npm - @axinom/mosaic-id-guard - Versions diffs - 0.18.0-rc.8 → 0.18.0 - Mend

@axinom/mosaic-id-guard 0.18.0-rc.8 → 0.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

package/src/graphql/subscription-authorization-hook-factory.ts DELETED Viewed

@@ -1,286 +0,0 @@
-import {
-  EndUserAuthorizationConfig,
-  PermissionDefinition,
-} from '@axinom/mosaic-id-utils';
-import { MosaicErrorInfo, NonMosaicError } from '@axinom/mosaic-service-common';
-import { Request, Response } from 'express';
-import {
-  DocumentNode,
-  ExecutionArgs,
-  FieldNode,
-  OperationDefinitionNode,
-} from 'graphql';
-import gql from 'graphql-tag';
-import { CloseCode, Context, SubscribeMessage } from 'graphql-ws';
-import { Extra } from 'graphql-ws/lib/use/ws';
-import {
-  CreateRequestHandlerOptions,
-  PostGraphileOptions,
-  PostGraphilePlugin,
-} from 'postgraphile';
-import { ExecutionParams } from 'subscriptions-transport-ws';
-import {
-  assertGenericAuthenticatedSubject,
-  IdGuardError,
-  IdGuardErrors,
-} from '../common';
-import {
-  GqlAuthorizationOptions,
-  isAuthenticatedEndUser,
-  isAuthenticatedManagementSubject,
-} from '../common/guard-utils';
-import { handleEndUserAuthorization } from '../common/handle-end-user-authorization';
-import { handleManagementUserAuthorization } from '../common/handle-management-user-authorization';
-import { AuthenticatedRequest } from '../common/types/authentication-request-context';
-/**
- * This is a hook plugin generator function that will use the PermissionDefinition object in PostGraphileOptions
- * to authorize the Subscription operation done over a web socket.
- * It checks if the authenticated user which initiates the subscription has required permissions.
- * The actual plugin is built using this function when the build() function is called in PostgraphileOptionsBuilder.
- * This function reference can be passed into addHookPluginGenerator() to activate authorization of subscriptions.
- * @param PostGraphileOptions object containing permissions.
- * @returns PostGraphilePlugin
- */
-export const subscriptionAuthorizationHookFactory = (
-  buildOptions: PostGraphileOptions<Request, Response> | undefined,
-): PostGraphilePlugin => {
-  return {
-    // Handles subscription requests coming through protocol `graphql-ws`
-    // This is maintained for backwards compatibility. Managed services use `graphql-transport-ws` protocol (implemented below)
-    'postgraphile:ws:onOperation': (params: ExecutionParams) => {
-      // Extract GQL query and build an AST
-      // Need to determine the Subscription that's being called.
-      const gqlQuery = gql(params.query.toString());
-      const operationDefinitions =
-        gqlQuery.definitions as OperationDefinitionNode[];
-      const subscription = getSubscription(
-        operationDefinitions,
-        params.operationName,
-      );
-      if (
-        buildOptions !== undefined &&
-        buildOptions.graphileBuildOptions !== undefined &&
-        subscription !== undefined
-      ) {
-        // Get permissionDefinition from graphileBuildOptions
-        const permissionDefinition = buildOptions?.graphileBuildOptions
-          .permissionDefinition as PermissionDefinition;
-        const endUserAuthorizationConfig = buildOptions?.graphileBuildOptions
-          .endUserAuthorizationConfig as EndUserAuthorizationConfig;
-        const ensureOnlyAuthentication = buildOptions?.graphileBuildOptions
-          .ensureOnlyAuthentication as boolean;
-        const options: GqlAuthorizationOptions = {
-          operation: subscription.name.value, // the subscription name extracted from subscription operation.
-          permissionDefinition,
-          serviceId: params.context.config.serviceId,
-          endUserAuthorizationConfig,
-        };
-        const error: MosaicErrorInfo | undefined = undefined;
-        const subject = params.context.subject;
-        assertGenericAuthenticatedSubject(subject);
-        // If the authorization fails, throw error
-        if (isAuthenticatedManagementSubject(subject)) {
-          handleManagementUserAuthorization(
-            options,
-            ensureOnlyAuthentication,
-            subject,
-            error,
-          );
-          return params;
-        } else if (isAuthenticatedEndUser(subject)) {
-          handleEndUserAuthorization(
-            options,
-            ensureOnlyAuthentication,
-            subject,
-            error,
-          );
-          return params;
-        } else {
-          throw new IdGuardError({
-            message: 'User is not authorized for this subscription.',
-            code: IdGuardErrors.UserNotAuthorized.code,
-            details: {
-              user: params.context.subject?.sub,
-              serviceId: options.serviceId,
-            },
-          });
-        }
-      }
-      throw new Error(
-        'Error in subscription setup. This is likely caused by a development time issue.',
-      );
-    },
-    // Handles subscription requests coming through protocol `graphql-transport-ws`
-    // Managed services use this protocol for subscriptions.
-    'postgraphile:ws:onSubscribe': (
-      args: ExecutionArgs & {
-        document: DocumentNode | null;
-      },
-      params: {
-        context: Context<Extra>;
-        message: SubscribeMessage;
-        options: CreateRequestHandlerOptions;
-      },
-    ) => {
-      // If there were any Authentication Errors, close the web socket.
-      if (
-        (params.context.extra.request as AuthenticatedRequest).authContext
-          .authErrorInfo !== undefined
-      ) {
-        params.context.extra.socket.close(
-          CloseCode.Forbidden,
-          IdGuardErrors.AccessTokenInvalid.code,
-        );
-        return args;
-      }
-      const definitionNodes = args.document
-        .definitions as OperationDefinitionNode[];
-      const subscription = getSubscription(
-        definitionNodes,
-        args.operationName ?? undefined,
-      );
-      if (
-        buildOptions !== undefined &&
-        buildOptions.graphileBuildOptions !== undefined &&
-        subscription !== undefined
-      ) {
-        // Get permissionDefinition from graphileBuildOptions
-        const permissionDefinition = buildOptions?.graphileBuildOptions
-          .permissionDefinition as PermissionDefinition;
-        const endUserAuthorizationConfig = buildOptions?.graphileBuildOptions
-          .endUserAuthorizationConfig as EndUserAuthorizationConfig;
-        const ensureOnlyAuthentication = buildOptions?.graphileBuildOptions
-          .ensureOnlyAuthentication as boolean;
-        const options: GqlAuthorizationOptions = {
-          operation: subscription.name.value, // the subscription name extracted from subscription operation.
-          permissionDefinition,
-          serviceId: args.contextValue.config.serviceId,
-          endUserAuthorizationConfig,
-        };
-        const error: MosaicErrorInfo | undefined = undefined;
-        const subject = args.contextValue.subject;
-        assertGenericAuthenticatedSubject(subject);
-        // If the authorization fails, throw error
-        // Authorization is only checked for Management tokens
-        if (isAuthenticatedManagementSubject(subject)) {
-          try {
-            handleManagementUserAuthorization(
-              options,
-              ensureOnlyAuthentication,
-              subject,
-              error,
-            );
-          } catch (error) {
-            assertIdGuardError(error);
-            /**
-             * If the token has expired, we close the connection with CloseCode.Forbidden, and allow the client to automatically re-establish
-             * the connection with a new token.
-             */
-            if (error.code === IdGuardErrors.AccessTokenExpired.code) {
-              /**
-               * `CloseCode.Forbidden` is used so that the client will automatically start retry process with a newer token.
-               * Any other CloseCode will result in a client exception and the client will not automatically retry.
-               */
-              params.context.extra.socket.close(
-                CloseCode.Forbidden,
-                IdGuardErrors.AccessTokenExpired.code,
-              );
-            } else {
-              throw error;
-            }
-          }
-          return args;
-        } else if (isAuthenticatedEndUser(subject)) {
-          try {
-            handleEndUserAuthorization(
-              options,
-              ensureOnlyAuthentication,
-              subject,
-              error,
-            );
-          } catch (error) {
-            assertIdGuardError(error);
-            /**
-             * If the token has expired, we close the connection with CloseCode.Forbidden, and allow the client to automatically re-establish
-             * the connection with a new token.
-             */
-            if (error.code === IdGuardErrors.AccessTokenExpired.code) {
-              /**
-               * `CloseCode.Forbidden` is used so that the client will automatically start retry process with a newer token.
-               * Any other CloseCode will result in a client exception and the client will not automatically retry.
-               */
-              params.context.extra.socket.close(
-                CloseCode.Forbidden,
-                IdGuardErrors.AccessTokenExpired.code,
-              );
-            } else {
-              throw error;
-            }
-          }
-          return args;
-        }
-      }
-      /**
-       * `graphql-transport-ws` does not propagate thrown exceptions to the client.
-       * So if either `graphileBuildOptions` or `subscription` is undefined, we close the web socket connection with BadRequest error.
-       * The client will have to explicitly re-establish the web socket connection.
-       */
-      params.context.extra.socket.close(
-        CloseCode.BadRequest,
-        'Error in subscription setup. This is likely caused by a development time issue.',
-      );
-      return args;
-    },
-  };
-};
-/**
- * Extract Subscription from the AST.
- */
-const getSubscription = (
-  operationDefinitions: OperationDefinitionNode[],
-  operationName: string | undefined,
-): FieldNode | undefined => {
-  // In a subscription request query, there can be only one subscription,
-  // and only one operation with the same name.
-  // We extract the AST for the Subscription using the operationName sent in params
-  const subscriptionDefinition = operationDefinitions.filter(
-    (opDefs) => opDefs.name?.value === operationName,
-  )[0];
-  if (subscriptionDefinition !== undefined) {
-    // If the called operation is found in the query,
-    // proceed to extract the subscription from the GQL Operation definition.
-    // There can only be one subscription in a Subscription operation, hence getting the [0]th element.
-    const subscription = (
-      subscriptionDefinition.selectionSet.selections as FieldNode[]
-    )[0];
-    return subscription;
-  }
-};
-const assertIdGuardError: (error: unknown) => asserts error is IdGuardError = (
-  error: unknown,
-): asserts error is IdGuardError => {
-  if (!(error instanceof IdGuardError)) {
-    throw new NonMosaicError(
-      `A caught error is not an instance of an IdGuardError class.`,
-    );
-  }
-};