Fix workspace hydratation (#12452)

We must separate the concept of hydratation which happens at the request level (take the token and pass auth/user context), from the concept of authorization which happens at the query/endpoint/mutation level. Previously, hydratation exemption happened at the operation name level which is not correct because the operation name is meaningless and optional. Still this gave an impression of security by enforcing a blacklist. So in this PR we introduce linting rule that aim to achieve a similar behavior, now every api method has to have a guard. That way if and endpoint is not protected by AuthUserGuard or AuthWorspaceGuard, then it has to be stated explicitly next to its code. --------- Co-authored-by: Charles Bochet <charles@twenty.com>
2025-06-09 14:14:32 +02:00
parent 322c8a1852
commit ecf21774dd
37 changed files with 741 additions and 138 deletions
--- a/packages/twenty-server/src/engine/guards/tests/impersonate-guard.spec.ts
+++ b/packages/twenty-server/src/engine/guards/tests/impersonate-guard.spec.ts
--- a/packages/twenty-server/src/engine/guards/tests/public-endpoint.guard.spec.ts
+++ b/packages/twenty-server/src/engine/guards/tests/public-endpoint.guard.spec.ts
@ -0,0 +1,37 @@
+import { ExecutionContext } from '@nestjs/common';
+import { Test, TestingModule } from '@nestjs/testing';
+
+import { PublicEndpointGuard } from 'src/engine/guards/public-endpoint.guard';
+
+describe('PublicEndpointGuard', () => {
+  let guard: PublicEndpointGuard;
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      providers: [PublicEndpointGuard],
+    }).compile();
+
+    guard = module.get<PublicEndpointGuard>(PublicEndpointGuard);
+  });
+
+  it('should be defined', () => {
+    expect(guard).toBeDefined();
+  });
+
+  it('should always return true for any execution context', () => {
+    const mockContext = {} as ExecutionContext;
+    const result = guard.canActivate(mockContext);
+
+    expect(result).toBe(true);
+  });
+
+  it('should return true even with null context', () => {
+    const result = guard.canActivate(null as any);
+
+    expect(result).toBe(true);
+  });
+
+  it('should be injectable', () => {
+    expect(guard).toBeInstanceOf(PublicEndpointGuard);
+  });
+});
--- a/packages/twenty-server/src/engine/guards/public-endpoint.guard.ts
+++ b/packages/twenty-server/src/engine/guards/public-endpoint.guard.ts
@ -0,0 +1,16 @@
+import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
+
+/**
+ * Guard that explicitly marks an endpoint as public/unprotected.
+ * This guard always returns true and serves as documentation
+ * that the endpoint is intentionally accessible without authentication.
+ *
+ * Usage: @UseGuards(PublicEndpointGuard)
+ */
+@Injectable()
+export class PublicEndpointGuard implements CanActivate {
+  canActivate(_context: ExecutionContext): boolean {
+    // Always allow access - this is an explicit marker for public endpoints
+    return true;
+  }
+}