mirror of
https://github.com/twentyhq/twenty
synced 2026-04-21 13:37:22 +00:00
Some checks are pending
CD deploy main / deploy-main (push) Waiting to run
CI Create App E2E minimal / changed-files-check (push) Waiting to run
CI Create App E2E minimal / create-app-e2e-minimal (push) Blocked by required conditions
CI Create App E2E minimal / ci-create-app-e2e-minimal-status-check (push) Blocked by required conditions
CI Emails / emails-test (push) Blocked by required conditions
CI Example App Hello World / ci-example-app-hello-world-status-check (push) Blocked by required conditions
CI Example App Postcard / changed-files-check (push) Waiting to run
CI Example App Postcard / example-app-postcard (push) Blocked by required conditions
CI Example App Postcard / ci-example-app-postcard-status-check (push) Blocked by required conditions
Push translations to Crowdin / Extract and upload translations (push) Waiting to run
CI Create App / changed-files-check (push) Waiting to run
CI Create App / create-app-test (lint) (push) Blocked by required conditions
CI Create App / create-app-test (test) (push) Blocked by required conditions
CI Create App / create-app-test (typecheck) (push) Blocked by required conditions
CI Create App / ci-create-app-status-check (push) Blocked by required conditions
CI Docs / changed-files-check (push) Waiting to run
CI Docs / docs-lint (push) Blocked by required conditions
CI Emails / changed-files-check (push) Waiting to run
CI Emails / ci-emails-status-check (push) Blocked by required conditions
CI Example App Hello World / changed-files-check (push) Waiting to run
CI Example App Hello World / example-app-hello-world (push) Blocked by required conditions
## Summary Splits admin-panel resolvers off the shared `/metadata` GraphQL endpoint onto a dedicated `/admin-panel` endpoint. The backend plumbing mirrors the existing `metadata` / `core` pattern (new scope, decorator, module, factory), and admin types now live in their own `generated-admin/graphql.ts` on the frontend — dropping 877 lines of admin noise from `generated-metadata`. ## Why - **Smaller attack surface on `/metadata`** — every authenticated user hits that endpoint; admin ops don't belong there. - **Independent complexity limits and monitoring** per endpoint. - **Cleaner module boundaries** — admin is a cross-cutting concern that doesn't match the "shared-schema configuration" meaning of `/metadata`. - **Deploy / blast-radius isolation** — a broken admin query can't affect `/metadata`. Runtime behavior, auth, and authorization are unchanged — this is a relocation, not a re-permissioning. All existing guards (`WorkspaceAuthGuard`, `UserAuthGuard`, `SettingsPermissionGuard(SECURITY)` at class level; `AdminPanelGuard` / `ServerLevelImpersonateGuard` at method level) remain on `AdminPanelResolver`. ## What changed ### Backend - `@AdminResolver()` decorator with scope `'admin'`, naming parallels `CoreResolver` / `MetadataResolver`. - `AdminPanelGraphQLApiModule` + `adminPanelModuleFactory` registered at `/admin-panel`, same Yoga hook set as the metadata factory (Sentry tracing, error handler, introspection-disabling in prod, complexity validation). - Middleware chain on `/admin-panel` is identical to `/metadata`. - `@nestjs/graphql` patch extended: `resolverSchemaScope?: 'core' | 'metadata' | 'admin'`. - `AdminPanelResolver` class decorator swapped from `@MetadataResolver()` to `@AdminResolver()` — no other changes. ### Frontend - `codegen-admin.cjs` → `src/generated-admin/graphql.ts` (982 lines). - `codegen-metadata.cjs` excludes admin paths; metadata file shrinks by 877 lines. - `ApolloAdminProvider` / `useApolloAdminClient` follow the existing `ApolloCoreProvider` / `useApolloCoreClient` pattern, wired inside `AppRouterProviders` alongside the core provider. - 37 admin consumer files migrated: imports switched to `~/generated-admin/graphql` and `client: useApolloAdminClient()` is passed to `useQuery` / `useMutation`. - Three files intentionally kept on `generated-metadata` because they consume non-admin Documents: `useHandleImpersonate.ts`, `SettingsAdminApplicationRegistrationDangerZone.tsx`, `SettingsAdminApplicationRegistrationGeneralToggles.tsx`. ### CI - `ci-server.yaml` runs all three `graphql:generate` configurations and diff-checks all three generated dirs. ## Authorization (unchanged, but audited while reviewing) Every one of the 38 methods on `AdminPanelResolver` has a method-level guard: - `AdminPanelGuard` (32 methods) — requires `canAccessFullAdminPanel === true` - `ServerLevelImpersonateGuard` (6 methods: user/workspace lookup + chat thread views) — requires `canImpersonate === true` On top of the class-level guards above. No resolver method is accessible without these flags + `SECURITY` permission in the workspace. ## Test plan - [ ] Dev server boots; `/graphql`, `/metadata`, `/admin-panel` all mapped as separate GraphQL routes (confirmed locally during development). - [ ] `nx typecheck twenty-server` passes. - [ ] `nx typecheck twenty-front` passes. - [ ] `nx lint:diff-with-main twenty-server` and `twenty-front` both clean. - [ ] Manual smoke test: log in with a user who has `canAccessFullAdminPanel=true`, open the admin panel at `/settings/admin-panel`, verify each tab loads (General, Health, Config variables, AI, Apps, Workspace details, User details, chat threads). - [ ] Manual smoke test: log in with a user who has `canImpersonate=false` and `canAccessFullAdminPanel=false`, hit `/admin-panel` directly with a raw GraphQL request, confirm permission error on every operation. - [ ] Production deploy note: reverse proxy / ingress must route the new `/admin-panel` path to the Nest server. If the proxy has an explicit allowlist, infra change required before cutover. ## Follow-ups (out of scope here) - Consider cutting over the three `SettingsAdminApplicationRegistration*` components to admin-scope versions of the app-registration operations so the admin page is fully on the admin endpoint. - The `renderGraphiQL` double-assignment in `admin-panel.module-factory.ts` is copied from `metadata.module-factory.ts` — worth cleaning up in both.
255 lines
7.8 KiB
TypeScript
255 lines
7.8 KiB
TypeScript
import { lingui } from '@lingui/vite-plugin';
|
|
import { isNonEmptyString } from '@sniptt/guards';
|
|
import react from '@vitejs/plugin-react-swc';
|
|
import wyw from '@wyw-in-js/vite';
|
|
import fs from 'fs';
|
|
import path from 'path';
|
|
import { visualizer } from 'rollup-plugin-visualizer';
|
|
import {
|
|
defineConfig,
|
|
loadEnv,
|
|
type PluginOption,
|
|
searchForWorkspaceRoot,
|
|
} from 'vite';
|
|
import svgr from 'vite-plugin-svgr';
|
|
import tsconfigPaths from 'vite-tsconfig-paths';
|
|
|
|
import { createWywProfilingPlugin } from 'twenty-shared/vite';
|
|
|
|
export default defineConfig(({ mode }) => {
|
|
const env = loadEnv(mode, __dirname, '');
|
|
|
|
const {
|
|
REACT_APP_SERVER_BASE_URL,
|
|
VITE_BUILD_SOURCEMAP,
|
|
VITE_HOST,
|
|
SSL_CERT_PATH,
|
|
SSL_KEY_PATH,
|
|
REACT_APP_PORT,
|
|
IS_DEBUG_MODE,
|
|
} = env;
|
|
|
|
const port = isNonEmptyString(REACT_APP_PORT)
|
|
? parseInt(REACT_APP_PORT)
|
|
: 3001;
|
|
|
|
const CHUNK_SIZE_WARNING_LIMIT = 1024 * 1024; // 1MB
|
|
// Please don't increase this limit for main index chunk
|
|
// If it gets too big then find modules in the code base
|
|
// that can be loaded lazily, there are more!
|
|
const MAIN_CHUNK_SIZE_LIMIT = 6.8 * 1024 * 1024; // 6.8MB for main index chunk
|
|
const OTHER_CHUNK_SIZE_LIMIT = 5 * 1024 * 1024; // 5MB for other chunks
|
|
|
|
if (VITE_BUILD_SOURCEMAP === 'true') {
|
|
// oxlint-disable-next-line no-console
|
|
console.log(`VITE_BUILD_SOURCEMAP: ${VITE_BUILD_SOURCEMAP}`);
|
|
}
|
|
|
|
return {
|
|
root: __dirname,
|
|
cacheDir: '../../node_modules/.vite/packages/twenty-front',
|
|
|
|
server: {
|
|
port: port,
|
|
...(VITE_HOST ? { host: VITE_HOST } : {}),
|
|
...(SSL_KEY_PATH && SSL_CERT_PATH
|
|
? {
|
|
protocol: 'https',
|
|
https: {
|
|
key: fs.readFileSync(env.SSL_KEY_PATH),
|
|
cert: fs.readFileSync(env.SSL_CERT_PATH),
|
|
},
|
|
}
|
|
: {
|
|
protocol: 'http',
|
|
}),
|
|
fs: {
|
|
allow: [
|
|
searchForWorkspaceRoot(process.cwd()),
|
|
'**/@blocknote/core/src/fonts/**',
|
|
],
|
|
},
|
|
},
|
|
|
|
plugins: [
|
|
react({
|
|
plugins: [['@lingui/swc-plugin', {}]],
|
|
}),
|
|
tsconfigPaths({
|
|
root: __dirname,
|
|
projects: ['tsconfig.json'],
|
|
}),
|
|
svgr(),
|
|
lingui({
|
|
configPath: path.resolve(__dirname, './lingui.config.ts'),
|
|
}),
|
|
createWywProfilingPlugin(
|
|
wyw({
|
|
include: [path.resolve(__dirname, 'src') + '/**/*.{ts,tsx}'],
|
|
exclude: [
|
|
'**/generated-metadata/**',
|
|
'**/generated-admin/**',
|
|
'**/testing/mock-data/**',
|
|
'**/testing/jest/**',
|
|
'**/testing/hooks/**',
|
|
'**/testing/utils/**',
|
|
'**/testing/constants/**',
|
|
'**/testing/cache/**',
|
|
'**/*.test.{ts,tsx}',
|
|
'**/*.spec.{ts,tsx}',
|
|
'**/__tests__/**',
|
|
'**/__mocks__/**',
|
|
'**/types/**',
|
|
'**/constants/**',
|
|
'**/states/**',
|
|
'**/selectors/**',
|
|
'**/guards/**',
|
|
'**/schemas/**',
|
|
'**/utils/**',
|
|
'**/contexts/**',
|
|
'**/hooks/**',
|
|
'**/enums/**',
|
|
'**/queries/**',
|
|
'**/mutations/**',
|
|
'**/fragments/**',
|
|
'**/graphql/**',
|
|
'**/decorators/**',
|
|
],
|
|
babelOptions: {
|
|
presets: ['@babel/preset-typescript', '@babel/preset-react'],
|
|
plugins: ['@babel/plugin-transform-export-namespace-from'],
|
|
},
|
|
}),
|
|
),
|
|
...(env.ANALYZE === 'true'
|
|
? [
|
|
visualizer({
|
|
open: !process.env.CI,
|
|
gzipSize: true,
|
|
brotliSize: true,
|
|
filename: 'dist/stats.html',
|
|
}) as PluginOption,
|
|
]
|
|
: []),
|
|
],
|
|
|
|
optimizeDeps: {
|
|
exclude: [
|
|
'../../node_modules/.vite',
|
|
'../../node_modules/.cache',
|
|
'../../node_modules/twenty-ui',
|
|
],
|
|
},
|
|
|
|
build: {
|
|
minify: 'esbuild',
|
|
outDir: 'build',
|
|
sourcemap: VITE_BUILD_SOURCEMAP === 'true' ? 'hidden' : false,
|
|
chunkSizeWarningLimit: CHUNK_SIZE_WARNING_LIMIT,
|
|
rollupOptions: {
|
|
// Don't use manual chunks as it causes many issue
|
|
// including this one we wasted a lot of time on:
|
|
// https://github.com/rollup/rollup/issues/2793
|
|
output: {
|
|
// Custom plugin to fail build if chunks exceed max size
|
|
plugins: [
|
|
{
|
|
name: 'chunk-size-limit',
|
|
generateBundle(_options, bundle) {
|
|
const oversizedChunks: string[] = [];
|
|
|
|
Object.entries(bundle).forEach(([fileName, chunk]) => {
|
|
if (chunk.type === 'chunk' && chunk.code !== undefined) {
|
|
const size = Buffer.byteLength(chunk.code, 'utf8');
|
|
const isMainChunk =
|
|
fileName.includes('index') && chunk.isEntry;
|
|
const sizeLimit = isMainChunk
|
|
? MAIN_CHUNK_SIZE_LIMIT
|
|
: OTHER_CHUNK_SIZE_LIMIT;
|
|
const limitType = isMainChunk ? 'main' : 'other';
|
|
|
|
if (size > sizeLimit) {
|
|
oversizedChunks.push(
|
|
`${fileName} (${limitType}): ${(size / 1024 / 1024).toFixed(2)}MB (limit: ${(sizeLimit / 1024 / 1024).toFixed(2)}MB)`,
|
|
);
|
|
}
|
|
}
|
|
});
|
|
|
|
if (oversizedChunks.length > 0) {
|
|
const errorMessage = `Build failed: The following chunks exceed their size limits:\n${oversizedChunks.map((chunk) => ` - ${chunk}`).join('\n')}`;
|
|
this.error(errorMessage);
|
|
}
|
|
},
|
|
},
|
|
// TODO; later - think about prefetching modules such
|
|
// as date time picker, phone input etc...
|
|
/*
|
|
{
|
|
name: 'add-prefetched-modules',
|
|
transformIndexHtml(html: string,
|
|
ctx: {
|
|
path: string;
|
|
filename: string;
|
|
server?: ViteDevServer;
|
|
bundle?: import('rollup').OutputBundle;
|
|
chunk?: import('rollup').OutputChunk;
|
|
}) {
|
|
|
|
const bundles = Object.keys(ctx.bundle ?? {});
|
|
|
|
let modernBundles = bundles.filter(
|
|
(bundle) => bundle.endsWith('.map') === false
|
|
);
|
|
|
|
|
|
// Remove existing files and concatenate them into link tags
|
|
const prefechBundlesString = modernBundles
|
|
.filter((bundle) => html.includes(bundle) === false)
|
|
.map((bundle) => `<link rel="prefetch" href="${ctx.server?.config.base}${bundle}">`)
|
|
.join('');
|
|
|
|
// Use regular expression to get the content within <head> </head>
|
|
const headContent = html.match(/<head>([\s\S]*)<\/head>/)?.[1] ?? '';
|
|
// Insert the content of prefetch into the head
|
|
const newHeadContent = `${headContent}${prefechBundlesString}`;
|
|
// Replace the original head
|
|
html = html.replace(
|
|
/<head>([\s\S]*)<\/head>/,
|
|
`<head>${newHeadContent}</head>`
|
|
);
|
|
|
|
return html;
|
|
|
|
|
|
},
|
|
}*/
|
|
],
|
|
},
|
|
},
|
|
},
|
|
|
|
envPrefix: 'REACT_APP_',
|
|
|
|
define: {
|
|
_env_: {
|
|
REACT_APP_SERVER_BASE_URL,
|
|
},
|
|
'process.env': {
|
|
REACT_APP_SERVER_BASE_URL,
|
|
IS_DEBUG_MODE,
|
|
IS_DEV_ENV: mode === 'development' ? 'true' : 'false',
|
|
},
|
|
},
|
|
css: {
|
|
modules: {
|
|
localsConvention: 'camelCaseOnly',
|
|
},
|
|
},
|
|
resolve: {
|
|
alias: {
|
|
path: 'rollup-plugin-node-polyfills/polyfills/path',
|
|
},
|
|
},
|
|
};
|
|
});
|