From 043049e22c53ca1143b01e87e563cc488f0e2845 Mon Sep 17 00:00:00 2001
From: trigramdev9 <98334141+trigramdev9@users.noreply.github.com>
Date: Thu, 17 Mar 2022 13:40:54 -0700
Subject: [PATCH] fix: Refactor pinning authorization logic to use user_tag table (#1654)
* see #1389 #1381
* Adding a missing comma.
* Filtering tags on deleted_at is null.
* Removing some PSA_ALLOW references.
---
 README.md | 4 +---
 packages/api/README.md | 1 -
 packages/api/src/bindings.d.ts | 1 -
 packages/api/src/utils/db-client.js | 4 +++-
 packages/api/test/scripts/helpers.js | 25 ++++++++++++++++++++++---
 5 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 46183eead5..3f6f5ef55a 100644
--- a/README.md
+++ b/README.md
@@ -144,9 +144,7 @@ DAG_CARGO_PASSWORD=
-# Pinning services api, requires a PSA allow list for authoritzation
-# this is the user id in the database
-PSA_ALLOW=1
+# Pinning services api, requires a user to have the HasPsaAccess user_tag.
 ```
 Production vars should be set in Github Actions secrets.
diff --git a/packages/api/README.md b/packages/api/README.md
index 14647baefc..8022df2167 100644
--- a/packages/api/README.md
+++ b/packages/api/README.md
@@ -51,7 +51,6 @@ wrangler secret put CLUSTER_BASIC_AUTH_TOKEN --env production # Get from nft.sto
 wrangler secret put CLUSTER_SERVICE --env production # Which cluster should be used. Options 'IpfsCluster' / 'IpfsCluster2' / 'IpfsCluster3'
 wrangler secret put MAILCHIMP_API_KEY --env production # Get from mailchimp
 wrangler secret put LOGTAIL_TOKEN --env production # Get from Logtail
-wrangler secret put PSA_ALLOW --env production # CSV user ID list, get from 1password vault
 wrangler secret put METAPLEX_AUTH_TOKEN --env production # User ID meteplex endpoint should use (not required for dev)
 wrangler secret put S3_REGION --env production # e.g us-east-2 (not required for dev)
 wrangler secret put S3_ACCESS_KEY_ID --env production # Get from Amazon S3 (not required for dev)
diff --git a/packages/api/src/bindings.d.ts b/packages/api/src/bindings.d.ts
index a74ee07d1c..66c5cd256e 100644
--- a/packages/api/src/bindings.d.ts
+++ b/packages/api/src/bindings.d.ts
@@ -24,7 +24,6 @@ declare global {
 const COMMITHASH: string
 const MAINTENANCE_MODE: Mode
 const METAPLEX_AUTH_TOKEN: string
- const PSA_ALLOW: string
 const S3_ENDPOINT: string
 const S3_REGION: string
 const S3_ACCESS_KEY_ID: string
diff --git a/packages/api/src/utils/db-client.js b/packages/api/src/utils/db-client.js
index e5c9940310..025c2a380f 100644
--- a/packages/api/src/utils/db-client.js
+++ b/packages/api/src/utils/db-client.js
@@ -83,13 +83,15 @@ export class DBClient {
 magic_link_id,
 github_id,
 did,
- keys:auth_key_user_id_fkey(user_id,id,name,secret)
+ keys:auth_key_user_id_fkey(user_id,id,name,secret), tags:user_tag_user_id_fkey(user_id,id,tag,value)
 `
 )
 .or(`magic_link_id.eq.${id},github_id.eq.${id},did.eq.${id}`)
 // @ts-ignore
 .filter('keys.deleted_at', 'is', null)
+ // @ts-ignore
+ .filter('tags.deleted_at', 'is', null)
 const { data, error, status } = await select.single()
diff --git a/packages/api/test/scripts/helpers.js b/packages/api/test/scripts/helpers.js
index a92fad99a8..0d0bc845bb 100644
--- a/packages/api/test/scripts/helpers.js
+++ b/packages/api/test/scripts/helpers.js
@@ -48,6 +48,7 @@ export async function createTestUser({
 * @param {number} tag.user_id
 * @param {string} tag.tag
 * @param {string} tag.value
+ * @param {string=} tag.deleted_at
 * @param {string} tag.inserted_at
 * @param {string} tag.reason
 */
@@ -96,13 +97,12 @@ export async function createTestUserWithFixedToken({
 secret: token,
 userId: user.id,
 })
-
 await createUserTag({
 user_id: user.id,
 tag: 'HasPsaAccess',
 value: 'true',
 reason: '',
- inserted_at: '2/22/2022',
+ inserted_at: new Date().toISOString(),
 })
 await createUserTag({
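Review bot: In packages/api/src/utils/db-client.js, the added `.filter('tags.deleted_at', 'is', null)` is now what keeps a revoked `HasPsaAccess` tag away from the pinning authorization check, yet nothing in the query says so and the bare `// @ts-ignore` above it hides any type error in the filter. I would state the intent next to it, for example `// Authorization depends on this: soft-deleted user_tag rows must not be returned`, and give the suppression a reason such as `// @ts-ignore - embedded-resource filter is not covered by the client typings` (that reason is presumed, confirm it). The code that evaluates the returned tags is not in this hunk; if more than one live row can exist for the same tag, it should presumably deny access unless the value is exactly `'true'`. The enclosing method starts and ends outside the hunk.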
@@ -110,8 +110,27 @@ export async function createTestUserWithFixedToken({
 tag: 'HasAccountRestriction',
 value: 'false',
 reason: '',
- inserted_at: '2/22/2022',
+ inserted_at: new Date().toISOString(),
+ })
+
+ // Add some deleted tags to ensure our filtering works
+ await createUserTag({
+ user_id: user.id,
+ tag: 'HasPsaAccess',
+ value: 'false',
+ reason: '',
+ inserted_at: new Date().toISOString(),
+ deleted_at: new Date().toISOString(),
 })
+ await createUserTag({
+ user_id: user.id,
+ tag: 'HasAccountRestriction',
+ value: 'true',
+ reason: '',
+ inserted_at: new Date().toISOString(),
+ deleted_at: new Date().toISOString(),
+ })
+
 return { token, userId: user.id, githubId: user.github_id }
 }
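Review bot: The deleted-tag fixtures added to createTestUserWithFixedToken do not by themselves prove that a revoked tag is ignored, because the same user keeps a live `HasPsaAccess` row with value `'true'`. If the `deleted_at` filter regressed, a lookup that takes the first matching tag would presumably still grant access and the tests would pass. A second test user whose only `HasPsaAccess` row is soft-deleted, with a test asserting that pinning requests from that user are rejected, would cover the revocation path directly. I would also make the comment precise, e.g. `// Soft-deleted tags with the opposite value: the user lookup must ignore them`. The function begins before this hunk.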