fix: use readonly connections for guests (#8221)

Signed-off-by: Alexander Onnikov <Alexander.Onnikov@xored.com>

server/collaborator/src/extensions/authentication.ts

@@ -19,7 +19,7 @@ import { decodeToken } from '@hcengineering/server-token'
 import { Extension, onAuthenticatePayload } from '@hocuspocus/server'
 
 import { Context, buildContext } from '../context'
-import { getWorkspaceIds } from '../utils'
+import { getWorkspaceIds, isGuest } from '../utils'
 
 export interface AuthenticationConfiguration {
   ctx: MeasureContext
@@ -38,8 +38,13 @@ export class AuthenticationExtension implements Extension {
 
     return await ctx.with('authenticate', { workspaceId }, async () => {
       const token = decodeToken(data.token)
+      const readonly = isGuest(token)
 
-      ctx.info('authenticate', { workspaceId, mode: token.extra?.mode ?? '' })
+      ctx.info('authenticate', { workspaceId, mode: token.extra?.mode ?? '', readonly })
+
+      if (readonly) {
+        data.connection.readOnly = true
+      }
 
       // verify workspace can be accessed with the token
       const ids = await getWorkspaceIds(data.token)

server/collaborator/src/utils.ts

@@ -12,11 +12,17 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
-import { type WorkspaceIds } from '@hcengineering/core'
+import { GUEST_ACCOUNT } from '@hcengineering/account'
 import { getClient as getAccountClient } from '@hcengineering/account-client'
+import { type WorkspaceIds } from '@hcengineering/core'
+import { type Token } from '@hcengineering/server-token'
 
 import config from './config'
 
+export function isGuest (token: Token): boolean {
+  return token.account === GUEST_ACCOUNT && token.extra?.guest === 'true'
+}
+
 // TODO: consider storing this in a cache for some short period of time
 export async function getWorkspaceIds (token: string): Promise<WorkspaceIds> {
   const workspaceInfo = await getAccountClient(config.AccountsUrl, token).getWorkspaceInfo()