@axinom/mosaic-id-guard 0.18.0-rc.9 → 0.18.0

package/dist/graphql/subscription-authorization-hook-factory.js

@@ -1,182 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.subscriptionAuthorizationHookFactory = void 0;
-const mosaic_service_common_1 = require("@axinom/mosaic-service-common");
-const graphql_tag_1 = __importDefault(require("graphql-tag"));
-const graphql_ws_1 = require("graphql-ws");
-const common_1 = require("../common");
-const guard_utils_1 = require("../common/guard-utils");
-const handle_end_user_authorization_1 = require("../common/handle-end-user-authorization");
-const handle_management_user_authorization_1 = require("../common/handle-management-user-authorization");
-/**
- * This is a hook plugin generator function that will use the PermissionDefinition object in PostGraphileOptions
- * to authorize the Subscription operation done over a web socket.
- * It checks if the authenticated user which initiates the subscription has required permissions.
- * The actual plugin is built using this function when the build() function is called in PostgraphileOptionsBuilder.
- * This function reference can be passed into addHookPluginGenerator() to activate authorization of subscriptions.
- * @param PostGraphileOptions object containing permissions.
- * @returns PostGraphilePlugin
- */
-const subscriptionAuthorizationHookFactory = (buildOptions) => {
-    return {
-        // Handles subscription requests coming through protocol `graphql-ws`
-        // This is maintained for backwards compatibility. Managed services use `graphql-transport-ws` protocol (implemented below)
-        'postgraphile:ws:onOperation': (params) => {
-            var _a;
-            // Extract GQL query and build an AST
-            // Need to determine the Subscription that's being called.
-            const gqlQuery = (0, graphql_tag_1.default)(params.query.toString());
-            const operationDefinitions = gqlQuery.definitions;
-            const subscription = getSubscription(operationDefinitions, params.operationName);
-            if (buildOptions !== undefined &&
-                buildOptions.graphileBuildOptions !== undefined &&
-                subscription !== undefined) {
-                // Get permissionDefinition from graphileBuildOptions
-                const permissionDefinition = buildOptions === null || buildOptions === void 0 ? void 0 : buildOptions.graphileBuildOptions.permissionDefinition;
-                const endUserAuthorizationConfig = buildOptions === null || buildOptions === void 0 ? void 0 : buildOptions.graphileBuildOptions.endUserAuthorizationConfig;
-                const ensureOnlyAuthentication = buildOptions === null || buildOptions === void 0 ? void 0 : buildOptions.graphileBuildOptions.ensureOnlyAuthentication;
-                const options = {
-                    operation: subscription.name.value,
-                    permissionDefinition,
-                    serviceId: params.context.config.serviceId,
-                    endUserAuthorizationConfig,
-                };
-                const error = undefined;
-                const subject = params.context.subject;
-                (0, common_1.assertGenericAuthenticatedSubject)(subject);
-                // If the authorization fails, throw error
-                if ((0, guard_utils_1.isAuthenticatedManagementSubject)(subject)) {
-                    (0, handle_management_user_authorization_1.handleManagementUserAuthorization)(options, ensureOnlyAuthentication, subject, error);
-                    return params;
-                }
-                else if ((0, guard_utils_1.isAuthenticatedEndUser)(subject)) {
-                    (0, handle_end_user_authorization_1.handleEndUserAuthorization)(options, ensureOnlyAuthentication, subject, error);
-                    return params;
-                }
-                else {
-                    throw new common_1.IdGuardError({
-                        message: 'User is not authorized for this subscription.',
-                        code: common_1.IdGuardErrors.UserNotAuthorized.code,
-                        details: {
-                            user: (_a = params.context.subject) === null || _a === void 0 ? void 0 : _a.sub,
-                            serviceId: options.serviceId,
-                        },
-                    });
-                }
-            }
-            throw new Error('Error in subscription setup. This is likely caused by a development time issue.');
-        },
-        // Handles subscription requests coming through protocol `graphql-transport-ws`
-        // Managed services use this protocol for subscriptions.
-        'postgraphile:ws:onSubscribe': (args, params) => {
-            var _a;
-            // If there were any Authentication Errors, close the web socket.
-            if (params.context.extra.request.authContext
-                .authErrorInfo !== undefined) {
-                params.context.extra.socket.close(graphql_ws_1.CloseCode.Forbidden, common_1.IdGuardErrors.AccessTokenInvalid.code);
-                return args;
-            }
-            const definitionNodes = args.document
-                .definitions;
-            const subscription = getSubscription(definitionNodes, (_a = args.operationName) !== null && _a !== void 0 ? _a : undefined);
-            if (buildOptions !== undefined &&
-                buildOptions.graphileBuildOptions !== undefined &&
-                subscription !== undefined) {
-                // Get permissionDefinition from graphileBuildOptions
-                const permissionDefinition = buildOptions === null || buildOptions === void 0 ? void 0 : buildOptions.graphileBuildOptions.permissionDefinition;
-                const endUserAuthorizationConfig = buildOptions === null || buildOptions === void 0 ? void 0 : buildOptions.graphileBuildOptions.endUserAuthorizationConfig;
-                const ensureOnlyAuthentication = buildOptions === null || buildOptions === void 0 ? void 0 : buildOptions.graphileBuildOptions.ensureOnlyAuthentication;
-                const options = {
-                    operation: subscription.name.value,
-                    permissionDefinition,
-                    serviceId: args.contextValue.config.serviceId,
-                    endUserAuthorizationConfig,
-                };
-                const error = undefined;
-                const subject = args.contextValue.subject;
-                (0, common_1.assertGenericAuthenticatedSubject)(subject);
-                // If the authorization fails, throw error
-                // Authorization is only checked for Management tokens
-                if ((0, guard_utils_1.isAuthenticatedManagementSubject)(subject)) {
-                    try {
-                        (0, handle_management_user_authorization_1.handleManagementUserAuthorization)(options, ensureOnlyAuthentication, subject, error);
-                    }
-                    catch (error) {
-                        assertIdGuardError(error);
-                        /**
-                         * If the token has expired, we close the connection with CloseCode.Forbidden, and allow the client to automatically re-establish
-                         * the connection with a new token.
-                         */
-                        if (error.code === common_1.IdGuardErrors.AccessTokenExpired.code) {
-                            /**
-                             * `CloseCode.Forbidden` is used so that the client will automatically start retry process with a newer token.
-                             * Any other CloseCode will result in a client exception and the client will not automatically retry.
-                             */
-                            params.context.extra.socket.close(graphql_ws_1.CloseCode.Forbidden, common_1.IdGuardErrors.AccessTokenExpired.code);
-                        }
-                        else {
-                            throw error;
-                        }
-                    }
-                    return args;
-                }
-                else if ((0, guard_utils_1.isAuthenticatedEndUser)(subject)) {
-                    try {
-                        (0, handle_end_user_authorization_1.handleEndUserAuthorization)(options, ensureOnlyAuthentication, subject, error);
-                    }
-                    catch (error) {
-                        assertIdGuardError(error);
-                        /**
-                         * If the token has expired, we close the connection with CloseCode.Forbidden, and allow the client to automatically re-establish
-                         * the connection with a new token.
-                         */
-                        if (error.code === common_1.IdGuardErrors.AccessTokenExpired.code) {
-                            /**
-                             * `CloseCode.Forbidden` is used so that the client will automatically start retry process with a newer token.
-                             * Any other CloseCode will result in a client exception and the client will not automatically retry.
-                             */
-                            params.context.extra.socket.close(graphql_ws_1.CloseCode.Forbidden, common_1.IdGuardErrors.AccessTokenExpired.code);
-                        }
-                        else {
-                            throw error;
-                        }
-                    }
-                    return args;
-                }
-            }
-            /**
-             * `graphql-transport-ws` does not propagate thrown exceptions to the client.
-             * So if either `graphileBuildOptions` or `subscription` is undefined, we close the web socket connection with BadRequest error.
-             * The client will have to explicitly re-establish the web socket connection.
-             */
-            params.context.extra.socket.close(graphql_ws_1.CloseCode.BadRequest, 'Error in subscription setup. This is likely caused by a development time issue.');
-            return args;
-        },
-    };
-};
-exports.subscriptionAuthorizationHookFactory = subscriptionAuthorizationHookFactory;
-/**
- * Extract Subscription from the AST.
- */
-const getSubscription = (operationDefinitions, operationName) => {
-    // In a subscription request query, there can be only one subscription,
-    // and only one operation with the same name.
-    // We extract the AST for the Subscription using the operationName sent in params
-    const subscriptionDefinition = operationDefinitions.filter((opDefs) => { var _a; return ((_a = opDefs.name) === null || _a === void 0 ? void 0 : _a.value) === operationName; })[0];
-    if (subscriptionDefinition !== undefined) {
-        // If the called operation is found in the query,
-        // proceed to extract the subscription from the GQL Operation definition.
-        // There can only be one subscription in a Subscription operation, hence getting the [0]th element.
-        const subscription = subscriptionDefinition.selectionSet.selections[0];
-        return subscription;
-    }
-};
-const assertIdGuardError = (error) => {
-    if (!(error instanceof common_1.IdGuardError)) {
-        throw new mosaic_service_common_1.NonMosaicError(`A caught error is not an instance of an IdGuardError class.`);
-    }
-};
-//# sourceMappingURL=subscription-authorization-hook-factory.js.map

package/dist/graphql/subscription-authorization-hook-factory.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"subscription-authorization-hook-factory.js","sourceRoot":"","sources":["../../src/graphql/subscription-authorization-hook-factory.ts"],"names":[],"mappings":";;;;;;AAIA,yEAAgF;AAQhF,8DAA8B;AAC9B,2CAAkE;AAQlE,sCAImB;AACnB,uDAI+B;AAC/B,2FAAqF;AACrF,yGAAmG;AAGnG;;;;;;;;GAQG;AACI,MAAM,oCAAoC,GAAG,CAClD,YAAgE,EAC5C,EAAE;IACtB,OAAO;QACL,qEAAqE;QACrE,2HAA2H;QAC3H,6BAA6B,EAAE,CAAC,MAAuB,EAAE,EAAE;;YACzD,qCAAqC;YACrC,0DAA0D;YAC1D,MAAM,QAAQ,GAAG,IAAA,qBAAG,EAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC9C,MAAM,oBAAoB,GACxB,QAAQ,CAAC,WAAwC,CAAC;YAEpD,MAAM,YAAY,GAAG,eAAe,CAClC,oBAAoB,EACpB,MAAM,CAAC,aAAa,CACrB,CAAC;YAEF,IACE,YAAY,KAAK,SAAS;gBAC1B,YAAY,CAAC,oBAAoB,KAAK,SAAS;gBAC/C,YAAY,KAAK,SAAS,EAC1B;gBACA,qDAAqD;gBACrD,MAAM,oBAAoB,GAAG,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,oBAAoB,CAC5D,oBAA4C,CAAC;gBAEhD,MAAM,0BAA0B,GAAG,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,oBAAoB,CAClE,0BAAwD,CAAC;gBAE5D,MAAM,wBAAwB,GAAG,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,oBAAoB,CAChE,wBAAmC,CAAC;gBAEvC,MAAM,OAAO,GAA4B;oBACvC,SAAS,EAAE,YAAY,CAAC,IAAI,CAAC,KAAK;oBAClC,oBAAoB;oBACpB,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS;oBAC1C,0BAA0B;iBAC3B,CAAC;gBACF,MAAM,KAAK,GAAgC,SAAS,CAAC;gBAErD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;gBACvC,IAAA,0CAAiC,EAAC,OAAO,CAAC,CAAC;gBAE3C,0CAA0C;gBAC1C,IAAI,IAAA,8CAAgC,EAAC,OAAO,CAAC,EAAE;oBAC7C,IAAA,wEAAiC,EAC/B,OAAO,EACP,wBAAwB,EACxB,OAAO,EACP,KAAK,CACN,CAAC;oBACF,OAAO,MAAM,CAAC;iBACf;qBAAM,IAAI,IAAA,oCAAsB,EAAC,OAAO,CAAC,EAAE;oBAC1C,IAAA,0DAA0B,EACxB,OAAO,EACP,wBAAwB,EACxB,OAAO,EACP,KAAK,CACN,CAAC;oBACF,OAAO,MAAM,CAAC;iBACf;qBAAM;oBACL,MAAM,IAAI,qBAAY,CAAC;wBACrB,OAAO,EAAE,+CAA+C;wBACxD,IAAI,EAAE,sBAAa,CAAC,iBAAiB,CAAC,IAAI;wBAC1C,OAAO,EAAE;4BACP,IAAI,EAAE,MAAA,MAAM,CAAC,OAAO,CAAC,OAAO,0CAAE,GAAG;4BACjC,SAAS,EAAE,OAAO,CAAC,SAAS;yBAC7B;qBACF,CAAC,CAAC;iBACJ;aACF;YACD,MAAM,IAAI,KAAK,CACb,iFAAiF,CAClF,CAAC;QACJ,CAAC;QAED,+EAA+E;QAC/E,wDAAwD;QACxD,6BAA6B,EAAE,CAC7B,IAEC,EACD,MAIC,EACD,EAAE;;YACF,iEAAiE;YACjE,IACG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,OAAgC,CAAC,WAAW;iBAC/D,aAAa,KAAK,SAAS,EAC9B;gBACA,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAC/B,sBAAS,CAAC,SAAS,EACnB,sBAAa,CAAC,kBAAkB,CAAC,IAAI,CACtC,CAAC;gBACF,OAAO,IAAI,CAAC;aACb;YAED,MAAM,eAAe,GAAG,IAAI,CAAC,QAAQ;iBAClC,WAAwC,CAAC;YAE5C,MAAM,YAAY,GAAG,eAAe,CAClC,eAAe,EACf,MAAA,IAAI,CAAC,aAAa,mCAAI,SAAS,CAChC,CAAC;YACF,IACE,YAAY,KAAK,SAAS;gBAC1B,YAAY,CAAC,oBAAoB,KAAK,SAAS;gBAC/C,YAAY,KAAK,SAAS,EAC1B;gBACA,qDAAqD;gBACrD,MAAM,oBAAoB,GAAG,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,oBAAoB,CAC5D,oBAA4C,CAAC;gBAEhD,MAAM,0BAA0B,GAAG,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,oBAAoB,CAClE,0BAAwD,CAAC;gBAE5D,MAAM,wBAAwB,GAAG,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,oBAAoB,CAChE,wBAAmC,CAAC;gBAEvC,MAAM,OAAO,GAA4B;oBACvC,SAAS,EAAE,YAAY,CAAC,IAAI,CAAC,KAAK;oBAClC,oBAAoB;oBACpB,SAAS,EAAE,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,SAAS;oBAC7C,0BAA0B;iBAC3B,CAAC;gBACF,MAAM,KAAK,GAAgC,SAAS,CAAC;gBAErD,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC;gBAC1C,IAAA,0CAAiC,EAAC,OAAO,CAAC,CAAC;gBAE3C,0CAA0C;gBAC1C,sDAAsD;gBACtD,IAAI,IAAA,8CAAgC,EAAC,OAAO,CAAC,EAAE;oBAC7C,IAAI;wBACF,IAAA,wEAAiC,EAC/B,OAAO,EACP,wBAAwB,EACxB,OAAO,EACP,KAAK,CACN,CAAC;qBACH;oBAAC,OAAO,KAAK,EAAE;wBACd,kBAAkB,CAAC,KAAK,CAAC,CAAC;wBAC1B;;;2BAGG;wBACH,IAAI,KAAK,CAAC,IAAI,KAAK,sBAAa,CAAC,kBAAkB,CAAC,IAAI,EAAE;4BACxD;;;+BAGG;4BACH,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAC/B,sBAAS,CAAC,SAAS,EACnB,sBAAa,CAAC,kBAAkB,CAAC,IAAI,CACtC,CAAC;yBACH;6BAAM;4BACL,MAAM,KAAK,CAAC;yBACb;qBACF;oBACD,OAAO,IAAI,CAAC;iBACb;qBAAM,IAAI,IAAA,oCAAsB,EAAC,OAAO,CAAC,EAAE;oBAC1C,IAAI;wBACF,IAAA,0DAA0B,EACxB,OAAO,EACP,wBAAwB,EACxB,OAAO,EACP,KAAK,CACN,CAAC;qBACH;oBAAC,OAAO,KAAK,EAAE;wBACd,kBAAkB,CAAC,KAAK,CAAC,CAAC;wBAC1B;;;2BAGG;wBACH,IAAI,KAAK,CAAC,IAAI,KAAK,sBAAa,CAAC,kBAAkB,CAAC,IAAI,EAAE;4BACxD;;;+BAGG;4BACH,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAC/B,sBAAS,CAAC,SAAS,EACnB,sBAAa,CAAC,kBAAkB,CAAC,IAAI,CACtC,CAAC;yBACH;6BAAM;4BACL,MAAM,KAAK,CAAC;yBACb;qBACF;oBACD,OAAO,IAAI,CAAC;iBACb;aACF;YACD;;;;eAIG;YACH,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAC/B,sBAAS,CAAC,UAAU,EACpB,iFAAiF,CAClF,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;AACJ,CAAC,CAAC;AA9MW,QAAA,oCAAoC,wCA8M/C;AAEF;;GAEG;AACH,MAAM,eAAe,GAAG,CACtB,oBAA+C,EAC/C,aAAiC,EACV,EAAE;IACzB,uEAAuE;IACvE,6CAA6C;IAC7C,iFAAiF;IACjF,MAAM,sBAAsB,GAAG,oBAAoB,CAAC,MAAM,CACxD,CAAC,MAAM,EAAE,EAAE,WAAC,OAAA,CAAA,MAAA,MAAM,CAAC,IAAI,0CAAE,KAAK,MAAK,aAAa,CAAA,EAAA,CACjD,CAAC,CAAC,CAAC,CAAC;IAEL,IAAI,sBAAsB,KAAK,SAAS,EAAE;QACxC,iDAAiD;QACjD,yEAAyE;QACzE,mGAAmG;QACnG,MAAM,YAAY,GAChB,sBAAsB,CAAC,YAAY,CAAC,UACrC,CAAC,CAAC,CAAC,CAAC;QACL,OAAO,YAAY,CAAC;KACrB;AACH,CAAC,CAAC;AAEF,MAAM,kBAAkB,GAAsD,CAC5E,KAAc,EACiB,EAAE;IACjC,IAAI,CAAC,CAAC,KAAK,YAAY,qBAAY,CAAC,EAAE;QACpC,MAAM,IAAI,sCAAc,CACtB,6DAA6D,CAC9D,CAAC;KACH;AACH,CAAC,CAAC"}