From 400a438fff53d6886f4dad38ed360269e84cb843 Mon Sep 17 00:00:00 2001 From: ScreenTinker Date: Sun, 14 Jun 2026 15:52:11 -0500 Subject: [PATCH] revert: drop zone-binding, keep whole-playlist grants + size-guidance card (#73) Investigation found zone placement is a DEVICE property (device.layout_id), not a playlist property: a normal playlist has no derivable layout (zone_id is NULL unless set in the device-assignment flow), so a playlist-scoped zone grant can't reach the normal flow. The right model: placement belongs to the device (same playlist can be full-screen on one screen, a zone on another); the agency just gets whole-playlist grants + size-guidance. Removed the zone-grant machinery (security-adjacent dead surface is a liability, not dormant convenience): api_token_target_zones (schema + a DROP migration for the dev DB where the short-lived CREATE ran), resolveGrantedZone, grantableZoneIds, buildZoneGrantRows, the create/PUT zone validation, GET /api/playlists/:id/zones, getPlaylistZones, the settings zone-picker + its i18n, and the zone-grant bite-test. KEPT (model-agnostic, good): the reactive per-playlist size-guidance card - GET /api/agency/playlists/:playlistId/layout (router.param-confined) now reports the zones the playlist actually feeds (where/what-size content lands), or full-screen when it has no layout. Whole-playlist grants = today's working model. 147 suite green. Co-Authored-By: Claude Opus 4.8 (1M context) --- frontend/js/api.js | 1 - frontend/js/i18n/de.js | 2 - frontend/js/i18n/en.js | 2 - frontend/js/i18n/es.js | 2 - frontend/js/i18n/fr.js | 2 - frontend/js/i18n/pt.js | 2 - frontend/js/views/settings.js | 35 +-------- server/db/database.js | 6 +- server/db/schema.sql | 16 ---- server/lib/agency-targets.js | 39 +--------- server/routes/agency.js | 35 +++------ server/routes/playlists.js | 15 ---- server/routes/tokens.js | 35 +-------- server/test/agency-zone-grants.test.js | 102 ------------------------- server/test/agency.test.js | 5 -- 15 files changed, 18 insertions(+), 281 deletions(-) delete mode 100644 server/test/agency-zone-grants.test.js diff --git a/frontend/js/api.js b/frontend/js/api.js index 82d7cad..e0ec520 100644 --- a/frontend/js/api.js +++ b/frontend/js/api.js @@ -137,7 +137,6 @@ export const api = { // Playlists getPlaylists: () => request('/playlists'), - getPlaylistZones: (id) => request('/playlists/' + id + '/zones'), // #73: grantable zones for the agency designate UI createPlaylist: (name, description) => request('/playlists', { method: 'POST', body: JSON.stringify({ name, description }) }), getPlaylist: (id) => request(`/playlists/${id}`), updatePlaylist: (id, data) => request(`/playlists/${id}`, { method: 'PUT', body: JSON.stringify(data) }), diff --git a/frontend/js/i18n/de.js b/frontend/js/i18n/de.js index 42d3fc6..36f6bb1 100644 --- a/frontend/js/i18n/de.js +++ b/frontend/js/i18n/de.js @@ -366,8 +366,6 @@ export default { 'apitoken.auto_publish_label': 'Automatisch veröffentlichen (meine Freigabe überspringen)', 'apitoken.auto_publish_hint': 'Aus (Standard): Hinzufügungen warten als Entwurf auf deine Veröffentlichung. An: sie gehen sofort live – nur für Agenturen, denen du voll vertraust.', 'apitoken.auto_publish_on': 'Auto-Veröffentlichung an', - 'apitoken.zone_grant_hint': 'Bestimmte Zonen freigeben, oder leer lassen für die ganze Playlist:', - 'apitoken.zone_grant_fullscreen': 'Vollbild – keine Zonen freizugeben.', 'apitoken.create': 'Token erstellen', 'apitoken.none': 'Noch keine Tokens.', 'apitoken.col_token': 'Token', diff --git a/frontend/js/i18n/en.js b/frontend/js/i18n/en.js index 60c1312..4754cff 100644 --- a/frontend/js/i18n/en.js +++ b/frontend/js/i18n/en.js @@ -402,8 +402,6 @@ export default { 'apitoken.auto_publish_label': 'Auto-publish (skip my approval)', 'apitoken.auto_publish_hint': 'Off (default): additions wait as drafts for you to publish. On: they go live immediately — only for agencies you fully trust.', 'apitoken.auto_publish_on': 'auto-publish on', - 'apitoken.zone_grant_hint': 'Grant specific zones, or leave unchecked for the whole playlist:', - 'apitoken.zone_grant_fullscreen': 'Full-screen — no zones to grant.', 'apitoken.create': 'Create token', 'apitoken.none': 'No tokens yet.', 'apitoken.col_token': 'Token', diff --git a/frontend/js/i18n/es.js b/frontend/js/i18n/es.js index c775d50..d4080b7 100644 --- a/frontend/js/i18n/es.js +++ b/frontend/js/i18n/es.js @@ -365,8 +365,6 @@ export default { 'apitoken.auto_publish_label': 'Publicación automática (omitir mi aprobación)', 'apitoken.auto_publish_hint': 'Desactivado (predeterminado): las adiciones esperan como borradores para que las publiques. Activado: se publican de inmediato, solo para agencias de plena confianza.', 'apitoken.auto_publish_on': 'publicación automática activada', - 'apitoken.zone_grant_hint': 'Concede zonas específicas, o deja sin marcar para toda la lista:', - 'apitoken.zone_grant_fullscreen': 'Pantalla completa: no hay zonas que conceder.', 'apitoken.create': 'Crear token', 'apitoken.none': 'Aún no hay tokens.', 'apitoken.col_token': 'Token', diff --git a/frontend/js/i18n/fr.js b/frontend/js/i18n/fr.js index b669f59..bec332b 100644 --- a/frontend/js/i18n/fr.js +++ b/frontend/js/i18n/fr.js @@ -366,8 +366,6 @@ export default { 'apitoken.auto_publish_label': 'Publication automatique (ignorer mon approbation)', 'apitoken.auto_publish_hint': 'Désactivé (par défaut) : les ajouts attendent en brouillon votre publication. Activé : ils sont diffusés immédiatement, uniquement pour les agences de pleine confiance.', 'apitoken.auto_publish_on': 'publication automatique activée', - 'apitoken.zone_grant_hint': 'Accordez des zones spécifiques, ou laissez décoché pour toute la liste :', - 'apitoken.zone_grant_fullscreen': 'Plein écran — aucune zone à accorder.', 'apitoken.create': 'Créer un jeton', 'apitoken.none': 'Aucun jeton pour le moment.', 'apitoken.col_token': 'Jeton', diff --git a/frontend/js/i18n/pt.js b/frontend/js/i18n/pt.js index 433267e..ffa7553 100644 --- a/frontend/js/i18n/pt.js +++ b/frontend/js/i18n/pt.js @@ -366,8 +366,6 @@ export default { 'apitoken.auto_publish_label': 'Publicação automática (ignorar minha aprovação)', 'apitoken.auto_publish_hint': 'Desativado (padrão): as adições aguardam como rascunho para você publicar. Ativado: vão ao ar imediatamente, apenas para agências de total confiança.', 'apitoken.auto_publish_on': 'publicação automática ativada', - 'apitoken.zone_grant_hint': 'Conceda zonas específicas, ou deixe sem marcar para a lista inteira:', - 'apitoken.zone_grant_fullscreen': 'Tela cheia — sem zonas para conceder.', 'apitoken.create': 'Criar token', 'apitoken.none': 'Ainda não há tokens.', 'apitoken.col_token': 'Token', diff --git a/frontend/js/views/settings.js b/frontend/js/views/settings.js index f30e7d9..dcec920 100644 --- a/frontend/js/views/settings.js +++ b/frontend/js/views/settings.js @@ -413,31 +413,9 @@ export async function render(container) { agencyPlaylistsLoaded = true; const list = document.getElementById('agencyPlaylistList'); const pls = await api.getPlaylists().catch(() => []); - if (!pls.length) { - list.innerHTML = `

${t('apitoken.agency_no_playlists')}

`; - return; - } - list.innerHTML = pls.map(p => ` -
- - -
`).join(''); - // #73: checking a playlist reveals its grantable zones (lazy-loaded). Leaving them all - // unchecked = whole-playlist (full-screen). Zones offered come from the playlist's layout. - list.querySelectorAll('.agency-pl').forEach(cb => cb.addEventListener('change', async () => { - const box = list.querySelector(`.agency-zones[data-pl="${cb.value}"]`); - if (!cb.checked) { box.style.display = 'none'; return; } - box.style.display = 'block'; - if (box.dataset.loaded) return; - box.dataset.loaded = '1'; - const zones = await api.getPlaylistZones(cb.value).catch(() => []); - box.innerHTML = zones.length - ? `
${t('apitoken.zone_grant_hint')}
` + zones.map(z => { - const wpx = Math.round(z.layout_width * z.width_percent / 100), hpx = Math.round(z.layout_height * z.height_percent / 100); - return ``; - }).join('') - : `
${t('apitoken.zone_grant_fullscreen')}
`; - })); + list.innerHTML = pls.length + ? pls.map(p => ``).join('') + : `

${t('apitoken.agency_no_playlists')}

`; } }); @@ -449,13 +427,6 @@ export async function render(container) { const ids = [...document.querySelectorAll('#agencyPlaylistList .agency-pl:checked')].map(c => c.value); if (!ids.length) return showToast(t('apitoken.agency_needs_playlists'), 'error'); payload.target_playlist_ids = ids; - // #73: per-playlist zone grants (a playlist with no checked zones = whole-playlist) - const target_zones = {}; - for (const pid of ids) { - const zoneIds = [...document.querySelectorAll(`.agency-zone[data-pl="${pid}"]:checked`)].map(c => c.value); - if (zoneIds.length) target_zones[pid] = zoneIds; - } - if (Object.keys(target_zones).length) payload.target_zones = target_zones; payload.auto_publish = !!document.getElementById('tokAutoPublish')?.checked; } const btn = document.getElementById('createTokenBtn'); diff --git a/server/db/database.js b/server/db/database.js index 73a7472..4780e37 100644 --- a/server/db/database.js +++ b/server/db/database.js @@ -200,9 +200,9 @@ const migrations = [ // #73: agency-upload notification queue (batched digest). "CREATE TABLE IF NOT EXISTS agency_notifications (id INTEGER PRIMARY KEY AUTOINCREMENT, workspace_id TEXT NOT NULL, token_id TEXT NOT NULL, playlist_id TEXT NOT NULL, action TEXT NOT NULL, content_id TEXT, created_at INTEGER NOT NULL DEFAULT (strftime('%s','now')), sent_at INTEGER)", "CREATE INDEX IF NOT EXISTS idx_agency_notifications_unsent ON agency_notifications(sent_at)", - // #73: zone refinement of a playlist grant - FK-anchored to api_token_targets (orphan- - // impossible + cascades on playlist-grant revoke). Additive; does NOT touch api_token_targets. - "CREATE TABLE IF NOT EXISTS api_token_target_zones (token_id TEXT NOT NULL, playlist_id TEXT NOT NULL, zone_id TEXT NOT NULL REFERENCES layout_zones(id) ON DELETE CASCADE, created_at INTEGER NOT NULL DEFAULT (strftime('%s','now')), PRIMARY KEY (token_id, playlist_id, zone_id), FOREIGN KEY (token_id, playlist_id) REFERENCES api_token_targets(token_id, playlist_id) ON DELETE CASCADE)", + // #73: zone-binding was reverted (placement belongs to the device, not the playlist - see + // the agency-tokens history). Drop the table on DBs where the short-lived migration ran. + "DROP TABLE IF EXISTS api_token_target_zones", ]; // Apply each ALTER idempotently. A "duplicate column name" / "already exists" // error means the column is already present (expected on a migrated DB) - benign. diff --git a/server/db/schema.sql b/server/db/schema.sql index 66f5659..542984f 100644 --- a/server/db/schema.sql +++ b/server/db/schema.sql @@ -551,22 +551,6 @@ CREATE TABLE IF NOT EXISTS api_token_targets ( ); CREATE INDEX IF NOT EXISTS idx_api_tokens_user ON api_tokens(user_id); --- #73: OPTIONAL zone refinement of a playlist grant. A row here narrows the agency to a --- specific zone WITHIN an already-granted playlist. STRUCTURALLY anchored: the composite FK --- to api_token_targets(token_id, playlist_id) means a zone grant CANNOT exist without its --- playlist grant (orphan-impossible) and CASCADES away when the playlist grant is revoked - --- that's what makes "narrow" structural, not conventional. zone_id FK -> layout_zones so a --- deleted zone/layout drops the grant too. No rows for a (token,playlist) = whole-playlist --- (full-screen), as before. (Requires PRAGMA foreign_keys=ON, set in db/database.js.) -CREATE TABLE IF NOT EXISTS api_token_target_zones ( - token_id TEXT NOT NULL, - playlist_id TEXT NOT NULL, - zone_id TEXT NOT NULL REFERENCES layout_zones(id) ON DELETE CASCADE, - created_at INTEGER NOT NULL DEFAULT (strftime('%s','now')), - PRIMARY KEY (token_id, playlist_id, zone_id), - FOREIGN KEY (token_id, playlist_id) REFERENCES api_token_targets(token_id, playlist_id) ON DELETE CASCADE -); - -- #73: agency-upload notification queue. The agency endpoint enqueues one row per item added -- (only when email is configured); a 15-min flush job groups per token+playlist+action and -- sends one digest per group, stamping sent_at ONLY after a successful send (failed -> retry). diff --git a/server/lib/agency-targets.js b/server/lib/agency-targets.js index c6cc223..20af630 100644 --- a/server/lib/agency-targets.js +++ b/server/lib/agency-targets.js @@ -17,41 +17,4 @@ function listDesignatedPlaylists(db, tokenId, workspaceId) { `).all(tokenId, workspaceId); } -// #73: resolve which zone an agency item-add lands in, enforcing the zone grants. The grant -// is the boundary; a body-supplied zone can pick WITHIN it but never escape it. -// - No zone grants for (token, playlist) -> whole-playlist/full-screen (zone_id NULL); a -// body zone_id is ignored (placement isn't agency-driven when nothing's granted). -// - Zone grants exist -> the item MUST land in a GRANTED zone: -// requested zone that IS granted -> use it (agency picks among its grants); -// requested zone NOT granted -> { ok:false, reason:'forbidden' } (403); -// no request, exactly one grant -> auto-place into it; -// no request, multiple grants -> { ok:false, reason:'ambiguous' } (must pick). -function resolveGrantedZone(db, tokenId, playlistId, requestedZoneId) { - const grants = db.prepare('SELECT zone_id FROM api_token_target_zones WHERE token_id = ? AND playlist_id = ?') - .all(tokenId, playlistId).map(r => r.zone_id); - if (!grants.length) return { ok: true, zoneId: null }; - if (requestedZoneId) { - return grants.includes(requestedZoneId) - ? { ok: true, zoneId: requestedZoneId } - : { ok: false, reason: 'forbidden' }; - } - if (grants.length === 1) return { ok: true, zoneId: grants[0] }; - return { ok: false, reason: 'ambiguous' }; -} - -// #73 issuance-side mirror of the runtime confinement: the set of zone_ids an admin may -// grant for a playlist = all zones of the layout(s) that playlist feeds (its items' -// zones -> their layouts -> all zones of those layouts). Token-less (used at create time, -// before the token exists). A zone the playlist's layout doesn't have -> not in this set -> -// rejected at issuance, the same boundary resolveGrantedZone enforces at runtime. -function grantableZoneIds(db, playlistId) { - return new Set(db.prepare(` - SELECT DISTINCT lz_all.id - FROM playlist_items pi - JOIN layout_zones lz ON lz.id = pi.zone_id - JOIN layout_zones lz_all ON lz_all.layout_id = lz.layout_id - WHERE pi.playlist_id = ? - `).all(playlistId).map(r => r.id)); -} - -module.exports = { listDesignatedPlaylists, resolveGrantedZone, grantableZoneIds }; +module.exports = { listDesignatedPlaylists }; diff --git a/server/routes/agency.js b/server/routes/agency.js index 6156ee2..c97c987 100644 --- a/server/routes/agency.js +++ b/server/routes/agency.js @@ -13,7 +13,7 @@ const { db } = require('../db/database'); const upload = require('../middleware/upload'); const { checkStorageLimit } = require('../middleware/subscription'); const { ingestUploadedFile } = require('../lib/content-ingest'); -const { listDesignatedPlaylists, resolveGrantedZone } = require('../lib/agency-targets'); +const { listDesignatedPlaylists } = require('../lib/agency-targets'); const { listLayoutGeometry } = require('../lib/agency-layouts'); const { publishPlaylist } = require('./playlists'); // #73: shared publish path for auto-publish const { isConfigured } = require('../services/email'); // #73: gate digest enqueue on SMTP being set @@ -28,18 +28,13 @@ router.get('/playlists', (req, res) => { res.json(listDesignatedPlaylists(db, req.apiToken.id, req.jwtWorkspaceId)); }); -// Layout GEOMETRY for ONE designated playlist (the per-playlist card): canvas size + zone -// positions/sizes, with "your zone" = the GRANTED zones (placement = grant). Has :playlistId, -// so router.param confines it to a granted playlist. DEVICE-FREE (lib/agency-layouts.js) - no -// device names/locations/topology. Bite-tested in agency-layouts.test.js (the geometry) + -// router.param (the confinement). +// Layout GEOMETRY for ONE designated playlist (the per-playlist size-guidance card): canvas +// size + zone positions/sizes, with feeds_zone_ids = the zones this playlist actually feeds +// (so the agency sees where/what-size their content lands). Returns [] when the playlist has +// no layout -> the card shows the full-screen message. Placement itself stays the admin's job +// (device-side). Has :playlistId, so router.param confines it. DEVICE-FREE (lib/agency-layouts.js). router.get('/playlists/:playlistId/layout', (req, res) => { - const layouts = listLayoutGeometry(db, req.apiToken.id, req.jwtWorkspaceId, req.params.playlistId); - const granted = new Set(db.prepare('SELECT zone_id FROM api_token_target_zones WHERE token_id = ? AND playlist_id = ?') - .all(req.apiToken.id, req.params.playlistId).map(r => r.zone_id)); - // "your zone" = the granted zones, not the item-feed zones (placement is the grant) - for (const l of layouts) l.feeds_zone_ids = l.zones.filter(z => granted.has(z.id)).map(z => z.id); - res.json(layouts); + res.json(listLayoutGeometry(db, req.apiToken.id, req.jwtWorkspaceId, req.params.playlistId)); }); // #73 THE target seam. router.param fires for EVERY route with :playlistId, WITH the param, @@ -84,16 +79,6 @@ router.post('/playlists/:playlistId/items', (req, res) => { return res.status(403).json({ error: 'Content is not in this workspace' }); } - // #73: zone placement IS the grant. If this token has zone grants for the playlist, the - // item MUST land in a granted zone (a body zone_id picks among grants, never escapes them); - // if none, whole-playlist/full-screen. Same FK-anchored api_token_targets seam. - const z = resolveGrantedZone(db, req.apiToken.id, req.params.playlistId, req.body.zone_id); - if (!z.ok) { - return z.reason === 'ambiguous' - ? res.status(400).json({ error: 'This playlist has multiple granted zones — specify zone_id.' }) - : res.status(403).json({ error: 'That zone is not granted to this token for this playlist.' }); - } - let { duration_sec, days, start, end, start_date, end_date } = req.body; if (duration_sec != null && (typeof duration_sec !== 'number' || duration_sec < 1)) { return res.status(400).json({ error: 'duration_sec must be a positive integer' }); @@ -111,8 +96,8 @@ router.post('/playlists/:playlistId/items', (req, res) => { if (!(TIME_RE.test(en) || en === '24:00')) return res.status(400).json({ error: 'end must be HH:MM or 24:00' }); const order = db.prepare('SELECT COALESCE(MAX(sort_order),0)+1 AS n FROM playlist_items WHERE playlist_id = ?').get(req.params.playlistId).n; - const itemId = db.prepare('INSERT INTO playlist_items (playlist_id, content_id, zone_id, sort_order, duration_sec) VALUES (?, ?, ?, ?, ?)') - .run(req.params.playlistId, content_id, z.zoneId, order, duration_sec).lastInsertRowid; + const itemId = db.prepare('INSERT INTO playlist_items (playlist_id, content_id, sort_order, duration_sec) VALUES (?, ?, ?, ?)') + .run(req.params.playlistId, content_id, order, duration_sec).lastInsertRowid; db.prepare('INSERT INTO playlist_item_schedules (id, playlist_item_id, active_days, start_time, end_time, start_date, end_date, sort_order) VALUES (?,?,?,?,?,?,?,0)') .run(uuidv4(), itemId, dys.join(','), st, en, sd, ed); // #73: draft vs live is decided by the TOKEN's auto_publish (admin-set, read from @@ -133,7 +118,7 @@ router.post('/playlists/:playlistId/items', (req, res) => { .run(req.workspaceId, req.apiToken.id, req.params.playlistId, published ? 'published' : 'draft', content_id); } - res.status(201).json({ id: itemId, playlist_id: req.params.playlistId, content_id, zone_id: z.zoneId, duration_sec, start_date: sd, end_date: ed, published }); + res.status(201).json({ id: itemId, playlist_id: req.params.playlistId, content_id, duration_sec, start_date: sd, end_date: ed, published }); }); module.exports = router; diff --git a/server/routes/playlists.js b/server/routes/playlists.js index 65b3e82..5d9e57c 100644 --- a/server/routes/playlists.js +++ b/server/routes/playlists.js @@ -291,21 +291,6 @@ router.delete('/:id', requirePlaylistWrite, (req, res) => { // --- Playlist Items --- // List items -// #73: the zones of the layout(s) this playlist feeds - for the agency-token designate UI to -// offer grantable zones. Geometry only (matches the agency layout view's safe surface). -router.get('/:id/zones', requirePlaylistRead, (req, res) => { - res.json(db.prepare(` - SELECT DISTINCT lz_all.id, lz_all.name, lz_all.width_percent, lz_all.height_percent, - l.name AS layout_name, l.width AS layout_width, l.height AS layout_height - FROM playlist_items pi - JOIN layout_zones lz ON lz.id = pi.zone_id - JOIN layout_zones lz_all ON lz_all.layout_id = lz.layout_id - JOIN layouts l ON l.id = lz_all.layout_id - WHERE pi.playlist_id = ? - ORDER BY lz_all.sort_order, lz_all.z_index - `).all(req.params.id)); -}); - router.get('/:id/items', requirePlaylistRead, (req, res) => { const items = db.prepare(` SELECT pi.*, diff --git a/server/routes/tokens.js b/server/routes/tokens.js index f418093..3e3270b 100644 --- a/server/routes/tokens.js +++ b/server/routes/tokens.js @@ -7,26 +7,6 @@ const crypto = require('crypto'); const { db } = require('../db/database'); const { generateToken, hashToken, displayPrefix } = require('../middleware/apiToken'); const { accessContext } = require('../lib/tenancy'); -const { grantableZoneIds } = require('../lib/agency-targets'); - -// #73: validate per-playlist zone grants and return the (playlist_id, zone_id) rows to insert. -// target_zones is { playlist_id: [zone_id,...] }. Each playlist must be a granted target, and -// each zone must be one the playlist's layout actually feeds (grantableZoneIds) - the issuance- -// side mirror of the runtime confinement. Returns { error } on the first violation, else { rows }. -function buildZoneGrantRows(target_zones, targetIdSet) { - const rows = []; - if (!target_zones || typeof target_zones !== 'object') return { rows }; - for (const [playlistId, zoneIds] of Object.entries(target_zones)) { - if (!targetIdSet.has(playlistId)) return { error: `zone grant references playlist ${playlistId} which is not a designated target` }; - if (!Array.isArray(zoneIds)) return { error: `zones for ${playlistId} must be an array` }; - const grantable = grantableZoneIds(db, playlistId); - for (const zid of zoneIds) { - if (!grantable.has(zid)) return { error: `zone ${zid} is not in playlist ${playlistId}'s layout` }; - rows.push({ playlistId, zoneId: zid }); - } - } - return { rows }; -} // #73: 'agency' is OFF the read/write/full ladder (not in apiToken.js SCOPE_RANK), so a // tokenScopeGate-mounted router rejects it; it reaches only the AGENCY_ROUTER via agencyGate. @@ -67,7 +47,6 @@ router.post('/', (req, res) => { // auto_publish is meaningful ONLY for agency scope and is the admin's explicit opt-OUT of // approval. Anything but agency-scope + literal true -> 0 (draft, the fail-safe default). const autoPublish = (scope === 'agency' && req.body.auto_publish === true) ? 1 : 0; - let zoneRows = []; if (scope === 'agency') { targetIds = Array.isArray(req.body.target_playlist_ids) ? req.body.target_playlist_ids : []; if (!targetIds.length) return res.status(400).json({ error: 'an agency token requires target_playlist_ids' }); @@ -75,10 +54,6 @@ router.post('/', (req, res) => { for (const pid of targetIds) { if (!inWs.get(pid, req.workspaceId)) return res.status(400).json({ error: `playlist ${pid} is not in this workspace` }); } - // #73: optional zone grants - validated against each playlist's layout zones up front. - const zg = buildZoneGrantRows(req.body.target_zones, new Set(targetIds)); - if (zg.error) return res.status(400).json({ error: zg.error }); - zoneRows = zg.rows; } const secret = generateToken(); const id = crypto.randomUUID(); @@ -90,8 +65,6 @@ router.post('/', (req, res) => { if (scope === 'agency') { const ins = db.prepare('INSERT INTO api_token_targets (token_id, playlist_id) VALUES (?, ?)'); for (const pid of targetIds) ins.run(id, pid); - const insZ = db.prepare('INSERT INTO api_token_target_zones (token_id, playlist_id, zone_id) VALUES (?, ?, ?)'); - for (const r of zoneRows) insZ.run(id, r.playlistId, r.zoneId); // FK requires the playlist grant above } })(); // `token` is returned only here, never again. @@ -120,18 +93,12 @@ router.put('/:id/targets', (req, res) => { for (const pid of ids) { if (!inWs.get(pid, tok.workspace_id)) return res.status(400).json({ error: `playlist ${pid} is not in this token's workspace` }); } - // #73: optional zone grants, validated against each playlist's layout zones. - const zg = buildZoneGrantRows(req.body.target_zones, new Set(ids)); - if (zg.error) return res.status(400).json({ error: zg.error }); const ins = db.prepare('INSERT OR IGNORE INTO api_token_targets (token_id, playlist_id) VALUES (?, ?)'); - const insZ = db.prepare('INSERT INTO api_token_target_zones (token_id, playlist_id, zone_id) VALUES (?, ?, ?)'); db.transaction(() => { - // delete the PARENT rows; the FK cascade clears the old zone grants (no manual child delete) db.prepare('DELETE FROM api_token_targets WHERE token_id = ?').run(tok.id); for (const pid of ids) ins.run(tok.id, pid); - for (const r of zg.rows) insZ.run(tok.id, r.playlistId, r.zoneId); })(); - res.json({ id: tok.id, target_playlist_ids: ids, zone_grants: zg.rows.length }); + res.json({ id: tok.id, target_playlist_ids: ids }); }); module.exports = router; diff --git a/server/test/agency-zone-grants.test.js b/server/test/agency-zone-grants.test.js deleted file mode 100644 index e411cc3..0000000 --- a/server/test/agency-zone-grants.test.js +++ /dev/null @@ -1,102 +0,0 @@ -'use strict'; - -// #73 zone-grant security model. Proves the structural narrow guarantee BEFORE any UI rides -// on it: zone grants confine placement, are FK-anchored to the playlist grant (orphan- -// impossible), and cascade away with it. The whole thing depends on PRAGMA foreign_keys=ON, -// so this test asserts that too (a cascade that silently no-ops because FKs are off is the trap). - -const { test } = require('node:test'); -const assert = require('node:assert/strict'); -const Database = require('better-sqlite3'); -const { resolveGrantedZone, grantableZoneIds } = require('../lib/agency-targets'); - -function freshDb() { - const db = new Database(':memory:'); - db.pragma('foreign_keys = ON'); // mirrors db/database.js:13 - db.exec(` - CREATE TABLE api_tokens (id TEXT PRIMARY KEY); - CREATE TABLE playlists (id TEXT PRIMARY KEY, workspace_id TEXT); - CREATE TABLE layouts (id TEXT PRIMARY KEY); - CREATE TABLE layout_zones (id TEXT PRIMARY KEY, layout_id TEXT REFERENCES layouts(id) ON DELETE CASCADE); - CREATE TABLE api_token_targets ( - token_id TEXT NOT NULL REFERENCES api_tokens(id) ON DELETE CASCADE, - playlist_id TEXT NOT NULL REFERENCES playlists(id) ON DELETE CASCADE, - PRIMARY KEY (token_id, playlist_id)); - CREATE TABLE api_token_target_zones ( - token_id TEXT NOT NULL, playlist_id TEXT NOT NULL, - zone_id TEXT NOT NULL REFERENCES layout_zones(id) ON DELETE CASCADE, - created_at INTEGER, - PRIMARY KEY (token_id, playlist_id, zone_id), - FOREIGN KEY (token_id, playlist_id) REFERENCES api_token_targets(token_id, playlist_id) ON DELETE CASCADE); - INSERT INTO api_tokens VALUES ('tok1'); - INSERT INTO playlists VALUES ('plA','wsA'), ('plB','wsA'); - INSERT INTO layouts VALUES ('L1'), ('L2'); - INSERT INTO layout_zones VALUES ('zA1','L1'), ('zA2','L1'), ('zB1','L2'); - CREATE TABLE playlist_items (id INTEGER PRIMARY KEY, playlist_id TEXT, zone_id TEXT); - INSERT INTO playlist_items VALUES (1,'plA','zA1'), (2,'plB','zB1'); -- plA feeds L1, plB feeds L2 - INSERT INTO api_token_targets VALUES ('tok1','plA'), ('tok1','plB'); - INSERT INTO api_token_target_zones VALUES ('tok1','plA','zA1', 0); -- plA narrowed to zA1; plB has none - `); - return db; -} - -test('#73 foreign_keys is ON (the cascade/FK guarantees are real, not silent no-ops)', () => { - assert.equal(freshDb().pragma('foreign_keys', { simple: true }), 1); -}); - -test('#73 zone confinement: granted YES, non-granted/cross-playlist/ambiguous all blocked', () => { - const db = freshDb(); - // granted zone within a designated playlist -> YES - assert.deepEqual(resolveGrantedZone(db, 'tok1', 'plA', 'zA1'), { ok: true, zoneId: 'zA1' }); - // NON-granted zone within the SAME designated playlist -> blocked (the refinement bites) - assert.equal(resolveGrantedZone(db, 'tok1', 'plA', 'zA2').ok, false); - // a zone from a DIFFERENT playlist's layout -> blocked (no cross-playlist) - assert.equal(resolveGrantedZone(db, 'tok1', 'plA', 'zB1').ok, false); - // no requested zone, exactly one grant -> auto-place into it - assert.deepEqual(resolveGrantedZone(db, 'tok1', 'plA', null), { ok: true, zoneId: 'zA1' }); - // playlist with NO zone grants -> whole-playlist (full-screen); a body zone is IGNORED - assert.deepEqual(resolveGrantedZone(db, 'tok1', 'plB', null), { ok: true, zoneId: null }); - assert.deepEqual(resolveGrantedZone(db, 'tok1', 'plB', 'zB1'), { ok: true, zoneId: null }); - // multiple grants, no pick -> must specify - db.prepare("INSERT INTO api_token_target_zones VALUES ('tok1','plA','zA2',0)").run(); - assert.equal(resolveGrantedZone(db, 'tok1', 'plA', null).reason, 'ambiguous'); - assert.deepEqual(resolveGrantedZone(db, 'tok1', 'plA', 'zA2'), { ok: true, zoneId: 'zA2' }); // picks among grants -}); - -test('#73 orphan-grant is IMPOSSIBLE: a zone grant cannot exist without its playlist grant', () => { - const db = freshDb(); - // (tok1, plC) is NOT in api_token_targets -> the composite FK must reject the zone grant - assert.throws( - () => db.prepare("INSERT INTO api_token_target_zones VALUES ('tok1','plC','zA1',0)").run(), - /FOREIGN KEY/i, - 'inserting a zone grant without its playlist grant must be rejected by the FK'); -}); - -test('#73 cascade: revoking the playlist grant removes its zone grants (structural, not manual)', () => { - const db = freshDb(); - db.prepare("DELETE FROM api_token_targets WHERE token_id='tok1' AND playlist_id='plA'").run(); - assert.equal(db.prepare("SELECT COUNT(*) c FROM api_token_target_zones WHERE playlist_id='plA'").get().c, 0, - 'zone grants cascade out when the parent playlist grant is deleted'); -}); - -test('#73 cascade chain: deleting a playlist removes BOTH the playlist grant and the zone grants', () => { - const db = freshDb(); - db.prepare("DELETE FROM playlists WHERE id='plA'").run(); - assert.equal(db.prepare("SELECT COUNT(*) c FROM api_token_targets WHERE playlist_id='plA'").get().c, 0, 'playlist grant gone'); - assert.equal(db.prepare("SELECT COUNT(*) c FROM api_token_target_zones WHERE playlist_id='plA'").get().c, 0, 'zone grants gone (no orphans)'); -}); - -test('#73 cascade: deleting a zone (or its layout) drops the grant referencing it', () => { - const db = freshDb(); - db.prepare("DELETE FROM layouts WHERE id='L1'").run(); // -> layout_zones zA1/zA2 cascade -> zone grants cascade - assert.equal(db.prepare("SELECT COUNT(*) c FROM api_token_target_zones WHERE zone_id='zA1'").get().c, 0); -}); - -test('#73 ISSUANCE validation: can only grant a zone the playlist\'s layout feeds', () => { - const db = freshDb(); - // plA feeds L1, so its layout's zones (zA1, zA2) are grantable - and nothing else - assert.deepEqual([...grantableZoneIds(db, 'plA')].sort(), ['zA1', 'zA2']); - // zB1 belongs to L2 (plB's layout) - NOT grantable for plA (no cross-playlist-layout grant) - assert.equal(grantableZoneIds(db, 'plA').has('zB1'), false); - assert.deepEqual([...grantableZoneIds(db, 'plB')], ['zB1']); -}); diff --git a/server/test/agency.test.js b/server/test/agency.test.js index a54640d..ca857f9 100644 --- a/server/test/agency.test.js +++ b/server/test/agency.test.js @@ -92,11 +92,6 @@ test('#73 agency token: full bite-suite (happy path + 4 confinement assertions)' const badTok = await jfetch('/api/tokens', jpost(jwt, { name: 'Bad', scope: 'agency', target_playlist_ids: ['nonexistent'] })); assert.equal(badTok.status, 400, 'cannot bind an out-of-workspace target at issuance'); - // BITE 5 (issuance, zone): can't grant a zone the playlist's layout doesn't feed -> 400 - // (pl1 has no zone-targeted items, so NO zone is grantable for it) - const badZone = await jfetch('/api/tokens', jpost(jwt, { name: 'BadZone', scope: 'agency', target_playlist_ids: [pl1.id], target_zones: { [pl1.id]: ['nope-zone'] } })); - assert.equal(badZone.status, 400, 'cannot grant a zone the playlist\'s layout does not feed'); - // Portal graceful-failure trigger: an invalid/revoked key -> 401, which the portal catches // to show "paste it again" (never a wall of 403s). const bogus = await jfetch('/api/agency/playlists', { headers: { Authorization: 'Bearer st_bogus_invalid_key' } });