commit 73a62160f3843551f11ca5a04043b0fde1840fb5
parent e1dcd39c615dfdbde284f1ebf9d7b0e5a195a913
Author: srfsh <dev@srf.sh>
Date: Wed, 3 Aug 2022 10:21:04 +0300
Zenflows.{Web,GQL}: add authenticate_calls? context variable
This will allow us to skip authentication in tests. It is set to true
by default in Zenflows.Web.Router, so there's no security hole.
Zenflows.GQL.MW's submodules can be inspected to see how it is used.
Diffstat:
3 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/src/zenflows/gql/mw/admin.ex b/src/zenflows/gql/mw/admin.ex
@@ -26,13 +26,17 @@ alias Zenflows.Restroom
@impl true
def call(res, _opts) do
- with %{gql_admin: key} <- res.context,
- {:ok, key_given} <- Base.decode16(key, case: :lower),
- key_want = Application.fetch_env!(:zenflows, Zenflows.Admin)[:admin_key],
- true <- Restroom.byte_equal?(key_given, key_want) do
+ if res.context.authenticate_calls? do
+ with %{gql_admin: key} <- res.context,
+ {:ok, key_given} <- Base.decode16(key, case: :lower),
+ key_want = Application.fetch_env!(:zenflows, Zenflows.Admin)[:admin_key],
+ true <- Restroom.byte_equal?(key_given, key_want) do
+ res
+ else _ ->
+ Absinthe.Resolution.put_result(res, {:error, "you are not an admin"})
+ end
+ else
res
- else _ ->
- Absinthe.Resolution.put_result(res, {:error, "you are not an admin"})
end
end
end
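Review bot: The new `if res.context.authenticate_calls? do` at the top of `call/2` skips the admin key check for any falsy value, so a context carrying `nil` under that key would bypass authentication, while a context that lacks the key altogether raises `KeyError` instead of simply authenticating. Restricting the bypass to the literal `false` in a function head keeps every other shape on the authenticated path: add `def call(%{context: %{authenticate_calls?: false}} = res, _opts), do: res` as a first clause, keep the existing `with` body as the second clause, and drop the `if`/`else` wrapper. The same applies to the `Zenflows.GQL.MW.Sign` hunk in `src/zenflows/gql/mw/sign.ex`. Because the flag is read from the Absinthe context, a short comment on that clause stating that `authenticate_calls?` is only ever set from `Zenflows.Web.Router`'s `init_opts` (never from request-derived data) would document the invariant the commit message relies on.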
diff --git a/src/zenflows/gql/mw/sign.ex b/src/zenflows/gql/mw/sign.ex
@@ -27,12 +27,16 @@ alias Zenflows.VF.Person
@impl true
def call(res, _opts) do
- with %{gql_user: user, gql_sign: sign, gql_body: body} <- res.context,
- per when not is_nil(per) <- Person.Domain.by_user(user),
- true <- Restroom.verify_graphql?(body, sign, per.eddsa_public_key) do
+ if res.context.authenticate_calls? do
+ with %{gql_user: user, gql_sign: sign, gql_body: body} <- res.context,
+ per when not is_nil(per) <- Person.Domain.by_user(user),
+ true <- Restroom.verify_graphql?(body, sign, per.eddsa_public_key) do
+ put_in(res.context[:req_user], per)
+ else _ ->
+ Absinthe.Resolution.put_result(res, {:error, "you are not authenticated"})
+ end
+ else
res
- else _ ->
- Absinthe.Resolution.put_result(res, {:error, "you are not authenticated"})
end
end
end
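Review bot: The `else` branch added at the end of `call/2` returns `res` without putting `:req_user` into the context, so when `authenticate_calls?` is false the context has no `req_user` at all, whereas the authenticated path always sets it via `put_in(res.context[:req_user], per)`. Presumably resolvers behind this middleware read `req_user`; if so, tests that rely on the bypass will hit a missing key rather than run the resolver, and that should either be documented or handled. At minimum a comment on the branch such as `# authenticate_calls? is false only in tests; req_user is intentionally left unset and must be supplied by the test context` would make the contract explicit.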
diff --git a/src/zenflows/web/router.ex b/src/zenflows/web/router.ex
@@ -32,14 +32,18 @@ plug Plug.Parsers,
plug MW.GQLContext
plug :dispatch
+@init_opts [
+ schema: Zenflows.GQL.Schema,
+ context: %{authenticate_calls?: true},
+]
+
forward "/api",
to: Absinthe.Plug,
- schema: Zenflows.GQL.Schema
+ init_opts: @init_opts
forward "/play",
to: Absinthe.Plug.GraphiQL,
- schema: Zenflows.GQL.Schema,
- interface: :advanced
+ init_opts: [{:interface, :advanced} | @init_opts]
match _ do
conn