fix: remove metric and enforce validation

node/directives/checkAdminAccess.ts

@@ -24,21 +24,16 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
         vtex: { adminUserAuthToken, storeUserAuthToken, logger },
       } = context
 
-      const {
-        hasAdminToken,
-        hasValidAdminToken,
-        hasCurrentValidAdminToken,
-        hasValidAdminTokenFromStore,
-      } = await validateAdminToken(context, adminUserAuthToken as string)
+      const { hasAdminToken, hasValidAdminToken, hasCurrentValidAdminToken } =
+        await validateAdminToken(context, adminUserAuthToken as string)
 
       const {
         hasAdminTokenOnHeader,
         hasValidAdminTokenOnHeader,
         hasCurrentValidAdminTokenOnHeader,
       } = await validateAdminTokenOnHeader(context)
 
-      const { hasApiToken, hasValidApiToken, hasValidApiTokenFromStore } =
-        await validateApiToken(context)
+      const { hasApiToken, hasValidApiToken } = await validateApiToken(context)
 
       const hasStoreToken = !!storeUserAuthToken // we don't need to validate store token
 
@@ -64,8 +59,6 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
           hasStoreToken,
           hasAdminTokenOnHeader,
           hasValidAdminTokenOnHeader,
-          hasValidAdminTokenFromStore,
-          hasValidApiTokenFromStore,
         },
         'CheckAdminAccessAudit'
       )
@@ -86,8 +79,6 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
           hasStoreToken,
           hasAdminTokenOnHeader,
           hasValidAdminTokenOnHeader,
-          hasValidAdminTokenFromStore,
-          hasValidApiTokenFromStore,
         })
         throw new AuthenticationError('No token was provided')
       }
@@ -110,8 +101,6 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
           hasStoreToken,
           hasAdminTokenOnHeader,
           hasValidAdminTokenOnHeader,
-          hasValidAdminTokenFromStore,
-          hasValidApiTokenFromStore,
         })
         throw new ForbiddenError('Unauthorized Access')
       }

node/directives/checkUserAccess.ts

@@ -25,21 +25,16 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
         vtex: { adminUserAuthToken, storeUserAuthToken, logger },
       } = context
 
-      const {
-        hasAdminToken,
-        hasValidAdminToken,
-        hasCurrentValidAdminToken,
-        hasValidAdminTokenFromStore,
-      } = await validateAdminToken(context, adminUserAuthToken as string)
+      const { hasAdminToken, hasValidAdminToken, hasCurrentValidAdminToken } =
+        await validateAdminToken(context, adminUserAuthToken as string)
 
       const {
         hasAdminTokenOnHeader,
         hasValidAdminTokenOnHeader,
         hasCurrentValidAdminTokenOnHeader,
       } = await validateAdminTokenOnHeader(context)
 
-      const { hasApiToken, hasValidApiToken, hasValidApiTokenFromStore } =
-        await validateApiToken(context)
+      const { hasApiToken, hasValidApiToken } = await validateApiToken(context)
 
       const { hasStoreToken, hasValidStoreToken, hasCurrentValidStoreToken } =
         await validateStoreToken(context, storeUserAuthToken as string)
@@ -67,8 +62,6 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
           hasValidStoreToken,
           hasAdminTokenOnHeader,
           hasValidAdminTokenOnHeader,
-          hasValidAdminTokenFromStore,
-          hasValidApiTokenFromStore,
         },
         'CheckUserAccessAudit'
       )
@@ -94,8 +87,6 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
           hasStoreToken,
           hasAdminTokenOnHeader,
           hasValidAdminTokenOnHeader,
-          hasValidAdminTokenFromStore,
-          hasValidApiTokenFromStore,
         })
         throw new AuthenticationError('No token was provided')
       }
@@ -120,8 +111,6 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
           hasValidStoreToken,
           hasAdminTokenOnHeader,
           hasValidAdminTokenOnHeader,
-          hasValidAdminTokenFromStore,
-          hasValidApiTokenFromStore,
         })
         throw new ForbiddenError('Unauthorized Access')
       }

node/directives/helper.ts

@@ -7,7 +7,6 @@ export const validateAdminToken = async (
   hasAdminToken: boolean
   hasValidAdminToken: boolean
   hasCurrentValidAdminToken: boolean
-  hasValidAdminTokenFromStore: boolean
 }> => {
   const {
     clients: { identity, lm },
@@ -19,8 +18,6 @@ export const validateAdminToken = async (
   let hasValidAdminToken = false
   // this is used to check if the token is valid by current standards
   let hasCurrentValidAdminToken = false
-  // this is used to check if the token is valid and from this store
-  let hasValidAdminTokenFromStore = false
 
   if (hasAdminToken) {
     try {
@@ -32,17 +29,8 @@ export const validateAdminToken = async (
       // in the future we should remove this line
       hasCurrentValidAdminToken = true
 
-      if (authUser?.audience === 'admin') {
-        hasValidAdminToken = await lm.getUserAdminPermissions(
-          authUser.account,
-          authUser.id
-        )
-      }
-
-      // check if the token is from this store. Currently used for metrics
-      // in future we should merge this with the previous check
       if (authUser?.audience === 'admin' && authUser?.account === account) {
-        hasValidAdminTokenFromStore = await lm.getUserAdminPermissions(
+        hasValidAdminToken = await lm.getUserAdminPermissions(
           account,
           authUser.id
         )
@@ -60,7 +48,6 @@ export const validateAdminToken = async (
     hasAdminToken,
     hasValidAdminToken,
     hasCurrentValidAdminToken,
-    hasValidAdminTokenFromStore,
   }
 }
 
@@ -69,7 +56,6 @@ export const validateApiToken = async (
 ): Promise<{
   hasApiToken: boolean
   hasValidApiToken: boolean
-  hasValidApiTokenFromStore: boolean
 }> => {
   const {
     clients: { identity, lm },
@@ -81,7 +67,6 @@ export const validateApiToken = async (
   const appKey = context?.headers['vtex-api-appkey'] as string
   const hasApiToken = !!(apiToken?.length && appKey?.length)
   let hasValidApiToken = false
-  let hasValidApiTokenFromStore = false
 
   if (hasApiToken) {
     try {
@@ -94,14 +79,8 @@ export const validateApiToken = async (
         token,
       })
 
-      if (authUser?.audience === 'admin') {
-        hasValidApiToken = true
-      }
-
-      // check if the token is from this store. Currently used for metrics
-      // in future we should merge this with the previous check
       if (authUser?.audience === 'admin' && authUser?.account === account) {
-        hasValidApiTokenFromStore = await lm.getUserAdminPermissions(
+        hasValidApiToken = await lm.getUserAdminPermissions(
           account,
           authUser.id
         )
@@ -115,7 +94,7 @@ export const validateApiToken = async (
     }
   }
 
-  return { hasApiToken, hasValidApiToken, hasValidApiTokenFromStore }
+  return { hasApiToken, hasValidApiToken }
 }
 
 export const validateStoreToken = async (

node/directives/validateAdminUserAccess.ts

@@ -41,15 +41,16 @@ export class ValidateAdminUserAccess extends SchemaDirectiveVisitor {
         userAgent,
       }
 
-      const { hasAdminToken, hasValidAdminToken, hasValidAdminTokenFromStore } =
-        await validateAdminToken(context, adminUserAuthToken as string)
+      const { hasAdminToken, hasValidAdminToken } = await validateAdminToken(
+        context,
+        adminUserAuthToken as string
+      )
 
       // add admin token metrics
       metricFields = {
         ...metricFields,
         hasAdminToken,
         hasValidAdminToken,
-        hasValidAdminTokenFromStore,
       }
 
       // allow access if has valid admin token
@@ -91,15 +92,13 @@ export class ValidateAdminUserAccess extends SchemaDirectiveVisitor {
         return resolve(root, args, context, info)
       }
 
-      const { hasApiToken, hasValidApiToken, hasValidApiTokenFromStore } =
-        await validateApiToken(context)
+      const { hasApiToken, hasValidApiToken } = await validateApiToken(context)
 
       // add API token metrics
       metricFields = {
         ...metricFields,
         hasApiToken,
         hasValidApiToken,
-        hasValidApiTokenFromStore,
       }
 
       // allow access if has valid API token

node/directives/validateStoreUserAccess.ts

@@ -42,15 +42,16 @@ export class ValidateStoreUserAccess extends SchemaDirectiveVisitor {
         userAgent,
       }
 
-      const { hasAdminToken, hasValidAdminToken, hasValidAdminTokenFromStore } =
-        await validateAdminToken(context, adminUserAuthToken as string)
+      const { hasAdminToken, hasValidAdminToken } = await validateAdminToken(
+        context,
+        adminUserAuthToken as string
+      )
 
       // add admin token metrics
       metricFields = {
         ...metricFields,
         hasAdminToken,
         hasValidAdminToken,
-        hasValidAdminTokenFromStore,
       }
 
       // allow access if has valid admin token
@@ -92,15 +93,13 @@ export class ValidateStoreUserAccess extends SchemaDirectiveVisitor {
         return resolve(root, args, context, info)
       }
 
-      const { hasApiToken, hasValidApiToken, hasValidApiTokenFromStore } =
-        await validateApiToken(context)
+      const { hasApiToken, hasValidApiToken } = await validateApiToken(context)
 
       // add API token metrics
       metricFields = {
         ...metricFields,
         hasApiToken,
         hasValidApiToken,
-        hasValidApiTokenFromStore,
       }
 
       // allow access if has valid API token

node/metrics/auth.ts

@@ -18,8 +18,6 @@ export interface AuthAuditMetric {
   hasValidApiToken?: boolean
   hasAdminTokenOnHeader?: boolean
   hasValidAdminTokenOnHeader?: boolean
-  hasValidAdminTokenFromStore?: boolean
-  hasValidApiTokenFromStore?: boolean
 }
 
 export class AuthMetric implements Metric {