@memberjunction/server 3.3.0 → 3.4.0

package/src/generic/ResolverBase.ts

@@ -19,8 +19,9 @@ import {
 } from '@memberjunction/core';
 import { AuditLogEntity, ErrorLogEntity, UserViewEntityExtended } from '@memberjunction/core-entities';
 import { SQLServerDataProvider, UserCache } from '@memberjunction/sqlserver-dataprovider';
-import { PubSubEngine } from 'type-graphql';
+import { PubSubEngine, AuthorizationError } from 'type-graphql';
 import { GraphQLError } from 'graphql';
+import { GetAPIKeyEngine } from '@memberjunction/api-keys';
 import sql from 'mssql';
 import { httpTransport, CloudEvent, emitterFor } from 'cloudevents';
 
@@ -504,7 +505,7 @@ export class ResolverBase {
     if (!userPayload) {
       throw new Error(`userPayload is null`);
     }
-    
+
     // first check permissions, the logged in user must have read permissions on the entity to run the view
     if (entityInfo) {
       const userInfo = UserCache.Users.find((u) => u.Email.toLowerCase().trim() === userPayload.email.toLowerCase().trim()); // get the user record from MD so we have ROLES attached, don't use the one from payload directly
@@ -516,12 +517,85 @@ export class ResolverBase {
       if (!userPermissions.CanRead) {
         throw new Error(`User ${userPayload.email} does not have read permissions on ${entityInfo.Name}`);
       }
-    } 
+    }
     else {
       throw new Error(`Entity not found in metadata`);
     }
   }
 
+  /**
+   * Checks API key scope authorization. Only performs check if request
+   * was authenticated via API key (apiKeyHash present in userPayload).
+   * For OAuth/JWT auth, this is a no-op.
+   *
+   * @param scopePath - The scope path (e.g., 'entity:read', 'agent:execute')
+   * @param resource - The resource name (e.g., entity name, agent name)
+   * @param userPayload - The user payload from context
+   * @throws AuthorizationError if API key lacks required scope
+   */
+  protected async CheckAPIKeyScopeAuthorization(
+    scopePath: string,
+    resource: string,
+    userPayload: UserPayload
+  ): Promise<void> {
+    // Skip scope check for OAuth/JWT auth (no API key)
+    if (!userPayload.apiKeyHash) {
+      return;
+    }
+
+    // Get system user for authorization call
+    // NOTE: We use system user here because Authorize() needs to run internal
+    // database queries (loading scope rules, logging decisions). The system user
+    // ensures these queries work regardless of what permissions the API key's
+    // user has. The API key's associated user (in userPayload.userRecord) is
+    // used later when the actual operation executes - their permissions are
+    // the ultimate ceiling that scopes can only narrow, never expand.
+    const systemUser = UserCache.Instance.Users.find(u => u.Type === 'System');
+    if (!systemUser) {
+      throw new Error('System user not found');
+    }
+
+    const apiKeyEngine = GetAPIKeyEngine();
+
+    // Check for full_access scope first (god power - bypasses all other checks)
+    const fullAccessResult = await apiKeyEngine.Authorize(
+      userPayload.apiKeyHash,
+      'MJAPI',
+      'full_access',
+      '*',
+      systemUser,
+      { endpoint: '/graphql', method: 'POST' }
+    );
+
+    if (fullAccessResult.Allowed) {
+      // full_access granted - skip specific scope check
+      return;
+    }
+
+    // Check specific scope
+    const result = await apiKeyEngine.Authorize(
+      userPayload.apiKeyHash,
+      'MJAPI',
+      scopePath,
+      resource,
+      systemUser,
+      {
+        endpoint: '/graphql',
+        method: 'POST'
+      }
+    );
+
+    if (!result.Allowed) {
+      // Provide specific, actionable error message
+      throw new AuthorizationError(
+        `Access denied. This API key requires the '${scopePath}' scope ` +
+        `for resource '${resource}' to perform this operation. ` +
+        `Please update the API key's scopes or use an API key with appropriate permissions. ` +
+        `Denial reason: ${result.Reason}`
+      );
+    }
+  }
+
   /**
    * Optimized RunViewGenericInternal implementation with:
    * - Field filtering at source (Fix #7)
@@ -550,6 +624,9 @@ export class ResolverBase {
     try {
       if (!viewInfo || !userPayload) return null;
 
+      // Check API key scope authorization for view operations
+      await this.CheckAPIKeyScopeAuthorization('view:run', viewInfo.Entity, userPayload);
+
       const md = provider
       const user = UserCache.Users.find((u) => u.Email.toLowerCase().trim() === userPayload?.email.toLowerCase().trim());
       if (!user) throw new Error(`User ${userPayload?.email} not found in metadata`);
@@ -908,6 +985,9 @@ export class ResolverBase {
   }
 
   protected async CreateRecord(entityName: string, input: any, provider: DatabaseProviderBase, userPayload: UserPayload, pubSub: PubSubEngine) {
+    // Check API key scope authorization for entity create operations
+    await this.CheckAPIKeyScopeAuthorization('entity:create', entityName, userPayload);
+
     if (await this.BeforeCreate(provider, input)) {
       // fire event and proceed if it wasn't cancelled
       const entityObject = await provider.GetEntityObject(entityName, this.GetUserFromPayload(userPayload));
@@ -940,6 +1020,9 @@ export class ResolverBase {
   protected async AfterCreate(provider: DatabaseProviderBase, input: any) {}
 
   protected async UpdateRecord(entityName: string, input: any, provider: DatabaseProviderBase, userPayload: UserPayload, pubSub: PubSubEngine) {
+    // Check API key scope authorization for entity update operations
+    await this.CheckAPIKeyScopeAuthorization('entity:update', entityName, userPayload);
+
     if (await this.BeforeUpdate(provider, input)) {
       // fire event and proceed if it wasn't cancelled
       const userInfo = this.GetUserFromPayload(userPayload);
@@ -1202,6 +1285,9 @@ export class ResolverBase {
     userPayload: UserPayload,
     pubSub: PubSubEngine
   ) {
+    // Check API key scope authorization for entity delete operations
+    await this.CheckAPIKeyScopeAuthorization('entity:delete', entityName, userPayload);
+
     if (await this.BeforeDelete(provider, key)) {
       // fire event and proceed if it wasn't cancelled
       const entityObject = await provider.GetEntityObject(entityName, this.GetUserFromPayload(userPayload));

package/src/index.ts

@@ -81,7 +81,15 @@ export { configInfo, DEFAULT_SERVER_CONFIG } from './config.js';
 export * from './directives/index.js';
 export * from './entitySubclasses/entityPermissions.server.js';
 export * from './types.js';
-export { TokenExpiredError, getSystemUser } from './auth/index.js';
+export {
+    TokenExpiredError,
+    getSystemUser,
+    getSigningKeys,
+    extractUserInfoFromPayload,
+    verifyUserRecord,
+    AuthProviderFactory,
+    IAuthProvider,
+} from './auth/index.js';
 export * from './auth/APIKeyScopeAuth.js';
 
 export * from './generic/PushStatusResolver.js';
@@ -98,7 +106,6 @@ export * from './generic/DeleteOptionsInput.js';
 export * from './agents/skip-agent.js';
 export * from './agents/skip-sdk.js';
 
-export * from './resolvers/AskSkipResolver.js';
 export * from './resolvers/ColorResolver.js';
 export * from './resolvers/ComponentRegistryResolver.js';
 export * from './resolvers/DatasetResolver.js';
@@ -115,6 +122,7 @@ export * from './resolvers/TransactionGroupResolver.js';
 export * from './resolvers/CreateQueryResolver.js';
 export * from './resolvers/TelemetryResolver.js';
 export * from './resolvers/APIKeyResolver.js';
+export * from './resolvers/MCPResolver.js';
 export { GetReadOnlyDataSource, GetReadWriteDataSource, GetReadWriteProvider, GetReadOnlyProvider } from './util.js';
 
 export * from './generated/generated.js';

package/src/resolvers/APIKeyResolver.ts

@@ -4,6 +4,7 @@ import { LogError, Metadata } from "@memberjunction/core";
 import { APIKeyScopeEntity } from "@memberjunction/core-entities";
 import { GetAPIKeyEngine } from "@memberjunction/api-keys";
 import { AppContext } from "../types.js";
+import { ResolverBase } from "../generic/ResolverBase.js";
 
 /**
  * Input type for creating a new API key
@@ -90,7 +91,7 @@ export class RevokeAPIKeyResult {
  * Handles secure server-side API key generation
  */
 @Resolver()
-export class APIKeyResolver {
+export class APIKeyResolver extends ResolverBase {
     /**
      * Creates a new API key with proper server-side cryptographic hashing.
      *
@@ -109,6 +110,9 @@ export class APIKeyResolver {
         @Arg("input") input: CreateAPIKeyInput,
         @Ctx() ctx: AppContext
     ): Promise<CreateAPIKeyResult> {
+        // Check API key scope authorization for API key creation
+        await this.CheckAPIKeyScopeAuthorization('apikey:create', '*', ctx.userPayload);
+
         try {
             // Get the authenticated user
             const user = ctx.userPayload.userRecord;
@@ -173,6 +177,9 @@ export class APIKeyResolver {
         @Arg("apiKeyId") apiKeyId: string,
         @Ctx() ctx: AppContext
     ): Promise<RevokeAPIKeyResult> {
+        // Check API key scope authorization for API key revocation
+        await this.CheckAPIKeyScopeAuthorization('apikey:revoke', apiKeyId, ctx.userPayload);
+
         try {
             const user = ctx.userPayload.userRecord;
             if (!user) {

package/src/resolvers/ActionResolver.ts

@@ -8,6 +8,7 @@ import { KeyValuePairInput } from "../generic/KeyValuePairInput.js";
 import { AppContext, ProviderInfo } from "../types.js";
 import { CopyScalarsAndArrays } from "@memberjunction/global";
 import { GetReadOnlyProvider } from "../util.js";
+import { ResolverBase } from "../generic/ResolverBase.js";
 
 /**
  * Input type for action parameters
@@ -171,7 +172,7 @@ export class ActionResultOutput {
  * Handles running actions and entity actions through GraphQL
  */
 @Resolver()
-export class ActionResolver {
+export class ActionResolver extends ResolverBase {
   /**
    * Mutation for running an action
    * @param input The input parameters for running the action
@@ -184,6 +185,9 @@ export class ActionResolver {
     @Ctx() ctx: AppContext
   ): Promise<ActionResultOutput> {
     try {
+      // Check API key scope authorization for action execution
+      await this.CheckAPIKeyScopeAuthorization('action:execute', input.ActionID, ctx.userPayload);
+
       // Get the user from context
       const user = ctx.userPayload.userRecord;
       if (!user) {
@@ -326,6 +330,9 @@ export class ActionResolver {
     @Ctx() ctx: AppContext
   ): Promise<ActionResultOutput> {
     try {
+      // Check API key scope authorization for entity action execution
+      await this.CheckAPIKeyScopeAuthorization('action:execute', input.EntityActionID, ctx.userPayload);
+
       const user = ctx.userPayload.userRecord;
       if (!user) {
         throw new Error("User is not authenticated");

package/src/resolvers/DatasetResolver.ts

@@ -2,6 +2,7 @@ import { Arg, Ctx, Field, InputType, Int, ObjectType, Query, Resolver } from 'ty
 import { AppContext } from '../types.js';
 import { LogError, Metadata } from '@memberjunction/core';
 import { GetReadOnlyProvider } from '../util.js';
+import { ResolverBase } from '../generic/ResolverBase.js';
 
 @ObjectType()
 export class DatasetResultType {
@@ -35,13 +36,16 @@ export class DatasetItemFilterTypeGQL {
 
 
 @Resolver(DatasetResultType)
-export class DatasetResolverExtended {
+export class DatasetResolverExtended extends ResolverBase {
   @Query(() => DatasetResultType)
   async GetDatasetByName(
     @Arg('DatasetName', () => String) DatasetName: string,
-    @Ctx() {providers}: AppContext,
+    @Ctx() { providers, userPayload }: AppContext,
     @Arg('ItemFilters', () => [DatasetItemFilterTypeGQL], { nullable: 'itemsAndList' }) ItemFilters?: DatasetItemFilterTypeGQL[]
   ) {
+    // Check API key scope authorization for dataset read
+    await this.CheckAPIKeyScopeAuthorization('dataset:read', DatasetName, userPayload);
+
     try {
       const md = GetReadOnlyProvider(providers, {allowFallbackToReadWrite: true});
       const result = await md.GetDatasetByName(DatasetName, ItemFilters);
@@ -86,13 +90,16 @@ export class DatasetStatusResultType {
 }
 
 @Resolver(DatasetStatusResultType)
-export class DatasetStatusResolver {
+export class DatasetStatusResolver extends ResolverBase {
   @Query(() => DatasetStatusResultType)
   async GetDatasetStatusByName(
     @Arg('DatasetName', () => String) DatasetName: string,
-    @Ctx() {providers}: AppContext,
+    @Ctx() { providers, userPayload }: AppContext,
     @Arg('ItemFilters', () => [DatasetItemFilterTypeGQL], { nullable: 'itemsAndList' }) ItemFilters?: DatasetItemFilterTypeGQL[]
   ) {
+    // Check API key scope authorization for dataset read
+    await this.CheckAPIKeyScopeAuthorization('dataset:read', DatasetName, userPayload);
+
     try {
       const md = GetReadOnlyProvider(providers, {allowFallbackToReadWrite: true});
       const result = await md.GetDatasetStatusByName(DatasetName, ItemFilters);

package/src/resolvers/EntityCommunicationsResolver.ts

@@ -8,6 +8,7 @@ import { GraphQLJSONObject } from 'graphql-type-json';
 import { TemplateEngineServer } from '@memberjunction/templates';
 import { EntityCommunicationParams } from '@memberjunction/entity-communications-base';
 import { z } from 'zod';
+import { ResolverBase } from '../generic/ResolverBase.js';
 
 @InputType()
 export class CommunicationProviderMessageType {
@@ -166,7 +167,7 @@ export class RunEntityCommunicationResultType {
 }
 
 @Resolver(RunEntityCommunicationResultType)
-export class ReportResolver {
+export class ReportResolver extends ResolverBase {
   @Query(() => RunEntityCommunicationResultType)
   async RunEntityCommunicationByViewID(
     @Arg('entityID', () => String) entityID: string,
@@ -178,6 +179,9 @@ export class ReportResolver {
     @Arg('includeProcessedMessages', () => Boolean) includeProcessedMessages: boolean,
     @Ctx() { userPayload }: AppContext
   ): Promise<RunEntityCommunicationResultType> {
+    // Check API key scope authorization for communication send
+    await this.CheckAPIKeyScopeAuthorization('communication:send', entityID, userPayload);
+
     try {
       await EntityCommunicationsEngine.Instance.Config(false, userPayload.userRecord);
       const newMessage = new Message(message as unknown as Message);

package/src/resolvers/GetDataContextDataResolver.ts

@@ -1,9 +1,10 @@
-import { Arg, Ctx, Field, ObjectType, Query } from "type-graphql";
+import { Arg, Ctx, Field, ObjectType, Query, Resolver } from "type-graphql";
 import { AppContext } from "../types.js";
 import { DataContext } from "@memberjunction/data-context";
 import { GetReadOnlyDataSource, GetReadOnlyProvider } from "../util.js";
 import { Metadata } from "@memberjunction/core";
 import { DataContextItemEntity } from "@memberjunction/core-entities";
+import { ResolverBase } from "../generic/ResolverBase.js";
 
 @ObjectType()
 export class GetDataContextItemDataOutputType {
@@ -39,16 +40,20 @@ export class GetDataContextDataOutputType {
 }
 
 
-export class GetDataContextDataResolver {
+@Resolver()
+export class GetDataContextDataResolver extends ResolverBase {
     /**
-     * Returns data for a given data context item. 
-     * @param DataContextItemID 
+     * Returns data for a given data context item.
+     * @param DataContextItemID
      */
     @Query(() => GetDataContextItemDataOutputType)
     async GetDataContextItemData(
         @Arg('DataContextItemID', () => String) DataContextItemID: string,
         @Ctx() appCtx: AppContext
     ) {
+        // Check API key scope authorization for data context read
+        await this.CheckAPIKeyScopeAuthorization('datacontext:read', DataContextItemID, appCtx.userPayload);
+
         try {
             const ds = GetReadOnlyDataSource(appCtx.dataSources, {
                 allowFallbackToReadWrite: true,
@@ -92,14 +97,17 @@ export class GetDataContextDataResolver {
     }
 
     /**
-     * Returns data for a given data context. 
-     * @param DataContextID 
+     * Returns data for a given data context.
+     * @param DataContextID
      */
     @Query(() => GetDataContextDataOutputType)
     async GetDataContextData(
         @Arg('DataContextID', () => String) DataContextID: string,
         @Ctx() appCtx: AppContext
     ) {
+        // Check API key scope authorization for data context read
+        await this.CheckAPIKeyScopeAuthorization('datacontext:read', DataContextID, appCtx.userPayload);
+
         try {
             // our job here is to load the entire data context, so we do that with the Data Context object
             const dc = new DataContext();