From db9709a3308929e4e8c22f7f01d2cc13b862010d Mon Sep 17 00:00:00 2001
From: Paul Butler <paul@driftingin.space>
Date: Wed, 5 Feb 2025 13:08:54 -0500
Subject: [PATCH] fix worker server (#390)

our staging deploys still use workers, this should unbreak them, and
also appropriately error if we attempt to generate a read-only access
token since those are not supported in the worker
---
 crates/y-sweet-core/src/api_types.rs        |  2 +-
 crates/y-sweet-core/src/doc_connection.rs   |  8 ++++++--
 crates/y-sweet-worker/Cargo.lock            |  4 ++--
 crates/y-sweet-worker/src/durable_object.rs |  6 ++++--
 crates/y-sweet-worker/src/lib.rs            | 11 +++++++++--
 5 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/crates/y-sweet-core/src/api_types.rs b/crates/y-sweet-core/src/api_types.rs
index 7c7d0496..5c45ad6c 100644
--- a/crates/y-sweet-core/src/api_types.rs
+++ b/crates/y-sweet-core/src/api_types.rs
@@ -6,7 +6,7 @@ pub struct NewDocResponse {
     pub doc_id: String,
 }
 
-#[derive(Copy, Clone, Serialize, Deserialize)]
+#[derive(Copy, Clone, Serialize, Deserialize, PartialEq)]
 pub enum Authorization {
     #[serde(rename = "read-only")]
     ReadOnly,
diff --git a/crates/y-sweet-core/src/doc_connection.rs b/crates/y-sweet-core/src/doc_connection.rs
index 9f90defb..f8c90ae9 100644
--- a/crates/y-sweet-core/src/doc_connection.rs
+++ b/crates/y-sweet-core/src/doc_connection.rs
@@ -42,11 +42,15 @@ pub struct DocConnection {
 
 impl DocConnection {
     #[cfg(not(feature = "sync"))]
-    pub fn new<F>(awareness: Arc<RwLock<Awareness>>, callback: F) -> Self
+    pub fn new<F>(
+        awareness: Arc<RwLock<Awareness>>,
+        authorization: Authorization,
+        callback: F,
+    ) -> Self
     where
         F: Fn(&[u8]) + 'static,
     {
-        Self::new_inner(awareness, Arc::new(callback))
+        Self::new_inner(awareness, authorization, Arc::new(callback))
     }
 
     #[cfg(feature = "sync")]
diff --git a/crates/y-sweet-worker/Cargo.lock b/crates/y-sweet-worker/Cargo.lock
index 8fd74e08..d3032891 100644
--- a/crates/y-sweet-worker/Cargo.lock
+++ b/crates/y-sweet-worker/Cargo.lock
@@ -1,6 +1,6 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
-version = 3
+version = 4
 
 [[package]]
 name = "addr2line"
@@ -1533,7 +1533,7 @@ dependencies = [
 
 [[package]]
 name = "y-sweet-core"
-version = "0.5.0"
+version = "0.8.2"
 dependencies = [
  "anyhow",
  "async-trait",
diff --git a/crates/y-sweet-worker/src/durable_object.rs b/crates/y-sweet-worker/src/durable_object.rs
index 68b07671..bd3c116d 100644
--- a/crates/y-sweet-worker/src/durable_object.rs
+++ b/crates/y-sweet-worker/src/durable_object.rs
@@ -9,7 +9,9 @@ use worker::{
 };
 #[allow(unused)]
 use worker_sys::console_log;
-use y_sweet_core::{doc_connection::DocConnection, doc_sync::DocWithSyncKv};
+use y_sweet_core::{
+    api_types::Authorization, doc_connection::DocConnection, doc_sync::DocWithSyncKv,
+};
 
 #[durable_object]
 pub struct YServe {
@@ -170,7 +172,7 @@ async fn websocket_connect(req: Request, ctx: RouteContext<&mut YServe>) -> Resu
 
     let connection = {
         let server = server.clone();
-        DocConnection::new(awareness, move |bytes| {
+        DocConnection::new(awareness, Authorization::Full, move |bytes| {
             let uint8_array = Uint8Array::from(bytes);
             let result = server
                 .as_ref()
diff --git a/crates/y-sweet-worker/src/lib.rs b/crates/y-sweet-worker/src/lib.rs
index f4acbdcd..ea27962a 100644
--- a/crates/y-sweet-worker/src/lib.rs
+++ b/crates/y-sweet-worker/src/lib.rs
@@ -9,7 +9,8 @@ use worker::{event, Env};
 use worker::{Date, Method, Request, Response, ResponseBody, Result, RouteContext, Router, Url};
 use y_sweet_core::{
     api_types::{
-        validate_doc_name, AuthDocRequest, ClientToken, DocCreationRequest, NewDocResponse,
+        validate_doc_name, AuthDocRequest, Authorization, ClientToken, DocCreationRequest,
+        NewDocResponse,
     },
     auth::{Authenticator, ExpirationTimeEpochMillis, DEFAULT_EXPIRATION_SECONDS},
     doc_sync::DocWithSyncKv,
@@ -213,6 +214,11 @@ async fn auth_doc(
         .await
         .map_err(|_| Error::BadRequest)?;
 
+    if body.authorization != Authorization::Full {
+        // Non-full authorization is not supported on the worker.
+        return Err(Error::BadRequest);
+    }
+
     let valid_time_seconds = body.valid_for_seconds.unwrap_or(DEFAULT_EXPIRATION_SECONDS);
     let expiration_time =
         ExpirationTimeEpochMillis(get_time_millis_since_epoch() + valid_time_seconds * 1000);
@@ -220,7 +226,7 @@ async fn auth_doc(
     let token = ctx
         .data
         .auth()?
-        .map(|auth| auth.gen_doc_token(&doc_id, expiration_time));
+        .map(|auth| auth.gen_doc_token(&doc_id, body.authorization, expiration_time));
 
     let url = if let Some(url_prefix) = &ctx.data.config.url_prefix {
         let mut parsed = Url::parse(url_prefix).map_err(|_| Error::ConfigurationError {
@@ -262,6 +268,7 @@ async fn auth_doc(
     Ok(ClientToken {
         url,
         base_url: None,
+        authorization: body.authorization,
         doc_id: doc_id.to_string(),
         token,
     })