chore: bump deps (#15059)

#### PR Dependency Tree


* **PR #15059** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Configurable minimum account age before new accounts can invite
members or create share links (default: 24 hours).
* Sign-in now returns and caches user info for improved session
handling.

* **Bug Fixes**
  * Queue handling accepts and resolves job IDs with special characters.
* Improved clipboard/rich-text caret handling and nested-list paste
reliability.
  * Calendar tests use dynamic current-month dates.
  * AI search returns explicit "No matching documents" when none found.
  * Auth session responses are explicitly non-cacheable.

* **Chores**
* Dependency and toolchain bumps; admin UI config/schema exposes the new
account-age setting.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This commit is contained in:
DarkSky
2026-06-01 20:13:59 +08:00
committed by GitHub
parent 78cf402141
commit 7123595831
29 changed files with 344 additions and 130 deletions
+1 -1
View File
@@ -65,7 +65,7 @@
"@queuedash/api": "^3.16.0",
"@react-email/components": "^0.5.7",
"@socket.io/redis-adapter": "^8.3.0",
"bullmq": "5.53.0",
"bullmq": "5.77.6",
"commander": "^13.1.0",
"cookie-parser": "^1.4.7",
"cross-env": "^10.1.0",
@@ -70,6 +70,14 @@ test('should be able to sign in with credential', async t => {
t.is(session?.id, u1.id);
});
test('should not cache auth session response', async t => {
const { app } = t.context;
const res = await app.GET('/api/auth/session').expect(200);
t.is(res.headers['cache-control'], 'no-store');
});
async function exchangeSession(app: TestingApp, code: string) {
return await supertest(app.getHttpServer())
.post('/api/auth/native/exchange')
@@ -104,6 +104,23 @@ test('should add job to queue', async t => {
t.is(queuedJob!.name, job.name);
});
test('should accept job id containing colon', async t => {
const job = await queue.add(
'nightly.__test__job',
{ name: 'test' },
{ jobId: 'custom:id' }
);
const queuedJob = await queue.get('custom:id', 'nightly.__test__job');
const roundTripJob = await queue.get(job.id!, 'nightly.__test__job');
const data = await queue.remove(job.id!, 'nightly.__test__job');
t.is(job.id, 'custom%3Aid');
t.is(queuedJob!.name, job.name);
t.is(roundTripJob!.name, job.name);
t.deepEqual(data, { name: 'test' });
});
test('should remove job from queue', async t => {
const job = await queue.add('nightly.__test__job', { name: 'test' });
@@ -21,6 +21,19 @@ const removableJobStates = [
] as const;
const removeWhereBatchSize = 100;
function normalizeJobId(jobId: string) {
return encodeURIComponent(jobId);
}
function normalizedJobIds(jobId: string) {
const normalized = normalizeJobId(jobId);
if (jobId.includes(':')) {
return [normalized];
}
return normalized === jobId ? [jobId] : [jobId, normalized];
}
@Injectable()
export class JobQueue {
private readonly logger = new Logger(JobQueue.name);
@@ -30,6 +43,9 @@ export class JobQueue {
async add<T extends JobName>(name: T, payload: Jobs[T], opts?: JobsOptions) {
const ns = namespace(name);
const queue = this.getQueue(ns);
const normalizedOpts = opts?.jobId
? { ...opts, jobId: normalizeJobId(opts.jobId) }
: opts;
const job = await queue.add(
name,
{
@@ -37,7 +53,7 @@ export class JobQueue {
ClsServiceManager.getClsService().getId() ?? genRequestId('job'),
payload,
} as JobData<T>,
opts
normalizedOpts
);
this.logger.debug(`Job [${name}] added; id=${job.id}`);
return job;
@@ -49,15 +65,16 @@ export class JobQueue {
): Promise<Jobs[T] | undefined> {
const ns = namespace(jobName);
const queue = this.getQueue(ns);
const job = (await queue.getJob(jobId)) as Job<JobData<T>> | undefined;
const job = await this.get(jobId, jobName);
if (!job) {
return;
}
const removed = await queue.remove(jobId);
if (!job.id) return;
const removed = await queue.remove(job.id);
if (removed) {
this.logger.log(`Job ${jobName}(id=${jobId}) removed from queue ${ns}`);
this.logger.log(`Job ${jobName}(id=${job.id}) removed from queue ${ns}`);
return job.data.payload;
}
@@ -120,7 +137,14 @@ export class JobQueue {
async get<T extends JobName>(jobId: string, jobName: T) {
const ns = namespace(jobName);
const queue = this.getQueue(ns);
return (await queue.getJob(jobId)) as Job<JobData<T>> | undefined;
for (const id of normalizedJobIds(jobId)) {
const job = (await queue.getJob(id)) as Job<JobData<T>> | undefined;
if (job) {
return job;
}
}
return undefined;
}
private getQueue(ns: string): Queue {
@@ -11,6 +11,7 @@ export interface AuthConfig {
allowSignupForOauth: boolean;
requireEmailDomainVerification: boolean;
requireEmailVerification: boolean;
newAccountShareActionDelay: number;
passwordRequirements: ConfigItem<{
min: number;
max: number;
@@ -40,6 +41,11 @@ defineModuleConfig('auth', {
desc: 'Whether require email verification before accessing restricted resources(not implemented).',
default: true,
},
newAccountShareActionDelay: {
desc: 'Minimum account age in seconds before new accounts can invite members or create share links.',
default: 24 * 60 * 60,
shape: z.number().int().min(0),
},
passwordRequirements: {
desc: 'The password strength requirements when set new password.',
default: {
@@ -256,6 +256,7 @@ export class AuthController {
@Throttle('default', { limit: 1200 })
@Public()
@Get('/session')
@Header('Cache-Control', 'no-store')
async currentSessionUser(@CurrentUser() user?: CurrentUser) {
return { user };
}
@@ -1,10 +1,6 @@
import test from 'ava';
import {
containsUrlOrDomain,
isUserOldEnoughForShareActions,
SHARE_ACTION_ACCOUNT_AGE_MS,
} from '../abuse';
import { canUserExecuteLimitedActions, containsUrlOrDomain } from '../abuse';
test('should detect links and bare domains in workspace names', t => {
t.true(containsUrlOrDomain('BTC https://spam.example'));
@@ -20,10 +16,21 @@ test('should not detect email addresses or partial domain words', t => {
});
test('should check account age for share actions', t => {
t.false(isUserOldEnoughForShareActions({ createdAt: new Date() }));
const minimumAccountAgeMs = 24 * 60 * 60 * 1000;
t.false(
canUserExecuteLimitedActions({ createdAt: new Date() }, minimumAccountAgeMs)
);
t.true(
isUserOldEnoughForShareActions({
createdAt: new Date(Date.now() - SHARE_ACTION_ACCOUNT_AGE_MS - 1),
})
canUserExecuteLimitedActions(
{
createdAt: new Date(Date.now() - minimumAccountAgeMs - 1),
},
minimumAccountAgeMs
)
);
});
test('should skip account age check when share action delay is disabled', t => {
t.true(canUserExecuteLimitedActions({ createdAt: new Date() }, 0));
});
@@ -1,5 +1,3 @@
export const SHARE_ACTION_ACCOUNT_AGE_MS = 24 * 60 * 60 * 1000;
const URL_OR_DOMAIN_PATTERN =
/(?:https?:\/\/|www\.|(?<![@\w-])(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}(?=$|[^\p{L}\p{N}._-]))/iu;
@@ -7,6 +5,10 @@ export function containsUrlOrDomain(value: string | null | undefined) {
return URL_OR_DOMAIN_PATTERN.test(value ?? '');
}
export function isUserOldEnoughForShareActions(user: { createdAt: Date }) {
return Date.now() - user.createdAt.getTime() >= SHARE_ACTION_ACCOUNT_AGE_MS;
export function canUserExecuteLimitedActions(
user: { createdAt: Date },
minimumAccountAgeMs: number
) {
if (minimumAccountAgeMs <= 0) return true;
return Date.now() - user.createdAt.getTime() >= minimumAccountAgeMs;
}
@@ -17,6 +17,7 @@ import { SafeIntResolver } from 'graphql-scalars';
import {
ActionForbidden,
Cache,
Config,
DocActionDenied,
DocDefaultRoleCanNotBeOwner,
DocNotFound,
@@ -45,7 +46,7 @@ import {
PermissionService,
} from '../../permission';
import { PublicUserType, WorkspaceUserType } from '../../user';
import { isUserOldEnoughForShareActions } from '../abuse';
import { canUserExecuteLimitedActions } from '../abuse';
import { DocGrantsService } from '../doc-grants';
import { WorkspaceType } from '../types';
import { TimeBucket, TimeWindow } from './analytics-types';
@@ -301,14 +302,27 @@ export class WorkspaceDocResolver {
private readonly permission: PermissionService,
private readonly models: Models,
private readonly cache: Cache,
private readonly event: EventBus
private readonly event: EventBus,
private readonly config: Config
) {}
private async assertCanShare(userId: string) {
private async assertCanShare(
userId: string,
context: { workspaceId: string; docId: string; action: 'publishDoc' }
) {
const user = await this.models.user.get(userId);
if (!user || !isUserOldEnoughForShareActions(user)) {
const newAccountAgeMs = this.config.auth.newAccountShareActionDelay * 1000;
if (!user || !canUserExecuteLimitedActions(user, newAccountAgeMs)) {
this.logger.warn('Share action blocked for new account', {
userId,
email: user?.email,
createdAt: user?.createdAt,
accountAgeMs: user ? Date.now() - user.createdAt.getTime() : null,
minimumAccountAgeMs: newAccountAgeMs,
...context,
});
throw new ActionForbidden(
'Sharing links is unavailable during the first 24 hours after signup.'
'This feature is temporarily unavailable for you.'
);
}
}
@@ -452,7 +466,11 @@ export class WorkspaceDocResolver {
}
await this.ac.user(user.id).doc(workspaceId, docId).assert('Doc.Publish');
await this.assertCanShare(user.id);
await this.assertCanShare(user.id, {
workspaceId,
docId,
action: 'publishDoc',
});
const doc = await this.models.doc.publish(workspaceId, docId, mode);
this.event.emit('doc.public_state.changed', { workspaceId, docId });
@@ -1,3 +1,4 @@
import { Logger } from '@nestjs/common';
import {
Args,
Int,
@@ -21,6 +22,7 @@ import {
AuthenticationRequired,
Cache,
CanNotRevokeYourself,
Config,
EventBus,
InvalidInvitation,
isValidCacheTtl,
@@ -46,7 +48,7 @@ import {
import { QuotaService } from '../../quota';
import { UserType } from '../../user';
import { validators } from '../../utils/validators';
import { containsUrlOrDomain, isUserOldEnoughForShareActions } from '../abuse';
import { canUserExecuteLimitedActions, containsUrlOrDomain } from '../abuse';
import { WorkspaceService } from '../service';
import {
InvitationType,
@@ -64,6 +66,8 @@ import {
*/
@Resolver(() => WorkspaceType)
export class WorkspaceMemberResolver {
private readonly logger = new Logger(WorkspaceMemberResolver.name);
constructor(
private readonly cache: Cache,
private readonly event: EventBus,
@@ -73,14 +77,30 @@ export class WorkspaceMemberResolver {
private readonly mutex: RequestMutex,
private readonly policy: WorkspacePolicyService,
private readonly workspaceService: WorkspaceService,
private readonly quota: QuotaService
private readonly quota: QuotaService,
private readonly config: Config
) {}
private async assertCanInviteOrShare(userId: string) {
private async assertCanInviteOrShare(
userId: string,
context: {
workspaceId: string;
action: 'inviteMembers' | 'createInviteLink';
}
) {
const user = await this.models.user.get(userId);
if (!user || !isUserOldEnoughForShareActions(user)) {
const newAccountAgeMs = this.config.auth.newAccountShareActionDelay * 1000;
if (!user || !canUserExecuteLimitedActions(user, newAccountAgeMs)) {
this.logger.warn('Share action blocked for new account', {
userId,
email: user?.email,
createdAt: user?.createdAt,
accountAgeMs: user ? Date.now() - user.createdAt.getTime() : null,
minimumAccountAgeMs: newAccountAgeMs,
...context,
});
throw new ActionForbidden(
'Inviting members and creating share links are unavailable during the first 24 hours after signup.'
'This feature is temporarily unavailable for you.'
);
}
}
@@ -169,7 +189,10 @@ export class WorkspaceMemberResolver {
.user(me.id)
.workspace(workspaceId)
.assert('Workspace.Users.Manage');
await this.assertCanInviteOrShare(me.id);
await this.assertCanInviteOrShare(me.id, {
workspaceId,
action: 'inviteMembers',
});
await this.assertWorkspaceNameCanInvite(workspaceId);
if (emails.length > 512) {
@@ -302,7 +325,10 @@ export class WorkspaceMemberResolver {
.user(user.id)
.workspace(workspaceId)
.assert('Workspace.Users.Manage');
await this.assertCanInviteOrShare(user.id);
await this.assertCanInviteOrShare(user.id, {
workspaceId,
action: 'createInviteLink',
});
await this.assertWorkspaceNameCanInvite(workspaceId);
const cacheWorkspaceId = `workspace:inviteLink:${workspaceId}`;
@@ -190,11 +190,15 @@ export class WorkspaceMcpProvider {
const abortedAfterDocs = abortIfNeeded(options.signal);
if (abortedAfterDocs) return abortedAfterDocs;
if (!docs || docs.length === 0) {
return toolText('No matching documents found.');
}
return {
content: (docs?.map(doc => ({
content: docs.map(doc => ({
type: 'text',
text: clearEmbeddingChunk(doc).content,
})) ?? []),
})),
};
},
});
@@ -235,10 +239,10 @@ export class WorkspaceMcpProvider {
}
return {
content: (docs?.map(doc => ({
content: docs.map(doc => ({
type: 'text',
text: JSON.stringify(pick(doc, 'docId', 'title', 'createdAt')),
})) ?? []),
})),
};
},
});
@@ -740,10 +740,8 @@ fn parse_markdown_inner(markdown: &str) -> Result<MarkdownDocument, ParseError>
inline.push(InlineAttr::link(dest_url.to_string()));
}
}
Event::End(TagEnd::Link) => {
if pending_bookmark.is_none() {
inline.pop(InlineAttr::new(InlineStyle::Link));
}
Event::End(TagEnd::Link) if pending_bookmark.is_none() => {
inline.pop(InlineAttr::new(InlineStyle::Link));
}
_ => {}
}
@@ -136,11 +136,11 @@ impl YTypeRef {
#[allow(dead_code)]
pub fn read(&self) -> Option<(RwLockReadGuard<'_, DocStore>, RwLockReadGuard<'_, YType>)> {
self.store().and_then(|store| self.ty().map(|ty| (store, ty)))
self.store().zip(self.ty())
}
pub fn write(&self) -> Option<(RwLockWriteGuard<'_, DocStore>, RwLockWriteGuard<'_, YType>)> {
self.store_mut().and_then(|store| self.ty_mut().map(|ty| (store, ty)))
self.store_mut().zip(self.ty_mut())
}
}
+4
View File
@@ -79,6 +79,10 @@
"type": "Boolean",
"desc": "Whether require email verification before accessing restricted resources(not implemented)."
},
"newAccountShareActionDelay": {
"type": "Number",
"desc": "Minimum account age in seconds before new accounts can invite members or create share links."
},
"passwordRequirements": {
"type": "Object",
"desc": "The password strength requirements when set new password."
@@ -62,6 +62,11 @@ export const KNOWN_CONFIG_GROUPS = [
fields: [
'allowSignup',
'allowSignupForOauth',
{
key: 'newAccountShareActionDelay',
type: 'Number',
desc: 'Minimum account age in seconds before new accounts can invite members or create share links.',
},
// nested json object
{
key: 'passwordRequirements',
@@ -8,7 +8,13 @@ import {
setNativeAuthToken,
} from './native-token';
interface SignInResponse {
export interface SignInResponse {
id?: string;
email?: string;
name?: string;
hasPassword?: boolean | null;
avatarUrl?: string | null;
emailVerified?: boolean;
exchangeCode?: string;
redirectUri?: string;
}
@@ -97,7 +103,8 @@ export const authHandlers = {
token,
client_nonce: clientNonce,
});
await exchangeSession(endpoint, await readJson(response));
const body = await readJson<SignInResponse>(response);
await exchangeSession(endpoint, body);
},
signInOauth: async (
@@ -145,7 +152,9 @@ export const authHandlers = {
password: credential.password,
}),
});
await exchangeSession(endpoint, await readJson(response));
const body = await readJson<SignInResponse>(response);
await exchangeSession(endpoint, body);
return body;
},
signInOpenAppSignInCode: async (_e, endpoint: string, code: string) => {
+1 -1
View File
@@ -74,7 +74,7 @@
"lit": "^3.2.1",
"lodash-es": "^4.17.23",
"lottie-react": "^2.4.0",
"mermaid": "^11.13.0",
"mermaid": "^11.15.0",
"mp4-muxer": "^5.2.2",
"nanoid": "^5.1.6",
"next-themes": "^0.4.4",
@@ -70,7 +70,7 @@ export function configureDefaultAuthProvider(framework: Framework) {
headers['x-captcha-challenge'] = credential.challenge;
}
await fetchService.fetch('/api/auth/sign-in', {
const res = await fetchService.fetch('/api/auth/sign-in', {
method: 'POST',
body: JSON.stringify(credential),
headers: {
@@ -78,6 +78,7 @@ export function configureDefaultAuthProvider(framework: Framework) {
...headers,
},
});
return await res.json();
},
async signInOpenAppSignInCode(code: string) {
await fetchService.fetch('/api/auth/open-app/sign-in', {
@@ -1,5 +1,14 @@
import { createIdentifier } from '@toeverything/infra';
export interface SignInUserInfo {
id: string;
email: string;
name: string;
hasPassword: boolean | null;
avatarUrl: string | null;
emailVerified: boolean;
}
export interface AuthProvider {
signInMagicLink(
email: string,
@@ -19,7 +28,7 @@ export interface AuthProvider {
password: string;
verifyToken?: string;
challenge?: string;
}): Promise<void>;
}): Promise<SignInUserInfo | void>;
signInOpenAppSignInCode(code: string): Promise<void>;
@@ -235,7 +235,10 @@ export class AuthService extends Service {
}) {
track.$.$.auth.signIn({ method: 'password' });
try {
await this.store.signInPassword(credential);
const user = await this.store.signInPassword(credential);
if (user) {
this.store.setCachedSignInUser(user);
}
this.session.revalidate();
track.$.$.auth.signedIn({ method: 'password' });
} catch (e) {
@@ -9,7 +9,7 @@ import { Store } from '@toeverything/infra';
import type { GlobalState, NbstoreService } from '../../storage';
import type { AuthSessionInfo } from '../entities/session';
import type { AuthProvider } from '../provider/auth';
import type { AuthProvider, SignInUserInfo } from '../provider/auth';
import type { FetchService } from '../services/fetch';
import type { GraphQLService } from '../services/graphql';
import type { ServerService } from '../services/server';
@@ -57,6 +57,25 @@ export class AuthStore extends Store {
this.globalState.set(`${this.serverService.server.id}-auth`, session);
}
setCachedSignInUser(user: SignInUserInfo) {
this.setCachedAuthSession({
account: {
id: user.id,
email: user.email,
label: user.name,
avatar: user.avatarUrl,
info: {
id: user.id,
email: user.email,
name: user.name,
hasPassword: Boolean(user.hasPassword),
avatarUrl: user.avatarUrl,
emailVerified: user.emailVerified ? 'true' : null,
},
},
});
}
getClientNonce() {
return this.globalState.get<string>('auth-client-nonce');
}
@@ -67,7 +86,7 @@ export class AuthStore extends Store {
async fetchSession() {
const { user } = await this.fetchService
.fetch('/api/auth/session')
.fetch('/api/auth/session', { cache: 'no-store' })
.then(res => res.json());
const authMethods = user
? await this.fetchService
@@ -109,7 +128,7 @@ export class AuthStore extends Store {
verifyToken?: string;
challenge?: string;
}) {
await this.authProvider.signInPassword(credential);
return await this.authProvider.signInPassword(credential);
}
async signInOpenAppSignInCode(code: string) {
@@ -112,7 +112,7 @@ impl SqliteDocStorage {
return Ok(None);
}
updates.sort_by(|a, b| a.timestamp.cmp(&b.timestamp));
updates.sort_by_key(|a| a.timestamp);
let mut segments = Vec::with_capacity(snapshot.as_ref().map(|_| 1).unwrap_or(0) + updates.len());
if let Some(record) = snapshot {