From 5ff91d43e502487be112777f048746fe7845b62b Mon Sep 17 00:00:00 2001 From: Matheus-Aguilar Date: Thu, 25 Jul 2024 14:16:09 -0300 Subject: [PATCH] fix: remove metric and enforce validation --- node/directives/checkAdminAccess.ts | 17 +++----------- node/directives/checkUserAccess.ts | 17 +++----------- node/directives/helper.ts | 27 +++------------------- node/directives/validateAdminUserAccess.ts | 11 ++++----- node/directives/validateStoreUserAccess.ts | 11 ++++----- node/metrics/auth.ts | 2 -- 6 files changed, 19 insertions(+), 66 deletions(-) diff --git a/node/directives/checkAdminAccess.ts b/node/directives/checkAdminAccess.ts index 8a0b91b..03ac72b 100644 --- a/node/directives/checkAdminAccess.ts +++ b/node/directives/checkAdminAccess.ts @@ -24,12 +24,8 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor { vtex: { adminUserAuthToken, storeUserAuthToken, logger }, } = context - const { - hasAdminToken, - hasValidAdminToken, - hasCurrentValidAdminToken, - hasValidAdminTokenFromStore, - } = await validateAdminToken(context, adminUserAuthToken as string) + const { hasAdminToken, hasValidAdminToken, hasCurrentValidAdminToken } = + await validateAdminToken(context, adminUserAuthToken as string) const { hasAdminTokenOnHeader, @@ -37,8 +33,7 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor { hasCurrentValidAdminTokenOnHeader, } = await validateAdminTokenOnHeader(context) - const { hasApiToken, hasValidApiToken, hasValidApiTokenFromStore } = - await validateApiToken(context) + const { hasApiToken, hasValidApiToken } = await validateApiToken(context) const hasStoreToken = !!storeUserAuthToken // we don't need to validate store token @@ -64,8 +59,6 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor { hasStoreToken, hasAdminTokenOnHeader, hasValidAdminTokenOnHeader, - hasValidAdminTokenFromStore, - hasValidApiTokenFromStore, }, 'CheckAdminAccessAudit' ) 
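Review bot: The new destructure still passes `adminUserAuthToken as string` into validateAdminToken even though the helper only proceeds `if (hasAdminToken)`, i.e. the value is expected to be absent on some requests; the assertion hides that it is really `string | undefined` and would let a later refactor dereference it before that guard. Prefer declaring the helper parameter as `token: string | undefined` and calling `await validateAdminToken(context, adminUserAuthToken)` without the cast; the helper's parameter list is not visible in this patch, so confirm it does not already accept `undefined`. Only the destructure changed here; the rest of the resolver and the allow/forbid decision are outside the hunk.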
@@ -86,8 +79,6 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor { hasStoreToken, hasAdminTokenOnHeader, hasValidAdminTokenOnHeader, - hasValidAdminTokenFromStore, - hasValidApiTokenFromStore, }) throw new AuthenticationError('No token was provided') } @@ -110,8 +101,6 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor { hasStoreToken, hasAdminTokenOnHeader, hasValidAdminTokenOnHeader, - hasValidAdminTokenFromStore, - hasValidApiTokenFromStore, }) throw new ForbiddenError('Unauthorized Access') } diff --git a/node/directives/checkUserAccess.ts b/node/directives/checkUserAccess.ts index 313e69d..958894f 100644 --- a/node/directives/checkUserAccess.ts +++ b/node/directives/checkUserAccess.ts @@ -25,12 +25,8 @@ export class CheckUserAccess extends SchemaDirectiveVisitor { vtex: { adminUserAuthToken, storeUserAuthToken, logger }, } = context - const { - hasAdminToken, - hasValidAdminToken, - hasCurrentValidAdminToken, - hasValidAdminTokenFromStore, - } = await validateAdminToken(context, adminUserAuthToken as string) + const { hasAdminToken, hasValidAdminToken, hasCurrentValidAdminToken } = + await validateAdminToken(context, adminUserAuthToken as string) const { hasAdminTokenOnHeader, @@ -38,8 +34,7 @@ export class CheckUserAccess extends SchemaDirectiveVisitor { hasCurrentValidAdminTokenOnHeader, } = await validateAdminTokenOnHeader(context) - const { hasApiToken, hasValidApiToken, hasValidApiTokenFromStore } = - await validateApiToken(context) + const { hasApiToken, hasValidApiToken } = await validateApiToken(context) const { hasStoreToken, hasValidStoreToken, hasCurrentValidStoreToken } = await validateStoreToken(context, storeUserAuthToken as string) @@ -67,8 +62,6 @@ export class CheckUserAccess extends SchemaDirectiveVisitor { hasValidStoreToken, hasAdminTokenOnHeader, hasValidAdminTokenOnHeader, - hasValidAdminTokenFromStore, - hasValidApiTokenFromStore, }, 'CheckUserAccessAudit' ) 
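Review bot: With `hasValidAdminTokenFromStore` and `hasValidApiTokenFromStore` dropped from the CheckUserAccessAudit payload, the audit event can no longer tell an admin or API token issued for a different account apart from a same-account token that merely lacks LM admin permissions; both now surface only as `hasValidAdminToken: false` / `hasValidApiToken: false`. A token from another tenant is the more valuable detection signal, so it is worth keeping one explicit boolean such as `adminTokenAccountMatches` in the audit fields even though it no longer drives the decision — that would require the helper to expose the account comparison, which after this patch it does not. The audit call and the enclosing resolver mostly lie outside this hunk.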
@@ -94,8 +87,6 @@ export class CheckUserAccess extends SchemaDirectiveVisitor { hasStoreToken, hasAdminTokenOnHeader, hasValidAdminTokenOnHeader, - hasValidAdminTokenFromStore, - hasValidApiTokenFromStore, }) throw new AuthenticationError('No token was provided') } @@ -120,8 +111,6 @@ export class CheckUserAccess extends SchemaDirectiveVisitor { hasValidStoreToken, hasAdminTokenOnHeader, hasValidAdminTokenOnHeader, - hasValidAdminTokenFromStore, - hasValidApiTokenFromStore, }) throw new ForbiddenError('Unauthorized Access') } diff --git a/node/directives/helper.ts b/node/directives/helper.ts index 58bf92a..1e10b7a 100644 --- a/node/directives/helper.ts +++ b/node/directives/helper.ts @@ -7,7 +7,6 @@ export const validateAdminToken = async ( hasAdminToken: boolean hasValidAdminToken: boolean hasCurrentValidAdminToken: boolean - hasValidAdminTokenFromStore: boolean }> => { const { clients: { identity, lm }, @@ -19,8 +18,6 @@ export const validateAdminToken = async ( let hasValidAdminToken = false // this is used to check if the token is valid by current standards let hasCurrentValidAdminToken = false - // this is used to check if the token is valid and from this store - let hasValidAdminTokenFromStore = false if (hasAdminToken) { try { @@ -32,17 +29,8 @@ export const validateAdminToken = async ( // in the future we should remove this line hasCurrentValidAdminToken = true - if (authUser?.audience === 'admin') { - hasValidAdminToken = await lm.getUserAdminPermissions( - authUser.account, - authUser.id - ) - } - - // check if the token is from this store. Currently used for metrics - // in future we should merge this with the previous check if (authUser?.audience === 'admin' && authUser?.account === account) { - hasValidAdminTokenFromStore = await lm.getUserAdminPermissions( + hasValidAdminToken = await lm.getUserAdminPermissions( account, authUser.id ) 
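Review bot: `hasCurrentValidAdminToken = true` is still assigned before the new `authUser?.audience === 'admin' && authUser?.account === account` check, so a token that identity accepts for another account still reports as "currently valid" even though `hasValidAdminToken` is now false for it; any directive that grants on that flag is not covered by this tightening (the directives in this patch keep it in their destructures, and their decision logic is outside the visible hunks). If the flag is meant to survive only as a legacy signal, either gate it with the same account check or mark it, e.g. `// legacy flag: true for any identity-accepted token regardless of account — never sufficient on its own to grant access`. The merged branch also lost its explanatory comment; a line such as `// only admin tokens issued for this account are accepted; cross-account tokens fail closed` above the `if` would preserve the intent. validateAdminToken starts before this hunk and its catch block continues after it.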
@@ -60,7 +48,6 @@ export const validateAdminToken = async ( hasAdminToken, hasValidAdminToken, hasCurrentValidAdminToken, - hasValidAdminTokenFromStore, } } @@ -69,7 +56,6 @@ export const validateApiToken = async ( ): Promise<{ hasApiToken: boolean hasValidApiToken: boolean - hasValidApiTokenFromStore: boolean }> => { const { clients: { identity, lm }, @@ -81,7 +67,6 @@ export const validateApiToken = async ( const appKey = context?.headers['vtex-api-appkey'] as string const hasApiToken = !!(apiToken?.length && appKey?.length) let hasValidApiToken = false - let hasValidApiTokenFromStore = false if (hasApiToken) { try { @@ -94,14 +79,8 @@ export const validateApiToken = async ( token, }) - if (authUser?.audience === 'admin') { - hasValidApiToken = true - } - - // check if the token is from this store. Currently used for metrics - // in future we should merge this with the previous check if (authUser?.audience === 'admin' && authUser?.account === account) { - hasValidApiTokenFromStore = await lm.getUserAdminPermissions( + hasValidApiToken = await lm.getUserAdminPermissions( account, authUser.id ) @@ -115,7 +94,7 @@ export const validateApiToken = async ( } } - return { hasApiToken, hasValidApiToken, hasValidApiTokenFromStore } + return { hasApiToken, hasValidApiToken } } export const validateStoreToken = async ( diff --git a/node/directives/validateAdminUserAccess.ts b/node/directives/validateAdminUserAccess.ts index f02bb6f..2d1aa86 100644 --- a/node/directives/validateAdminUserAccess.ts +++ b/node/directives/validateAdminUserAccess.ts 
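Review bot: The new `hasValidApiToken = await lm.getUserAdminPermissions(account, authUser.id)` replaces an unconditional `hasValidApiToken = true` for any `audience === 'admin'` token with an account match plus an LM lookup, which is the right fail-closed direction, but the line carries no comment and the flag keeps its old name, so readers of `hasValidApiToken` in the directives and in `AuthAuditMetric` will not know its meaning changed from "identity accepted the key pair" to "admin of this account with LM permissions". Suggest `// an API key counts as valid only if it belongs to this account and LM grants it admin permissions` above the `if`; the flag presumably stays false when either call throws, since it is initialised to false and the catch block is not visible here. This also adds an LM round-trip on every API-key request that previously short-circuited, which may deserve a mention in the commit message. The surrounding try/catch starts and ends outside the hunk.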
@@ -41,15 +41,16 @@ export class ValidateAdminUserAccess extends SchemaDirectiveVisitor { userAgent, } - const { hasAdminToken, hasValidAdminToken, hasValidAdminTokenFromStore } = - await validateAdminToken(context, adminUserAuthToken as string) + const { hasAdminToken, hasValidAdminToken } = await validateAdminToken( + context, + adminUserAuthToken as string + ) // add admin token metrics metricFields = { ...metricFields, hasAdminToken, hasValidAdminToken, - hasValidAdminTokenFromStore, } // allow access if has valid admin token @@ -91,15 +92,13 @@ export class ValidateAdminUserAccess extends SchemaDirectiveVisitor { return resolve(root, args, context, info) } - const { hasApiToken, hasValidApiToken, hasValidApiTokenFromStore } = - await validateApiToken(context) + const { hasApiToken, hasValidApiToken } = await validateApiToken(context) // add API token metrics metricFields = { ...metricFields, hasApiToken, hasValidApiToken, - hasValidApiTokenFromStore, } // allow access if has valid API token diff --git a/node/directives/validateStoreUserAccess.ts b/node/directives/validateStoreUserAccess.ts index 76f0149..0356a51 100644 --- a/node/directives/validateStoreUserAccess.ts +++ b/node/directives/validateStoreUserAccess.ts @@ -42,15 +42,16 @@ export class ValidateStoreUserAccess extends SchemaDirectiveVisitor { userAgent, } - const { hasAdminToken, hasValidAdminToken, hasValidAdminTokenFromStore } = - await validateAdminToken(context, adminUserAuthToken as string) + const { hasAdminToken, hasValidAdminToken } = await validateAdminToken( + context, + adminUserAuthToken as string + ) // add admin token metrics metricFields = { ...metricFields, hasAdminToken, hasValidAdminToken, - hasValidAdminTokenFromStore, } // allow access if has valid admin token 
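Review bot: The `metricFields = { ...metricFields, hasAdminToken, hasValidAdminToken }` block keeps the comment `// add admin token metrics`, but `hasValidAdminToken` now also encodes the token-belongs-to-this-account check that the removed `hasValidAdminTokenFromStore` used to carry, and the `// allow access if has valid admin token` branch that follows relies on it. A one-line note would keep dashboards and future readers honest, e.g. `// hasValidAdminToken is only true for a same-account token with LM admin permissions (see validateAdminToken)`. The resolver body and the allow branch continue outside this hunk.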
@@ -92,15 +93,13 @@ export class ValidateStoreUserAccess extends SchemaDirectiveVisitor { return resolve(root, args, context, info) } - const { hasApiToken, hasValidApiToken, hasValidApiTokenFromStore } = - await validateApiToken(context) + const { hasApiToken, hasValidApiToken } = await validateApiToken(context) // add API token metrics metricFields = { ...metricFields, hasApiToken, hasValidApiToken, - hasValidApiTokenFromStore, } // allow access if has valid API token diff --git a/node/metrics/auth.ts b/node/metrics/auth.ts index 9b6733f..21ec49d 100644 --- a/node/metrics/auth.ts +++ b/node/metrics/auth.ts @@ -18,8 +18,6 @@ export interface AuthAuditMetric { hasValidApiToken?: boolean hasAdminTokenOnHeader?: boolean hasValidAdminTokenOnHeader?: boolean - hasValidAdminTokenFromStore?: boolean - hasValidApiTokenFromStore?: boolean } export class AuthMetric implements Metric {