feat(core): add version check to sign in

packages/backend/server/package.json

@@ -82,6 +82,7 @@
     "prisma": "^5.22.0",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.1",
+    "semver": "^7.6.3",
     "ses": "^1.10.0",
     "socket.io": "^4.8.1",
     "stripe": "^17.4.0",
@@ -104,6 +105,7 @@
     "@types/node": "^20.17.10",
     "@types/nodemailer": "^6.4.17",
     "@types/on-headers": "^1.0.3",
+    "@types/semver": "^7.5.8",
     "@types/sinon": "^17.0.3",
     "@types/supertest": "^6.0.2",
     "ava": "^6.2.0",

packages/backend/server/src/app.module.ts

@@ -35,6 +35,7 @@ import { SelfhostModule } from './core/selfhost';
 import { StorageModule } from './core/storage';
 import { SyncModule } from './core/sync';
 import { UserModule } from './core/user';
+import { VersionModule } from './core/version';
 import { WorkspaceModule } from './core/workspaces';
 import { REGISTERED_PLUGINS } from './plugins';
 import { ENABLED_PLUGINS } from './plugins/registry';
@@ -167,6 +168,7 @@ export function buildAppModule() {
     .useIf(
       config => config.flavor.graphql,
       ScheduleModule.forRoot(),
+      VersionModule,
       GqlModule,
       StorageModule,
       ServerConfigModule,

packages/backend/server/src/base/error/def.ts

@@ -593,4 +593,15 @@ export const USER_FRIENDLY_ERRORS = {
     type: 'bad_request',
     message: 'Captcha verification failed.',
   },
+  // version errors
+  unsupported_client_version: {
+    type: 'action_forbidden',
+    args: {
+      clientVersion: 'string',
+      recommendedVersion: 'string',
+      action: 'string',
+    },
+    message: ({ clientVersion, recommendedVersion, action }) =>
+      `Unsupported client version: ${clientVersion}, please ${action} to ${recommendedVersion}.`,
+  },
 } satisfies Record<string, UserFriendlyErrorOptions>;

packages/backend/server/src/base/error/errors.gen.ts

@@ -591,6 +591,18 @@ export class CaptchaVerificationFailed extends UserFriendlyError {
     super('bad_request', 'captcha_verification_failed', message);
   }
 }
+@ObjectType()
+class UnsupportedClientVersionDataType {
+  @Field() clientVersion!: string
+  @Field() recommendedVersion!: string
+  @Field() action!: string
+}
+
+export class UnsupportedClientVersion extends UserFriendlyError {
+  constructor(args: UnsupportedClientVersionDataType, message?: string | ((args: UnsupportedClientVersionDataType) => string)) {
+    super('action_forbidden', 'unsupported_client_version', message, args);
+  }
+}
 export enum ErrorNames {
   INTERNAL_SERVER_ERROR,
   TOO_MANY_REQUEST,
@@ -669,7 +681,8 @@ export enum ErrorNames {
   MAILER_SERVICE_IS_NOT_CONFIGURED,
   CANNOT_DELETE_ALL_ADMIN_ACCOUNT,
   CANNOT_DELETE_OWN_ACCOUNT,
-  CAPTCHA_VERIFICATION_FAILED
+  CAPTCHA_VERIFICATION_FAILED,
+  UNSUPPORTED_CLIENT_VERSION
 }
 registerEnumType(ErrorNames, {
   name: 'ErrorNames'
@@ -678,5 +691,5 @@ registerEnumType(ErrorNames, {
 export const ErrorDataUnionType = createUnionType({
   name: 'ErrorDataUnion',
   types: () =>
-    [WrongSignInCredentialsDataType, UnknownOauthProviderDataType, MissingOauthQueryParameterDataType, InvalidEmailDataType, InvalidPasswordLengthDataType, SpaceNotFoundDataType, MemberNotFoundInSpaceDataType, NotInSpaceDataType, AlreadyInSpaceDataType, SpaceAccessDeniedDataType, SpaceOwnerNotFoundDataType, DocNotFoundDataType, DocAccessDeniedDataType, VersionRejectedDataType, InvalidHistoryTimestampDataType, DocHistoryNotFoundDataType, BlobNotFoundDataType, UnsupportedSubscriptionPlanDataType, SubscriptionAlreadyExistsDataType, SubscriptionNotExistsDataType, SameSubscriptionRecurringDataType, SubscriptionPlanNotFoundDataType, CopilotMessageNotFoundDataType, CopilotPromptNotFoundDataType, CopilotProviderSideErrorDataType, RuntimeConfigNotFoundDataType, InvalidRuntimeConfigTypeDataType] as const,
+    [WrongSignInCredentialsDataType, UnknownOauthProviderDataType, MissingOauthQueryParameterDataType, InvalidEmailDataType, InvalidPasswordLengthDataType, SpaceNotFoundDataType, MemberNotFoundInSpaceDataType, NotInSpaceDataType, AlreadyInSpaceDataType, SpaceAccessDeniedDataType, SpaceOwnerNotFoundDataType, DocNotFoundDataType, DocAccessDeniedDataType, VersionRejectedDataType, InvalidHistoryTimestampDataType, DocHistoryNotFoundDataType, BlobNotFoundDataType, UnsupportedSubscriptionPlanDataType, SubscriptionAlreadyExistsDataType, SubscriptionNotExistsDataType, SameSubscriptionRecurringDataType, SubscriptionPlanNotFoundDataType, CopilotMessageNotFoundDataType, CopilotPromptNotFoundDataType, CopilotProviderSideErrorDataType, RuntimeConfigNotFoundDataType, InvalidRuntimeConfigTypeDataType, UnsupportedClientVersionDataType] as const,
 });

packages/backend/server/src/base/guard/guard.ts

@@ -18,14 +18,19 @@ export class BasicGuard implements CanActivate {
 
   async canActivate(context: ExecutionContext) {
     // get registered guard name
-    const providerName = this.reflector.get<string>(
+    const providerName = this.reflector.get<string[]>(
       BasicGuardSymbol,
       context.getHandler()
     );
 
-    const provider = GUARD_PROVIDER[providerName as NamedGuards];
-    if (provider) {
-      return await provider.canActivate(context);
+    if (Array.isArray(providerName) && providerName.length > 0) {
+      for (const name of providerName) {
+        const provider = GUARD_PROVIDER[name as NamedGuards];
+        if (provider) {
+          const ret = await provider.canActivate(context);
+          if (!ret) return false;
+        }
+      }
     }
 
     return true;
@@ -46,5 +51,5 @@ export class BasicGuard implements CanActivate {
  * }
  * ```
  */
-export const UseNamedGuard = (name: NamedGuards) =>
+export const UseNamedGuard = (...name: NamedGuards[]) =>
   applyDecorators(UseGuards(BasicGuard), SetMetadata(BasicGuardSymbol, name));

packages/backend/server/src/core/auth/controller.ts

@@ -72,6 +72,7 @@ export class AuthController {
   }
 
   @Public()
+  @UseNamedGuard('version')
   @Post('/preflight')
   async preflight(
     @Body() params?: { email: string }
@@ -103,7 +104,7 @@ export class AuthController {
   }
 
   @Public()
-  @UseNamedGuard('captcha')
+  @UseNamedGuard('version', 'captcha')
   @Post('/sign-in')
   @Header('content-type', 'application/json')
   async signIn(
@@ -236,6 +237,7 @@ export class AuthController {
   }
 
   @Public()
+  @UseNamedGuard('version')
   @Post('/magic-link')
   async magicLinkSignIn(
     @Req() req: Request,

packages/backend/server/src/core/version/config.ts

@@ -0,0 +1,29 @@
+import { defineRuntimeConfig, ModuleConfig } from '../../base/config';
+
+export interface VersionConfig {
+  enable: boolean;
+  allowedVersion: string;
+}
+
+declare module '../../base/config' {
+  interface AppConfig {
+    version: ModuleConfig<never, VersionConfig>;
+  }
+}
+
+declare module '../../base/guard' {
+  interface RegisterGuardName {
+    version: 'version';
+  }
+}
+
+defineRuntimeConfig('version', {
+  enable: {
+    desc: 'Check version of the app',
+    default: false,
+  },
+  allowedVersion: {
+    desc: 'Allowed version range of the app that can access the server',
+    default: '>=0.0.1',
+  },
+});

packages/backend/server/src/core/version/guard.ts

@@ -0,0 +1,40 @@
+import type {
+  CanActivate,
+  ExecutionContext,
+  OnModuleInit,
+} from '@nestjs/common';
+import { Injectable } from '@nestjs/common';
+
+import {
+  getRequestResponseFromContext,
+  GuardProvider,
+  Runtime,
+} from '../../base';
+import { VersionService } from './service';
+
+@Injectable()
+export class VersionGuardProvider
+  extends GuardProvider
+  implements CanActivate, OnModuleInit
+{
+  name = 'version' as const;
+
+  constructor(
+    private readonly runtime: Runtime,
+    private readonly version: VersionService
+  ) {
+    super();
+  }
+
+  async canActivate(context: ExecutionContext) {
+    if (!(await this.runtime.fetch('version/enable'))) {
+      return true;
+    }
+
+    const { req } = getRequestResponseFromContext(context);
+
+    const version = req.headers['x-affine-version'];
+
+    return this.version.checkVersion(version);
+  }
+}

packages/backend/server/src/core/version/index.ts

@@ -0,0 +1,13 @@
+import './config';
+
+import { Module } from '@nestjs/common';
+
+import { VersionGuardProvider } from './guard';
+import { VersionService } from './service';
+
+@Module({
+  providers: [VersionService, VersionGuardProvider],
+})
+export class VersionModule {}
+
+export type { VersionConfig } from './config';

packages/backend/server/src/core/version/service.ts

@@ -0,0 +1,68 @@
+import assert from 'node:assert';
+
+import { Injectable, Logger } from '@nestjs/common';
+import semver from 'semver';
+
+import { Runtime, UnsupportedClientVersion } from '../../base';
+
+@Injectable()
+export class VersionService {
+  private readonly logger = new Logger(VersionService.name);
+
+  constructor(private readonly runtime: Runtime) {}
+
+  private async getRecommendedVersion(versionRange: string) {
+    try {
+      const range = new semver.Range(versionRange);
+      const versions = range.set
+        .flat()
+        .map(c => c.semver)
+        .toSorted((a, b) => semver.rcompare(a, b));
+      return versions[0]?.toString();
+    } catch {
+      return semver.valid(semver.coerce(versionRange));
+    }
+  }
+
+  async checkVersion(clientVersion?: any) {
+    const allowedVersion = await this.runtime.fetch('version/allowedVersion');
+    const recommendedVersion = await this.getRecommendedVersion(allowedVersion);
+    if (!allowedVersion || !recommendedVersion) {
+      // ignore invalid allowed version config
+      return true;
+    }
+
+    const parsedClientVersion = semver.valid(clientVersion);
+    const action = semver.lt(parsedClientVersion || '0.0.0', recommendedVersion)
+      ? 'upgrade'
+      : 'downgrade';
+    assert(
+      typeof clientVersion === 'string' && clientVersion.length > 0,
+      new UnsupportedClientVersion({
+        clientVersion: '[Not Provided]',
+        recommendedVersion,
+        action,
+      })
+    );
+
+    if (parsedClientVersion) {
+      if (!semver.satisfies(parsedClientVersion, allowedVersion)) {
+        throw new UnsupportedClientVersion({
+          clientVersion,
+          recommendedVersion,
+          action,
+        });
+      }
+      return true;
+    } else {
+      if (clientVersion) {
+        this.logger.warn(`Invalid client version: ${clientVersion}`);
+      }
+      throw new UnsupportedClientVersion({
+        clientVersion,
+        recommendedVersion,
+        action,
+      });
+    }
+  }
+}

packages/backend/server/src/plugins/oauth/controller.ts

@@ -16,6 +16,7 @@ import {
   OauthAccountAlreadyConnected,
   OauthStateExpired,
   UnknownOauthProvider,
+  UseNamedGuard,
 } from '../../base';
 import { AuthService, Public } from '../../core/auth';
 import { UserService } from '../../core/user';
@@ -35,6 +36,7 @@ export class OAuthController {
   ) {}
 
   @Public()
+  @UseNamedGuard('version')
   @Post('/preflight')
   @HttpCode(HttpStatus.OK)
   async preflight(
@@ -64,6 +66,7 @@ export class OAuthController {
   }
 
   @Public()
+  @UseNamedGuard('version')
   @Post('/callback')
   @HttpCode(HttpStatus.OK)
   async callback(

packages/backend/server/src/schema.gql

@@ -209,7 +209,7 @@ type EditorType {
   name: String!
 }
 
-union ErrorDataUnion = AlreadyInSpaceDataType | BlobNotFoundDataType | CopilotMessageNotFoundDataType | CopilotPromptNotFoundDataType | CopilotProviderSideErrorDataType | DocAccessDeniedDataType | DocHistoryNotFoundDataType | DocNotFoundDataType | InvalidEmailDataType | InvalidHistoryTimestampDataType | InvalidPasswordLengthDataType | InvalidRuntimeConfigTypeDataType | MemberNotFoundInSpaceDataType | MissingOauthQueryParameterDataType | NotInSpaceDataType | RuntimeConfigNotFoundDataType | SameSubscriptionRecurringDataType | SpaceAccessDeniedDataType | SpaceNotFoundDataType | SpaceOwnerNotFoundDataType | SubscriptionAlreadyExistsDataType | SubscriptionNotExistsDataType | SubscriptionPlanNotFoundDataType | UnknownOauthProviderDataType | UnsupportedSubscriptionPlanDataType | VersionRejectedDataType | WrongSignInCredentialsDataType
+union ErrorDataUnion = AlreadyInSpaceDataType | BlobNotFoundDataType | CopilotMessageNotFoundDataType | CopilotPromptNotFoundDataType | CopilotProviderSideErrorDataType | DocAccessDeniedDataType | DocHistoryNotFoundDataType | DocNotFoundDataType | InvalidEmailDataType | InvalidHistoryTimestampDataType | InvalidPasswordLengthDataType | InvalidRuntimeConfigTypeDataType | MemberNotFoundInSpaceDataType | MissingOauthQueryParameterDataType | NotInSpaceDataType | RuntimeConfigNotFoundDataType | SameSubscriptionRecurringDataType | SpaceAccessDeniedDataType | SpaceNotFoundDataType | SpaceOwnerNotFoundDataType | SubscriptionAlreadyExistsDataType | SubscriptionNotExistsDataType | SubscriptionPlanNotFoundDataType | UnknownOauthProviderDataType | UnsupportedClientVersionDataType | UnsupportedSubscriptionPlanDataType | VersionRejectedDataType | WrongSignInCredentialsDataType
 
 enum ErrorNames {
   ACCESS_DENIED
@@ -282,6 +282,7 @@ enum ErrorNames {
   TOO_MANY_REQUEST
   UNKNOWN_OAUTH_PROVIDER
   UNSPLASH_IS_NOT_CONFIGURED
+  UNSUPPORTED_CLIENT_VERSION
   UNSUPPORTED_SUBSCRIPTION_PLAN
   USER_AVATAR_NOT_FOUND
   USER_NOT_FOUND
@@ -861,6 +862,12 @@ type UnknownOauthProviderDataType {
   name: String!
 }
 
+type UnsupportedClientVersionDataType {
+  action: String!
+  clientVersion: String!
+  recommendedVersion: String!
+}
+
 type UnsupportedSubscriptionPlanDataType {
   plan: String!
 }