louis/gigafibre-fsm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c6b2dd1491
gigafibre-fsm/services/targo-hub/lib/auth.js
louispaulb 320655b0a0 refactor: major cleanup — remove dead dispatch app, commit all backend code, extract client composables 
- Remove apps/dispatch/ (100% replaced by ops dispatch module, unmaintained)
- Commit services/targo-hub/lib/ (24 modules, 6290 lines — was never tracked)
- Commit services/docuseal + services/legacy-db docker-compose configs
- Extract client app composables: useOTP, useAddressSearch, catalog data, format utils
- Refactor CartPage.vue 630→175 lines, CatalogPage.vue 375→95 lines
- Clean hardcoded credentials from config.js fallback values
- Add client portal: catalog, cart, checkout, OTP verification, address search
- Add ops: NetworkPage, AgentFlowsPage, ConversationPanel, UnifiedCreateModal
- Add ops composables: useBestTech, useConversations, usePermissions, useScanner
- Add field app: scanner composable, docker/nginx configs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-08 17:38:38 -04:00

333 lines
14 KiB
JavaScript
Raw Blame History

'use strict'
const cfg = require('./config')
const { log, json, parseBody, httpRequest } = require('./helpers')
let mysql = null
try { mysql = require('mysql2/promise') } catch (e) { /* optional */ }
const CAPABILITIES = [
{ key: 'view_dashboard_kpi', label: 'Voir KPIs (revenus, AR)', category: 'Dashboard' },
{ key: 'view_clients', label: 'Voir la liste clients', category: 'Clients' },
{ key: 'view_client_detail', label: 'Voir le détail client', category: 'Clients' },
{ key: 'edit_customer', label: 'Modifier les champs client', category: 'Clients' },
{ key: 'view_invoices', label: 'Voir les factures', category: 'Finance' },
{ key: 'create_invoices', label: 'Créer/modifier factures', category: 'Finance' },
{ key: 'view_payments', label: 'Voir les paiements', category: 'Finance' },
{ key: 'create_payments', label: 'Créer paiements', category: 'Finance' },
{ key: 'edit_subscription_price', label: 'Modifier prix abonnement', category: 'Finance' },
{ key: 'view_all_jobs', label: 'Voir tous les jobs', category: 'Dispatch' },
{ key: 'view_own_jobs', label: 'Voir ses propres jobs', category: 'Dispatch' },
{ key: 'assign_jobs', label: 'Assigner/réassigner', category: 'Dispatch' },
{ key: 'create_jobs', label: 'Créer des jobs', category: 'Dispatch' },
{ key: 'view_equipment', label: 'Voir diagnostics équipement', category: 'Équipement' },
{ key: 'reboot_provision', label: 'Reboot/provisionner', category: 'Équipement' },
{ key: 'view_all_tickets', label: 'Voir tous les tickets', category: 'Tickets' },
{ key: 'view_own_tickets', label: 'Voir ses tickets', category: 'Tickets' },
{ key: 'manage_tickets', label: 'Créer/fermer tickets', category: 'Tickets' },
{ key: 'send_sms', label: 'Envoyer SMS', category: 'Communication' },
{ key: 'make_calls', label: 'Passer des appels', category: 'Communication' },
{ key: 'manage_telephony', label: 'Gérer Fonoster/trunks', category: 'Téléphonie' },
{ key: 'view_settings', label: 'Voir paramètres', category: 'Administration' },
{ key: 'manage_settings', label: 'Modifier paramètres', category: 'Administration' },
{ key: 'manage_users', label: 'Gérer utilisateurs', category: 'Administration' },
{ key: 'delete_records', label: 'Supprimer des enregistrements', category: 'Administration' },
{ key: 'manage_permissions', label: 'Modifier les permissions', category: 'Administration' },
]
const OPS_GROUPS = ['admin', 'sysadmin', 'tech', 'support', 'comptabilite', 'facturation', 'dev']
function akFetch (path, method = 'GET', body = null) {
if (!cfg.AUTHENTIK_TOKEN) throw new Error('AUTHENTIK_TOKEN not configured')
return httpRequest(cfg.AUTHENTIK_URL, '/api/v3' + path, {
method, body, headers: { Authorization: 'Bearer ' + cfg.AUTHENTIK_TOKEN }, timeout: 10000,
})
}
let groupCache = null, groupCacheTs = 0
async function fetchGroups () {
if (groupCache && Date.now() - groupCacheTs < 60000) return groupCache
const r = await akFetch('/core/groups/?page_size=100')
if (r.status !== 200) throw new Error('Authentik groups fetch failed: ' + r.status)
groupCache = r.data.results
groupCacheTs = Date.now()
return groupCache
}
function invalidateCache () { groupCache = null; groupCacheTs = 0 }
async function findUserByEmail (email) {
const r = await akFetch('/core/users/?search=' + encodeURIComponent(email) + '&page_size=5')
if (r.status !== 200) return { error: 'Authentik user lookup failed', status: 502 }
const user = r.data.results?.find(u => u.email?.toLowerCase() === email.toLowerCase())
return user ? { user } : { error: 'User not found: ' + email, status: 404 }
}
function validatePermissions (body) {
const validKeys = new Set(CAPABILITIES.map(c => c.key))
const result = {}
for (const [key, val] of Object.entries(body)) {
if (validKeys.has(key) && typeof val === 'boolean') result[key] = val
}
return result
}
async function handle (req, res, method, path, url) {
if (!cfg.AUTHENTIK_TOKEN) return json(res, 503, { error: 'Authentik not configured' })
try {
const parts = path.replace('/auth/', '').split('/').filter(Boolean)
const resource = parts[0]
if (resource === 'capabilities' && method === 'GET') {
return json(res, 200, CAPABILITIES)
}
if (resource === 'permissions' && method === 'GET') {
const email = url.searchParams.get('email') || req.headers['x-authentik-email']
if (!email) return json(res, 400, { error: 'Missing email parameter' })
const lookup = await findUserByEmail(email)
if (lookup.error) return json(res, lookup.status, { error: lookup.error })
const { user } = lookup
const allGroups = await fetchGroups()
const userGroupPks = new Set(user.groups || [])
const userGroups = allGroups.filter(g => userGroupPks.has(g.pk) && OPS_GROUPS.includes(g.name))
// Merge permissions: union of all group permissions
const merged = {}
for (const cap of CAPABILITIES) merged[cap.key] = false
for (const g of userGroups) {
const perms = g.attributes?.ops_permissions || {}
for (const [key, val] of Object.entries(perms)) {
if (val === true) merged[key] = true
}
}
// Per-user overrides from custom_attributes
const overrides = user.attributes?.ops_permissions_override || {}
for (const [key, val] of Object.entries(overrides)) {
if (typeof val === 'boolean') merged[key] = val
}
return json(res, 200, {
email: user.email, username: user.username, name: user.name,
groups: userGroups.map(g => g.name), is_superuser: user.is_superuser || false,
capabilities: merged, overrides,
})
}
if (resource === 'groups' && !parts[1] && method === 'GET') {
const allGroups = await fetchGroups()
const opsGroups = allGroups
.filter(g => OPS_GROUPS.includes(g.name))
.map(g => ({
pk: g.pk, name: g.name, num_users: g.users_obj?.length || 0,
is_superuser: g.is_superuser || false, permissions: g.attributes?.ops_permissions || {},
}))
.sort((a, b) => OPS_GROUPS.indexOf(a.name) - OPS_GROUPS.indexOf(b.name))
return json(res, 200, { groups: opsGroups, capabilities: CAPABILITIES })
}
if (resource === 'groups' && parts[2] === 'permissions' && method === 'PUT') {
const groupName = decodeURIComponent(parts[1])
const allGroups = await fetchGroups()
const group = allGroups.find(g => g.name === groupName)
if (!group) return json(res, 404, { error: 'Group not found: ' + groupName })
const perms = validatePermissions(await parseBody(req))
const attrs = { ...(group.attributes || {}), ops_permissions: perms }
const r = await akFetch('/core/groups/' + group.pk + '/', 'PATCH', { attributes: attrs })
if (r.status !== 200) return json(res, 502, { error: 'Authentik update failed: ' + r.status })
invalidateCache()
log(`Auth: updated permissions for group ${groupName}: ${Object.keys(perms).filter(k => perms[k]).length} capabilities enabled`)
return json(res, 200, { ok: true, group: groupName, permissions: perms })
}
if (resource === 'users' && !parts[1] && method === 'GET') {
const page = url.searchParams.get('page') || '1'
const search = url.searchParams.get('search') || ''
const groupFilter = url.searchParams.get('group') || ''
let akPath = `/core/users/?page=${page}&page_size=100&ordering=username`
if (search) akPath += '&search=' + encodeURIComponent(search)
// Filter by Authentik group UUID if requested
if (groupFilter) {
const allGrps = await fetchGroups()
const grp = allGrps.find(g => g.name === groupFilter)
if (grp) akPath += '&groups_by_pk=' + grp.pk
}
const r = await akFetch(akPath)
if (r.status !== 200) return json(res, 502, { error: 'Authentik users fetch failed' })
const allGroups = await fetchGroups()
const groupMap = new Map(allGroups.map(g => [g.pk, g.name]))
const users = r.data.results
.filter(u => !u.username.startsWith('ak-outpost'))
.map(u => ({
pk: u.pk, username: u.username, email: u.email, name: u.name,
is_active: u.is_active, is_superuser: u.is_superuser,
groups: (u.groups || []).map(pk => groupMap.get(pk)).filter(n => OPS_GROUPS.includes(n)),
overrides: u.attributes?.ops_permissions_override || {},
last_login: u.last_login,
}))
return json(res, 200, { users, total: r.data.pagination?.count || users.length })
}
if (resource === 'users' && parts[2] === 'overrides' && method === 'PUT') {
const email = decodeURIComponent(parts[1])
const lookup = await findUserByEmail(email)
if (lookup.error) return json(res, lookup.status, { error: lookup.error })
const { user } = lookup
const overrides = validatePermissions(await parseBody(req))
const attrs = { ...(user.attributes || {}), ops_permissions_override: overrides }
const r = await akFetch('/core/users/' + user.pk + '/', 'PATCH', { attributes: attrs })
if (r.status !== 200) return json(res, 502, { error: 'Authentik update failed: ' + r.status })
log(`Auth: updated overrides for ${email}: ${JSON.stringify(overrides)}`)
return json(res, 200, { ok: true, email, overrides })
}
if (resource === 'users' && parts[2] === 'groups' && method === 'PUT') {
const email = decodeURIComponent(parts[1])
const lookup = await findUserByEmail(email)
if (lookup.error) return json(res, lookup.status, { error: lookup.error })
const { user } = lookup
const { groups: requestedGroups = [] } = await parseBody(req)
const allGroups = await fetchGroups()
const opsGroupMap = new Map(allGroups.filter(g => OPS_GROUPS.includes(g.name)).map(g => [g.name, g.pk]))
// Keep non-ops group memberships, replace ops ones
const currentNonOps = (user.groups || []).filter(pk => {
const g = allGroups.find(gr => gr.pk === pk)
return g && !OPS_GROUPS.includes(g.name)
})
const finalGroups = [...currentNonOps, ...requestedGroups.map(n => opsGroupMap.get(n)).filter(Boolean)]
const r = await akFetch('/core/users/' + user.pk + '/', 'PATCH', { groups: finalGroups })
if (r.status !== 200) return json(res, 502, { error: 'Authentik update failed: ' + r.status })
invalidateCache()
log(`Auth: updated groups for ${email}: [${requestedGroups.join(', ')}]`)
return json(res, 200, { ok: true, email, groups: requestedGroups })
}
// ─── Sync legacy staff groups to Authentik ───
if (resource === 'sync-legacy' && method === 'POST') {
if (!mysql) return json(res, 503, { error: 'mysql2 not installed' })
const body = await parseBody(req)
const dryRun = body.dry_run !== false // default true = preview only
// 1. Read legacy staff table
let conn
try {
conn = await mysql.createConnection({
host: cfg.LEGACY_DB_HOST, user: cfg.LEGACY_DB_USER,
password: cfg.LEGACY_DB_PASS, database: cfg.LEGACY_DB_NAME,
})
const [rows] = await conn.execute(
'SELECT email, group_ad, first_name, last_name, status FROM staff WHERE status = 1 AND email != "" AND group_ad != ""'
)
await conn.end()
// 2. Fetch Authentik users + groups
const allGroups = await fetchGroups()
const opsGroupMap = new Map()
for (const g of allGroups) {
if (OPS_GROUPS.includes(g.name)) opsGroupMap.set(g.name, g)
}
// Fetch all Authentik users (paginate)
let akUsers = [], page = 1
while (true) {
const r = await akFetch('/core/users/?page=' + page + '&page_size=100&ordering=username')
if (r.status !== 200) break
akUsers = akUsers.concat(r.data.results || [])
if (!r.data.pagination || page >= r.data.pagination.total_pages) break
page++
}
// Build email → user map (lowercase)
const emailMap = new Map()
for (const u of akUsers) {
if (u.email) emailMap.set(u.email.toLowerCase(), u)
}
// 3. Match & compute changes
const report = { matched: [], not_found: [], already_ok: [], errors: [] }
for (const row of rows) {
const legacyEmail = row.email.toLowerCase().trim()
const targetGroup = row.group_ad.trim()
if (!opsGroupMap.has(targetGroup)) continue
const akUser = emailMap.get(legacyEmail)
if (!akUser) {
report.not_found.push({ email: legacyEmail, legacy_group: targetGroup, name: `${row.first_name} ${row.last_name}` })
continue
}
const group = opsGroupMap.get(targetGroup)
const userGroupPks = new Set(akUser.groups || [])
if (userGroupPks.has(group.pk)) {
report.already_ok.push({ email: legacyEmail, group: targetGroup })
continue
}
// Need to add this user to the group
const entry = { email: legacyEmail, username: akUser.username, group: targetGroup, user_pk: akUser.pk }
if (!dryRun) {
// Add group pk to user's existing groups
const newGroups = [...(akUser.groups || []), group.pk]
const r = await akFetch('/core/users/' + akUser.pk + '/', 'PATCH', { groups: newGroups })
if (r.status === 200) {
entry.status = 'synced'
log(`Legacy sync: added ${legacyEmail} to group ${targetGroup}`)
} else {
entry.status = 'error'
entry.error = 'Authentik PATCH failed: ' + r.status
report.errors.push(entry)
continue
}
} else {
entry.status = 'pending'
}
report.matched.push(entry)
}
if (!dryRun) invalidateCache()
return json(res, 200, {
dry_run: dryRun,
summary: {
to_sync: report.matched.length,
already_ok: report.already_ok.length,
not_found: report.not_found.length,
errors: report.errors.length,
},
...report,
})
} catch (e) {
if (conn) try { await conn.end() } catch {}
log('Legacy sync error:', e.message)
return json(res, 502, { error: 'Legacy sync error: ' + e.message })
}
}
return json(res, 404, { error: 'Unknown auth endpoint' })
} catch (e) {
log('Auth error:', e.message)
return json(res, 502, { error: 'Auth error: ' + e.message })
}
}
module.exports = { handle, CAPABILITIES, OPS_GROUPS }
Reference in New Issue View Git Blame Copy Permalink