feat: adjust api auth route (#1062)

* Elevate to user role, if you have a developer key but not on kariba data collective. previously this was stuck at anon role * Add JWT token decoding, just for seeing if we can get this to work * Up some API limits
opensource-observer · Mar 15, 2024 · 48d2e79 · 48d2e79
1 parent 57bfcbe
commit 48d2e79
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 13 deletions.
diff --git a/apps/frontend/app/api/auth/route.ts b/apps/frontend/app/api/auth/route.ts
@@ -1,11 +1,13 @@
 import { NextResponse, type NextRequest } from "next/server";
 import { supabasePrivileged } from "../../../lib/clients/supabase";
+import { jwtDecode } from "jwt-decode";
 //import { logger } from "../../../lib/logger";
 
 export const runtime = "edge"; // 'nodejs' (default) | 'edge'
 //export const dynamic = "force-dynamic";
 export const revalidate = 0;
 const CACHE_CONTROL = "max-age=3600"; // in seconds
+const AUTH_PREFIX = "bearer";
 const DATA_COLLECTIVE_TABLE = "data_collective";
 const API_KEY_TABLE = "api_keys";
 const USER_ID_COLUMN = "user_id";
@@ -15,13 +17,13 @@ const ALL_COLUMNS = `${USER_ID_COLUMN},${API_KEY_COLUMN},${DELETED_COLUMN}`;
 const makeAnonRole = () => ({
   "x-hasura-role": "anonymous",
 });
-/**
 const makeUserRole = (userId: string) => ({
-  "x-hasura-default-role": "user",
-  "x-hasura-allowed-roles": ["user"],
+  //"x-hasura-default-role": "user",
+  //"x-hasura-allowed-roles": ["user"],
+  "x-hasura-role": "user",
   "x-hasura-user-id": userId,
+  "cache-control": CACHE_CONTROL,
 });
-**/
 const makeDevRole = (userId: string) => ({
   "x-hasura-role": "developer",
   "x-hasura-user-id": userId,
@@ -45,10 +47,18 @@ export async function GET(request: NextRequest) {
 
   // Get the token
   const trimmedAuth = auth.trim();
-  const token = trimmedAuth.toLowerCase().startsWith("bearer")
-    ? trimmedAuth.slice(6).trim()
+  const token = trimmedAuth.toLowerCase().startsWith(AUTH_PREFIX)
+    ? trimmedAuth.slice(AUTH_PREFIX.length).trim()
     : trimmedAuth;
 
+  // Try JWT decoding
+  try {
+    const decoded = jwtDecode(token);
+    console.log("JWT token:", decoded);
+  } catch (e) {
+    console.warn("JWT error: ", e);
+  }
+
   // Get the user
   const { data: keyData, error: keyError } = await supabasePrivileged
     .from(API_KEY_TABLE)
@@ -79,10 +89,10 @@ export async function GET(request: NextRequest) {
       "Error retrieving data collective membership",
       collectiveError,
     );
-    return NextResponse.json(makeAnonRole());
+    return NextResponse.json(makeUserRole(userId));
   } else if (collectiveData.length < 1) {
     // Not a member
-    return NextResponse.json(makeAnonRole());
+    return NextResponse.json(makeUserRole(userId));
   }
 
   // Passes all checks, elevate to developer role

diff --git a/apps/frontend/package.json b/apps/frontend/package.json
@@ -45,6 +45,7 @@
     "generate-api-key": "^1.0.2",
     "graphql": "^16.8.1",
     "instantsearch.css": "^8.1.0",
+    "jwt-decode": "^4.0.0",
     "next": "^14.1.0",
     "qs": "^6.11.2",
     "random-words": "^2.0.0",

diff --git a/apps/hasura/metadata/api_limits.yaml b/apps/hasura/metadata/api_limits.yaml
@@ -3,8 +3,8 @@ node_limit:
   global: 100
   per_role:
     anonymous: 10
-    user: 10
-    developer: 100
+    user: 100
+    developer: 1000
 rate_limit:
   global:
     max_reqs_per_min: 1000

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml