fix: add token on header metrics and avoid reusing variables
Matheus-Aguilar committed Jul 10, 2024
1 parent b6e0ef1 commit d4ab4c5
Showing 5 changed files with 61 additions and 49 deletions.
25 changes: 11 additions & 14 deletions node/directives/checkAdminAccess.ts
Expand Up @@ -24,20 +24,14 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
vtex: { adminUserAuthToken, storeUserAuthToken, logger },
} = context

let { hasAdminToken, hasValidAdminToken, hasCurrentValidAdminToken } =
const { hasAdminToken, hasValidAdminToken, hasCurrentValidAdminToken } =
await validateAdminToken(context, adminUserAuthToken as string)

let hasAdminTokenOnHeader = false

// If there's no admin token on context, search for it on header
if (!hasAdminToken) {
;({
hasAdminToken,
hasValidAdminToken,
hasCurrentValidAdminToken,
hasAdminTokenOnHeader,
} = await validateAdminTokenOnHeader(context))
}
const {
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
hasCurrentValidAdminTokenOnHeader,
} = await validateAdminTokenOnHeader(context)

const { hasApiToken, hasValidApiToken } = await validateApiToken(context)

Expand All @@ -64,13 +58,14 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
hasValidApiToken,
hasStoreToken,
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
},
'CheckAdminAccessAudit'
)

sendAuthMetric(logger, auditMetric)

if (!hasAdminToken) {
if (!hasAdminToken && !hasAdminTokenOnHeader) {
logger.warn({
message: 'CheckAdminAccess: No token provided',
userAgent,
Expand All @@ -83,11 +78,12 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
hasValidApiToken,
hasStoreToken,
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
})
throw new AuthenticationError('No token was provided')
}

if (!hasCurrentValidAdminToken) {
if (!hasCurrentValidAdminToken && !hasCurrentValidAdminTokenOnHeader) {
logger.warn({
message: 'CheckAdminAccess: Invalid token',
userAgent,
Expand All @@ -100,6 +96,7 @@ export class CheckAdminAccess extends SchemaDirectiveVisitor {
hasValidApiToken,
hasStoreToken,
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
})
throw new ForbiddenError('Unauthorized Access')
}
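Review bot: The decision at `if (!hasCurrentValidAdminToken && !hasCurrentValidAdminTokenOnHeader)` now accepts a valid header token even when the context already carries an admin token that failed validation, whereas before this change the header was only consulted when no context token was present; the commit title mentions metrics and variable reuse, not this widening, so it should be either confirmed as intended or narrowed. If the fallback-only semantics are meant to stay while the header metrics are still recorded, derive one flag, e.g. `const headerTokenAccepted = !hasAdminToken && hasCurrentValidAdminTokenOnHeader`, and use it in both warn conditions. The warn payloads log `hasValidAdminTokenOnHeader` but not `hasCurrentValidAdminTokenOnHeader`, which is the flag the second condition actually tests, so an expired header token is indistinguishable from a current one in the 'Invalid token' log; add it to both payloads. The same pattern appears in node/directives/checkUserAccess.ts. The enclosing resolver starts before the first hunk and continues past the last one.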
29 changes: 15 additions & 14 deletions node/directives/checkUserAccess.ts
Expand Up @@ -25,20 +25,14 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
vtex: { adminUserAuthToken, storeUserAuthToken, logger },
} = context

let { hasAdminToken, hasValidAdminToken, hasCurrentValidAdminToken } =
const { hasAdminToken, hasValidAdminToken, hasCurrentValidAdminToken } =
await validateAdminToken(context, adminUserAuthToken as string)

let hasAdminTokenOnHeader = false

// If there's no admin token on context, search for it on header
if (!hasAdminToken) {
;({
hasAdminToken,
hasValidAdminToken,
hasCurrentValidAdminToken,
hasAdminTokenOnHeader,
} = await validateAdminTokenOnHeader(context))
}
const {
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
hasCurrentValidAdminTokenOnHeader,
} = await validateAdminTokenOnHeader(context)

const { hasApiToken, hasValidApiToken } = await validateApiToken(context)

Expand Down Expand Up @@ -67,13 +61,14 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
hasStoreToken,
hasValidStoreToken,
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
},
'CheckUserAccessAudit'
)

sendAuthMetric(logger, auditMetric)

if (!hasAdminToken && !hasStoreToken) {
if (!hasAdminToken && !hasStoreToken && !hasAdminTokenOnHeader) {
logger.warn({
message: 'CheckUserAccess: No token provided',
userAgent,
Expand All @@ -86,11 +81,16 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
hasValidApiToken,
hasStoreToken,
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
})
throw new AuthenticationError('No token was provided')
}

if (!hasCurrentValidAdminToken && !hasCurrentValidStoreToken) {
if (
!hasCurrentValidAdminToken &&
!hasCurrentValidStoreToken &&
!hasCurrentValidAdminTokenOnHeader
) {
logger.warn({
message: `CheckUserAccess: Invalid token`,
userAgent,
Expand All @@ -104,6 +104,7 @@ export class CheckUserAccess extends SchemaDirectiveVisitor {
hasStoreToken,
hasValidStoreToken,
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
})
throw new ForbiddenError('Unauthorized Access')
}
19 changes: 8 additions & 11 deletions node/directives/helper.ts
Expand Up @@ -142,30 +142,27 @@ export const validateStoreToken = async (
export const validateAdminTokenOnHeader = async (
context: Context
): Promise<{
hasAdminToken: boolean
hasValidAdminToken: boolean
hasCurrentValidAdminToken: boolean
hasAdminTokenOnHeader: boolean
hasValidAdminTokenOnHeader: boolean
hasCurrentValidAdminTokenOnHeader: boolean
}> => {
const adminUserAuthToken = context?.headers.vtexidclientautcookie as string
const hasAdminTokenOnHeader = !!adminUserAuthToken?.length

if (!hasAdminTokenOnHeader) {
return {
hasAdminToken: false,
hasValidAdminToken: false,
hasCurrentValidAdminToken: false,
hasAdminTokenOnHeader,
hasAdminTokenOnHeader: false,
hasValidAdminTokenOnHeader: false,
hasCurrentValidAdminTokenOnHeader: false,
}
}

const { hasAdminToken, hasCurrentValidAdminToken, hasValidAdminToken } =
await validateAdminToken(context, adminUserAuthToken)

return {
hasAdminToken,
hasValidAdminToken,
hasCurrentValidAdminToken,
hasAdminTokenOnHeader,
hasAdminTokenOnHeader: hasAdminToken,
hasValidAdminTokenOnHeader: hasValidAdminToken,
hasCurrentValidAdminTokenOnHeader: hasCurrentValidAdminToken,
}
}
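Review bot: The return shape of `validateAdminTokenOnHeader` drops the `hasAdminToken`, `hasValidAdminToken` and `hasCurrentValidAdminToken` keys, so any caller outside the directives updated in this commit that still destructures them would receive undefined; the Promise type annotation only catches this where such callers are type-checked against it, so a repository-wide search for the old keys is worth doing before merge. The two return statements build the same three-key object, which is acceptable as style, but the early return could state in a comment why an absent or empty header yields all-false rather than throwing. A TSDoc comment on the export would help: `/** Validates the admin token carried in the vtexidclientautcookie header; all three flags are false when the header is absent or empty. */`. The difference between `hasValidAdminTokenOnHeader` and `hasCurrentValidAdminTokenOnHeader` is inherited from `validateAdminToken`, which is declared outside this hunk and is presumably where that distinction should be documented.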
36 changes: 26 additions & 10 deletions node/directives/validateStoreUserAccess.ts
Expand Up @@ -42,25 +42,16 @@ export class ValidateStoreUserAccess extends SchemaDirectiveVisitor {
userAgent,
}

let { hasAdminToken, hasValidAdminToken } = await validateAdminToken(
const { hasAdminToken, hasValidAdminToken } = await validateAdminToken(
context,
adminUserAuthToken as string
)

let hasAdminTokenOnHeader = false

// If there's no admin token on context, search for it on header
if (!hasAdminToken) {
;({ hasAdminToken, hasValidAdminToken, hasAdminTokenOnHeader } =
await validateAdminTokenOnHeader(context))
}

// add admin token metrics
metricFields = {
...metricFields,
hasAdminToken,
hasValidAdminToken,
hasAdminTokenOnHeader,
}

// allow access if has valid admin token
Expand All @@ -77,6 +68,31 @@ export class ValidateStoreUserAccess extends SchemaDirectiveVisitor {
return resolve(root, args, context, info)
}

// If there's no valid admin token on context, search for it on header
const { hasAdminTokenOnHeader, hasValidAdminTokenOnHeader } =
await validateAdminTokenOnHeader(context)

// add admin header token metrics
metricFields = {
...metricFields,
hasAdminTokenOnHeader,
hasValidAdminTokenOnHeader,
}

// allow access if has valid admin token
if (hasValidAdminTokenOnHeader) {
sendAuthMetric(
logger,
new AuthMetric(
context?.vtex?.account,
metricFields,
'ValidateStoreUserAccessAudit'
)
)

return resolve(root, args, context, info)
}

const { hasApiToken, hasValidApiToken } = await validateApiToken(context)

// add API token metrics
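Review bot: The new header-token branch grants access on `hasValidAdminTokenOnHeader` and never reads `hasCurrentValidAdminTokenOnHeader`, although node/directives/checkAdminAccess.ts in this same commit gates on the 'current' flag; if the two flags differ (presumably 'current' means not expired — confirm against validateAdminToken), an expired header token would be accepted here. The block at `if (hasValidAdminTokenOnHeader) {` appears to repeat the context-token branch above it line for line, so the metric send and the resolve call could be shared by one helper or by a single condition evaluated after both sets of metrics are collected. The copied comment `// allow access if has valid admin token` should read `// allow access if has valid admin token on header`. The resolver's body starts before the first hunk and continues past the last one.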
1 change: 1 addition & 0 deletions node/metrics/auth.ts
Expand Up @@ -17,6 +17,7 @@ export interface AuthAuditMetric {
hasApiToken?: boolean
hasValidApiToken?: boolean
hasAdminTokenOnHeader?: boolean
hasValidAdminTokenOnHeader?: boolean
}

export class AuthMetric implements Metric {
