Revert "fix(realtime): re-validate socket role and evict revoked collaborators"

apps/realtime/src/handlers/operations.ts

@@ -14,9 +14,8 @@ import { generateId } from '@sim/utils/id'
 import { assertWorkflowMutable, WorkflowLockedError } from '@sim/workflow-authz'
 import { ZodError } from 'zod'
 import { persistWorkflowOperation } from '@/database/operations'
-import { evictRevokedSocket } from '@/handlers/eviction'
 import type { AuthenticatedSocket } from '@/middleware/auth'
-import { authorizeSocketOperation } from '@/middleware/permissions'
+import { checkRolePermission } from '@/middleware/permissions'
 import type { IRoomManager, UserSession } from '@/rooms'
 
 const logger = createLogger('OperationsHandlers')
@@ -126,42 +125,15 @@ export function setupOperationsHandlers(socket: AuthenticatedSocket, roomManager
 
         await roomManager.updateUserActivity(workflowId, socket.id, { lastActivity: Date.now() })
 
-        // Re-validate the cached role against the live permissions table (bounded
-        // by a short TTL) so a revoked or downgraded collaborator cannot keep
-        // mutating the workflow on an already-connected socket.
-        const authorization = await authorizeSocketOperation({
-          roomManager,
-          workflowId,
-          socketId: socket.id,
-          userId: session.userId,
-          presence: userPresence,
-          operation,
-        })
-
-        if (authorization.accessRevoked) {
-          logger.warn(
-            `User ${session.userId} lost access to workflow ${workflowId}; evicting socket ${socket.id}`
-          )
-          emitOperationError(
-            {
-              type: 'ACCESS_REVOKED',
-              message: authorization.reason || 'Access to this workflow has been revoked',
-              operation,
-              target,
-            },
-            { error: authorization.reason || 'Access revoked', retryable: false }
-          )
-          await evictRevokedSocket(roomManager, socket, workflowId)
-          return
-        }
-
-        if (!authorization.allowed) {
+        // Check permissions using cached role (no DB query)
+        const permissionCheck = checkRolePermission(userPresence.role, operation)
+        if (!permissionCheck.allowed) {
           logger.warn(
-            `User ${session.userId} (role: ${authorization.role}) forbidden from ${operation} on ${target}`
+            `User ${session.userId} (role: ${userPresence.role}) forbidden from ${operation} on ${target}`
           )
           emitOperationError({
             type: 'INSUFFICIENT_PERMISSIONS',
-            message: `${authorization.reason} on '${target}'`,
+            message: `${permissionCheck.reason} on '${target}'`,
             operation,
             target,
           })

apps/realtime/src/handlers/subblocks.ts

@@ -6,9 +6,8 @@ import { getErrorMessage } from '@sim/utils/errors'
 import { assertWorkflowMutable, WorkflowLockedError } from '@sim/workflow-authz'
 import { isWorkflowBlockProtected } from '@sim/workflow-types/workflow'
 import { and, eq } from 'drizzle-orm'
-import { evictRevokedSocket } from '@/handlers/eviction'
 import type { AuthenticatedSocket } from '@/middleware/auth'
-import { authorizeSocketOperation } from '@/middleware/permissions'
+import { checkRolePermission } from '@/middleware/permissions'
 import type { IRoomManager } from '@/rooms'
 
 const logger = createLogger('SubblocksHandlers')
@@ -137,44 +136,18 @@ export function setupSubblocksHandlers(socket: AuthenticatedSocket, roomManager:
         return
       }
 
-      const authorization = await authorizeSocketOperation({
-        roomManager,
-        workflowId,
-        socketId: socket.id,
-        userId: session.userId,
-        presence: userPresence,
-        operation: SUBBLOCK_OPERATIONS.UPDATE,
-      })
-
-      if (authorization.accessRevoked) {
-        socket.emit('operation-forbidden', {
-          type: 'ACCESS_REVOKED',
-          message: authorization.reason || 'Access to this workflow has been revoked',
-          operation: SUBBLOCK_OPERATIONS.UPDATE,
-          target: 'subblock',
-        })
-        if (operationId) {
-          socket.emit('operation-failed', {
-            operationId,
-            error: authorization.reason || 'Access revoked',
-            retryable: false,
-          })
-        }
-        await evictRevokedSocket(roomManager, socket, workflowId)
-        return
-      }
-
-      if (!authorization.allowed) {
+      const permissionCheck = checkRolePermission(userPresence.role, SUBBLOCK_OPERATIONS.UPDATE)
+      if (!permissionCheck.allowed) {
         socket.emit('operation-forbidden', {
           type: 'INSUFFICIENT_PERMISSIONS',
-          message: authorization.reason || 'Insufficient permissions',
+          message: permissionCheck.reason || 'Insufficient permissions',
           operation: SUBBLOCK_OPERATIONS.UPDATE,
           target: 'subblock',
         })
         if (operationId) {
           socket.emit('operation-failed', {
             operationId,
-            error: authorization.reason || 'Insufficient permissions',
+            error: permissionCheck.reason || 'Insufficient permissions',
             retryable: false,
           })
         }

apps/realtime/src/handlers/variables.ts

@@ -5,9 +5,8 @@ import { VARIABLE_OPERATIONS } from '@sim/realtime-protocol/constants'
 import { getErrorMessage } from '@sim/utils/errors'
 import { assertWorkflowMutable, WorkflowLockedError } from '@sim/workflow-authz'
 import { eq } from 'drizzle-orm'
-import { evictRevokedSocket } from '@/handlers/eviction'
 import type { AuthenticatedSocket } from '@/middleware/auth'
-import { authorizeSocketOperation } from '@/middleware/permissions'
+import { checkRolePermission } from '@/middleware/permissions'
 import type { IRoomManager } from '@/rooms'
 
 const logger = createLogger('VariablesHandlers')
@@ -125,44 +124,18 @@ export function setupVariablesHandlers(socket: AuthenticatedSocket, roomManager:
         return
       }
 
-      const authorization = await authorizeSocketOperation({
-        roomManager,
-        workflowId,
-        socketId: socket.id,
-        userId: session.userId,
-        presence: userPresence,
-        operation: VARIABLE_OPERATIONS.UPDATE,
-      })
-
-      if (authorization.accessRevoked) {
-        socket.emit('operation-forbidden', {
-          type: 'ACCESS_REVOKED',
-          message: authorization.reason || 'Access to this workflow has been revoked',
-          operation: VARIABLE_OPERATIONS.UPDATE,
-          target: 'variable',
-        })
-        if (operationId) {
-          socket.emit('operation-failed', {
-            operationId,
-            error: authorization.reason || 'Access revoked',
-            retryable: false,
-          })
-        }
-        await evictRevokedSocket(roomManager, socket, workflowId)
-        return
-      }
-
-      if (!authorization.allowed) {
+      const permissionCheck = checkRolePermission(userPresence.role, VARIABLE_OPERATIONS.UPDATE)
+      if (!permissionCheck.allowed) {
         socket.emit('operation-forbidden', {
           type: 'INSUFFICIENT_PERMISSIONS',
-          message: authorization.reason || 'Insufficient permissions',
+          message: permissionCheck.reason || 'Insufficient permissions',
           operation: VARIABLE_OPERATIONS.UPDATE,
           target: 'variable',
         })
         if (operationId) {
           socket.emit('operation-failed', {
             operationId,
-            error: authorization.reason || 'Insufficient permissions',
+            error: permissionCheck.reason || 'Insufficient permissions',
             retryable: false,
           })
         }

apps/realtime/src/handlers/workflow.ts

@@ -160,7 +160,6 @@ export function setupWorkflowHandlers(socket: AuthenticatedSocket, roomManager:
         joinedAt: Date.now(),
         lastActivity: Date.now(),
         role: userRole,
-        roleCheckedAt: Date.now(),
         avatarUrl,
       }
 

apps/realtime/src/index.test.ts

@@ -73,11 +73,6 @@ vi.mock('@/middleware/permissions', () => ({
   checkRolePermission: vi.fn().mockReturnValue({
     allowed: true,
   }),
-  authorizeSocketOperation: vi.fn().mockResolvedValue({
-    allowed: true,
-    role: 'admin',
-    accessRevoked: false,
-  }),
 }))
 
 vi.mock('@/database/operations', () => ({