@54m 54m commented Jan 9, 2026

Summary

Implements secure session sharing functionality enabling collaboration on Happy Coder sessions while maintaining end-to-end encryption. Supports both direct user-to-user sharing with granular access control and public link sharing with privacy-first design.

Features

Direct Session Sharing

  • Share sessions with specific users by username or user ID
  • Three access levels:
    • view: Read-only access
    • edit: Can send messages but cannot manage sharing
    • admin: Full access including sharing management
  • Real-time notifications via Socket.io when shares are created, updated, or revoked
  • Encrypted data keys distributed to authorized users

Public Link Sharing

  • Generate shareable URLs with unique tokens
  • Always view-only for security
  • Optional expiration dates and usage limits
  • Consent-based access logging (IP/UA only logged with explicit user consent)
  • User blocking capability
  • Anonymous access supported

Security

  • End-to-end encryption maintained throughout sharing
  • Server never sees unencrypted content
  • Access control enforced at API layer
  • GDPR-compliant consent-based logging
  • Comprehensive test coverage

Implementation Details

Database Schema

  • SessionShare: Direct user-to-user sharing
  • PublicSessionShare: Public link sharing
  • SessionShareAccessLog & PublicShareAccessLog: Audit trails
  • PublicShareBlockedUser: User blocking for public shares

API Endpoints

  • POST /api/sessions/:sessionId/shares - Create/update share
  • GET /api/sessions/:sessionId/shares - List shares
  • PATCH /api/sessions/:sessionId/shares/:shareId - Update access level
  • DELETE /api/sessions/:sessionId/shares/:shareId - Revoke access
  • GET /api/shares/shared-with-me - List sessions shared with user
  • POST /api/sessions/:sessionId/public-share - Create/update public link
  • GET /api/sessions/:sessionId/public-share - Get public share info
  • DELETE /api/sessions/:sessionId/public-share - Delete public link
  • POST /api/public-shares/:token/access - Access via public link

Real-time Events

  • session-shared: Emitted when session is shared with user
  • session-share-updated: Access level changed
  • session-share-revoked: Access revoked
  • public-share-created: Public link created
  • public-share-updated: Public link settings updated
  • public-share-deleted: Public link deleted

Testing

Added comprehensive unit tests covering:

  • Access control logic
  • IP address and user agent extraction
  • Consent-based logging
  • Socket.io event payload construction

All tests passing (38 tests).

Commits

  1. Database schema and migrations
  2. Access control functions
  3. Session sharing API endpoints
  4. Public link restrictions
  5. Public share API endpoints
  6. Consent-based logging system
  7. TypeScript type fixes
  8. Socket.io event types
  9. Real-time event emissions for shares
  10. Real-time event emissions for public links
  11. Comprehensive unit tests
  12. Documentation updates

Migration Required

Run migrations before deploying:

npx prisma migrate deploy

54m added 18 commits January 9, 2026 13:51
Add Prisma models for session sharing feature including direct user-to-user sharing, public shareable links, access logging, and user blocking.

Files:
- prisma/schema.prisma
- prisma/migrations/20260109044634_add_session_sharing/migration.sql

Implement access control functions for session sharing including owner checks, permission validation, and public share access verification.

Files:
- sources/app/share/accessControl.ts

Implement REST API endpoints for user-to-user session sharing including create, update, delete shares and list shared sessions.

Files:
- sources/app/api/routes/shareRoutes.ts
- sources/app/api/api.ts

Remove accessLevel field from PublicSessionShare model to enforce read-only access for all public links. This improves security by preventing unauthorized edits via public URLs.

Files:
- prisma/schema.prisma
- prisma/migrations/20260109050001_remove_public_share_access_level/migration.sql
- sources/app/share/accessControl.ts

Implement REST API endpoints for public session sharing including create, get, delete public links, user blocking, and access logs. Public shares are always view-only.

Files:
- sources/app/api/routes/publicShareRoutes.ts
- sources/app/api/api.ts

Implement privacy-friendly access logging with explicit user consent. Public shares can require consent to view, enabling detailed IP/UA logging only when users agree.

Files:
- prisma/schema.prisma
- prisma/migrations/20260109051716_add_log_access_to_public_share/migration.sql
- prisma/migrations/20260109052146_rename_log_access_to_is_consent_required/migration.sql
- sources/app/share/accessLogger.ts
- sources/app/api/routes/publicShareRoutes.ts
- sources/app/api/routes/shareRoutes.ts

Add common profile type definition and fix Buffer type casting issues. All type errors resolved.

Files:
- sources/app/share/types.ts
- sources/app/api/routes/shareRoutes.ts
- sources/app/api/routes/publicShareRoutes.ts
- sources/app/share/accessControl.ts

Define new update event types for real-time sharing notifications.
Includes session-shared, share-updated, share-revoked, and public
share events with corresponding builder functions.

- sources/app/events/eventRouter.ts

Broadcast Socket.io events when sessions are shared, updated, or
revoked. Shared users receive instant notifications about their
access changes.

- sources/app/api/routes/shareRoutes.ts

Broadcast Socket.io events when public links are created, updated,
or deleted. Session owners receive instant notifications about their
public sharing status.

- sources/app/api/routes/publicShareRoutes.ts

Add unit tests covering access control, logging, and event builders.
Tests validate permission checks, IP extraction, consent-based logging,
and Socket.io event payload construction.

- sources/app/share/accessControl.spec.ts
- sources/app/share/accessLogger.spec.ts
- sources/app/events/sharingEvents.spec.ts
- vitest.config.ts

Document new collaboration features including direct sharing
with granular access control and public link sharing with
consent-based logging.

- README.md

Add friend relationship check before allowing session sharing.
Users can only share sessions with friends to prevent spam
and unauthorized sharing attempts.

- sources/app/share/accessControl.ts
- sources/app/api/routes/shareRoutes.ts
- sources/app/share/accessControl.spec.ts

Use Prisma transaction to atomically check maxUses limit and increment
useCount, preventing concurrent requests from exceeding the usage limit.

- sources/app/api/routes/publicShareRoutes.ts

Wrap share deletion operations in transactions to ensure consistent
state between database operations and real-time notifications.

- sources/app/api/routes/shareRoutes.ts
- sources/app/api/routes/publicShareRoutes.ts

Add rate limiting to prevent abuse of sharing functionality:
- Public share access: 10 requests/minute
- Share creation: 20 requests/minute
- Public share creation: 10 requests/minute

- sources/app/api/api.ts
- sources/app/api/routes/shareRoutes.ts
- sources/app/api/routes/publicShareRoutes.ts
- package.json

Adds user publicKey to UserProfile type and API responses.
Required for encrypting session data keys when sharing.

- sources/app/social/type.ts
- sources/app/api/routes/userRoutes.ts

Encrypt session data keys on the server using recipient public keys.
Removes need for client to handle sensitive encryption keys.

- sources/app/share/encryptDataKey.ts
- sources/app/api/routes/shareRoutes.ts

54m added 2 commits January 10, 2026 02:37
Allow clients to generate tokens and encrypt data keys client-side for
enhanced security. The server now accepts token parameter and uses it
directly instead of generating its own.

Files:
- sources/app/api/routes/publicShareRoutes.ts

Include session owner profile in 403 response when consent is required.
Allows client to display who is sharing before user accepts consent.

- sources/app/api/routes/publicShareRoutes.ts
@54m 54m marked this pull request as ready for review January 10, 2026 13:50
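
The public-link rules described in this pull request (view-only access, optional expiry and usage limit, user blocking, IP/UA logged only with consent) can be read as one decision function. The sketch below is an added example, not code from the pull request: it runs against an in-memory object instead of Prisma, and apart from token, maxUses, useCount and isConsentRequired every name, the sample data and the order of the checks are assumptions.

```typescript
// Added illustration, not code from the pull request. token, maxUses, useCount and
// isConsentRequired appear on the page; every other name here is an assumption.
interface PublicShare {
  token: string;
  expiresAt: Date | null;        // optional expiration
  maxUses: number | null;        // null means unlimited
  useCount: number;
  isConsentRequired: boolean;
  blockedUserIds: Set<string>;
}
interface Visit { userId: string | null; consent: boolean; ip: string; userAgent: string }
interface LogEntry { userId: string | null; ip: string | null; userAgent: string | null }
type Denial = "not_found" | "expired" | "blocked" | "consent_required" | "exhausted";
type Decision =
  | { ok: true; accessLevel: "view"; log: LogEntry }
  | { ok: false; reason: Denial };

function accessPublicShare(share: PublicShare | undefined, v: Visit, now: Date): Decision {
  if (!share) return { ok: false, reason: "not_found" };
  if (share.expiresAt !== null && share.expiresAt.getTime() <= now.getTime()) {
    return { ok: false, reason: "expired" };
  }
  if (v.userId !== null && share.blockedUserIds.has(v.userId)) return { ok: false, reason: "blocked" };
  // Consent is checked before a use is consumed, so a declined prompt costs nothing.
  if (share.isConsentRequired && !v.consent) return { ok: false, reason: "consent_required" };
  // Limit check and increment belong together; against a real database both
  // must run in one transaction so concurrent requests cannot overshoot maxUses.
  if (share.maxUses !== null && share.useCount >= share.maxUses) return { ok: false, reason: "exhausted" };
  share.useCount += 1;
  // IP and user agent are stored only when the share asked for consent and got it.
  const detailed = share.isConsentRequired && v.consent;
  const log: LogEntry = {
    userId: v.userId, ip: detailed ? v.ip : null, userAgent: detailed ? v.userAgent : null,
  };
  return { ok: true, accessLevel: "view", log }; // public links are always view-only
}

function demo(): string[] {
  const now = new Date("2026-01-10T00:00:00Z");
  const share: PublicShare = {           // constructed sample data
    token: "tok_constructed_example", expiresAt: new Date("2026-02-01T00:00:00Z"),
    maxUses: 2, useCount: 0, isConsentRequired: true, blockedUserIds: new Set(["user_blocked"]),
  };
  const visit = (userId: string | null, consent: boolean): Decision =>
    accessPublicShare(share, { userId, consent, ip: "203.0.113.7", userAgent: "ExampleBrowser/1.0" }, now);
  return [visit(null, false), visit("user_blocked", true), visit(null, true),
          visit("user_a", true), visit("user_b", true)]
    .map((d) => (d.ok ? `ok:${d.accessLevel}:ip=${d.log.ip}` : d.reason));
}
```
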