Update token creation

Author: fforres

package-lock.json

@@ -56,6 +56,7 @@
     "eslint-import-resolver-typescript": "^3.6.1",
     "eslint-plugin-import": "^2.29.1",
     "graphql-tag": "^2.12.6",
+    "jsonwebtoken": "^9.0.2",
     "prettier": "^3.0.0",
     "react-email": "2.1.1",
     "tsx": "^3.13.0",
@@ -85,6 +86,7 @@
     "@pothos/plugin-tracing": "^0.5.8",
     "@sanity/client": "^6.7.0",
     "@tsndr/cloudflare-worker-jwt": "^2.5.3",
+    "@types/jsonwebtoken": "^9.0.6",
     "@types/react": "^18.2.22",
     "cookie": "^0.5.0",
     "dataloader": "^2.2.2",

package.json

@@ -9,7 +9,9 @@ import {
   updateUserProfileInfo,
 } from "~/datasources/queries/users";
 import { getUsername } from "~/datasources/queries/utils/createUsername";
-import { unauthorizedError } from "~/errors";
+import { applicationError, ServiceErrors, unauthorizedError } from "~/errors";
+
+const preventUserUpdate = new Set<"retool">(["retool"]);
 
 // Obtener el token de autorización de la solicitud, ya sea del encabezado de
 // autorización o de la cookie "community-os-access-token"
@@ -25,12 +27,12 @@ const getAuthToken = (request: Request) => {
   return null;
 };
 
-export const createAuthToken = async (user: USER, SECRET: string) => {
+export const createMinimalAuthToken = async (user: USER, SECRET: string) => {
   const payload = {
-    audience: "retool-autenticated",
-    id: user.id,
-    email: user.email,
-    user_metadata: user,
+    audience: "retool",
+    user_metadata: {
+      sub: user.id,
+    },
     exp: Date.now() + 60 * 60 * 24 * 1000 /* 24 hours */,
   };
 
@@ -136,26 +138,39 @@ export const upsertUserFromRequest = async ({
     throw unauthorizedError("Token expired", logger);
   }
 
-  const { avatar_url, name, user_name, email_verified, sub, picture } =
-    payload.user_metadata;
-  const profileInfo = insertUsersSchema.safeParse({
-    email: payload.email.toLowerCase(),
-    isEmailVerified: email_verified,
-    imageUrl: avatar_url ? avatar_url : picture ? picture : "",
-    externalId: sub,
-    name,
-    username: user_name ?? getUsername(),
-    publicMetadata: payload,
-  });
-
-  if (profileInfo.success === false) {
-    logger.error("Could not parse profile info", profileInfo.error);
-    throw new Error("Could not parse profile info", profileInfo.error);
-  }
+  if (payload.audience && preventUserUpdate.has(payload.audience)) {
+    const userId = payload.user_metadata.sub;
+
+    logger.info(`Preventing update for user ID: ${userId}`);
+    const user = await findUserByID(DB, userId);
+
+    if (!user) {
+      throw applicationError("User not found", ServiceErrors.FORBIDDEN, logger);
+    }
 
-  logger.info(`Updating profile Info for user ID: ${sub}`);
+    return user;
+  } else {
+    const { avatar_url, name, user_name, email_verified, sub, picture } =
+      payload.user_metadata;
+    const profileInfo = insertUsersSchema.safeParse({
+      email: payload.email.toLowerCase(),
+      isEmailVerified: email_verified,
+      imageUrl: avatar_url ? avatar_url : picture ? picture : "",
+      externalId: sub,
+      name,
+      username: user_name ?? getUsername(),
+      publicMetadata: payload,
+    });
+
+    if (profileInfo.success === false) {
+      logger.error("Could not parse profile info", profileInfo.error);
+      throw new Error("Could not parse profile info", profileInfo.error);
+    }
+
+    logger.info(`Updating profile Info for user ID: ${sub}`);
 
-  return updateUserProfileInfo(DB, profileInfo.data, logger);
+    return updateUserProfileInfo(DB, profileInfo.data, logger);
+  }
 };
 
 export const logPossibleUserIdFromJWT = (

src/authn/index.ts

@@ -7,6 +7,7 @@ export type TokenPayload = {
     sub: string;
     email: string;
     phone: string;
+    audience?: string;
     app_metadata: { provider: string; providers: string[] };
     user_metadata: {
       avatar_url: string;

src/authn/types.ts

@@ -1,7 +1,7 @@
 import { eq } from "drizzle-orm";
 import { GraphQLError } from "graphql";
 
-import { createAuthToken } from "~/authn";
+import { createMinimalAuthToken } from "~/authn";
 import { builder } from "~/builder";
 import {
   PronounsEnum,
@@ -199,7 +199,7 @@ builder.mutationField("retoolToken", (t) =>
 
         const selectedUser = selectUsersSchema.parse(user);
 
-        const token = await createAuthToken(
+        const token = await createMinimalAuthToken(
           selectedUser,
           ctx.SUPABASE_JWT_ENCODER,
         );

src/schema/user/mutations.ts

@@ -1,8 +1,7 @@
 import { faker } from "@faker-js/faker";
-import { decode, verify } from "@tsndr/cloudflare-worker-jwt";
+import { verify } from "jsonwebtoken";
 import { it, describe, assert } from "vitest";
 
-import { USER } from "~/datasources/db/users";
 import { executeGraphqlOperation, insertUser } from "~/tests/fixtures";
 
 import {
@@ -49,26 +48,25 @@ describe("User", () => {
       throw new Error("Token not found");
     }
 
-    const verified = await verify(token, encoder);
+    const decodedToken = verify(token, encoder, {
+      complete: true,
+    }) as unknown as {
+      payload: {
+        audience: string;
+        user_metadata: {
+          sub: string;
+        };
+      };
+    };
 
-    assert.exists(verified);
-
-    assert.equal(verified, true);
-
-    const decodedToken = decode<{
-      user_metadata: USER;
-    }>(token);
-
-    const userTokenData = decodedToken?.payload?.user_metadata;
-
-    assert.equal(userTokenData?.email, user1.email);
+    assert.exists(token);
 
-    assert.equal(userTokenData?.isSuperAdmin, true);
+    const { user_metadata: userTokenData, audience } = decodedToken.payload;
 
-    assert.equal(userTokenData?.isRetoolEnabled, true);
+    assert.equal(userTokenData?.sub, user1.id);
 
-    assert.equal(userTokenData?.isEmailVerified, true);
+    assert.equal(Object.keys(userTokenData).length, 1);
 
-    assert.equal(userTokenData?.id, user1.id);
+    assert.equal(audience, "retool");
   });
 });