fix worker server (#390)

our staging deploys still use workers, this should unbreak them, and
also appropriately error if we attempt to generate a read-only access
token since those are not supported in the worker

crates/y-sweet-core/src/api_types.rs

@@ -6,7 +6,7 @@ pub struct NewDocResponse {
     pub doc_id: String,
 }
 
-#[derive(Copy, Clone, Serialize, Deserialize)]
+#[derive(Copy, Clone, Serialize, Deserialize, PartialEq)]
 pub enum Authorization {
     #[serde(rename = "read-only")]
     ReadOnly,

crates/y-sweet-core/src/doc_connection.rs

@@ -42,11 +42,15 @@ pub struct DocConnection {
 
 impl DocConnection {
     #[cfg(not(feature = "sync"))]
-    pub fn new<F>(awareness: Arc<RwLock<Awareness>>, callback: F) -> Self
+    pub fn new<F>(
+        awareness: Arc<RwLock<Awareness>>,
+        authorization: Authorization,
+        callback: F,
+    ) -> Self
     where
         F: Fn(&[u8]) + 'static,
     {
-        Self::new_inner(awareness, Arc::new(callback))
+        Self::new_inner(awareness, authorization, Arc::new(callback))
     }
 
     #[cfg(feature = "sync")]

crates/y-sweet-worker/src/durable_object.rs

@@ -9,7 +9,9 @@ use worker::{
 };
 #[allow(unused)]
 use worker_sys::console_log;
-use y_sweet_core::{doc_connection::DocConnection, doc_sync::DocWithSyncKv};
+use y_sweet_core::{
+    api_types::Authorization, doc_connection::DocConnection, doc_sync::DocWithSyncKv,
+};
 
 #[durable_object]
 pub struct YServe {
@@ -170,7 +172,7 @@ async fn websocket_connect(req: Request, ctx: RouteContext<&mut YServe>) -> Resu
 
     let connection = {
         let server = server.clone();
-        DocConnection::new(awareness, move |bytes| {
+        DocConnection::new(awareness, Authorization::Full, move |bytes| {
             let uint8_array = Uint8Array::from(bytes);
             let result = server
                 .as_ref()

crates/y-sweet-worker/src/lib.rs

@@ -9,7 +9,8 @@ use worker::{event, Env};
 use worker::{Date, Method, Request, Response, ResponseBody, Result, RouteContext, Router, Url};
 use y_sweet_core::{
     api_types::{
-        validate_doc_name, AuthDocRequest, ClientToken, DocCreationRequest, NewDocResponse,
+        validate_doc_name, AuthDocRequest, Authorization, ClientToken, DocCreationRequest,
+        NewDocResponse,
     },
     auth::{Authenticator, ExpirationTimeEpochMillis, DEFAULT_EXPIRATION_SECONDS},
     doc_sync::DocWithSyncKv,
@@ -213,14 +214,19 @@ async fn auth_doc(
         .await
         .map_err(|_| Error::BadRequest)?;
 
+    if body.authorization != Authorization::Full {
+        // Non-full authorization is not supported on the worker.
+        return Err(Error::BadRequest);
+    }
+
     let valid_time_seconds = body.valid_for_seconds.unwrap_or(DEFAULT_EXPIRATION_SECONDS);
     let expiration_time =
         ExpirationTimeEpochMillis(get_time_millis_since_epoch() + valid_time_seconds * 1000);
 
     let token = ctx
         .data
         .auth()?
-        .map(|auth| auth.gen_doc_token(&doc_id, expiration_time));
+        .map(|auth| auth.gen_doc_token(&doc_id, body.authorization, expiration_time));
 
     let url = if let Some(url_prefix) = &ctx.data.config.url_prefix {
         let mut parsed = Url::parse(url_prefix).map_err(|_| Error::ConfigurationError {
@@ -262,6 +268,7 @@ async fn auth_doc(
     Ok(ClientToken {
         url,
         base_url: None,
+        authorization: body.authorization,
         doc_id: doc_id.to_string(),
         token,
     })