Merge pull request #254 from vtex-apps/feat/security-layer-2

lucvysk · web-flow · commit d1d7d68c1396 · 2024-10-30T10:55:02.000-03:00
feat:  mutation bugfix
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+### Added
+
+- [VSC-1261609] Added security layer
+
 ## [0.18.9] - 2024-09-09
 
 ### Fixed
diff --git a/graphql/schema.graphql b/graphql/schema.graphql
@@ -3,6 +3,7 @@ type Query {
   getHistory: [GetHistoryResponse] @cacheControl(scope: PRIVATE)
   getLast(workspace: String): GetLastResponse @cacheControl(scope: PRIVATE)
   getById(id: String): ConfigResponse @cacheControl(scope: PRIVATE)
+  getPermissions: GetPermissionsResponse @cacheControl(scope: PRIVATE)
 }
 
 type Mutation {
@@ -49,6 +50,9 @@ type GetHistoryResponse {
   appVersion: String
 }
 
+type GetPermissionsResponse {
+  access: Boolean
+}
 type GetSetupConfigResponse {
   adminSetup: AdminSetupResponse
 }
diff --git a/manifest.json b/manifest.json
@@ -39,6 +39,9 @@
     {
       "name": "LogisticsViewer"
     },
+    {
+      "name": "Get_User_By_Identifier"
+    },
     {
       "name": "outbound-access",
       "attrs": {
@@ -66,6 +69,20 @@
         "host": "{{account}}.vtexcommercestable.com.br",
         "path": "/api/logistics/pvt/configuration/holidays/"
       }
+    },
+    {
+      "name": "outbound-access",
+      "attrs": {
+        "host": "portal.vtexcommercestable.com.br",
+        "path": "/api/vtexid/*"
+      }
+    },
+    {
+      "name": "outbound-access",
+      "attrs": {
+        "host": "{{account}}.vtexcommercestable.com.br",
+        "path": "/api/license-manager/*"
+      }
     }
   ],
   "scripts": {},
diff --git a/messages/ar.json b/messages/ar.json
@@ -1,6 +1,8 @@
 {
   "admin/checkout-ui.title": "واجهة المستخدم المخصصة للدفع",
   "admin/checkout-ui.update-warning": "تم تحديث هذا التطبيق. الرجاء النقر فوق \"نشر\" لتطبيق أحدث الإصلاحات على عملية الدفع الخاصة بك.",
+  "admin/checkout-ui.permission-warning":"You don't have permission to publish", 
+  "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'", 
   "admin/checkout-ui.navigation.title": "واجهة المستخدم المخصصة للدفع",
   "admin/checkout-ui.tab.layout": "التصميم",
   "admin/checkout-ui.tab.colors": "الألوان",
diff --git a/messages/context.json b/messages/context.json
@@ -2,6 +2,8 @@
   "admin/checkout-ui.navigation.title": "admin/checkout-ui.navigation.title",
   "admin/checkout-ui.title": "admin/checkout-ui.title",
   "admin/checkout-ui.update-warning": "admin/checkout-ui.update-warning",
+  "admin/checkout-ui.permission-warning": "admin/checkout-ui.permission-warning",
+  "admin/checkout-ui.permission-tooltip": "admin/checkout-ui.permission-tooltip",
   "admin/checkout-ui.tab.layout": "admin/checkout-ui.tab.layout",
   "admin/checkout-ui.tab.colors": "admin/checkout-ui.tab.colors",
   "admin/checkout-ui.tab.javascript": "admin/checkout-ui.tab.javascript",
diff --git a/messages/de.json b/messages/de.json
@@ -1,6 +1,8 @@
 {
   "admin/checkout-ui.title": "Checkout UI Benutzerdefiniert",
   "admin/checkout-ui.update-warning": "Diese App wurde aktualisiert. Bitte klicken Sie auf VERÖFFENTLICHEN, um die neuesten Korrekturen auf Ihren Checkout anzuwenden.",
+  "admin/checkout-ui.permission-warning":"You don't have permission to publish", 
+  "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'", 
   "admin/checkout-ui.navigation.title": "Checkout UI Benutzerdefiniert",
   "admin/checkout-ui.tab.layout": "Layout",
   "admin/checkout-ui.tab.colors": "Farben",
diff --git a/messages/en.json b/messages/en.json
@@ -1,6 +1,8 @@
 {
   "admin/checkout-ui.title": "Checkout UI Custom",
   "admin/checkout-ui.update-warning": "This app has been updated. Please click PUBLISH to apply the latest fixes to your checkout.",
+  "admin/checkout-ui.permission-warning":"You don't have permission to publish", 
+  "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'", 
   "admin/checkout-ui.navigation.title": "Checkout UI Custom",
   "admin/checkout-ui.tab.layout": "Layout",
   "admin/checkout-ui.tab.colors": "Colors",
diff --git a/messages/es.json b/messages/es.json
@@ -1,6 +1,8 @@
 {
   "admin/checkout-ui.title": "Interfaz personalizada del checkout",
   "admin/checkout-ui.update-warning": "Esta aplicación ha sido actualizada. Por favor, haz clic en PUBLICAR para aplicar las últimas correcciones a tu checkout.",
+  "admin/checkout-ui.permission-warning":"You don't have permission to publish", 
+  "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'", 
   "admin/checkout-ui.navigation.title": "Interfaz personalizada del checkout",
   "admin/checkout-ui.tab.layout": "Layout",
   "admin/checkout-ui.tab.colors": "Colores",
diff --git a/messages/fi.json b/messages/fi.json
@@ -1,6 +1,8 @@
 {
   "admin/checkout-ui.title": "Räätälöity kassakäyttöliittymä",
   "admin/checkout-ui.update-warning": "Tämä sovellus on päivitetty. Napsauta JULKAISE lisätäksesi viimeisimmät korjaukset kassalle.",
+  "admin/checkout-ui.permission-warning":"You don't have permission to publish", 
+  "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'", 
   "admin/checkout-ui.navigation.title": "Räätälöity kassakäyttöliittymä",
   "admin/checkout-ui.tab.layout": "Asettelu",
   "admin/checkout-ui.tab.colors": "Värit",
diff --git a/messages/it.json b/messages/it.json
@@ -1,6 +1,8 @@
 {
   "admin/checkout-ui.title": "Interfaccia personalizzata del checkout",
   "admin/checkout-ui.update-warning": "Questa app è stata aggiornata. Clicca su \"PUBBLICA\" per applicare le ultime correzioni al tuo checkout.",
+  "admin/checkout-ui.permission-warning":"You don't have permission to publish", 
+  "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'", 
   "admin/checkout-ui.navigation.title": "Interfaccia personalizzata del checkout",
   "admin/checkout-ui.tab.layout": "Layout",
   "admin/checkout-ui.tab.colors": "Colori",
diff --git a/messages/ja-JP.json b/messages/ja-JP.json
@@ -1,6 +1,8 @@
 {
   "admin/checkout-ui.title": "UI カスタムをチェックアウト",
   "admin/checkout-ui.update-warning": "このアプリはアップデートされています。公開をクリックし、チェックアウトに最新の修正を適用してください。",
+  "admin/checkout-ui.permission-warning":"You don't have permission to publish", 
+  "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'", 
   "admin/checkout-ui.navigation.title": "UI カスタムをチェックアウト",
   "admin/checkout-ui.tab.layout": "レイアウト",
   "admin/checkout-ui.tab.colors": "色",
diff --git a/messages/ko-KR.json b/messages/ko-KR.json
@@ -1,6 +1,8 @@
 {
   "admin/checkout-ui.title": "체크아웃 UI 사용자 정의",
   "admin/checkout-ui.update-warning": "이 앱이 업데이트되었습니다. 체크아웃에 최신 수정사항을 적용하려면 [게시;]를 클릭하세요.",
+  "admin/checkout-ui.permission-warning":"You don't have permission to publish", 
+  "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'", 
   "admin/checkout-ui.navigation.title": "체크아웃 UI 사용자 정의",
   "admin/checkout-ui.tab.layout": "레이아웃",
   "admin/checkout-ui.tab.colors": "색",
diff --git a/messages/pt.json b/messages/pt.json
@@ -1,6 +1,8 @@
 {
   "admin/checkout-ui.title": "Interface personalizada do checkout",
   "admin/checkout-ui.update-warning": "Este app foi atualizado. Clique em PUBLICAR para aplicar as últimas correções ao seu checkout.",
+  "admin/checkout-ui.permission-warning":"Você não tem permissão para publicar", 
+  "admin/checkout-ui.permission-tooltip":"Licença necessária: 'SaveOrderFormConfiguration'", 
   "admin/checkout-ui.navigation.title": "Interface personalizada do checkout",
   "admin/checkout-ui.tab.layout": "Interface",
   "admin/checkout-ui.tab.colors": "Cores",
diff --git a/messages/ro-RO.json b/messages/ro-RO.json
@@ -1,6 +1,8 @@
 {
   "admin/checkout-ui.title": "Personalizare Checkout UI",
   "admin/checkout-ui.update-warning": "Această aplicație a fost actualizată. Te rugăm să apeși pe PUBLICĂ pentru a aplica cele mai recente remedieri la finalizarea comenzii tale.",
+  "admin/checkout-ui.permission-warning":"You don't have permission to publish", 
+  "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'", 
   "admin/checkout-ui.navigation.title": "Personalizare Checkout UI",
   "admin/checkout-ui.tab.layout": "Mod de afișare",
   "admin/checkout-ui.tab.colors": "Culori",
diff --git a/messages/th-TH.json b/messages/th-TH.json
@@ -1,6 +1,8 @@
 {
   "admin/checkout-ui.title": "กำหนด UI ใน Checkout",
   "admin/checkout-ui.update-warning": "แอปนี้มีการอัปเดต โปรดคลิก เผยแพร่ เพื่อให้การแก้ไขล่าสุดมีผลใน Checkout ของคุณ",
+  "admin/checkout-ui.permission-warning":"You don't have permission to publish", 
+  "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'", 
   "admin/checkout-ui.navigation.title": "กำหนด UI ใน Checkout",
   "admin/checkout-ui.tab.layout": "เลย์เอาต์",
   "admin/checkout-ui.tab.colors": "สี",
diff --git a/node/clients/IdentityClient.ts b/node/clients/IdentityClient.ts
@@ -0,0 +1,27 @@
+import type { InstanceOptions, IOContext } from '@vtex/api'
+import { JanusClient } from '@vtex/api'
+
+export default class IdentityClient extends JanusClient {
+  constructor(ctx: IOContext, options?: InstanceOptions) {
+    super(ctx, {
+      ...options,
+      headers: {
+        ...options?.headers,
+      },
+    })
+  }
+
+  public async validateToken({ token }: { token: string }): Promise<any> {
+    return this.http.post('/api/vtexid/credential/validate', { token })
+  }
+
+  public async getToken({
+    appkey,
+    apptoken,
+  }: {
+    appkey: string
+    apptoken: string
+  }): Promise<any> {
+    return this.http.post('/api/vtexid/apptoken/login', { appkey, apptoken })
+  }
+}
diff --git a/node/clients/LMClient.ts b/node/clients/LMClient.ts
@@ -0,0 +1,89 @@
+import type { InstanceOptions, IOContext } from '@vtex/api'
+import { ExternalClient } from '@vtex/api'
+
+export default class LMClient extends ExternalClient {
+  constructor(ctx: IOContext, options?: InstanceOptions) {
+    super(`http://${ctx.account}.vtexcommercestable.com.br/`, ctx, {
+      ...options,
+      headers: {
+        Accept: 'application/json',
+        'Content-Type': 'application/json',
+        VtexIdclientAutCookie: ctx.authToken,
+      },
+    })
+  }
+
+  public getUserAdminPermissions = async (account: string, userId: string) => {
+    return this.get(
+      `/api/license-manager/pvt/accounts/${encodeURI(
+        account
+      )}/logins/${encodeURI(userId)}/granted`
+    ).then((res: any) => {
+      return res
+    })
+  }
+
+  public getUserRolePermissions = async (account: string,userId: string) => {
+    return this.get(
+      `/api/license-manager/pvt/users/${encodeURI(userId)}/resources?an=${account}`
+    ).then((res: any) => {
+      return res
+    })
+  }
+
+  public getAccount = async () => {
+    return this.get<GetAccountResponse>(`/api/license-manager/account`).then(
+      (res) => {
+        return res
+      }
+    )
+  }
+
+  protected get = <T>(url: string) => {
+    return this.http.get<T>(url)
+  }
+}
+
+interface GetAccountResponse {
+  isActive: boolean
+  id: string
+  name: string
+  accountName: string
+  lv: unknown
+  isOperating: boolean
+  defaultUrl: unknown
+  district: unknown
+  country: unknown
+  complement: unknown
+  compunknownName: string
+  cnpj: string
+  haveParentAccount: boolean
+  parentAccountId: unknown
+  parentAccountName: unknown
+  city: unknown
+  address: unknown
+  logo: unknown
+  hasLogo: boolean
+  number: unknown
+  postalCode: unknown
+  state: unknown
+  telephone: string
+  tradingName: string
+  licenses: unknown[]
+  sponsor: {
+    name: string
+    email: string
+    phone: string
+  }
+  contact: {
+    name: string
+    email: string
+    phone: string
+  }
+  operationDate: unknown
+  inactivationDate: unknown
+  creationDate: string
+  hosts: unknown[]
+  sites: unknown[]
+  appKeys: unknown[]
+}
diff --git a/node/clients/index.ts b/node/clients/index.ts
@@ -1,8 +1,19 @@
 import { IOClients } from '@vtex/api'
 
 import { SaveVB } from './server-settings'
+import LMClient from './LMClient'
+import IdentityClient from './IdentityClient'
+
+
 // Extend the default IOClients implementation with our own custom clients.
 export class Clients extends IOClients {
+
+  public get lm() {
+    return this.getOrSet('lm', LMClient)
+  }
+  public get identity() {
+    return this.getOrSet('identity', IdentityClient)
+  }
   public get server() {
     return this.getOrSet('server', SaveVB)
   }
diff --git a/node/graphql/authcheck.ts b/node/graphql/authcheck.ts
@@ -0,0 +1,51 @@
+import { ForbiddenError } from '@vtex/api'
+import { validateAdminToken } from './helper'
+
+export const authCheck = async (ctx: Context, app: string) => {
+  const {
+    vtex: { logger },
+  } = ctx
+
+    const version = app.split(`@`)[1]
+
+    const cookie = ctx.headers?.cookie
+
+    const vtexCredentials: any = cookie
+      ? cookie
+          .split('; ')
+          .find((cookie: string) => cookie.startsWith('VtexIdclientAutCookie='))
+          ?.split('=')[1] ?? ''
+      : '';
+
+
+    if (version <= `0.18.9`) {
+      logger.warn({
+        message: 'Error: Invalid version',
+      })
+      throw new ForbiddenError('Unauthorized version')
+    }
+
+    if (!vtexCredentials.trim()) {
+      logger.warn({
+        message: 'CheckAdminAccess: Invalid token',
+      })
+      throw new ForbiddenError('Unauthorized Access')
+    }
+
+    if (vtexCredentials) {
+      const permission = await validateAdminToken(ctx, vtexCredentials)
+
+      if (
+        !permission.hasAdminToken ||
+        !permission.hasValidAdminToken ||
+        !permission.hasCurrentValidAdminToken ||
+        !permission.hasValidAdminRole
+      ) {
+        logger.warn({
+          message: 'CheckAdminAccess: Invalid store token',
+        })
+        throw new ForbiddenError('Unauthorized Access Token')
+      }
+    }
+  
+}
diff --git a/node/graphql/helper.ts b/node/graphql/helper.ts
diff --git a/node/graphql/index.ts b/node/graphql/index.ts
diff --git a/node/package.json b/node/package.json
diff --git a/node/yarn.lock b/node/yarn.lock
diff --git a/react/Admin.tsx b/react/Admin.tsx
diff --git a/react/queries/getPermissions.gql b/react/queries/getPermissions.gql

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ type Query {`
`3`	`3`	`getHistory: [GetHistoryResponse] @cacheControl(scope: PRIVATE)`
`4`	`4`	`getLast(workspace: String): GetLastResponse @cacheControl(scope: PRIVATE)`
`5`	`5`	`getById(id: String): ConfigResponse @cacheControl(scope: PRIVATE)`
	`6`	`+ getPermissions: GetPermissionsResponse @cacheControl(scope: PRIVATE)`
`6`	`7`	`}`
`7`	`8`
`8`	`9`	`type Mutation {`
`@@ -49,6 +50,9 @@ type GetHistoryResponse {`
`49`	`50`	`appVersion: String`
`50`	`51`	`}`
`51`	`52`
	`53`	`+type GetPermissionsResponse {`
	`54`	`+ access: Boolean`
	`55`	`+}`
`52`	`56`	`type GetSetupConfigResponse {`
`53`	`57`	`adminSetup: AdminSetupResponse`
`54`	`58`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,8 @@`
`1`	`1`	`{`
`2`	`2`	`"admin/checkout-ui.title": "واجهة المستخدم المخصصة للدفع",`
`3`	`3`	`"admin/checkout-ui.update-warning": "تم تحديث هذا التطبيق. الرجاء النقر فوق \"نشر\" لتطبيق أحدث الإصلاحات على عملية الدفع الخاصة بك.",`
	`4`	`+ "admin/checkout-ui.permission-warning":"You don't have permission to publish",`
	`5`	`+ "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'",`
`4`	`6`	`"admin/checkout-ui.navigation.title": "واجهة المستخدم المخصصة للدفع",`
`5`	`7`	`"admin/checkout-ui.tab.layout": "التصميم",`
`6`	`8`	`"admin/checkout-ui.tab.colors": "الألوان",`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,8 @@`
`1`	`1`	`{`
`2`	`2`	`"admin/checkout-ui.title": "Checkout UI Benutzerdefiniert",`
`3`	`3`	`"admin/checkout-ui.update-warning": "Diese App wurde aktualisiert. Bitte klicken Sie auf VERÖFFENTLICHEN, um die neuesten Korrekturen auf Ihren Checkout anzuwenden.",`
	`4`	`+ "admin/checkout-ui.permission-warning":"You don't have permission to publish",`
	`5`	`+ "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'",`
`4`	`6`	`"admin/checkout-ui.navigation.title": "Checkout UI Benutzerdefiniert",`
`5`	`7`	`"admin/checkout-ui.tab.layout": "Layout",`
`6`	`8`	`"admin/checkout-ui.tab.colors": "Farben",`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,8 @@`
`1`	`1`	`{`
`2`	`2`	`"admin/checkout-ui.title": "Checkout UI Custom",`
`3`	`3`	`"admin/checkout-ui.update-warning": "This app has been updated. Please click PUBLISH to apply the latest fixes to your checkout.",`
	`4`	`+ "admin/checkout-ui.permission-warning":"You don't have permission to publish",`
	`5`	`+ "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'",`
`4`	`6`	`"admin/checkout-ui.navigation.title": "Checkout UI Custom",`
`5`	`7`	`"admin/checkout-ui.tab.layout": "Layout",`
`6`	`8`	`"admin/checkout-ui.tab.colors": "Colors",`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,8 @@`
`1`	`1`	`{`
`2`	`2`	`"admin/checkout-ui.title": "Interfaz personalizada del checkout",`
`3`	`3`	`"admin/checkout-ui.update-warning": "Esta aplicación ha sido actualizada. Por favor, haz clic en PUBLICAR para aplicar las últimas correcciones a tu checkout.",`
	`4`	`+ "admin/checkout-ui.permission-warning":"You don't have permission to publish",`
	`5`	`+ "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'",`
`4`	`6`	`"admin/checkout-ui.navigation.title": "Interfaz personalizada del checkout",`
`5`	`7`	`"admin/checkout-ui.tab.layout": "Layout",`
`6`	`8`	`"admin/checkout-ui.tab.colors": "Colores",`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,8 @@`
`1`	`1`	`{`
`2`	`2`	`"admin/checkout-ui.title": "Räätälöity kassakäyttöliittymä",`
`3`	`3`	`"admin/checkout-ui.update-warning": "Tämä sovellus on päivitetty. Napsauta JULKAISE lisätäksesi viimeisimmät korjaukset kassalle.",`
	`4`	`+ "admin/checkout-ui.permission-warning":"You don't have permission to publish",`
	`5`	`+ "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'",`
`4`	`6`	`"admin/checkout-ui.navigation.title": "Räätälöity kassakäyttöliittymä",`
`5`	`7`	`"admin/checkout-ui.tab.layout": "Asettelu",`
`6`	`8`	`"admin/checkout-ui.tab.colors": "Värit",`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,8 @@`
`1`	`1`	`{`
`2`	`2`	`"admin/checkout-ui.title": "Interfaccia personalizzata del checkout",`
`3`	`3`	`"admin/checkout-ui.update-warning": "Questa app è stata aggiornata. Clicca su \"PUBBLICA\" per applicare le ultime correzioni al tuo checkout.",`
	`4`	`+ "admin/checkout-ui.permission-warning":"You don't have permission to publish",`
	`5`	`+ "admin/checkout-ui.permission-tooltip":"Required role: 'SaveOrderFormConfiguration'",`
`4`	`6`	`"admin/checkout-ui.navigation.title": "Interfaccia personalizzata del checkout",`
`5`	`7`	`"admin/checkout-ui.tab.layout": "Layout",`
`6`	`8`	`"admin/checkout-ui.tab.colors": "Colori",`