feat: Add authorization rules to user email object type (#863)

Author: kingston

.changeset/add-user-email-authorization.md

@@ -0,0 +1,5 @@
+---
+'@baseplate-dev/plugin-auth': patch
+---
+
+Add authorization rules to the User model's email field in both Better Auth and Placeholder Auth plugins, restricting email visibility to admins and the user themselves (via a new "self" instance role)

examples/blog-with-auth/apps/backend/baseplate/generated/src/modules/accounts/users/authorizers/user.authorizer.ts

@@ -5,5 +5,5 @@ export const userAuthorizer = createModelAuthorizer({
   model: 'user',
   idField: 'id',
   getModelById: (id) => prisma.user.findUnique({ where: { id } }),
-  roles: { owner: (ctx, model) => model.id === ctx.auth.userId },
+  roles: { self: (ctx, model) => model.id === ctx.auth.userId },
 });

examples/blog-with-auth/apps/backend/baseplate/generated/src/modules/accounts/users/authorizers/user.query-filter.ts

@@ -3,6 +3,6 @@ import { createModelQueryFilter } from '@src/utils/query-filters.js';
 export const userQueryFilter = createModelQueryFilter({
   model: 'user',
   roles: {
-    owner: (ctx) => (ctx.auth.userId != null ? { id: ctx.auth.userId } : false),
+    self: (ctx) => (ctx.auth.userId != null ? { id: ctx.auth.userId } : false),
   },
 });

examples/blog-with-auth/apps/backend/baseplate/generated/src/modules/accounts/users/schema/user.object-type.ts

@@ -6,7 +6,7 @@ export const userObjectType = builder.prismaObject('User', {
   fields: (t) => ({
     id: t.exposeID('id'),
     email: t.exposeString('email', {
-      authorize: ['admin', userAuthorizer.roles.owner],
+      authorize: ['admin', userAuthorizer.roles.self],
       nullable: true,
     }),
     name: t.exposeString('name', { nullable: true }),

examples/blog-with-auth/apps/backend/src/modules/accounts/users/authorizers/user.authorizer.ts

@@ -5,5 +5,5 @@ export const userAuthorizer = createModelAuthorizer({
   model: 'user',
   idField: 'id',
   getModelById: (id) => prisma.user.findUnique({ where: { id } }),
-  roles: { owner: (ctx, model) => model.id === ctx.auth.userId },
+  roles: { self: (ctx, model) => model.id === ctx.auth.userId },
 });

examples/blog-with-auth/apps/backend/src/modules/accounts/users/authorizers/user.query-filter.ts

@@ -3,6 +3,6 @@ import { createModelQueryFilter } from '@src/utils/query-filters.js';
 export const userQueryFilter = createModelQueryFilter({
   model: 'user',
   roles: {
-    owner: (ctx) => (ctx.auth.userId != null ? { id: ctx.auth.userId } : false),
+    self: (ctx) => (ctx.auth.userId != null ? { id: ctx.auth.userId } : false),
   },
 });

examples/blog-with-auth/apps/backend/src/modules/accounts/users/schema/user.object-type.ts

@@ -6,7 +6,7 @@ export const userObjectType = builder.prismaObject('User', {
   fields: (t) => ({
     id: t.exposeID('id'),
     email: t.exposeString('email', {
-      authorize: ['admin', userAuthorizer.roles.owner],
+      authorize: ['admin', userAuthorizer.roles.self],
       nullable: true,
     }),
     name: t.exposeString('name', { nullable: true }),

examples/blog-with-auth/baseplate/project-definition.json

@@ -614,8 +614,8 @@
         "roles": [
           {
             "expression": "model.id === userId",
-            "id": "model-authorizer-role:blog-user-owner",
-            "name": "owner"
+            "id": "model-authorizer-role:BjC0i357yrgp",
+            "name": "self"
           }
         ]
       },
@@ -632,7 +632,7 @@
             { "ref": "id" },
             {
               "globalRoles": ["admin"],
-              "instanceRoles": ["owner"],
+              "instanceRoles": ["self"],
               "ref": "email"
             },
             { "ref": "name" },

examples/blog-with-auth/pnpm-lock.yaml

@@ -5,5 +5,5 @@ export const userAuthorizer = createModelAuthorizer({
   model: 'user',
   idField: 'id',
   getModelById: (id) => prisma.user.findUnique({ where: { id } }),
-  roles: { owner: (ctx, model) => model.id === ctx.auth.userId },
+  roles: { self: (ctx, model) => model.id === ctx.auth.userId },
 });