chore(vendor): update @lightbasenl/backend

_This PR is created by sync and will be force-pushed daily. Overwriting any manual changes done to this PR._

- feat(backend): add hook to be called in `authRequireUser` on a successful check (lightbasenl/platform-components@90f5223)
- chore: make compatible with new and old lint configs (lightbasenl/platform-components@445035b)
- chore(deps): Bump @lightbase/pull-through-cache from 0.2.0 to 0.2.1 in the production group (lightbasenl/platform-components#1326) (lightbasenl/platform-components@83e6a49)
- chore(backend): remove duplicate check on `requiredPermissions` (lightbasenl/platform-components@387fa87)
- feat(backend): support `oneOfRequiredPermissions` (lightbasenl/platform-components@f78adcc)
- feat(feature-flag,multitenant): report cache events as Sentry metric (lightbasenl/platform-components@22ebc13)- Failed to execute `npx compas lint`. Sync is not able to correct this, so human checks and fixes are necessary for this PR.

vendor/backend/package.json

@@ -13,7 +13,7 @@
   ],
   "scripts": {},
   "dependencies": {
-    "@lightbase/pull-through-cache": "0.1.2",
+    "@lightbase/pull-through-cache": "0.2.1",
     "@xmldom/xmldom": "0.8.10",
     "bcrypt": "5.1.1",
     "rate-limiter-flexible": "5.0.3",
@@ -30,5 +30,5 @@
     "url": "https://github.com/lightbasenl/platform-components.git",
     "directory": "packages/backend"
   },
-  "gitHead": "b335a6c8aa6f5e14489b582b02b6fa45beda00b6"
+  "gitHead": "ec78a715b0421e9b0ba377bc4fc9880fb6323de4"
 }

vendor/backend/src/auth/keycloak-based/events.js

@@ -408,6 +408,8 @@ export async function authKeycloakBasedVerifyAndReadToken(
   } catch (e) {
     throw AppError.validationError(
       "authKeycloakBased.verifyAndReadToken.invalidToken",
+      {},
+      e,
     );
   }
 }

vendor/backend/src/auth/permissions/controller.js

@@ -1,3 +1,4 @@
+/* eslint-disable jsdoc/check-types */
 import { newEventFromEvent } from "@compas/stdlib";
 import { backendGetTenantAndUser } from "../../events.js";
 import { sql } from "../../services.js";
@@ -19,8 +20,8 @@ import {
 
 /**
  * @typedef {(tenants:
- *   QueryResultBackendTenant[]) =>
- *   PermissionMandatoryRole[]} PermissionBuildMandatoryRoles
+ *   Array<QueryResultBackendTenant>) =>
+ *   Array<PermissionMandatoryRole>} PermissionBuildMandatoryRoles
  */
 
 /**

vendor/backend/src/auth/user.events.js

@@ -1,3 +1,5 @@
+/* eslint-disable jsdoc/check-types */
+
 import {
   AppError,
   eventStart,
@@ -10,6 +12,7 @@ import {
 import { query, queueWorkerAddJob } from "@compas/store";
 import speakeasy from "speakeasy";
 import {
+  onAuthRequireUserCallback,
   queries,
   queryPermission,
   queryRole,
@@ -89,7 +92,10 @@ const authQueries = {
  * @property {boolean|undefined} [requireDigidBased]
  * @property {boolean|undefined} [requireKeycloakBased]
  * @property {boolean|undefined} [requirePasswordBased]
- * @property {AuthPermissionIdentifier[]|undefined} [requiredPermissions]
+ * @property {AuthPermissionIdentifier[]|undefined} [requiredPermissions] Require all
+ *   provided permissions
+ * @property {AuthPermissionIdentifier[]|undefined} [oneOfRequiredPermissions] Require
+ *   one of the provided permissions
  */
 
 /**
@@ -271,12 +277,12 @@ export async function authCreateUser(event, sql, data, options) {
  *     isVerified?: boolean,
  *   },
  *   withPermissions?: {
- *     permissions?: AuthPermissionIdentifier[],
- *     roles?: string[],
+ *     permissions?: Array<AuthPermissionIdentifier>,
+ *     roles?: Array<string>,
  *   },
  *   withMultitenant?: {
  *     syncUsersAcrossAllTenants?: boolean,
- *     tenants?: string[],
+ *     tenants?: Array<string>,
  *   }
  * }} options
  * @returns {Promise<QueryResultAuthUser>}
@@ -633,8 +639,8 @@ export async function authRequireUser(
   }
 
   if (
-    Array.isArray(options.requiredPermissions) &&
-    options.requiredPermissions.length > 0
+    Array.isArray(options.requiredPermissions) ||
+    Array.isArray(options.oneOfRequiredPermissions)
   ) {
     const permissionSet = new Set();
     // @ts-expect-error
@@ -645,20 +651,38 @@ export async function authRequireUser(
       }
     }
 
-    const missingPermissions = [];
-    for (const requiredPermission of options.requiredPermissions) {
-      if (!permissionSet.has(requiredPermission)) {
-        missingPermissions.push(requiredPermission);
+    if (options.requiredPermissions) {
+      const missingPermissions = [];
+      for (const requiredPermission of options.requiredPermissions) {
+        if (!permissionSet.has(requiredPermission)) {
+          missingPermissions.push(requiredPermission);
+        }
       }
-    }
 
-    if (missingPermissions.length > 0) {
-      throw AppError.validationError(`${eventKey}.missingPermissions`, {
-        missingPermissions,
-      });
+      if (missingPermissions.length > 0) {
+        throw AppError.validationError(`${eventKey}.missingPermissions`, {
+          missingPermissions,
+        });
+      }
+    } else if (options.oneOfRequiredPermissions) {
+      let hasOnePermission = false;
+      for (const requiredPermission of options.oneOfRequiredPermissions) {
+        if (permissionSet.has(requiredPermission)) {
+          hasOnePermission = true;
+          break;
+        }
+      }
+
+      if (!hasOnePermission) {
+        throw AppError.validationError(`${eventKey}.missingPermissions`, {
+          missingPermissions: options.oneOfRequiredPermissions,
+        });
+      }
     }
   }
 
+  onAuthRequireUserCallback(user);
+
   eventStop(event);
 
   return user;

vendor/backend/src/feature-flag/cache.js

@@ -1,6 +1,7 @@
 import { AppError } from "@compas/stdlib";
 import { PullThroughCache } from "@lightbase/pull-through-cache";
 import { queryFeatureFlag, sql } from "../services.js";
+import { cacheEventToSentryMetric } from "../util.js";
 
 /**
  * Short TTL feature flag cache. Keeps all flags for 5 seconds in memory,
@@ -16,6 +17,9 @@ export const featureFlagCache = new PullThroughCache()
   })
   .withFetcher({
     fetcher: featureFlagFetcher,
+  })
+  .withEventCallback({
+    callback: cacheEventToSentryMetric("featureFlag"),
   });
 
 /**

vendor/backend/src/feature-flag/events.js

@@ -158,8 +158,7 @@ export async function featureFlagSetDynamic(
 
   if (featureFlagCache.isEnabled()) {
     // Clear the cache if enabled. This method function is often only used in test code, which most likely disables the cache anyways.
-    featureFlagCache.disable();
-    featureFlagCache.enable();
+    featureFlagCache.clearAll();
   }
 
   eventStop(event);

vendor/backend/src/multitenant/cache.js

@@ -1,6 +1,7 @@
 import { isNil, uuid } from "@compas/stdlib";
 import { PullThroughCache } from "@lightbase/pull-through-cache";
 import { queryTenant, sql, tenantBuilder } from "../services.js";
+import { cacheEventToSentryMetric } from "../util.js";
 
 /**
  * Frequently sampled tenant cache.
@@ -19,6 +20,9 @@ export const tenantCache = new PullThroughCache()
   })
   .withFetcher({
     fetcher: tenantFetcher,
+  })
+  .withEventCallback({
+    callback: cacheEventToSentryMetric("tenant"),
   });
 
 /**

vendor/backend/src/services.js

@@ -120,6 +120,12 @@ export let userBuilder = {
  */
 export let tenantBuilder = {};
 
+/**
+ * @type {(user: QueryResultAuthUser) => void}}
+ */
+// eslint-disable-next-line no-unused-vars
+export let onAuthRequireUserCallback = (_user) => {};
+
 /** @type {import("@compas/store").SessionTransportSettings} */
 // @ts-expect-error
 //
@@ -162,6 +168,7 @@ export let sessionDurationCallback = () => ({
  * @param {{
  *   userBuilder?: AuthUserQueryBuilder,
  *   tenantBuilder?: BackendTenantQueryBuilder,
+ *   onAuthRequireUserCallback?: (user: QueryResultAuthUser) => void,
  *   shouldPasswordBasedForcePasswordResetAfterSixMonths?: boolean,
  *   shouldPasswordBasedRollingLoginAttemptBlock?: boolean,
  *   shouldPasswordBasedUpdatePasswordRemoveCurrentSession?: boolean,
@@ -277,6 +284,9 @@ export async function backendInitServices(other) {
     tenantBuilder = { ...other.tenantBuilder, ...tenantBuilder };
   }
 
+  onAuthRequireUserCallback =
+    other.onAuthRequireUserCallback ?? onAuthRequireUserCallback;
+
   passwordBasedForcePasswordResetAfterSixMonths =
     other.shouldPasswordBasedForcePasswordResetAfterSixMonths ?? false;
   passwordBasedRollingLoginAttemptBlock =

vendor/backend/src/util.js

@@ -1,5 +1,24 @@
 import { existsSync } from "node:fs";
-import { AppError, isNil, pathJoin } from "@compas/stdlib";
+import { _compasSentryExport, AppError, isNil, pathJoin } from "@compas/stdlib";
+
+/**
+ * Count the different PullThroughCache events as their own metric
+ *
+ * @param {string} cacheName
+ * @returns {(function(string): void)}
+ */
+export function cacheEventToSentryMetric(cacheName) {
+  return (event) => {
+    if (_compasSentryExport?.metrics?.increment) {
+      _compasSentryExport.metrics.increment(`cache.${event}`, 1, {
+        tags: {
+          cacheName,
+        },
+        unit: "none",
+      });
+    }
+  };
+}
 
 /**
  * Takes an AppError and normalizes it to a 401, to simplify frontend error handling on