feat: locked/private view (#18268)

* feat: locked/private view * feat: locked/private view * pr feedback * fix: redirect loop * pr feedback
2025-11-14 17:36:12 +00:00 · 2025-05-15 09:35:21 -06:00 · 2025-05-15 09:35:21 -06:00 · b7b0b9b6d8
commit b7b0b9b6d8
parent 4935f3e0bb
61 changed files with 1018 additions and 186 deletions
--- a/server/src/services/auth.service.ts
+++ b/server/src/services/auth.service.ts
@ -126,6 +126,10 @@ export class AuthService extends BaseService {
    this.resetPinChecks(user, dto);

    await this.userRepository.update(auth.user.id, { pinCode: null });
+    const sessions = await this.sessionRepository.getByUserId(auth.user.id);
+    for (const session of sessions) {
+      await this.sessionRepository.update(session.id, { pinExpiresAt: null });
+    }
  }

  async changePinCode(auth: AuthDto, dto: PinCodeChangeDto) {
@ -444,10 +448,25 @@ export class AuthService extends BaseService {
        await this.sessionRepository.update(session.id, { id: session.id, updatedAt: new Date() });
      }

+      // Pin check
+      let hasElevatedPermission = false;
+
+      if (session.pinExpiresAt) {
+        const pinExpiresAt = DateTime.fromJSDate(session.pinExpiresAt);
+        hasElevatedPermission = pinExpiresAt > now;
+
+        if (hasElevatedPermission && now.plus({ minutes: 5 }) > pinExpiresAt) {
+          await this.sessionRepository.update(session.id, {
+            pinExpiresAt: DateTime.now().plus({ minutes: 5 }).toJSDate(),
+          });
+        }
+      }
+
      return {
        user: session.user,
        session: {
          id: session.id,
+          hasElevatedPermission,
        },
      };
    }
@ -455,6 +474,23 @@ export class AuthService extends BaseService {
    throw new UnauthorizedException('Invalid user token');
  }

+  async verifyPinCode(auth: AuthDto, dto: PinCodeSetupDto): Promise<void> {
+    const user = await this.userRepository.getForPinCode(auth.user.id);
+    if (!user) {
+      throw new UnauthorizedException();
+    }
+
+    this.resetPinChecks(user, { pinCode: dto.pinCode });
+
+    if (!auth.session) {
+      throw new BadRequestException('Session is missing');
+    }
+
+    await this.sessionRepository.update(auth.session.id, {
+      pinExpiresAt: new Date(DateTime.now().plus({ minutes: 15 }).toJSDate()),
+    });
+  }
+
  private async createLoginResponse(user: UserAdmin, loginDetails: LoginDetails) {
    const key = this.cryptoRepository.newPassword(32);
    const token = this.cryptoRepository.hashSha256(key);
@ -493,6 +529,7 @@ export class AuthService extends BaseService {
    return {
      pinCode: !!user.pinCode,
      password: !!user.password,
+      isElevated: !!auth.session?.hasElevatedPermission,
    };
  }
 }