feat(auth): add tenant boundaries to auth GraphQL resolvers (#3697)

* feat(auth): add migration to seed operators api secret

* feat(auth): propagate apiSecret during tenant creation

* test(auth): update api secret tests & tableManager

* chore(localenv): update ADMIN_API_SECRET in docker compose files

* chore(bruno): update authApiSignatureSecret in requests

* feat(auth): add getTenantFromApiSignature middleware

* chore(auth): move tenant signature functions to separate file

* feat(auth): update authed tenant middleware, and add tests

* test(backend): update tenant test

* chore(testenv): add ADMIN_API_SECRET to auth

* feat(backend): call the auth service client if apiSecret has been updated

* test(auth): update tenant signature test name

* feat(auth): update tenant response from auth api to include the apiSecet

* test(auth): pull out apolloClient creation from test app

* feat(auth): add tenantId to GraphQL schema

* feat(auth): add tenant boundaries to resolvers

* feat(auth): disconnect from redis on app shutdown

* test(auth): add additional tests for tenant signature verification

Author: mkurapov

packages/auth/src/grant/service.test.ts

@@ -317,6 +317,23 @@ describe('Grant Service', (): void => {
         expect(fetchedGrant?.id).toEqual(grant.id)
         expect(fetchedGrant?.access?.length).toBeGreaterThan(0)
       })
+
+      test('Can filter by tenantId', async () => {
+        const fetchedGrant = await grantService.getByIdWithAccess(
+          grant.id,
+          grant.tenantId
+        )
+        expect(fetchedGrant?.id).toEqual(grant.id)
+        expect(fetchedGrant?.access?.length).toBeGreaterThan(0)
+      })
+
+      test('Returns undefined if incorrect tenantId', async () => {
+        const fetchedGrant = await grantService.getByIdWithAccess(
+          grant.id,
+          v4()
+        )
+        expect(fetchedGrant).toBeUndefined()
+      })
     })
 
     describe('finalize', (): void => {
@@ -423,18 +440,33 @@ describe('Grant Service', (): void => {
     const walletAddress = 'example.com/test'
 
     beforeEach(async () => {
+      const secondTenant = await Tenant.query().insertAndFetch(generateTenant())
       const grantDetails = [
         {
           identifier: walletAddress,
           state: GrantState.Finalized,
-          finalizationReason: GrantFinalization.Revoked
+          finalizationReason: GrantFinalization.Revoked,
+          tenantId: tenant.id
         },
-        { identifier: walletAddress, state: GrantState.Pending },
-        { identifier: 'example.com/test3', state: GrantState.Pending }
+        {
+          identifier: walletAddress,
+          state: GrantState.Pending,
+          tenantId: tenant.id
+        },
+        {
+          identifier: 'example.com/test3',
+          state: GrantState.Pending,
+          tenantId: secondTenant.id
+        }
       ]
 
-      for (const { identifier, state, finalizationReason } of grantDetails) {
-        const grant = await createGrant(deps, tenant.id, { identifier })
+      for (const {
+        identifier,
+        state,
+        finalizationReason,
+        tenantId
+      } of grantDetails) {
+        const grant = await createGrant(deps, tenantId, { identifier })
         const updatedGrant = await grant
           .$query()
           .patchAndFetch({ state, finalizationReason })
@@ -542,5 +574,17 @@ describe('Grant Service', (): void => {
         })
       })
     })
+
+    test('Can filter by tenantId', async (): Promise<void> => {
+      const page = await grantService.getPage(
+        undefined,
+        undefined,
+        undefined,
+        tenant.id
+      )
+
+      expect(page.length).toBe(2)
+      expect(page.every((result) => result.tenantId === tenant.id)).toBeTruthy()
+    })
   })
 })

packages/auth/src/grant/service.ts

@@ -25,7 +25,10 @@ interface GrantFilter {
 }
 
 export interface GrantService {
-  getByIdWithAccess(grantId: string): Promise<Grant | undefined>
+  getByIdWithAccess(
+    grantId: string,
+    tenantId?: string
+  ): Promise<Grant | undefined>
   create(
     grantRequest: GrantRequest,
     tenantId: string,
@@ -43,7 +46,8 @@ export interface GrantService {
   getPage(
     pagination?: Pagination,
     filter?: GrantFilter,
-    sortOrder?: SortOrder
+    sortOrder?: SortOrder,
+    tenantId?: string
   ): Promise<Grant[]>
   updateLastContinuedAt(id: string): Promise<Grant>
   lock(grantId: string, trx: Transaction, timeoutMs?: number): Promise<void>
@@ -120,7 +124,8 @@ export async function createGrantService({
     knex
   }
   return {
-    getByIdWithAccess: (grantId: string) => getByIdWithAccess(grantId),
+    getByIdWithAccess: (grantId: string, tenantId?: string) =>
+      getByIdWithAccess(grantId, tenantId),
     create: (grantRequest: GrantRequest, tenantId: string, trx?: Transaction) =>
       create(deps, grantRequest, tenantId, trx),
     markPending: (grantId: string, trx?: Transaction) =>
@@ -134,16 +139,25 @@ export async function createGrantService({
     ) => getByContinue(continueId, continueToken, opts),
     revokeGrant: (grantId: string, tenantId?: string) =>
       revokeGrant(deps, grantId, tenantId),
-    getPage: (pagination?, filter?, sortOrder?) =>
-      getGrantsPage(deps, pagination, filter, sortOrder),
+    getPage: (pagination?, filter?, sortOrder?, tenantId?) =>
+      getGrantsPage(deps, pagination, filter, sortOrder, tenantId),
     updateLastContinuedAt: (id) => updateLastContinuedAt(id),
     lock: (grantId: string, trx: Transaction, timeoutMs?: number) =>
       lock(deps, grantId, trx, timeoutMs)
   }
 }
 
-async function getByIdWithAccess(grantId: string): Promise<Grant | undefined> {
-  return Grant.query().findById(grantId).withGraphJoined('access')
+async function getByIdWithAccess(
+  grantId: string,
+  tenantId?: string
+): Promise<Grant | undefined> {
+  const query = Grant.query().findById(grantId).withGraphJoined('access')
+
+  if (tenantId) {
+    query.where('tenantId', tenantId)
+  }
+
+  return query
 }
 
 async function approve(grantId: string): Promise<Grant> {
@@ -307,7 +321,8 @@ async function getGrantsPage(
   deps: ServiceDependencies,
   pagination?: Pagination,
   filter?: GrantFilter,
-  sortOrder?: SortOrder
+  sortOrder?: SortOrder,
+  tenantId?: string
 ): Promise<Grant[]> {
   const query = Grant.query(deps.knex).withGraphJoined('access')
   const { identifier, state, finalizationReason } = filter ?? {}
@@ -334,6 +349,10 @@ async function getGrantsPage(
       .orWhereNotIn('finalizationReason', finalizationReason.notIn)
   }
 
+  if (tenantId) {
+    query.where('tenantId', tenantId)
+  }
+
   return query.getPage(pagination, sortOrder)
 }