feat: Adding HasDeleteRestriction user_tag

* Adding the type and failing HTTP DELETE operations if this tag is set.
* See nftstorage/admin.storage#66

packages/api/db/migrations/003-add-HasDeleteRestriction-type.sql

@@ -0,0 +1 @@
+ALTER TYPE user_tag_type ADD VALUE 'HasDeleteRestriction';

packages/api/db/tables.sql

@@ -12,6 +12,7 @@ CREATE TYPE auth_key_blocked_status_type AS ENUM (
 CREATE TYPE user_tag_type AS ENUM
 (
   'HasAccountRestriction',
+  'HasDeleteRestriction',
   'HasPsaAccess',
   'HasSuperHotAccess',
   'StorageLimitBytes'
@@ -208,4 +209,4 @@ CREATE TABLE IF NOT EXISTS metric
     value BIGINT NOT NULL,
     inserted_at TIMESTAMP WITH TIME ZONE DEFAULT timezone('utc'::text, now()) NOT NULL,
     updated_at  TIMESTAMP WITH TIME ZONE DEFAULT timezone('utc'::text, now()) NOT NULL
-);
+);

packages/api/src/errors.js

@@ -197,6 +197,15 @@ export class ErrorPinningUnauthorized extends HTTPError {
 }
 ErrorPinningUnauthorized.CODE = 'ERROR_PINNING_UNAUTHORIZED'
 
+export class ErrorDeleteRestricted extends HTTPError {
+  constructor(msg = 'Delete operations restricted.') {
+    super(msg, 403)
+    this.name = 'DeleteRestricted'
+    this.code = ErrorDeleteRestricted.CODE
+  }
+}
+ErrorDeleteRestricted.CODE = 'ERROR_DELETE_RESTRICTED'
+
 export class ErrorAccountRestricted extends HTTPError {
   constructor(msg = 'Account restricted.') {
     super(msg, 403)

packages/api/src/index.js

@@ -46,8 +46,9 @@ const r = new Router(getContext, {
   },
 })
 
-const checkHasPsaAccess = true
 const checkHasAccountRestriction = true
+const checkHasDeleteRestriction = true
+const checkHasPsaAccess = true
 const checkUcan = true
 
 // Monitoring
@@ -116,7 +117,7 @@ r.add(
 r.add(
   'delete',
   '/pins/:requestid',
-  withAuth(withMode(pinsDelete, RW), { checkHasPsaAccess }),
+  withAuth(withMode(pinsDelete, RW), { checkHasDeleteRestriction, checkHasPsaAccess }),
   [postCors]
 )
 
@@ -145,7 +146,7 @@ r.add(
   withAuth(withMode(nftStore, RW), { checkHasAccountRestriction }),
   [postCors]
 )
-r.add('delete', '/:cid', withAuth(withMode(nftDelete, RW)), [postCors])
+r.add('delete', '/:cid', withAuth(withMode(nftDelete, RW), { checkHasDeleteRestriction }), [postCors])
 
 // Temporary Metaplex upload route, mapped to metaplex user account.
 r.add('post', '/metaplex/upload', withMode(metaplexUpload, RW), [postCors])
@@ -167,7 +168,7 @@ r.add(
   withAuth(withMode(tokensCreate, RW), { checkHasAccountRestriction }),
   [postCors]
 )
-r.add('delete', '/internal/tokens', withAuth(withMode(tokensDelete, RW)), [
+r.add('delete', '/internal/tokens', withAuth(withMode(tokensDelete, RW), { checkHasDeleteRestriction}), [
   postCors,
 ])
 
@@ -208,7 +209,7 @@ r.add(
 r.add(
   'delete',
   '/api/pins/:requestid',
-  withAuth(withMode(pinsDelete, RW), { checkHasPsaAccess }),
+  withAuth(withMode(pinsDelete, RW), { checkHasDeleteRestriction, checkHasPsaAccess }),
   [postCors]
 )
 
@@ -222,7 +223,7 @@ r.add(
   withAuth(withMode(nftUpload, RW), { checkUcan, checkHasAccountRestriction }),
   [postCors]
 )
-r.add('delete', '/api/:cid', withAuth(withMode(nftDelete, RW)), [postCors])
+r.add('delete', '/api/:cid', withAuth(withMode(nftDelete, RW), { checkHasDeleteRestriction }), [postCors])
 
 r.add('all', '*', notFound)
 addEventListener('fetch', r.listen.bind(r))

packages/api/src/middleware/auth.js

@@ -1,4 +1,4 @@
-import { ErrorAccountRestricted, ErrorPinningUnauthorized } from '../errors'
+import { ErrorAccountRestricted, ErrorDeleteRestricted, ErrorPinningUnauthorized } from '../errors'
 import { validate } from '../utils/auth'
 import { hasTag } from '../utils/utils'
 
@@ -19,6 +19,13 @@ export function withAuth(handler, options) {
       throw new ErrorAccountRestricted()
     }
 
+    if (
+      options?.checkHasDeleteRestriction &&
+      hasTag(auth.user, 'HasDeleteRestriction', 'true')
+    ) {
+      throw new ErrorDeleteRestricted()
+    }
+
     if (
       options?.checkHasPsaAccess &&
       !hasTag(auth.user, 'HasPsaAccess', 'true')