admin/twenty
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Fix workspace hydratation (#12452)

Browse Source 
We must separate the concept of hydratation which happens at the request
level (take the token and pass auth/user context), from the concept of
authorization which happens at the query/endpoint/mutation level.

Previously, hydratation exemption happened at the operation name level
which is not correct because the operation name is meaningless and
optional. Still this gave an impression of security by enforcing a
blacklist. So in this PR we introduce linting rule that aim to achieve a
similar behavior, now every api method has to have a guard. That way if
and endpoint is not protected by AuthUserGuard or AuthWorspaceGuard,
then it has to be stated explicitly next to its code.

---------

Co-authored-by: Charles Bochet <charles@twenty.com>
This commit is contained in:
Félix Malfait
2025-06-09 14:14:32 +02:00
committed by GitHub
parent 322c8a1852
commit ecf21774dd
37 changed files with 741 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
packages/twenty-server/.eslintrc.cjs
View File

@ -97,6 +97,8 @@ module.exports = {
'prefer-arrow/prefer-arrow-functions': 'off',
'@nx/workspace-max-consts-per-file': 'off',
'@nx/workspace-inject-workspace-repository': 'warn',
'@nx/workspace-rest-api-methods-should-be-guarded': 'error',
'@nx/workspace-graphql-resolvers-should-be-guarded': 'error',
},
},
{

10
packages/twenty-server/src/engine/core-modules/audit/audit.resolver.ts
View File

@ -1,4 +1,4 @@
import { UseFilters } from '@nestjs/common';
import { UseFilters, UseGuards } from '@nestjs/common';
import { Args, Mutation, Resolver } from '@nestjs/graphql';
import { AuditExceptionFilter } from 'src/engine/core-modules/audit/audit-exception-filter';
@ -11,6 +11,8 @@ import { User } from 'src/engine/core-modules/user/user.entity';
import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
import { AuthUser } from 'src/engine/decorators/auth/auth-user.decorator';
import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
import { WorkspaceAuthGuard } from 'src/engine/guards/workspace-auth.guard';
import {
CreateAnalyticsInputV2,
@ -29,13 +31,14 @@ export class AuditResolver {
async createPageview(
@Args()
createAnalyticsInput: CreateAnalyticsInputV2,
@AuthWorkspace() workspace: Workspace | undefined,
@AuthWorkspace({ allowUndefined: true }) workspace: Workspace | undefined,
@AuthUser({ allowUndefined: true }) user: User | undefined,
) {
return this.trackAnalytics(createAnalyticsInput, workspace, user);
}
@Mutation(() => Analytics)
@UseGuards(WorkspaceAuthGuard)
async createObjectEvent(
@Args()
createObjectEventInput: CreateObjectEventInput,
@ -63,10 +66,11 @@ export class AuditResolver {
}
@Mutation(() => Analytics)
@UseGuards(PublicEndpointGuard)
async trackAnalytics(
@Args()
createAnalyticsInput: CreateAnalyticsInputV2,
@AuthWorkspace() workspace: Workspace | undefined,
@AuthWorkspace({ allowUndefined: true }) workspace: Workspace | undefined,
@AuthUser({ allowUndefined: true }) user: User | undefined,
) {
const analyticsContext = this.auditService.createContext({

21
packages/twenty-server/src/engine/core-modules/auth/auth.resolver.ts
View File

@ -49,6 +49,7 @@ import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
import { workspaceValidator } from 'src/engine/core-modules/workspace/workspace.validate';
import { AuthUser } from 'src/engine/decorators/auth/auth-user.decorator';
import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
import { SettingsPermissionsGuard } from 'src/engine/guards/settings-permissions.guard';
import { UserAuthGuard } from 'src/engine/guards/user-auth.guard';
import { WorkspaceAuthGuard } from 'src/engine/guards/workspace-auth.guard';
@ -94,7 +95,7 @@ export class AuthResolver {
private sSOService: SSOService,
) {}
@UseGuards(CaptchaGuard)
@UseGuards(CaptchaGuard, PublicEndpointGuard)
@Query(() => UserExistsOutput)
async checkUserExists(
@Args() checkUserExistsInput: CheckUserExistsInput,
@ -105,6 +106,7 @@ export class AuthResolver {
}
@Mutation(() => GetAuthorizationUrlForSSOOutput)
@UseGuards(PublicEndpointGuard)
async getAuthorizationUrlForSSO(
@Args('input') params: GetAuthorizationUrlForSSOInput,
) {
@ -115,6 +117,7 @@ export class AuthResolver {
}
@Query(() => WorkspaceInviteHashValid)
@UseGuards(PublicEndpointGuard)
async checkWorkspaceInviteHashIsValid(
@Args() workspaceInviteHashValidInput: WorkspaceInviteHashValidInput,
): Promise<WorkspaceInviteHashValid> {
@ -124,6 +127,7 @@ export class AuthResolver {
}
@Query(() => Workspace)
@UseGuards(PublicEndpointGuard)
async findWorkspaceFromInviteHash(
@Args() workspaceInviteHashValidInput: WorkspaceInviteHashValidInput,
): Promise<Workspace> {
@ -132,7 +136,7 @@ export class AuthResolver {
);
}
@UseGuards(CaptchaGuard)
@UseGuards(CaptchaGuard, PublicEndpointGuard)
@Mutation(() => LoginToken)
async getLoginTokenFromCredentials(
@Args()
@ -166,6 +170,7 @@ export class AuthResolver {
}
@Mutation(() => GetLoginTokenFromEmailVerificationTokenOutput)
@UseGuards(PublicEndpointGuard)
async getLoginTokenFromEmailVerificationToken(
@Args()
getLoginTokenFromEmailVerificationTokenInput: GetLoginTokenFromEmailVerificationTokenInput,
@ -197,7 +202,7 @@ export class AuthResolver {
return { loginToken, workspaceUrls };
}
@UseGuards(CaptchaGuard)
@UseGuards(CaptchaGuard, PublicEndpointGuard)
@Mutation(() => SignUpOutput)
async signUp(@Args() signUpInput: SignUpInput): Promise<SignUpOutput> {
const currentWorkspace = await this.authService.findWorkspaceForSignInUp({
@ -269,6 +274,7 @@ export class AuthResolver {
}
@Mutation(() => SignUpOutput)
@UseGuards(UserAuthGuard)
async signUpInNewWorkspace(
@AuthUser() currentUser: User,
): Promise<SignUpOutput> {
@ -300,7 +306,7 @@ export class AuthResolver {
// }
@Mutation(() => TransientToken)
@UseGuards(WorkspaceAuthGuard, UserAuthGuard)
@UseGuards(UserAuthGuard)
async generateTransientToken(
@AuthUser() user: User,
@AuthWorkspace() workspace: Workspace,
@ -324,6 +330,7 @@ export class AuthResolver {
}
@Mutation(() => AuthTokens)
@UseGuards(PublicEndpointGuard)
async getAuthTokensFromLoginToken(
@Args() getAuthTokensFromLoginTokenInput: GetAuthTokensFromLoginTokenInput,
@Args('origin') origin: string,
@ -351,7 +358,7 @@ export class AuthResolver {
}
@Mutation(() => AuthorizeApp)
@UseGuards(WorkspaceAuthGuard, UserAuthGuard)
@UseGuards(UserAuthGuard)
async authorizeApp(
@Args() authorizeAppInput: AuthorizeAppInput,
@AuthUser() user: User,
@ -365,6 +372,7 @@ export class AuthResolver {
}
@Mutation(() => AuthTokens)
@UseGuards(PublicEndpointGuard)
async renewToken(@Args() args: AppTokenInput): Promise<AuthTokens> {
const tokens = await this.renewTokenService.generateTokensFromRefreshToken(
args.appToken,
@ -390,6 +398,7 @@ export class AuthResolver {
}
@Mutation(() => EmailPasswordResetLink)
@UseGuards(PublicEndpointGuard)
async emailPasswordResetLink(
@Args() emailPasswordResetInput: EmailPasswordResetLinkInput,
@Context() context: I18nContext,
@ -408,6 +417,7 @@ export class AuthResolver {
}
@Mutation(() => InvalidatePassword)
@UseGuards(PublicEndpointGuard)
async updatePasswordViaResetToken(
@Args()
{ passwordResetToken, newPassword }: UpdatePasswordViaResetTokenInput,
@ -428,6 +438,7 @@ export class AuthResolver {
}
@Query(() => ValidatePasswordResetToken)
@UseGuards(PublicEndpointGuard)
async validatePasswordResetToken(
@Args() args: ValidatePasswordResetTokenInput,
): Promise<ValidatePasswordResetToken> {

5
packages/twenty-server/src/engine/core-modules/auth/controllers/google-apis-auth.controller.ts
View File

@ -26,6 +26,7 @@ import { GuardRedirectService } from 'src/engine/core-modules/guard-redirect/ser
import { OnboardingService } from 'src/engine/core-modules/onboarding/onboarding.service';
import { TwentyConfigService } from 'src/engine/core-modules/twenty-config/twenty-config.service';
import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
@Controller('auth/google-apis')
@UseFilters(AuthRestApiExceptionFilter)
@ -42,14 +43,14 @@ export class GoogleAPIsAuthController {
) {}
@Get()
@UseGuards(GoogleAPIsOauthRequestCodeGuard)
@UseGuards(GoogleAPIsOauthRequestCodeGuard, PublicEndpointGuard)
async googleAuth() {
// As this method is protected by Google Auth guard, it will trigger Google SSO flow
return;
}
@Get('get-access-token')
@UseGuards(GoogleAPIsOauthExchangeCodeForTokenGuard)
@UseGuards(GoogleAPIsOauthExchangeCodeForTokenGuard, PublicEndpointGuard)
async googleAuthGetAccessToken(
@Req() req: GoogleAPIsRequest,
@Res() res: Response,

5
packages/twenty-server/src/engine/core-modules/auth/controllers/google-auth.controller.ts
View File

@ -21,6 +21,7 @@ import { LoginTokenService } from 'src/engine/core-modules/auth/token/services/l
import { DomainManagerService } from 'src/engine/core-modules/domain-manager/services/domain-manager.service';
import { GuardRedirectService } from 'src/engine/core-modules/guard-redirect/services/guard-redirect.service';
import { User } from 'src/engine/core-modules/user/user.entity';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
@Controller('auth/google')
@UseFilters(AuthRestApiExceptionFilter)
@ -35,14 +36,14 @@ export class GoogleAuthController {
) {}
@Get()
@UseGuards(GoogleProviderEnabledGuard, GoogleOauthGuard)
@UseGuards(GoogleProviderEnabledGuard, GoogleOauthGuard, PublicEndpointGuard)
async googleAuth() {
// As this method is protected by Google Auth guard, it will trigger Google SSO flow
return;
}
@Get('redirect')
@UseGuards(GoogleProviderEnabledGuard, GoogleOauthGuard)
@UseGuards(GoogleProviderEnabledGuard, GoogleOauthGuard, PublicEndpointGuard)
@UseFilters(AuthOAuthExceptionFilter)
async googleAuthRedirect(@Req() req: GoogleRequest, @Res() res: Response) {
const {

5
packages/twenty-server/src/engine/core-modules/auth/controllers/microsoft-apis-auth.controller.ts
View File

@ -26,6 +26,7 @@ import { GuardRedirectService } from 'src/engine/core-modules/guard-redirect/ser
import { OnboardingService } from 'src/engine/core-modules/onboarding/onboarding.service';
import { TwentyConfigService } from 'src/engine/core-modules/twenty-config/twenty-config.service';
import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
@Controller('auth/microsoft-apis')
@UseFilters(AuthRestApiExceptionFilter)
@ -42,14 +43,14 @@ export class MicrosoftAPIsAuthController {
) {}
@Get()
@UseGuards(MicrosoftAPIsOauthRequestCodeGuard)
@UseGuards(MicrosoftAPIsOauthRequestCodeGuard, PublicEndpointGuard)
async MicrosoftAuth() {
// As this method is protected by Microsoft Auth guard, it will trigger Microsoft SSO flow
return;
}
@Get('get-access-token')
@UseGuards(MicrosoftAPIsOauthExchangeCodeForTokenGuard)
@UseGuards(MicrosoftAPIsOauthExchangeCodeForTokenGuard, PublicEndpointGuard)
async MicrosoftAuthGetAccessToken(
@Req() req: MicrosoftAPIsRequest,
@Res() res: Response,

13
packages/twenty-server/src/engine/core-modules/auth/controllers/microsoft-auth.controller.ts
View File

@ -20,6 +20,7 @@ import { LoginTokenService } from 'src/engine/core-modules/auth/token/services/l
import { DomainManagerService } from 'src/engine/core-modules/domain-manager/services/domain-manager.service';
import { GuardRedirectService } from 'src/engine/core-modules/guard-redirect/services/guard-redirect.service';
import { User } from 'src/engine/core-modules/user/user.entity';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
@Controller('auth/microsoft')
@UseFilters(AuthRestApiExceptionFilter)
@ -34,14 +35,22 @@ export class MicrosoftAuthController {
) {}
@Get()
@UseGuards(MicrosoftProviderEnabledGuard, MicrosoftOAuthGuard)
@UseGuards(
MicrosoftProviderEnabledGuard,
MicrosoftOAuthGuard,
PublicEndpointGuard,
)
async microsoftAuth() {
// As this method is protected by Microsoft Auth guard, it will trigger Microsoft SSO flow
return;
}
@Get('redirect')
@UseGuards(MicrosoftProviderEnabledGuard, MicrosoftOAuthGuard)
@UseGuards(
MicrosoftProviderEnabledGuard,
MicrosoftOAuthGuard,
PublicEndpointGuard,
)
async microsoftAuthRedirect(
@Req() req: MicrosoftRequest,
@Res() res: Response,

11
packages/twenty-server/src/engine/core-modules/auth/controllers/sso-auth.controller.ts
View File

@ -38,6 +38,7 @@ import {
import { User } from 'src/engine/core-modules/user/user.entity';
import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
import { workspaceValidator } from 'src/engine/core-modules/workspace/workspace.validate';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
@Controller('auth')
export class SSOAuthController {
@ -55,7 +56,7 @@ export class SSOAuthController {
) {}
@Get('saml/metadata/:identityProviderId')
@UseGuards(EnterpriseFeaturesEnabledGuard)
@UseGuards(EnterpriseFeaturesEnabledGuard, PublicEndpointGuard)
@UseFilters(AuthRestApiExceptionFilter)
// eslint-disable-next-line @typescript-eslint/no-explicit-any
async generateMetadata(@Req() req: any): Promise<string | void> {
@ -73,7 +74,7 @@ export class SSOAuthController {
}
@Get('oidc/login/:identityProviderId')
@UseGuards(EnterpriseFeaturesEnabledGuard, OIDCAuthGuard)
@UseGuards(EnterpriseFeaturesEnabledGuard, OIDCAuthGuard, PublicEndpointGuard)
@UseFilters(AuthRestApiExceptionFilter)
async oidcAuth() {
// As this method is protected by OIDC Auth guard, it will trigger OIDC SSO flow
@ -81,7 +82,7 @@ export class SSOAuthController {
}
@Get('saml/login/:identityProviderId')
@UseGuards(EnterpriseFeaturesEnabledGuard, SAMLAuthGuard)
@UseGuards(EnterpriseFeaturesEnabledGuard, SAMLAuthGuard, PublicEndpointGuard)
@UseFilters(AuthRestApiExceptionFilter)
async samlAuth() {
// As this method is protected by SAML Auth guard, it will trigger SAML SSO flow
@ -89,14 +90,14 @@ export class SSOAuthController {
}
@Get('oidc/callback')
@UseGuards(EnterpriseFeaturesEnabledGuard, OIDCAuthGuard)
@UseGuards(EnterpriseFeaturesEnabledGuard, OIDCAuthGuard, PublicEndpointGuard)
@UseFilters(AuthOAuthExceptionFilter)
async oidcAuthCallback(@Req() req: OIDCRequest, @Res() res: Response) {
return await this.authCallback(req, res);
}
@Post('saml/callback/:identityProviderId')
@UseGuards(EnterpriseFeaturesEnabledGuard, SAMLAuthGuard)
@UseGuards(EnterpriseFeaturesEnabledGuard, SAMLAuthGuard, PublicEndpointGuard)
@UseFilters(AuthOAuthExceptionFilter)
async samlAuthCallback(@Req() req: SAMLRequest, @Res() res: Response) {
try {

4
packages/twenty-server/src/engine/core-modules/billing/billing.controller.ts
View File

@ -9,6 +9,7 @@ import {
Req,
Res,
UseFilters,
UseGuards,
} from '@nestjs/common';
import { Response } from 'express';
@ -29,6 +30,8 @@ import { BillingWebhookInvoiceService } from 'src/engine/core-modules/billing/we
import { BillingWebhookPriceService } from 'src/engine/core-modules/billing/webhooks/services/billing-webhook-price.service';
import { BillingWebhookProductService } from 'src/engine/core-modules/billing/webhooks/services/billing-webhook-product.service';
import { BillingWebhookSubscriptionService } from 'src/engine/core-modules/billing/webhooks/services/billing-webhook-subscription.service';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
@Controller()
@UseFilters(BillingRestApiExceptionFilter)
export class BillingController {
@ -47,6 +50,7 @@ export class BillingController {
) {}
@Post(['webhooks/stripe'])
@UseGuards(PublicEndpointGuard)
async handleWebhooks(
@Headers('stripe-signature') signature: string,
@Req() req: RawBodyRequest<Request>,

4
packages/twenty-server/src/engine/core-modules/client-config/client-config.controller.ts
View File

@ -1,13 +1,15 @@
import { Controller, Get } from '@nestjs/common';
import { Controller, Get, UseGuards } from '@nestjs/common';
import { ClientConfig } from 'src/engine/core-modules/client-config/client-config.entity';
import { ClientConfigService } from 'src/engine/core-modules/client-config/services/client-config.service';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
@Controller('/client-config')
export class ClientConfigController {
constructor(private readonly clientConfigService: ClientConfigService) {}
@Get()
@UseGuards(PublicEndpointGuard)
async getClientConfig(): Promise<ClientConfig> {
return this.clientConfigService.getClientConfig();
}

3
packages/twenty-server/src/engine/core-modules/client-config/client-config.resolver.ts
View File

@ -1,6 +1,8 @@
import { UseGuards } from '@nestjs/common';
import { Query, Resolver } from '@nestjs/graphql';
import { ClientConfigService } from 'src/engine/core-modules/client-config/services/client-config.service';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
import { ClientConfig } from './client-config.entity';
@ -9,6 +11,7 @@ export class ClientConfigResolver {
constructor(private clientConfigService: ClientConfigService) {}
@Query(() => ClientConfig)
@UseGuards(PublicEndpointGuard)
async clientConfig(): Promise<ClientConfig> {
return this.clientConfigService.getClientConfig();
}

4
packages/twenty-server/src/engine/core-modules/domain-manager/controllers/cloudflare.controller.ts
View File

@ -25,8 +25,8 @@ import { CustomDomainService } from 'src/engine/core-modules/domain-manager/serv
import { DomainManagerService } from 'src/engine/core-modules/domain-manager/services/domain-manager.service';
import { ExceptionHandlerService } from 'src/engine/core-modules/exception-handler/exception-handler.service';
import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
import { handleException } from 'src/engine/utils/global-exception-handler.util';
@Controller()
@UseFilters(AuthRestApiExceptionFilter)
export class CloudflareController {
@ -40,7 +40,7 @@ export class CloudflareController {
) {}
@Post(['cloudflare/custom-hostname-webhooks', 'webhooks/cloudflare'])
@UseGuards(CloudflareSecretMatchGuard)
@UseGuards(CloudflareSecretMatchGuard, PublicEndpointGuard)
async customHostnameWebhooks(@Req() req: Request, @Res() res: Response) {
if (!req.body?.data?.data?.hostname) {
handleException({

4
packages/twenty-server/src/engine/core-modules/email-verification/email-verification.resolver.ts
View File

@ -1,4 +1,4 @@
import { UseFilters } from '@nestjs/common';
import { UseFilters, UseGuards } from '@nestjs/common';
import { Args, Context, Mutation, Resolver } from '@nestjs/graphql';
import { SOURCE_LOCALE } from 'twenty-shared/translations';
@ -9,6 +9,7 @@ import { ResendEmailVerificationTokenOutput } from 'src/engine/core-modules/emai
import { EmailVerificationExceptionFilter } from 'src/engine/core-modules/email-verification/email-verification-exception-filter.util';
import { EmailVerificationService } from 'src/engine/core-modules/email-verification/services/email-verification.service';
import { I18nContext } from 'src/engine/core-modules/i18n/types/i18n-context.type';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
@Resolver()
@UseFilters(EmailVerificationExceptionFilter)
@ -19,6 +20,7 @@ export class EmailVerificationResolver {
) {}
@Mutation(() => ResendEmailVerificationTokenOutput)
@UseGuards(PublicEndpointGuard)
async resendEmailVerificationToken(
@Args()
resendEmailVerificationTokenInput: ResendEmailVerificationTokenInput,

2
packages/twenty-server/src/engine/core-modules/file/controllers/file.controller.ts
View File

@ -23,6 +23,7 @@ import { FileApiExceptionFilter } from 'src/engine/core-modules/file/filters/fil
import { FilePathGuard } from 'src/engine/core-modules/file/guards/file-path-guard';
import { FileService } from 'src/engine/core-modules/file/services/file.service';
import { extractFileInfoFromRequest } from 'src/engine/core-modules/file/utils/extract-file-info-from-request.utils';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
@Controller('files')
@UseFilters(FileApiExceptionFilter)
@ -31,6 +32,7 @@ export class FileController {
constructor(private readonly fileService: FileService) {}
@Get('*/:filename')
@UseGuards(PublicEndpointGuard)
async getFile(
@Param() params: string[],
@Res() res: Response,

12
packages/twenty-server/src/engine/core-modules/health/controllers/health.controller.ts
View File

@ -1,4 +1,10 @@
import { BadRequestException, Controller, Get, Param } from '@nestjs/common';
import {
BadRequestException,
Controller,
Get,
Param,
UseGuards,
} from '@nestjs/common';
import { HealthCheck, HealthCheckService } from '@nestjs/terminus';
import { HealthIndicatorId } from 'src/engine/core-modules/health/enums/health-indicator-id.enum';
@ -7,6 +13,8 @@ import { ConnectedAccountHealth } from 'src/engine/core-modules/health/indicator
import { DatabaseHealthIndicator } from 'src/engine/core-modules/health/indicators/database.health';
import { RedisHealthIndicator } from 'src/engine/core-modules/health/indicators/redis.health';
import { WorkerHealthIndicator } from 'src/engine/core-modules/health/indicators/worker.health';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
@Controller('healthz')
export class HealthController {
constructor(
@ -19,12 +27,14 @@ export class HealthController {
) {}
@Get()
@UseGuards(PublicEndpointGuard)
@HealthCheck()
check() {
return this.health.check([]);
}
@Get(':indicatorId')
@UseGuards(PublicEndpointGuard)
@HealthCheck()
checkService(@Param('indicatorId') indicatorId: HealthIndicatorId) {
const checks = {

5
packages/twenty-server/src/engine/core-modules/open-api/open-api.controller.ts
View File

@ -1,14 +1,16 @@
import { Controller, Get, Req, Res } from '@nestjs/common';
import { Controller, Get, Req, Res, UseGuards } from '@nestjs/common';
import { Request, Response } from 'express';
import { OpenApiService } from 'src/engine/core-modules/open-api/open-api.service';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
@Controller()
export class OpenApiController {
constructor(private readonly openApiService: OpenApiService) {}
@Get(['open-api/core', 'rest/open-api/core'])
@UseGuards(PublicEndpointGuard)
async generateOpenApiSchemaCore(
@Req() request: Request,
@Res() res: Response,
@ -19,6 +21,7 @@ export class OpenApiController {
}
@Get(['open-api/metadata', 'rest/open-api/metadata'])
@UseGuards(PublicEndpointGuard)
async generateOpenApiSchemaMetaData(
@Req() request: Request,
@Res() res: Response,

6
packages/twenty-server/src/engine/core-modules/search/search.resolver.ts
View File

@ -1,12 +1,13 @@
import { UseFilters } from '@nestjs/common';
import { UseFilters, UseGuards } from '@nestjs/common';
import { Args, Query, Resolver } from '@nestjs/graphql';
import { SearchArgs } from 'src/engine/core-modules/search/dtos/search-args';
import { SearchResultConnectionDTO } from 'src/engine/core-modules/search/dtos/search-result-connection.dto';
import { SearchApiExceptionFilter } from 'src/engine/core-modules/search/filters/search-api-exception.filter';
import { SearchService } from 'src/engine/core-modules/search/services/search.service';
import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator';
import { SearchResultConnectionDTO } from 'src/engine/core-modules/search/dtos/search-result-connection.dto';
import { WorkspaceAuthGuard } from 'src/engine/guards/workspace-auth.guard';
@Resolver()
@UseFilters(SearchApiExceptionFilter)
@ -14,6 +15,7 @@ export class SearchResolver {
constructor(private readonly searchService: SearchService) {}
@Query(() => SearchResultConnectionDTO)
@UseGuards(WorkspaceAuthGuard)
async search(
@AuthWorkspace() workspace: Workspace,
@Args()

13
packages/twenty-server/src/engine/core-modules/workflow/controllers/workflow-trigger.controller.ts
View File

@ -1,9 +1,18 @@
import { Controller, Get, Param, Post, Req, UseFilters } from '@nestjs/common';
import {
Controller,
Get,
Param,
Post,
Req,
UseFilters,
UseGuards,
} from '@nestjs/common';
import { Request } from 'express';
import { isDefined } from 'twenty-shared/utils';
import { WorkflowTriggerRestApiExceptionFilter } from 'src/engine/core-modules/workflow/filters/workflow-trigger-rest-api-exception.filter';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
import { FieldActorSource } from 'src/engine/metadata-modules/field-metadata/composite-types/actor.composite-type';
import { TwentyORMManager } from 'src/engine/twenty-orm/twenty-orm.manager';
import {
@ -27,6 +36,7 @@ export class WorkflowTriggerController {
) {}
@Post('workflows/:workspaceId/:workflowId')
@UseGuards(PublicEndpointGuard)
async runWorkflowByPostRequest(
@Param('workspaceId') workspaceId: string,
@Param('workflowId') workflowId: string,
@ -40,6 +50,7 @@ export class WorkflowTriggerController {
}
@Get('workflows/:workspaceId/:workflowId')
@UseGuards(PublicEndpointGuard)
async runWorkflowByGetRequest(
@Param('workspaceId') workspaceId: string,
@Param('workflowId') workflowId: string,

4
packages/twenty-server/src/engine/core-modules/workspace/workspace.resolver.ts
View File

@ -24,6 +24,7 @@ import { DomainManagerService } from 'src/engine/core-modules/domain-manager/ser
import { FeatureFlagDTO } from 'src/engine/core-modules/feature-flag/dtos/feature-flag-dto';
import { FeatureFlagKey } from 'src/engine/core-modules/feature-flag/enums/feature-flag-key.enum';
import { FeatureFlagService } from 'src/engine/core-modules/feature-flag/services/feature-flag.service';
import { SignedFileDTO } from 'src/engine/core-modules/file/file-upload/dtos/signed-file.dto';
import { FileUploadService } from 'src/engine/core-modules/file/file-upload/services/file-upload.service';
import { FileService } from 'src/engine/core-modules/file/services/file.service';
import { TwentyConfigService } from 'src/engine/core-modules/twenty-config/twenty-config.service';
@ -43,6 +44,7 @@ import { AuthApiKey } from 'src/engine/decorators/auth/auth-api-key.decorator';
import { AuthUserWorkspaceId } from 'src/engine/decorators/auth/auth-user-workspace-id.decorator';
import { AuthUser } from 'src/engine/decorators/auth/auth-user.decorator';
import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
import { SettingsPermissionsGuard } from 'src/engine/guards/settings-permissions.guard';
import { UserAuthGuard } from 'src/engine/guards/user-auth.guard';
import { WorkspaceAuthGuard } from 'src/engine/guards/workspace-auth.guard';
@ -52,7 +54,6 @@ import { RoleDTO } from 'src/engine/metadata-modules/role/dtos/role.dto';
import { RoleService } from 'src/engine/metadata-modules/role/role.service';
import { GraphqlValidationExceptionFilter } from 'src/filters/graphql-validation-exception.filter';
import { streamToBuffer } from 'src/utils/stream-to-buffer';
import { SignedFileDTO } from 'src/engine/core-modules/file/file-upload/dtos/signed-file.dto';
import { Workspace } from './workspace.entity';
@ -283,6 +284,7 @@ export class WorkspaceResolver {
}
@Query(() => PublicWorkspaceDataOutput)
@UseGuards(PublicEndpointGuard)
async getPublicWorkspaceDataByDomain(
@Args('origin') origin: string,
): Promise<PublicWorkspaceDataOutput | undefined> {

3
packages/twenty-server/src/engine/decorators/auth/auth-user.decorator.ts
View File

@ -16,7 +16,8 @@ export const AuthUser = createParamDecorator(
if (!options?.allowUndefined && !request.user) {
throw new ForbiddenException(
"You're not authorized to do this. Note: This endpoint requires a user and won't work with just an API key.",
"You're not authorized to do this. " +
"Note: This endpoint requires a user and won't work with just an API key.",
);
}

21
packages/twenty-server/src/engine/decorators/auth/auth-workspace.decorator.ts
View File

@ -1,11 +1,28 @@
import { ExecutionContext, createParamDecorator } from '@nestjs/common';
import {
ExecutionContext,
InternalServerErrorException,
createParamDecorator,
} from '@nestjs/common';
import { getRequest } from 'src/utils/extract-request';
interface DecoratorOptions {
allowUndefined?: boolean;
}
export const AuthWorkspace = createParamDecorator(
(data: unknown, ctx: ExecutionContext) => {
(options: DecoratorOptions | undefined, ctx: ExecutionContext) => {
const request = getRequest(ctx);
if (!options?.allowUndefined && !request.workspace) {
// We're throwing an internal error and not a ForbiddenException
// because this should never happen, this is an extra security measure
// but Auth should be handled through the guards not the decorator
throw new InternalServerErrorException(
"You're not authorized to do this. This should not ever happen.",
);
}
return request.workspace;
},
);

0
packages/twenty-server/src/engine/guards/impersonate-guard.spec.ts → packages/twenty-server/src/engine/guards/__tests__/impersonate-guard.spec.ts
View File

37
packages/twenty-server/src/engine/guards/__tests__/public-endpoint.guard.spec.ts Normal file
View File

@ -0,0 +1,37 @@
import { ExecutionContext } from '@nestjs/common';
import { Test, TestingModule } from '@nestjs/testing';
import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
describe('PublicEndpointGuard', () => {
let guard: PublicEndpointGuard;
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
providers: [PublicEndpointGuard],
}).compile();
guard = module.get<PublicEndpointGuard>(PublicEndpointGuard);
});
it('should be defined', () => {
expect(guard).toBeDefined();
});
it('should always return true for any execution context', () => {
const mockContext = {} as ExecutionContext;
const result = guard.canActivate(mockContext);
expect(result).toBe(true);
});
it('should return true even with null context', () => {
const result = guard.canActivate(null as any);
expect(result).toBe(true);
});
it('should be injectable', () => {
expect(guard).toBeInstanceOf(PublicEndpointGuard);
});
});

16
packages/twenty-server/src/engine/guards/public-endpoint.guard.ts Normal file
View File

@ -0,0 +1,16 @@
import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
/**
* Guard that explicitly marks an endpoint as public/unprotected.
* This guard always returns true and serves as documentation
* that the endpoint is intentionally accessible without authentication.
*
* Usage: @UseGuards(PublicEndpointGuard)
*/
@Injectable()
export class PublicEndpointGuard implements CanActivate {
canActivate(_context: ExecutionContext): boolean {
// Always allow access - this is an explicit marker for public endpoints
return true;
}
}

4
packages/twenty-server/src/engine/metadata-modules/role/role.resolver.ts
View File

@ -17,6 +17,8 @@ import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
import { AuthWorkspaceMemberId } from 'src/engine/decorators/auth/auth-workspace-member-id.decorator';
import { AuthWorkspace } from 'src/engine/decorators/auth/auth-workspace.decorator';
import { SettingsPermissionsGuard } from 'src/engine/guards/settings-permissions.guard';
import { UserAuthGuard } from 'src/engine/guards/user-auth.guard';
import { WorkspaceAuthGuard } from 'src/engine/guards/workspace-auth.guard';
import { ObjectPermissionDTO } from 'src/engine/metadata-modules/object-permission/dtos/object-permission.dto';
import { UpsertObjectPermissionsInput } from 'src/engine/metadata-modules/object-permission/dtos/upsert-object-permissions.input';
import { ObjectPermissionService } from 'src/engine/metadata-modules/object-permission/object-permission.service';
@ -38,6 +40,7 @@ import { UserRoleService } from 'src/engine/metadata-modules/user-role/user-role
import { WorkspaceMemberWorkspaceEntity } from 'src/modules/workspace-member/standard-objects/workspace-member.workspace-entity';
@Resolver(() => RoleDTO)
@UseGuards(WorkspaceAuthGuard)
@UseGuards(SettingsPermissionsGuard(SettingPermissionType.ROLES))
@UseFilters(PermissionsGraphqlApiExceptionFilter)
export class RoleResolver {
@ -57,6 +60,7 @@ export class RoleResolver {
}
@Mutation(() => WorkspaceMember)
@UseGuards(UserAuthGuard)
async updateWorkspaceMemberRole(
@AuthWorkspace() workspace: Workspace,
@Args('workspaceMemberId') workspaceMemberId: string,

21
packages/twenty-server/src/engine/middlewares/constants/excluded-middleware-operations.constant.ts
View File

@ -1,21 +0,0 @@
export const EXCLUDED_MIDDLEWARE_OPERATIONS = [
'GetClientConfig',
'GetWorkspaceFromInviteHash',
'Track',
'TrackAnalytics',
'AuditTrack',
'CheckUserExists',
'GetLoginTokenFromCredentials',
'GetAuthTokensFromLoginToken',
'GetLoginTokenFromEmailVerificationToken',
'ResendEmailVerificationToken',
'SignUp',
'RenewToken',
'EmailPasswordResetLink',
'ValidatePasswordResetToken',
'UpdatePasswordViaResetToken',
'IntrospectionQuery',
'ExchangeAuthorizationCode',
'GetAuthorizationUrlForSSO',
'GetPublicWorkspaceDataByDomain',
] as const;

6
packages/twenty-server/src/engine/middlewares/graphql-hydrate-request-from-token.middleware.ts
View File

@ -11,12 +11,8 @@ export class GraphQLHydrateRequestFromTokenMiddleware
constructor(private readonly middlewareService: MiddlewareService) {}
async use(req: Request, res: Response, next: NextFunction) {
if (this.middlewareService.checkUnauthenticatedAccess(req)) {
return next();
}
try {
await this.middlewareService.authenticateGraphqlRequest(req);
await this.middlewareService.hydrateGraphqlRequest(req);
} catch (error) {
this.middlewareService.writeGraphqlResponseOnExceptionCaught(res, error);

52
packages/twenty-server/src/engine/middlewares/middleware.service.ts
View File

@ -4,6 +4,7 @@ import { Request, Response } from 'express';
import { isDefined } from 'twenty-shared/utils';
import { AuthException } from 'src/engine/core-modules/auth/auth.exception';
import { AuthGraphqlApiExceptionFilter } from 'src/engine/core-modules/auth/filters/auth-graphql-api-exception.filter';
import { AccessTokenService } from 'src/engine/core-modules/auth/token/services/access-token.service';
import { AuthContext } from 'src/engine/core-modules/auth/types/auth-context.type';
import { getAuthExceptionRestStatus } from 'src/engine/core-modules/auth/utils/get-auth-exception-rest-status.util';
@ -13,8 +14,6 @@ import { JwtWrapperService } from 'src/engine/core-modules/jwt/services/jwt-wrap
import { DataSourceService } from 'src/engine/metadata-modules/data-source/data-source.service';
import { WorkspaceMetadataCacheService } from 'src/engine/metadata-modules/workspace-metadata-cache/services/workspace-metadata-cache.service';
import { INTERNAL_SERVER_ERROR } from 'src/engine/middlewares/constants/default-error-message.constant';
import { EXCLUDED_MIDDLEWARE_OPERATIONS } from 'src/engine/middlewares/constants/excluded-middleware-operations.constant';
import { GraphqlTokenValidationProxy } from 'src/engine/middlewares/utils/graphql-token-validation-utils';
import {
handleException,
handleExceptionAndConvertToGraphQLError,
@ -33,25 +32,12 @@ export class MiddlewareService {
private readonly jwtWrapperService: JwtWrapperService,
) {}
private excludedOperations = EXCLUDED_MIDDLEWARE_OPERATIONS;
public isTokenPresent(request: Request): boolean {
const token = this.jwtWrapperService.extractJwtFromRequest()(request);
return !!token;
}
public checkUnauthenticatedAccess(request: Request): boolean {
const { body } = request;
const isUserUnauthenticated = !this.isTokenPresent(request);
const isExcludedOperation =
!body?.operationName ||
this.excludedOperations.includes(body.operationName);
return isUserUnauthenticated && isExcludedOperation;
}
// eslint-disable-next-line @typescript-eslint/no-explicit-any
public writeRestResponseOnExceptionCaught(res: Response, error: any) {
const statusCode = this.getStatus(error);
@ -77,12 +63,24 @@ export class MiddlewareService {
// eslint-disable-next-line @typescript-eslint/no-explicit-any
public writeGraphqlResponseOnExceptionCaught(res: Response, error: any) {
const errors = [
handleExceptionAndConvertToGraphQLError(
error as Error,
this.exceptionHandlerService,
),
];
let errors;
if (error instanceof AuthException) {
try {
const authFilter = new AuthGraphqlApiExceptionFilter();
authFilter.catch(error);
} catch (transformedError) {
errors = [transformedError];
}
} else {
errors = [
handleExceptionAndConvertToGraphQLError(
error as Error,
this.exceptionHandlerService,
),
];
}
const statusCode = 200;
@ -99,7 +97,7 @@ export class MiddlewareService {
res.end();
}
public async authenticateRestRequest(request: Request) {
public async hydrateRestRequest(request: Request) {
const data = await this.accessTokenService.validateTokenByRequest(request);
const metadataVersion =
await this.workspaceStorageCacheService.getMetadataVersion(
@ -125,12 +123,12 @@ export class MiddlewareService {
this.bindDataToRequestObject(data, request, metadataVersion);
}
public async authenticateGraphqlRequest(request: Request) {
const graphqlTokenValidationProxy = new GraphqlTokenValidationProxy(
this.accessTokenService,
);
public async hydrateGraphqlRequest(request: Request) {
if (!this.isTokenPresent(request)) {
return;
}
const data = await graphqlTokenValidationProxy.validateToken(request);
const data = await this.accessTokenService.validateTokenByRequest(request);
const metadataVersion =
await this.workspaceStorageCacheService.getMetadataVersion(
data.workspace.id,

2
packages/twenty-server/src/engine/middlewares/rest-core.middleware.ts
View File

@ -10,7 +10,7 @@ export class RestCoreMiddleware implements NestMiddleware {
async use(req: Request, res: Response, next: NextFunction) {
try {
await this.middlewareService.authenticateRestRequest(req);
await this.middlewareService.hydrateRestRequest(req);
} catch (error) {
this.middlewareService.writeRestResponseOnExceptionCaught(res, error);

22
packages/twenty-server/src/engine/middlewares/utils/graphql-token-validation-utils.ts
View File

@ -1,22 +0,0 @@
import { Request } from 'express';
import { AuthGraphqlApiExceptionFilter } from 'src/engine/core-modules/auth/filters/auth-graphql-api-exception.filter';
import { AccessTokenService } from 'src/engine/core-modules/auth/token/services/access-token.service';
export class GraphqlTokenValidationProxy {
private accessTokenService: AccessTokenService;
constructor(accessTokenService: AccessTokenService) {
this.accessTokenService = accessTokenService;
}
async validateToken(req: Request) {
try {
return await this.accessTokenService.validateTokenByRequest(req);
} catch (error) {
const authGraphqlApiExceptionFilter = new AuthGraphqlApiExceptionFilter();
throw authGraphqlApiExceptionFilter.catch(error);
}
}
}