fix: support builder service account

src/auth/middleware.ts

@@ -10,14 +10,16 @@ export const createContext = async ({ req }): Promise<any> => {
 
   const user: AuthUserType = {
     roles: [],
-    uuid: undefined
+    uuid: undefined,
+    isBuilder: false
   }
 
   const authHeader = String(headers?.authorization ?? '')
   if (authHeader.startsWith('Bearer ')) {
     const token = authHeader.substring(7, authHeader.length).trim()
     const z = await verifyJWT(token)
 
+    user.isBuilder = z?.scope.includes('builder:default')
     user.roles = z?.['https://tacos.openbeta.io/roles'] ?? []
     const uidStr: string | undefined = z?.['https://tacos.openbeta.io/uuid']
     user.uuid = uidStr != null ? muid.from(uidStr) : undefined

src/auth/permissions.ts

@@ -1,9 +1,10 @@
-import { shield, allow } from 'graphql-shield'
-import { isEditor, isUserAdmin } from './rules.js'
+import { shield, allow, or } from 'graphql-shield'
+import { isEditor, isUserAdmin, isOwner, isBuilderServiceAccount } from './rules.js'
 
 const permissions = shield({
   Query: {
-    '*': allow
+    '*': allow,
+    getUserProfile: or(isOwner, isBuilderServiceAccount)
   },
   Mutation: {
     addOrganization: isUserAdmin,
@@ -12,7 +13,8 @@ const permissions = shield({
     addArea: isEditor,
     updateArea: isEditor,
     updateClimbs: isEditor,
-    deleteClimbs: isEditor
+    deleteClimbs: isEditor,
+    updateUserProfile: isOwner
   }
 },
 {

src/auth/rules.ts

@@ -1,9 +1,27 @@
 import { rule } from 'graphql-shield'
+import muuid from 'uuid-mongodb'
 
 export const isEditor = rule()(async (parent, args, ctx, info) => {
-  return (ctx.user.uuid != null) && ctx.user.roles.includes('editor')
+  return _hasUserUuid(ctx) && ctx.user.roles.includes('editor')
 })
 
 export const isUserAdmin = rule()(async (parent, args, ctx, info) => {
-  return (ctx.user.uuid != null) && ctx.user.roles.includes('user_admin')
+  return _hasUserUuid(ctx) && ctx.user.roles.includes('user_admin')
 })
+
+export const isOwner = rule()(async (parent, args, ctx, info) => {
+  return _hasUserUuid(ctx) && ctx.user.uuid === muuid.from(args.userUuid)
+})
+
+export const isBuilderServiceAccount = rule()(async (parent, args, ctx: Context, info) => {
+  return _hasUserUuid(ctx) && ctx.user.isBuilder
+})
+
+interface Context {
+  user: {
+    uuid?: string
+    isBuilder: boolean
+  }
+}
+
+const _hasUserUuid = (ctx: Context): boolean => ctx.user.uuid != null

src/graphql/user/UserQueries.ts

@@ -1,5 +1,5 @@
 import muuid from 'uuid-mongodb'
-import { DataSourcesType } from '../../types'
+import { DataSourcesType, ContextWithAuth } from '../../types'
 import { GetUsernameReturn, User } from '../../db/UserTypes'
 
 const UserQueries = {
@@ -9,7 +9,7 @@ const UserQueries = {
     return await users.getUsername(uuid)
   },
 
-  getUserProfile: async (_, { userUuid }, { dataSources }): Promise<User | null> => {
+  getUserProfile: async (_, { userUuid }, { dataSources }: ContextWithAuth): Promise<User | null> => {
     const { users }: DataSourcesType = dataSources
     const uuid = muuid.from(userUuid)
     return await users.getUserProfile(uuid)

src/model/UserDataSource.ts

@@ -156,7 +156,7 @@ const regUsernameKeywords = /openbeta|0penbeta|admin/i
  * @param username
  * @returns true if has valid format
  */
-export const isValidUsername = (username: string): boolean => {
+const isValidUsername = (username: string): boolean => {
   return username != null && username.length <= 30 &&
   !regUsernameKeywords.test(username) &&
   regUsername.test(username)
@@ -169,4 +169,4 @@ const isValidUrl = (url: string): boolean => {
   } catch (e) {
     return false
   }
-}
+}

src/types.ts

@@ -87,6 +87,7 @@ export interface QueryByIdType {
 export interface AuthUserType {
   roles: string[]
   uuid: MUUID | undefined
+  isBuilder: boolean
 }
 
 export interface DataSourcesType {