auth checks

SandroMaglione · SandroMaglione · commit e657cca73145 · 2025-03-03T05:37:45.000+01:00
diff --git a/apps/client/src/routes/$workspaceId/token.tsx b/apps/client/src/routes/$workspaceId/token.tsx
@@ -46,6 +46,8 @@ function RouteComponent() {
           scope: "read_write",
         },
       });
+
+      yield* Effect.promise(() => router.invalidate({ sync: true }));
     })
   );
 
diff --git a/apps/server/src/group/sync-auth.ts b/apps/server/src/group/sync-auth.ts
@@ -25,7 +25,7 @@ export const SyncAuthGroupLive = HttpApiBuilder.group(
 
             const scope: typeof Scope.Type = "read_write";
             const isMaster = true;
-            const issuedAt = new Date();
+            const issuedAt = DateTime.toDate(yield* DateTime.now);
 
             yield* query({
               Request: Schema.Struct({ workspaceId: Schema.String }),
diff --git a/apps/server/src/group/sync-data.ts b/apps/server/src/group/sync-data.ts
@@ -1,7 +1,7 @@
 import { HttpApiBuilder } from "@effect/platform";
 import { AuthWorkspace, SyncApi } from "@local/sync";
 import { SnapshotToLoroDoc } from "@local/sync/loro";
-import { and, desc, eq } from "drizzle-orm";
+import { and, desc, eq, gt, isNull, or } from "drizzle-orm";
 import { Array, Effect, Layer, Schema } from "effect";
 import { tokenTable, workspaceTable } from "../db/schema";
 import { AuthorizationLive } from "../middleware/authorization";
@@ -24,8 +24,7 @@ export const SyncDataGroupLive = HttpApiBuilder.group(
 
               yield* Effect.log(`Pushing workspace ${workspaceId}`);
 
-              doc.import(workspace.snapshot); // 🪄
-
+              doc.import(workspace.snapshot);
               const newSnapshot = yield* Schema.encode(SnapshotToLoroDoc)(doc);
 
               const newWorkspace = yield* query({
@@ -69,7 +68,15 @@ export const SyncDataGroupLive = HttpApiBuilder.group(
                   .where(
                     and(
                       eq(tokenTable.workspaceId, workspaceId),
-                      eq(tokenTable.clientId, clientId)
+                      eq(tokenTable.clientId, clientId),
+                      or(
+                        isNull(tokenTable.revokedAt),
+                        gt(tokenTable.revokedAt, new Date())
+                      ),
+                      or(
+                        isNull(tokenTable.expiresAt),
+                        gt(tokenTable.expiresAt, new Date())
+                      )
                     )
                   )
                   .orderBy(desc(tokenTable.issuedAt))
diff --git a/apps/server/src/middleware/authorization.ts b/apps/server/src/middleware/authorization.ts
@@ -40,6 +40,10 @@ export const AuthorizationLive = Layer.effect(
                   and(
                     eq(tokenTable.workspaceId, workspaceId),
                     eq(tokenTable.clientId, clientId),
+                    or(
+                      isNull(tokenTable.revokedAt),
+                      gt(tokenTable.revokedAt, new Date())
+                    ),
                     or(
                       isNull(tokenTable.expiresAt),
                       gt(tokenTable.expiresAt, new Date())
@@ -54,7 +58,12 @@ export const AuthorizationLive = Layer.effect(
           }).pipe(
             Effect.flatMap(Array.head),
             Effect.tapError(Effect.logError),
-            Effect.mapError(() => new Unauthorized())
+            Effect.mapError(
+              () =>
+                new Unauthorized({
+                  message: "Missing, expired, or revoked token",
+                })
+            )
           );
 
           return yield* query({
@@ -76,9 +85,10 @@ export const AuthorizationLive = Layer.effect(
             Match.value(error).pipe(
               Match.tagsExhaustive({
                 NoSuchElementException: () => new MissingWorkspace(),
-                Unauthorized: () => new Unauthorized(),
-                JwtError: () => new Unauthorized(),
-                ParseError: () => new Unauthorized(),
+                Unauthorized: (error) => error,
+                JwtError: () => new Unauthorized({ message: "Invalid token" }),
+                ParseError: () =>
+                  new Unauthorized({ message: "Invalid parameters" }),
                 QueryError: () => new DatabaseError(),
               })
             )
diff --git a/apps/server/src/middleware/master-authorization.ts b/apps/server/src/middleware/master-authorization.ts
@@ -47,15 +47,16 @@ export const MasterAuthorizationLive = Layer.effect(
             }).pipe(Effect.flatMap(Array.head));
           }
 
-          return yield* new Unauthorized();
+          return yield* new Unauthorized({ message: "Not master access" });
         }).pipe(
           Effect.mapError((error) =>
             Match.value(error).pipe(
               Match.tagsExhaustive({
                 NoSuchElementException: () => new MissingWorkspace(),
-                Unauthorized: () => new Unauthorized(),
-                JwtError: () => new Unauthorized(),
-                ParseError: () => new Unauthorized(),
+                Unauthorized: (error) => error,
+                JwtError: () => new Unauthorized({ message: "Invalid token" }),
+                ParseError: () =>
+                  new Unauthorized({ message: "Invalid parameters" }),
                 QueryError: () => new DatabaseError(),
               })
             )
diff --git a/packages/sync/src/main.ts b/packages/sync/src/main.ts
@@ -11,7 +11,7 @@ import { Snapshot } from "./loro";
 
 export class Unauthorized extends Schema.TaggedError<Unauthorized>()(
   "Unauthorized",
-  {},
+  { message: Schema.String },
   HttpApiSchema.annotations({ status: 401 })
 ) {}
 
