@memberjunction/server 3.2.0 → 3.4.0

package/src/resolvers/APIKeyResolver.ts

@@ -0,0 +1,241 @@
+import { Resolver, Mutation, Arg, Ctx } from "type-graphql";
+import { Field, InputType, ObjectType } from "type-graphql";
+import { LogError, Metadata } from "@memberjunction/core";
+import { APIKeyScopeEntity } from "@memberjunction/core-entities";
+import { GetAPIKeyEngine } from "@memberjunction/api-keys";
+import { AppContext } from "../types.js";
+import { ResolverBase } from "../generic/ResolverBase.js";
+
+/**
+ * Input type for creating a new API key
+ */
+@InputType()
+export class CreateAPIKeyInput {
+    /**
+     * Human-readable label for the API key
+     */
+    @Field()
+    Label: string;
+
+    /**
+     * Optional description of what the key is used for
+     */
+    @Field(() => String, { nullable: true })
+    Description?: string;
+
+    /**
+     * Optional expiration date for the key
+     */
+    @Field(() => Date, { nullable: true })
+    ExpiresAt?: Date;
+
+    /**
+     * Optional array of scope IDs to assign to this key
+     */
+    @Field(() => [String], { nullable: true })
+    ScopeIDs?: string[];
+}
+
+/**
+ * Result type for API key creation
+ * Returns the raw key ONCE - it cannot be recovered after this
+ */
+@ObjectType()
+export class CreateAPIKeyResult {
+    /**
+     * Whether the key was created successfully
+     */
+    @Field()
+    Success: boolean;
+
+    /**
+     * The raw API key - show this to the user ONCE
+     * This cannot be recovered after the initial response
+     */
+    @Field(() => String, { nullable: true })
+    RawKey?: string;
+
+    /**
+     * The database ID of the created API key
+     */
+    @Field(() => String, { nullable: true })
+    APIKeyID?: string;
+
+    /**
+     * Error message if creation failed
+     */
+    @Field(() => String, { nullable: true })
+    Error?: string;
+}
+
+/**
+ * Result type for API key revocation
+ */
+@ObjectType()
+export class RevokeAPIKeyResult {
+    /**
+     * Whether the key was revoked successfully
+     */
+    @Field()
+    Success: boolean;
+
+    /**
+     * Error message if revocation failed
+     */
+    @Field(() => String, { nullable: true })
+    Error?: string;
+}
+
+/**
+ * Resolver for API key operations
+ * Handles secure server-side API key generation
+ */
+@Resolver()
+export class APIKeyResolver extends ResolverBase {
+    /**
+     * Creates a new API key with proper server-side cryptographic hashing.
+     *
+     * This mutation:
+     * 1. Generates a cryptographically secure API key using APIKeyEngine
+     * 2. Stores only the SHA-256 hash in the database (never the raw key)
+     * 3. Returns the raw key ONCE - it cannot be recovered after this call
+     * 4. Optionally assigns scope permissions to the key
+     *
+     * @param input The creation parameters
+     * @param ctx The GraphQL context with authenticated user
+     * @returns The raw key (show once!) and database ID
+     */
+    @Mutation(() => CreateAPIKeyResult)
+    async CreateAPIKey(
+        @Arg("input") input: CreateAPIKeyInput,
+        @Ctx() ctx: AppContext
+    ): Promise<CreateAPIKeyResult> {
+        // Check API key scope authorization for API key creation
+        await this.CheckAPIKeyScopeAuthorization('apikey:create', '*', ctx.userPayload);
+
+        try {
+            // Get the authenticated user
+            const user = ctx.userPayload.userRecord;
+            if (!user) {
+                return {
+                    Success: false,
+                    Error: "User is not authenticated"
+                };
+            }
+
+            // Use APIKeyEngine to create the API key with proper server-side crypto
+            const apiKeyEngine = GetAPIKeyEngine();
+            const result = await apiKeyEngine.CreateAPIKey(
+                {
+                    UserId: user.ID,
+                    Label: input.Label,
+                    Description: input.Description,
+                    ExpiresAt: input.ExpiresAt
+                },
+                user
+            );
+
+            if (!result.Success) {
+                return {
+                    Success: false,
+                    Error: result.Error || "Failed to create API key"
+                };
+            }
+
+            // Save scope associations if provided
+            if (input.ScopeIDs && input.ScopeIDs.length > 0 && result.APIKeyId) {
+                await this.saveScopeAssociations(result.APIKeyId, input.ScopeIDs, user);
+            }
+
+            return {
+                Success: true,
+                RawKey: result.RawKey,
+                APIKeyID: result.APIKeyId
+            };
+        } catch (e) {
+            const error = e as Error;
+            LogError(`Error in CreateAPIKey resolver: ${error.message}`);
+            return {
+                Success: false,
+                Error: `Error creating API key: ${error.message}`
+            };
+        }
+    }
+
+    /**
+     * Revokes an API key, permanently disabling it.
+     *
+     * Once revoked, an API key cannot be reactivated. Users must create a new key.
+     * This uses APIKeyEngine.RevokeAPIKey() for consistency.
+     *
+     * @param apiKeyId The database ID of the API key to revoke
+     * @param ctx The GraphQL context with authenticated user
+     * @returns Success status
+     */
+    @Mutation(() => RevokeAPIKeyResult)
+    async RevokeAPIKey(
+        @Arg("apiKeyId") apiKeyId: string,
+        @Ctx() ctx: AppContext
+    ): Promise<RevokeAPIKeyResult> {
+        // Check API key scope authorization for API key revocation
+        await this.CheckAPIKeyScopeAuthorization('apikey:revoke', apiKeyId, ctx.userPayload);
+
+        try {
+            const user = ctx.userPayload.userRecord;
+            if (!user) {
+                return {
+                    Success: false,
+                    Error: "User is not authenticated"
+                };
+            }
+
+            const apiKeyEngine = GetAPIKeyEngine();
+            const result = await apiKeyEngine.RevokeAPIKey(apiKeyId, user);
+
+            if (result) {
+                return { Success: true };
+            } else {
+                return {
+                    Success: false,
+                    Error: "Failed to revoke API key. It may not exist or you may not have permission."
+                };
+            }
+        } catch (e) {
+            const error = e as Error;
+            LogError(`Error in RevokeAPIKey resolver: ${error.message}`);
+            return {
+                Success: false,
+                Error: `Error revoking API key: ${error.message}`
+            };
+        }
+    }
+
+    /**
+     * Saves scope associations for the newly created API key
+     * @param apiKeyId The ID of the created API key
+     * @param scopeIds Array of scope IDs to associate
+     * @param user The context user
+     */
+    private async saveScopeAssociations(
+        apiKeyId: string,
+        scopeIds: string[],
+        user: any
+    ): Promise<void> {
+        const md = new Metadata();
+
+        for (const scopeId of scopeIds) {
+            try {
+                const keyScope = await md.GetEntityObject<APIKeyScopeEntity>(
+                    'MJ: API Key Scopes',
+                    user
+                );
+                keyScope.APIKeyID = apiKeyId;
+                keyScope.ScopeID = scopeId;
+                await keyScope.Save();
+            } catch (error) {
+                LogError(`Error saving scope association for API key ${apiKeyId}, scope ${scopeId}: ${error}`);
+                // Continue with other scopes even if one fails
+            }
+        }
+    }
+}

package/src/resolvers/ActionResolver.ts

@@ -8,6 +8,7 @@ import { KeyValuePairInput } from "../generic/KeyValuePairInput.js";
 import { AppContext, ProviderInfo } from "../types.js";
 import { CopyScalarsAndArrays } from "@memberjunction/global";
 import { GetReadOnlyProvider } from "../util.js";
+import { ResolverBase } from "../generic/ResolverBase.js";
 
 /**
  * Input type for action parameters
@@ -171,7 +172,7 @@ export class ActionResultOutput {
  * Handles running actions and entity actions through GraphQL
  */
 @Resolver()
-export class ActionResolver {
+export class ActionResolver extends ResolverBase {
   /**
    * Mutation for running an action
    * @param input The input parameters for running the action
@@ -184,6 +185,9 @@ export class ActionResolver {
     @Ctx() ctx: AppContext
   ): Promise<ActionResultOutput> {
     try {
+      // Check API key scope authorization for action execution
+      await this.CheckAPIKeyScopeAuthorization('action:execute', input.ActionID, ctx.userPayload);
+
       // Get the user from context
       const user = ctx.userPayload.userRecord;
       if (!user) {
@@ -326,6 +330,9 @@ export class ActionResolver {
     @Ctx() ctx: AppContext
   ): Promise<ActionResultOutput> {
     try {
+      // Check API key scope authorization for entity action execution
+      await this.CheckAPIKeyScopeAuthorization('action:execute', input.EntityActionID, ctx.userPayload);
+
       const user = ctx.userPayload.userRecord;
       if (!user) {
         throw new Error("User is not authenticated");

package/src/resolvers/DatasetResolver.ts

@@ -2,6 +2,7 @@ import { Arg, Ctx, Field, InputType, Int, ObjectType, Query, Resolver } from 'ty
 import { AppContext } from '../types.js';
 import { LogError, Metadata } from '@memberjunction/core';
 import { GetReadOnlyProvider } from '../util.js';
+import { ResolverBase } from '../generic/ResolverBase.js';
 
 @ObjectType()
 export class DatasetResultType {
@@ -35,13 +36,16 @@ export class DatasetItemFilterTypeGQL {
 
 
 @Resolver(DatasetResultType)
-export class DatasetResolverExtended {
+export class DatasetResolverExtended extends ResolverBase {
   @Query(() => DatasetResultType)
   async GetDatasetByName(
     @Arg('DatasetName', () => String) DatasetName: string,
-    @Ctx() {providers}: AppContext,
+    @Ctx() { providers, userPayload }: AppContext,
     @Arg('ItemFilters', () => [DatasetItemFilterTypeGQL], { nullable: 'itemsAndList' }) ItemFilters?: DatasetItemFilterTypeGQL[]
   ) {
+    // Check API key scope authorization for dataset read
+    await this.CheckAPIKeyScopeAuthorization('dataset:read', DatasetName, userPayload);
+
     try {
       const md = GetReadOnlyProvider(providers, {allowFallbackToReadWrite: true});
       const result = await md.GetDatasetByName(DatasetName, ItemFilters);
@@ -86,13 +90,16 @@ export class DatasetStatusResultType {
 }
 
 @Resolver(DatasetStatusResultType)
-export class DatasetStatusResolver {
+export class DatasetStatusResolver extends ResolverBase {
   @Query(() => DatasetStatusResultType)
   async GetDatasetStatusByName(
     @Arg('DatasetName', () => String) DatasetName: string,
-    @Ctx() {providers}: AppContext,
+    @Ctx() { providers, userPayload }: AppContext,
     @Arg('ItemFilters', () => [DatasetItemFilterTypeGQL], { nullable: 'itemsAndList' }) ItemFilters?: DatasetItemFilterTypeGQL[]
   ) {
+    // Check API key scope authorization for dataset read
+    await this.CheckAPIKeyScopeAuthorization('dataset:read', DatasetName, userPayload);
+
     try {
       const md = GetReadOnlyProvider(providers, {allowFallbackToReadWrite: true});
       const result = await md.GetDatasetStatusByName(DatasetName, ItemFilters);

package/src/resolvers/EntityCommunicationsResolver.ts

@@ -8,6 +8,7 @@ import { GraphQLJSONObject } from 'graphql-type-json';
 import { TemplateEngineServer } from '@memberjunction/templates';
 import { EntityCommunicationParams } from '@memberjunction/entity-communications-base';
 import { z } from 'zod';
+import { ResolverBase } from '../generic/ResolverBase.js';
 
 @InputType()
 export class CommunicationProviderMessageType {
@@ -166,7 +167,7 @@ export class RunEntityCommunicationResultType {
 }
 
 @Resolver(RunEntityCommunicationResultType)
-export class ReportResolver {
+export class ReportResolver extends ResolverBase {
   @Query(() => RunEntityCommunicationResultType)
   async RunEntityCommunicationByViewID(
     @Arg('entityID', () => String) entityID: string,
@@ -178,6 +179,9 @@ export class ReportResolver {
     @Arg('includeProcessedMessages', () => Boolean) includeProcessedMessages: boolean,
     @Ctx() { userPayload }: AppContext
   ): Promise<RunEntityCommunicationResultType> {
+    // Check API key scope authorization for communication send
+    await this.CheckAPIKeyScopeAuthorization('communication:send', entityID, userPayload);
+
     try {
       await EntityCommunicationsEngine.Instance.Config(false, userPayload.userRecord);
       const newMessage = new Message(message as unknown as Message);

package/src/resolvers/GetDataContextDataResolver.ts

@@ -1,9 +1,10 @@
-import { Arg, Ctx, Field, ObjectType, Query } from "type-graphql";
+import { Arg, Ctx, Field, ObjectType, Query, Resolver } from "type-graphql";
 import { AppContext } from "../types.js";
 import { DataContext } from "@memberjunction/data-context";
 import { GetReadOnlyDataSource, GetReadOnlyProvider } from "../util.js";
 import { Metadata } from "@memberjunction/core";
 import { DataContextItemEntity } from "@memberjunction/core-entities";
+import { ResolverBase } from "../generic/ResolverBase.js";
 
 @ObjectType()
 export class GetDataContextItemDataOutputType {
@@ -39,16 +40,20 @@ export class GetDataContextDataOutputType {
 }
 
 
-export class GetDataContextDataResolver {
+@Resolver()
+export class GetDataContextDataResolver extends ResolverBase {
     /**
-     * Returns data for a given data context item. 
-     * @param DataContextItemID 
+     * Returns data for a given data context item.
+     * @param DataContextItemID
      */
     @Query(() => GetDataContextItemDataOutputType)
     async GetDataContextItemData(
         @Arg('DataContextItemID', () => String) DataContextItemID: string,
         @Ctx() appCtx: AppContext
     ) {
+        // Check API key scope authorization for data context read
+        await this.CheckAPIKeyScopeAuthorization('datacontext:read', DataContextItemID, appCtx.userPayload);
+
         try {
             const ds = GetReadOnlyDataSource(appCtx.dataSources, {
                 allowFallbackToReadWrite: true,
@@ -92,14 +97,17 @@ export class GetDataContextDataResolver {
     }
 
     /**
-     * Returns data for a given data context. 
-     * @param DataContextID 
+     * Returns data for a given data context.
+     * @param DataContextID
      */
     @Query(() => GetDataContextDataOutputType)
     async GetDataContextData(
         @Arg('DataContextID', () => String) DataContextID: string,
         @Ctx() appCtx: AppContext
     ) {
+        // Check API key scope authorization for data context read
+        await this.CheckAPIKeyScopeAuthorization('datacontext:read', DataContextID, appCtx.userPayload);
+
         try {
             // our job here is to load the entire data context, so we do that with the Data Context object
             const dc = new DataContext();