[WIP] Backend authentication RBAC refactor #497
base: v2/auth
Conversation
Started off by refactoring the getPageData request. Also refactoring the file structure for easier maintenance/contribution
… into v2/backend/rbac
Update: completed moving over gameplay routes to new file structure.
It appears atm this PR is ready for review. File structure migrations have been completed and some major security issues were addressed in regards to database queries not requiring enough / minimal fields to determine which records to retrieve. In some instances, if you spoofed a userId, you could gain access to apikeys or other models that were not yours...
Won't let me request changes, but I have put a few comments in.
const query = await prisma.v2Account.findFirst({ | ||
where: { | ||
providerAccountId: | ||
logto_user.userInfo.identities[ |
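Review bot: the where clause filters on providerAccountId alone, but that id is only unique within a provider; add `provider` to the filter (the create call further down already records it for the same account), and prefer a unique lookup on the (provider, providerAccountId) pair over findFirst so a collision fails loudly instead of silently returning the first match.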
Can we assign this to a variable like providerAccountId, just to clean things up a bit?
will do
if (!query || query == null) | ||
await prisma.v2Account.create({ | ||
data: { | ||
provider: Object.keys(logto_user.userInfo.identities)[0], |
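Review bot: `if (!query || query == null)` is redundant, `!query` already covers null and undefined. More importantly, `Object.keys(logto_user.userInfo.identities)[0]` is undefined when the identities object is empty, so the lookup above runs with an undefined providerAccountId and this create would persist `provider: undefined`; check that at least one identity is present and reject the sign-in before querying.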
Run Object.keys once and assign to a variable, and grab the ID needed above from this variable.
👍
// always update user data on sign-in | ||
try { | ||
const result = await prisma.account.findFirst({ | ||
const result = await prisma.v2Account.findFirst({ | ||
where: { | ||
providerAccountId: | ||
logto_user.userInfo.identities[ | ||
Object.keys(logto_user.userInfo.identities)[0] |
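Review bot: since the comment says this block updates user data on sign-in, the record selected here must be the right one; the replacement query on the v2Account line keys only on providerAccountId, so include `provider` in the where clause (the same pair used when the account is created) so an id that collides across providers cannot select, and then update, another account's row.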
Same as above here please.
👍
'read:gameplay', | ||
]) | ||
.meta({ openapi: { method: 'GET', path: '/clip' } }) | ||
.input( |
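Review bot: the openapi meta declares only method and path, so the generated spec will not say that GET /clip requires the 'read:gameplay' scope; add a summary or description naming the required permission next to the zod input schema so API consumers can see the requirement without reading the router source.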
Can the zod input/output schemas be assigned to their own variable please. See gameplay/create.ts
I don't think we need to do this if the object is that small. I think it would be viable if the object had maybe 2-3 more values, but just one doesn't make sense unless this input policy would be used in more than 1 route.
It would make sense to me to match the rest of the codebase, it's more of a readability/convention issue.
…e to explain better
Description
This will eventually refactor all the current backend code into using logto's RBAC system to authenticate use of the backend API depending on the permissions the logged-in user has.
This will also refactor the current backend file structure for improved readability, contribution and maintenance.
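The two points raised in this PR, scope-gated routes and queries that bind records to the authenticated account rather than to a client-supplied userId, are shown together below. This is an added example and not the project's own code: the `Session`, `ApiKey` and `Scope` types, the `requireScopes` helper and the in-memory `API_KEYS` table are all constructed stand-ins for the auth layer and the database, and the scope names other than `read:gameplay` are assumptions.

```typescript
// Added example, not code from the project: a scope check plus owner-bound
// lookups over a constructed in-memory table. All names are hypothetical.

type Scope = 'read:gameplay' | 'read:apikeys';

interface Session {
  accountId: string; // set by the auth layer after token validation
  scopes: Scope[];   // permissions granted to this account
}

interface ApiKey {
  id: string;
  ownerId: string;
  label: string;
}

// Constructed sample rows standing in for an apikeys table.
const API_KEYS: ApiKey[] = [
  { id: 'key-1', ownerId: 'acct-alice', label: 'alice-main' },
  { id: 'key-2', ownerId: 'acct-bob', label: 'bob-main' },
];

// Reject the call unless every required scope is present on the session.
function requireScopes(session: Session, required: Scope[]): void {
  const missing = required.filter((s) => session.scopes.indexOf(s) === -1);
  if (missing.length > 0) {
    throw new Error('forbidden: missing scopes ' + missing.join(', '));
  }
}

// Vulnerable shape: the owner is taken from a request parameter, so a caller
// who passes someone else's id receives that account's keys.
function listApiKeysUnsafe(session: Session, requestedUserId: string): ApiKey[] {
  requireScopes(session, ['read:apikeys']);
  return API_KEYS.filter((k) => k.ownerId === requestedUserId);
}

// Hardened shape: the owner comes from the authenticated session only; there is
// no parameter through which the caller can choose a different account.
function listApiKeys(session: Session): ApiKey[] {
  requireScopes(session, ['read:apikeys']);
  return API_KEYS.filter((k) => k.ownerId === session.accountId);
}

// Single-record fetch: the filter carries both the record id and the owner,
// so a guessed id belonging to another account yields null, not the row.
function getApiKey(session: Session, keyId: string): ApiKey | null {
  requireScopes(session, ['read:apikeys']);
  const rows = API_KEYS.filter(
    (k) => k.id === keyId && k.ownerId === session.accountId,
  );
  return rows.length > 0 ? rows[0] : null;
}
```

The same shape carries over to a Prisma where clause: put the session's account id into the filter alongside the record id, and never let a request body or query string supply the owner field.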
Routers to refactor
Issues