Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Add creator_id into CreateFlow mutation #826

Closed
wants to merge 3 commits into from

Conversation

DafyddLlyr
Copy link
Contributor

Addresses issue raised here - #825

Unpacks JWT to get userId, which is then passed into the CreateFlow mutation.

In future, we may want a UserStore or similar to keep hold of some user info (e.g. username for Avatar display), but this seemed a pragmatic solution for now. Feedback welcome if there's a better way to do this!

@DafyddLlyr DafyddLlyr requested a review from a team January 25, 2022 14:23
@github-actions
Copy link

github-actions bot commented Jan 25, 2022

Removed vultr server and associated DNS entries

Comment on lines 60 to 67
export function getLoggedInUserId(): number | undefined {
const jwt = getCookie("jwt");
if (!jwt) return;
const userId = Number(
(jwtDecode(jwt) as any)["https://hasura.io/jwt/claims"]["x-hasura-user-id"]
);
return userId;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you think it's worth refactoring this block to use the same bit of code?

if (
Number(
(jwtDecode(jwt) as any)["https://hasura.io/jwt/claims"][
"x-hasura-user-id"
]
) > 0
) {
return true;
}
} catch (e) {}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch - looking at this lead me to have a bit of a rethink, see comment below.

@DafyddLlyr
Copy link
Contributor Author

@johnrees Had a bit of a rethink on this one - if feels like a bit of an anti-pattern to have a utils function which could be called time and time again to parse the JWT.

Decided it makes more sense to deal with the JWT a single time after login, and then set the user details on the React-Navi context to be referred to later. There might be a better place to store this - open to thoughts 👍

slug: $slug
team_id: $teamId
version: 1
creator_id: $creatorId
Copy link
Contributor

@johnrees johnrees Jan 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there might be a bit of a security issue here that could get flagged by a security audit in future. It might be that we can ignore it for the time being though*

The issue is - a user could potentially set any creator_id they wanted with some sneaky frontend code tweaking, or by looking at the network request and then replaying it with a different creator_id of their choosing.

The way around it would be to extract the x-hasura-user-id from the JWT in hasura itself, so in the hasura console, you'd set creator_id to have the default value of x-hasura-user-id and have permissions so that creator_id can't be overridden.

https://hasura.io/docs/latest/graphql/core/databases/postgres/schema/default-values/column-presets.html#step-1-configure-a-column-preset

e.g.
Screenshot 2022-01-28 at 2 14 38 AM

Doing that should mean that it's impossible for someone to spoof the creator_id.

* However, IIRC we've all got full admin permissions right now anyway, which is why I think we might have bigger problems than this if we had an audit soon. Hmm 🤔

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's very helpful feedback thanks - I'll take a crack at this approach.

@DafyddLlyr
Copy link
Contributor Author

Following up here after a chat on Slack about this.

The approach of using a column preset suggested by @johnrees will only work custom roles, not the default "admin" role created with Hasura - hasura/graphql-engine#6519

I agree that we should move away from this role, it's likely something that will be flagged in an audit.

Closing this PR and creating a ticket on Trello to handle the problem properly - https://trello.com/c/oCV7Vhof/1768-create-more-granular-user-roles

@DafyddLlyr DafyddLlyr closed this Feb 4, 2022
@DafyddLlyr DafyddLlyr deleted the dp/missing-creator-id branch February 8, 2022 08:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants