Files
simstudioai--sim/apps/sim/lib/auth/ban.ts
T
wehub-resource-sync d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:20:55 +08:00

54 lines
2.1 KiB
TypeScript

import { db, user } from '@sim/db'
import { inArray, sql } from 'drizzle-orm'
import { getAccessControlConfig, isEmailBlockedByAccessControl } from '@/lib/auth/access-control'
/**
* True when a ban is currently in effect. Mirrors better-auth admin-plugin
* semantics: a ban whose `banExpires` is in the past is treated as lifted.
*/
export function isBanActive(row: { banned: boolean | null; banExpires: Date | null }): boolean {
if (!row.banned) return false
if (row.banExpires && row.banExpires.getTime() <= Date.now()) return false
return true
}
/**
* True when a raw email (e.g. an inbound sender) is blocked: it is in the
* appconfig blocked-emails list, its domain is in the blocked-domains list,
* or it belongs to an account with an active ban. Covers senders that don't
* resolve to a known user id.
*/
export async function isEmailBlocked(email: string | null | undefined): Promise<boolean> {
if (!email) return false
const accessControl = await getAccessControlConfig()
if (isEmailBlockedByAccessControl(email, accessControl)) return true
const rows = await db
.select({ banned: user.banned, banExpires: user.banExpires })
.from(user)
.where(sql`lower(${user.email}) = ${email.toLowerCase()}`)
return rows.some(isBanActive)
}
/**
* Returns the subset of the given user ids that are currently blocked: an
* active account ban, or an email/domain in the appconfig blocked lists.
* One user query plus the cached access-control fetch. Throws on db
* failure — callers must fail closed.
*/
export async function getActivelyBannedUserIds(userIds: string[]): Promise<string[]> {
const ids = [...new Set(userIds.filter(Boolean))]
if (ids.length === 0) return []
const [accessControl, rows] = await Promise.all([
getAccessControlConfig(),
db
.select({ id: user.id, email: user.email, banned: user.banned, banExpires: user.banExpires })
.from(user)
.where(inArray(user.id, ids)),
])
return rows
.filter((row) => isBanActive(row) || isEmailBlockedByAccessControl(row.email, accessControl))
.map((row) => row.id)
}