breaking: remove SecurityService interface

aerogear · Jul 5, 2019 · 6b82d5e · 6b82d5e
1 parent ea4bcd8
commit 6b82d5e
Show file tree

Hide file tree

Showing 17 changed files with 106 additions and 316 deletions.
diff --git a/src/KeycloakSecurityService.ts b/src/KeycloakSecurityService.ts
diff --git a/src/KeycloakSubscriptionHandler.ts b/src/KeycloakSubscriptionHandler.ts
@@ -0,0 +1,45 @@
+import { Token } from './KeycloakToken'
+import { KeycloakSubscriptionHandlerOptions } from './api'
+
+export class KeycloakSubscriptionHandler {
+
+  public readonly keycloakConfig: any
+  public readonly schemaDirectives: any
+  public readonly authContextProvider: any
+  public keycloak: any
+
+  constructor (options: KeycloakSubscriptionHandlerOptions) {
+    if (!options.keycloak) {
+      throw new Error('missing keycloak instance in options')
+    }
+    this.keycloak = options.keycloak
+  }
+
+  public async onSubscriptionConnect(connectionParams: any, webSocket: any, context: any): Promise<any> {
+    if (!connectionParams || typeof connectionParams !== 'object') {
+      throw new Error('Access Denied - missing connection parameters for Authentication')
+    }
+    const header = connectionParams.Authorization
+                  || connectionParams.authorization
+                  || connectionParams.Auth
+                  || connectionParams.auth
+    const clientId = connectionParams.clientId
+    if (!header) {
+      throw new Error('Access Denied - missing Authorization field in connection parameters')
+    }
+    const token = this.getBearerTokenFromHeader(header, clientId)
+    try {
+      await this.keycloak.grantManager.validateToken(token, 'Bearer')
+      return token
+    } catch (e) {
+      throw new Error(`Access Denied - ${e}`)
+    }
+  }
+
+  private getBearerTokenFromHeader(header: any, clientId?: string) {
+    if (header && typeof header === 'string' && (header.indexOf('bearer ') === 0 || header.indexOf('Bearer ') === 0)) {
+      const token = header.substring(7)
+      return new Token(token, clientId)
+    }
+  }
+}
diff --git a/src/api/ApplyAuthMiddlewareOptions.ts b/src/api/ApplyAuthMiddlewareOptions.ts
diff --git a/src/api/DefaultSecurityService.ts b/src/api/DefaultSecurityService.ts
diff --git a/src/api/KeycloakSecurityServiceOptions.ts b/src/api/KeycloakSecurityServiceOptions.ts
diff --git a/src/api/KeycloakSubscriptionHandlerOptions.ts b/src/api/KeycloakSubscriptionHandlerOptions.ts
@@ -0,0 +1,3 @@
+export interface KeycloakSubscriptionHandlerOptions {
+  keycloak: any
+}
diff --git a/src/api/SecurityService.ts b/src/api/SecurityService.ts
diff --git a/src/api/index.ts b/src/api/index.ts
@@ -1,7 +1,3 @@
-export * from './SecurityService'
-export * from './DefaultSecurityService'
 export * from './AuthContextProvider'
-export * from './SecurityService'
-export * from './ApplyAuthMiddlewareOptions'
-export * from './KeycloakSecurityServiceOptions'
+export * from './KeycloakSubscriptionHandlerOptions'
 export * from './SchemaDirectives'
diff --git a/src/directives/directiveResolvers.ts b/src/directives/directiveResolvers.ts
@@ -0,0 +1,24 @@
+export const auth = (next: Function) => (root: any, args: any, context: any, info: any) => {
+  if (!context.auth || !context.auth.isAuthenticated()) {
+    throw new Error(`User not Authenticated`)
+  }
+  return next(root, args, context, info)
+}
+
+export const hasRole = (roles: Array<string>) => (next: Function) => (root: any, args: any, context: any, info: any) => {
+  if (!context.auth || !context.auth.isAuthenticated()) {
+    throw new Error(`User not Authenticated`)
+  }
+
+  let foundRole = null // this will be the role the user was successfully authorized on
+
+  foundRole = roles.find((role: string) => {
+    return context.auth.hasRole(role)
+  })
+
+  if (!foundRole) {
+    throw new Error(`User is not authorized. Must have one of the following roles: [${roles}]`)
+  }
+
+  return next(root, args, context, info)
+}
diff --git a/src/schemaDirectives/index.ts → src/directives/index.ts b/src/schemaDirectives/index.ts → src/directives/index.ts
@@ -1,5 +1,4 @@
-import { HasRoleDirective } from './hasRole'
-import { AuthDirective } from './auth'
+import { HasRoleDirective, AuthDirective } from './schemaDirectiveVisitors'
 
 export const schemaDirectives = {
   auth: AuthDirective,

diff --git a/src/schemaDirectives/hasRole.ts → src/directives/schemaDirectiveVisitors.ts b/src/schemaDirectives/hasRole.ts → src/directives/schemaDirectiveVisitors.ts
@@ -1,9 +1,27 @@
 import { defaultFieldResolver, GraphQLSchema } from 'graphql'
 import { SchemaDirectiveVisitor } from 'graphql-tools'
 import Joi from 'joi'
-import { directiveResolvers } from './directiveResolvers'
+import { auth, hasRole } from './directiveResolvers'
 import { VisitableSchemaType } from 'graphql-tools/dist/schemaVisitor'
 
+export class AuthDirective extends SchemaDirectiveVisitor {
+
+  constructor (config: {
+      name: string
+      visitedType: VisitableSchemaType
+      schema: GraphQLSchema
+      context: { [key: string]: any }
+    }) {
+    // see https://github.com/apollographql/graphql-tools/issues/837
+    super(config as any)
+  }
+
+  public visitFieldDefinition (field: any) {
+    const { resolve = defaultFieldResolver } = field
+    field.resolve = auth(resolve)
+  }
+}
+
 export class HasRoleDirective extends SchemaDirectiveVisitor {
 
   constructor (config: {
@@ -26,7 +44,7 @@ export class HasRoleDirective extends SchemaDirectiveVisitor {
 
     const { roles } = value
 
-    field.resolve = directiveResolvers.hasRole(roles)(resolve)
+    field.resolve = hasRole(roles)(resolve)
   }
 
   public validateArgs () {

diff --git a/src/index.ts b/src/index.ts
@@ -1,2 +1,4 @@
-export * from './KeycloakSecurityService'
+export * from './KeycloakSubscriptionHandler'
+export * from './AuthContextProvider'
+export * from './directives'
 export * from './api'