vantzs/corrosion-admin-panel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 18 Wiki Activity
Files
9c9c7a8a97968bf4a0301029bf68955285da81d2
corrosion-admin-panel/frontend/src/stores/auth.ts
Vantz Stockwell 7f2207bc28
All checks were successful
CI / backend-types (push) Successful in 9s
Details
CI / frontend-build (push) Successful in 15s
Details
CI / agent-tests (push) Successful in 42s
Details
CI / integration (push) Successful in 21s
Details
feat(settings): password change, 2FA enable/disable, API-key UI + Swagger; fix Owner RBAC drift 
Settings was missing self-service account security and any API-key UI:
- Account security (new Security tab): change password (POST /auth/change-password
  — verifies current via Argon2, rejects unchanged), enable 2FA (wires the
  existing /auth/2fa/setup QR + /auth/2fa/verify), and disable 2FA (new
  POST /auth/2fa/disable, requires a current code so a hijacked session can't
  strip the second factor).
- New API tab: create/list/revoke per-license API keys (the overnight backend
  had no UI), plaintext shown once, plus an 'API docs' button to /api/docs (Swagger).

Root-cause RBAC fix — the system-default Owner role enumerated per-resource
wildcards (server.*, wipe.*, ...) and drifted: apikeys, webhooks, alerts,
analytics, chat, schedules, notifications, map, users and ALL plugin-config
modules (plus singular plugin.* vs granted plugins.*) were locked out for any
non-super-admin Owner. Owner = full control of its license:
- migration 025 sets the Owner role to {"*": true}
- PermissionsGuard honors '*' as allow-all
- frontend hasPermission honors '*' and resource.* wildcards (was exact-match
  only, so wildcard-based roles silently failed)

Backend tsc + frontend build green. NOTE: migration 025 auto-applies on a fresh
DB (Saturday); the live DB needs the one-line UPDATE applied to unlock the API
tab for a non-super-admin owner.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-12 08:57:17 -04:00

130 lines
4.5 KiB
TypeScript
Raw Blame History

import { defineStore } from 'pinia'
import { ref, computed } from 'vue'
import type { User, License } from '@/types'
/**
* Decode the permissions object from a JWT access token payload.
* JWTs are base64url-encoded — the payload is not secret, just signed.
* The backend JWT strategy embeds `permissions: role?.permissions || {}`
* which is a JSONB object from the Role entity (e.g. { 'server.view': true }).
* Returns an empty object if the token is missing or malformed.
*/
function decodeJwtPermissions(token: string): Record<string, boolean> {
try {
const payloadB64 = token.split('.')[1]
if (!payloadB64) return {}
const json = atob(payloadB64.replace(/-/g, '+').replace(/_/g, '/'))
const payload = JSON.parse(json)
return payload.permissions && typeof payload.permissions === 'object'
? payload.permissions
: {}
} catch {
return {}
}
}
export const useAuthStore = defineStore('auth', () => {
const user = ref<User | null>(null)
const license = ref<License | null>(null)
const accessToken = ref<string | null>(null)
const refreshToken = ref<string | null>(null)
// Permissions decoded from the JWT payload — reflects the user's actual role permissions.
// Stored separately so hasPermission() works after page reload (token is persisted).
const permissions = ref<Record<string, boolean>>({})
const isAuthenticated = computed(() => !!accessToken.value)
const isSuperAdmin = computed(() => user.value?.is_super_admin ?? false)
const hasLicense = computed(() => !!license.value)
const isLicenseActive = computed(() => license.value?.status === 'active')
function setAuth(data: { access_token: string; refresh_token: string; user: User }) {
accessToken.value = data.access_token
refreshToken.value = data.refresh_token
user.value = data.user
// Decode permissions from the JWT so hasPermission() reflects the real role,
// not a hardcoded list. Custom roles work automatically this way.
permissions.value = decodeJwtPermissions(data.access_token)
}
function setLicense(data: License) {
license.value = data
}
function logout() {
user.value = null
license.value = null
accessToken.value = null
refreshToken.value = null
permissions.value = {}
}
/**
* Validate the persisted session against the API on app boot. Without this,
* a stale/revoked token renders the full panel chrome and only collapses on
* the first real API call. useApi's 401 path (refresh → retry → logout)
* does the heavy lifting; any non-auth failure (network, 5xx) keeps the
* session — never log users out because the API blipped.
* Dynamic import avoids a static auth-store ↔ useApi module cycle.
*/
async function validateSession(): Promise<void> {
if (!accessToken.value) return
try {
const { useApi } = await import('@/composables/useApi')
const me = await useApi().get<Partial<User>>('/auth/me')
if (user.value && me && typeof me === 'object') {
user.value = { ...user.value, ...me }
}
} catch {
// 401 → refresh → logout/redirect already handled inside useApi.
}
}
function hasModule(moduleSlug: string): boolean {
return license.value?.modules_enabled?.includes(moduleSlug) ?? false
}
function hasPermission(permission: string): boolean {
// Super admin has all permissions
if (isSuperAdmin.value) return true
// Check the permissions decoded from the JWT payload.
// The backend embeds role permissions as a JSONB object { 'resource.action': true }.
// If permissions is empty (e.g. after a page reload before re-auth), fall back to
// re-decoding from the persisted token so the user isn't locked out.
const perms = Object.keys(permissions.value).length > 0
? permissions.value
: accessToken.value
? decodeJwtPermissions(accessToken.value)
: {}
// Honor the global wildcard (Owner) and resource wildcards ("server.*")
// so role permissions stored as wildcards aren't missed by an exact match.
if (perms['*'] === true) return true
if (perms[permission] === true) return true
const resourceWildcard = permission.split('.')[0] + '.*'
return perms[resourceWildcard] === true
}
return {
user,
license,
accessToken,
refreshToken,
permissions,
isAuthenticated,
isSuperAdmin,
hasLicense,
isLicenseActive,
setAuth,
setLicense,
logout,
validateSession,
hasModule,
hasPermission,
}
}, {
persist: {
pick: ['accessToken', 'refreshToken', 'user', 'license'],
},
})
Reference in New Issue View Git Blame Copy Permalink