chore: cleanup authorization code (#6736)

Author: n1ru4l

codegen.mts

@@ -36,10 +36,9 @@ const config: CodegenConfig = {
             ProjectType: '../shared/entities#ProjectType',
             NativeFederationCompatibilityStatus:
               '../shared/entities#NativeFederationCompatibilityStatus',
-            TargetAccessScope: '../modules/auth/providers/target-access#TargetAccessScope',
-            ProjectAccessScope: '../modules/auth/providers/project-access#ProjectAccessScope',
-            OrganizationAccessScope:
-              '../modules/auth/providers/organization-access#OrganizationAccessScope',
+            TargetAccessScope: '../modules/auth/providers/scopes#TargetAccessScope',
+            ProjectAccessScope: '../modules/auth/providers/scopes#ProjectAccessScope',
+            OrganizationAccessScope: '../modules/auth/providers/scopes#OrganizationAccessScope',
             SupportTicketPriority: '../shared/entities#SupportTicketPriority',
             SupportTicketStatus: '../shared/entities#SupportTicketStatus',
           },

packages/services/api/src/modules/auth/index.ts

@@ -1,10 +1,7 @@
 import { createModule } from 'graphql-modules';
 import { AuditLogManager } from '../audit-logs/providers/audit-logs-manager';
 import { AuthManager } from './providers/auth-manager';
-import { OrganizationAccess } from './providers/organization-access';
 import { OrganizationAccessTokenValidationCache } from './providers/organization-access-token-validation-cache';
-import { ProjectAccess } from './providers/project-access';
-import { TargetAccess } from './providers/target-access';
 import { UserManager } from './providers/user-manager';
 import { resolvers } from './resolvers.generated';
 import typeDefs from './module.graphql';
@@ -14,13 +11,5 @@ export const authModule = createModule({
   dirname: __dirname,
   typeDefs,
   resolvers,
-  providers: [
-    AuthManager,
-    UserManager,
-    OrganizationAccess,
-    ProjectAccess,
-    TargetAccess,
-    AuditLogManager,
-    OrganizationAccessTokenValidationCache,
-  ],
+  providers: [AuthManager, UserManager, AuditLogManager, OrganizationAccessTokenValidationCache],
 });

packages/services/api/src/modules/auth/lib/authz.spec.ts

@@ -15,6 +15,10 @@ class TestSession extends Session {
   ): Promise<Array<AuthorizationPolicyStatement>> | Array<AuthorizationPolicyStatement> {
     return this.policyStatements;
   }
+
+  getActor(): Promise<never> {
+    throw new Error('Not implemented');
+  }
 }
 
 describe('Session.assertPerformAction', () => {

packages/services/api/src/modules/auth/lib/authz.ts

@@ -5,6 +5,7 @@ import type { User } from '../../../shared/entities';
 import { AccessError } from '../../../shared/errors';
 import { objectEntries, objectFromEntries } from '../../../shared/helpers';
 import { isUUID } from '../../../shared/is-uuid';
+import type { OrganizationAccessToken } from '../../organization/providers/organization-access-tokens';
 import { Logger } from '../../shared/providers/logger';
 
 export type AuthorizationPolicyStatement = {
@@ -47,6 +48,18 @@ function parseResourceIdentifier(resource: string) {
   return { organizationId, resourceId: parts[2] };
 }
 
+export type UserActor = {
+  type: 'user';
+  user: User;
+};
+
+export type OrganizationAccessTokenActor = {
+  type: 'organizationAccessToken';
+  organizationAccessToken: OrganizationAccessToken;
+};
+
+type Actor = UserActor | OrganizationAccessTokenActor;
+
 /**
  * Abstract session class that is implemented by various ways to identify a session.
  * A session is a way to identify a user and their permissions for a specific organization.
@@ -75,8 +88,21 @@ export abstract class Session {
   abstract readonly id: string;
 
   /** Retrieve the current viewer. Implementations of the session need to implement this function */
-  public getViewer(): Promise<User> {
-    throw new AccessError('Authorization token is missing', 'UNAUTHENTICATED');
+  public abstract getActor(): Promise<Actor>;
+
+  /**
+   * Retrieve the Viewer of the session.
+   * A viewer can only be a {User} aka {SuperTokensSessions{}.
+   * If the session does not have a user an exception is raised.
+   */
+  public async getViewer(): Promise<User> {
+    const actor = await this.getActor();
+
+    if (actor.type !== 'user') {
+      throw new AccessError('Only authenticated users can perform this action.');
+    }
+
+    return actor.user;
   }
 
   public isViewer(): boolean {
@@ -498,6 +524,10 @@ class UnauthenticatedSession extends Session {
     return [];
   }
   id = 'noop';
+
+  public getActor(): Promise<Actor> {
+    throw new AccessError('Authorization token is missing', 'UNAUTHENTICATED');
+  }
 }
 
 /**

packages/services/api/src/modules/auth/lib/organization-access-token-strategy.ts

@@ -1,10 +1,16 @@
 import * as crypto from 'node:crypto';
 import { type FastifyReply, type FastifyRequest } from '@hive/service-common';
 import * as OrganizationAccessKey from '../../organization/lib/organization-access-key';
+import type { OrganizationAccessToken } from '../../organization/providers/organization-access-tokens';
 import { OrganizationAccessTokensCache } from '../../organization/providers/organization-access-tokens-cache';
 import { Logger } from '../../shared/providers/logger';
 import { OrganizationAccessTokenValidationCache } from '../providers/organization-access-token-validation-cache';
-import { AuthNStrategy, AuthorizationPolicyStatement, Session } from './authz';
+import {
+  AuthNStrategy,
+  AuthorizationPolicyStatement,
+  OrganizationAccessTokenActor,
+  Session,
+} from './authz';
 
 function hashToken(token: string) {
   return crypto.createHash('sha256').update(token).digest('hex');
@@ -13,13 +19,15 @@ function hashToken(token: string) {
 export class OrganizationAccessTokenSession extends Session {
   public readonly organizationId: string;
   private policies: Array<AuthorizationPolicyStatement>;
+  private organizationAccessToken: OrganizationAccessToken;
   readonly id: string;
 
   constructor(
     args: {
       id: string;
       organizationId: string;
       policies: Array<AuthorizationPolicyStatement>;
+      organizationAccessToken: OrganizationAccessToken;
     },
     deps: {
       logger: Logger;
@@ -29,6 +37,14 @@ export class OrganizationAccessTokenSession extends Session {
     this.id = args.id;
     this.organizationId = args.organizationId;
     this.policies = args.policies;
+    this.organizationAccessToken = args.organizationAccessToken;
+  }
+
+  public async getActor(): Promise<OrganizationAccessTokenActor> {
+    return {
+      type: 'organizationAccessToken',
+      organizationAccessToken: this.organizationAccessToken,
+    };
   }
 
   protected loadPolicyStatementsForOrganization(
@@ -112,6 +128,7 @@ export class OrganizationAccessTokenStrategy extends AuthNStrategy<OrganizationA
         id: organizationAccessToken.id,
         organizationId: organizationAccessToken.organizationId,
         policies: organizationAccessToken.authorizationPolicyStatements,
+        organizationAccessToken,
       },
       {
         logger: args.req.log,

packages/services/api/src/modules/auth/lib/supertokens-strategy.ts

@@ -2,13 +2,12 @@ import SessionNode from 'supertokens-node/recipe/session/index.js';
 import * as zod from 'zod';
 import type { FastifyReply, FastifyRequest } from '@hive/service-common';
 import { captureException } from '@sentry/node';
-import type { User } from '../../../shared/entities';
 import { AccessError, HiveError } from '../../../shared/errors';
 import { isUUID } from '../../../shared/is-uuid';
 import { OrganizationMembers } from '../../organization/providers/organization-members';
 import { Logger } from '../../shared/providers/logger';
 import type { Storage } from '../../shared/providers/storage';
-import { AuthNStrategy, AuthorizationPolicyStatement, Session } from './authz';
+import { AuthNStrategy, AuthorizationPolicyStatement, Session, UserActor } from './authz';
 
 export class SuperTokensCookieBasedSession extends Session {
   public superTokensUserId: string;
@@ -32,7 +31,7 @@ export class SuperTokensCookieBasedSession extends Session {
   protected async loadPolicyStatementsForOrganization(
     organizationId: string,
   ): Promise<Array<AuthorizationPolicyStatement>> {
-    const user = await this.getViewer();
+    const { user } = await this.getActor();
 
     this.logger.debug(
       'Loading policy statements for organization. (userId=%s, organizationId=%s)',
@@ -97,7 +96,7 @@ export class SuperTokensCookieBasedSession extends Session {
     return organizationMembership.assignedRole.authorizationPolicyStatements;
   }
 
-  public async getViewer(): Promise<User> {
+  public async getActor(): Promise<UserActor> {
     const user = await this.storage.getUserBySuperTokenId({
       superTokensUserId: this.superTokensUserId,
     });
@@ -106,7 +105,10 @@ export class SuperTokensCookieBasedSession extends Session {
       throw new AccessError('User not found');
     }
 
-    return user;
+    return {
+      type: 'user',
+      user,
+    };
   }
 
   public isViewer() {

packages/services/api/src/modules/auth/lib/target-access-token-strategy.ts

@@ -1,4 +1,5 @@
 import { maskToken, type FastifyReply, type FastifyRequest } from '@hive/service-common';
+import { AccessError } from '../../../shared/errors';
 import { Logger } from '../../shared/providers/logger';
 import { TokenStorage } from '../../token/providers/token-storage';
 import { TokensConfig } from '../../token/providers/tokens';
@@ -55,6 +56,10 @@ export class TargetAccessTokenSession extends Session {
       targetId: this.targetId,
     };
   }
+
+  public async getActor(): Promise<never> {
+    throw new AccessError('Authorization token is missing', 'UNAUTHENTICATED');
+  }
 }
 
 export class TargetAccessTokenStrategy extends AuthNStrategy<TargetAccessTokenSession> {

packages/services/api/src/modules/auth/module.graphql.mappers.ts

@@ -1,8 +1,10 @@
 import type { User } from '../../shared/entities';
 import { PermissionGroup, PermissionRecord } from '../organization/lib/permissions';
-import type { OrganizationAccessScope } from './providers/organization-access';
-import type { ProjectAccessScope } from './providers/project-access';
-import type { TargetAccessScope } from './providers/target-access';
+import type {
+  OrganizationAccessScope,
+  ProjectAccessScope,
+  TargetAccessScope,
+} from './providers/scopes';
 
 export type OrganizationAccessScopeMapper = OrganizationAccessScope;
 export type ProjectAccessScopeMapper = ProjectAccessScope;