Fix token validation on graphql IntrospectionQuery (#5255)

## Context
We recently introduced a change that now throws a 401 if the token is
invalid or expired.
The first implementation used an allow list of operation names, and 'IntrospectionQuery'
was missing from it, so the playground was broken.

The check has been updated and we now only check the excludedOperations
list if a token is not present. This is because some operations can be
both used as loggedIn and loggedOut so we want to validate the token for
those sometimes (and set the workspace, user, cache version, etc). Still
not a very clean solution imho.
This commit is contained in:
Weiko 2024-05-03 10:30:47 +02:00 committed by GitHub
parent 1430a6745c
commit 30ffe0160e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -14,6 +14,7 @@ export class UserWorkspaceMiddleware implements NestMiddleware {
async use(req: Request, res: Response, next: NextFunction) { async use(req: Request, res: Response, next: NextFunction) {
const body = req.body; const body = req.body;
const excludedOperations = [ const excludedOperations = [
'GetClientConfig', 'GetClientConfig',
'GetCurrentUser', 'GetCurrentUser',
@ -24,12 +25,12 @@ export class UserWorkspaceMiddleware implements NestMiddleware {
'Verify', 'Verify',
'SignUp', 'SignUp',
'RenewToken', 'RenewToken',
'IntrospectionQuery',
]; ];
if ( if (
body && !this.tokenService.isTokenPresent(req) &&
body.operationName && (!body?.operationName || excludedOperations.includes(body.operationName))
excludedOperations.includes(body.operationName)
) { ) {
return next(); return next();
} }
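Review bot: The new condition on the `if` makes the skip decision depend on `body?.operationName`, a client-controlled string, so an unauthenticated caller can skip this middleware by omitting the operation name (an anonymous `{ ... }` query, or a batched array body where `body.operationName` is undefined) or by naming their own query after an entry in `excludedOperations`; the name does not constrain which fields the document selects. The commit text says the middleware now throws a 401 on a bad token, so if any resolver relies on that throw rather than its own guard, this is an authentication bypass for tokenless requests — I cannot see the resolvers from this diff, so please confirm every non-public resolver enforces auth independently. The `if (... !this.tokenService.isTokenPresent(req) ...)` branch also means a present-but-invalid token still reaches validation for excluded operations such as `IntrospectionQuery`, which looks intended per the description but is worth stating. I would add above the list: `// NOTE: operationName is client-chosen and may be absent (anonymous/batched queries); this list only decides whether we attempt token validation here and is not an authorization boundary — resolvers must enforce auth themselves.` The `use` method continues past the end of this hunk.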