feat: teamEditor role (#2182)

theopensystemslab · Sep 11, 2023 · dc46e96 · dc46e96
1 parent 7dcf60c
commit dc46e96
Show file tree

Hide file tree

Showing 37 changed files with 551 additions and 94 deletions.
diff --git a/api.planx.uk/modules/auth/service.ts b/api.planx.uk/modules/auth/service.ts
@@ -1,34 +1,49 @@
 import { sign } from "jsonwebtoken";
-import { adminGraphQLClient as adminClient } from "../../hasura";
-import { gql } from "graphql-request";
+import { $admin } from "../../client";
+import { User, Role } from "@opensystemslab/planx-core/types";
 
-export const buildJWT = async (email: string | undefined) => {
-  const { users } = await adminClient.request(
-    gql`
-      query ($email: String!) {
-        users(where: { email: { _eq: $email } }, limit: 1) {
-          id
-        }
-      }
-    `,
-    { email },
-  );
-
-  if (!users.length) return;
-
-  const { id } = users[0];
-
-  const hasura = {
-    "x-hasura-allowed-roles": ["platformAdmin", "public"],
-    "x-hasura-default-role": "platformAdmin",
-    "x-hasura-user-id": id.toString(),
-  };
+export const buildJWT = async (email: string): Promise<string | undefined> => {
+  const user = await $admin.user.getByEmail(email);
+  if (!user) return;
 
   const data = {
-    sub: id.toString(),
-    "https://hasura.io/jwt/claims": hasura,
+    sub: user.id.toString(),
+    "https://hasura.io/jwt/claims": generateHasuraClaimsForUser(user),
   };
 
   const jwt = sign(data, process.env.JWT_SECRET!);
   return jwt;
 };
+
+const generateHasuraClaimsForUser = (user: User) => ({
+  "x-hasura-allowed-roles": getAllowedRolesForUser(user),
+  "x-hasura-default-role": getDefaultRoleForUser(user),
+  "x-hasura-user-id": user.id.toString(),
+});
+
+/**
+ * Get all possible roles for this user
+ * Requests made outside this scope will not be authorised by Hasura
+ */
+const getAllowedRolesForUser = (user: User): Role[] => {
+  const teamRoles = user.teams.map((teamRole) => teamRole.role);
+  const allowedRoles: Role[] = [
+    "public", // Allow public access
+    "teamEditor", // Least privileged role for authenticated users - required for Editor access
+    ...teamRoles, // User specific roles
+  ];
+  if (user.isPlatformAdmin) allowedRoles.push("platformAdmin");
+
+  return [...new Set(allowedRoles)];
+};
+
+/**
+ * The default role is used for all requests
+ * Can be overwritten on a per-request basis in the client using the x-hasura-role header
+ * set to a role in the x-hasura-allowed-roles list
+ *
+ * This is the role of least privilege for the user
+ */
+const getDefaultRoleForUser = (user: User): Role => {
+  return user.isPlatformAdmin ? "platformAdmin" : "teamEditor";
+};
diff --git a/api.planx.uk/modules/auth/strategy/google.ts b/api.planx.uk/modules/auth/strategy/google.ts
@@ -9,6 +9,8 @@ export const googleStrategy = new GoogleStrategy(
   },
   async function (_accessToken, _refreshToken, profile, done) {
     const { email } = profile._json;
+    if (!email) throw Error("Unable to authenticate without email");
+
     const jwt = await buildJWT(email);
 
     if (!jwt) {

diff --git a/api.planx.uk/modules/team/controller.ts b/api.planx.uk/modules/team/controller.ts
@@ -12,7 +12,7 @@ export const upsertMemberSchema = z.object({
   }),
   body: z.object({
     userId: z.number(),
-    role: z.enum(["teamAdmin", "teamViewer"]),
+    role: z.enum(["teamEditor", "teamViewer"]),
   }),
 });
 

diff --git a/api.planx.uk/modules/team/docs.yaml b/api.planx.uk/modules/team/docs.yaml
@@ -21,7 +21,7 @@ components:
           example: 123
         role:
           type: string
-          enum: ["teamViewer", "teamAdmin"]
+          enum: ["teamViewer", "teamEditor"]
 paths:
   /team/{teamId}/add-member:
     put:

diff --git a/api.planx.uk/modules/team/index.test.ts b/api.planx.uk/modules/team/index.test.ts
@@ -57,7 +57,7 @@ describe("Adding a user to a team", () => {
       });
   });
 
-  it("validates that role must one an accepted value", async () => {
+  it("validates that role must be an accepted value", async () => {
     await supertest(app)
       .put("/team/123/add-member")
       .set(authHeader())
@@ -80,7 +80,7 @@ describe("Adding a user to a team", () => {
       .set(authHeader())
       .send({
         userId: 123,
-        role: "teamAdmin",
+        role: "teamEditor",
       })
       .expect(500)
       .then((res) => {
@@ -98,7 +98,7 @@ describe("Adding a user to a team", () => {
       .set(authHeader())
       .send({
         userId: 123,
-        role: "teamAdmin",
+        role: "teamEditor",
       })
       .expect(200)
       .then((res) => {
@@ -156,7 +156,7 @@ describe("Removing a user from a team", () => {
       .set(authHeader())
       .send({
         userId: 123,
-        role: "teamAdmin",
+        role: "teamEditor",
       })
       .expect(200)
       .then((res) => {
@@ -173,7 +173,7 @@ describe("Changing a user's role", () => {
       .patch("/team/123/change-member-role")
       .send({
         userId: 123,
-        role: "teamAdmin",
+        role: "teamEditor",
       })
       .expect(401);
   });
@@ -183,7 +183,7 @@ describe("Changing a user's role", () => {
       .patch("/team/123/change-member-role")
       .set(authHeader())
       .send({
-        role: "teamAdmin",
+        role: "teamEditor",
       })
       .expect(400)
       .then((res) => {
@@ -229,7 +229,7 @@ describe("Changing a user's role", () => {
       .set(authHeader())
       .send({
         userId: 123,
-        role: "teamAdmin",
+        role: "teamEditor",
       })
       .expect(500)
       .then((res) => {
@@ -247,7 +247,7 @@ describe("Changing a user's role", () => {
       .set(authHeader())
       .send({
         userId: 123,
-        role: "teamAdmin",
+        role: "teamEditor",
       })
       .expect(200)
       .then((res) => {

diff --git a/api.planx.uk/package.json b/api.planx.uk/package.json
@@ -4,7 +4,7 @@
   "private": true,
   "dependencies": {
     "@airbrake/node": "^2.1.8",
-    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#f6fcac9",
+    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#4e3d09f",
     "@types/isomorphic-fetch": "^0.0.36",
     "adm-zip": "^0.5.10",
     "aws-sdk": "^2.1441.0",

diff --git a/api.planx.uk/pnpm-lock.yaml b/api.planx.uk/pnpm-lock.yaml
diff --git a/api.planx.uk/tests/mockJWT.js b/api.planx.uk/tests/mockJWT.js
@@ -4,8 +4,8 @@ function getJWT(userId) {
   const data = {
     sub: String(userId),
     "https://hasura.io/jwt/claims": {
-      "x-hasura-allowed-roles": ["admin"],
-      "x-hasura-default-role": "admin",
+      "x-hasura-allowed-roles": ["platformAdmin", "public"],
+      "x-hasura-default-role": "platformAdmin",
       "x-hasura-user-id": String(userId),
     },
   };

diff --git a/e2e/tests/api-driven/package.json b/e2e/tests/api-driven/package.json
@@ -6,7 +6,7 @@
   },
   "dependencies": {
     "@cucumber/cucumber": "^9.3.0",
-    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#f6fcac9",
+    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#4e3d09f",
     "axios": "^1.4.0",
     "dotenv": "^16.3.1",
     "dotenv-expand": "^10.0.0",

diff --git a/e2e/tests/api-driven/pnpm-lock.yaml b/e2e/tests/api-driven/pnpm-lock.yaml
diff --git a/e2e/tests/ui-driven/package.json b/e2e/tests/ui-driven/package.json
@@ -8,7 +8,7 @@
     "postinstall": "./install-dependencies.sh"
   },
   "dependencies": {
-    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#f6fcac9",
+    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#4e3d09f",
     "axios": "^1.4.0",
     "dotenv": "^16.3.1",
     "eslint": "^8.44.0",

diff --git a/e2e/tests/ui-driven/pnpm-lock.yaml b/e2e/tests/ui-driven/pnpm-lock.yaml
diff --git a/e2e/tests/ui-driven/src/context.ts b/e2e/tests/ui-driven/src/context.ts
@@ -108,8 +108,8 @@ export function generateAuthenticationToken(userId) {
     {
       sub: `${userId}`,
       "https://hasura.io/jwt/claims": {
-        "x-hasura-allowed-roles": ["admin"],
-        "x-hasura-default-role": "admin",
+        "x-hasura-allowed-roles": ["platformAdmin", "public"],
+        "x-hasura-default-role": "platformAdmin",
         "x-hasura-user-id": `${userId}`,
       },
     },

diff --git a/e2e/tests/ui-driven/src/utils.ts b/e2e/tests/ui-driven/src/utils.ts
@@ -29,8 +29,8 @@ export const getJWT = (userId) => {
   const data = {
     sub: String(userId),
     "https://hasura.io/jwt/claims": {
-      "x-hasura-allowed-roles": ["admin"],
-      "x-hasura-default-role": "admin",
+      "x-hasura-allowed-roles": ["platformAdmin", "public"],
+      "x-hasura-default-role": "platformAdmin",
       "x-hasura-user-id": String(userId),
     },
   };

diff --git a/editor.planx.uk/package.json b/editor.planx.uk/package.json
@@ -14,7 +14,7 @@
     "@mui/styles": "^5.14.5",
     "@mui/utils": "^5.14.5",
     "@opensystemslab/map": "^0.7.5",
-    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#f6fcac9",
+    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#4e3d09f",
     "@tiptap/core": "^2.0.3",
     "@tiptap/extension-bold": "^2.0.3",
     "@tiptap/extension-bubble-menu": "^2.1.6",

diff --git a/editor.planx.uk/pnpm-lock.yaml b/editor.planx.uk/pnpm-lock.yaml
diff --git a/editor.planx.uk/src/lib/graphql.ts b/editor.planx.uk/src/lib/graphql.ts
@@ -1,6 +1,7 @@
 import {
   ApolloClient,
   createHttpLink,
+  DefaultContext,
   from,
   InMemoryCache,
 } from "@apollo/client";
@@ -88,3 +89,13 @@ export const publicClient = new ApolloClient({
   link: from([retryLink, errorLink, publicHttpLink]),
   cache: new InMemoryCache(),
 });
+
+/**
+ * Explicitly connect to Hasura using the "public" role
+ * Allows authenticated users with a different x-hasura-default-role (e.g. teamEditor, platformAdmin) to access public resources
+ */
+export const publicContext: DefaultContext = {
+  headers: {
+    "x-hasura-role": "public"
+  }
+}