Merge pull request #1017 from solocommand/auth-updates

Auth updates
parameter1 · Dec 2, 2024 · d14dd22 · d14dd22
2 parents 6ab7402 + 1e4377d
commit d14dd22
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 8 deletions.
diff --git a/services/graphql-server/src/auth-context/create.js b/services/graphql-server/src/auth-context/create.js
@@ -1,4 +1,7 @@
-const { AuthenticationError } = require('apollo-server-express');
+const {
+  AuthenticationError,
+  ForbiddenError,
+} = require('apollo-server-express');
 const UserContext = require('./context');
 
 const expression = /^Bearer (?<token>.+)/;
@@ -9,6 +12,10 @@ module.exports = async ({ req, userService }) => {
 
   if (!expression.test(authorization)) throw new AuthenticationError('The provided credentials are invalid.');
   const { token } = authorization.match(expression).groups;
-  const user = await userService.checkAuth(token);
-  return new UserContext({ user, token });
+  try {
+    const user = await userService.checkAuth(token);
+    return new UserContext({ user, token });
+  } catch (e) {
+    throw new ForbiddenError('The provided credentials are no longer valid.');
+  }
 };
diff --git a/services/graphql-server/src/user/user-service.js b/services/graphql-server/src/user/user-service.js
@@ -2,6 +2,13 @@ const { AuthenticationError } = require('apollo-server-express');
 const bcrypt = require('bcryptjs');
 const TokenService = require('./token-service');
 
+const activeCriteria = {
+  accountNonExpired: true,
+  accountNonLocked: true,
+  credentialsNonExpired: true,
+  enabled: true,
+};
+
 const UserService = class UserService {
   constructor({ basedb }) {
     this.basedb = basedb;
@@ -11,10 +18,7 @@ const UserService = class UserService {
   async login(username, plaintext) {
     const criteria = {
       username,
-      accountNonExpired: true,
-      accountNonLocked: true,
-      credentialsNonExpired: true,
-      enabled: true,
+      ...activeCriteria,
     };
     const user = await this.basedb.findOne('platform.User', criteria);
     if (!user || !user.password) throw new AuthenticationError('The provided user credentials are invalid.');
@@ -32,7 +36,10 @@ const UserService = class UserService {
 
   async checkAuth(token) {
     const { uid } = await this.tokenService.validate(token);
-    return this.basedb.findOne('platform.User', { _id: uid });
+    return this.basedb.strictFindOne('platform.User', {
+      _id: uid,
+      ...activeCriteria,
+    });
   }
 };