Feat: System settings (#66)

* Format checked, contributing.md update

* Middleware setup

* IAP API, create user/roles in frontend

* RBAC using CASL library

* Switch to CASL, secure search, resource-level access control

* Remove inherent behavior, index userEmail, adding docs for IAM policies

* Format

* System settings setup

---------

Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>

Author: wayneshn

packages/backend/src/api/controllers/settings.controller.ts

@@ -0,0 +1,25 @@
+import type { Request, Response } from 'express';
+import { SettingsService } from '../../services/SettingsService';
+
+const settingsService = new SettingsService();
+
+export const getSettings = async (req: Request, res: Response) => {
+    try {
+        const settings = await settingsService.getSettings();
+        res.status(200).json(settings);
+    } catch (error) {
+        // A more specific error could be logged here
+        res.status(500).json({ message: 'Failed to retrieve settings' });
+    }
+};
+
+export const updateSettings = async (req: Request, res: Response) => {
+    try {
+        // Basic validation can be performed here if necessary
+        const updatedSettings = await settingsService.updateSettings(req.body);
+        res.status(200).json(updatedSettings);
+    } catch (error) {
+        // A more specific error could be logged here
+        res.status(500).json({ message: 'Failed to update settings' });
+    }
+};

packages/backend/src/api/routes/settings.routes.ts

@@ -0,0 +1,22 @@
+import { Router } from 'express';
+import * as settingsController from '../controllers/settings.controller';
+import { requireAuth } from '../middleware/requireAuth';
+import { requirePermission } from '../middleware/requirePermission';
+import { AuthService } from '../../services/AuthService';
+
+export const createSettingsRouter = (authService: AuthService): Router => {
+    const router = Router();
+
+    // Public route to get non-sensitive settings.  settings read should not be scoped with a permission because all end users need the settings data in the frontend. However, for sensitive settings data, we need to add a new permission subject to limit access. So this route should only expose non-sensitive settings data.
+    router.get('/', settingsController.getSettings);
+
+    // Protected route to update settings
+    router.put(
+        '/',
+        requireAuth(authService),
+        requirePermission('manage', 'settings', 'You do not have permission to update system settings.'),
+        settingsController.updateSettings
+    );
+
+    return router;
+};

packages/backend/src/api/routes/test.routes.ts

@@ -0,0 +1,4 @@
+CREATE TABLE "system_settings" (
+	"id" serial PRIMARY KEY NOT NULL,
+	"config" jsonb NOT NULL
+);