hanh.tonguyen/paperclip
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(server): integrate Better Auth, access control, and deployment mode startup

Browse Source 
Wire up Better Auth for session-based authentication. Add actor middleware
that resolves local_trusted mode to an implicit board actor and authenticated
mode to Better Auth sessions. Add access service with membership, permission,
invite, and join-request management. Register access routes for member/invite/
join-request CRUD. Update health endpoint to report deployment mode and
bootstrap status. Enforce tasks:assign and agents:create permissions in issue
and agent routes. Add deployment mode validation at startup with guardrails
(loopback-only for local_trusted, auth config required for authenticated).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Forgotten
2026-02-23 14:40:32 -06:00
parent 60d6122271
commit e1f2be7ecf
24 changed files with 1530 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
server/src/routes/sidebar-badges.ts
View File

@@ -1,16 +1,38 @@
import { Router } from "express";
import type { Db } from "@paperclip/db";
import { and, eq, sql } from "drizzle-orm";
import { joinRequests } from "@paperclip/db";
import { sidebarBadgeService } from "../services/sidebar-badges.js";
import { accessService } from "../services/access.js";
import { assertCompanyAccess } from "./authz.js";
export function sidebarBadgeRoutes(db: Db) {
const router = Router();
const svc = sidebarBadgeService(db);
const access = accessService(db);
router.get("/companies/:companyId/sidebar-badges", async (req, res) => {
const companyId = req.params.companyId as string;
assertCompanyAccess(req, companyId);
const badges = await svc.get(companyId);
let canApproveJoins = false;
if (req.actor.type === "board") {
canApproveJoins =
req.actor.source === "local_implicit" ||
Boolean(req.actor.isInstanceAdmin) ||
(await access.canUser(companyId, req.actor.userId, "joins:approve"));
} else if (req.actor.type === "agent" && req.actor.agentId) {
canApproveJoins = await access.hasPermission(companyId, "agent", req.actor.agentId, "joins:approve");
}
const joinRequestCount = canApproveJoins
? await db
.select({ count: sql<number>`count(*)` })
.from(joinRequests)
.where(and(eq(joinRequests.companyId, companyId), eq(joinRequests.status, "pending_approval")))
.then((rows) => Number(rows[0]?.count ?? 0))
: 0;
const badges = await svc.get(companyId, { joinRequests: joinRequestCount });
res.json(badges);
});