aerogear · darahayes · Jul 5, 2019 · Jul 4, 2019 · Jul 5, 2019 · Jul 5, 2019
diff --git a/package.json b/package.json
@@ -37,11 +37,13 @@
     "@types/keycloak-connect": "4.5.1",
     "@types/node": "10.14.10",
     "@types/pino": "5.20.0",
+    "@types/sinon": "^7.0.13",
     "ava": "2.1.0",
     "coveralls": "3.0.4",
     "express": "^4.17.1",
     "graphql": "14.4.1",
     "nyc": "14.1.1",
+    "sinon": "^7.3.2",
     "ts-node": "8.3.0",
     "tslint": "5.18.0",
     "typescript": "3.5.2"
@@ -52,6 +54,9 @@
   "nyc": {
     "extension": [
       ".ts"
+    ],
+    "include": [
+      "src/**/*.ts"
     ]
   },
   "ava": {

diff --git a/src/AuthContextProvider.ts b/src/AuthContextProvider.ts
@@ -8,7 +8,7 @@ export class KeycloakAuthContextProvider implements AuthContextProvider {
   constructor ({ req }: { req: any }) {
     this.request = req
     this.accessToken = (req && req.kauth && req.kauth.grant) ? req.kauth.grant.access_token : undefined
-    this.authenticated = !!((req && req.kauth && req.kauth.grant) ? req.kauth.grant.access_token : undefined)
+    this.authenticated = this.accessToken && !this.accessToken.isExpired()
   }
 
   public isAuthenticated (): boolean {

diff --git a/src/KeycloakSecurityService.ts b/src/KeycloakSecurityService.ts
@@ -33,7 +33,8 @@ export class KeycloakSecurityService implements SecurityService {
   }
 
   public getTypeDefs(): string {
-    return 'directive @hasRole(role: [String]) on FIELD | FIELD_DEFINITION'
+    return `directive @hasRole(role: [String]) on FIELD | FIELD_DEFINITION
+    directive @auth on FIELD | FIELD_DEFINITION`
   }
 
   public getSchemaDirectives (): SchemaDirectives {

diff --git a/src/schemaDirectives/auth.ts b/src/schemaDirectives/auth.ts
@@ -0,0 +1,22 @@
+import { defaultFieldResolver, GraphQLSchema } from 'graphql'
+import { SchemaDirectiveVisitor } from 'graphql-tools'
+import { directiveResolvers } from './directiveResolvers'
+import { VisitableSchemaType } from 'graphql-tools/dist/schemaVisitor'
+
+export class AuthDirective extends SchemaDirectiveVisitor {
+
+  constructor (config: {
+      name: string
+      visitedType: VisitableSchemaType
+      schema: GraphQLSchema
+      context: { [key: string]: any }
+    }) {
+    // see https://github.com/apollographql/graphql-tools/issues/837
+    super(config as any)
+  }
+
+  public visitFieldDefinition (field: any) {
+    const { resolve = defaultFieldResolver } = field
+    field.resolve = directiveResolvers.auth(resolve)
+  }
+}
diff --git a/src/schemaDirectives/directiveResolvers.ts b/src/schemaDirectives/directiveResolvers.ts
@@ -0,0 +1,25 @@
+export const directiveResolvers = {
+  auth: (next: Function) => (root: any, args: any, context: any, info: any) => {
+    if (!context.auth || !context.auth.isAuthenticated()) {
+      throw new Error(`User not Authenticated`)
+    }
+    return next(root, args, context, info)
+  },
+  hasRole: (roles: Array<string>) => (next: Function) => (root: any, args: any, context: any, info: any) => {
+    if (!context.auth || !context.auth.isAuthenticated()) {
+      throw new Error(`User not Authenticated`)
+    }
+
+    let foundRole = null // this will be the role the user was successfully authorized on
+
+    foundRole = roles.find((role: string) => {
+      return context.auth.hasRole(role)
+    })
+
+    if (!foundRole) {
+      throw new Error(`User is not authorized. Must have one of the following roles: [${roles}]`)
+    }
+
+    return next(root, args, context, info)
+  }
+}
diff --git a/src/schemaDirectives/hasRole.ts b/src/schemaDirectives/hasRole.ts
@@ -1,13 +1,9 @@
-import { ForbiddenError } from 'apollo-server-express'
 import { defaultFieldResolver, GraphQLSchema } from 'graphql'
 import { SchemaDirectiveVisitor } from 'graphql-tools'
 import Joi from 'joi'
-import pino from 'pino' // also need to figure out where this comes from
-
+import { directiveResolvers } from './directiveResolvers'
 import { VisitableSchemaType } from 'graphql-tools/dist/schemaVisitor'
 
-const log = pino()
-
 export class HasRoleDirective extends SchemaDirectiveVisitor {
 
   constructor (config: {
@@ -25,41 +21,12 @@ export class HasRoleDirective extends SchemaDirectiveVisitor {
     const { resolve = defaultFieldResolver } = field
     const { error, value } = this.validateArgs()
     if (error) {
-      log.error(`Invalid hasRole directive on field ${field.name}`, error)
       throw error
     }
 
     const { roles } = value
 
-    field.resolve = async function (root: any, args: any, context: any, info: any) {
-      log.info(`checking user is authorized to access ${field.name} on parent ${info.parentType.name}. Must have one of [${roles}]`)
-
-      if (!context.auth || !context.auth.isAuthenticated()) {
-        const AuthorizationErrorMessage = `Unable to find authentication. Authorization is required for field ${field.name} on parent ${info.parentType.name}. Must have one of the following roles: [${roles}]`
-        log.error({ error: AuthorizationErrorMessage })
-        throw new ForbiddenError(AuthorizationErrorMessage)
-      }
-
-      const token = context.auth.accessToken
-
-      let foundRole = null // this will be the role the user was successfully authorized on
-
-      foundRole = roles.find((role: string) => {
-        return context.auth.hasRole(role)
-      })
-
-      if (!foundRole) {
-        const AuthorizationErrorMessage = `user is not authorized for field ${field.name} on parent ${info.parentType.name}. Must have one of the following roles: [${roles}]`
-        log.error({ error: AuthorizationErrorMessage, details: token.content })
-        throw new ForbiddenError(AuthorizationErrorMessage)
-      }
-
-      log.info(`user successfully authorized with role: ${foundRole}`)
-
-      // Return appropriate error if this is false
-      const result = await resolve.apply(this, [root, args, context, info])
-      return result
-    }
+    field.resolve = directiveResolvers.hasRole(roles)(resolve)
   }
 
   public validateArgs () {

diff --git a/src/schemaDirectives/index.ts b/src/schemaDirectives/index.ts
@@ -1,5 +1,7 @@
 import { HasRoleDirective } from './hasRole'
+import { AuthDirective } from './auth'
 
 export const schemaDirectives = {
+  auth: AuthDirective,
   hasRole: HasRoleDirective
 }
diff --git a/test/AuthContextProvider.test.ts b/test/AuthContextProvider.test.ts
@@ -0,0 +1,106 @@
+import test from 'ava'
+
+import { KeycloakAuthContextProvider } from '../src/AuthContextProvider'
+
+test('AuthContextProvider accessToken is the access_token in req.kauth', (t) => {
+
+  const req = {
+    kauth: {
+      grant: {
+        access_token: {
+          hasRole: (role: string) => {
+            return true
+          },
+          isExpired: () => {
+            return false
+          }
+        }
+      }
+    }
+  }
+
+  const provider = new KeycloakAuthContextProvider({ req })
+  t.deepEqual(provider.accessToken, req.kauth.grant.access_token)
+})
+
+test('AuthContextProvider hasRole calls hasRole in the access_token', (t) => {
+  t.plan(2)
+  const req = {
+    kauth: {
+      grant: {
+        access_token: {
+          hasRole: (role: string) => {
+            t.pass()
+            return true
+          },
+          isExpired: () => {
+            return false
+          }
+        }
+      }
+    }
+  }
+
+  const provider = new KeycloakAuthContextProvider({ req })
+  t.truthy(provider.hasRole(''))
+})
+
+test('AuthContextProvider.isAuthenticated is true when token is defined and isExpired returns false', (t) => {
+  const req = {
+    kauth: {
+      grant: {
+        access_token: {
+          hasRole: (role: string) => {
+            return true
+          },
+          isExpired: () => {
+            return false
+          }
+        }
+      }
+    }
+  }
+
+  const provider = new KeycloakAuthContextProvider({ req })
+  t.truthy(provider.isAuthenticated())
+})
+
+test('AuthContextProvider.isAuthenticated is false when token is defined but isExpired returns true', (t) => {
+  const req = {
+    kauth: {
+      grant: {
+        access_token: {
+          hasRole: (role: string) => {
+            return true
+          },
+          isExpired: () => {
+            return true
+          }
+        }
+      }
+    }
+  }
+
+  const provider = new KeycloakAuthContextProvider({ req })
+  t.false(provider.isAuthenticated())
+})
+
+test('AuthContextProvider.hasRole is false if token is expired', (t) => {
+  const req = {
+    kauth: {
+      grant: {
+        access_token: {
+          hasRole: (role: string) => {
+            return true
+          },
+          isExpired: () => {
+            return true
+          }
+        }
+      }
+    }
+  }
+
+  const provider = new KeycloakAuthContextProvider({ req })
+  t.false(provider.hasRole(''))
+})