Add security to all queries (#148)

backend/app/graphql/__init__.py

@@ -6,14 +6,14 @@
 
 from .onsite_contact_mutations import OnsiteContactMutations
 from .onsite_contact_queries import OnsiteContactQueries
-from .example import ExampleQueries, ExampleMutations
 from .user_queries import UserQueries
 from .user_mutations import UserMutations
 from .services import services
 from ..services.implementations.user_service import UserService
 from ..services.implementations.email_service import EmailService
 from ..services.implementations.reminder_email_service import ReminderEmailService
 from ..services.implementations.auth_service import AuthService
+from ..services.implementations.mock_auth_service import MockAuthService
 from ..services.implementations.onsite_contact_service import OnsiteContactService
 from ..services.implementations.mock_email_service import MockEmailService
 from .auth import AuthMutations
@@ -27,7 +27,6 @@
 
 class RootQuery(
     # All queries listed here will be merged.
-    ExampleQueries,
     UserQueries,
     OnboardingRequestQueries,
     MealRequestQueries,
@@ -38,7 +37,6 @@ class RootQuery(
 
 class RootMutation(
     # All mutations listed here will be merged.
-    ExampleMutations,
     AuthMutations,
     OnboardingRequestMutations,
     MealRequestMutations,
@@ -58,7 +56,7 @@ def init_email_service(app):
     print("Initializing email service")
     if app.config["TESTING"]:
         os.environ["ENV"] = "testing"
-        print("Using mock email service in testings!")
+        print("Using mock email service in testing!")
         services["email_service"] = MockEmailService(
             logger=current_app.logger,
             credentials={},
@@ -79,6 +77,24 @@ def init_email_service(app):
         )
 
 
+def init_auth_service(app):
+    print("Initializing auth service")
+    if app.config["TESTING"]:
+        os.environ["ENV"] = "testing"
+        print("Using mock auth service in testing!")
+        services["auth_service"] = MockAuthService(
+            logger=current_app.logger,
+            user_service=services["user_service"],
+            email_service=services["email_service"],
+        )
+    else:
+        services["auth_service"] = AuthService(
+            logger=current_app.logger,
+            user_service=services["user_service"],
+            email_service=services["email_service"],
+        )
+
+
 def init_app(app):
     with app.app_context():
         init_email_service(app)
@@ -89,11 +105,7 @@ def init_app(app):
             logger=current_app.logger,
             onsite_contact_service=services["onsite_contact_service"],
         )
-        services["auth_service"] = AuthService(
-            logger=current_app.logger,
-            user_service=services["user_service"],
-            email_service=services["email_service"],
-        )
+        init_auth_service(app)
         services["onboarding_request_service"] = OnboardingRequestService(
             logger=current_app.logger, email_service=services["email_service"]
         )

backend/app/graphql/meal_request.py

@@ -1,6 +1,12 @@
 import graphene
 from graphql import GraphQLError
 from typing import List
+from .middleware.auth import (
+    secure_requestor_id,
+    requires_login,
+    requires_role,
+    secure_donor_id,
+)
 
 from .types import (
     Mutation,
@@ -76,6 +82,7 @@ class Arguments:
     # return values
     meal_requests = graphene.List(CreateMealRequestResponse)
 
+    @secure_requestor_id
     def mutate(
         self,
         info,
@@ -108,6 +115,8 @@ class Arguments:
 
     meal_request = graphene.Field(MealRequestResponse)
 
+    @secure_requestor_id
+    @requires_role("Donor")
     def mutate(
         self,
         info,
@@ -129,6 +138,9 @@ def mutate(
             if not meal_request:
                 raise Exception("Meal request not found")
 
+            print("requestor id is", requestor_id)
+
+            # TODO: Re-enable this check
             if (
                 requestor_role != "Admin"
                 and meal_request.donation_info["donor"]["id"] != requestor_id
@@ -162,6 +174,8 @@ class Arguments:
     # return values
     meal_request = graphene.Field(MealRequestResponse)
 
+    @secure_requestor_id
+    @requires_role("ASP")
     def mutate(
         self,
         info,
@@ -194,6 +208,7 @@ class Arguments:
 
     meal_requests = graphene.List(MealRequestResponse)
 
+    @requires_role("Donor")
     def mutate(
         self,
         info,
@@ -222,6 +237,7 @@ class Arguments:
     # return values (return updated meal request)
     meal_request = graphene.Field(MealRequestResponse)
 
+    @requires_role("Donor")
     def mutate(self, info, meal_request_id, requestor_id):
         user = services["user_service"]
         requestor_auth_id = user.get_auth_id_by_user_id(requestor_id)
@@ -249,6 +265,7 @@ class Arguments:
 
     meal_request = graphene.Field(MealRequestResponse)
 
+    @secure_requestor_id
     def mutate(self, info, meal_request_id, requestor_id):
         user = services["user_service"]
         requestor_auth_id = user.get_auth_id_by_user_id(requestor_id)
@@ -317,6 +334,7 @@ class MealRequestQueries(QueryList):
         ids=graphene.List(graphene.ID),
     )
 
+    @secure_requestor_id
     def resolve_getMealRequestById(
         self,
         info,
@@ -326,6 +344,7 @@ def resolve_getMealRequestById(
         meal_request = services["meal_request_service"].get_meal_request_by_id(id)
         return meal_request
 
+    @secure_requestor_id
     def resolve_getMealRequestsByIds(
         self,
         info,
@@ -335,6 +354,7 @@ def resolve_getMealRequestsByIds(
         meal_requests = services["meal_request_service"].get_meal_requests_by_ids(ids)
         return meal_requests
 
+    @requires_login
     def resolve_getMealRequestsByRequestorId(
         self,
         info,
@@ -388,6 +408,7 @@ def resolve_getMealRequestsByRequestorId(
         sort_by_date_direction=SortDirection(default_value=SortDirection.ASCENDING),
     )
 
+    @secure_donor_id
     def resolve_getMealRequestsByDonorId(
         self,
         info,