auth using middleware api key

Author: SandroMaglione

README.md

@@ -7,4 +7,6 @@
 4. Access: Collaborator inputs workshopId and accessToken, downloads data.
 5. Sync: Clients edit locally, sync with server using their token.
 6. Revoke: Owner revokes access, collaborator’s token fails.
-7. Expiry: Client handles token expiration gracefully.
+7. Expiry: Client handles token expiration gracefully.
+
+> Allow user to check all changes (syncs) by selecting history by `workspaceId` (`"read"` scope?)

apps/client/src/lib/services/sync.ts

@@ -36,11 +36,9 @@ export class Sync extends Effect.Service<Sync>()("Sync", {
             Effect.flatMap((token) =>
               client.syncData
                 .push({
-                  // headers: { Authorization: `Bearer ${token}` },
-                  path: {
-                    workspaceId: workspace.workspaceId,
-                  },
-                  payload: { clientId, snapshot, snapshotId },
+                  headers: { "x-api-key": token },
+                  path: { workspaceId: workspace.workspaceId },
+                  payload: { snapshot, snapshotId },
                 })
                 .pipe(
                   Effect.map((response) => ({

apps/client/src/workers/live.ts

@@ -101,10 +101,12 @@ const WorkerLive = WorkerRunner.layer((params: LiveQuery) =>
     Effect.gen(function* () {
       yield* Effect.log("Startup live query connection");
 
-      yield* Effect.fork(main({ workspaceId: params.workspaceId }));
-      yield* Effect.forever(Effect.never);
+      yield* Effect.addFinalizer(() =>
+        Effect.log("Closed live query connection")
+      );
 
-      yield* Effect.log("Closed live query connection");
+      yield* Effect.fork(main({ workspaceId: params.workspaceId }));
+      yield* Effect.never;
     }).pipe(Effect.mapError(() => "Live query error"))
   )
 ).pipe(Layer.provide(BrowserWorkerRunner.layer));

apps/server/src/group/sync-auth.ts

@@ -1,69 +1,96 @@
 import { HttpApiBuilder } from "@effect/platform";
 import { SyncApi, type Scope } from "@local/sync";
-import { Config, Effect, Layer, Redacted, Schema } from "effect";
-import * as jwt from "jsonwebtoken";
-import { workspaceTable } from "../db/schema";
+import { eq } from "drizzle-orm";
+import { Effect, Layer, Schema } from "effect";
+import { tokenTable, workspaceTable } from "../db/schema";
 import { Drizzle } from "../drizzle";
-
-interface TokenPayload {
-  iat: number; // Issued at (Unix timestamp)
-  exp?: number; // Expiration (optional for master tokens)
-  sub: string; // Client ID
-  workspaceId: string; // Workshop ID
-  scope: typeof Scope.Type; // Permission scope
-  isMaster: boolean; // Master token flag
-}
+import { AuthorizationLive } from "../middleware/authorization";
+import { Jwt } from "../services/jwt";
 
 export const SyncAuthGroupLive = HttpApiBuilder.group(
   SyncApi,
   "syncAuth",
   (handlers) =>
     Effect.gen(function* () {
-      const secretKey = yield* Config.redacted("JWT_SECRET");
+      const jwt = yield* Jwt;
       const { query } = yield* Drizzle;
 
       return handlers
         .handle("generateToken", ({ payload }) =>
           Effect.gen(function* () {
-            const tokenPayload = {
-              iat: Math.floor(Date.now() / 1000), // Current timestamp in seconds
-              sub: payload.clientId,
-              workspaceId: payload.workspaceId,
-              scope: "read_write", // TODO
-              isMaster: true, // TODO
-            } satisfies TokenPayload;
+            const scope: typeof Scope.Type = "read_write";
+            const isMaster = true;
+            const issuedAt = new Date();
 
-            yield* Effect.log(tokenPayload);
+            yield* query({
+              Request: Schema.Struct({ workspaceId: Schema.String }),
+              execute: (db, { workspaceId }) =>
+                db
+                  .select()
+                  .from(workspaceTable)
+                  .where(eq(workspaceTable.workspaceId, workspaceId)),
+            })({ workspaceId: payload.workspaceId }).pipe(
+              Effect.flatMap((rows) =>
+                rows.length === 0
+                  ? Effect.void
+                  : Effect.fail({ message: "Workspace already exists" })
+              )
+            );
 
-            const token = jwt.sign(tokenPayload, Redacted.value(secretKey), {
-              algorithm: "HS256",
+            const token = jwt.sign({
+              clientId: payload.clientId,
+              workspaceId: payload.workspaceId,
             });
 
-            yield* query({
-              Request: Schema.Struct({
-                clientId: Schema.String,
-                workspaceId: Schema.String,
-                snapshot: Schema.Uint8ArrayFromSelf,
+            yield* Effect.all([
+              query({
+                Request: Schema.Struct({
+                  clientId: Schema.String,
+                  workspaceId: Schema.String,
+                  snapshot: Schema.Uint8ArrayFromSelf,
+                }),
+                execute: (db, { clientId, snapshot, workspaceId }) =>
+                  db.insert(workspaceTable).values({
+                    snapshot,
+                    clientId,
+                    workspaceId,
+                    ownerClientId: clientId,
+                    snapshotId: payload.snapshotId,
+                  }),
+              })({
+                clientId: payload.clientId,
+                snapshot: payload.snapshot,
+                workspaceId: payload.workspaceId,
               }),
-              execute: (db, { clientId, snapshot, workspaceId }) =>
-                db.insert(workspaceTable).values({
-                  snapshot,
-                  clientId,
-                  workspaceId,
-                  ownerClientId: clientId,
-                  snapshotId: payload.snapshotId,
+              query({
+                Request: Schema.Struct({
+                  clientId: Schema.String,
+                  workspaceId: Schema.String,
+                  tokenValue: Schema.String,
                 }),
-            })({
-              clientId: payload.clientId,
-              snapshot: payload.snapshot,
-              workspaceId: payload.workspaceId,
-            });
+                execute: (db, { clientId, tokenValue, workspaceId }) =>
+                  db.insert(tokenTable).values({
+                    clientId,
+                    scope,
+                    tokenValue,
+                    workspaceId,
+                    isMaster,
+                    issuedAt,
+                    expiresAt: null,
+                    revokedAt: null,
+                  }),
+              })({
+                clientId: payload.clientId,
+                tokenValue: token,
+                workspaceId: payload.workspaceId,
+              }),
+            ]);
 
             return {
               token,
               workspaceId: payload.workspaceId,
               snapshot: payload.snapshot,
-              createdAt: new Date(),
+              createdAt: issuedAt,
             };
           }).pipe(
             Effect.tapErrorCause(Effect.logError),
@@ -80,4 +107,4 @@ export const SyncAuthGroupLive = HttpApiBuilder.group(
           Effect.fail("Not implemented")
         );
     })
-).pipe(Layer.provide(Drizzle.Default));
+).pipe(Layer.provide([Drizzle.Default, AuthorizationLive, Jwt.Default]));

apps/server/src/group/sync-data.ts

@@ -1,48 +1,28 @@
 import { HttpApiBuilder } from "@effect/platform";
-import { SyncApi } from "@local/sync";
+import { AuthWorkspace, SyncApi } from "@local/sync";
 import { SnapshotToLoroDoc } from "@local/sync/loro";
-import { and, desc, eq } from "drizzle-orm";
 import { Array, Effect, Layer, Schema } from "effect";
 import { workspaceTable } from "../db/schema";
 import { Drizzle } from "../drizzle";
+import { AuthorizationLive } from "../middleware/authorization";
 
 export const SyncDataGroupLive = HttpApiBuilder.group(
   SyncApi,
   "syncData",
   (handlers) =>
     Effect.gen(function* () {
       const { query } = yield* Drizzle;
+
       return handlers
         .handle(
           "push",
-          ({
-            payload: { clientId, snapshot, snapshotId },
-            path: { workspaceId },
-          }) =>
+          ({ payload: { snapshot, snapshotId }, path: { workspaceId } }) =>
             Effect.gen(function* () {
+              const workspace = yield* AuthWorkspace;
               const doc = yield* Schema.decode(SnapshotToLoroDoc)(snapshot);
 
               yield* Effect.log(`Pushing workspace ${workspaceId}`);
 
-              const workspace = yield* query({
-                Request: Schema.Struct({
-                  workspaceId: Schema.UUID,
-                  clientId: Schema.UUID,
-                }),
-                execute: (db, { workspaceId, clientId }) =>
-                  db
-                    .select()
-                    .from(workspaceTable)
-                    .where(
-                      and(
-                        eq(workspaceTable.workspaceId, workspaceId),
-                        eq(workspaceTable.clientId, clientId)
-                      )
-                    )
-                    .orderBy(desc(workspaceTable.createdAt))
-                    .limit(1),
-              })({ clientId, workspaceId }).pipe(Effect.flatMap(Array.head));
-
               doc.import(workspace.snapshot); // 🪄
 
               const newSnapshot = yield* Schema.encode(SnapshotToLoroDoc)(doc);
@@ -78,4 +58,4 @@ export const SyncDataGroupLive = HttpApiBuilder.group(
           Effect.fail("Not implemented")
         );
     })
-).pipe(Layer.provide(Drizzle.Default));
+).pipe(Layer.provide([Drizzle.Default, AuthorizationLive]));

apps/server/src/middleware/authorization.ts

@@ -0,0 +1,63 @@
+import {
+  Authorization,
+  DatabaseError,
+  MissingWorkspace,
+  Unauthorized,
+} from "@local/sync";
+import { and, desc, eq } from "drizzle-orm";
+import { Array, Effect, Layer, Match, Redacted, Schema } from "effect";
+import { workspaceTable } from "../db/schema";
+import { Drizzle } from "../drizzle";
+import { Jwt } from "../services/jwt";
+
+export const AuthorizationLive = Layer.effect(
+  Authorization,
+  Effect.gen(function* () {
+    const jwt = yield* Jwt;
+    const { query } = yield* Drizzle;
+    yield* Effect.log("Creating Authorization middleware");
+    return {
+      apiKey: (apiKey) =>
+        Effect.gen(function* () {
+          yield* Effect.log("Api key", Redacted.value(apiKey));
+
+          const tokenPayload = yield* jwt.decode({ apiKey });
+
+          yield* Effect.log(`Valid auth ${tokenPayload.workspaceId}`);
+
+          return yield* query({
+            Request: Schema.Struct({
+              workspaceId: Schema.UUID,
+              clientId: Schema.UUID,
+            }),
+            execute: (db, { workspaceId, clientId }) =>
+              db
+                .select()
+                .from(workspaceTable)
+                .where(
+                  and(
+                    eq(workspaceTable.workspaceId, workspaceId),
+                    eq(workspaceTable.clientId, clientId)
+                  )
+                )
+                .orderBy(desc(workspaceTable.createdAt))
+                .limit(1),
+          })({
+            clientId: tokenPayload.sub,
+            workspaceId: tokenPayload.workspaceId,
+          }).pipe(Effect.flatMap(Array.head));
+        }).pipe(
+          Effect.mapError((error) =>
+            Match.value(error).pipe(
+              Match.tagsExhaustive({
+                NoSuchElementException: () => new MissingWorkspace(),
+                JwtError: () => new Unauthorized(),
+                ParseError: () => new Unauthorized(),
+                QueryError: () => new DatabaseError(),
+              })
+            )
+          )
+        ),
+    };
+  })
+).pipe(Layer.provide([Drizzle.Default, Jwt.Default]));

apps/server/src/services/jwt.ts

@@ -0,0 +1,55 @@
+import { Scope } from "@local/sync";
+import { Config, Data, Effect, Redacted, Schema } from "effect";
+import * as jwt from "jsonwebtoken";
+
+class TokenPayload extends Schema.Class<TokenPayload>("TokenPayload")({
+  iat: Schema.Number,
+  exp: Schema.optional(Schema.Number),
+  sub: Schema.String,
+  workspaceId: Schema.String,
+  scope: Scope,
+  isMaster: Schema.Boolean,
+}) {}
+
+class JwtError extends Data.TaggedError("JwtError")<{
+  reason: "missing" | "invalid";
+}> {}
+
+export class Jwt extends Effect.Service<Jwt>()("Jwt", {
+  effect: Effect.gen(function* () {
+    const secretKey = yield* Config.redacted("JWT_SECRET");
+    return {
+      sign: ({
+        clientId,
+        workspaceId,
+      }: {
+        clientId: string;
+        workspaceId: string;
+      }) =>
+        jwt.sign(
+          new TokenPayload({
+            iat: Math.floor(Date.now() / 1000),
+            sub: clientId,
+            workspaceId,
+            scope: "read_write",
+            isMaster: true,
+          }),
+          Redacted.value(secretKey),
+          { algorithm: "HS256" }
+        ),
+
+      decode: ({ apiKey }: { apiKey: Redacted.Redacted<string> }) =>
+        Effect.gen(function* () {
+          const decoded = jwt.decode(Redacted.value(apiKey));
+
+          if (decoded === null) {
+            return yield* new JwtError({ reason: "missing" });
+          }
+
+          return yield* Schema.decodeUnknown(TokenPayload)(decoded).pipe(
+            Effect.mapError(() => new JwtError({ reason: "invalid" }))
+          );
+        }),
+    };
+  }),
+}) {}