speckle-server/packages/server/modules/gatekeeper/services/featureAuthorization.ts

import type { GetWorkspacePlan } from '@/modules/gatekeeper/domain/billing'
import type {
  CanWorkspaceAccessFeature,
  WorkspaceFeatureAccessFunction
} from '@/modules/gatekeeper/domain/operations'
import { getFeatureFlags } from '@/modules/shared/helpers/envHelper'
import {
  throwUncoveredError,
  workspacePlanHasAccessToFeature,
  isPlanFeature,
  isWorkspaceFeatureFlagOn
} from '@speckle/shared'

export const canWorkspaceAccessFeatureFactory =
  ({
    getWorkspacePlan
  }: {
    getWorkspacePlan: GetWorkspacePlan
  }): CanWorkspaceAccessFeature =>
  async ({ workspaceId, workspaceFeature }) => {
    const workspacePlan = await getWorkspacePlan({ workspaceId })
    if (!workspacePlan) return false
    switch (workspacePlan.status) {
      case 'valid':
      case 'paymentFailed':
      case 'cancelationScheduled':
        break
      case 'canceled':
        return false
      default:
        throwUncoveredError(workspacePlan)
    }
    if (isPlanFeature(workspaceFeature))
      return workspacePlanHasAccessToFeature({
        plan: workspacePlan.name,
        feature: workspaceFeature,
        featureFlags: getFeatureFlags()
      })
    const isFlagOn = isWorkspaceFeatureFlagOn({
      workspaceFeatureFlags: workspacePlan.featureFlags,
      feature: workspaceFeature
    })
    return isFlagOn
  }

export const canWorkspaceUseOidcSsoFactory =
  (deps: { getWorkspacePlan: GetWorkspacePlan }): WorkspaceFeatureAccessFunction =>
  async ({ workspaceId }) =>
    canWorkspaceAccessFeatureFactory(deps)({ workspaceId, workspaceFeature: 'oidcSso' })

export const canWorkspaceUseRegionsFactory =
  (deps: { getWorkspacePlan: GetWorkspacePlan }): WorkspaceFeatureAccessFunction =>
  async ({ workspaceId }) =>
    canWorkspaceAccessFeatureFactory(deps)({
      workspaceId,
      workspaceFeature: 'workspaceDataRegionSpecificity'
    })

export const canWorkspaceUseDomainBasedSecurityPolicies =
  (deps: { getWorkspacePlan: GetWorkspacePlan }): WorkspaceFeatureAccessFunction =>
  async ({ workspaceId }) =>
    canWorkspaceAccessFeatureFactory(deps)({
      workspaceId,
      workspaceFeature: 'domainBasedSecurityPolicies'
    })