Remove undocumented audiences mechanism

keystonejs · Mar 17, 2020 · a32c845 · a32c845
1 parent d30b749
commit a32c845
Show file tree

Hide file tree

Showing 7 changed files with 8 additions and 65 deletions.
diff --git a/packages/app-admin-ui/index.js b/packages/app-admin-ui/index.js
@@ -66,9 +66,7 @@ class AdminUIApp {
 
     return (
       req.user &&
-      this._isAccessAllowed({ authentication: { item: req.user, listKey: req.authedListKey } }) &&
-      req.session.audiences &&
-      req.session.audiences.includes('admin')
+      this._isAccessAllowed({ authentication: { item: req.user, listKey: req.authedListKey } })
     );
   }
 
@@ -80,8 +78,6 @@ class AdminUIApp {
     // Short-circuit GET requests when the user already signed in (avoids
     // downloading UI bundle, doing a client side redirect, etc)
     app.get(signinPath, (req, res, next) =>
-      // This session is currently authenticated as part of the 'admin'
-      // audience.
       this.isAccessAllowed(req) ? res.redirect(this.adminPath) : next()
     );
 

diff --git a/packages/app-graphql/index.js b/packages/app-graphql/index.js
@@ -1,5 +1,4 @@
 const express = require('express');
-const { restrictAudienceMiddleware } = require('@keystonejs/session');
 const { GraphQLPlaygroundApp } = require('@keystonejs/app-graphql-playground');
 const { createApolloServer } = require('./lib/apolloServer');
 const validation = require('./validation');
@@ -22,10 +21,6 @@ class GraphQLApp {
    */
   prepareMiddleware({ keystone, dev }) {
     const server = createApolloServer(keystone, this._apollo, this._schemaName, dev);
-    // GraphQL API always exists independent of any adminUI or Session
-    // settings We currently make the admin UI public. In the future we want
-    // to be able to restrict this to a limited audience, while setting up a
-    // separate public API with much stricter access control.
     const apiPath = this._apiPath;
     const graphiqlPath = this._graphiqlPath;
     const app = express();
@@ -40,9 +35,6 @@ class GraphQLApp {
 
     // { cors: false } - prevent ApolloServer from overriding Keystone's CORS configuration.
     // https://www.apollographql.com/docs/apollo-server/api/apollo-server.html#ApolloServer-applyMiddleware
-    // This probably isn't the right place to put this restriction middleware. -TL
-    const restrict = restrictAudienceMiddleware({ isPublic: true });
-    app.use(apiPath, restrict);
     app.use(server.getMiddleware({ path: apiPath, cors: false }));
     return app;
   }

diff --git a/packages/auth-passport/lib/Passport.js b/packages/auth-passport/lib/Passport.js
@@ -506,12 +506,9 @@ class PassportAuthStrategy {
   }
 
   async _authenticateItem(item, accessToken, isNewItem, req, res, next) {
-    const audiences = ['admin'];
-
     const token = await startAuthedSession(
       req,
       { item, list: this._getList() },
-      audiences,
       this._cookieSecret
     );
     this._onAuthenticated({ token, item, isNewItem }, req, res, next);

diff --git a/packages/keystone/lib/Keystone/index.js b/packages/keystone/lib/Keystone/index.js
@@ -222,8 +222,8 @@ module.exports = class Keystone {
 
     return {
       schemaName,
-      startAuthedSession: ({ item, list }, audiences) =>
-        startAuthedSession(req, { item, list }, audiences, this._cookieSecret),
+      startAuthedSession: ({ item, list }) =>
+        startAuthedSession(req, { item, list }, this._cookieSecret),
       endAuthedSession: endAuthedSession.bind(null, req),
       authedItem: req.user,
       authedListKey: req.authedListKey,

diff --git a/packages/keystone/lib/providers/listAuth.js b/packages/keystone/lib/providers/listAuth.js
@@ -109,18 +109,13 @@ class ListAuthProvider {
     const gqlName = this.gqlNames.authenticateMutationName;
     this.checkAccess(context, 'mutation', { gqlName });
 
-    // This is currently hard coded to enable authenticating with the admin UI.
-    // In the near future we will set up the admin-ui application and api to be
-    // non-public.
-    const audiences = ['admin'];
-
     // Verify incoming details
     const { item, success, message } = await this.authStrategy.validate(args);
     if (!success) {
       throw new Error(message);
     }
 
-    const token = await context.startAuthedSession({ item, list: this.list }, audiences);
+    const token = await context.startAuthedSession({ item, list: this.list });
     return { token, item };
   }
 

diff --git a/packages/session/index.js b/packages/session/index.js
@@ -1,13 +1,3 @@
-const {
-  commonSessionMiddleware,
-  restrictAudienceMiddleware,
-  startAuthedSession,
-  endAuthedSession,
-} = require('./lib/session');
+const { commonSessionMiddleware, startAuthedSession, endAuthedSession } = require('./lib/session');
 
-module.exports = {
-  commonSessionMiddleware,
-  restrictAudienceMiddleware,
-  startAuthedSession,
-  endAuthedSession,
-};
+module.exports = { commonSessionMiddleware, startAuthedSession, endAuthedSession };
diff --git a/packages/session/lib/session.js b/packages/session/lib/session.js
@@ -90,39 +90,17 @@ function populateAuthedItemMiddleware(keystone) {
     }
     req.user = item;
     req.authedListKey = list.key;
-    req.audiences = req.session.audiences;
 
     next();
   };
 }
 
-function restrictAudienceMiddleware({ isPublic, audiences }) {
-  return (req, res, next) => {
-    if (isPublic) {
-      // If the session restriction is marked public, we let everything through.
-      next();
-    } else if (
-      req.audiences &&
-      audiences &&
-      Array.isArray(audiences) &&
-      req.audiences.some(audience => audiences.includes(audience))
-    ) {
-      // Otherwise, if one of the session audiences matches one of the restriction audiences, we let them through.
-      next();
-    } else {
-      // If the don't make it through, we simply respond with a 403 Permission Denied
-      res.status(403).send();
-    }
-  };
-}
-
-function startAuthedSession(req, { item, list }, audiences, cookieSecret) {
+function startAuthedSession(req, { item, list }, cookieSecret) {
   return new Promise((resolve, reject) =>
     req.session.regenerate(err => {
       if (err) return reject(err);
       req.session.keystoneListKey = list.key;
       req.session.keystoneItemId = item.id;
-      req.session.audiences = audiences;
       resolve(cookieSignature.sign(req.session.id, cookieSecret));
     })
   );
@@ -137,9 +115,4 @@ function endAuthedSession(req) {
   );
 }
 
-module.exports = {
-  commonSessionMiddleware,
-  restrictAudienceMiddleware,
-  startAuthedSession,
-  endAuthedSession,
-};
+module.exports = { commonSessionMiddleware, startAuthedSession, endAuthedSession };