SatsAllDay 4b77e7a1a9
Limit scope of API Keys (#989)
* first pass of disallowing certain APIs with API keys

Disallow the following APIs:
* item.act (zap)
* create withdrawal
* unlink auth method
* link unverified email

* disallow creating lnauths via API key to stop the flow of linking via lnauth

* undo the limitation on donating to rewards

* revert the assertion on createAuth

* assert no api key on createWithdrawal and sendToLNAddr

* incorporate PR feedback by adding API Key negative assertion to more mutations:

* `createInvite`
* `createAuth`
* `upsertWalletLND` by way of `upsertWallet`
* `upsertWalletLNAddr` by way of `upsertWallet`
2024-04-03 15:11:06 -05:00

60 lines
1.8 KiB
JavaScript

import { randomBytes } from 'crypto'
import { bech32 } from 'bech32'
import { GraphQLError } from 'graphql'
import assertGofacYourself from './ofac'
import assertApiKeyNotPermitted from './apiKey'
function encodedUrl (iurl, tag, k1) {
const url = new URL(iurl)
url.searchParams.set('tag', tag)
url.searchParams.set('k1', k1)
// bech32 encode url
const words = bech32.toWords(Buffer.from(url.toString(), 'utf8'))
return bech32.encode('lnurl', words, 1023)
}
function k1 () {
return randomBytes(32).toString('hex')
}
export default {
Query: {
lnAuth: async (parent, { k1 }, { models }) => {
return await models.lnAuth.findUnique({ where: { k1 } })
},
lnWith: async (parent, { k1 }, { models }) => {
return await models.lnWith.findUnique({ where: { k1 } })
}
},
Mutation: {
createAuth: async (parent, args, { models, me }) => {
assertApiKeyNotPermitted({ me })
return await models.lnAuth.create({ data: { k1: k1() } })
},
createWith: async (parent, args, { me, models, headers }) => {
await assertGofacYourself({ models, headers })
if (!me) {
throw new GraphQLError('you must be logged in', { extensions: { code: 'UNAUTHENTICATED' } })
}
assertApiKeyNotPermitted({ me })
return await models.lnWith.create({ data: { k1: k1(), userId: me.id } })
}
},
LnAuth: {
encodedUrl: async (lnAuth, args, { models }) => {
return encodedUrl(process.env.LNAUTH_URL, 'login', lnAuth.k1)
}
},
LnWith: {
encodedUrl: async (lnWith, args, { models }) => {
return encodedUrl(process.env.LNWITH_URL, 'withdrawRequest', lnWith.k1)
},
user: async (lnWith, args, { models }) => {
return await models.user.findUnique({ where: { id: lnWith.userId } })
}
}
}