feat: major progress on interacting with member attendance

Author: jonahsnider

apps/api/adonisrc.ts

@@ -3,25 +3,25 @@ import { defineConfig } from '@adonisjs/core/app';
 // biome-ignore lint/style/noDefaultExport: This must be a default export
 export default defineConfig({
 	/*
-  |--------------------------------------------------------------------------
-  | Commands
-  |--------------------------------------------------------------------------
-  |
-  | List of ace commands to register from packages. The application commands
-  | will be scanned automatically from the "./commands" directory.
-  |
-  */
+|--------------------------------------------------------------------------
+| Commands
+|--------------------------------------------------------------------------
+|
+| List of ace commands to register from packages. The application commands
+| will be scanned automatically from the "./commands" directory.
+|
+*/
 	commands: [() => import('@adonisjs/core/commands'), () => import('@adonisjs/bouncer/commands')],
 
 	/*
-  |--------------------------------------------------------------------------
-  | Service providers
-  |--------------------------------------------------------------------------
-  |
-  | List of service providers to import and register when booting the
-  | application
-  |
-  */
+|--------------------------------------------------------------------------
+| Service providers
+|--------------------------------------------------------------------------
+|
+| List of service providers to import and register when booting the
+| application
+|
+*/
 	providers: [
 		() => import('@adonisjs/core/providers/app_provider'),
 		() => import('@adonisjs/core/providers/hash_provider'),
@@ -34,27 +34,28 @@ export default defineConfig({
 		() => import('@adonisjs/redis/redis_provider'),
 		() => import('@adonisjs/session/session_provider'),
 		() => import('@adonisjs/bouncer/bouncer_provider'),
+		() => import('@adonisjs/transmit/transmit_provider'),
 	],
 
 	/*
-  |--------------------------------------------------------------------------
-  | Preloads
-  |--------------------------------------------------------------------------
-  |
-  | List of modules to import before starting the application.
-  |
-  */
+|--------------------------------------------------------------------------
+| Preloads
+|--------------------------------------------------------------------------
+|
+| List of modules to import before starting the application.
+|
+*/
 	preloads: [() => import('#start/routes'), () => import('#start/kernel')],
 
 	/*
-  |--------------------------------------------------------------------------
-  | Tests
-  |--------------------------------------------------------------------------
-  |
-  | List of test suites to organize tests by their type. Feel free to remove
-  | and add additional suites.
-  |
-  */
+|--------------------------------------------------------------------------
+| Tests
+|--------------------------------------------------------------------------
+|
+| List of test suites to organize tests by their type. Feel free to remove
+| and add additional suites.
+|
+*/
 	tests: {
 		suites: [],
 		forceExit: false,

apps/api/app/auth/auth_service.ts

@@ -87,6 +87,8 @@ export class AuthService {
 					})
 					.returning({ id: Schema.users.id });
 
+				assert(user);
+
 				await tx.insert(Schema.credentials).values({
 					userId: user.id,
 					deviceType: verification.registrationInfo.credentialDeviceType,

apps/api/app/authorization/authorization_service.ts

@@ -0,0 +1,61 @@
+import { inject } from '@adonisjs/core';
+import type * as Schema from '#database/schema';
+import type { BouncerUser } from '#middleware/initialize_bouncer_middleware';
+import { injectHelper } from '../../util/inject_helper.js';
+import { GuestPasswordService } from '../guest_password/guest_password_service.js';
+import type { TeamSchema } from '../team/schemas/team_schema.js';
+import type { TeamMemberSchema } from '../team_member/schemas/team_member_schema.js';
+import { TeamMemberService } from '../team_member/team_member_service.js';
+import { TeamUserService } from '../team_user/team_user_service.js';
+
+export type TeamRole = Schema.TeamUserRole | 'guestToken';
+
+@inject()
+@injectHelper(GuestPasswordService, TeamUserService, TeamMemberService)
+export class AuthorizationService {
+	constructor(
+		private readonly guestPasswordService: GuestPasswordService,
+		private readonly teamUserService: TeamUserService,
+		private readonly teamMemberService: TeamMemberService,
+	) {}
+
+	async hasRoles(actor: BouncerUser, team: Pick<TeamSchema, 'slug'>, roles: TeamRole[]): Promise<boolean> {
+		if (actor.id === undefined) {
+			// No team user, so we can only check the guest token
+
+			if (!roles.includes('guestToken')) {
+				// Guest token wasn't a valid role, so we don't need to check the token
+
+				return false;
+			}
+
+			// Check if the token is still valid
+			return this.guestPasswordService.teamHasGuestToken(team, actor.unvalidatedGuestToken);
+		}
+
+		// Check if the DB contains any of the allowed roles
+		return this.teamUserService.userHasRoleInTeam(
+			actor,
+			team,
+			roles.filter((role): role is Schema.TeamUserRole => role !== 'guestToken'),
+		);
+	}
+
+	/** Check whether an actor has a role by querying via team member. */
+	async hasRolesByTeamMember(
+		actor: BouncerUser,
+		teamMember: Pick<TeamMemberSchema, 'id'>,
+		roles: TeamRole[],
+	): Promise<boolean> {
+		// TODO: Rewrite this to do one query instead of two - I'm not optimizing for performance for the MVP
+
+		const team = await this.teamMemberService.getTeamByMember(teamMember);
+
+		if (!team) {
+			// This should only ever be falsy if the team member ID doesn't exist anymore, and thus isn't associated with a team
+			return false;
+		}
+
+		return this.hasRoles(actor, team, roles);
+	}
+}

apps/api/app/db/db_service.ts

@@ -8,3 +8,5 @@ const connection = postgres(postgresUrl.release());
 export const db = drizzle(connection, {
 	schema: { ...schema, ...relations },
 });
+
+export type Db = typeof db;

apps/api/app/guest_password/guest_password_service.ts

@@ -0,0 +1,67 @@
+import assert from 'node:assert/strict';
+import type { HttpContext } from '@adonisjs/core/http';
+import redis from '@adonisjs/redis/services/main';
+import cuid2 from '@paralleldrive/cuid2';
+import { TRPCError } from '@trpc/server';
+import { convert } from 'convert';
+import { and, count, eq } from 'drizzle-orm';
+import * as Schema from '#database/schema';
+import { db } from '../db/db_service.js';
+import type { TeamSchema } from '../team/schemas/team_schema.js';
+
+/** Manages tokens for guest passwords, which allow limited access to a team. */
+export class GuestPasswordService {
+	private static redisKey(teamSlug: string): string {
+		return `team:${teamSlug}:guestTokens`;
+	}
+
+	private static readonly GUEST_PASSWORD_SESSION_LIFETIME = convert(6, 'months');
+
+	private async verifyPassword(
+		password: Pick<TeamSchema, 'password'>,
+		team: Pick<TeamSchema, 'slug'>,
+	): Promise<boolean> {
+		const [result] = await db
+			.select({ count: count() })
+			.from(Schema.teams)
+			.where(and(eq(Schema.teams.slug, team.slug), eq(Schema.teams.password, password.password)));
+
+		assert(result);
+
+		return result.count > 0;
+	}
+
+	/** Do a guest password login for a team. */
+	async guestPasswordLogin(input: Pick<TeamSchema, 'password' | 'slug'>, context: HttpContext): Promise<void> {
+		const correct = await this.verifyPassword(input, input);
+
+		if (!correct) {
+			throw new TRPCError({
+				code: 'UNAUTHORIZED',
+				message: 'Incorrect password',
+			});
+		}
+
+		const token = cuid2.createId();
+
+		const pipeline = redis.pipeline();
+		pipeline.sadd(GuestPasswordService.redisKey(input.slug), token);
+		pipeline.expire(
+			GuestPasswordService.redisKey(input.slug),
+			GuestPasswordService.GUEST_PASSWORD_SESSION_LIFETIME.to('s'),
+		);
+		await pipeline.exec();
+
+		context.session.put('guestToken', token);
+	}
+
+	async teamHasGuestToken(team: Pick<TeamSchema, 'slug'>, token: string): Promise<boolean> {
+		const result = await redis.sismember(GuestPasswordService.redisKey(team.slug), token);
+
+		return result === 1;
+	}
+
+	async clearTokensForTeam(team: Pick<TeamSchema, 'slug'>): Promise<void> {
+		await redis.del(GuestPasswordService.redisKey(team.slug));
+	}
+}

apps/api/app/middleware/initialize_bouncer_middleware.ts

@@ -6,7 +6,14 @@ import type { HttpContext } from '@adonisjs/core/http';
 import type { NextFn } from '@adonisjs/core/types/http';
 import type { UserSchema } from '../user/schemas/user_schema.js';
 
-export type BouncerUser = Pick<UserSchema, 'id'>;
+export type BouncerUser =
+	// Regular team user auth
+	| Pick<UserSchema, 'id'>
+	// Guest password auth
+	| {
+			id: undefined;
+			unvalidatedGuestToken: string;
+	  };
 
 export type AppBouncer = Bouncer<BouncerUser, typeof abilities, typeof policies>;
 
@@ -24,8 +31,17 @@ export default class InitializeBouncerMiddleware {
 		ctx.bouncer = new Bouncer(
 			(): BouncerUser | undefined => {
 				const userId = ctx.session.get('userId') as string | undefined;
+				const guestToken = ctx.session.get('guestToken') as string | undefined;
 
-				return userId ? { id: userId } : undefined;
+				if (userId) {
+					return { id: userId };
+				}
+
+				if (guestToken) {
+					return { id: undefined, unvalidatedGuestToken: guestToken };
+				}
+
+				return undefined;
 			},
 			abilities,
 			policies,

apps/api/app/policies/main.ts

@@ -13,6 +13,10 @@
 */
 
 export const policies = {
+	// biome-ignore lint/style/useNamingConvention: Convention is to use PascalCase
+	TeamMemberPolicy: () => import('../team_member/team_member_policy.js'),
 	// biome-ignore lint/style/useNamingConvention: Convention is to use PascalCase
 	UserPolicy: () => import('../user/user_policy.js'),
+	// biome-ignore lint/style/useNamingConvention: Convention is to use PascalCase
+	TeamPolicy: () => import('../team/team_policy.js'),
 };

apps/api/app/auth/auth_router.ts apps/api/app/routers/accounts_router.ts

@@ -1,13 +1,13 @@
 import { inject } from '@adonisjs/core';
 import { z } from 'zod';
 import { injectHelper } from '../../util/inject_helper.js';
-import { authedProcedure, publicProcedure, router } from '../trpc/trpc_service.js';
+import { AuthService } from '../auth/auth_service.js';
+import { publicProcedure, router } from '../trpc/trpc_service.js';
 import { UserSchema } from '../user/schemas/user_schema.js';
-import { AuthService } from './auth_service.js';
 
 @inject()
 @injectHelper(AuthService)
-export class AuthRouter {
+export class AccountsRouter {
 	constructor(private readonly authService: AuthService) {}
 
 	getRouter() {
@@ -54,7 +54,7 @@ export class AuthRouter {
 						return this.authService.verifyLogin(input.body, ctx.context);
 					}),
 			}),
-			logOut: authedProcedure.mutation(({ ctx }) => {
+			logOut: publicProcedure.mutation(({ ctx }) => {
 				ctx.context.session.clear();
 			}),
 		});

apps/api/app/routers/app_router.ts

@@ -1,24 +1,27 @@
 import { inject } from '@adonisjs/core';
 import { injectHelper } from '../../util/inject_helper.js';
-import { AuthRouter } from '../auth/auth_router.js';
-import { TeamRouter } from '../team/team_router.js';
 import { router } from '../trpc/trpc_service.js';
-import { UserRouter } from '../user/user_router.js';
+import { AccountsRouter } from './accounts_router.js';
+import { GuestRouter } from './guest_router.js';
+import { TeamRouter } from './team_router.js';
+import { UserRouter } from './user_router.js';
 
 @inject()
-@injectHelper(AuthRouter, UserRouter, TeamRouter)
+@injectHelper(AccountsRouter, UserRouter, TeamRouter, GuestRouter)
 export class AppRouter {
 	constructor(
-		private readonly authRouter: AuthRouter,
+		private readonly accountsRouter: AccountsRouter,
 		private readonly userRouter: UserRouter,
 		private readonly teamRouter: TeamRouter,
+		private readonly guestRouter: GuestRouter,
 	) {}
 
 	getRouter() {
 		return router({
-			auth: this.authRouter.getRouter(),
+			accounts: this.accountsRouter.getRouter(),
 			user: this.userRouter.getRouter(),
 			teams: this.teamRouter.getRouter(),
+			guestLogin: this.guestRouter.getRouter(),
 		});
 	}
 }

apps/api/app/routers/guest_router.ts

@@ -0,0 +1,32 @@
+import { inject } from '@adonisjs/core';
+import { z } from 'zod';
+import { injectHelper } from '../../util/inject_helper.js';
+import { GuestPasswordService } from '../guest_password/guest_password_service.js';
+import { TeamSchema } from '../team/schemas/team_schema.js';
+import { publicProcedure, router } from '../trpc/trpc_service.js';
+
+@inject()
+@injectHelper(GuestPasswordService)
+export class GuestRouter {
+	constructor(private readonly guestPasswordService: GuestPasswordService) {}
+
+	getRouter() {
+		return router({
+			isGuest: publicProcedure
+				.input(TeamSchema.pick({ slug: true }))
+				.output(z.boolean())
+				.query(({ ctx, input }) => {
+					if (!ctx.guestToken) {
+						return false;
+					}
+
+					return this.guestPasswordService.teamHasGuestToken(input, ctx.guestToken);
+				}),
+			passwordLogin: publicProcedure
+				.input(TeamSchema.pick({ password: true, slug: true }))
+				.mutation(async ({ ctx, input }) => {
+					await this.guestPasswordService.guestPasswordLogin(input, ctx.context);
+				}),
+		});
+	}
+}