schema migration and handlers stubbed out

apps/server/src/api/v2/index.ts

@@ -4,6 +4,7 @@ import healthcheckRoutes from '../healthcheck';
 import chatsRoutes from './chats';
 import currencyRoutes from './currency';
 import electricShapeRoutes from './electric-shape';
+import securityRoutes from './security';
 import slackRoutes from './slack';
 import supportRoutes from './support';
 import userRoutes from './users';
@@ -15,6 +16,7 @@ const app = new Hono()
   .route('/chats', chatsRoutes)
   .route('/slack', slackRoutes)
   .route('/currency', currencyRoutes)
-  .route('/support', supportRoutes);
+  .route('/support', supportRoutes)
+  .route('/security', securityRoutes);
 
 export default app;

apps/server/src/api/v2/security/add-approved-domains.ts

@@ -0,0 +1,16 @@
+import type {
+  AddApprovedDomainRequest,
+  AddApprovedDomainsResponse,
+} from '@buster/server-shared/security';
+import type { User } from '@buster/database';
+
+export async function addApprovedDomainsHandler(
+  request: AddApprovedDomainRequest,
+  user: User
+): Promise<AddApprovedDomainsResponse> {
+  // TODO: Implement add approved domains logic
+  return request.domains.map((domain) => ({
+    domain,
+    created_at: new Date().toISOString(),
+  }));
+}

apps/server/src/api/v2/security/get-approved-domains.ts

@@ -0,0 +1,14 @@
+import type { GetApprovedDomainsResponse } from '@buster/server-shared/security';
+import type { User } from '@buster/database';
+
+export async function getApprovedDomainsHandler(
+  user: User
+): Promise<GetApprovedDomainsResponse> {
+  // TODO: Implement get approved domains logic
+  return [
+    {
+      domain: 'example.com',
+      created_at: new Date().toISOString(),
+    },
+  ];
+}

apps/server/src/api/v2/security/get-workspace-settings.ts

@@ -0,0 +1,18 @@
+import type { GetWorkspaceSettingsResponse } from '@buster/server-shared/security';
+import type { User } from '@buster/database';
+
+export async function getWorkspaceSettingsHandler(
+  user: User
+): Promise<GetWorkspaceSettingsResponse> {
+  // TODO: Implement get workspace settings logic
+  return {
+    restrict_new_user_invitations: false,
+    default_role: 'viewer',
+    default_datasets: [
+      {
+        id: '00000000-0000-0000-0000-000000000000',
+        name: 'Default Dataset',
+      },
+    ],
+  };
+}

apps/server/src/api/v2/security/index.ts

@@ -0,0 +1,62 @@
+import {
+  AddApprovedDomainRequestSchema,
+  RemoveApprovedDomainRequestSchema,
+  UpdateWorkspaceSettingsRequestSchema,
+} from '@buster/server-shared/security';
+import { zValidator } from '@hono/zod-validator';
+import { Hono } from 'hono';
+import { requireAuth } from '../../../middleware/auth';
+import '../../../types/hono.types';
+import { HTTPException } from 'hono/http-exception';
+import { getApprovedDomainsHandler } from './get-approved-domains';
+import { addApprovedDomainsHandler } from './add-approved-domains';
+import { removeApprovedDomainsHandler } from './remove-approved-domains';
+import { getWorkspaceSettingsHandler } from './get-workspace-settings';
+import { updateWorkspaceSettingsHandler } from './update-workspace-settings';
+
+const app = new Hono()
+  // Apply authentication middleware
+  .use('*', requireAuth)
+  
+  // Approved Domains endpoints
+  .get('/approved-domains', async (c) => {
+    const user = c.get('busterUser');
+    const response = await getApprovedDomainsHandler(user);
+    return c.json(response);
+  })
+  .post('/approved-domains', zValidator('json', AddApprovedDomainRequestSchema), async (c) => {
+    const request = c.req.valid('json');
+    const user = c.get('busterUser');
+    const response = await addApprovedDomainsHandler(request, user);
+    return c.json(response);
+  })
+  .delete('/approved-domains', zValidator('json', RemoveApprovedDomainRequestSchema), async (c) => {
+    const request = c.req.valid('json');
+    const user = c.get('busterUser');
+    const response = await removeApprovedDomainsHandler(request, user);
+    return c.json(response);
+  })
+  
+  // Workspace Settings endpoints
+  .get('/workspace-settings', async (c) => {
+    const user = c.get('busterUser');
+    const response = await getWorkspaceSettingsHandler(user);
+    return c.json(response);
+  })
+  .patch('/workspace-settings', zValidator('json', UpdateWorkspaceSettingsRequestSchema), async (c) => {
+    const request = c.req.valid('json');
+    const user = c.get('busterUser');
+    const response = await updateWorkspaceSettingsHandler(request, user);
+    return c.json(response);
+  })
+  .onError((e, _c) => {
+    if (e instanceof HTTPException) {
+      return e.getResponse();
+    }
+    
+    throw new HTTPException(500, {
+      message: 'Internal server error',
+    });
+  });
+
+export default app;

apps/server/src/api/v2/security/remove-approved-domains.ts

@@ -0,0 +1,13 @@
+import type {
+  RemoveApprovedDomainRequest,
+  RemoveApprovedDomainsResponse,
+} from '@buster/server-shared/security';
+import type { User } from '@buster/database';
+
+export async function removeApprovedDomainsHandler(
+  request: RemoveApprovedDomainRequest,
+  user: User
+): Promise<RemoveApprovedDomainsResponse> {
+  // TODO: Implement remove approved domains logic
+  return [];
+}

apps/server/src/api/v2/security/update-workspace-settings.ts

@@ -0,0 +1,22 @@
+import type {
+  UpdateWorkspaceSettingsRequest,
+  UpdateWorkspaceSettingsResponse,
+} from '@buster/server-shared/security';
+import type { User } from '@buster/database';
+
+export async function updateWorkspaceSettingsHandler(
+  request: UpdateWorkspaceSettingsRequest,
+  user: User
+): Promise<UpdateWorkspaceSettingsResponse> {
+  // TODO: Implement update workspace settings logic
+  return {
+    restrict_new_user_invitations: request.restrict_new_user_invitations ?? false,
+    default_role: request.default_role ?? 'viewer',
+    default_datasets: [
+      {
+        id: '00000000-0000-0000-0000-000000000000',
+        name: 'Default Dataset',
+      },
+    ],
+  };
+}

packages/database/drizzle/0076_tired_madripoor.sql

@@ -0,0 +1,8 @@
+ALTER TABLE "asset_permissions" ALTER COLUMN "role" SET DATA TYPE text;--> statement-breakpoint
+DROP TYPE "public"."asset_permission_role_enum";--> statement-breakpoint
+CREATE TYPE "public"."asset_permission_role_enum" AS ENUM('owner', 'viewer', 'full_access', 'can_edit', 'can_filter', 'can_view');--> statement-breakpoint
+ALTER TABLE "asset_permissions" ALTER COLUMN "role" SET DATA TYPE "public"."asset_permission_role_enum" USING "role"::"public"."asset_permission_role_enum";--> statement-breakpoint
+ALTER TABLE "messages" ADD COLUMN "post_processing_message" jsonb;--> statement-breakpoint
+ALTER TABLE "organizations" ADD COLUMN "domains" text[];--> statement-breakpoint
+ALTER TABLE "organizations" ADD COLUMN "restrict_new_user_invitations" boolean DEFAULT false NOT NULL;--> statement-breakpoint
+ALTER TABLE "organizations" ADD COLUMN "defaultRole" "user_organization_role_enum" DEFAULT 'restricted_querier' NOT NULL;

packages/database/drizzle/meta/_journal.json

@@ -533,6 +533,13 @@
       "when": 1751584000000,
       "tag": "0075_add_post_processing_message_to_messages",
       "breakpoints": false
+    },
+    {
+      "idx": 76,
+      "version": "7",
+      "when": 1752091186136,
+      "tag": "0076_tired_madripoor",
+      "breakpoints": true
     }
   ]
 }

packages/database/src/schema.ts

@@ -1018,6 +1018,9 @@ export const organizations = pgTable(
       .notNull(),
     deletedAt: timestamp('deleted_at', { withTimezone: true, mode: 'string' }),
     paymentRequired: boolean('payment_required').default(false).notNull(),
+    domains: text('domains').array(),
+    restrictNewUserInvitations: boolean('restrict_new_user_invitations').default(false).notNull(),
+    defaultRole: userOrganizationRoleEnum().default('restricted_querier').notNull(),
   },
   (table) => [unique('organizations_name_key').on(table.name)]
 );