@accounter/server
Version:
Accounter GraphQL server
48 lines (40 loc) • 1.52 kB
text/typescript
import { GraphQLError } from 'graphql';
import { Injectable, Scope } from 'graphql-modules';
import { sql } from '@pgtyped/runtime';
import { TenantAwareDBClient } from '../../app-providers/tenant-db-client.js';
import type { IGetSuperAdminByAuth0IdQuery } from '../types.js';
import { AuthContextProvider } from './auth-context.provider.js';
const getSuperAdminByAuth0Id = sql<IGetSuperAdminByAuth0IdQuery>`
SELECT auth0_user_id
FROM accounter_schema.super_admins
WHERE auth0_user_id = $auth0UserId
LIMIT 1;
`;
({ scope: Scope.Operation, global: true })
export class SuperAdminProvider {
constructor(
private db: TenantAwareDBClient,
private authContextProvider: AuthContextProvider,
) {}
async isSuperAdmin(auth0UserId: string): Promise<boolean> {
const rows = await getSuperAdminByAuth0Id.run({ auth0UserId }, this.db);
return rows.length > 0;
}
async requireSuperAdmin(): Promise<{ userId: string; auth0UserId: string }> {
const auth = await this.authContextProvider.getAuthContext();
const auth0UserId = auth?.user?.auth0UserId;
const userId = auth?.user?.userId;
if (!auth0UserId || !userId) {
throw new GraphQLError('Authentication required', {
extensions: { code: 'UNAUTHENTICATED' },
});
}
const ok = await this.isSuperAdmin(auth0UserId);
if (!ok) {
throw new GraphQLError('Super-admin access required', {
extensions: { code: 'FORBIDDEN' },
});
}
return { userId, auth0UserId };
}
}