feat: add cerbos access control

2025-09-19 03:28:00 +02:00
parent d322138502
commit 74a9426bcc
41 changed files with 999 additions and 821 deletions
--- a/spec/schemas/access/role.ts
+++ b/spec/schemas/access/role.ts
@@ -1,14 +0,0 @@
-import z from "zod";
-
-import { makeSchemaParser } from "../database.ts";
-
-export const RoleSchema = z.object({
-  id: z.uuid(),
-  name: z.string(),
-  permissions: z.record(z.string(), z.array(z.string())),
-});
-
-export const parseRole = makeSchemaParser(RoleSchema);
-
-export type Role = z.infer<typeof RoleSchema>;
-export type RoleDocument = z.infer<typeof RoleSchema>;
--- a/spec/schemas/account/account.ts
+++ b/spec/schemas/account/account.ts
@@ -1,10 +1,10 @@
 import { z } from "zod";

-import { RoleSchema } from "../access/role.ts";
 import { AvatarSchema } from "../avatar.ts";
 import { ContactSchema } from "../contact.ts";
 import { makeSchemaParser } from "../database.ts";
 import { NameSchema } from "../name.ts";
+import { RoleSchema } from "./role.ts";
 import { StrategySchema } from "./strategies.ts";

 export const AccountSchema = z.object({
@@ -18,10 +18,8 @@ export const AccountSchema = z.object({
  roles: z.array(RoleSchema).default([]),
 });

-export const AccountDocumentSchema = AccountSchema.omit({ roles: true }).extend({ roles: z.array(z.string()) });
-
-export const toAccountDocument = makeSchemaParser(AccountDocumentSchema);
+export const toAccountDocument = makeSchemaParser(AccountSchema);
 export const fromAccountDocument = makeSchemaParser(AccountSchema);

 export type Account = z.infer<typeof AccountSchema>;
-export type AccountDocument = z.infer<typeof AccountDocumentSchema>;
+export type AccountDocument = z.infer<typeof AccountSchema>;
--- a/spec/schemas/account/role.ts
+++ b/spec/schemas/account/role.ts
@@ -0,0 +1,5 @@
+import z from "zod";
+
+export const RoleSchema = z.union([z.literal("user"), z.literal("admin")]);
+
+export type Role = z.infer<typeof RoleSchema>;
--- a/spec/schemas/account/routes.ts
+++ b/spec/schemas/account/routes.ts
@@ -1,7 +1,8 @@
-import { route } from "@spec/relay";
+import { ForbiddenError, NotFoundError, route, UnauthorizedError } from "@spec/relay";
 import z from "zod";

 import { NameSchema } from "../name.ts";
+import { AccountSchema } from "./account.ts";
 import { AccountEmailClaimedError } from "./errors.ts";

 export const create = route
@@ -15,6 +16,15 @@ export const create = route
  .errors([AccountEmailClaimedError])
  .response(z.uuid());

+export const getById = route
+  .get("/api/v1/accounts/:id")
+  .params({
+    id: z.string(),
+  })
+  .errors([UnauthorizedError, ForbiddenError, NotFoundError])
+  .response(AccountSchema);
+
 export const routes = {
  create,
+  getById,
 };