fix: add additional check to admin token

vtex-apps · Jun 19, 2024 · 5a2663f · 5a2663f
1 parent 34d267d
commit 5a2663f
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/node/directives/helper.ts b/node/directives/helper.ts
@@ -9,7 +9,7 @@ export const validateAdminToken = async (
   hasCurrentValidAdminToken: boolean
 }> => {
   const {
-    clients: { identity },
+    clients: { identity, lm },
   } = context
 
   // check if has admin token and if it is valid
@@ -29,7 +29,14 @@ export const validateAdminToken = async (
       hasCurrentValidAdminToken = true
 
       if (authUser?.audience === 'admin') {
-        hasValidAdminToken = true
+        const hasAdminPermissions = await lm.getUserAdminPermissions(
+          authUser?.account,
+          authUser?.id
+        )
+
+        if (hasAdminPermissions) {
+          hasValidAdminToken = true
+        }
       }
     } catch (err) {
       // noop so we leave hasValidAdminToken as false

diff --git a/node/utils/LicenseManager.ts b/node/utils/LicenseManager.ts
@@ -73,6 +73,16 @@ export class LMClient extends ExternalClient {
     return user ? this.delete(this.routes.deleteUser(userId, '957'), {}) : {}
   }
 
+  public getUserAdminPermissions = async (account: string, userId: string) => {
+    return this.get(this.routes.getUserAdminPermissions(account, userId))
+      .then((res: any) => {
+        return res
+      })
+      .catch(() => {
+        return false
+      })
+  }
+
   protected get = <T>(url: string) => {
     return this.http.get<T>(url).catch(statusToError)
   }
@@ -103,6 +113,8 @@ export class LMClient extends ExternalClient {
       userByEmail: (email: string) =>
         `api/license-manager/pvt/users/${encodeURIComponent(email)}`,
       userById: (id: string) => `api/license-manager/pvt/users/${id}`,
+      getUserAdminPermissions: (account: string, userId: string) =>
+        `/api/license-manager/pvt/accounts/${account}/logins/${userId}/granted`,
     }
   }
 }