Enabling retool generation

Author: fforres

.dev.vars.example

@@ -9,5 +9,6 @@ STRIPE_KEY=""
 MERCADOPAGO_KEY=""
 RESEND_API_KEY=""
 SUPABASE_JWT_DECODER""
+SUPABASE_JWT_ENCODER=""
 
 ENFORCED_JWT_TOKEN=""

src/authn/index.ts

@@ -1,4 +1,4 @@
-import { decode, verify } from "@tsndr/cloudflare-worker-jwt";
+import { sign, decode, verify } from "@tsndr/cloudflare-worker-jwt";
 import { Logger } from "pino";
 
 import { TokenPayload } from "~/authn/types";
@@ -25,6 +25,20 @@ const getAuthToken = (request: Request) => {
   return null;
 };
 
+export const createAuthToken = async (user: USER, SECRET: string) => {
+  const payload = {
+    audience: "retool-autenticated",
+    id: user.id,
+    email: user.email,
+    user_metadata: user,
+    exp: Date.now() + 60 * 60 * 24 * 1000 /* 24 hours */,
+  };
+
+  const token = await sign(payload, SECRET);
+
+  return token;
+};
+
 // Obtener el token de autorización de la solicitud, ya sea del encabezado de
 // autorización o de la cookie "community-os-access-token"
 const getImpersonatedUserFromRequest = async (

src/context.ts

@@ -25,6 +25,8 @@ export const createGraphqlContext = async ({
   SANITY_API_VERSION,
   SANITY_SECRET_TOKEN,
   SUPABASE_JWT_DECODER,
+  SUPABASE_JWT_ENCODER,
+  RETOOL_AUTHENTICATION_TOKEN,
   STRIPE_KEY,
   HYPERDRIVE,
   MERCADOPAGO_KEY,
@@ -38,6 +40,14 @@ export const createGraphqlContext = async ({
     throw new Error("Missing MAIL_QUEUE");
   }
 
+  if (!RETOOL_AUTHENTICATION_TOKEN) {
+    throw new Error("Missing RETOOL_AUTHENTICATION_TOKEN");
+  }
+
+  if (!SUPABASE_JWT_ENCODER) {
+    throw new Error("Missing SUPABASE_JWT_ENCODER");
+  }
+
   if (!RPC_SERVICE_EMAIL) {
     throw new Error("RPC_SERVICE_EMAIL is not defined");
   }
@@ -134,5 +144,7 @@ export const createGraphqlContext = async ({
     GET_MERCADOPAGO_CLIENT,
     logger,
     RPC_SERVICE_EMAIL,
+    RETOOL_AUTHENTICATION_TOKEN,
+    SUPABASE_JWT_ENCODER,
   } satisfies Context;
 };

src/schema/user/mutations.ts

@@ -1,6 +1,7 @@
 import { eq } from "drizzle-orm";
 import { GraphQLError } from "graphql";
 
+import { createAuthToken } from "~/authn";
 import { builder } from "~/builder";
 import {
   PronounsEnum,
@@ -9,6 +10,7 @@ import {
   usersSchema,
   usersToCommunitiesSchema,
 } from "~/datasources/db/schema";
+import { applicationError, ServiceErrors } from "~/errors";
 import { UserRef } from "~/schema/shared/refs";
 import { pronounsEnum } from "~/schema/user/types";
 import {
@@ -156,3 +158,65 @@ builder.mutationField("updateUserRoleInCommunity", (t) =>
     },
   }),
 );
+
+const retoolToken = builder.inputType("retoolToken", {
+  fields: (t) => ({
+    userEmail: t.string({ required: true }),
+    authToken: t.string({ required: true }),
+  }),
+});
+
+export const TokenRef = builder.objectRef<{
+  token: string;
+}>("TokenRef");
+
+builder.mutationField("retoolToken", (t) =>
+  t.field({
+    description: "Update a user role",
+    type: TokenRef,
+    deprecationReason: "Not enabled",
+    nullable: false,
+    args: {
+      input: t.arg({ type: retoolToken, required: true }),
+    },
+    resolve: async (root, { input }, ctx) => {
+      try {
+        const { userEmail, authToken } = input;
+
+        if (authToken !== ctx.RETOOL_AUTHENTICATION_TOKEN) {
+          throw new Error("Not authorized");
+        }
+
+        const user = await ctx.DB.query.usersSchema.findFirst({
+          where: (u, { eq, and }) =>
+            and(
+              eq(u.email, userEmail.trim().toLocaleLowerCase()),
+              eq(u.isRetoolEnabled, true),
+              eq(u.isSuperAdmin, true),
+            ),
+        });
+
+        if (!user) {
+          throw new Error("Not authorized");
+        }
+
+        const selectedUser = selectUsersSchema.parse(user);
+
+        const token = await createAuthToken(
+          selectedUser,
+          ctx.SUPABASE_JWT_ENCODER,
+        );
+
+        return {
+          token,
+        };
+      } catch (e) {
+        throw applicationError(
+          "Not authorized",
+          ServiceErrors.FORBIDDEN,
+          ctx.logger,
+        );
+      }
+    },
+  }),
+);

src/schema/user/types.ts

@@ -8,6 +8,7 @@ import {
 } from "~/datasources/db/schema";
 import { CommunityRef, UserRef } from "~/schema/shared/refs";
 import { TeamRef } from "~/schema/teams/types";
+import { TokenRef } from "~/schema/user/mutations";
 
 export const pronounsEnum = builder.enumType(PronounsEnum, {
   name: "PronounsEnum",
@@ -108,3 +109,10 @@ builder.objectType(UserRef, {
 export const SearchableUserTags = builder.enumType("SearchableUserTags", {
   values: Object.values(AllowedUserTags),
 });
+
+builder.objectType(TokenRef, {
+  description: "Representation of a token",
+  fields: (t) => ({
+    token: t.exposeString("token", { nullable: false }),
+  }),
+});

src/types.ts

@@ -21,6 +21,8 @@ export type Context = {
   GOOGLE_PHOTOS_IMPORT_QUEUE: Queue;
   PURCHASE_CALLBACK_URL: string;
   RPC_SERVICE_EMAIL: Env["RPC_SERVICE_EMAIL"];
+  RETOOL_AUTHENTICATION_TOKEN: string;
+  SUPABASE_JWT_ENCODER: string;
 };
 
 export type GraphqlContext = Context &

worker-configuration.d.ts

@@ -1,5 +1,6 @@
 // Generated by Wrangler on Fri Jul 07 2023 08:10:34 GMT-0700 (Pacific Daylight Time)
 import type WorkerEntrypoint from "./workers/transactional_email_service";
+
 export interface Env {
   GRAPHQL_BASE_ENDPOINT: "/";
   NEON_URL: string | undefined;
@@ -18,6 +19,8 @@ export interface Env {
   HYPERDRIVE: Hyperdrive;
   PURCHASE_CALLBACK_URL: string;
   RPC_SERVICE_EMAIL: Service<WorkerEntrypoint>;
+  RETOOL_AUTHENTICATION_TOKEN: string;
+  SUPABASE_JWT_ENCODER: string;
 }
 
 declare global {