fix: handle nullable auth() access

ymc9 · ymc9 · commit 7c0277d9f5cb · 2024-05-06T22:56:34.000+08:00
diff --git a/packages/runtime/src/enhancements/policy/constraint-solver.ts b/packages/runtime/src/enhancements/policy/constraint-solver.ts
@@ -83,6 +83,19 @@ export class ConstraintSolver {
     }
 
     private buildComparisonFormula(constraint: ComparisonConstraint) {
+        if (constraint.left.kind === 'value' && constraint.right.kind === 'value') {
+            // constant comparison
+            const left: ValueConstraint = constraint.left;
+            const right: ValueConstraint = constraint.right;
+            return match(constraint.kind)
+                .with('eq', () => (left.value === right.value ? Logic.TRUE : Logic.FALSE))
+                .with('gt', () => (left.value > right.value ? Logic.TRUE : Logic.FALSE))
+                .with('gte', () => (left.value >= right.value ? Logic.TRUE : Logic.FALSE))
+                .with('lt', () => (left.value < right.value ? Logic.TRUE : Logic.FALSE))
+                .with('lte', () => (left.value <= right.value ? Logic.TRUE : Logic.FALSE))
+                .exhaustive();
+        }
+
         return match(constraint.kind)
             .with('eq', () => this.transformEquality(constraint.left, constraint.right))
             .with('gt', () =>
diff --git a/packages/schema/src/plugins/enhancer/policy/constraint-transformer.ts b/packages/schema/src/plugins/enhancer/policy/constraint-transformer.ts
@@ -14,6 +14,7 @@ import {
     isDataModelField,
     isLiteralExpr,
     isMemberAccessExpr,
+    isNullExpr,
     isReferenceExpr,
     isThisExpr,
     isUnaryExpr,
@@ -125,13 +126,19 @@ export class ConstraintTransformer {
     }
 
     private transformMemberAccess(expr: MemberAccessExpr) {
+        // "this.x" is transformed into a named variable
         if (isThisExpr(expr.operand)) {
-            // "this.x" is transformed into a named variable
             return this.variable(expr.member.$refText, 'boolean');
         }
 
-        // other member access expressions are not supported and thus
-        // transformed into a free variable
+        // top-level auth access
+        const authAccess = this.getAuthAccess(expr);
+        if (authAccess) {
+            return this.value(`${authAccess} ?? false`, 'boolean');
+        }
+
+        // other top-level member access expressions are not supported
+        // and thus transformed into a free variable
         return this.nextVar();
     }
 
@@ -153,14 +160,19 @@ export class ConstraintTransformer {
     }
 
     private transformComparison(expr: BinaryExpr) {
-        const leftOperand = this.getComparisonOperand(expr.left);
-        const rightOperand = this.getComparisonOperand(expr.right);
+        if (this.isAuthEqualNull(expr)) {
+            // `auth() == null` => `user === null`
+            return this.value(`${this.options.authAccessor} === null`, 'boolean');
+        }
 
-        if (leftOperand === undefined || rightOperand === undefined) {
-            // if either operand is not supported, transform into a free variable
-            return this.nextVar();
+        if (this.isAuthNotEqualNull(expr)) {
+            // `auth() != null` => `user !== null`
+            return this.value(`${this.options.authAccessor} !== null`, 'boolean');
         }
 
+        const leftOperand = this.getComparisonOperand(expr.left);
+        const rightOperand = this.getComparisonOperand(expr.right);
+
         const op = match(expr.operator)
             .with('==', () => 'eq')
             .with('!=', () => 'eq')
@@ -175,12 +187,52 @@ export class ConstraintTransformer {
         let result = `{ kind: '${op}', left: ${leftOperand}, right: ${rightOperand} }`;
         if (expr.operator === '!=') {
             // transform "!=" into "not eq"
-            result = `{ kind: 'not', children: [${result}] }`;
+            result = this.not(result);
+        }
+
+        // `auth()` access can be undefined, when that happens, we assume a false condition
+        // for the comparison, unless we're directly comparing `auth() != null`
+
+        const leftAuthAccess = this.getAuthAccess(expr.left);
+        const rightAuthAccess = this.getAuthAccess(expr.right);
+
+        if (leftAuthAccess) {
+            // `auth().f op x` => `auth().f !== undefined && auth().f op x`
+            return this.and(this.value(`${this.normalizeToNull(leftAuthAccess)} !== null`, 'boolean'), result);
+        } else if (rightAuthAccess) {
+            // `x op auth().f` => `auth().f !== undefined && x op auth().f`
+            return this.and(this.value(`${this.normalizeToNull(rightAuthAccess)} !== null`, 'boolean'), result);
+        }
+
+        if (leftOperand === undefined || rightOperand === undefined) {
+            // if either operand is not supported, transform into a free variable
+            return this.nextVar();
         }
 
         return result;
     }
 
+    // normalize `auth()` access undefined value to null
+    private normalizeToNull(expr: string) {
+        return `(${expr} ?? null)`;
+    }
+
+    private isAuthEqualNull(expr: BinaryExpr) {
+        return (
+            expr.operator === '==' &&
+            ((isAuthInvocation(expr.left) && isNullExpr(expr.right)) ||
+                (isAuthInvocation(expr.right) && isNullExpr(expr.left)))
+        );
+    }
+
+    private isAuthNotEqualNull(expr: BinaryExpr) {
+        return (
+            expr.operator === '!=' &&
+            ((isAuthInvocation(expr.left) && isNullExpr(expr.right)) ||
+                (isAuthInvocation(expr.right) && isNullExpr(expr.left)))
+        );
+    }
+
     private getComparisonOperand(expr: Expression) {
         if (isLiteralExpr(expr)) {
             return this.transformLiteral(expr);
@@ -199,16 +251,9 @@ export class ConstraintTransformer {
 
         const authAccess = this.getAuthAccess(expr);
         if (authAccess) {
-            // `auth().` access is transformed into a runtime boolean value if it
-            // doesn't evaluate to undefined (due to ?. chaining), otherwise into
-            // a named variable
-            const fieldAccess = `${this.options.authAccessor}?.${authAccess}`;
             const mappedType = this.mapType(expr);
             if (mappedType) {
-                return `${fieldAccess} === undefined ? ${this.expressionVariable(expr, mappedType)} : ${this.value(
-                    fieldAccess,
-                    mappedType
-                )}`;
+                return `${this.value(authAccess, mappedType)}`;
             } else {
                 return undefined;
             }
@@ -241,7 +286,7 @@ export class ConstraintTransformer {
         }
 
         if (isAuthInvocation(expr.operand)) {
-            return expr.member.$refText;
+            return `${this.options.authAccessor}?.${expr.member.$refText}`;
         } else {
             const operand = this.getAuthAccess(expr.operand);
             return operand ? `${operand}?.${expr.member.$refText}` : undefined;
diff --git a/tests/integration/tests/enhancements/with-policy/checker.test.ts b/tests/integration/tests/enhancements/with-policy/checker.test.ts
@@ -277,19 +277,63 @@ describe('Permission checker', () => {
             model User {
                 id Int @id @default(autoincrement())
                 level Int
+                admin Boolean
             }
 
             model Model {
                 id Int @id @default(autoincrement())
                 value Int
                 @@allow('read', auth().level > 0)
+                @@allow('create', auth().admin)
+                @@allow('update', !auth().admin)
             }
             `
         );
 
-        await expect(enhance().model.check('read')).toResolveTruthy();
+        await expect(enhance().model.check('read')).toResolveFalsy();
+        await expect(enhance({ id: 1 }).model.check('read')).toResolveFalsy();
         await expect(enhance({ id: 1, level: 0 }).model.check('read')).toResolveFalsy();
         await expect(enhance({ id: 1, level: 1 }).model.check('read')).toResolveTruthy();
+
+        await expect(enhance().model.check('create')).toResolveFalsy();
+        await expect(enhance({ id: 1 }).model.check('create')).toResolveFalsy();
+        await expect(enhance({ id: 1, admin: false }).model.check('create')).toResolveFalsy();
+        await expect(enhance({ id: 1, admin: true }).model.check('create')).toResolveTruthy();
+
+        await expect(enhance().model.check('update')).toResolveTruthy();
+        await expect(enhance({ id: 1 }).model.check('update')).toResolveTruthy();
+        await expect(enhance({ id: 1, admin: true }).model.check('update')).toResolveFalsy();
+        await expect(enhance({ id: 1, admin: false }).model.check('update')).toResolveTruthy();
+    });
+
+    it('auth null check', async () => {
+        const { enhance } = await loadSchema(
+            `
+            model User {
+                id Int @id @default(autoincrement())
+                level Int
+            }
+
+            model Model {
+                id Int @id @default(autoincrement())
+                value Int
+                @@allow('read', auth() != null)
+                @@allow('create', auth() == null)
+                @@allow('update', auth().level > 0)
+            }
+            `
+        );
+
+        await expect(enhance().model.check('read')).toResolveFalsy();
+        await expect(enhance({ id: 1 }).model.check('read')).toResolveTruthy();
+
+        await expect(enhance().model.check('create')).toResolveTruthy();
+        await expect(enhance({ id: 1 }).model.check('create')).toResolveFalsy();
+
+        await expect(enhance().model.check('update')).toResolveFalsy();
+        await expect(enhance({ id: 1 }).model.check('update')).toResolveFalsy();
+        await expect(enhance({ id: 1, level: 0 }).model.check('update')).toResolveFalsy();
+        await expect(enhance({ id: 1, level: 1 }).model.check('update')).toResolveTruthy();
     });
 
     it('auth with relation', async () => {
@@ -315,8 +359,8 @@ describe('Permission checker', () => {
             `
         );
 
-        await expect(enhance().model.check('read')).toResolveTruthy();
-        await expect(enhance({ id: 1 }).model.check('read')).toResolveTruthy();
+        await expect(enhance().model.check('read')).toResolveFalsy();
+        await expect(enhance({ id: 1 }).model.check('read')).toResolveFalsy();
         await expect(enhance({ id: 1, profile: { level: 0 } }).model.check('read')).toResolveFalsy();
         await expect(enhance({ id: 1, profile: { level: 1 } }).model.check('read')).toResolveTruthy();
     });
