Fix/unblock graphql

docs/developer-guide/tutorials/authentication-api.md

@@ -130,9 +130,7 @@ A session can expire:
 
 ## Accessing the GraphQL API
 
-All requests to the GraphQL api should be [authenticated requests](#sessions-and-authenticated-requests), regardless of whether they are queries or mutations.
-
-Of course different requests may still require different privileges, ie. some mutations like `setSupportedCategories` will be only accessible for _root user_ etc., while other mutations may only be accessible for _Gateway account owners_.
+Different requests may still require different privileges, ie. some mutations like `setSupportedCategories` will be only accessible for _root user_ etc., while other mutations may only be accessible for _Gateway account owners_.
 
 ## Authentication API interactions
 
@@ -421,4 +419,4 @@ export DEV_DISABLE_SAME_SITE=true
 
 In order to be able to pass the cookie to Orion's Auth API when making requests from Atlas deployed under different domain, you should specify `credentials: 'include'` option in ApolloClient's `HttpLink` (see: https://www.apollographql.com/docs/react/networking/authentication/).
 
-Similarly, to include the cookie when making requests to the GraphQL API, you should provide `credentials: 'include'` to `fetch`: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#sending_a_request_with_credentials_included
+Similarly, to include the cookie when making requests to the GraphQL API, you should provide `credentials: 'include'` to `fetch`: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#sending_a_request_with_credentials_included

src/auth-server/handlers/createAccount.ts

@@ -82,7 +82,7 @@ export const createAccount: (
         isEmailConfirmed: false,
         registeredAt: new Date(),
         isBlocked: false,
-        userId: authContext.user.id,
+        userId: authContext?.user.id,
         joystreamAccount: joystreamAccountId,
         membershipId: memberId.toString(),
       })

src/auth-server/handlers/getSessionArtifacts.ts

@@ -19,7 +19,7 @@ export const getSessionArtifacts: (
   try {
     const em = await globalEm
     const { authContext: session } = res.locals
-    if (!session.account) {
+    if (!session?.account) {
       throw new UnauthorizedError('Cannot get session artifacts for anonymous session')
     }
     const artifacts = await em

src/auth-server/handlers/logout.ts

@@ -2,6 +2,7 @@ import express from 'express'
 import { AuthContext } from '../../utils/auth'
 import { globalEm } from '../../utils/globalEm'
 import { components } from '../generated/api-types'
+import { BadRequestError } from '../errors'
 
 type ReqParams = Record<string, string>
 type ResBody =
@@ -16,6 +17,9 @@ export const logout: (
 ) => Promise<void> = async (req, res, next) => {
   try {
     const { authContext: session } = res.locals
+    if (!session) {
+      throw new BadRequestError('No session to logout found.')
+    }
     const em = await globalEm
     session.expiry = new Date()
     await em.save(session)

src/auth-server/handlers/postSessionArtifacts.ts

@@ -21,10 +21,13 @@ export const postSessionArtifacts: (
   try {
     const { authContext: session } = res.locals
     const em = await globalEm
+    if (!session?.id) {
+      throw new UnauthorizedError('Cannot save session artifacts for empty session')
+    }
     const existingArtifacts = await em
       .getRepository(SessionEncryptionArtifacts)
       .findOneBy({ sessionId: session.id })
-    if (!session.account) {
+    if (!session?.account) {
       throw new UnauthorizedError('Cannot save session artifacts for anonymous session')
     }
     if (existingArtifacts) {

src/auth-server/index.ts

@@ -3,7 +3,7 @@ import cors from 'cors'
 import * as OpenApiValidator from 'express-openapi-validator'
 import { HttpError } from 'express-openapi-validator/dist/framework/types'
 import path from 'path'
-import { AuthApiError, UnauthorizedError } from './errors'
+import { AuthApiError } from './errors'
 import { createLogger } from '@subsquid/logger'
 import { authenticate, getCorsOrigin } from '../utils/auth'
 import cookieParser from 'cookie-parser'
@@ -19,9 +19,6 @@ export const app = express()
 function authHandler(type: 'header' | 'cookie') {
   return async (req: express.Request) => {
     const authContext = await authenticate(req, type)
-    if (!authContext) {
-      throw new UnauthorizedError()
-    }
     if (req.res) {
       req.res.locals.authContext = authContext
     }

src/server-extension/check.ts

@@ -28,14 +28,11 @@ export const requestCheck: RequestCheckFunction = async (ctx) => {
   const context = ctx.context as Context
 
   const authContext = await authenticate(context.req, 'cookie')
-  if (!authContext) {
-    return 'Unauthorized'
-  }
 
   Object.assign(context, authContext)
 
   if (
-    !authContext.user.isRoot &&
+    (!authContext || !authContext.user.isRoot) &&
     ctx.operation.selectionSet.selections.some(
       (s) => s.kind === 'Field' && autogeneratedOperatorQueries.includes(s.name.value)
     )
@@ -44,7 +41,7 @@ export const requestCheck: RequestCheckFunction = async (ctx) => {
   }
 
   // Set search_path accordingly if it's an operator request
-  if (authContext.user.isRoot) {
+  if (authContext?.user.isRoot) {
     const em = await (context.openreader as unknown as TypeormOpenreaderContext).getEntityManager()
     await em.query('SET LOCAL search_path TO admin,public')
   }

src/server-extension/resolvers/ChannelsResolver/index.ts

@@ -27,7 +27,7 @@ import { ListQuery } from '@subsquid/openreader/lib/sql/query'
 import { model } from '../model'
 import { Context } from '../../check'
 import { uniqueId } from '../../../utils/crypto'
-import { AccountOnly } from '../middleware'
+import { AccountOnly, UserOnly } from '../middleware'
 
 @Resolver()
 export class ChannelsResolver {
@@ -242,6 +242,7 @@ export class ChannelsResolver {
     })
   }
 
+  @UseMiddleware(UserOnly)
   @Mutation(() => ChannelReportInfo)
   async reportChannel(
     @Args() { channelId, rationale }: ReportChannelArgs,

src/server-extension/resolvers/VideosResolver/index.ts

@@ -1,5 +1,5 @@
 import 'reflect-metadata'
-import { Arg, Args, Ctx, Info, Mutation, Query, Resolver } from 'type-graphql'
+import { Arg, Args, Ctx, Info, Mutation, Query, Resolver, UseMiddleware } from 'type-graphql'
 import { EntityManager, MoreThan } from 'typeorm'
 import {
   AddVideoViewResult,
@@ -36,6 +36,7 @@ import { isObject } from 'lodash'
 import { has } from '../../../utils/misc'
 import { videoRelevanceManager } from '../../../mappings/utils'
 import { uniqueId } from '../../../utils/crypto'
+import { UserOnly } from '../middleware'
 
 @Resolver()
 export class VideosResolver {
@@ -184,6 +185,7 @@ export class VideosResolver {
     return result as VideosConnection
   }
 
+  @UseMiddleware(UserOnly)
   @Mutation(() => AddVideoViewResult)
   async addVideoView(
     @Arg('videoId', () => String, { nullable: false }) videoId: string,
@@ -250,6 +252,7 @@ export class VideosResolver {
     })
   }
 
+  @UseMiddleware(UserOnly)
   @Mutation(() => VideoReportInfo)
   async reportVideo(
     @Args() { videoId, rationale }: ReportVideoArgs,

src/server-extension/resolvers/middleware.ts

@@ -2,16 +2,24 @@ import { MiddlewareFn } from 'type-graphql'
 import { Context } from '../check'
 
 export const OperatorOnly: MiddlewareFn<Context> = async ({ context }, next) => {
-  if (!context.user.isRoot) {
+  if (!context?.user.isRoot) {
     throw new Error('Unauthorized: Root access required')
   }
   return next()
 }
 
 export const AccountOnly: MiddlewareFn<Context> = async ({ context }, next) => {
-  if (context.account === null) {
+  if (!context?.account) {
     throw new Error('Unauthorized: Account required')
   }
 
   return next()
 }
+
+export const UserOnly: MiddlewareFn<Context> = async ({ context }, next) => {
+  if (!context?.user) {
+    throw new Error('Unauthorized: User required')
+  }
+
+  return next()
+}

src/utils/auth.ts

@@ -105,7 +105,7 @@ sessionCache.on('expired', (sessionId: string, cachedData: CachedSessionData) =>
   })
 })
 
-export type AuthContext = Session
+export type AuthContext = Session | null
 
 export async function getSessionIdFromHeader(req: Request): Promise<string | undefined> {
   authLogger.trace(`Authorization header: ${JSON.stringify(req.headers.authorization, null, 2)}`)
@@ -121,32 +121,30 @@ export async function getSessionIdFromCookie(req: Request): Promise<string | und
 export async function authenticate(
   req: Request,
   authType: 'cookie' | 'header'
-): Promise<AuthContext | false> {
+): Promise<AuthContext> {
   const em = await globalEm
   const sessionId =
     authType === 'cookie' ? await getSessionIdFromCookie(req) : await getSessionIdFromHeader(req)
-  if (!sessionId) {
-    authLogger.debug(`Recieved a request w/ no sessionId provided. AuthType: ${authType}.`)
-    return false
-  }
-  authLogger.trace(`Authenticating... SessionId: ${sessionId}`)
-
-  const session = await findActiveSession(req, em, { id: sessionId })
-  if (session) {
-    const cachedSessionData = sessionCache.get<CachedSessionData>(sessionId)
-    if (cachedSessionData) {
-      cachedSessionData.lastActivity = new Date()
-      authLogger.trace(
-        `Updated last activity of session ${sessionId} to ${cachedSessionData.lastActivity.toISOString()}`
-      )
-    } else {
-      await tryToProlongSession(session.id, new Date())
+
+  if (sessionId) {
+    authLogger.trace(`Authenticating... SessionId: ${sessionId}`)
+
+    const session = await findActiveSession(req, em, { id: sessionId })
+    if (session) {
+      const cachedSessionData = sessionCache.get<CachedSessionData>(sessionId)
+      if (cachedSessionData) {
+        cachedSessionData.lastActivity = new Date()
+        authLogger.trace(
+          `Updated last activity of session ${sessionId} to ${cachedSessionData.lastActivity.toISOString()}`
+        )
+      } else {
+        await tryToProlongSession(session.id, new Date())
+      }
+      return session
     }
-    return session
   }
-  authLogger.warn(`Cannot authenticate user. Session not found or expired: ${sessionId}`)
-
-  return false
+  authLogger.debug(`Recieved a request w/ no sessionId provided. AuthType: ${authType}.`)
+  return null
 }
 
 export async function getOrCreateSession(