Update token creation

Author: fforres

src/authn/index.ts

@@ -9,7 +9,9 @@ import {
   updateUserProfileInfo,
 } from "~/datasources/queries/users";
 import { getUsername } from "~/datasources/queries/utils/createUsername";
-import { unauthorizedError } from "~/errors";
+import { applicationError, ServiceErrors, unauthorizedError } from "~/errors";
+
+const preventUserUpdate = new Set<"retool">(["retool"]);
 
 // Obtener el token de autorización de la solicitud, ya sea del encabezado de
 // autorización o de la cookie "community-os-access-token"
@@ -25,12 +27,12 @@ const getAuthToken = (request: Request) => {
   return null;
 };
 
-export const createAuthToken = async (user: USER, SECRET: string) => {
+export const createMinimalAuthToken = async (user: USER, SECRET: string) => {
   const payload = {
-    audience: "retool-autenticated",
-    id: user.id,
-    email: user.email,
-    user_metadata: user,
+    audience: "retool",
+    user_metadata: {
+      sub: user.id,
+    },
     exp: Date.now() + 60 * 60 * 24 * 1000 /* 24 hours */,
   };
 
@@ -155,7 +157,18 @@ export const upsertUserFromRequest = async ({
 
   logger.info(`Updating profile Info for user ID: ${sub}`);
 
-  return updateUserProfileInfo(DB, profileInfo.data, logger);
+  if (payload.audience && preventUserUpdate.has(payload.audience)) {
+    logger.info(`Preventing update for user ID: ${sub}`);
+    const user = await findUserByID(DB, sub);
+
+    if (!user) {
+      throw applicationError("User not found", ServiceErrors.FORBIDDEN, logger);
+    }
+
+    return user;
+  } else {
+    return updateUserProfileInfo(DB, profileInfo.data, logger);
+  }
 };
 
 export const logPossibleUserIdFromJWT = (

src/authn/types.ts

@@ -7,6 +7,7 @@ export type TokenPayload = {
     sub: string;
     email: string;
     phone: string;
+    audience?: string;
     app_metadata: { provider: string; providers: string[] };
     user_metadata: {
       avatar_url: string;

src/schema/user/mutations.ts

@@ -1,7 +1,7 @@
 import { eq } from "drizzle-orm";
 import { GraphQLError } from "graphql";
 
-import { createAuthToken } from "~/authn";
+import { createMinimalAuthToken } from "~/authn";
 import { builder } from "~/builder";
 import {
   PronounsEnum,
@@ -199,7 +199,7 @@ builder.mutationField("retoolToken", (t) =>
 
         const selectedUser = selectUsersSchema.parse(user);
 
-        const token = await createAuthToken(
+        const token = await createMinimalAuthToken(
           selectedUser,
           ctx.SUPABASE_JWT_ENCODER,
         );

src/schema/user/tests/token.test.ts

@@ -56,19 +56,22 @@ describe("User", () => {
     assert.equal(verified, true);
 
     const decodedToken = decode<{
-      user_metadata: USER;
+      audience: string;
+      user_metadata: {
+        sub: string;
+      };
     }>(token);
 
-    const userTokenData = decodedToken?.payload?.user_metadata;
-
-    assert.equal(userTokenData?.email, user1.email);
+    if (!decodedToken.payload) {
+      throw new Error("User token data not found");
+    }
 
-    assert.equal(userTokenData?.isSuperAdmin, true);
+    const { user_metadata: userTokenData, audience } = decodedToken.payload;
 
-    assert.equal(userTokenData?.isRetoolEnabled, true);
+    assert.equal(userTokenData?.sub, user1.id);
 
-    assert.equal(userTokenData?.isEmailVerified, true);
+    assert.equal(Object.keys(userTokenData).length, 1);
 
-    assert.equal(userTokenData?.id, user1.id);
+    assert.equal(audience, "retool");
   });
 });