mirror of
https://github.com/screentinker/screentinker.git
synced 2026-06-18 20:22:42 -06:00
797eab7c8d
The legacy /api/auth/users dropdown could write 'superadmin' and 'admin' role strings that not every code path recognized. Some checks matched only 'platform_admin' (tenancy accessContext/resolveTenancy), so a 'superadmin' user could list orgs but not act-as into them. Normalize to the current two-tier platform model (users.role holds the PLATFORM role only; org/workspace roles live in the membership tables): - Migration (idempotent, exact-string): superadmin -> platform_admin, admin -> user. No-ops on rows already in the current model. - Add isPlatformRole() helper in middleware/auth.js; route the two superadmin-excluding checks in tenancy.js through it so a stray 'superadmin' is never treated as lower-privileged (fixes act-as). - Remove the dead/stricter requirePlatformAdmin in permissions.js (bare === 'platform_admin'); the single guard is the one in middleware/auth.js. - Recovery-token default role admin -> platform_admin so emergency recovery keeps full access once 'admin' no longer implies elevation. - PUT /api/auth/users/:id/role whitelist -> ['user','platform_admin']; self-demote guard retargeted via isPlatformRole. - Frontend: platform user-management dropdown now offers User / Platform admin only; owner-delete guard and settings highlight use isPlatformAdmin. EN i18n: add admin.role.platform_admin. Behaviour is identical under HOSTED_INSTANCE set or unset; the migration only touches exact legacy strings. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
122 lines
4.7 KiB
JavaScript
122 lines
4.7 KiB
JavaScript
const jwt = require('jsonwebtoken');
|
|
const config = require('../config');
|
|
const { db } = require('../db/database');
|
|
|
|
// Phase 2.1: JWT now optionally carries the user's current workspace_id so
|
|
// the tenancy middleware can resolve scope without an extra DB lookup on
|
|
// every request. Callers that don't know the workspace yet (legacy paths,
|
|
// recovery tokens) pass null and the tenancy resolver falls back to the
|
|
// user's first accessible workspace.
|
|
function generateToken(user, currentWorkspaceId) {
|
|
return jwt.sign(
|
|
{ id: user.id, email: user.email, role: user.role, current_workspace_id: currentWorkspaceId || null },
|
|
config.jwtSecret,
|
|
{ algorithm: 'HS256', expiresIn: config.jwtExpiry }
|
|
);
|
|
}
|
|
|
|
function verifyToken(token) {
|
|
return jwt.verify(token, config.jwtSecret, { algorithms: ['HS256'] });
|
|
}
|
|
|
|
// Synthetic user record for recovery tokens (scripts/reset-admin.js). Not
|
|
// persisted; only exists for the lifetime of the request.
|
|
function recoveryUser(decoded) {
|
|
return {
|
|
id: decoded.id,
|
|
email: decoded.email || 'admin@localhost',
|
|
name: 'Recovery Admin',
|
|
role: decoded.role || 'platform_admin',
|
|
auth_provider: 'recovery',
|
|
avatar_url: null,
|
|
plan_id: 'enterprise'
|
|
};
|
|
}
|
|
|
|
// Express middleware - requires valid JWT
|
|
function requireAuth(req, res, next) {
|
|
const authHeader = req.headers.authorization;
|
|
if (!authHeader || !authHeader.startsWith('Bearer ')) {
|
|
return res.status(401).json({ error: 'Authentication required' });
|
|
}
|
|
|
|
try {
|
|
const token = authHeader.split(' ')[1];
|
|
const decoded = verifyToken(token);
|
|
if (decoded.recovery) {
|
|
req.user = recoveryUser(decoded);
|
|
req.jwtWorkspaceId = null;
|
|
return next();
|
|
}
|
|
const user = db.prepare('SELECT id, email, name, role, auth_provider, avatar_url, plan_id, email_alerts FROM users WHERE id = ?').get(decoded.id);
|
|
if (!user) return res.status(401).json({ error: 'User not found' });
|
|
req.user = user;
|
|
// Tenancy middleware reads this on the resolver step.
|
|
req.jwtWorkspaceId = decoded.current_workspace_id || null;
|
|
next();
|
|
} catch (err) {
|
|
return res.status(401).json({ error: 'Invalid or expired token' });
|
|
}
|
|
}
|
|
|
|
// Optional auth - sets req.user if token present, continues either way
|
|
function optionalAuth(req, res, next) {
|
|
const authHeader = req.headers.authorization;
|
|
if (authHeader && authHeader.startsWith('Bearer ')) {
|
|
try {
|
|
const token = authHeader.split(' ')[1];
|
|
const decoded = verifyToken(token);
|
|
req.user = decoded.recovery
|
|
? recoveryUser(decoded)
|
|
: db.prepare('SELECT id, email, name, role, auth_provider, avatar_url, plan_id FROM users WHERE id = ?').get(decoded.id);
|
|
req.jwtWorkspaceId = decoded.current_workspace_id || null;
|
|
} catch (err) {
|
|
// Token invalid, continue without user
|
|
}
|
|
}
|
|
next();
|
|
}
|
|
|
|
// Phase 2.1: role rename. Phase 1 renamed 'superadmin' to 'platform_admin' and
|
|
// dropped the in-between 'admin' role. These two guards are widened to accept
|
|
// either spelling so existing callers keep working without per-route edits.
|
|
// New code should prefer requirePlatformAdmin / requireOrgAdmin / workspace
|
|
// role guards from server/lib/permissions.js.
|
|
//
|
|
// Issue #14 (role normalization): the data migration in db/database.js collapses
|
|
// any legacy 'superadmin' -> 'platform_admin' and 'admin' -> 'user'. 'superadmin'
|
|
// is kept in PLATFORM_ROLES purely as back-compat belt-and-suspenders (recovery
|
|
// tokens, stray strings) - no row should carry it post-migration. Owner-level
|
|
// power lives here in PLATFORM_ROLES; anything not in this set is denied.
|
|
|
|
const PLATFORM_ROLES = ['superadmin', 'platform_admin'];
|
|
const ELEVATED_ROLES = ['admin', 'superadmin', 'platform_admin'];
|
|
|
|
// isPlatformRole: single predicate for "is this string a platform-owner role".
|
|
// Use this instead of a bare `role === 'platform_admin'` so a stray 'superadmin'
|
|
// is never silently treated as lower-privileged (the act-as bug fixed in #14).
|
|
// NOTE: this is the OWNER tier only - it deliberately does NOT include
|
|
// 'platform_operator' (issue #13), which is cross-org staff, not an owner.
|
|
function isPlatformRole(role) {
|
|
return PLATFORM_ROLES.includes(role);
|
|
}
|
|
|
|
function requireAdmin(req, res, next) {
|
|
if (!req.user || !ELEVATED_ROLES.includes(req.user.role)) {
|
|
return res.status(403).json({ error: 'Admin access required' });
|
|
}
|
|
next();
|
|
}
|
|
|
|
function requireSuperAdmin(req, res, next) {
|
|
if (!req.user || !PLATFORM_ROLES.includes(req.user.role)) {
|
|
return res.status(403).json({ error: 'Platform admin access required' });
|
|
}
|
|
next();
|
|
}
|
|
|
|
// Preferred alias for new code.
|
|
const requirePlatformAdmin = requireSuperAdmin;
|
|
|
|
module.exports = { generateToken, verifyToken, requireAuth, optionalAuth, requireAdmin, requireSuperAdmin, requirePlatformAdmin, isPlatformRole, PLATFORM_ROLES, ELEVATED_ROLES };
|