Skip to content

Commit

Permalink
fix: get admin token from header (#146)
Browse files Browse the repository at this point in the history 
* fix: get admin token from header

* chore: update CHANGELOG

* fix: add token on header metrics and avoid reusing variables

* fix: allow api token
  • Loading branch information
@Matheus-Aguilar
Matheus-Aguilar authored Jul 17, 2024
1 parent 632984c commit d13b201
Show file tree
Hide file tree
Showing 6 changed files with 107 additions and 5 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

## [Unreleased]

### Fixed
- Get tokens from headers when necessary

## [1.41.1] - 2024-07-15

### Added
Expand Down
26 changes: 23 additions & 3 deletions node/directives/checkAdminAccess.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,11 @@ import type { GraphQLField } from 'graphql'
import { defaultFieldResolver } from 'graphql'

import sendAuthMetric, { AuthMetric } from '../metrics/auth'
import { validateAdminToken, validateApiToken } from './helper'
import {
validateAdminToken,
validateAdminTokenOnHeader,
validateApiToken,
} from './helper'

export class CheckAdminAccess extends SchemaDirectiveVisitor {
public visitFieldDefinition(field: GraphQLField<any, any>) {
Expand All @@ -27,6 +31,12 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
hasValidAdminTokenFromStore,
} = await validateAdminToken(context, adminUserAuthToken as string)

const {
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
hasCurrentValidAdminTokenOnHeader,
} = await validateAdminTokenOnHeader(context)

const { hasApiToken, hasValidApiToken, hasValidApiTokenFromStore } =
await validateApiToken(context)

Expand All @@ -52,6 +62,8 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
hasApiToken,
hasValidApiToken,
hasStoreToken,
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
hasValidAdminTokenFromStore,
hasValidApiTokenFromStore,
},
Expand All @@ -60,7 +72,7 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {

sendAuthMetric(logger, auditMetric)

if (!hasAdminToken) {
if (!hasAdminToken && !hasApiToken && !hasAdminTokenOnHeader) {
logger.warn({
message: 'CheckAdminAccess: No token provided',
userAgent,
Expand All @@ -72,13 +84,19 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
hasApiToken,
hasValidApiToken,
hasStoreToken,
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
hasValidAdminTokenFromStore,
hasValidApiTokenFromStore,
})
throw new AuthenticationError('No token was provided')
}

if (!hasCurrentValidAdminToken) {
if (
!hasCurrentValidAdminToken &&
!hasValidApiToken &&
!hasCurrentValidAdminTokenOnHeader
) {
logger.warn({
message: 'CheckAdminAccess: Invalid token',
userAgent,
Expand All @@ -90,6 +108,8 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
hasApiToken,
hasValidApiToken,
hasStoreToken,
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
hasValidAdminTokenFromStore,
hasValidApiTokenFromStore,
})
Expand Down
27 changes: 25 additions & 2 deletions node/directives/checkUserAccess.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import { SchemaDirectiveVisitor } from 'graphql-tools'
import sendAuthMetric, { AuthMetric } from '../metrics/auth'
import {
validateAdminToken,
validateAdminTokenOnHeader,
validateApiToken,
validateStoreToken,
} from './helper'
Expand All @@ -31,6 +32,12 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
hasValidAdminTokenFromStore,
} = await validateAdminToken(context, adminUserAuthToken as string)

const {
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
hasCurrentValidAdminTokenOnHeader,
} = await validateAdminTokenOnHeader(context)

const { hasApiToken, hasValidApiToken, hasValidApiTokenFromStore } =
await validateApiToken(context)

Expand Down Expand Up @@ -58,6 +65,8 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
hasValidApiToken,
hasStoreToken,
hasValidStoreToken,
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
hasValidAdminTokenFromStore,
hasValidApiTokenFromStore,
},
Expand All @@ -66,7 +75,12 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {

sendAuthMetric(logger, auditMetric)

if (!hasAdminToken && !hasStoreToken) {
if (
!hasAdminToken &&
!hasApiToken &&
!hasStoreToken &&
!hasAdminTokenOnHeader
) {
logger.warn({
message: 'CheckUserAccess: No token provided',
userAgent,
Expand All @@ -78,13 +92,20 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
hasApiToken,
hasValidApiToken,
hasStoreToken,
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
hasValidAdminTokenFromStore,
hasValidApiTokenFromStore,
})
throw new AuthenticationError('No token was provided')
}

if (!hasCurrentValidAdminToken && !hasCurrentValidStoreToken) {
if (
!hasCurrentValidAdminToken &&
!hasValidApiToken &&
!hasCurrentValidStoreToken &&
!hasCurrentValidAdminTokenOnHeader
) {
logger.warn({
message: `CheckUserAccess: Invalid token`,
userAgent,
Expand All @@ -97,6 +118,8 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
hasValidApiToken,
hasStoreToken,
hasValidStoreToken,
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
hasValidAdminTokenFromStore,
hasValidApiTokenFromStore,
})
Expand Down
28 changes: 28 additions & 0 deletions node/directives/helper.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -166,3 +166,31 @@ export const validateStoreToken = async (

return { hasStoreToken, hasValidStoreToken, hasCurrentValidStoreToken }
}

export const validateAdminTokenOnHeader = async (
context: Context
): Promise<{
hasAdminTokenOnHeader: boolean
hasValidAdminTokenOnHeader: boolean
hasCurrentValidAdminTokenOnHeader: boolean
}> => {
const adminUserAuthToken = context?.headers.vtexidclientautcookie as string
const hasAdminTokenOnHeader = !!adminUserAuthToken?.length

if (!hasAdminTokenOnHeader) {
return {
hasAdminTokenOnHeader: false,
hasValidAdminTokenOnHeader: false,
hasCurrentValidAdminTokenOnHeader: false,
}
}

const { hasAdminToken, hasCurrentValidAdminToken, hasValidAdminToken } =
await validateAdminToken(context, adminUserAuthToken)

return {
hasAdminTokenOnHeader: hasAdminToken,
hasValidAdminTokenOnHeader: hasValidAdminToken,
hasCurrentValidAdminTokenOnHeader: hasCurrentValidAdminToken,
}
}
26 changes: 26 additions & 0 deletions node/directives/validateStoreUserAccess.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import type { AuthAuditMetric } from '../metrics/auth'
import sendAuthMetric, { AuthMetric } from '../metrics/auth'
import {
validateAdminToken,
validateAdminTokenOnHeader,
validateApiToken,
validateStoreToken,
} from './helper'
Expand Down Expand Up @@ -66,6 +67,31 @@ export class ValidateStoreUserAccess extends SchemaDirectiveVisitor {
return resolve(root, args, context, info)
}

// If there's no valid admin token on context, search for it on header
const { hasAdminTokenOnHeader, hasValidAdminTokenOnHeader } =
await validateAdminTokenOnHeader(context)

// add admin header token metrics
metricFields = {
...metricFields,
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
}

// allow access if has valid admin token
if (hasValidAdminTokenOnHeader) {
sendAuthMetric(
logger,
new AuthMetric(
context?.vtex?.account,
metricFields,
'ValidateStoreUserAccessAudit'
)
)

return resolve(root, args, context, info)
}

const { hasApiToken, hasValidApiToken, hasValidApiTokenFromStore } =
await validateApiToken(context)

Expand Down
2 changes: 2 additions & 0 deletions node/metrics/auth.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@ export interface AuthAuditMetric {
hasValidStoreToken?: boolean
hasApiToken?: boolean
hasValidApiToken?: boolean
hasAdminTokenOnHeader?: boolean
hasValidAdminTokenOnHeader?: boolean
hasValidAdminTokenFromStore?: boolean
hasValidApiTokenFromStore?: boolean
}
Expand Down

0 comments on commit d13b201

Please sign in to comment.