Archive/screentinker

Fork 0

mirror of https://github.com/screentinker/screentinker.git synced 2026-06-15 10:43:36 -06:00

Commit graph

Author	SHA1	Message	Date
ScreenTinker	c4fbd2ba5c	feat(workspaces): invite/accept-invite backend (slice 1+3) Slice 1 + 3 of the user-management feature from the May 12 plan. Backend-only - no UI yet (slice 2 ships separately). Backend + accept-handler together so the email accept link is functional from day one without a half-state. Endpoints added: - GET /api/workspaces/:id/members (any member; via_org=true for org-level entries, read-only from ws context) - GET /api/workspaces/:id/invites (workspace_admin) - POST /api/workspaces/:id/invites (workspace_admin) - DELETE /api/workspaces/:id/invites/:inviteId (workspace_admin) - PUT /api/workspaces/:id/members/:userId (workspace_admin) - DELETE /api/workspaces/:id/members/:userId (workspace_admin) - POST /api/auth/accept-invite/:inviteId (requireAuth + case-insensitive email match) Permission gating: - canAdminWorkspace (existing) for admin-gated endpoints - canAccessWorkspace (new helper in lib/permissions.js) for the members read endpoint - mirrors canAdminWorkspace shape but admits any workspace_members role plus org/platform paths Security additions vs the original plan: - Transaction-bounded collision check on POST /invites closes the TOCTOU race between simultaneous duplicate POSTs (no UNIQUE constraint on workspace_invites(workspace_id, email)) - Per-(inviter, workspace), hour-window rate limit on POST /invites to prevent abuse / cost runaway. Env-configurable via INVITE_RATE_LIMIT_PER_HOUR with conservative 50/hour default. 429 response is generic - does not echo the configured value. - Invite expiry env-configurable via INVITE_EXPIRY_DAYS (default 7) - PUBLIC_URL env var (optional) pins the accept-URL origin in prod; falls back to request-derived for local dev Rollback rule on email send: only graph_error (real send attempt failed at Graph) deletes the row and returns 502. not_configured and dev_restricted are intentional non-sends - keep the row, count against rate limit, allow local accept-invite testing to proceed. Other safety blocks: - Cannot demote/remove the last workspace_admin (409) - Cannot remove the parent-org's org_owner via workspace path (403) - Accept-invite is idempotent if user already a member - Expired invites delete-on-read and return 410 - Wrong-account accept returns 403 without touching the invite Expired-invite cleanup added to services/heartbeat.js mirroring the team_invites sweep pattern. Verification: 9-case curl-driven E2E against the dev DB fixture (switcher-test + invitee-existing + invitee-new mid-flow register). All 9 pass: create / collision-409 / second-create / rate-limit-429 / existing-user-accept / register-then-accept / wrong-account-403 / expired-410 / viewer-cannot-invite-403. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-16 12:19:59 -05:00
ScreenTinker	fc29843035	feat(socket): Phase 2.3 workspace-scoped dashboard socket rooms + per-command permission gates. Dashboard namespace was previously a flat broadcast - every connected dashboard received every device's status/screenshot/playback events platform-wide (foreign device names + IPs included). Inbound socket commands gated by a legacy admin/superadmin role check that was dead code post-Phase-1 rename. Fix: at connect, enumerate the user's accessible workspace_ids (direct workspace_members + org_owner/admin paths + platform_admin 'all') via new accessibleWorkspaceIds() helper in lib/tenancy.js; socket.join one room per workspace. All 12 dashboardNs.emit sites across deviceSocket / heartbeat / server.js / devices route / video-walls route now route via dashboardNs.to(workspaceRoom(...)).emit() with the workspace looked up from the relevant device or wall. New lib/socket-rooms.js holds the helpers and breaks a circular dependency (dashboardSocket already requires heartbeat, so heartbeat can't require dashboardSocket). Inbound 6 commands rewired to canActOnDevice(socket, deviceId, tier): request-screenshot is read tier (workspace_viewer+); remote-touch/key/start/stop and device-command are write tier (workspace_editor+). Platform_admin and org_owner/admin always pass via actingAs. Legacy admin/superadmin branch dropped. Lifecycle note: workspace-switch already calls window.location.reload (Phase 3 switcher), which forces a fresh socket with updated memberships - no per-emit re-evaluation needed. Smoke tested with 3 simultaneous socket.io-client connections (switcher-test, swninja, dw5304 platform_admin) + direct canActOnDevice invocation for 6 user/device/tier combinations. All 9 outbound isolation cells and all 6 permission gates pass. Fixture mutation: switcher-test's Field Crew membership flipped from workspace_editor to workspace_viewer to exercise the read/write tier split in one login.	2026-05-12 11:34:24 -05:00
ScreenTinker	1594a9d4a4	Initial open source release ScreenTinker - open source digital signage management software. MIT License, all features included, no license gates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-08 12:14:53 -05:00

Author

SHA1

Message

Date

ScreenTinker

c4fbd2ba5c

feat(workspaces): invite/accept-invite backend (slice 1+3)

Slice 1 + 3 of the user-management feature from the May 12 plan.
Backend-only - no UI yet (slice 2 ships separately). Backend +
accept-handler together so the email accept link is functional
from day one without a half-state.

Endpoints added:
- GET    /api/workspaces/:id/members     (any member; via_org=true
                                          for org-level entries,
                                          read-only from ws context)
- GET    /api/workspaces/:id/invites     (workspace_admin)
- POST   /api/workspaces/:id/invites     (workspace_admin)
- DELETE /api/workspaces/:id/invites/:inviteId (workspace_admin)
- PUT    /api/workspaces/:id/members/:userId   (workspace_admin)
- DELETE /api/workspaces/:id/members/:userId   (workspace_admin)
- POST   /api/auth/accept-invite/:inviteId     (requireAuth +
                                                case-insensitive
                                                email match)

Permission gating:
- canAdminWorkspace (existing) for admin-gated endpoints
- canAccessWorkspace (new helper in lib/permissions.js) for the
  members read endpoint - mirrors canAdminWorkspace shape but
  admits any workspace_members role plus org/platform paths

Security additions vs the original plan:
- Transaction-bounded collision check on POST /invites closes the
  TOCTOU race between simultaneous duplicate POSTs (no UNIQUE
  constraint on workspace_invites(workspace_id, email))
- Per-(inviter, workspace), hour-window rate limit on POST /invites
  to prevent abuse / cost runaway. Env-configurable via
  INVITE_RATE_LIMIT_PER_HOUR with conservative 50/hour default.
  429 response is generic - does not echo the configured value.
- Invite expiry env-configurable via INVITE_EXPIRY_DAYS (default 7)
- PUBLIC_URL env var (optional) pins the accept-URL origin in prod;
  falls back to request-derived for local dev

Rollback rule on email send: only graph_error (real send attempt
failed at Graph) deletes the row and returns 502. not_configured
and dev_restricted are intentional non-sends - keep the row, count
against rate limit, allow local accept-invite testing to proceed.

Other safety blocks:
- Cannot demote/remove the last workspace_admin (409)
- Cannot remove the parent-org's org_owner via workspace path (403)
- Accept-invite is idempotent if user already a member
- Expired invites delete-on-read and return 410
- Wrong-account accept returns 403 without touching the invite

Expired-invite cleanup added to services/heartbeat.js mirroring
the team_invites sweep pattern.

Verification: 9-case curl-driven E2E against the dev DB fixture
(switcher-test + invitee-existing + invitee-new mid-flow register).
All 9 pass: create / collision-409 / second-create / rate-limit-429 /
existing-user-accept / register-then-accept / wrong-account-403 /
expired-410 / viewer-cannot-invite-403.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-16 12:19:59 -05:00

ScreenTinker

fc29843035

feat(socket): Phase 2.3 workspace-scoped dashboard socket rooms + per-command permission gates. Dashboard namespace was previously a flat broadcast - every connected dashboard received every device's status/screenshot/playback events platform-wide (foreign device names + IPs included). Inbound socket commands gated by a legacy admin/superadmin role check that was dead code post-Phase-1 rename.

Fix: at connect, enumerate the user's accessible workspace_ids (direct workspace_members + org_owner/admin paths + platform_admin 'all') via new accessibleWorkspaceIds() helper in lib/tenancy.js; socket.join one room per workspace. All 12 dashboardNs.emit sites across deviceSocket / heartbeat / server.js / devices route / video-walls route now route via dashboardNs.to(workspaceRoom(...)).emit() with the workspace looked up from the relevant device or wall. New lib/socket-rooms.js holds the helpers and breaks a circular dependency (dashboardSocket already requires heartbeat, so heartbeat can't require dashboardSocket).

Inbound 6 commands rewired to canActOnDevice(socket, deviceId, tier): request-screenshot is read tier (workspace_viewer+); remote-touch/key/start/stop and device-command are write tier (workspace_editor+). Platform_admin and org_owner/admin always pass via actingAs. Legacy admin/superadmin branch dropped.

Lifecycle note: workspace-switch already calls window.location.reload (Phase 3 switcher), which forces a fresh socket with updated memberships - no per-emit re-evaluation needed.

Smoke tested with 3 simultaneous socket.io-client connections (switcher-test, swninja, dw5304 platform_admin) + direct canActOnDevice invocation for 6 user/device/tier combinations. All 9 outbound isolation cells and all 6 permission gates pass. Fixture mutation: switcher-test's Field Crew membership flipped from workspace_editor to workspace_viewer to exercise the read/write tier split in one login.

2026-05-12 11:34:24 -05:00

ScreenTinker

1594a9d4a4

Initial open source release

ScreenTinker - open source digital signage management software.
MIT License, all features included, no license gates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-04-08 12:14:53 -05:00

3 commits