Added 'form' authorization

src/controllers/index.ts

@@ -1,8 +1,9 @@
 import { PrismaClient } from "@prisma/client"
-import { getDBForm, getDBFormByUser } from "../db"
+import { getDBForm, getDBFormAuthor, getDBFormByUser } from "../db"
 import { FullForm } from "../db/types"
 
 import { Form as GraphqlForm, FormSubmission } from "../typeDefs/typeDefs.gen"
+import { JwtPayloadType } from "../types"
 
 const getForm = async (
   db: PrismaClient,
@@ -50,4 +51,27 @@ const getForms = async (
   return forms
 }
 
-export { getForm, getForms }
+const checkRightsAndResolve = async (
+  user: JwtPayloadType,
+  expected: JwtPayloadType,
+  controller: any
+) => {
+  if (
+    (!expected.id || user.id == expected.id) &&
+    (!expected.admin || expected.admin)
+  )
+    return controller()
+  throw new Error("Authentification error")
+}
+
+const getFormAuthor = async (db: PrismaClient, id: number) => {
+  const author = await getDBFormAuthor(db, id)
+
+  if (!author) throw Error("Not found")
+
+  const authorId = author.author.id
+
+  return authorId
+}
+
+export { getForm, getForms, checkRightsAndResolve, getFormAuthor }

src/db/index.ts

@@ -45,4 +45,19 @@ const getDBFormByUser = async (db: PrismaClient, id: number) => {
   })
 }
 
-export { getDBForm, getDBFormByUser }
+const getDBFormAuthor = async (db: PrismaClient, id: number) => {
+  return await db.form.findOne({
+    where: {
+      id,
+    },
+    select: {
+      author: {
+        select: {
+          id: true,
+        },
+      },
+    },
+  })
+}
+
+export { getDBForm, getDBFormByUser, getDBFormAuthor }

src/index.ts

@@ -1,12 +1,11 @@
 import { ApolloServer } from "apollo-server-express"
 import express from "express"
 import expressJwt from "express-jwt"
-import jwt from 'jsonwebtoken'
 import { PrismaClient } from "@prisma/client"
 
 import typeDefs from "./typeDefs"
 import resolvers from "./resolvers"
-import { ApolloContextType } from "./types"
+import { ApolloContextType, JwtPayloadType } from "./types"
 
 const app = express()
 
@@ -21,10 +20,15 @@ app.use(
 const server = new ApolloServer({
   typeDefs,
   resolvers,
-  context: async ({ req }): Promise<ApolloContextType> => {
+  context: async ({
+    req,
+  }: {
+    req: Request & { user: JwtPayloadType }
+  }): Promise<ApolloContextType> => {
     const db = new PrismaClient()
+    const user = req.user || null
 
-    return { db }
+    return { db, user }
   },
 })
 

src/resolvers/Form.ts

@@ -1,4 +1,4 @@
-import { getForm, getForms } from "../controllers"
+import { checkRightsAndResolve, getForm, getFormAuthor, getForms } from "../controllers"
 import {
   Form,
   QueryFormArgs,
@@ -11,10 +11,18 @@ import { ApolloContextType } from "../types"
 const formQuery: Resolver<Form, {}, ApolloContextType, QueryFormArgs> = async (
   _,
   { id },
-  { db }
+  { db, user }
 ) => {
   try {
-    return await getForm(db, id)
+    const authorId = await getFormAuthor(db, id)
+
+    const getFormById = () => getForm(db, id)
+
+    return await checkRightsAndResolve(
+      user!,
+      { id: authorId, admin: false },
+      getFormById
+    )
   } catch (err) {
     return err
   }

src/resolvers/User.ts

@@ -1,6 +1,6 @@
 import jwt from "jsonwebtoken"
 import { MutationLoginArgs, Resolver, User } from "../typeDefs/typeDefs.gen"
-import { ApolloContextType, JwtPayload } from "../types"
+import { ApolloContextType, JwtPayloadType } from "../types"
 
 const loginResolver: Resolver<
   User,
@@ -9,7 +9,7 @@ const loginResolver: Resolver<
   MutationLoginArgs
 > = async (_, { id, admin }, { db }) => {
   try {
-    const payload: JwtPayload = {
+    const payload: JwtPayloadType = {
       id,
       admin,
     }

src/types.ts

@@ -2,10 +2,11 @@ import { PrismaClient } from "@prisma/client"
 import {} from 'express-jwt'
 
 export type ApolloContextType = {
-  db: PrismaClient
+  db: PrismaClient,
+  user: JwtPayloadType | null
 }
 
-export type JwtPayload = {
+export type JwtPayloadType = {
   id: number,
   admin: boolean
 }