refactor oauthScopes to enum

Author: jordanh

codegen.json

@@ -49,6 +49,12 @@
     "packages/server/graphql/public/resolverTypes.ts": {
       "config": {
         "contextType": "../graphql#GQLContext",
+        "enumValues": {
+          "OAuthScopeEnum": {
+            "graphql_query": "graphql:query",
+            "graphql_mutation": "graphql:mutation"
+          }
+        },
         "mappers": {
           "AddTeamPayload": "./types/AddTeamPayload#AddTeamPayloadSource",
           "AddOrgPayload": "./types/AddOrgPayload#AddOrgPayloadSource",
@@ -245,7 +251,8 @@
           "UpsertTeamPromptResponseSuccess": "./types/UpsertTeamPromptResponseSuccess#UpsertTeamPromptResponseSuccessSource",
           "User": "../../postgres/types/index#User as UserDB",
           "UserLogInPayload": "./types/UserLogInPayload#UserLogInPayloadSource",
-          "_xGitLabProject": "./types/_xGitLabProject#_xGitLabProjectSource as _xGitLabProject"
+          "_xGitLabProject": "./types/_xGitLabProject#_xGitLabProjectSource as _xGitLabProject",
+          "OAuthScopeEnum": "../../postgres/types/pg#Oauthscopeenum"
         },
         "showUnusedMappers": false
       },

packages/client/modules/userDashboard/components/OrgIntegrations/OAuthAppFormContent.tsx

@@ -21,7 +21,9 @@ export interface FormContentProps {
 const OAuthAppFormContent = ({orgId, isNew, initialData, onClose}: FormContentProps) => {
   const [name, setName] = useState(initialData?.name || '')
   const [redirectUris, setRedirectUris] = useState((initialData?.redirectUris || []).join(', '))
-  const [scopes, setScopes] = useState<string[]>(initialData?.scopes || [])
+  const [scopes, setScopes] = useState<string[]>(
+    (initialData?.scopes || []).map((s: string) => s.replace(':', '_'))
+  )
   const [error, setError] = useState<string | null>(null)
   const [isSaving, setIsSaving] = useState(false)
   const [regenerateConfirmOpen, setRegenerateConfirmOpen] = useState(false)
@@ -99,14 +101,17 @@ const OAuthAppFormContent = ({orgId, isNew, initialData, onClose}: FormContentPr
 
     const providerId = initialData?.id
 
+    // Cast scopes to any to avoid type errors since we don't have OAuthScopeEnum imported
+    const mutationScopes = scopes as any
+
     if (providerId) {
       commitUpdate({
         variables: {
           input: {
             providerId,
             name,
             redirectUris: uriList,
-            scopes
+            scopes: mutationScopes
           }
         },
         onCompleted: () => {
@@ -126,7 +131,7 @@ const OAuthAppFormContent = ({orgId, isNew, initialData, onClose}: FormContentPr
             orgId,
             name,
             redirectUris: uriList,
-            scopes
+            scopes: mutationScopes
           }
         },
         updater: (store) => {
@@ -350,17 +355,17 @@ const OAuthAppFormContent = ({orgId, isNew, initialData, onClose}: FormContentPr
                 <label className='flex cursor-pointer items-center gap-2 text-slate-700 text-sm'>
                   <input
                     type='checkbox'
-                    checked={scopes.includes('graphql:query')}
-                    onChange={() => toggleScope('graphql:query')}
+                    checked={scopes.includes('graphql_query')}
+                    onChange={() => toggleScope('graphql_query')}
                     className='rounded border-slate-300 text-sky-500 focus:ring-sky-500'
                   />
                   graphql:query
                 </label>
                 <label className='flex cursor-pointer items-center gap-2 text-slate-700 text-sm'>
                   <input
                     type='checkbox'
-                    checked={scopes.includes('graphql:mutation')}
-                    onChange={() => toggleScope('graphql:mutation')}
+                    checked={scopes.includes('graphql_mutation')}
+                    onChange={() => toggleScope('graphql_mutation')}
                     className='rounded border-slate-300 text-sky-500 focus:ring-sky-500'
                   />
                   graphql:mutation

packages/server/graphql/public/mutations/createOAuthAPIProvider.ts

@@ -1,10 +1,7 @@
-import {GraphQLError} from 'graphql'
 import {SubscriptionChannel} from 'parabol-client/types/constEnums'
 import {generateOAuthClientId, generateOAuthClientSecret} from '../../../oauth2/credentials'
-import {OAUTH_SCOPES, validateOAuthScopes} from '../../../oauth2/oauthScopes'
 import getKysely from '../../../postgres/getKysely'
 import {selectOAuthAPIProvider} from '../../../postgres/select'
-import type {Oauthscopeenum} from '../../../postgres/types/pg'
 import publish from '../../../utils/publish'
 import type {MutationResolvers} from '../resolverTypes'
 
@@ -21,15 +18,7 @@ export const createOAuthAPIProvider: MutationResolvers['createOAuthAPIProvider']
   const clientSecret = generateOAuthClientSecret()
 
   if (scopes.length === 0) {
-    scopes = [OAUTH_SCOPES['graphql:query'], OAUTH_SCOPES['graphql:mutation']]
-  }
-
-  if (!validateOAuthScopes(scopes)) {
-    throw new GraphQLError('Invalid scopes.', {
-      extensions: {
-        code: 'BAD_USER_INPUT'
-      }
-    })
+    scopes = ['graphql:query', 'graphql:mutation']
   }
 
   const pg = getKysely()
@@ -40,7 +29,7 @@ export const createOAuthAPIProvider: MutationResolvers['createOAuthAPIProvider']
     clientId,
     clientSecret,
     redirectUris,
-    scopes: scopes as Oauthscopeenum[]
+    scopes
   }
 
   const {id: providerId} = await pg

packages/server/graphql/public/mutations/updateOAuthAPIProvider.ts

@@ -1,9 +1,7 @@
 import {GraphQLError} from 'graphql'
 import {SubscriptionChannel} from 'parabol-client/types/constEnums'
-import {OAUTH_SCOPES, validateOAuthScopes} from '../../../oauth2/oauthScopes'
 import getKysely from '../../../postgres/getKysely'
 import {selectOAuthAPIProvider} from '../../../postgres/select'
-import type {Oauthscopeenum} from '../../../postgres/types/pg'
 import {getUserId, isUserOrgAdmin} from '../../../utils/authorization'
 import {CipherId} from '../../../utils/CipherId'
 import publish from '../../../utils/publish'
@@ -43,15 +41,7 @@ const updateOAuthAPIProvider: MutationResolvers['updateOAuthAPIProvider'] = asyn
 
   if (scopes) {
     if (scopes && scopes.length === 0) {
-      scopes = [OAUTH_SCOPES['graphql:query'], OAUTH_SCOPES['graphql:mutation']]
-    }
-    if (!validateOAuthScopes(scopes)) {
-      throw new GraphQLError('Invalid scopes. Only graphql:read and graphql:write are allowed.', {
-        extensions: {
-          code: 'BAD_USER_INPUT',
-          userId: viewerId
-        }
-      })
+      scopes = ['graphql:query', 'graphql:mutation']
     }
   }
 
@@ -60,7 +50,7 @@ const updateOAuthAPIProvider: MutationResolvers['updateOAuthAPIProvider'] = asyn
     .set({
       name: name ?? undefined,
       redirectUris: redirectUris ?? undefined,
-      scopes: scopes ? (scopes as Oauthscopeenum[]) : undefined
+      scopes: scopes || undefined
     })
     .where('id', '=', providerId)
     .execute()

packages/server/graphql/public/typeDefs/CreateOAuthAPIProviderInput.graphql

@@ -2,5 +2,5 @@ input CreateOAuthAPIProviderInput {
   orgId: ID!
   name: String!
   redirectUris: [RedirectURI!]!
-  scopes: [String!]!
+  scopes: [OAuthScopeEnum!]!
 }

packages/server/graphql/public/typeDefs/OAuthScopeEnum.graphql

@@ -0,0 +1,4 @@
+enum OAuthScopeEnum {
+  graphql_query
+  graphql_mutation
+}

packages/server/graphql/public/typeDefs/UpdateOAuthAPIProviderInput.graphql

@@ -2,5 +2,5 @@ input UpdateOAuthAPIProviderInput {
   providerId: ID!
   name: String
   redirectUris: [RedirectURI!]
-  scopes: [String!]
+  scopes: [OAuthScopeEnum!]
 }

packages/server/graphql/public/types/OAuthScopeEnum.ts

@@ -0,0 +1,6 @@
+const OAuthScopeEnum = {
+  graphql_query: 'graphql:query',
+  graphql_mutation: 'graphql:mutation'
+}
+
+export default OAuthScopeEnum

packages/server/oauth2/createOAuthCode.ts

@@ -1,7 +1,7 @@
+import crypto from 'crypto'
 import ms from 'ms'
 import getKysely from '../postgres/getKysely'
 import type {Oauthscopeenum} from '../postgres/types/pg'
-import {CipherId} from '../utils/CipherId'
 
 interface CreateOAuthCodeParams {
   clientId: string
@@ -35,9 +35,11 @@ export async function createOAuthCode(
   }
 
   const expiresAt = new Date(Date.now() + ms('10m'))
+  const code = crypto.randomBytes(32).toString('hex')
   const {id: codeId} = await pg
     .insertInto('OAuthAPICode')
     .values({
+      id: code,
       clientId,
       redirectUri,
       userId,
@@ -48,6 +50,6 @@ export async function createOAuthCode(
     .executeTakeFirstOrThrow()
 
   return {
-    code: CipherId.toClient(codeId, 'OAuthAPICode')
+    code: codeId
   }
 }