drive/packages/convex/functions.ts

import type { DataModel } from "@fileone/convex/dataModel"
import type { MutationCtx, QueryCtx } from "@fileone/convex/server"
import { mutation, query } from "@fileone/convex/server"
import type {
	DocumentByName,
	TableNamesInDataModel,
	UserIdentity,
} from "convex/server"
import { type GenericId, v } from "convex/values"
import {
	customCtx,
	customMutation,
	customQuery,
} from "convex-helpers/server/customFunctions"
import * as ApiKey from "./model/apikey"
import { type AuthUser, userIdentityOrThrow, userOrThrow } from "./model/user"
import { ErrorCode, error } from "./shared/error"

export type AuthenticatedQueryCtx = QueryCtx & {
	user: AuthUser
	identity: UserIdentity
}

export type AuthenticatedMutationCtx = MutationCtx & {
	user: AuthUser
	identity: UserIdentity
}

export type ApiKeyAuthenticatedQueryCtx = QueryCtx & {
	__branded: "ApiKeyAuthenticatedQueryCtx"
}

/**
 * Custom query that automatically provides authenticated user context
 * Throws an error if the user is not authenticated
 */
export const authenticatedQuery = customQuery(
	query,
	customCtx(async (ctx: QueryCtx) => {
		const user = await userOrThrow(ctx)
		const identity = await userIdentityOrThrow(ctx)
		return { user, identity }
	}),
)

/**
 * Custom mutation that automatically provides authenticated user context
 * Throws an error if the user is not authenticated
 */
export const authenticatedMutation = customMutation(
	mutation,
	customCtx(async (ctx: MutationCtx) => {
		const user = await userOrThrow(ctx)
		const identity = await userIdentityOrThrow(ctx)
		return { user, identity }
	}),
)

/**
 * Custom query that requires api key authentication for a query.
 */
export const apiKeyAuthenticatedQuery = customQuery(query, {
	args: {
		apiKey: v.string(),
	},
	input: async (ctx, args) => {
		if (!(await ApiKey.verifyApiKey(ctx, args.apiKey))) {
			error({
				code: ErrorCode.Unauthenticated,
				message: "Invalid API key",
			})
		}
		return { ctx: ctx as ApiKeyAuthenticatedQueryCtx, args }
	},
})

/**
 * Custom mutation that requires api key authentication for a mutation.
 */
export const apiKeyAuthenticatedMutation = customMutation(mutation, {
	args: {
		apiKey: v.string(),
	},
	input: async (ctx, args) => {
		if (!(await ApiKey.verifyApiKey(ctx, args.apiKey))) {
			error({
				code: ErrorCode.Unauthenticated,
				message: "Invalid API key",
			})
		}
		return { ctx, args }
	},
})

/**
 * Gets a document by its id and checks if the user is authorized to access it
 *
 * @returns The document associated with the id or null if the document is not found.
 */
export async function authorizedGet<T extends TableNamesInDataModel<DataModel>>(
	ctx: AuthenticatedQueryCtx | AuthenticatedMutationCtx,
	id: GenericId<T>,
): Promise<DocumentByName<DataModel, T> | null> {
	const item = await ctx.db.get(id)
	if (item && item.userId !== ctx.user._id) {
		return null
	}
	return item
}
feat[convex]: api key auth support 2025-10-20 00:17:41 +00:00			`import type { DataModel } from "@fileone/convex/dataModel"`
			`import type { MutationCtx, QueryCtx } from "@fileone/convex/server"`
			`import { mutation, query } from "@fileone/convex/server"`
feat: implement comprehensive access control system - Add authorizedGet function for secure resource access - Implement ownership verification for all file/directory operations - Use security through obscurity (not found vs access denied) - Optimize bulk operations by removing redundant authorization checks - Move generateFileUrl to filesystem.ts as fetchFileUrl with proper auth - Ensure all database access goes through authorization layer Co-authored-by: Ona <no-reply@ona.com> 2025-10-16 21:43:23 +00:00			`import type {`
			`DocumentByName,`
			`TableNamesInDataModel,`
			`UserIdentity,`
			`} from "convex/server"`
feat[convex]: api key auth support 2025-10-20 00:17:41 +00:00			`import { type GenericId, v } from "convex/values"`
feat: add auth to convex fns 2025-09-15 21:44:41 +00:00			`import {`
feat: hook syncUser to login callback Co-authored-by: Ona <no-reply@ona.com> 2025-09-15 22:58:23 +00:00			`customCtx,`
feat: add auth to convex fns 2025-09-15 21:44:41 +00:00			`customMutation,`
			`customQuery,`
			`} from "convex-helpers/server/customFunctions"`
feat[convex]: api key auth support 2025-10-20 00:17:41 +00:00			`import * as ApiKey from "./model/apikey"`
fix: root directory creation Co-authored-by: Ona <no-reply@ona.com> 2025-10-05 22:14:44 +00:00			`import { type AuthUser, userIdentityOrThrow, userOrThrow } from "./model/user"`
refactor: update remaining error imports to use ErrorCode - Replace Err.Code with ErrorCode throughout convex model files - Update error() function calls to use new signature - Remove unused Err namespace imports Co-authored-by: Ona <no-reply@ona.com> 2025-11-08 18:03:10 +00:00			`import { ErrorCode, error } from "./shared/error"`
feat: add auth to convex fns 2025-09-15 21:44:41 +00:00
feat: hook syncUser to login callback Co-authored-by: Ona <no-reply@ona.com> 2025-09-15 22:58:23 +00:00			`export type AuthenticatedQueryCtx = QueryCtx & {`
fix: root directory creation Co-authored-by: Ona <no-reply@ona.com> 2025-10-05 22:14:44 +00:00			`user: AuthUser`
feat: hook syncUser to login callback Co-authored-by: Ona <no-reply@ona.com> 2025-09-15 22:58:23 +00:00			`identity: UserIdentity`
			`}`

			`export type AuthenticatedMutationCtx = MutationCtx & {`
fix: root directory creation Co-authored-by: Ona <no-reply@ona.com> 2025-10-05 22:14:44 +00:00			`user: AuthUser`
feat: hook syncUser to login callback Co-authored-by: Ona <no-reply@ona.com> 2025-09-15 22:58:23 +00:00			`identity: UserIdentity`
			`}`

feat: initial impl of file proxy 2025-10-21 23:45:04 +00:00			`export type ApiKeyAuthenticatedQueryCtx = QueryCtx & {`
			`__branded: "ApiKeyAuthenticatedQueryCtx"`
			`}`

feat: add auth to convex fns 2025-09-15 21:44:41 +00:00			`/**`
			`* Custom query that automatically provides authenticated user context`
			`* Throws an error if the user is not authenticated`
			`*/`
feat: hook syncUser to login callback Co-authored-by: Ona <no-reply@ona.com> 2025-09-15 22:58:23 +00:00			`export const authenticatedQuery = customQuery(`
			`query,`
			`customCtx(async (ctx: QueryCtx) => {`
feat: add auth to convex fns 2025-09-15 21:44:41 +00:00			`const user = await userOrThrow(ctx)`
			`const identity = await userIdentityOrThrow(ctx)`
feat: hook syncUser to login callback Co-authored-by: Ona <no-reply@ona.com> 2025-09-15 22:58:23 +00:00			`return { user, identity }`
			`}),`
			`)`
feat: add auth to convex fns 2025-09-15 21:44:41 +00:00
			`/**`
			`* Custom mutation that automatically provides authenticated user context`
			`* Throws an error if the user is not authenticated`
			`*/`
feat: hook syncUser to login callback Co-authored-by: Ona <no-reply@ona.com> 2025-09-15 22:58:23 +00:00			`export const authenticatedMutation = customMutation(`
			`mutation,`
			`customCtx(async (ctx: MutationCtx) => {`
feat: add auth to convex fns 2025-09-15 21:44:41 +00:00			`const user = await userOrThrow(ctx)`
			`const identity = await userIdentityOrThrow(ctx)`
feat: hook syncUser to login callback Co-authored-by: Ona <no-reply@ona.com> 2025-09-15 22:58:23 +00:00			`return { user, identity }`
			`}),`
			`)`
feat: implement comprehensive access control system - Add authorizedGet function for secure resource access - Implement ownership verification for all file/directory operations - Use security through obscurity (not found vs access denied) - Optimize bulk operations by removing redundant authorization checks - Move generateFileUrl to filesystem.ts as fetchFileUrl with proper auth - Ensure all database access goes through authorization layer Co-authored-by: Ona <no-reply@ona.com> 2025-10-16 21:43:23 +00:00
feat: initial impl of file proxy 2025-10-21 23:45:04 +00:00			`/**`
			`* Custom query that requires api key authentication for a query.`
			`*/`
			`export const apiKeyAuthenticatedQuery = customQuery(query, {`
			`args: {`
			`apiKey: v.string(),`
			`},`
			`input: async (ctx, args) => {`
			`if (!(await ApiKey.verifyApiKey(ctx, args.apiKey))) {`
refactor: update remaining error imports to use ErrorCode - Replace Err.Code with ErrorCode throughout convex model files - Update error() function calls to use new signature - Remove unused Err namespace imports Co-authored-by: Ona <no-reply@ona.com> 2025-11-08 18:03:10 +00:00			`error({`
			`code: ErrorCode.Unauthenticated,`
			`message: "Invalid API key",`
			`})`
feat: initial impl of file proxy 2025-10-21 23:45:04 +00:00			`}`
			`return { ctx: ctx as ApiKeyAuthenticatedQueryCtx, args }`
			`},`
			`})`

feat[convex]: api key auth support 2025-10-20 00:17:41 +00:00			`/**`
			`* Custom mutation that requires api key authentication for a mutation.`
			`*/`
			`export const apiKeyAuthenticatedMutation = customMutation(mutation, {`
			`args: {`
			`apiKey: v.string(),`
			`},`
			`input: async (ctx, args) => {`
			`if (!(await ApiKey.verifyApiKey(ctx, args.apiKey))) {`
refactor: update remaining error imports to use ErrorCode - Replace Err.Code with ErrorCode throughout convex model files - Update error() function calls to use new signature - Remove unused Err namespace imports Co-authored-by: Ona <no-reply@ona.com> 2025-11-08 18:03:10 +00:00			`error({`
			`code: ErrorCode.Unauthenticated,`
			`message: "Invalid API key",`
			`})`
feat[convex]: api key auth support 2025-10-20 00:17:41 +00:00			`}`
			`return { ctx, args }`
			`},`
			`})`

feat: implement comprehensive access control system - Add authorizedGet function for secure resource access - Implement ownership verification for all file/directory operations - Use security through obscurity (not found vs access denied) - Optimize bulk operations by removing redundant authorization checks - Move generateFileUrl to filesystem.ts as fetchFileUrl with proper auth - Ensure all database access goes through authorization layer Co-authored-by: Ona <no-reply@ona.com> 2025-10-16 21:43:23 +00:00			`/**`
			`* Gets a document by its id and checks if the user is authorized to access it`
			`*`
			`* @returns The document associated with the id or null if the document is not found.`
			`*/`
			`export async function authorizedGet<T extends TableNamesInDataModel<DataModel>>(`
			`ctx: AuthenticatedQueryCtx \| AuthenticatedMutationCtx,`
			`id: GenericId<T>,`
			`): Promise<DocumentByName<DataModel, T> \| null> {`
			`const item = await ctx.db.get(id)`
			`if (item && item.userId !== ctx.user._id) {`
			`return null`
			`}`
			`return item`
			`}`