Adding user-data test and tightening security (#240)

- Move user_data table to its own file
- Add a `CanSeePersonalData` auth rule.
- Validate mutation works for creation and editing.
- Adds zod to some inserts/updates

Author: fforres

src/authz/index.ts

@@ -1,7 +1,12 @@
 /* eslint-disable @typescript-eslint/no-unused-vars */
-import { PreExecutionRule, UnauthorizedError } from "@graphql-authz/core";
+import {
+  PreExecutionRule,
+  UnauthorizedError,
+  PostExecutionRule,
+} from "@graphql-authz/core";
 import { GraphQLError } from "graphql";
 
+import { UserLoadable } from "~/schema/user/types";
 import { GraphqlContext } from "~/types";
 
 import { authHelpers } from "./helpers";
@@ -173,3 +178,28 @@ export class canApproveTicket extends PreExecutionRule {
     return Boolean(isEventAdmin);
   }
 }
+
+export class CanSeePersonalData extends PostExecutionRule {
+  public async execute(
+    ctx: GraphqlContext,
+    fieldArgs: any,
+    _: any,
+    parent: {
+      id: string;
+    },
+  ) {
+    if (!ctx.USER) {
+      return false;
+    }
+
+    if (ctx.USER.isSuperAdmin) {
+      return true;
+    }
+
+    const loadedUser = await UserLoadable.getDataloader(ctx).load(parent.id);
+
+    return loadedUser?.id === ctx.USER.id;
+  }
+
+  selectionSet = `{ id }`;
+}

src/datasources/db/schema.ts

@@ -1,4 +1,3 @@
-// TABLES/RELATIONS/CRUD
 export * from "~/datasources/db/allowedCurrencies";
 
 export * from "~/datasources/db/communities";
@@ -45,6 +44,8 @@ export * from "~/datasources/db/users";
 
 export * from "~/datasources/db/usersCommunities";
 
+export * from "~/datasources/db/usersData";
+
 export * from "~/datasources/db/usersTags";
 
 export * from "~/datasources/db/userTeams";

src/datasources/db/users.ts

@@ -1,19 +1,13 @@
 import { relations } from "drizzle-orm";
-import {
-  jsonb,
-  boolean,
-  pgTable,
-  text,
-  uuid,
-  uniqueIndex,
-} from "drizzle-orm/pg-core";
+import { boolean, jsonb, pgTable, text, uuid } from "drizzle-orm/pg-core";
 import { createInsertSchema, createSelectSchema } from "drizzle-zod";
 import { z } from "zod";
 
 import {
+  userDataSchema,
+  usersToCommunitiesSchema,
   userTeamsSchema,
   userTicketsSchema,
-  usersToCommunitiesSchema,
 } from "./schema";
 import {
   createdAndUpdatedAtFields,
@@ -107,29 +101,3 @@ export const allowedUserUpdateForAuth = insertUsersSchema
     status: true,
   })
   .partial();
-
-export const userDataSchema = pgTable(
-  "user_data",
-  {
-    id: uuid("id").primaryKey().notNull().defaultRandom(),
-    userId: uuid("user_id").references(() => usersSchema.id),
-    countryOfResidence: text("country_of_residence").notNull(),
-    city: text("city").notNull(),
-    worksInOrganization: boolean("works_in_organization").notNull(),
-    organizationName: text("organization_name"),
-    roleInOrganization: text("role_in_organization"),
-    ...createdAndUpdatedAtFields,
-  },
-  (table) => ({
-    userIdIndex: uniqueIndex("user_id_index").on(table.userId),
-  }),
-);
-
-export const userDataRelations = relations(userDataSchema, ({ one }) => ({
-  user: one(usersSchema, {
-    fields: [userDataSchema.userId],
-    references: [usersSchema.id],
-  }),
-}));
-
-export const selectUserDataSchema = createSelectSchema(userDataSchema);

src/datasources/db/usersData.ts

@@ -0,0 +1,42 @@
+import { relations } from "drizzle-orm";
+import { boolean, pgTable, text, uniqueIndex, uuid } from "drizzle-orm/pg-core";
+import { createInsertSchema, createSelectSchema } from "drizzle-zod";
+
+import { usersSchema } from "./schema";
+import { createdAndUpdatedAtFields } from "./shared";
+
+export const userDataSchema = pgTable(
+  "user_data",
+  {
+    id: uuid("id").primaryKey().notNull().defaultRandom(),
+    userId: uuid("user_id").references(() => usersSchema.id),
+    countryOfResidence: text("country_of_residence").notNull(),
+    city: text("city").notNull(),
+    worksInOrganization: boolean("works_in_organization").notNull(),
+    organizationName: text("organization_name"),
+    roleInOrganization: text("role_in_organization"),
+    ...createdAndUpdatedAtFields,
+  },
+  (table) => ({
+    userIdIndex: uniqueIndex("user_id_index").on(table.userId),
+  }),
+);
+
+export const userDataRelations = relations(userDataSchema, ({ one }) => ({
+  user: one(usersSchema, {
+    fields: [userDataSchema.userId],
+    references: [usersSchema.id],
+  }),
+}));
+
+export const selectUserDataSchema = createSelectSchema(userDataSchema);
+
+export const insertUserDataSchema = createInsertSchema(userDataSchema);
+
+export const updateUserDataSchema = insertUserDataSchema.pick({
+  city: true,
+  countryOfResidence: true,
+  organizationName: true,
+  roleInOrganization: true,
+  worksInOrganization: true,
+});

src/schema/invitations/mutations.ts

@@ -110,6 +110,7 @@ builder.mutationField("giftTicketsToUsers", (t) =>
               userId,
               ticketTemplateId: ticket.id,
               purchaseOrderId: purchaseOrder.id,
+              approvalStatus: "approved",
             }),
           ),
         )

src/schema/user/mutations.ts

@@ -4,14 +4,17 @@ import slugify from "slugify";
 
 import { builder } from "~/builder";
 import {
+  insertUserDataSchema,
   insertUsersSchema,
   PronounsEnum,
   selectUsersSchema,
+  updateUserDataSchema,
   updateUsersSchema,
   userDataSchema,
   usersSchema,
   usersToCommunitiesSchema,
 } from "~/datasources/db/schema";
+import { applicationError, ServiceErrors } from "~/errors";
 import { UserRef } from "~/schema/shared/refs";
 import { pronounsEnum } from "~/schema/user/types";
 import { usersFetcher } from "~/schema/user/userFetcher";
@@ -182,51 +185,60 @@ builder.mutationField("updateMyUserData", (t) =>
       input: t.arg({ type: updateUserDataInput, required: true }),
     },
     resolve: async (root, { input }, ctx) => {
-      try {
-        const {
-          countryOfResidence,
-          city,
-          worksInOrganization,
-          organizationName,
-          roleInOrganization,
-        } = input;
+      const {
+        countryOfResidence,
+        city,
+        worksInOrganization,
+        organizationName,
+        roleInOrganization,
+      } = input;
 
-        const USER = ctx.USER;
+      const USER = ctx.USER;
 
-        if (!USER) {
-          throw new Error("User not found");
-        }
+      if (!USER) {
+        throw new Error("User not found");
+      }
+
+      const userData = insertUserDataSchema.parse({
+        userId: USER.id,
+        countryOfResidence,
+        city,
+        worksInOrganization,
+        organizationName,
+        roleInOrganization,
+      });
 
-        await ctx.DB.insert(userDataSchema)
-          .values({
-            userId: USER.id,
+      const updatedUsers = await ctx.DB.insert(userDataSchema)
+        .values(userData)
+        .onConflictDoUpdate({
+          target: userDataSchema.userId,
+          set: updateUserDataSchema.parse({
             countryOfResidence,
             city,
             worksInOrganization,
             organizationName,
             roleInOrganization,
-          })
-          .onConflictDoUpdate({
-            target: userDataSchema.userId,
-            set: {
-              countryOfResidence,
-              city,
-              worksInOrganization,
-              organizationName,
-              roleInOrganization,
-            },
-          });
-
-        const user = await ctx.DB.query.usersSchema.findFirst({
-          where: (u, { eq }) => eq(u.id, USER.id),
-        });
+          }),
+        })
+        .returning();
+      const updatedUser = updatedUsers[0];
 
-        return selectUsersSchema.parse(user);
-      } catch (e) {
-        throw new GraphQLError(
-          e instanceof Error ? e.message : "Unknown error",
+      if (!updatedUser) {
+        throw applicationError(
+          "Could not update the user information",
+          ServiceErrors.NOT_FOUND,
+          ctx.logger,
         );
       }
+
+      const user = await usersFetcher.searchUsers({
+        DB: ctx.DB,
+        search: {
+          userIds: [USER.id],
+        },
+      });
+
+      return selectUsersSchema.parse(user[0]);
     },
   }),
 );

src/schema/user/tests/updateMyUserData/updateMyUserData.generated.ts

@@ -0,0 +1,30 @@
+/* eslint-disable */
+/* @ts-nocheck */
+/* prettier-ignore */
+/* This file is automatically generated using `npm run graphql:types` */
+import type * as Types from '../../../../generated/types';
+
+import type { JsonObject } from "type-fest";
+import gql from 'graphql-tag';
+export type UpdateMyUserDataMutationVariables = Types.Exact<{
+  input: Types.UpdateUserDataInput;
+}>;
+
+
+export type UpdateMyUserDataMutation = { __typename?: 'Mutation', updateMyUserData: { __typename?: 'User', id: string, userData: { __typename?: 'UserData', city: string, countryOfResidence: string, organizationName: string | null, roleInOrganization: string | null, worksInOrganization: boolean } | null } };
+
+
+export const UpdateMyUserData = gql`
+    mutation UpdateMyUserData($input: updateUserDataInput!) {
+  updateMyUserData(input: $input) {
+    id
+    userData {
+      city
+      countryOfResidence
+      organizationName
+      roleInOrganization
+      worksInOrganization
+    }
+  }
+}
+    `;

src/schema/user/tests/updateMyUserData/updateMyUserData.gql

@@ -0,0 +1,12 @@
+mutation UpdateMyUserData($input: updateUserDataInput!) {
+  updateMyUserData(input: $input) {
+    id
+    userData {
+      city
+      countryOfResidence
+      organizationName
+      roleInOrganization
+      worksInOrganization
+    }
+  }
+}