fix: get admin token from header

CHANGELOG.md

@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+### Fixed
+- Get tokens from headers when necessary
+
 ## [1.41.0] - 2024-07-01
 
 ### Added

node/directives/checkAdminAccess.ts

@@ -4,7 +4,11 @@ import type { GraphQLField } from 'graphql'
 import { defaultFieldResolver } from 'graphql'
 
 import sendAuthMetric, { AuthMetric } from '../metrics/auth'
-import { validateAdminToken, validateApiToken } from './helper'
+import {
+  validateAdminToken,
+  validateAdminTokenOnHeader,
+  validateApiToken,
+} from './helper'
 
 export class CheckAdminAccess extends SchemaDirectiveVisitor {
   public visitFieldDefinition(field: GraphQLField<any, any>) {
@@ -20,9 +24,21 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
         vtex: { adminUserAuthToken, storeUserAuthToken, logger },
       } = context
 
-      const { hasAdminToken, hasValidAdminToken, hasCurrentValidAdminToken } =
+      let { hasAdminToken, hasValidAdminToken, hasCurrentValidAdminToken } =
         await validateAdminToken(context, adminUserAuthToken as string)
 
+      let hasAdminTokenOnHeader = false
+
+      // If there's no admin token on context, search for it on header
+      if (!hasAdminToken) {
+        ;({
+          hasAdminToken,
+          hasValidAdminToken,
+          hasCurrentValidAdminToken,
+          hasAdminTokenOnHeader,
+        } = await validateAdminTokenOnHeader(context))
+      }
+
       const { hasApiToken, hasValidApiToken } = await validateApiToken(context)
 
       const hasStoreToken = !!storeUserAuthToken // we don't need to validate store token
@@ -47,6 +63,7 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
           hasApiToken,
           hasValidApiToken,
           hasStoreToken,
+          hasAdminTokenOnHeader,
         },
         'CheckAdminAccessAudit'
       )
@@ -65,6 +82,7 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
           hasApiToken,
           hasValidApiToken,
           hasStoreToken,
+          hasAdminTokenOnHeader,
         })
         throw new AuthenticationError('No token was provided')
       }
@@ -81,6 +99,7 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
           hasApiToken,
           hasValidApiToken,
           hasStoreToken,
+          hasAdminTokenOnHeader,
         })
         throw new ForbiddenError('Unauthorized Access')
       }

node/directives/checkUserAccess.ts

@@ -6,6 +6,7 @@ import { SchemaDirectiveVisitor } from 'graphql-tools'
 import sendAuthMetric, { AuthMetric } from '../metrics/auth'
 import {
   validateAdminToken,
+  validateAdminTokenOnHeader,
   validateApiToken,
   validateStoreToken,
 } from './helper'
@@ -24,9 +25,21 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
         vtex: { adminUserAuthToken, storeUserAuthToken, logger },
       } = context
 
-      const { hasAdminToken, hasValidAdminToken, hasCurrentValidAdminToken } =
+      let { hasAdminToken, hasValidAdminToken, hasCurrentValidAdminToken } =
         await validateAdminToken(context, adminUserAuthToken as string)
 
+      let hasAdminTokenOnHeader = false
+
+      // If there's no admin token on context, search for it on header
+      if (!hasAdminToken) {
+        ;({
+          hasAdminToken,
+          hasValidAdminToken,
+          hasCurrentValidAdminToken,
+          hasAdminTokenOnHeader,
+        } = await validateAdminTokenOnHeader(context))
+      }
+
       const { hasApiToken, hasValidApiToken } = await validateApiToken(context)
 
       const { hasStoreToken, hasValidStoreToken, hasCurrentValidStoreToken } =
@@ -53,6 +66,7 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
           hasValidApiToken,
           hasStoreToken,
           hasValidStoreToken,
+          hasAdminTokenOnHeader,
         },
         'CheckUserAccessAudit'
       )
@@ -71,6 +85,7 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
           hasApiToken,
           hasValidApiToken,
           hasStoreToken,
+          hasAdminTokenOnHeader,
         })
         throw new AuthenticationError('No token was provided')
       }
@@ -88,6 +103,7 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
           hasValidApiToken,
           hasStoreToken,
           hasValidStoreToken,
+          hasAdminTokenOnHeader,
         })
         throw new ForbiddenError('Unauthorized Access')
       }

node/directives/helper.ts

@@ -138,3 +138,34 @@ export const validateStoreToken = async (
 
   return { hasStoreToken, hasValidStoreToken, hasCurrentValidStoreToken }
 }
+
+export const validateAdminTokenOnHeader = async (
+  context: Context
+): Promise<{
+  hasAdminToken: boolean
+  hasValidAdminToken: boolean
+  hasCurrentValidAdminToken: boolean
+  hasAdminTokenOnHeader: boolean
+}> => {
+  const adminUserAuthToken = context?.headers.vtexidclientautcookie as string
+  const hasAdminTokenOnHeader = !!adminUserAuthToken?.length
+
+  if (!hasAdminTokenOnHeader) {
+    return {
+      hasAdminToken: false,
+      hasValidAdminToken: false,
+      hasCurrentValidAdminToken: false,
+      hasAdminTokenOnHeader,
+    }
+  }
+
+  const { hasAdminToken, hasCurrentValidAdminToken, hasValidAdminToken } =
+    await validateAdminToken(context, adminUserAuthToken)
+
+  return {
+    hasAdminToken,
+    hasValidAdminToken,
+    hasCurrentValidAdminToken,
+    hasAdminTokenOnHeader,
+  }
+}

node/directives/validateStoreUserAccess.ts

@@ -7,6 +7,7 @@ import type { AuthAuditMetric } from '../metrics/auth'
 import sendAuthMetric, { AuthMetric } from '../metrics/auth'
 import {
   validateAdminToken,
+  validateAdminTokenOnHeader,
   validateApiToken,
   validateStoreToken,
 } from './helper'
@@ -41,13 +42,26 @@ export class ValidateStoreUserAccess extends SchemaDirectiveVisitor {
         userAgent,
       }
 
-      const { hasAdminToken, hasValidAdminToken } = await validateAdminToken(
+      let { hasAdminToken, hasValidAdminToken } = await validateAdminToken(
         context,
         adminUserAuthToken as string
       )
 
+      let hasAdminTokenOnHeader = false
+
+      // If there's no admin token on context, search for it on header
+      if (!hasAdminToken) {
+        ;({ hasAdminToken, hasValidAdminToken, hasAdminTokenOnHeader } =
+          await validateAdminTokenOnHeader(context))
+      }
+
       // add admin token metrics
-      metricFields = { ...metricFields, hasAdminToken, hasValidAdminToken }
+      metricFields = {
+        ...metricFields,
+        hasAdminToken,
+        hasValidAdminToken,
+        hasAdminTokenOnHeader,
+      }
 
       // allow access if has valid admin token
       if (hasValidAdminToken) {

node/metrics/auth.ts

@@ -16,6 +16,7 @@ export interface AuthAuditMetric {
   hasValidStoreToken?: boolean
   hasApiToken?: boolean
   hasValidApiToken?: boolean
+  hasAdminTokenOnHeader?: boolean
 }
 
 export class AuthMetric implements Metric {