✨ Ozone team member manager

[foysalit]

This PR adds lexicons for a full set of CRUD actions to manage team members with 3 predefined roles (that bluesky currently uses).

Right now, team members are maintained via environment variables. This PR will move the storage to a table in the database. In order to maintain backward compatibility

In order to keep members configured via env vars compatible with this implementation, on boot, we iterate over those and upsert into the table as needed.

[bnewbold]

general direction looks good!

[bnewbold]

probably UserAlreadyExists and "already a moderator" if we have a specific role called "Moderator"?

[bnewbold]

maybe OnlyRemainingAdmin? "LastAdmin" would be confusing to me out of context

[bnewbold]

Would be good docs to mention in each of these descriptions what privileges are required to use the endpoint. Eg, all require auth, but maybe listUsers only requires an ozone user of any role?

[devinivy]

This is quite the chunk of work! Good stuff, going to be a big upgrade 👍

[foysalit]

alright we should be close now. a few major things to review

1. the auth-verifier now gives the serviceDid to always access as admin
2. update and delete actions are no longer allowed on serviceDid
3. moderator terminology has been updated everywhere with member instead
4. profile hydration has been moved into the team service and applied on add, update and list endpoints
5. profile views are no longer cached and always fetched from appview on demand

[devinivy]

Suggested change

	return { members, cursor: members.slice(-1)[0]?.createdAt.toISOString() }
	return { members, cursor: members.at(-1)?.createdAt.toISOString() }

[devinivy]

Should we maintain updatedAt and lastUpdatedBy here too?

[devinivy]

There is a bit of a security issue here, since updates may contain fields not explicitly Picked out of Selectable<Member>, and they end up passed directly through to the query. For example, imagine if did were a field on updates.

Looking at the team.updateMember endpoint, I think the user could end-up successfully changing the user's createdAt time through the API. On its own that isn't a critical issue, but as we add new columns to the members table we might run into more sensitive issues.

[devinivy]

Perhaps we could avoid this exception if we folded the account into seedInitialMembers(), particularly now that there's a guard on deleting the user.

[devinivy]

You know, the more I think about it we may want to keep the deletion guard but not add any other exceptions for the service DID. I think there could be legitimate reasons for a deployment to not want to make the service DID a team member.

For the Ozone distribution we configure the service DID to be an admin anyway, so most deployments will have this by default. Perhaps the deletion rule should be to ensure you don't delete, demote, or disable yourself. That should be enough to ensure there's no way to lock yourself out, which I think is the main thing we're going for.

[foysalit]

yeah that makes sense!

[devinivy]

Suggested change

	const { isAdmin, isModerator, isTriage } =
	await this.teamService.getMemberRole(member)
	const { isAdmin, isModerator, isTriage } =
	this.teamService.getMemberRole(member)

[bnewbold]

Looking forward to this! Let me know when I can give it a spin in staging.