From 30ffe0160e51e34359561c19f3cdc9961753381b Mon Sep 17 00:00:00 2001
From: Weiko
Date: Fri, 3 May 2024 10:30:47 +0200
Subject: [PATCH] Fix token validation on graphql IntrospectionQuery (#5255)

## Context

We recently introduced a change that now throws a 401 if the token is invalid or expired. The first implementation is using an allow list and 'IntrospectionQuery' was missing so the playground was broken. The check has been updated and we now only check the excludedOperations list if a token is not present. This is because some operations can be both used as loggedIn and loggedOut so we want to validate the token for those sometimes (and set the workspace, user, cache version, etc). Still not a very clean solution imho.
---
 .../src/engine/middlewares/user-workspace.middleware.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/packages/twenty-server/src/engine/middlewares/user-workspace.middleware.ts b/packages/twenty-server/src/engine/middlewares/user-workspace.middleware.ts
index a45c6f6fce5..eb7f36b8328 100644
--- a/packages/twenty-server/src/engine/middlewares/user-workspace.middleware.ts
+++ b/packages/twenty-server/src/engine/middlewares/user-workspace.middleware.ts
@@ -14,6 +14,7 @@ export class UserWorkspaceMiddleware implements NestMiddleware {
   async use(req: Request, res: Response, next: NextFunction) {

     const body = req.body;
+
     const excludedOperations = [
       'GetClientConfig',
       'GetCurrentUser',
@@ -24,12 +25,12 @@ export class UserWorkspaceMiddleware implements NestMiddleware {
       'Verify',
       'SignUp',
       'RenewToken',
+      'IntrospectionQuery',
     ];

     if (
-      body &&
-      body.operationName &&
-      excludedOperations.includes(body.operationName)
+      !this.tokenService.isTokenPresent(req) &&
+      (!body?.operationName || excludedOperations.includes(body.operationName))
     ) {
       return next();
     }
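Review bot: The rewritten condition in the second hunk lets a request with no token and no `operationName` skip the middleware entirely, because `!body?.operationName` is true for an unnamed operation or a missing body, whereas before this change such a request fell through to token validation; the allow list no longer bounds the bypass. If only the listed operations are meant to be exempt, keep the list strict: `!this.tokenService.isTokenPresent(req) && body?.operationName && excludedOperations.includes(body.operationName)`. Conversely, a listed operation sent with a present-but-expired token (RenewToken looks like the obvious case) is no longer exempt and presumably now reaches the 401 path, which seems worth confirming against the client's renew flow. A one-line comment above the `if`, `// Skip validation only for unauthenticated requests on operations that are safe anonymously`, would make the precedence of the two clauses easier to read. The body of use() continues past the end of the hunk.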