7 @@ const VerifyReviewPage: FC = () => {
</p>
<Avatar
avatarId={profile?.profile_picture ?? undefined}
avatarId={profile?.profile_picture ?? null}
iconSize={64}
className="w-48 h-48 min-w-48 mx-auto mt-4"
/>

2
web/src/store/admin/apiServices.ts
View File

@ -22,7 +22,7 @@ interface IApiServicesState {
fetch: () => Promise<void>;
fetchSingle: (id: string) => Promise<void>;
create: (req: CreateApiServiceRequest) => Promise<bool>;
create: (req: CreateApiServiceRequest) => Promise<boolean>;
resetCredentials: () => void;
toggling: boolean;

32
web/src/store/admin/permissions.ts Normal file
View File

@ -0,0 +1,32 @@
import { getPermissionsApi } from "@/api/admin/permissions";
import type { AppPermission } from "@/types";
import { create } from "zustand";
export interface IAdminPermissionsState {
permissions: Record<string, AppPermission[]>;
fetching: boolean;
fetch: () => Promise<void>;
}
export const usePermissions = create<IAdminPermissionsState>((set) => ({
permissions: {},
fetching: false,
fetch: async () => {
set({ fetching: true });
try {
const response = await getPermissionsApi();
set({
permissions: Object.fromEntries(
response.map(({ scope, permissions }) => [scope, permissions]),
),
});
} catch (err) {
console.log("ERR: Failed to fetch admin permissions:", err);
} finally {
set({ fetching: false });
}
},
}));

57
web/src/store/admin/rolesGroups.ts Normal file
View File

@ -0,0 +1,57 @@
import {
assignUserRoleApi,
getRolesApi,
type AssignUserRoleRequest,
} from "@/api/admin/roles";
import type { AppPermission, AppRole } from "@/types";
import { create } from "zustand";
export type RolesMap = Record<
string,
(AppRole & { permissions: AppPermission[] })[]
>;
export interface IRolesGroups {
roles: RolesMap;
fetching: boolean;
toggling: string | null;
fetch: () => Promise<void>;
assign: (userId: string, role: AppRole) => Promise<void>;
}
export const useRoles = create<IRolesGroups>((set) => ({
roles: {},
fetching: false,
toggling: null,
fetch: async () => {
set({ fetching: true });
try {
const response = await getRolesApi();
set({
roles: Object.fromEntries(response.map((r) => [r.scope, r.roles])),
});
} catch (err) {
console.log("ERR: Failed to fetch admin roles:", err);
} finally {
set({ fetching: false });
}
},
assign: async (userId, role) => {
set({ toggling: role.id });
try {
await assignUserRoleApi(userId, {
role_key: `${role.scope}_${role.name}`,
});
} catch (err) {
console.log("ERR: Failed to assign user role:", err);
} finally {
set({ toggling: null });
}
},
}));

82
web/src/store/admin/users.ts
View File

@ -1,10 +1,12 @@
import { getUserPermissionsApi } from "@/api/admin/permissions";
import { assignUserRoleApi, getUserRolesApi } from "@/api/admin/roles";
import {
adminGetUserApi,
adminGetUsersApi,
postUser,
type CreateUserRequest,
} from "@/api/admin/users";
import type { UserProfile } from "@/types";
import type { AppPermission, AppRole, UserProfile } from "@/types";
import { create } from "zustand";
export interface IUsersState {
@ -14,14 +16,26 @@ export interface IUsersState {
current: UserProfile | null;
fetchingCurrent: boolean;
userPermissions: AppPermission[];
fetchingPermissions: boolean;
userRoles: AppRole[];
fetchingRoles: boolean;
creating: boolean;
createUser: (req: CreateUserRequest) => Promise<boolean>;
assigningRole: boolean;
fetchUsers: () => Promise<void>;
fetchUser: (id: string) => Promise<void>;
fetchUserPermissions: () => Promise<void>;
fetchUserRoles: () => Promise<void>;
assignUserRole: (roleKey: string) => Promise<void>;
}
export const useUsers = create<IUsersState>((set) => ({
export const useUsers = create<IUsersState>((set, get) => ({
users: [],
fetching: false,
@ -30,6 +44,14 @@ export const useUsers = create<IUsersState>((set) => ({
current: null,
fetchingCurrent: false,
userRoles: [],
fetchingRoles: false,
userPermissions: [],
fetchingPermissions: false,
assigningRole: false,
createUser: async (req: CreateUserRequest) => {
set({ creating: true });
@ -70,4 +92,60 @@ export const useUsers = create<IUsersState>((set) => ({
set({ fetchingCurrent: false });
}
},
fetchUserPermissions: async () => {
const user = get().current;
if (!user) {
console.warn("Trying to fetch user permissions without selected user");
return;
}
set({ fetchingPermissions: true });
try {
const response = await getUserPermissionsApi(user.id);
set({ userPermissions: response });
} catch (err) {
console.log("ERR: Failed to fetch single user for admin:", err);
} finally {
set({ fetchingPermissions: false });
}
},
fetchUserRoles: async () => {
const user = get().current;
if (!user) {
console.warn("Trying to fetch user permissions without selected user");
return;
}
set({ fetchingRoles: true });
try {
const response = await getUserRolesApi(user.id);
set({ userRoles: response ?? [] });
} catch (err) {
console.log("ERR: Failed to fetch single user for admin:", err);
} finally {
set({ fetchingRoles: false });
}
},
assignUserRole: async (roleKey: string) => {
const user = get().current;
if (!user) {
console.warn("Trying to fetch user permissions without selected user");
return;
}
set({ assigningRole: true });
try {
await assignUserRoleApi(user.id, { roleKey });
} catch (err) {
console.log("ERR: Failed to assign user role:", err);
} finally {
set({ assigningRole: false });
}
},
}));

14
web/src/types/index.ts
View File

@ -78,3 +78,17 @@ export interface DeviceInfo {
browser: string;
browser_version: string;
}
export interface AppPermission {
id: string;
name: string;
scope: string;
description: string;
}
export interface AppRole {
id: string;
name: string;
scope: string;
description: string;
}