Merge branch 'master' into fix/duplicate-orgs

CHANGELOG.md

@@ -10,27 +10,121 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Fixed
 - Add sort to searchDocumentsWithPaginationInfo at getAllUsers
 
+## [1.44.3] - 2024-08-22
+
+### Fixed
+- add new auth metric field
+
+## [1.44.2] - 2024-08-21
+
+### Fixed
+- addUser function to not accept invalid cost center
+
+## [1.44.1] - 2024-08-19
+
+### Added
+- Session audit metrics
+
+## [1.44.0] - 2024-08-14
+
+### Changed
+- Changed the token validation directive of some operations
+
+## [1.43.5] - 2024-08-08
+
+### Fixed
+- Storefront considers the active organizations when setting the user's profile
+
+## [1.43.4] - 2024-08-07
+
+### Changed
+- Changed the token validation directive of some operations
+
+## [1.43.3] - 2024-07-31
+
+### Changed
+- Changed the token validation directive of some operations
+
+## [1.43.2] - 2024-07-29
+
+### Added
+- Add enforcement of new validation for admin and api tokens
+- Add more details to admin and api token validation metric
+
+## [1.43.1] - 2024-07-24
+
+### Changed
+
+- Changed the token validation directive of some operations
+
+## [1.43.0] - 2024-07-23
+
+### Added
+
+- Add admin validation directive
+
+## [1.42.0] - 2024-07-17
+
+### Fixed
+
+- Get tokens from headers when necessary
+
+## [1.41.1] - 2024-07-15
+
+### Added
+
+- Add validation metrics for admin and api tokens
+
+## [1.41.0] - 2024-07-01
+
+### Added
+
+- Add token validation directive
+
+## [1.40.7] - 2024-06-11
+
+### Fixed
+
+- Provide correct tokens to clients
+
+## [1.40.6] - 2024-05-28
+
+### Changed
+
+- Check user is part of buyer org instead of "active" on checkUserAccess directive
+
+## [1.40.5] - 2024-05-22
+
+### Changed
+
+- Improved metrics and logging for checkUserAccess and checkAdminAccess directives
+
 ## [1.40.4] - 2024-04-29
 
 ### Added
+
 - Add token validation logs
 
 ### Removed
+
 - Reverted changes from versions 1.40.3, 1.40.2 and 1.40.1
 
 ## [1.40.3] - 2024-04-24
 
 ### Fixed
+
 - Provide correct auth tokens to clients
 
 ## [1.40.2] - 2024-04-19
 
 ### Fixed
+
 - Fix auth issue by adding additional admin token check to checkUserAccess and checkAdminAccess
 
 ## [1.40.1] - 2024-04-18
 
 ### Fixed
+
 - Fix auth issue by adding role check to checkUserAccess directive
 
 ## [1.40.0] - 2024-03-20
@@ -54,6 +148,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [1.39.2] - 2024-02-26
 
 ### Changed
+
 - Add intro description about Session Watcher
 
 ## [1.39.1] - 2024-02-09

catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: storefront-permissions
+  annotations:
+    github.com/project-slug: vtex-apps/storefront-permissions
+spec:
+  system: b2b-suite
+  type: backend-api
+  lifecycle: maintenance
+  owner: b-2-b-enabler

graphql/directives.graphql

@@ -1,5 +1,7 @@
 directive @checkUserAccess on FIELD | FIELD_DEFINITION
+directive @validateStoreUserAccess on FIELD | FIELD_DEFINITION
 directive @checkAdminAccess on FIELD | FIELD_DEFINITION
+directive @validateAdminUserAccess on FIELD | FIELD_DEFINITION
 directive @withSession on FIELD_DEFINITION
 directive @withSender on FIELD_DEFINITION
 directive @withUserPermissions on FIELD_DEFINITION

graphql/schema.graphql

@@ -23,7 +23,7 @@ type Query {
     @cacheControl(scope: PRIVATE, maxAge: SHORT)
     @withSender
 
-  getUser(id: ID!): User @cacheControl(scope: PRIVATE) @checkUserAccess
+  getUser(id: ID!): User @cacheControl(scope: PRIVATE) @validateStoreUserAccess
   getB2BUser(id: ID!): User @cacheControl(scope: PRIVATE)
 
   checkCustomerSchema: Boolean @cacheControl(scope: PRIVATE) @withSender
@@ -36,14 +36,14 @@ type Query {
   listAllUsers: [User]
     @cacheControl(scope: PRIVATE, maxAge: SHORT)
     @withSender
-    @checkUserAccess
+    @validateStoreUserAccess
 
   listUsers(organizationId: ID, costCenterId: ID, roleId: ID): [User]
     @cacheControl(scope: PRIVATE, maxAge: SHORT)
     @deprecated(
       reason: "This query is deprecated, use listUsersPaginated query instead."
     )
-    @checkUserAccess
+    @validateStoreUserAccess
 
   listUsersPaginated(
     organizationId: ID
@@ -56,7 +56,7 @@ type Query {
     sortedBy: String
   ): UserPagination
     @cacheControl(scope: PRIVATE, maxAge: SHORT)
-    @checkUserAccess
+    @validateStoreUserAccess
 
   checkImpersonation: UserImpersonation
     @settings(settingsType: "workspace")
@@ -71,21 +71,17 @@ type Query {
 
   getSessionWatcher: Boolean @cacheControl(scope: PRIVATE)
 
-  getUsersByEmail(
-    email: String!
-    orgId: ID
-    costId: ID
-  ): [User]
+  getUsersByEmail(email: String!, orgId: ID, costId: ID): [User]
     @cacheControl(scope: PRIVATE)
-    @checkUserAccess
+    @validateStoreUserAccess
 
   getActiveUserByEmail(email: String!): User
     @cacheControl(scope: PRIVATE)
-    @checkUserAccess
+    @validateStoreUserAccess
 
   getOrganizationsByEmail(email: String!): [Organization]
     @cacheControl(scope: PRIVATE)
-    @checkUserAccess
+    @validateStoreUserAccess
 }
 
 type Mutation {
@@ -96,12 +92,15 @@ type Mutation {
     name: String!
     slug: String
     features: [FeatureInput]
-  ): MutationResponse @cacheControl(scope: PRIVATE) @withSender @checkUserAccess
+  ): MutationResponse
+    @cacheControl(scope: PRIVATE)
+    @withSender
+    @validateStoreUserAccess
 
   deleteRole(id: ID!): MutationResponse
     @cacheControl(scope: PRIVATE)
     @withSender
-    @checkUserAccess
+    @validateStoreUserAccess
 
   saveUser(
     id: ID
@@ -113,7 +112,7 @@ type Mutation {
     canImpersonate: Boolean = false
     name: String!
     email: String!
-  ): MutationResponse @checkAdminAccess @cacheControl(scope: PRIVATE)
+  ): MutationResponse @validateAdminUserAccess @cacheControl(scope: PRIVATE)
 
   updateUser(
     id: ID
@@ -125,7 +124,7 @@ type Mutation {
     canImpersonate: Boolean = false
     email: String
     name: String
-  ): MutationResponse @checkAdminAccess @cacheControl(scope: PRIVATE)
+  ): MutationResponse @validateAdminUserAccess @cacheControl(scope: PRIVATE)
 
   addUser(
     id: ID
@@ -136,29 +135,29 @@ type Mutation {
     canImpersonate: Boolean = false
     name: String!
     email: String!
-  ): MutationResponse @checkAdminAccess @cacheControl(scope: PRIVATE)
+  ): MutationResponse @validateAdminUserAccess @cacheControl(scope: PRIVATE)
 
   addCostCenterToUser(costId: ID!, userId: ID!): MutationResponse
-    @checkUserAccess
+    @validateStoreUserAccess
     @cacheControl(scope: PRIVATE)
 
   addOrganizationToUser(
     orgId: ID!
     userId: ID!
     costId: ID!
     roleId: ID
-  ): MutationResponse @checkAdminAccess @cacheControl(scope: PRIVATE)
+  ): MutationResponse @validateAdminUserAccess @cacheControl(scope: PRIVATE)
 
   setActiveUserByOrganization(userId: ID): MutationResponse
-    @checkUserAccess
+    @validateStoreUserAccess
     @cacheControl(scope: PRIVATE)
 
   impersonateUser(userId: ID): MutationResponse
-    @checkUserAccess
+    @validateStoreUserAccess
     @cacheControl(scope: PRIVATE)
 
   deleteUser(id: ID!, userId: ID, email: String!): MutationResponse
-    @checkAdminAccess
+    @validateAdminUserAccess
     @cacheControl(scope: PRIVATE)
 
   setCurrentOrganization(orgId: ID!, costId: ID!): MutationResponse

manifest.json

@@ -1,7 +1,7 @@
 {
   "name": "storefront-permissions",
   "vendor": "vtex",
-  "version": "1.40.4",
+  "version": "1.44.3",
   "title": "Storefront Permissions",
   "description": "Manage User's permissions on apps that relates to this app",
   "mustUpdateAt": "2022-08-28",

node/clients/IdentityClient.ts

@@ -14,4 +14,14 @@ export default class IdentityClient extends JanusClient {
   public async validateToken({ token }: { token: string }): Promise<any> {
     return this.http.post('/api/vtexid/credential/validate', { token })
   }
+
+  public async getToken({
+    appkey,
+    apptoken,
+  }: {
+    appkey: string
+    apptoken: string
+  }): Promise<any> {
+    return this.http.post('/api/vtexid/apptoken/login', { appkey, apptoken })
+  }
 }

node/clients/Organizations.ts

@@ -1,8 +1,9 @@
-import type { InstanceOptions, IOContext } from '@vtex/api'
+import type { GraphQLResponse, InstanceOptions, IOContext } from '@vtex/api'
 import { AppGraphQLClient } from '@vtex/api'
 
 import { QUERIES } from '../resolvers/Routes/utils'
 import { getTokenToHeader } from './index'
+import type { GetCostCenterType } from '../typings/custom'
 
 const getPersistedQuery = () => {
   return {
@@ -36,14 +37,14 @@ export class OrganizationsGraphQLClient extends AppGraphQLClient {
     })
   }
 
-  public getCostCenterById = async (costId: string): Promise<unknown> => {
+  public getCostCenterById = async (costId: string) => {
     return this.query({
       extensions: getPersistedQuery(),
       query: QUERIES.getCostCenterById,
       variables: {
         id: costId,
       },
-    })
+    }) as Promise<GraphQLResponse<GetCostCenterType>>
   }
 
   public getMarketingTags = async (costId: string): Promise<unknown> => {
@@ -74,8 +75,8 @@ export class OrganizationsGraphQLClient extends AppGraphQLClient {
     return this.graphql.query(
       { query, variables, extensions },
       {
+        headers: getTokenToHeader(this.context),
         params: {
-          headers: getTokenToHeader(this.context),
           locale: this.context.locale,
         },
       }

node/clients/index.ts

@@ -12,15 +12,23 @@ import { Schema } from './schema'
 import VtexId from './vtexId'
 
 export const getTokenToHeader = (ctx: IOContext) => {
-  const token =
-    ctx.storeUserAuthToken ?? ctx.adminUserAuthToken ?? ctx.authToken
+  const adminToken = ctx.adminUserAuthToken ?? ctx.authToken
+  const userToken = ctx.storeUserAuthToken
+  const { sessionToken, account } = ctx
 
-  const { sessionToken } = ctx
+  let allCookies = `VtexIdclientAutCookie=${adminToken}`
+
+  if (userToken) {
+    allCookies += `; VtexIdclientAutCookie_${account}=${userToken}`
+  }
 
   return {
-    VtexIdclientAutCookie: token,
-    cookie: `VtexIdclientAutCookie=${token}`,
-    'x-vtex-session': sessionToken ?? '',
+    'x-vtex-credential': ctx.authToken,
+    VtexIdclientAutCookie: adminToken,
+    cookie: allCookies,
+    ...(sessionToken && {
+      'x-vtex-session': sessionToken,
+    }),
   }
 }