Merge pull request #6141 from mozilla/gql-session

feat(settings): add session verified state to graphql-api

packages/fxa-auth-client/lib/client.ts

@@ -531,7 +531,9 @@ export default class AuthClient {
     return this.sessionPost('/session/destroy', sessionToken, options);
   }
 
-  async sessionStatus(sessionToken: string) {
+  async sessionStatus(
+    sessionToken: string
+  ): Promise<{ state: 'verified' | 'unverified'; uid: string }> {
     return this.sessionGet('/session/status', sessionToken);
   }
 
@@ -933,7 +935,9 @@ export default class AuthClient {
     return this.sessionPost('/totp/destroy', sessionToken, {});
   }
 
-  async checkTotpTokenExists(sessionToken: string): Promise<{ exists: boolean, verified: boolean }> {
+  async checkTotpTokenExists(
+    sessionToken: string
+  ): Promise<{ exists: boolean; verified: boolean }> {
     return this.sessionGet('/totp/exists', sessionToken);
   }
 

packages/fxa-graphql-api/src/lib/auth.ts

@@ -13,10 +13,9 @@ export class SessionTokenAuth {
   @Inject(fxAccountClientToken)
   private authClient!: AuthClient;
 
-  public async lookupUserId(sessionToken: string): Promise<string> {
+  public async getSessionStatus(sessionToken: string) {
     try {
-      const result = await this.authClient.sessionStatus(sessionToken);
+      return await this.authClient.sessionStatus(sessionToken);
-      return result.uid;
     } catch (err) {
       throw new AuthenticationError('Invalid session token');
     }

packages/fxa-graphql-api/src/lib/resolvers/account-resolver.ts

@@ -215,7 +215,7 @@ export class AccountResolver {
 
   @Query((returns) => AccountType, { nullable: true })
   public account(@Ctx() context: Context, @Info() info: GraphQLResolveInfo) {
-    context.logger.info('account', { uid: context.authUser });
+    context.logger.info('account', { uid: context.session.uid });
 
     // Introspect the query to determine if we should load the emails
     const parsed: any = parseResolveInfo(info);
@@ -228,7 +228,7 @@ export class AccountResolver {
     const options: AccountOptions = includeEmails
       ? { include: ['emails'] }
       : {};
-    return accountByUid(context.authUser, options);
+    return accountByUid(context.session.uid, options);
   }
 
   @FieldResolver()

packages/fxa-graphql-api/src/lib/resolvers/session-resolver.ts

@@ -0,0 +1,25 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import { GraphQLResolveInfo } from 'graphql';
+import {
+  Ctx,
+  Info,
+  Query,
+  Resolver,
+} from 'type-graphql';
+import { Context } from '../server';
+import { Session as SessionType } from './types/session'
+
+@Resolver((of) => SessionType)
+export class SessionResolver {
+
+  @Query((returns) => SessionType)
+  session(@Ctx() context: Context, @Info() info: GraphQLResolveInfo) {
+    context.logger.info('session', { uid: context.session.uid });
+    return {
+      verified: context.session.state === 'verified'
+    } as SessionType
+  }
+}

packages/fxa-graphql-api/src/lib/resolvers/types/session.ts

@@ -0,0 +1,14 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+ import { Field, ObjectType } from 'type-graphql';
+
+ @ObjectType({ description: 'Session (token) info' })
+ export class Session {
+   @Field({
+     description:
+       'Whether the current session is verified',
+   })
+   public verified!: boolean;
+ }

packages/fxa-graphql-api/src/lib/server.ts

@@ -12,6 +12,7 @@ import { SessionTokenAuth } from './auth';
 import { AuthServerSource } from './datasources/authServer';
 import { ProfileServerSource } from './datasources/profileServer';
 import { AccountResolver } from './resolvers/account-resolver';
+import { SessionResolver } from './resolvers/session-resolver';
 import { reportGraphQLError } from './sentry';
 
 type ServerConfig = {
@@ -39,7 +40,7 @@ export function formatError(debug: boolean, logger: Logger, err: GraphQLError) {
  * Context available to resolvers
  */
 export type Context = {
-  authUser: string;
+  session: { uid: string; state: 'verified' | 'unverified' };
   token: string;
   dataSources: DataSources;
   logger: Logger;
@@ -57,11 +58,11 @@ export async function createServer(
 ): Promise<ApolloServer> {
   const schema = await TypeGraphQL.buildSchema({
     container: Container,
-    resolvers: [AccountResolver],
+    resolvers: [AccountResolver, SessionResolver],
     validate: false,
   });
   const authHeader = config.authHeader.toLowerCase();
-  const authUser = Container.get(SessionTokenAuth);
+  const authToken = Container.get(SessionTokenAuth);
   const debugMode = config.env !== 'production';
   const defaultContext = async ({ req }: { req: Request }) => {
     const bearerToken = req.headers[authHeader];
@@ -70,13 +71,12 @@ export async function createServer(
         'Invalid authentcation header found at: ' + authHeader
       );
     }
-    const userId = await authUser.lookupUserId(bearerToken);
+    const session = await authToken.getSessionStatus(bearerToken);
     return {
-      authUser: userId,
       token: bearerToken,
+      session,
       logger,
-    };
+    } as Context;
-    '';
   };
 
   return new ApolloServer({

packages/fxa-graphql-api/src/test/lib/auth.spec.ts

@@ -25,18 +25,21 @@ describe('SessionTokenAuth', () => {
     sandbox.resetHistory();
   });
 
-  describe('lookupUserId', async () => {
+  describe('getSessionStatus', async () => {
     it('looks up user successfully', async () => {
-      fxAccountClient.sessionStatus.resolves({ uid: '9001xyz', state: 'test' });
+      fxAccountClient.sessionStatus.resolves({
-      const result = await sessionAuth.lookupUserId('token');
+        uid: '9001xyz',
-      assert.equal(result, '9001xyz');
+        state: 'unverified',
+      });
+      const result = await sessionAuth.getSessionStatus('token');
+      assert.equal(result.uid, '9001xyz');
     });
 
     it('throws when the authClient throws', async () => {
       fxAccountClient.sessionStatus.rejects(new Error('boom'));
       try {
-        await sessionAuth.lookupUserId('token');
+        await sessionAuth.getSessionStatus('token');
-        assert.fail('lookupUserId should have thrown');
+        assert.fail('getSessionStatus should have thrown');
       } catch (e) {
         assert.instanceOf(e, AuthenticationError);
       }

packages/fxa-graphql-api/src/test/lib/datasources/authServer.spec.ts

@@ -84,7 +84,7 @@ describe('AuthServerSource', () => {
       recoveryEmailSecondaryResendCode: sandbox.stub(),
     };
     Container.set(fxAccountClientToken, authClient);
-    context = mockContext();
+    context = mockContext() as Context;
     authSource = new AuthServerSource();
     const config = stubInterface<DataSourceConfig<Context>>();
     config.context = context;

packages/fxa-graphql-api/src/test/lib/datasources/profileServer.spec.ts

@@ -43,7 +43,7 @@ describe('ProfileServerSource', () => {
     };
     Container.set(fxAccountClientToken, authClient);
     Container.set(configContainerToken, config);
-    context = mockContext();
+    context = mockContext() as Context;
     profileSource = new ProfileServerSource();
     const pluginConfig = stubInterface<DataSourceConfig<Context>>();
     pluginConfig.context = context;

packages/fxa-graphql-api/src/test/lib/mocks.ts

@@ -13,7 +13,10 @@ export function mockContext() {
     profileAPI: stubInterface<ProfileServerSource>(),
   };
   return {
-    authUser: '',
+    session: {
+      uid: '',
+      state: 'unverified',
+    },
     token: 'test',
     logger: stubInterface<Logger>(),
     dataSources: ds,

packages/fxa-graphql-api/src/test/lib/resolvers/account-resolver.spec.ts

@@ -56,7 +56,7 @@ describe('accountResolver', () => {
             accountCreated
           }
         }`;
-        context.authUser = USER_1.uid;
+        context.session.uid = USER_1.uid;
         const result = (await graphql(
           schema,
           query,
@@ -78,7 +78,7 @@ describe('accountResolver', () => {
             uid
           }
         }`;
-        context.authUser = USER_2.uid;
+        context.session.uid = USER_2.uid;
         const result = (await graphql(
           schema,
           query,
@@ -101,7 +101,7 @@ describe('accountResolver', () => {
             clientMutationId
           }
         }`;
-        context.authUser = USER_1.uid;
+        context.session.uid = USER_1.uid;
         const result = (await graphql(
           schema,
           query,
@@ -125,7 +125,7 @@ describe('accountResolver', () => {
             displayName
           }
         }`;
-        context.authUser = USER_1.uid;
+        context.session.uid = USER_1.uid;
         const result = (await graphql(
           schema,
           query,
@@ -155,7 +155,7 @@ describe('accountResolver', () => {
             clientMutationId
           }
         }`;
-        context.authUser = USER_1.uid;
+        context.session.uid = USER_1.uid;
         const result = (await graphql(
           schema,
           query,
@@ -188,7 +188,7 @@ describe('accountResolver', () => {
             recoveryCodes
           }
         }`;
-        context.authUser = USER_1.uid;
+        context.session.uid = USER_1.uid;
         const result = (await graphql(
           schema,
           query,
@@ -217,7 +217,7 @@ describe('accountResolver', () => {
             recoveryCodes
           }
         }`;
-        context.authUser = USER_1.uid;
+        context.session.uid = USER_1.uid;
         const result = (await graphql(
           schema,
           query,
@@ -244,7 +244,7 @@ describe('accountResolver', () => {
             success
           }
         }`;
-        context.authUser = USER_1.uid;
+        context.session.uid = USER_1.uid;
         const result = (await graphql(
           schema,
           query,
@@ -268,7 +268,7 @@ describe('accountResolver', () => {
             clientMutationId
           }
         }`;
-        context.authUser = USER_1.uid;
+        context.session.uid = USER_1.uid;
         const result = (await graphql(
           schema,
           query,
@@ -291,7 +291,7 @@ describe('accountResolver', () => {
             clientMutationId
           }
         }`;
-        context.authUser = USER_1.uid;
+        context.session.uid = USER_1.uid;
         const result = (await graphql(
           schema,
           query,
@@ -314,7 +314,7 @@ describe('accountResolver', () => {
             clientMutationId
           }
         }`;
-        context.authUser = USER_1.uid;
+        context.session.uid = USER_1.uid;
         const result = (await graphql(
           schema,
           query,
@@ -339,7 +339,7 @@ describe('accountResolver', () => {
             clientMutationId
           }
         }`;
-        context.authUser = USER_1.uid;
+        context.session.uid = USER_1.uid;
         const result = (await graphql(
           schema,
           query,

packages/fxa-graphql-api/src/test/lib/schema.spec.ts

@@ -29,20 +29,22 @@ describe('Schema', () => {
     schemaIntrospection = builtSchema.data!.__schema as IntrospectionSchema;
     assert.isDefined(schemaIntrospection);
     queryType = schemaIntrospection.types.find(
-      type => type.name === (schemaIntrospection as IntrospectionSchema).queryType.name
+      (type) =>
+        type.name ===
+        (schemaIntrospection as IntrospectionSchema).queryType.name
     ) as IntrospectionObjectType;
 
     const mutationTypeNameRef = schemaIntrospection.mutationType;
     if (mutationTypeNameRef) {
       mutationType = schemaIntrospection.types.find(
-        type => type.name === mutationTypeNameRef.name
+        (type) => type.name === mutationTypeNameRef.name
       ) as IntrospectionObjectType;
     }
   });
 
   function findTypeByName(name: string) {
     return schemaIntrospection.types.find(
-      type => type.kind === TypeKind.OBJECT && type.name === name
+      (type) => type.kind === TypeKind.OBJECT && type.name === name
     ) as IntrospectionObjectType;
   }
 
@@ -50,13 +52,13 @@ describe('Schema', () => {
     const typ = findTypeByName(name);
     assert.isDefined(typ);
     assert.lengthOf(typ.fields, members.length);
-    const typNames = typ.fields.map(it => it.name);
+    const typNames = typ.fields.map((it) => it.name);
     assert.sameMembers(typNames, members);
   }
 
   it('is created with expected types', async () => {
-    const queryNames = queryType.fields.map(it => it.name);
+    const queryNames = queryType.fields.map((it) => it.name);
-    assert.sameMembers(queryNames, ['account']);
+    assert.sameMembers(queryNames, ['account', 'session']);
 
     verifyTypeMembers('Account', [
       'uid',
@@ -106,5 +108,6 @@ describe('Schema', () => {
       'os',
     ]);
     verifyTypeMembers('Location', ['city', 'country', 'state', 'stateCode']);
+    verifyTypeMembers('Session', ['verified']);
   });
 });

packages/fxa-graphql-api/src/test/lib/server.spec.ts

@@ -20,7 +20,7 @@ import { createServer } from '../../lib/server';
 
 const sandbox = sinon.createSandbox();
 
-const sessionAuth = { lookupUserId: sandbox.stub() };
+const sessionAuth = { getSessionStatus: sandbox.stub() };
 
 const mockLogger = ({ info: () => {} } as unknown) as Logger;
 
@@ -89,7 +89,7 @@ describe('createServer', () => {
     });
 
     it('should throw an AuthenticationError when auth server has auth error', async () => {
-      sessionAuth.lookupUserId.rejects(
+      sessionAuth.getSessionStatus.rejects(
         new AuthenticationError('Invalid token')
       );
       try {
@@ -101,12 +101,16 @@ describe('createServer', () => {
     });
 
     it('should return a user and the bearer token', async () => {
-      sessionAuth.lookupUserId.resolves('9001xyz');
+      sessionAuth.getSessionStatus.resolves({
+        uid: '9001xyz',
+        state: 'unverified',
+      });
       try {
         const context = await (server as any).context({
           req: { headers: { authorization: 'lolcatz' } },
         });
-        assert.equal(context.authUser, '9001xyz');
+        assert.equal(context.session.uid, '9001xyz');
+        assert.equal(context.session.state, 'unverified');
         assert.equal(context.token, 'lolcatz');
       } catch (e) {
         assert.fail('Should not have thrown an exception: ' + e);

packages/fxa-settings/src/components/AccountDataHOC/index.tsx

@@ -15,9 +15,6 @@ type AccountDataHOCProps = {
   children: (props: AccountDataHOCChildrenProps) => React.ReactNode;
 };
 
-// A data extraction layer for initial load.
-// TODO: If an account is unverified we'll need to
-// requery with less requested properties.
 export const AccountDataHOC = ({ children }: AccountDataHOCProps) => {
   const { loading, error, data } = useQuery(GET_ACCOUNT);
 

packages/fxa-settings/src/components/VerifiedSessionGuard/index.test.tsx

@@ -0,0 +1,78 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import React from 'react';
+import { InMemoryCache } from '@apollo/client';
+import '@testing-library/jest-dom/extend-expect';
+import { render, act, wait, screen } from '@testing-library/react';
+import { MockedProvider, MockedResponse } from '@apollo/client/testing';
+import { VerifiedSessionGuard, GET_SESSION } from '.';
+
+const verifiedCache = new InMemoryCache();
+verifiedCache.writeQuery({
+  query: GET_SESSION,
+  data: {
+    session: {
+      verified: true,
+    },
+  },
+});
+
+const unverifiedCache = new InMemoryCache();
+unverifiedCache.writeQuery({
+  query: GET_SESSION,
+  data: {
+    session: {
+      verified: false,
+    },
+  },
+});
+
+it('renders the content when verified', async () => {
+  render(
+    <MockedProvider addTypename={false} cache={verifiedCache}>
+      <VerifiedSessionGuard guard={<div data-testid="guard">oops</div>}>
+        <div data-testid="children">Content</div>
+      </VerifiedSessionGuard>
+    </MockedProvider>
+  );
+
+  await wait();
+
+  expect(screen.getByTestId('children')).toBeInTheDocument();
+});
+
+it('renders the guard when unverified', async () => {
+  async () => {
+    render(
+      <MockedProvider addTypename={false} cache={unverifiedCache}>
+        <VerifiedSessionGuard guard={<div data-testid="guard">oops</div>}>
+          <div>Content</div>
+        </VerifiedSessionGuard>
+      </MockedProvider>
+    );
+
+    await wait();
+
+    expect(screen.getByTestId('guard')).toBeInTheDocument();
+  };
+});
+
+it('renders the guard when loading fails', async () => {
+  // don't pollute the test output with console logs
+  const consoleError = console.error;
+  console.error = () => {};
+  render(
+    <MockedProvider>
+      <VerifiedSessionGuard guard={<div data-testid="guard">oops</div>}>
+        <div>Content</div>
+      </VerifiedSessionGuard>
+    </MockedProvider>
+  );
+
+  await wait();
+
+  expect(screen.getByTestId('guard')).toBeInTheDocument();
+  console.error = consoleError;
+});

packages/fxa-settings/src/components/VerifiedSessionGuard/index.tsx

@@ -0,0 +1,37 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import React from 'react';
+import { gql, useQuery } from '@apollo/client';
+import sentryMetrics from 'fxa-shared/lib/sentry';
+
+export const GET_SESSION = gql`
+  query GetSession {
+    session {
+      verified
+    }
+  }
+`;
+
+export const VerifiedSessionGuard = ({
+  guard,
+  children,
+}: {
+  guard: React.ReactElement;
+  children: React.ReactElement;
+}) => {
+  const { error, data } = useQuery(GET_SESSION, { fetchPolicy: 'cache-only' });
+
+  if (error || !data) {
+    // idk if this'll ever happen irl
+    const e = error || new Error('VerifiedSessionGuard missing data');
+    console.error(e);
+    sentryMetrics.captureException(e);
+    return guard;
+  }
+
+  return data.session.verified ? children : guard;
+};
+
+export default VerifiedSessionGuard;

packages/fxa-settings/src/lib/auth.ts

@@ -15,3 +15,6 @@ export function useAuth() {
   }
   return auth!;
 }
+
+// NOTE for future self
+// In cases where the sessionToken changes we should also flush the session { verified } value from apollo cache

packages/fxa-settings/src/lib/cache.ts

@@ -17,18 +17,18 @@ export function sessionToken(newToken?: string) {
   }
 }
 
-// sessionToken is added as a local field in the cache as an example.
+// sessionToken is added as a local field as an example.
 export const typeDefs = gql`
-  extend type Query {
+  extend type Session {
-    sessionToken: String!
+    token: String!
   }
 `;
 
 export const cache = new InMemoryCache({
   typePolicies: {
-    Query: {
+    Session: {
       fields: {
-        sessionToken: {
+        token: {
           read() {
             return sessionToken();
           },