feat: add document auth (#1029)

2024-03-28 13:13:29 +08:00
parent 956562d3b4
commit a54eb54ef7
77 changed files with 3904 additions and 846 deletions
--- a/packages/lib/server-only/field/sign-field-with-token.ts
+++ b/packages/lib/server-only/field/sign-field-with-token.ts
@@ -8,15 +8,21 @@ import { DocumentStatus, FieldType, SigningStatus } from '@documenso/prisma/clie

 import { DEFAULT_DOCUMENT_DATE_FORMAT } from '../../constants/date-formats';
 import { DEFAULT_DOCUMENT_TIME_ZONE } from '../../constants/time-zones';
+import { AppError, AppErrorCode } from '../../errors/app-error';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
+import type { TRecipientActionAuth } from '../../types/document-auth';
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
+import { extractDocumentAuthMethods } from '../../utils/document-auth';
+import { isRecipientAuthorized } from '../document/is-recipient-authorized';

 export type SignFieldWithTokenOptions = {
  token: string;
  fieldId: number;
  value: string;
  isBase64?: boolean;
+  userId?: number;
+  authOptions?: TRecipientActionAuth;
  requestMetadata?: RequestMetadata;
 };

@@ -25,6 +31,8 @@ export const signFieldWithToken = async ({
  fieldId,
  value,
  isBase64,
+  userId,
+  authOptions,
  requestMetadata,
 }: SignFieldWithTokenOptions) => {
  const field = await prisma.field.findFirstOrThrow({
@@ -71,6 +79,33 @@ export const signFieldWithToken = async ({
    throw new Error(`Field ${fieldId} has no recipientId`);
  }

+  let { derivedRecipientActionAuth } = extractDocumentAuthMethods({
+    documentAuth: document.authOptions,
+    recipientAuth: recipient.authOptions,
+  });
+
+  // Override all non-signature fields to not require any auth.
+  if (field.type !== FieldType.SIGNATURE) {
+    derivedRecipientActionAuth = null;
+  }
+
+  let isValid = true;
+
+  // Only require auth on signature fields for now.
+  if (field.type === FieldType.SIGNATURE) {
+    isValid = await isRecipientAuthorized({
+      type: 'ACTION',
+      document: document,
+      recipient: recipient,
+      userId,
+      authOptions,
+    });
+  }
+
+  if (!isValid) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, 'Invalid authentication values');
+  }
+
  const documentMeta = await prisma.documentMeta.findFirst({
    where: {
      documentId: document.id,
@@ -158,9 +193,11 @@ export const signFieldWithToken = async ({
              data: updatedField.customText,
            }))
            .exhaustive(),
-          fieldSecurity: {
-            type: 'NONE',
-          },
+          fieldSecurity: derivedRecipientActionAuth
+            ? {
+                type: derivedRecipientActionAuth,
+              }
+            : undefined,
        },
      }),
    });