Merge pull request #310 from AppFlowy-IO/admin-frontend/self-host-env

Admin frontend/self host env
2024-02-09 15:15:56 +08:00 · 2024-02-09 15:15:56 +08:00 · e1ac591ea0
parent 263fdbafdc 0b08ab34ea
commit e1ac591ea0
10 changed files with 132 additions and 94 deletions
--- a/admin_frontend/src/web_api.rs
+++ b/admin_frontend/src/web_api.rs
@ -117,10 +117,13 @@ pub async fn invite_handler(
 ) -> Result<WebApiResponse<()>, WebApiError<'static>> {
  state
    .gotrue_client
-    .magic_link(&MagicLinkParams {
-      email: param.email,
-      ..Default::default()
-    })
+    .magic_link(
+      &MagicLinkParams {
+        email: param.email,
+        ..Default::default()
+      },
+      Some("/".to_owned()),
+    )
    .await?;
  Ok(WebApiResponse::<()>::from_str("Invitation sent".into()))
 }
@ -308,7 +311,7 @@ pub async fn sign_up_handler(

  let sign_up_res = state
    .gotrue_client
-    .sign_up_with_referrer(&param.email, &param.password, Some("/"))
+    .sign_up(&param.email, &param.password, Some("/"))
    .await?;

  match sign_up_res {
@ -378,10 +381,13 @@ async fn send_magic_link(
 ) -> Result<WebApiResponse<()>, WebApiError<'static>> {
  state
    .gotrue_client
-    .magic_link(&MagicLinkParams {
-      email: email.to_owned(),
-      ..Default::default()
-    })
+    .magic_link(
+      &MagicLinkParams {
+        email: email.to_owned(),
+        ..Default::default()
+      },
+      Some("/".to_owned()),
+    )
    .await?;
  Ok(WebApiResponse::<()>::from_str("Magic Link Sent".into()))
 }
--- a/deploy.env
+++ b/deploy.env
@ -1,11 +1,18 @@
-# GoTrue URL that the appflowy service will use to connect to gotrue
-# In docker environment, `gotrue` is the hostname of the gotrue service
-APPFLOWY_GOTRUE_BASE_URL=http://gotrue:9999
-APPFLOWY_DATABASE_URL=postgres://postgres:password@postgres:5432/postgres
-
 # This file is a template for docker compose deployment
 # Copy this file to .env and change the values as needed

+# AppFlowy Cloud
+## URL that connects to the gotrue docker container
+APPFLOWY_GOTRUE_BASE_URL=http://gotrue:9999
+## URL that connects to the postgres docker container
+APPFLOWY_DATABASE_URL=postgres://postgres:password@postgres:5432/postgres
+
+# admin frontend
+## URL that connects to redis docker container
+ADMIN_FRONTEND_REDIS_URL=redis://redis:6379
+## URL that connects to gotrue docker container
+ADMIN_FRONTEND_GOTRUE_URL=http://gotrue:9999
+
 # authentication key, change this and keep the key safe and secret
 # self defined key, you can use any string
 GOTRUE_JWT_SECRET=hello456
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -115,6 +115,10 @@ services:
      context: .
      dockerfile: ./admin_frontend/Dockerfile
    image: appflowyinc/admin_frontend:${BACKEND_VERSION:-latest}
+    environment:
+      - RUST_LOG=${RUST_LOG:-info}
+      - ADMIN_FRONTEND_REDIS_URL=${ADMIN_FRONTEND_REDIS_URL:-redis://redis:6379}
+      - ADMIN_FRONTEND_GOTRUE_URL=${ADMIN_FRONTEND_GOTRUE_URL:-http://gotrue:9999}

 volumes:
  postgres_data:
--- a/libs/client-api/src/http.rs
+++ b/libs/client-api/src/http.rs
@ -373,10 +373,13 @@ impl Client {
  pub async fn invite(&self, email: &str) -> Result<(), AppResponseError> {
    self
      .gotrue_client
-      .magic_link(&MagicLinkParams {
-        email: email.to_owned(),
-        ..Default::default()
-      })
+      .magic_link(
+        &MagicLinkParams {
+          email: email.to_owned(),
+          ..Default::default()
+        },
+        None,
+      )
      .await?;
    Ok(())
  }
@ -676,7 +679,7 @@ impl Client {

  #[instrument(level = "debug", skip_all, err)]
  pub async fn sign_up(&self, email: &str, password: &str) -> Result<(), AppResponseError> {
-    match self.gotrue_client.sign_up(email, password).await? {
+    match self.gotrue_client.sign_up(email, password, None).await? {
      Authenticated(access_token_resp) => {
        self.token.write().set(access_token_resp);
        Ok(())
--- a/libs/gotrue/src/api.rs
+++ b/libs/gotrue/src/api.rs
@ -55,12 +55,7 @@ impl Client {
  }

  #[tracing::instrument(skip_all, err)]
-  pub async fn sign_up(&self, email: &str, password: &str) -> Result<SignUpResponse, GoTrueError> {
-    self.sign_up_with_referrer(email, password, None).await
-  }
-
-  #[tracing::instrument(skip_all, err)]
-  pub async fn sign_up_with_referrer(
+  pub async fn sign_up(
    &self,
    email: &str,
    password: &str,
@ -224,14 +219,17 @@ impl Client {
    to_gotrue_result(resp).await
  }

-  pub async fn magic_link(&self, magic_link_params: &MagicLinkParams) -> Result<(), GoTrueError> {
+  pub async fn magic_link(
+    &self,
+    magic_link_params: &MagicLinkParams,
+    redirect_to: Option<String>,
+  ) -> Result<(), GoTrueError> {
    let url = format!("{}/magiclink", self.base_url);
-    let resp = self
-      .client
-      .request(Method::POST, &url)
-      .json(&magic_link_params)
-      .send()
-      .await?;
+    let mut req_builder = self.client.request(Method::POST, &url);
+    if let Some(redirect_to) = redirect_to {
+      req_builder = req_builder.header("redirect_to", redirect_to);
+    }
+    let resp = req_builder.json(&magic_link_params).send().await?;
    check_gotrue_result(resp).await
  }

--- a/src/application.rs
+++ b/src/application.rs
@ -237,7 +237,7 @@ async fn setup_admin_account(
 ) -> Result<(), Error> {
  let admin_email = gotrue_setting.admin_email.as_str();
  let password = gotrue_setting.admin_password.as_str();
-  let res_resp = gotrue_client.sign_up(admin_email, password).await;
+  let res_resp = gotrue_client.sign_up(admin_email, password, None).await;
  match res_resp {
    Err(err) => {
      if let app_error::gotrue::GoTrueError::Internal(err) = err {
--- a/src/biz/collab/access_control.rs
+++ b/src/biz/collab/access_control.rs
@ -36,6 +36,7 @@ where
  }

  #[instrument(level = "debug", skip_all, err)]
+  #[allow(clippy::blocks_in_if_conditions)]
  async fn check_collab_permission(
    &self,
    oid: &str,
--- a/src/biz/collab/storage.rs
+++ b/src/biz/collab/storage.rs
@ -73,6 +73,60 @@ where
      opened_collab_by_object_id: Arc::new(RwLock::new(HashMap::new())),
    }
  }
+
+  async fn check_collab_permission(
+    &self,
+    workspace_id: &str,
+    uid: &i64,
+    params: &CollabParams,
+    transaction: &mut Transaction<'_, sqlx::Postgres>,
+  ) -> Result<(), AppError> {
+    // Check if the user has enough permissions to insert collab
+    // 1. If the collab already exists, check if the user has enough permissions to update collab
+    // 2. If the collab doesn't exist, check if the user has enough permissions to create collab.
+    let collab_exists = is_collab_exists(&params.object_id, transaction.deref_mut()).await?;
+    if collab_exists {
+      // If the collab already exists, check if the user has enough permissions to update collab
+      let can_write = self
+        .access_control
+        .get_or_refresh_collab_access_level(uid, &params.object_id, transaction.deref_mut())
+        .await
+        .context(format!(
+          "Can't find the access level when user:{} try to insert collab",
+          uid
+        ))?
+        .can_write();
+      if !can_write {
+        return Err(AppError::NotEnoughPermissions(format!(
+          "user:{} doesn't have enough permissions to update collab {}",
+          uid, params.object_id
+        )));
+      }
+    } else {
+      // If the collab doesn't exist, check if the user has enough permissions to create collab.
+      // If the user is the owner or member of the workspace, the user can create collab.
+      let can_write_workspace = self
+        .access_control
+        .get_user_workspace_role(uid, workspace_id, transaction.deref_mut())
+        .await?
+        .can_create_collab();
+
+      if !can_write_workspace {
+        return Err(AppError::NotEnoughPermissions(format!(
+          "user:{} doesn't have enough permissions to insert collab {}",
+          uid, params.object_id
+        )));
+      }
+
+      // Cache the access level if the user has enough permissions to create collab.
+      self
+        .access_control
+        .cache_collab_access_level(uid, &params.object_id, AFAccessLevel::FullAccess)
+        .await?;
+    }
+
+    Ok(())
+  }
 }

 #[async_trait]
@ -128,6 +182,7 @@ where
  }

  #[instrument(level = "trace", skip(self, params), oid = %params.oid, err)]
+  #[allow(clippy::blocks_in_if_conditions)]
  async fn upsert_collab_with_transaction(
    &self,
    workspace_id: &str,
@ -136,46 +191,9 @@ where
    transaction: &mut Transaction<'_, sqlx::Postgres>,
  ) -> DatabaseResult<()> {
    params.validate()?;
-
-    // Check if the user has enough permissions to insert collab
-    // 1. If the collab already exists, check if the user has enough permissions to update collab
-    // 2. If the collab doesn't exist, check if the user has enough permissions to create collab.
-    let has_permission = if is_collab_exists(&params.object_id, transaction.deref_mut()).await? {
-      // If the collab already exists, check if the user has enough permissions to update collab
-      let level = self
-        .access_control
-        .get_or_refresh_collab_access_level(uid, &params.object_id, transaction.deref_mut())
-        .await
-        .context(format!(
-          "Can't find the access level when user:{} try to insert collab",
-          uid
-        ))?;
-      level.can_write()
-    } else {
-      // If the collab doesn't exist, check if the user has enough permissions to create collab.
-      // If the user is the owner or member of the workspace, the user can create collab.
-      let can_write_workspace = self
-        .access_control
-        .get_user_workspace_role(uid, workspace_id, transaction.deref_mut())
-        .await?
-        .can_create_collab();
-
-      // Cache the access level if the user has enough permissions to create collab.
-      if can_write_workspace {
-        self
-          .access_control
-          .cache_collab_access_level(uid, &params.object_id, AFAccessLevel::FullAccess)
-          .await?;
-      }
-      can_write_workspace
-    };
-
-    if !has_permission {
-      return Err(AppError::NotEnoughPermissions(format!(
-        "user:{} doesn't have enough permissions to insert collab {}",
-        uid, params.object_id
-      )));
-    }
+    self
+      .check_collab_permission(workspace_id, uid, &params, transaction)
+      .await?;
    let object_id = params.object_id.clone();
    let encoded_collab = params.encoded_collab_v1.clone();
    self
--- a/src/biz/workspace/access_control.rs
+++ b/src/biz/workspace/access_control.rs
@ -201,6 +201,7 @@ where
  }

  #[instrument(level = "trace", skip_all, err)]
+  #[allow(clippy::blocks_in_if_conditions)]
  async fn check_workspace_permission(
    &self,
    workspace_id: &Uuid,
@ -208,29 +209,28 @@ where
    method: Method,
  ) -> Result<(), AppError> {
    trace!("workspace_id: {:?}, uid: {:?}", workspace_id, uid);
-    match self
+    let role = self
      .access_control
      .get_role_from_uid(uid, workspace_id, &self.pg_pool)
      .await
-    {
-      Ok(role) => {
-        if method == Method::DELETE || method == Method::POST || method == Method::PUT {
-          if matches!(role, AFRole::Owner) {
-            Ok(())
-          } else {
-            Err(AppError::NotEnoughPermissions(format!(
-              "User:{:?} doesn't have the enough permission to access workspace:{}",
-              uid, workspace_id
-            )))
-          }
-        } else {
-          Ok(())
-        }
+      .map_err(|err| {
+        AppError::NotEnoughPermissions(format!(
+          "Can't find the role of the user:{:?} in the workspace:{:?}. error: {}",
+          uid, workspace_id, err
+        ))
+      })?;
+
+    match method {
+      Method::DELETE | Method::POST | Method::PUT => match role {
+        AFRole::Owner => return Ok(()),
+        _ => {
+          return Err(AppError::NotEnoughPermissions(format!(
+            "User:{:?} doesn't have the enough permission to access workspace:{}",
+            uid, workspace_id
+          )))
+        },
      },
-      Err(err) => Err(AppError::NotEnoughPermissions(format!(
-        "Can't find the role of the user:{:?} in the workspace:{:?}. error: {}",
-        uid, workspace_id, err
-      ))),
+      _ => Ok(()),
    }
  }

--- a/src/middleware/access_control_mw.rs
+++ b/src/middleware/access_control_mw.rs
@ -175,12 +175,13 @@ where
  forward_ready!(service);

  fn call(&self, mut req: ServiceRequest) -> Self::Future {
-    match req.match_pattern().map(|pattern| {
+    let path = req.match_pattern().map(|pattern| {
      let resource_ref = ResourceDef::new(pattern);
      let mut path = req.match_info().clone();
      resource_ref.capture_match_info(&mut path);
      path
-    }) {
+    });
+    match path {
      None => {
        let fut = self.service.call(req);
        Box::pin(fut)