wip:

proofzero · May 30, 2023 · 55a5874 · 55a5874
1 parent d88151c
commit 55a5874
Show file tree

Hide file tree

Showing 9 changed files with 66 additions and 66 deletions.
diff --git a/platform/account/src/context.ts b/platform/account/src/context.ts
@@ -21,8 +21,6 @@ interface CreateInnerContextOptions
   Analytics: AnalyticsEngineDataset
   ServiceDeploymentMetadata: DeploymentMetadata
   account?: DurableObjectStubProxy<Account>
-  JWKS_INTERNAL_URL_BASE: string
-
   // accountURN?: AccountURN
 }
 /**

diff --git a/platform/account/src/types.ts b/platform/account/src/types.ts
@@ -9,7 +9,6 @@ export interface Environment {
   Edges: Fetcher
   Analytics: AnalyticsEngineDataset
   ServiceDeploymentMetadata: DeploymentMetadata
-  JWKS_INTERNAL_URL_BASE: string
 }
 
 // TODO: move to types packages

diff --git a/platform/account/wrangler.toml b/platform/account/wrangler.toml
@@ -22,17 +22,11 @@ analytics_engine_datasets = [
 
 unsafe.bindings = [{ type = "metadata", name = "ServiceDeploymentMetadata" }]
 
-[vars]
-JWKS_INTERNAL_URL_BASE = 'http://127.0.0.1:10001/.well-known/jwks.json'
-
 [dev]
 port = 10201
 inspector_port = 11201
 local_protocol = "http"
 
-[env.dev.vars]
-JWKS_INTERNAL_URL_BASE = "https://passport-dev.pz3r0.com/.well-known/jwks.json"
-
 [env.dev]
 durable_objects.bindings = [{ name = "Account", class_name = "Account" }]
 services = [{ binding = "Edges", service = "edges-dev" }]
@@ -43,9 +37,6 @@ analytics_engine_datasets = [
 
 unsafe.bindings = [{ type = "metadata", name = "ServiceDeploymentMetadata" }]
 
-[env.next.vars]
-JWKS_INTERNAL_URL_BASE = "https://passport-next.pz3r0.com/.well-known/jwks.json"
-
 [env.next]
 durable_objects.bindings = [{ name = "Account", class_name = "Account" }]
 services = [{ binding = "Edges", service = "edges-next" }]
@@ -56,9 +47,6 @@ analytics_engine_datasets = [
 
 unsafe.bindings = [{ type = "metadata", name = "ServiceDeploymentMetadata" }]
 
-[env.current.vars]
-JWKS_INTERNAL_URL_BASE = "https://passport.pz3r0.com/.well-known/jwks.json"
-
 [env.current]
 durable_objects.bindings = [{ name = "Account", class_name = "Account" }]
 services = [{ binding = "Edges", service = "edges-current" }]

diff --git a/platform/address/wrangler.toml b/platform/address/wrangler.toml
@@ -27,7 +27,6 @@ MAX_ATTEMPTS = 5
 DELAY_BETWEEN_REGENERATION_ATTEMPTS_IN_MS = 2_000
 REGENERATION_COOLDOWN_PERIOD_IN_MS = 30_000
 MAX_ATTEMPTS_TIME_PERIOD_IN_MS = 300_000
-JWKS_INTERNAL_URL_BASE = "http://127.0.0.1:10001/.well-known/jwks.json"
 
 [dev]
 port = 10102
@@ -81,7 +80,6 @@ MAX_ATTEMPTS = 5
 DELAY_BETWEEN_REGENERATION_ATTEMPTS_IN_MS = 2_000
 REGENERATION_COOLDOWN_PERIOD_IN_MS = 30_000
 MAX_ATTEMPTS_TIME_PERIOD_IN_MS = 300_000
-JWKS_INTERNAL_URL_BASE = "https://passport-dev.pz3r0.com/.well-known/jwks.json"
 
 [env.next]
 durable_objects.bindings = [{ name = "Address", class_name = "Address" }]
@@ -109,7 +107,6 @@ MAX_ATTEMPTS = 5
 DELAY_BETWEEN_REGENERATION_ATTEMPTS_IN_MS = 30_000
 REGENERATION_COOLDOWN_PERIOD_IN_MS = 600_000
 MAX_ATTEMPTS_TIME_PERIOD_IN_MS = 300_000
-JWKS_INTERNAL_URL_BASE = "https://passport-next.pz3r0.com/.well-known/jwks.json"
 
 [env.current]
 durable_objects.bindings = [{ name = "Address", class_name = "Address" }]
@@ -136,4 +133,3 @@ MAX_ATTEMPTS = 5
 DELAY_BETWEEN_REGENERATION_ATTEMPTS_IN_MS = 30_000
 REGENERATION_COOLDOWN_PERIOD_IN_MS = 600_000
 MAX_ATTEMPTS_TIME_PERIOD_IN_MS = 300_000
-JWKS_INTERNAL_URL_BASE = "https://passport.pz3r0.com/.well-known/jwks.json"
diff --git a/platform/galaxy/src/env.ts b/platform/galaxy/src/env.ts
@@ -15,7 +15,6 @@ export default interface Env {
   Address: Fetcher
   Starbase: Fetcher
   Access: Fetcher
-  JWKS_INTERNAL_URL_BASE: string
 }
 
 export const required = ['Account', 'Address', 'Starbase', 'Access']
diff --git a/platform/galaxy/src/schema/resolvers/account.ts b/platform/galaxy/src/schema/resolvers/account.ts
@@ -10,6 +10,7 @@ import {
   validateApiKey,
   logAnalytics,
   getConnectedAddresses,
+  temporaryConvertToPublic,
   requestLogging,
 } from './utils'
 
@@ -20,7 +21,10 @@ import { ResolverContext } from './common'
 import { PlatformAddressURNHeader } from '@proofzero/types/headers'
 import { getAuthzHeaderConditionallyFromToken } from '@proofzero/utils'
 import type { AccountURN } from '@proofzero/urns/account'
-import { generateTraceContextHeaders } from '@proofzero/packages/platform-middleware/trace'
+import {
+  generateTraceContextHeaders,
+  TraceSpan,
+} from '@proofzero/packages/platform-middleware/trace'
 
 const accountResolvers: Resolvers = {
   Query: {
@@ -154,16 +158,29 @@ const ProfileResolverComposition = {
   'Query.profile': [
     requestLogging(),
     setupContext(),
-    isAuthorized('profile'),
+    validateApiKey(),
+    logAnalytics(),
+  ],
+  'Query.authorizedApps': [
+    requestLogging(),
+    setupContext(),
     validateApiKey(),
     logAnalytics(),
   ],
   'Query.connectedAddresses': [
     requestLogging(),
     setupContext(),
-    // isAuthorized('connected_accounts'),
     validateApiKey(),
     logAnalytics(),
+    temporaryConvertToPublic(),
+  ],
+
+  'Mutation.disconnectAddress': [
+    requestLogging(),
+    setupContext(),
+    validateApiKey(),
+    isAuthorized(),
+    logAnalytics(),
   ],
 }
 

diff --git a/platform/galaxy/src/schema/resolvers/address.ts b/platform/galaxy/src/schema/resolvers/address.ts
@@ -179,29 +179,25 @@ const addressResolvers: Resolvers = {
 
 // TODO: add address middleware
 const AddressResolverComposition = {
-  'Query.account': [
+  'Query.account': [requestLogging(), setupContext(), validateApiKey()],
+  'Query.addressProfile': [requestLogging(), setupContext(), validateApiKey()],
+  'Query.addressProfiles': [requestLogging(), setupContext(), validateApiKey()],
+  'Mutation.updateAddressNickname': [
     requestLogging(),
     setupContext(),
-    isAuthorized('profile'),
     validateApiKey(),
+    isAuthorized(),
   ],
 
-  'Query.addressProfile': [
+  'Mutation.updateConnectedAddressesProperties': [
     requestLogging(),
     setupContext(),
-    isAuthorized('profile'),
-    validateApiKey(),
-  ],
-  'Query.addressProfiles': [
-    requestLogging(),
-    setupContext(),
-    isAuthorized('connected_accounts'),
     validateApiKey(),
+    isAuthorized(),
   ],
   'Mutation.registerSessionKey': [
     requestLogging(),
     setupContext(),
-    isAuthorized('erc_4337'),
     validateApiKey(),
   ],
 }

diff --git a/platform/galaxy/src/schema/resolvers/app.ts b/platform/galaxy/src/schema/resolvers/app.ts
@@ -53,8 +53,20 @@ const appResolvers: Resolvers = {
 }
 
 const AppResolverComposition = {
-  //Leaving this here in case we want to (securely) expose these resolvers
-  //through a scope later
+  'Query.scopes': [
+    requestLogging(),
+    setupContext(),
+    validateApiKey(),
+    isAuthorized(),
+    logAnalytics(),
+  ],
+  'Mutation.revokeAppAuthorization': [
+    requestLogging(),
+    setupContext(),
+    validateApiKey(),
+    isAuthorized(),
+    logAnalytics(),
+  ],
 }
 
 export default composeResolvers(appResolvers, AppResolverComposition)
diff --git a/platform/galaxy/src/schema/resolvers/utils/index.ts b/platform/galaxy/src/schema/resolvers/utils/index.ts
@@ -15,14 +15,13 @@ import {
 
 import { WriteAnalyticsDataPoint } from '@proofzero/packages/platform-clients/analytics'
 
+import { NodeType } from '@proofzero/types/address'
 import {
   generateTraceContextHeaders,
   TraceSpan,
 } from '@proofzero/platform-middleware/trace'
 import type { ApplicationURN } from '@proofzero/urns/application'
 import { ApplicationURNSpace } from '@proofzero/urns/application'
-import { UnauthorizedError } from '@proofzero/errors'
-import { verifyToken } from '@proofzero/utils/token'
 
 // 404: 'USER_NOT_FOUND' as string,
 export function parseJwt(token: string): JWTPayload {
@@ -49,6 +48,7 @@ export const requestLogging =
 export const setupContext = () => (next) => (root, args, context, info) => {
   const jwt = getAuthzTokenFromReq(context.request)
   const apiKey = context.request.headers.get('X-GALAXY-KEY')
+
   const parsedJwt = jwt && parseJwt(jwt)
 
   const accountURN = jwt ? parsedJwt?.sub : undefined
@@ -72,36 +72,31 @@ export const temporaryConvertToPublic =
     return next(root, args, context, info)
   }
 
-export const isAuthorized =
-  (scopeVal?: string) => (next) => async (root, args, context, info) => {
-    if (!context.jwt) {
-      throw new GraphQLError('You are not authenticated!', {
-        extensions: {
-          http: {
-            status: 401,
-          },
+export const isAuthorized = () => (next) => (root, args, context, info) => {
+  if (!context.jwt) {
+    throw new GraphQLError('You are not authenticated!', {
+      extensions: {
+        http: {
+          status: 401,
         },
-      })
-    }
-
-    const jwtPayload = await verifyToken(
-      context.jwt,
-      context.env.JWKS_INTERNAL_URL_BASE
-    )
-    if (scopeVal) {
-      if (!jwtPayload.scope)
-        throw new UnauthorizedError({
-          message: 'No scope found in token',
-        })
-      const scopeArray = (jwtPayload.scope as string).split(' ')
-      if (!scopeArray.includes(scopeVal))
-        throw new UnauthorizedError({
-          message: `Required scope value (${scopeVal}) not found in provided token`,
-        })
-    }
-
-    return next(root, args, context, info)
+      },
+    })
   }
+  if (!isFromCFBinding(context.request)) {
+    // TODO: update to check if user is authorized with authorzation header
+    // Currently, until write scopes are implemented, this middleware will always
+    // return http 403, unless call is coming internally from service binding
+    throw new GraphQLError('You are not authorized!', {
+      extensions: {
+        http: {
+          status: 403,
+        },
+      },
+    })
+  }
+
+  return next(root, args, context, info)
+}
 
 export const validateApiKey =
   () => (next) => async (root, args, context, info) => {