Make Sprocket the source of truth for org-team permissions (#726)

core/migrations/1770500000000-UserOrgTeamPermission.ts

@@ -0,0 +1,33 @@
+import {MigrationInterface, QueryRunner} from "typeorm";
+
+export class UserOrgTeamPermission1770500000000 implements MigrationInterface {
+    name = "UserOrgTeamPermission1770500000000";
+
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(
+            "CREATE TABLE \"sprocket\".\"user_org_team_permission\" (\"id\" SERIAL NOT NULL, \"createdAt\" TIMESTAMP NOT NULL DEFAULT now(), \"updatedAt\" TIMESTAMP NOT NULL DEFAULT now(), \"userId\" integer NOT NULL, \"orgTeam\" smallint NOT NULL, CONSTRAINT \"PK_user_org_team_permission\" PRIMARY KEY (\"id\"))",
+        );
+        await queryRunner.query(
+            "CREATE UNIQUE INDEX \"UQ_user_org_team_user_org_team\" ON \"sprocket\".\"user_org_team_permission\" (\"userId\", \"orgTeam\")",
+        );
+        await queryRunner.query(
+            "CREATE INDEX \"user_org_team_permission_user_id_idx\" ON \"sprocket\".\"user_org_team_permission\" (\"userId\")",
+        );
+        await queryRunner.query(
+            "ALTER TABLE \"sprocket\".\"user_org_team_permission\" ADD CONSTRAINT \"FK_user_org_team_permission_user\" FOREIGN KEY (\"userId\") REFERENCES \"sprocket\".\"user\"(\"id\") ON DELETE CASCADE ON UPDATE NO ACTION",
+        );
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(
+            "ALTER TABLE \"sprocket\".\"user_org_team_permission\" DROP CONSTRAINT \"FK_user_org_team_permission_user\"",
+        );
+        await queryRunner.query(
+            "DROP INDEX \"sprocket\".\"user_org_team_permission_user_id_idx\"",
+        );
+        await queryRunner.query(
+            "DROP INDEX \"sprocket\".\"UQ_user_org_team_user_org_team\"",
+        );
+        await queryRunner.query("DROP TABLE \"sprocket\".\"user_org_team_permission\"");
+    }
+}

core/src/database/identity/identity.module.ts

@@ -3,9 +3,10 @@ import {TypeOrmModule} from "@nestjs/typeorm";
 
 import {User} from "./user";
 import {UserAuthenticationAccount} from "./user_authentication_account";
+import {UserOrgTeamPermission} from "./user_org_team_permission/user_org_team_permission.model";
 import {UserProfile} from "./user_profile";
 
-export const identityEntities = [User, UserProfile, UserAuthenticationAccount];
+export const identityEntities = [User, UserProfile, UserAuthenticationAccount, UserOrgTeamPermission];
 
 const ormModule = TypeOrmModule.forFeature(identityEntities);
 

core/src/database/identity/user_org_team_permission/user_org_team_permission.model.ts

@@ -0,0 +1,30 @@
+import {
+    Column, CreateDateColumn, Entity, Index, JoinColumn, ManyToOne, PrimaryGeneratedColumn, Unique, UpdateDateColumn,
+} from "typeorm";
+
+import {MLE_OrganizationTeam} from "../../mledb/enums/OrganizationTeam.enum";
+import {User} from "../user/user.model";
+
+@Entity({schema: "sprocket"})
+@Unique(["userId", "orgTeam"])
+@Index("user_org_team_permission_user_id_idx", ["userId"])
+export class UserOrgTeamPermission {
+    @PrimaryGeneratedColumn()
+    id: number;
+
+    @CreateDateColumn()
+    createdAt: Date;
+
+    @UpdateDateColumn()
+    updatedAt: Date;
+
+    @Column({name: "userId", type: "integer"})
+    userId: number;
+
+    @ManyToOne(() => User, {onDelete: "CASCADE"})
+    @JoinColumn({name: "userId"})
+    user: User;
+
+    @Column({name: "orgTeam", type: "smallint"})
+    orgTeam: MLE_OrganizationTeam;
+}

core/src/identity/auth/oauth/oauth.controller.ts

@@ -1,9 +1,7 @@
 import {
     Controller,
     ForbiddenException,
-    forwardRef,
     Get,
-    Inject,
     Logger,
     Request,
     Response,
@@ -16,7 +14,7 @@ import type {User} from "$db/identity/user/user.model";
 import type {UserAuthenticationAccount} from "$db/identity/user_authentication_account/user_authentication_account.model";
 import {UserAuthenticationAccountType} from "$db/identity/user_authentication_account/user_authentication_account_type.enum";
 
-import {MledbPlayerService} from "../../../mledb";
+import {OrgTeamPermissionResolutionService} from "../../user-org-team-permission/org-team-permission-resolution.service";
 import {UserService} from "../../user";
 import {DiscordAuthGuard} from "./guards";
 import {JwtRefreshGuard} from "./guards/jwt-refresh.guard";
@@ -32,8 +30,7 @@ export class OauthController {
     constructor(
         private authService: OauthService,
         private userService: UserService,
-    @Inject(forwardRef(() => MledbPlayerService))
-    private mledbUserService: MledbPlayerService,
+        private orgTeamPermissionResolution: OrgTeamPermissionResolutionService,
     ) {}
 
     @Get("login")
@@ -46,9 +43,7 @@ export class OauthController {
       = await this.userService.getUserAuthenticationAccountsForUser(ourUser.id);
         const discordAccount = authAccounts.find(obj => obj.accountType === UserAuthenticationAccountType.DISCORD);
         if (discordAccount) {
-            const player = await this.mledbUserService.getPlayerByDiscordId(discordAccount.accountId);
-            const player_to_orgs = await this.mledbUserService.getPlayerOrgs(player);
-            const orgs = player_to_orgs.map(pto => pto.orgTeam);
+            const orgs = await this.orgTeamPermissionResolution.resolveOrgTeamsForUser(ourUser.id);
             const payload: AuthPayload = {
                 sub: discordAccount.accountId,
                 username: userProfile.displayName,
@@ -73,9 +68,7 @@ export class OauthController {
       = await this.userService.getUserAuthenticationAccountsForUser(ourUser.userId);
         const discordAccount = authAccounts.find(obj => obj.accountType === UserAuthenticationAccountType.DISCORD);
         if (discordAccount) {
-            const player = await this.mledbUserService.getPlayerByDiscordId(discordAccount.accountId);
-            const player_to_orgs = await this.mledbUserService.getPlayerOrgs(player);
-            const orgs = player_to_orgs.map(pto => pto.orgTeam);
+            const orgs = await this.orgTeamPermissionResolution.resolveOrgTeamsForUser(ourUser.userId);
             const payload: AuthPayload = {
                 sub: discordAccount.accountId,
                 username: userProfile.displayName,

core/src/identity/identity.module.ts

@@ -1,11 +1,18 @@
-import {Module} from "@nestjs/common";
+import {forwardRef, Module} from "@nestjs/common";
 import {JwtModule} from "@nestjs/jwt";
 import {config} from "@sprocketbot/common";
+import {TypeOrmModule} from "@nestjs/typeorm";
+
+import {UserOrgTeamPermission} from "$db/identity/user_org_team_permission/user_org_team_permission.model";
 
 import {DatabaseModule} from "../database";
+import {MledbInterfaceModule} from "../mledb";
 import {UtilModule} from "../util/util.module";
 import {IdentityController} from "./identity.controller";
 import {IdentityService} from "./identity.service";
+import {OrgTeamPermissionResolutionService} from "./user-org-team-permission/org-team-permission-resolution.service";
+import {UserOrgTeamPermissionService} from "./user-org-team-permission/user-org-team-permission.service";
+import {UserOrgTeamPermissionResolver} from "./user-org-team-permission/user-org-team-permission.resolver";
 import {
     UserController, UserResolver, UserService,
 } from "./user";
@@ -14,14 +21,24 @@ import {UserAuthenticationAccountResolver} from "./user-authentication-account";
 @Module({
     imports: [
         DatabaseModule,
+        TypeOrmModule.forFeature([UserOrgTeamPermission]),
+        forwardRef(() => MledbInterfaceModule),
         UtilModule,
         JwtModule.register({
             secret: config.auth.jwt_secret,
             signOptions: {expiresIn: config.auth.jwt_expiry},
         }),
     ],
-    providers: [IdentityService, UserResolver, UserAuthenticationAccountResolver, UserService],
-    exports: [IdentityService, UserService],
+    providers: [
+        IdentityService,
+        UserResolver,
+        UserAuthenticationAccountResolver,
+        UserService,
+        UserOrgTeamPermissionService,
+        UserOrgTeamPermissionResolver,
+        OrgTeamPermissionResolutionService,
+    ],
+    exports: [IdentityService, UserService, UserOrgTeamPermissionService, OrgTeamPermissionResolutionService],
     controllers: [IdentityController, UserController],
 })
 export class IdentityModule {}

core/src/identity/user-org-team-permission/org-team-permission-resolution.service.ts

@@ -0,0 +1,78 @@
+import {forwardRef, Inject, Injectable, Logger} from "@nestjs/common";
+
+import type {MLE_OrganizationTeam} from "../../database/mledb";
+import {MledbPlayerService} from "../../mledb/mledb-player/mledb-player.service";
+import {UserOrgTeamPermissionService} from "./user-org-team-permission.service";
+
+/**
+ * Runtime org-team permissions for JWT and guards.
+ *
+ * **Source of truth:** `sprocket.user_org_team_permission` (see {@link UserOrgTeamPermissionService}).
+ *
+ * **Temporary dual-read:** When `ORG_TEAM_PERMISSION_DUAL_READ=true`, always loads legacy
+ * `mledb.player_to_org` as well, compares the two sets, and logs on mismatch. Effective permissions
+ * still prefer Sprocket when it has rows; otherwise MLEDB is used only under dual-read (unbackfilled
+ * users). Remove the env var and this branch once migration is validated.
+ */
+@Injectable()
+export class OrgTeamPermissionResolutionService {
+    private readonly logger = new Logger(OrgTeamPermissionResolutionService.name);
+
+    constructor(
+        private readonly userOrgTeamPermissionService: UserOrgTeamPermissionService,
+        @Inject(forwardRef(() => MledbPlayerService))
+        private readonly mledbPlayerService: MledbPlayerService,
+    ) {}
+
+    private orgTeamSetsEqual(a: MLE_OrganizationTeam[], b: MLE_OrganizationTeam[]): boolean {
+        if (a.length !== b.length) return false;
+        const sb = new Set(b);
+        return a.every(x => sb.has(x));
+    }
+
+    private formatOrgTeamSet(teams: MLE_OrganizationTeam[]): string {
+        return [...new Set(teams)].sort((x, y) => x - y).join(",");
+    }
+
+    async resolveOrgTeamsForUser(userId: number): Promise<MLE_OrganizationTeam[]> {
+        const fromSprocket = await this.userOrgTeamPermissionService.listOrgTeamsForUser(userId);
+        const dualRead = process.env.ORG_TEAM_PERMISSION_DUAL_READ === "true";
+
+        let fromMledb: MLE_OrganizationTeam[] = [];
+        if (dualRead) {
+            try {
+                const player = await this.mledbPlayerService.getMlePlayerBySprocketUser(userId);
+                const legacy = await this.mledbPlayerService.getPlayerOrgs(player);
+                fromMledb = [...new Set(legacy.map(row => row.orgTeam))];
+            } catch (err) {
+                this.logger.verbose(
+                    `Dual-read MLEDB load failed for userId=${userId}: ${(err as Error).message}`,
+                );
+            }
+        }
+
+        if (dualRead && (fromSprocket.length > 0 || fromMledb.length > 0)) {
+            if (!this.orgTeamSetsEqual(fromSprocket, fromMledb)) {
+                const detail
+                    = `userId=${userId} sprocket=[${this.formatOrgTeamSet(fromSprocket)}] mledb=[${this.formatOrgTeamSet(fromMledb)}]`;
+                if (fromSprocket.length > 0 && fromMledb.length > 0) {
+                    this.logger.warn(`Org-team dual-read mismatch (both non-empty): ${detail}`);
+                } else if (fromSprocket.length === 0 && fromMledb.length > 0) {
+                    this.logger.verbose(
+                        `Org-team dual-read: no Sprocket rows, MLEDB has org teams (expected until backfill): ${detail}`,
+                    );
+                } else {
+                    this.logger.warn(`Org-team dual-read mismatch (Sprocket non-empty, MLEDB empty): ${detail}`);
+                }
+            }
+        }
+
+        if (fromSprocket.length > 0) {
+            return fromSprocket;
+        }
+        if (dualRead && fromMledb.length > 0) {
+            return fromMledb;
+        }
+        return [];
+    }
+}

core/src/identity/user-org-team-permission/user-org-team-permission.resolver.ts

@@ -0,0 +1,54 @@
+import {UseGuards} from "@nestjs/common";
+import {
+    Args, Int, Mutation, Query, registerEnumType, Resolver,
+} from "@nestjs/graphql";
+
+import {MLE_OrganizationTeam} from "../../database/mledb";
+import {MLEOrganizationTeamGuard} from "../../mledb/mledb-player/mle-organization-team.guard";
+import {GqlJwtGuard} from "../auth/gql-auth-guard";
+import {UserOrgTeamPermissionService} from "./user-org-team-permission.service";
+
+registerEnumType(MLE_OrganizationTeam, {name: "MLE_OrganizationTeam"});
+
+@Resolver()
+export class UserOrgTeamPermissionResolver {
+    constructor(private readonly permissionService: UserOrgTeamPermissionService) {}
+
+    @Query(() => [MLE_OrganizationTeam])
+    @UseGuards(GqlJwtGuard, MLEOrganizationTeamGuard(MLE_OrganizationTeam.MLEDB_ADMIN))
+    async userOrgTeamPermissions(
+    @Args("userId", {type: () => Int}) userId: number,
+    ): Promise<MLE_OrganizationTeam[]> {
+        return this.permissionService.listOrgTeamsForUser(userId);
+    }
+
+    @Mutation(() => [MLE_OrganizationTeam])
+    @UseGuards(GqlJwtGuard, MLEOrganizationTeamGuard(MLE_OrganizationTeam.MLEDB_ADMIN))
+    async setUserOrgTeamPermissions(
+    @Args("userId", {type: () => Int}) userId: number,
+    @Args("orgTeams", {type: () => [MLE_OrganizationTeam]}) orgTeams: MLE_OrganizationTeam[],
+    ): Promise<MLE_OrganizationTeam[]> {
+        await this.permissionService.replaceAllForUser(userId, orgTeams);
+        return this.permissionService.listOrgTeamsForUser(userId);
+    }
+
+    @Mutation(() => Boolean)
+    @UseGuards(GqlJwtGuard, MLEOrganizationTeamGuard(MLE_OrganizationTeam.MLEDB_ADMIN))
+    async addUserOrgTeamPermission(
+    @Args("userId", {type: () => Int}) userId: number,
+    @Args("orgTeam", {type: () => MLE_OrganizationTeam}) orgTeam: MLE_OrganizationTeam,
+    ): Promise<boolean> {
+        await this.permissionService.addForUser(userId, orgTeam);
+        return true;
+    }
+
+    @Mutation(() => Boolean)
+    @UseGuards(GqlJwtGuard, MLEOrganizationTeamGuard(MLE_OrganizationTeam.MLEDB_ADMIN))
+    async removeUserOrgTeamPermission(
+    @Args("userId", {type: () => Int}) userId: number,
+    @Args("orgTeam", {type: () => MLE_OrganizationTeam}) orgTeam: MLE_OrganizationTeam,
+    ): Promise<boolean> {
+        await this.permissionService.removeForUser(userId, orgTeam);
+        return true;
+    }
+}

core/src/identity/user-org-team-permission/user-org-team-permission.service.ts

@@ -0,0 +1,44 @@
+import {Injectable} from "@nestjs/common";
+import {InjectRepository} from "@nestjs/typeorm";
+import {In, Repository} from "typeorm";
+
+import {UserOrgTeamPermission} from "$db/identity/user_org_team_permission/user_org_team_permission.model";
+import {MLE_OrganizationTeam} from "../../database/mledb";
+
+@Injectable()
+export class UserOrgTeamPermissionService {
+    constructor(
+    @InjectRepository(UserOrgTeamPermission)
+    private readonly repo: Repository<UserOrgTeamPermission>,
+    ) {}
+
+    async listOrgTeamsForUser(userId: number): Promise<MLE_OrganizationTeam[]> {
+        const rows = await this.repo.find({where: {userId} });
+        return [...new Set(rows.map(r => r.orgTeam))];
+    }
+
+    async replaceAllForUser(userId: number, orgTeams: MLE_OrganizationTeam[]): Promise<void> {
+        const unique = [...new Set(orgTeams)];
+        await this.repo.manager.transaction(async em => {
+            await em.delete(UserOrgTeamPermission, {userId});
+            if (unique.length === 0) return;
+            await em.insert(
+                UserOrgTeamPermission,
+                unique.map(orgTeam => ({userId, orgTeam})),
+            );
+        });
+    }
+
+    async addForUser(userId: number, orgTeam: MLE_OrganizationTeam): Promise<void> {
+        await this.repo.upsert({userId, orgTeam}, {conflictPaths: ["userId", "orgTeam"]});
+    }
+
+    async removeForUser(userId: number, orgTeam: MLE_OrganizationTeam): Promise<void> {
+        await this.repo.delete({userId, orgTeam});
+    }
+
+    async removeAllForUsers(userIds: number[]): Promise<void> {
+        if (userIds.length === 0) return;
+        await this.repo.delete({userId: In(userIds)});
+    }
+}

core/src/identity/user/user.resolver.ts

@@ -19,6 +19,7 @@ import {UserPayload} from "../auth";
 import {CurrentUser} from "../auth/current-user.decorator";
 import {GqlJwtGuard} from "../auth/gql-auth-guard";
 import {IdentityService} from "../identity.service";
+import {OrgTeamPermissionResolutionService} from "../user-org-team-permission/org-team-permission-resolution.service";
 import {UserService} from "./user.service";
 
 @Resolver(() => User)
@@ -30,6 +31,7 @@ export class UserResolver {
         private readonly userService: UserService,
         private readonly popService: PopulateService,
         private readonly jwtService: JwtService,
+        private readonly orgTeamPermissionResolution: OrgTeamPermissionResolutionService,
     ) {}
 
     @Query(() => User)
@@ -98,12 +100,13 @@ export class UserResolver {
     @Args("organizationId", {type: () => Int, nullable: true}) organizationId?: number,
     ): Promise<string> {
         const user = await this.userService.getUserById(userId, {relations: {profile: true} });
+        const orgTeams = await this.orgTeamPermissionResolution.resolveOrgTeamsForUser(user.id);
         const payload: AuthPayload = {
             sub: `${user.id}`,
             username: user.profile.displayName,
             userId: user.id,
             currentOrganizationId: organizationId ?? config.defaultOrganizationId,
-            orgTeams: [],
+            orgTeams,
         };
 
         this.logger.log(`${authedUser.username} (${authedUser.userId}) generated an authentication token for ${user.profile.displayName} (${user.id})`);