teableio
diff --git a/‎apps/nestjs-backend/src/features/aggregation/open-api/aggregation-open-api.controller.ts
Lines changed: 0 additions & 2 deletions b/‎apps/nestjs-backend/src/features/aggregation/open-api/aggregation-open-api.controller.ts
Lines changed: 0 additions & 2 deletions
diff --git a/‎apps/nestjs-backend/src/features/auth/auth.service.ts
Lines changed: 8 additions & 0 deletions b/‎apps/nestjs-backend/src/features/auth/auth.service.ts
Lines changed: 8 additions & 0 deletions
diff --git a/‎apps/nestjs-backend/src/features/auth/decorators/token.decorator.ts
Lines changed: 5 additions & 0 deletions b/‎apps/nestjs-backend/src/features/auth/decorators/token.decorator.ts
Lines changed: 5 additions & 0 deletions
diff --git a/‎apps/nestjs-backend/src/features/auth/guard/permission.guard.ts
Lines changed: 67 additions & 15 deletions b/‎apps/nestjs-backend/src/features/auth/guard/permission.guard.ts
Lines changed: 67 additions & 15 deletions
diff --git a/‎apps/nestjs-backend/src/features/auth/permission.module.ts
Lines changed: 9 additions & 1 deletion b/‎apps/nestjs-backend/src/features/auth/permission.module.ts
Lines changed: 9 additions & 1 deletion
diff --git a/‎apps/nestjs-backend/src/features/auth/permission.service.ts
Lines changed: 15 additions & 6 deletions b/‎apps/nestjs-backend/src/features/auth/permission.service.ts
Lines changed: 15 additions & 6 deletions
diff --git a/‎apps/nestjs-backend/src/features/auth/strategies/local.strategy.ts
Lines changed: 1 addition & 0 deletions b/‎apps/nestjs-backend/src/features/auth/strategies/local.strategy.ts
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/nestjs-backend/src/features/base/base.controller.ts
Lines changed: 1 addition & 3 deletions b/‎apps/nestjs-backend/src/features/base/base.controller.ts
Lines changed: 1 addition & 3 deletions
diff --git a/‎apps/nestjs-backend/src/features/field/open-api/field-open-api.controller.ts
Lines changed: 1 addition & 14 deletions b/‎apps/nestjs-backend/src/features/field/open-api/field-open-api.controller.ts
Lines changed: 1 addition & 14 deletions
diff --git a/‎apps/nestjs-backend/src/features/record/open-api/record-open-api.controller.ts
Lines changed: 1 addition & 13 deletions b/‎apps/nestjs-backend/src/features/record/open-api/record-open-api.controller.ts
Lines changed: 1 addition & 13 deletions
@@ -11,12 +11,10 @@ import {
 } from '@teable-group/core';
 import { ZodValidationPipe } from '../../../zod.validation.pipe';
 import { Permissions } from '../../auth/decorators/permissions.decorator';
-import { PermissionGuard } from '../../auth/guard/permission.guard';
 import { TqlPipe } from '../../record/open-api/tql.pipe';
 import { AggregationOpenApiService } from './aggregation-open-api.service';
 
 @Controller('api/table/:tableId/aggregation')
-@UseGuards(PermissionGuard)
 export class AggregationOpenApiController {
   constructor(private readonly aggregationOpenApiService: AggregationOpenApiService) {}
 
 
@@ -59,6 +59,7 @@ export class AuthService {
       email,
       salt,
       password: hashPassword,
+      lastSignTime: new Date().toISOString(),
     });
   }
 
@@ -96,4 +97,11 @@ export class AuthService {
     // clear session
     await this.sessionStoreService.clearByUserId(userId);
   }
+
+  async refreshLastSignTime(userId: string) {
+    await this.prismaService.user.update({
+      where: { id: userId, deletedTime: null },
+      data: { lastSignTime: new Date().toISOString() },
+    });
+  }
 }
@@ -0,0 +1,5 @@
+import { SetMetadata } from '@nestjs/common';
+
+export const IS_TOKEN_ACCESS = 'isTokenAccess';
+// eslint-disable-next-line @typescript-eslint/naming-convention
+export const TokenAccess = () => SetMetadata(IS_TOKEN_ACCESS, true);
@@ -8,6 +8,7 @@ import { PERMISSIONS_KEY } from '../decorators/permissions.decorator';
 import { IS_PUBLIC_KEY } from '../decorators/public.decorator';
 import type { IResourceMeta } from '../decorators/resource_meta.decorator';
 import { RESOURCE_META } from '../decorators/resource_meta.decorator';
+import { IS_TOKEN_ACCESS } from '../decorators/token.decorator';
 import { PermissionService } from '../permission.service';
 
 @Injectable()
@@ -33,23 +34,20 @@ export class PermissionGuard {
     return req.params.baseId || req.params.spaceId || req.params.tableId;
   }
 
-  async canActivate(context: ExecutionContext) {
-    const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [
-      context.getHandler(),
-      context.getClass(),
-    ]);
-
-    if (isPublic) {
-      return true;
+  /**
+   * Space creation permissions are more specific and only pertain to users,
+   * but tokens can be disallowed from being created.
+   */
+  private async permissionCreateSpace() {
+    const accessTokenId = this.cls.get('accessTokenId');
+    if (accessTokenId) {
+      const { scopes } = await this.permissionService.getAccessToken(accessTokenId);
+      return scopes.includes('space|create');
     }
-    const permissions = this.reflector.getAllAndOverride<PermissionAction[] | undefined>(
-      PERMISSIONS_KEY,
-      [context.getHandler(), context.getClass()]
-    );
+    return true;
+  }
 
-    if (!permissions?.length) {
-      return true;
-    }
+  private async resourcePermission(context: ExecutionContext, permissions: PermissionAction[]) {
     const resourceId = this.getResourceId(context);
     if (!resourceId) {
       throw new ForbiddenException('permission check ID does not exist');
@@ -85,4 +83,58 @@ export class PermissionGuard {
     this.cls.set('permissions', permissionsByCheck);
     return true;
   }
+
+  /**
+   * permission step:
+   * 1. public decorator sign
+   *    full public interface
+   * 2. token decorator sign
+   *    The token can only access interfaces that are restricted by permissions or have a token access indicator.
+   * 3. permissions decorator sign
+   *    Decorate what permissions are needed to operate the interface,
+   *    if none then it means just logging in is sufficient
+   * 4. space create permission check
+   *    The space create permission is special, it has nothing to do with resources, but only with users.
+   * 5. resource permission check
+   *    Because the token is user-generated, the permissions will only be less than the current user,
+   *    so first determine the current user permissions
+   *    5.1. by user for space
+   *    5.2. by access token if exists
+   */
+  async canActivate(context: ExecutionContext) {
+    // public check
+    const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+
+    if (isPublic) {
+      return true;
+    }
+
+    const permissions = this.reflector.getAllAndOverride<PermissionAction[] | undefined>(
+      PERMISSIONS_KEY,
+      [context.getHandler(), context.getClass()]
+    );
+
+    const accessTokenId = this.cls.get('accessTokenId');
+    if (accessTokenId && !permissions?.length) {
+      // Pre-checking of tokens
+      // The token can only access interfaces that are restricted by permissions or have a token access indicator.
+      return this.reflector.getAllAndOverride<boolean>(IS_TOKEN_ACCESS, [
+        context.getHandler(),
+        context.getClass(),
+      ]);
+    }
+
+    if (!permissions?.length) {
+      return true;
+    }
+    // space create permission check
+    if (permissions?.includes('space|create')) {
+      return await this.permissionCreateSpace();
+    }
+    // resource permission check
+    return await this.resourcePermission(context, permissions);
+  }
 }
@@ -1,10 +1,18 @@
 import { Global, Module } from '@nestjs/common';
+import { APP_GUARD } from '@nestjs/core';
 import { PermissionGuard } from './guard/permission.guard';
 import { PermissionService } from './permission.service';
 
 @Global()
 @Module({
-  providers: [PermissionService, PermissionGuard],
+  providers: [
+    PermissionService,
+    PermissionGuard,
+    {
+      provide: APP_GUARD,
+      useClass: PermissionGuard,
+    },
+  ],
   exports: [PermissionService, PermissionGuard],
 })
 export class PermissionModule {}
@@ -90,15 +90,24 @@ export class PermissionService {
     return await this.checkPermissionByBaseId(table.base.id, permissions);
   }
 
+  async getAccessToken(accessTokenId: string) {
+    const { scopes, spaceIds, baseIds } = await this.prismaService.accessToken.findFirstOrThrow({
+      where: { id: accessTokenId },
+      select: { scopes: true, spaceIds: true, baseIds: true },
+    });
+    return {
+      scopes: JSON.parse(scopes) as PermissionAction[],
+      spaceIds: spaceIds ? JSON.parse(spaceIds) : undefined,
+      baseIds: baseIds ? JSON.parse(baseIds) : undefined,
+    };
+  }
+
   async checkPermissionByAccessToken(
     resourceId: string,
     accessTokenId: string,
     permissions: PermissionAction[]
   ) {
-    const { scopes, spaceIds, baseIds } = await this.prismaService.accessToken.findFirstOrThrow({
-      where: { id: accessTokenId },
-      select: { scopes: true, spaceIds: true, baseIds: true },
-    });
+    const { scopes, spaceIds, baseIds } = await this.getAccessToken(accessTokenId);
 
     if (resourceId.startsWith(IdPrefix.Table)) {
       const table = await this.prismaService.tableMeta.findFirst({
@@ -123,11 +132,11 @@ export class PermissionService {
       throw new ForbiddenException(`not allowed to base ${resourceId}`);
     }
 
-    const accessTokenPermissions = JSON.parse(scopes) as PermissionAction[];
+    const accessTokenPermissions = scopes;
     if (permissions.some((permission) => !accessTokenPermissions.includes(permission))) {
       throw new ForbiddenException(`not allowed to ${resourceId}`);
     }
 
-    return JSON.parse(scopes) as PermissionAction[];
+    return scopes;
   }
 }
@@ -18,6 +18,7 @@ export class LocalStrategy extends PassportStrategy(Strategy) {
     if (!user) {
       throw new BadRequestException('Incorrect password.');
     }
+    await this.authService.refreshLastSignTime(user.id);
     return pickUserMe(user);
   }
 }
@@ -1,5 +1,5 @@
 /* eslint-disable sonarjs/no-duplicate-string */
-import { Body, Controller, Delete, Get, Param, Patch, Post, UseGuards } from '@nestjs/common';
+import { Body, Controller, Delete, Get, Param, Patch, Post } from '@nestjs/common';
 import {
   createBaseRoSchema,
   ICreateBaseRo,
@@ -18,13 +18,11 @@ import { Events } from '../../event-emitter/events';
 import { ZodValidationPipe } from '../../zod.validation.pipe';
 import { Permissions } from '../auth/decorators/permissions.decorator';
 import { ResourceMeta } from '../auth/decorators/resource_meta.decorator';
-import { PermissionGuard } from '../auth/guard/permission.guard';
 import { CollaboratorService } from '../collaborator/collaborator.service';
 import { BaseService } from './base.service';
 import { DbConnectionService } from './db-connection.service';
 
 @Controller('api/base/')
-@UseGuards(PermissionGuard)
 export class BaseController {
   constructor(
     private readonly baseService: BaseService,
 
@@ -1,16 +1,5 @@
 /* eslint-disable sonarjs/no-duplicate-string */
-import {
-  Body,
-  Controller,
-  Delete,
-  Get,
-  Param,
-  Patch,
-  Put,
-  Post,
-  Query,
-  UseGuards,
-} from '@nestjs/common';
+import { Body, Controller, Delete, Get, Param, Patch, Put, Post, Query } from '@nestjs/common';
 import type { IFieldVo } from '@teable-group/core';
 import {
   createFieldRoSchema,
@@ -25,12 +14,10 @@ import {
 import type { IPlanFieldConvertVo, IPlanFieldVo } from '@teable-group/openapi';
 import { ZodValidationPipe } from '../../../zod.validation.pipe';
 import { Permissions } from '../../auth/decorators/permissions.decorator';
-import { PermissionGuard } from '../../auth/guard/permission.guard';
 import { FieldService } from '../field.service';
 import { FieldOpenApiService } from './field-open-api.service';
 
 @Controller('api/table/:tableId/field')
-@UseGuards(PermissionGuard)
 export class FieldOpenApiController {
   constructor(
     private readonly fieldService: FieldService,
 
@@ -1,14 +1,4 @@
-import {
-  Body,
-  Controller,
-  Delete,
-  Get,
-  Param,
-  Patch,
-  Post,
-  Query,
-  UseGuards,
-} from '@nestjs/common';
+import { Body, Controller, Delete, Get, Param, Patch, Post, Query } from '@nestjs/common';
 import type { ICreateRecordsVo, IRecord, IRecordsVo } from '@teable-group/core';
 import {
   createRecordsRoSchema,
@@ -23,13 +13,11 @@ import {
 import { deleteRecordsQuerySchema, IDeleteRecordsQuery } from '@teable-group/openapi';
 import { ZodValidationPipe } from '../../../zod.validation.pipe';
 import { Permissions } from '../../auth/decorators/permissions.decorator';
-import { PermissionGuard } from '../../auth/guard/permission.guard';
 import { RecordService } from '../record.service';
 import { RecordOpenApiService } from './record-open-api.service';
 import { TqlPipe } from './tql.pipe';
 
 @Controller('api/table/:tableId/record')
-@UseGuards(PermissionGuard)
 export class RecordOpenApiController {
   constructor(
     private readonly recordService: RecordService,
Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,7 @@ export class AuthService {`
`59`	`59`	`email,`
`60`	`60`	`salt,`
`61`	`61`	`password: hashPassword,`
	`62`	`+ lastSignTime: new Date().toISOString(),`
`62`	`63`	`});`
`63`	`64`	`}`
`64`	`65`
`@@ -96,4 +97,11 @@ export class AuthService {`
`96`	`97`	`// clear session`
`97`	`98`	`await this.sessionStoreService.clearByUserId(userId);`
`98`	`99`	`}`
	`100`	`+`
	`101`	`+ async refreshLastSignTime(userId: string) {`
	`102`	`+ await this.prismaService.user.update({`
	`103`	`+ where: { id: userId, deletedTime: null },`
	`104`	`+ data: { lastSignTime: new Date().toISOString() },`
	`105`	`+ });`
	`106`	`+ }`
`99`	`107`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ export class LocalStrategy extends PassportStrategy(Strategy) {`
`18`	`18`	`if (!user) {`
`19`	`19`	`throw new BadRequestException('Incorrect password.');`
`20`	`20`	`}`
	`21`	`+ await this.authService.refreshLastSignTime(user.id);`
`21`	`22`	`return pickUserMe(user);`
`22`	`23`	`}`
`23`	`24`	`}`