feat(be): Restrict access to pages users don't have access to (intern…
…al-pr-358) * Page access middleware + improvements to the middleware system * updated the middleware to use `loggedInAndSignup` to make sure the user is logged in before checking for access * PR changes
Showing
9 changed files
with
93 additions
and
32 deletions.
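--- a/packages/hash/api/src/graphql/resolvers/middlewares/canAccessAccount.ts
+++ b/packages/hash/api/src/graphql/resolvers/middlewares/canAccessAccount.ts
@@ -0,0 +1,34 @@
+import { ForbiddenError } from "apollo-server-express";
+import { Scalars } from "../../apiTypes.gen";
+import { GraphQLContext, LoggedInGraphQLContext } from "../../context";
+import { loggedInAndSignedUp } from "./loggedInAndSignedUp";
+import { ResolverMiddleware } from "./middlewareTypes";
+
+/** Middleware verifying the current logged in user has access to the requested account.
+* This middleware needs to be run on a query that is passing an
+* account id
+*/
+export const canAccessAccount: ResolverMiddleware<
+GraphQLContext,
+{
+accountId: Scalars["ID"];
+},
+LoggedInGraphQLContext
+> = (next) =>
+loggedInAndSignedUp(async (_, args, ctx, info) => {
+let isAllowed = false;
+if (ctx.user.accountId === args.accountId) {
+isAllowed = true;
+} else {
+isAllowed = await ctx.user.isMemberOfOrg(
+ctx.dataSources.db,
+args.accountId,
+);
+}
+if (!isAllowed) {
+throw new ForbiddenError(
+`You cannot perform this action as you don't have permission to access the account with accountId ${args.accountId}`,
+);
+}
+return next(_, args, ctx, info);
+});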
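Review bot: The check in `canAccessAccount` assumes `args.accountId` is present, but the handler is passed through `loggedInAndSignedUp`, whose args are typed `any`, so nothing visible here stops the middleware being attached to a resolver that carries the account id elsewhere or not at all. In that case the equality test is false and `isMemberOfOrg` is called with `undefined`; its behaviour for that input is not visible in this commit, so the guard should fail closed first: `if (!args.accountId) { throw new ForbiddenError("accountId is required for this action."); }`. The middleware also only authorises the account named in the arguments: a resolver that additionally takes a page or entity id still has to confirm that object belongs to `args.accountId`, and the doc comment should say so.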
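--- a/packages/hash/api/src/graphql/resolvers/middlewares/loggedIn.ts
+++ b/packages/hash/api/src/graphql/resolvers/middlewares/loggedIn.ts
@@ -0,0 +1,14 @@
+import { ForbiddenError } from "apollo-server-express";
+import { GraphQLContext, LoggedInGraphQLContext } from "../../context";
+import { ResolverMiddleware } from "./middlewareTypes";
+
+export const loggedIn: ResolverMiddleware<
+GraphQLContext,
+any,
+LoggedInGraphQLContext
+> = (next) => (obj: any, args: any, ctx: GraphQLContext, info: any) => {
+if (!ctx.user) {
+throw new ForbiddenError("You must be logged in to perform this action.");
+}
+return next(obj, args, ctx as LoggedInGraphQLContext, info);
+};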
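Review bot: `loggedIn` reports a missing session with `ForbiddenError`, the same error class the account-access and sign-up middlewares in this commit use for authorisation failures, so clients and logs cannot tell "not authenticated" from "authenticated but not permitted". `apollo-server-express` also exports `AuthenticationError` (code `UNAUTHENTICATED`); consider `throw new AuthenticationError("You must be logged in to perform this action.");` here. The `ctx as LoggedInGraphQLContext` cast is sound only because of the `!ctx.user` check directly above it, and a short comment saying so would keep a later edit from separating the two.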
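--- a/packages/hash/api/src/graphql/resolvers/middlewares/loggedInAndSignedUp.ts
+++ b/packages/hash/api/src/graphql/resolvers/middlewares/loggedInAndSignedUp.ts
@@ -0,0 +1,11 @@
+import { GraphQLContext, LoggedInGraphQLContext } from "../../context";
+import { loggedIn } from "./loggedIn";
+import { ResolverMiddleware } from "./middlewareTypes";
+import { signedUp } from "./signedUp";
+
+export const loggedInAndSignedUp: ResolverMiddleware<
+GraphQLContext,
+any,
+LoggedInGraphQLContext
+> = (next) => (obj: any, args: any, ctx: GraphQLContext, info: any) =>
+loggedIn(signedUp(next))(obj, args, ctx, info);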
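Review bot: The order of composition in `loggedInAndSignedUp` is load-bearing and undocumented: `signedUp` calls `ctx.user.isAccountSignupComplete()` with no null check, so it is only safe because `loggedIn` runs first and rejects requests without a user. Add a comment such as `// loggedIn must stay outermost: signedUp dereferences ctx.user`. The wrapper also rebuilds the chain on every resolver call; `> = (next) => loggedIn(signedUp(next));` would compose it once, assuming the generated `Resolver` type accepts the result.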
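--- a/packages/hash/api/src/graphql/resolvers/middlewares/middlewareTypes.ts
+++ b/packages/hash/api/src/graphql/resolvers/middlewares/middlewareTypes.ts
@@ -0,0 +1,9 @@
+import { Resolver } from "../../apiTypes.gen";
+
+export type ResolverMiddleware<
+TStartContext,
+TArgs,
+TEndContext = TStartContext,
+> = (
+next: Resolver<any, any, TEndContext, any>,
+) => Resolver<any, any, TStartContext, TArgs>;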
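Review bot: `next` is typed `Resolver<any, any, TEndContext, any>`, so `TArgs` constrains only the resolver the middleware returns and the compiler never checks that the resolver being wrapped declares the arguments the middleware inspects. For an access-control middleware that means a mismatch surfaces only at runtime. If the generated `Resolver` type allows it, `next: Resolver<any, any, TEndContext, TArgs>,` would tie the two together. Either way, the type needs a doc comment explaining `TStartContext`, `TArgs` and `TEndContext`.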
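--- a/packages/hash/api/src/graphql/resolvers/middlewares/signedUp.ts
+++ b/packages/hash/api/src/graphql/resolvers/middlewares/signedUp.ts
@@ -0,0 +1,13 @@
+import { ForbiddenError } from "apollo-server-express";
+import { LoggedInGraphQLContext } from "../../context";
+import { ResolverMiddleware } from "./middlewareTypes";
+
+export const signedUp: ResolverMiddleware<LoggedInGraphQLContext, any> =
+(next) => (obj: any, args: any, ctx: LoggedInGraphQLContext, info: any) => {
+if (!ctx.user.isAccountSignupComplete()) {
+throw new ForbiddenError(
+"You must complete the sign-up process to perform this action.",
+);
+}
+return next(obj, args, ctx, info);
+};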