metamigo-api: Use our own hapi plugin for postgraphile

apps/metamigo-api/src/app/plugins/auth-bearer.ts

@@ -11,11 +11,17 @@ export const registerAuthBearer = async (
 
   server.auth.strategy("session-id-bearer-token", "bearer-access-token", {
     allowQueryToken: false,
-    validate: async (request: Hapi.Request, token: string, h: Hapi.ResponseToolkit) => {
+    validate: async (
+      request: Hapi.Request,
+      token: string,
+      h: Hapi.ResponseToolkit
+    ) => {
       const repos = request.db() as IMetamigoRepositories;
       const session = await repos.sessions.findBy({ sessionToken: token });
       const isValid = !!session;
-      const credentials = { token };
+      if (!isValid) return { isValid, credentials: {} };
+      const user = await repos.users.findById({ id: session.userId });
+      const credentials = { sessionToken: token, user };
       return { isValid, credentials };
     },
   });

apps/metamigo-api/src/app/plugins/hapi-postgraphile.ts

@@ -1,34 +1,52 @@
 import type * as Hapi from "@hapi/hapi";
 import { IAppConfig } from "@digiresilience/metamigo-config";
-import { postgraphile } from 'postgraphile';
+import { postgraphile, HttpRequestHandler } from "postgraphile";
 import { getPostGraphileOptions } from "@digiresilience/metamigo-db";
 
-
+export interface HapiPostgraphileOptions {}
-export interface HapiPostgraphileOptions {
-    pgConfig: any;
-    schemaOptions: any;
-    schemaName: string;
-}
 
 const PostgraphilePlugin: Hapi.Plugin<HapiPostgraphileOptions> = {
-  name: 'postgraphilePlugin',
+  name: "postgraphilePlugin",
-  version: '1.0.0',
+  version: "1.0.0",
   register: async function (server, options: HapiPostgraphileOptions) {
-
+    const config = server.config();
-    const postgraphileMiddleware = postgraphile(options.pgConfig, options.schemaName, options.schemaOptions);
+    const postgraphileMiddleware: HttpRequestHandler = postgraphile(
+      config.postgraphile.authConnection,
+      "app_public",
+      {
+        ...getPostGraphileOptions(),
+        jwtSecret: "",
+        pgSettings: async (req) => {
+          const auth = (req as any).hapiAuth;
+          if (auth.isAuthenticated && auth.credentials.user.userRole) {
+            return {
+              role: `app_${auth.credentials.user.userRole}`,
+              "jwt.claims.session_id": auth.credentials.sessionToken,
+            };
+          } else {
+            return {
+              role: "app_anonymous",
+            };
+          }
+        },
+      }
+    );
 
     server.route({
-      method: ['POST'],
+      method: ["POST"],
-      path: '/graphql',
+      path: "/graphql",
       options: {
+        auth: "session-id-bearer-token",
         payload: {
           parse: false, // this disables payload parsing
-          output: 'stream' // ensures the payload is a readable stream
+          output: "stream", // ensures the payload is a readable stream which postgraphile expects
         },
       },
-      handler: (request, h) => {
+      handler: (request: Hapi.Request, h: Hapi.ResponseToolkit) => {
         return new Promise((resolve, reject) => {
-          postgraphileMiddleware(request.raw.req, request.raw.res, (error) => {
+          const rawReq = request.raw.req as any;
+          rawReq.hapiAuth = request.auth;
+          postgraphileMiddleware(rawReq, request.raw.res, (error) => {
             if (error) {
               reject(error);
             } else {
@@ -46,21 +64,8 @@ export const registerPostgraphile = async (
   server: Hapi.Server,
   config: IAppConfig
 ): Promise<void> => {
-
-
   await server.register({
     plugin: PostgraphilePlugin,
-    options: {
+    options: {},
-      pgConfig: config.postgraphile.authConnection,
-      schemaName: "app_public",
-      schemaOptions: {
-        ...getPostGraphileOptions(),
-        jwtAudiences: [config.nextAuth.audience],
-        jwtSecret: "",
-        // unauthenticated users will hit the database with this role
-        pgDefaultRole: "app_anonymous",
-      },
-    },
   });
 };
-