fix(M2-005,M2-006): enforce user ownership at repo level for conversations and agents (#293)
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>
This commit was merged in pull request #293.
This commit is contained in:
@@ -1,4 +1,4 @@
|
||||
import { eq, asc, desc, type Db, conversations, messages } from '@mosaic/db';
|
||||
import { eq, and, asc, desc, type Db, conversations, messages } from '@mosaic/db';
|
||||
|
||||
/** Maximum number of conversations returned per list query. */
|
||||
const MAX_CONVERSATIONS = 200;
|
||||
@@ -21,8 +21,15 @@ export function createConversationsRepo(db: Db) {
|
||||
.limit(MAX_CONVERSATIONS);
|
||||
},
|
||||
|
||||
async findById(id: string): Promise<Conversation | undefined> {
|
||||
const rows = await db.select().from(conversations).where(eq(conversations.id, id));
|
||||
/**
|
||||
* Find a conversation by ID, scoped to the given user.
|
||||
* Returns undefined if the conversation does not exist or belongs to a different user.
|
||||
*/
|
||||
async findById(id: string, userId: string): Promise<Conversation | undefined> {
|
||||
const rows = await db
|
||||
.select()
|
||||
.from(conversations)
|
||||
.where(and(eq(conversations.id, id), eq(conversations.userId, userId)));
|
||||
return rows[0];
|
||||
},
|
||||
|
||||
@@ -31,21 +38,47 @@ export function createConversationsRepo(db: Db) {
|
||||
return rows[0]!;
|
||||
},
|
||||
|
||||
async update(id: string, data: Partial<NewConversation>): Promise<Conversation | undefined> {
|
||||
/**
|
||||
* Update a conversation, scoped to the given user.
|
||||
* Returns undefined if the conversation does not exist or belongs to a different user.
|
||||
*/
|
||||
async update(
|
||||
id: string,
|
||||
userId: string,
|
||||
data: Partial<NewConversation>,
|
||||
): Promise<Conversation | undefined> {
|
||||
const rows = await db
|
||||
.update(conversations)
|
||||
.set({ ...data, updatedAt: new Date() })
|
||||
.where(eq(conversations.id, id))
|
||||
.where(and(eq(conversations.id, id), eq(conversations.userId, userId)))
|
||||
.returning();
|
||||
return rows[0];
|
||||
},
|
||||
|
||||
async remove(id: string): Promise<boolean> {
|
||||
const rows = await db.delete(conversations).where(eq(conversations.id, id)).returning();
|
||||
/**
|
||||
* Delete a conversation, scoped to the given user.
|
||||
* Returns false if the conversation does not exist or belongs to a different user.
|
||||
*/
|
||||
async remove(id: string, userId: string): Promise<boolean> {
|
||||
const rows = await db
|
||||
.delete(conversations)
|
||||
.where(and(eq(conversations.id, id), eq(conversations.userId, userId)))
|
||||
.returning();
|
||||
return rows.length > 0;
|
||||
},
|
||||
|
||||
async findMessages(conversationId: string): Promise<Message[]> {
|
||||
/**
|
||||
* Find messages for a conversation, scoped to the given user.
|
||||
* Returns an empty array if the conversation does not exist or belongs to a different user.
|
||||
*/
|
||||
async findMessages(conversationId: string, userId: string): Promise<Message[]> {
|
||||
// Verify ownership of the parent conversation before returning messages.
|
||||
const conv = await db
|
||||
.select()
|
||||
.from(conversations)
|
||||
.where(and(eq(conversations.id, conversationId), eq(conversations.userId, userId)));
|
||||
if (conv.length === 0) return [];
|
||||
|
||||
return db
|
||||
.select()
|
||||
.from(messages)
|
||||
@@ -54,7 +87,19 @@ export function createConversationsRepo(db: Db) {
|
||||
.limit(MAX_MESSAGES);
|
||||
},
|
||||
|
||||
async addMessage(data: NewMessage): Promise<Message> {
|
||||
/**
|
||||
* Add a message to a conversation, scoped to the given user.
|
||||
* Verifies the parent conversation belongs to the user before inserting.
|
||||
* Returns undefined if the conversation does not exist or belongs to a different user.
|
||||
*/
|
||||
async addMessage(data: NewMessage, userId: string): Promise<Message | undefined> {
|
||||
// Verify ownership of the parent conversation before inserting the message.
|
||||
const conv = await db
|
||||
.select()
|
||||
.from(conversations)
|
||||
.where(and(eq(conversations.id, data.conversationId), eq(conversations.userId, userId)));
|
||||
if (conv.length === 0) return undefined;
|
||||
|
||||
const rows = await db.insert(messages).values(data).returning();
|
||||
return rows[0]!;
|
||||
},
|
||||
|
||||
Reference in New Issue
Block a user