fix: Refactor pinning authorization logic to use user_tag table (#1654)

* see #1389 #1381 * Adding a missing comma. * Filtering tags on deleted_at is null. * Removing some PSA_ALLOW references.
nftstorage · Mar 17, 2022 · 043049e · 043049e
1 parent 986f356
commit 043049e
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -144,9 +144,7 @@ DAG_CARGO_PASSWORD=<db-password>
 
 
 
-# Pinning services api, requires a PSA allow list for authoritzation
-# this is the user id in the database
-PSA_ALLOW=1
+# Pinning services api, requires a user to have the HasPsaAccess user_tag.
 ```
 
 Production vars should be set in Github Actions secrets.

diff --git a/packages/api/README.md b/packages/api/README.md
@@ -51,7 +51,6 @@ wrangler secret put CLUSTER_BASIC_AUTH_TOKEN --env production # Get from nft.sto
 wrangler secret put CLUSTER_SERVICE --env production # Which cluster should be used. Options 'IpfsCluster' / 'IpfsCluster2' / 'IpfsCluster3'
 wrangler secret put MAILCHIMP_API_KEY --env production # Get from mailchimp
 wrangler secret put LOGTAIL_TOKEN --env production # Get from Logtail
-wrangler secret put PSA_ALLOW --env production # CSV user ID list, get from 1password vault
 wrangler secret put METAPLEX_AUTH_TOKEN --env production # User ID meteplex endpoint should use (not required for dev)
 wrangler secret put S3_REGION --env production # e.g us-east-2 (not required for dev)
 wrangler secret put S3_ACCESS_KEY_ID --env production # Get from Amazon S3 (not required for dev)

diff --git a/packages/api/src/bindings.d.ts b/packages/api/src/bindings.d.ts
@@ -24,7 +24,6 @@ declare global {
   const COMMITHASH: string
   const MAINTENANCE_MODE: Mode
   const METAPLEX_AUTH_TOKEN: string
-  const PSA_ALLOW: string
   const S3_ENDPOINT: string
   const S3_REGION: string
   const S3_ACCESS_KEY_ID: string

diff --git a/packages/api/src/utils/db-client.js b/packages/api/src/utils/db-client.js
@@ -83,13 +83,15 @@ export class DBClient {
     magic_link_id,
     github_id,
     did,
-    keys:auth_key_user_id_fkey(user_id,id,name,secret)
+    keys:auth_key_user_id_fkey(user_id,id,name,secret),
     tags:user_tag_user_id_fkey(user_id,id,tag,value)
     `
       )
       .or(`magic_link_id.eq.${id},github_id.eq.${id},did.eq.${id}`)
       // @ts-ignore
       .filter('keys.deleted_at', 'is', null)
+      // @ts-ignore
+      .filter('tags.deleted_at', 'is', null)
 
     const { data, error, status } = await select.single()
 

diff --git a/packages/api/test/scripts/helpers.js b/packages/api/test/scripts/helpers.js
@@ -48,6 +48,7 @@ export async function createTestUser({
  * @param {number} tag.user_id
  * @param {string} tag.tag
  * @param {string} tag.value
+ * @param {string=} tag.deleted_at
  * @param {string} tag.inserted_at
  * @param {string} tag.reason
  */
@@ -96,22 +97,40 @@ export async function createTestUserWithFixedToken({
     secret: token,
     userId: user.id,
   })
-
   await createUserTag({
     user_id: user.id,
     tag: 'HasPsaAccess',
     value: 'true',
     reason: '',
-    inserted_at: '2/22/2022',
+    inserted_at: new Date().toISOString(),
   })
 
   await createUserTag({
     user_id: user.id,
     tag: 'HasAccountRestriction',
     value: 'false',
     reason: '',
-    inserted_at: '2/22/2022',
+    inserted_at: new Date().toISOString(),
+  })
+
+  // Add some deleted tags to ensure our filtering works
+  await createUserTag({
+    user_id: user.id,
+    tag: 'HasPsaAccess',
+    value: 'false',
+    reason: '',
+    inserted_at: new Date().toISOString(),
+    deleted_at: new Date().toISOString(),
   })
+  await createUserTag({
+    user_id: user.id,
+    tag: 'HasAccountRestriction',
+    value: 'true',
+    reason: '',
+    inserted_at: new Date().toISOString(),
+    deleted_at: new Date().toISOString(),
+  })
+
   return { token, userId: user.id, githubId: user.github_id }
 }