Make Sprocket the source of truth for org-team permissions (#726)#738
Draft
- Add sprocket.user_org_team_permission table and TypeORM entity
- Resolve JWT org teams from Sprocket; optional ORG_TEAM_PERMISSION_DUAL_READ MLEDB fallback
- Admin GraphQL CRUD for org-team permissions; wire loginAsUser and replay-parse override
- Register FormerPlayerScrimGuard in MledbInterfaceModule for DI
- Document source of truth and removal plan in reports/

Co-authored-by: Jake Bailey <asaxplayinghorse@gmail.com>
Summary

Implements GitHub issue #726: org-team / LO-style permission bits used in JWTs and guards now persist in Sprocket (`sprocket.user_org_team_permission`) instead of reading `mledb.player_to_org` on every login/refresh.

What changed

- `sprocket.user_org_team_permission` (migration `1770500000000-UserOrgTeamPermission`) with unique `(userId, orgTeam)` and FK to `sprocket.user`.
- `UserOrgTeamPermissionService` — list/replace/add/remove permissions.
- `OrgTeamPermissionResolutionService` — resolves org teams for a user id; prefers Sprocket rows.
- `OauthController` — builds `orgTeams` from resolution (no direct `player_to_org` reads).
- `loginAsUser` — copies target user's resolved org teams into the short-lived token.
- `ReplayParseService` — LO/admin override uses resolution instead of MLEDB.
- `FormerPlayerScrimGuard` — short-circuits for LO/admin via resolution; still uses MLE player for the FP check (guard is now a proper `MledbInterfaceModule` provider).
- Admin GraphQL CRUD: `userOrgTeamPermissions`, `setUserOrgTeamPermissions`, `addUserOrgTeamPermission`, `removeUserOrgTeamPermission`.
- `reports/issue-726-org-team-permissions.md` — source of truth, env flag, removal plan.

Dual-read compatibility (temporary)

If a user has no Sprocket permission rows and `ORG_TEAM_PERMISSION_DUAL_READ=true`, resolution falls back to legacy `mledb.player_to_org`. Default is off so fresh environments do not hit MLEDB for auth until data is migrated or the flag is enabled during cutover.

Proof

`npm run build --workspace=core` (passes).

Follow-ups (not in this PR)

- Migrate `player_to_org` → `user_org_team_permission` for existing users.
- Remove `ORG_TEAM_PERMISSION_DUAL_READ` and the fallback code path.
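A worked model of the resolution order the description above lays out (Sprocket rows first, legacy MLEDB only when the dual-read flag is on, otherwise no claims). This is an example added here, not code from this PR or from the Sprocket project; the names `ResolutionDeps`, `resolveOrgTeams`, `parseDualReadFlag`, `makeDeps` and `demo`, and the sample rows, are assumptions of this example.

```typescript
// Example, not the PR's code: minimal model of org-team resolution with a
// fail-closed dual-read fallback. All names here are hypothetical.

export type OrgTeam = string;
export type Source = "sprocket" | "mledb" | "none";

export interface Resolved {
  teams: OrgTeam[];
  source: Source; // which store produced the claims; worth logging during cutover
}

export interface ResolutionDeps {
  // Rows from sprocket.user_org_team_permission for the user (source of truth)
  sprocketTeams: (userId: number) => OrgTeam[];
  // Legacy mledb.player_to_org lookup, consulted only when dualRead is on
  legacyTeams: (userId: number) => OrgTeam[];
  dualRead: boolean; // parsed ORG_TEAM_PERMISSION_DUAL_READ
}

// Only the literal string "true" (case-insensitive, trimmed) enables the
// fallback; an unset or mistyped variable leaves it off.
export function parseDualReadFlag(raw: string | undefined): boolean {
  return (raw ?? "").trim().toLowerCase() === "true";
}

function dedupe(teams: OrgTeam[]): OrgTeam[] {
  return Array.from(new Set(teams)).sort();
}

export function resolveOrgTeams(userId: number, deps: ResolutionDeps): Resolved {
  const rows = deps.sprocketTeams(userId);
  if (rows.length > 0) {
    // Sprocket rows win even when the flag is on; MLEDB is never consulted.
    return { teams: dedupe(rows), source: "sprocket" };
  }
  if (!deps.dualRead) {
    // Fail closed: no Sprocket rows and no fallback means no org-team claims.
    return { teams: [], source: "none" };
  }
  const legacy = deps.legacyTeams(userId);
  return legacy.length > 0
    ? { teams: dedupe(legacy), source: "mledb" }
    : { teams: [], source: "none" };
}

// Constructed sample data standing in for the two tables (not real rows).
const SPROCKET_ROWS: Record<number, OrgTeam[]> = { 1: ["LO", "LO"] };
const LEGACY_ROWS: Record<number, OrgTeam[]> = { 1: ["ADMIN"], 2: ["LO"] };

export function makeDeps(flagValue: string | undefined): ResolutionDeps {
  return {
    sprocketTeams: (id) => SPROCKET_ROWS[id] ?? [],
    legacyTeams: (id) => LEGACY_ROWS[id] ?? [],
    dualRead: parseDualReadFlag(flagValue),
  };
}

// The cases that matter for the cutover.
export function demo(): Record<string, Resolved> {
  return {
    migratedUser: resolveOrgTeams(1, makeDeps("true")),        // sprocket wins, legacy ignored
    unmigratedFlagOff: resolveOrgTeams(2, makeDeps(undefined)), // default: no claims
    unmigratedFlagOn: resolveOrgTeams(2, makeDeps("true")),    // falls back to legacy
    unknownUser: resolveOrgTeams(3, makeDeps("true")),         // nothing in either store
  };
}

console.log(demo());
```

Two points this makes visible that the prose only implies: a migrated user keeps whatever Sprocket says even if MLEDB still holds stale (here, broader) rows, and an empty Sprocket result set is indistinguishable from "not migrated yet", which is exactly why the fallback is gated by an explicit flag rather than inferred. Recording the `source` alongside issued claims gives a simple way to confirm, before the fallback path is removed, that no token is still being minted from MLEDB.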