96db9b6c7f
Extends the #355 perf-metrics registry (all behind the METRICS_PORT hard gate — nullable instruments, no-op helpers when unset). New families: - collab_doc_load_duration_seconds{size_bucket} — onLoadDocument timed on the real DB-load paths only (the already-loaded early-return is skipped). - size_bucket added to collab_store_duration_seconds; storeDocument returns the ydoc byte length (reusing its single Y.encodeStateAsUpdate, no second encode) so onStoreDocument observes size without extra cost. - collab_docs_open (gauge, read-on-scrape via collect() from hocuspocus.getDocumentsCount() — never inc/dec'd, so it can't drift) + collab_doc_loads_total / collab_doc_unloads_total (afterLoad/afterUnload). - collab_connect_duration_seconds — onConnect->connected, correlated by a WeakMap keyed on the shared request (leak-free; the current client uses one socket per document). - collab_auth_duration_seconds — wraps onAuthenticate (success and failure). - sizeBucket() shared helper (lt64k|lt256k|lt1m|ge1m, 4 bounded values). The mcp_tool_duration_seconds histogram + collab_connect_timeouts_total counter helpers are registered here but wired in pass 2 (MCP callback). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
136 lines
4.6 KiB
TypeScript
136 lines
4.6 KiB
TypeScript
import { Extension, onAuthenticatePayload } from '@hocuspocus/server';
|
|
import {
|
|
Injectable,
|
|
Logger,
|
|
NotFoundException,
|
|
UnauthorizedException,
|
|
} from '@nestjs/common';
|
|
import { TokenService } from '../../core/auth/services/token.service';
|
|
import { UserRepo } from '@docmost/db/repos/user/user.repo';
|
|
import { PageRepo } from '@docmost/db/repos/page/page.repo';
|
|
import { SpaceMemberRepo } from '@docmost/db/repos/space/space-member.repo';
|
|
import { PagePermissionRepo } from '@docmost/db/repos/page/page-permission.repo';
|
|
import { findHighestUserSpaceRole } from '@docmost/db/repos/space/utils';
|
|
import { SpaceRole } from '../../common/helpers/types/permission';
|
|
import { isUserDisabled } from '../../common/helpers';
|
|
import { getPageId } from '../collaboration.util';
|
|
import { JwtCollabPayload, JwtType } from '../../core/auth/dto/jwt-payload';
|
|
import { resolveProvenance } from '../../common/decorators/auth-provenance.decorator';
|
|
import { observeCollabAuth } from '../../integrations/metrics/metrics.registry';
|
|
|
|
@Injectable()
|
|
export class AuthenticationExtension implements Extension {
|
|
private readonly logger = new Logger(AuthenticationExtension.name);
|
|
|
|
constructor(
|
|
private tokenService: TokenService,
|
|
private userRepo: UserRepo,
|
|
private pageRepo: PageRepo,
|
|
private readonly spaceMemberRepo: SpaceMemberRepo,
|
|
private readonly pagePermissionRepo: PagePermissionRepo,
|
|
) {}
|
|
|
|
async onAuthenticate(data: onAuthenticatePayload) {
|
|
// #402 — time the whole auth (verify + user/page/permission lookups) into
|
|
// collab_auth_duration_seconds. finally so failed auths are timed too.
|
|
// No-op when METRICS_PORT is unset. Behavior unchanged.
|
|
const start = performance.now();
|
|
try {
|
|
return await this.doAuthenticate(data);
|
|
} finally {
|
|
observeCollabAuth((performance.now() - start) / 1000);
|
|
}
|
|
}
|
|
|
|
private async doAuthenticate(data: onAuthenticatePayload) {
|
|
const { documentName, token } = data;
|
|
const pageId = getPageId(documentName);
|
|
|
|
let jwtPayload: JwtCollabPayload;
|
|
|
|
try {
|
|
jwtPayload = await this.tokenService.verifyJwt(token, JwtType.COLLAB);
|
|
} catch (error) {
|
|
throw new UnauthorizedException('Invalid collab token');
|
|
}
|
|
|
|
const userId = jwtPayload.sub;
|
|
const workspaceId = jwtPayload.workspaceId;
|
|
|
|
const user = await this.userRepo.findById(userId, workspaceId, {
|
|
includeIsAgent: true,
|
|
});
|
|
|
|
if (!user) {
|
|
throw new UnauthorizedException();
|
|
}
|
|
|
|
if (isUserDisabled(user)) {
|
|
throw new UnauthorizedException();
|
|
}
|
|
|
|
const page = await this.pageRepo.findById(pageId);
|
|
if (!page) {
|
|
this.logger.debug(`Page not found: ${pageId}`);
|
|
throw new NotFoundException('Page not found');
|
|
}
|
|
|
|
const userSpaceRoles = await this.spaceMemberRepo.getUserSpaceRoles(
|
|
user.id,
|
|
page.spaceId,
|
|
);
|
|
|
|
const userSpaceRole = findHighestUserSpaceRole(userSpaceRoles);
|
|
|
|
if (!userSpaceRole) {
|
|
this.logger.warn(`User not authorized to access page: ${pageId}`);
|
|
throw new UnauthorizedException();
|
|
}
|
|
|
|
// Check page-level permissions
|
|
const { hasAnyRestriction, canAccess, canEdit } =
|
|
await this.pagePermissionRepo.canUserEditPage(user.id, page.id);
|
|
|
|
if (hasAnyRestriction) {
|
|
if (!canAccess) {
|
|
this.logger.warn(
|
|
`User ${user.id} denied page-level access to page: ${pageId}`,
|
|
);
|
|
throw new UnauthorizedException();
|
|
}
|
|
|
|
if (!canEdit) {
|
|
data.connectionConfig.readOnly = true;
|
|
this.logger.debug(
|
|
`User ${user.id} granted readonly access to restricted page: ${pageId}`,
|
|
);
|
|
}
|
|
} else {
|
|
// No restrictions - use space-level permissions
|
|
if (userSpaceRole === SpaceRole.READER) {
|
|
data.connectionConfig.readOnly = true;
|
|
this.logger.debug(`User granted readonly access to page: ${pageId}`);
|
|
}
|
|
}
|
|
|
|
if (page.deletedAt) {
|
|
data.connectionConfig.readOnly = true;
|
|
}
|
|
|
|
this.logger.debug(`Authenticated user ${user.id} on page ${pageId}`);
|
|
|
|
// Carry the agent-edit provenance into the hocuspocus connection context
|
|
// (§6.6 / §15 C2), derived via the SAME resolver as the REST seam so the two
|
|
// can't drift. An is_agent service account (e.g. the MCP bot) is attributed
|
|
// 'agent' here too, so its page-content edits over collab persist as
|
|
// lastUpdatedSource='agent' (#143 review Arch A) — not just its REST writes.
|
|
// The human collab path carries no claim and is not flagged → actor='user'.
|
|
const provenance = resolveProvenance(user, jwtPayload);
|
|
return {
|
|
user,
|
|
actor: provenance.actor,
|
|
aiChatId: provenance.aiChatId,
|
|
};
|
|
}
|
|
}
|