fix: create api key permissions

elibosley · elibosley · commit cefb644bd7fa · 2025-01-28T14:58:34.000-05:00
diff --git a/api/src/graphql/generated/api/operations.ts b/api/src/graphql/generated/api/operations.ts
@@ -94,10 +94,8 @@ export function AccessUrlInputSchema(): z.ZodObject<Properties<AccessUrlInput>>
 
 export function AddPermissionInputSchema(): z.ZodObject<Properties<AddPermissionInput>> {
   return z.object({
-    action: z.string(),
-    possession: z.string(),
-    resource: ResourceSchema,
-    role: RoleSchema
+    actions: z.array(z.string()),
+    resource: ResourceSchema
   })
 }
 
@@ -326,7 +324,8 @@ export function CreateApiKeyInputSchema(): z.ZodObject<Properties<CreateApiKeyIn
   return z.object({
     description: z.string().nullish(),
     name: z.string(),
-    roles: z.array(RoleSchema)
+    permissions: z.array(z.lazy(() => AddPermissionInputSchema())).nullish(),
+    roles: z.array(RoleSchema).nullish()
   })
 }
 
@@ -1230,7 +1229,8 @@ export function VmDomainSchema(): z.ZodObject<Properties<VmDomain>> {
 export function VmsSchema(): z.ZodObject<Properties<Vms>> {
   return z.object({
     __typename: z.literal('Vms').optional(),
-    domain: z.array(VmDomainSchema()).nullish()
+    domain: z.array(VmDomainSchema()).nullish(),
+    id: z.string()
   })
 }
 
diff --git a/api/src/graphql/generated/api/types.ts b/api/src/graphql/generated/api/types.ts
@@ -40,10 +40,8 @@ export type AccessUrlInput = {
 };
 
 export type AddPermissionInput = {
-  action: Scalars['String']['input'];
-  possession: Scalars['String']['input'];
+  actions: Array<Scalars['String']['input']>;
   resource: Resource;
-  role: Role;
 };
 
 export type AddRoleForApiKeyInput = {
@@ -350,7 +348,8 @@ export enum ContainerState {
 export type CreateApiKeyInput = {
   description?: InputMaybe<Scalars['String']['input']>;
   name: Scalars['String']['input'];
-  roles: Array<Role>;
+  permissions?: InputMaybe<Array<AddPermissionInput>>;
+  roles?: InputMaybe<Array<Role>>;
 };
 
 export type Devices = {
@@ -1682,6 +1681,7 @@ export enum VmState {
 export type Vms = {
   __typename?: 'Vms';
   domain?: Maybe<Array<VmDomain>>;
+  id: Scalars['ID']['output'];
 };
 
 export enum WAN_ACCESS_TYPE {
@@ -3090,6 +3090,7 @@ export type VmDomainResolvers<ContextType = Context, ParentType extends Resolver
 
 export type VmsResolvers<ContextType = Context, ParentType extends ResolversParentTypes['Vms'] = ResolversParentTypes['Vms']> = ResolversObject<{
   domain?: Resolver<Maybe<Array<ResolversTypes['VmDomain']>>, ParentType, ContextType>;
+  id?: Resolver<ResolversTypes['ID'], ParentType, ContextType>;
   __isTypeOf?: IsTypeOfResolverFn<ParentType, ContextType>;
 }>;
 
diff --git a/api/src/graphql/schema/types/auth/auth.graphql b/api/src/graphql/schema/types/auth/auth.graphql
@@ -25,14 +25,13 @@ type ApiKeyWithSecret {
 input CreateApiKeyInput {
     name: String!
     description: String
-    roles: [Role!]!
+    roles: [Role!]
+    permissions: [AddPermissionInput!]
 }
 
 input AddPermissionInput {
-    role: Role!
     resource: Resource!
-    action: String!
-    possession: String!
+    actions: [String!]!
 }
 
 input AddRoleForUserInput {
diff --git a/api/src/unraid-api/auth/api-key.service.ts b/api/src/unraid-api/auth/api-key.service.ts
@@ -13,12 +13,12 @@ import { ZodError } from 'zod';
 import { environment } from '@app/environment';
 import { ApiKeySchema, ApiKeyWithSecretSchema } from '@app/graphql/generated/api/operations';
 import {
+    AddPermissionInput,
     ApiKey,
     ApiKeyWithSecret,
     Permission,
     Resource,
     Role,
-    UserAccount,
 } from '@app/graphql/generated/api/types';
 import { getters, store } from '@app/store';
 import { updateUserConfig } from '@app/store/modules/config';
@@ -107,7 +107,7 @@ export class ApiKeyService implements OnModuleInit {
         name: string;
         description: string | undefined;
         roles?: Role[];
-        permissions?: Permission[];
+        permissions?: Permission[] | AddPermissionInput[];
         overwrite?: boolean;
     }): Promise<ApiKeyWithSecret> {
         const trimmedName = name?.trim();
diff --git a/api/src/unraid-api/exceptions/graphql-exceptions.filter.ts b/api/src/unraid-api/exceptions/graphql-exceptions.filter.ts
@@ -1,28 +1,26 @@
-import {
-    Catch,
-    type ArgumentsHost,
-    type ExceptionFilter,
-} from '@nestjs/common';
-import { GraphQLError } from 'graphql';
+import type { ArgumentsHost, ExceptionFilter } from '@nestjs/common';
+import { Catch } from '@nestjs/common';
+
 import { type FastifyReply } from 'fastify';
+import { GraphQLError } from 'graphql';
 
 @Catch(GraphQLError)
-export class GraphQLExceptionsFilter<T extends GraphQLError>
-    implements ExceptionFilter
-{
+export class GraphQLExceptionsFilter<T extends GraphQLError> implements ExceptionFilter {
     catch(exception: T, host: ArgumentsHost) {
         const ctx = host.switchToHttp();
         const response: FastifyReply<any> = ctx.getResponse<FastifyReply>();
 
-        response.code(200).send({
-            data: null,
-            errors: [
-                {
-                    message: exception.message,
-                    locations: exception.locations,
-                    path: exception.path,
-                },
-            ],
-        });
+        if (response.code) {
+            response.code(200).send({
+                data: null,
+                errors: [
+                    {
+                        message: exception.message,
+                        locations: exception.locations,
+                        path: exception.path,
+                    },
+                ],
+            });
+        }
     }
 }
diff --git a/api/src/unraid-api/graph/resolvers/auth/auth.resolver.ts b/api/src/unraid-api/graph/resolvers/auth/auth.resolver.ts
@@ -56,11 +56,12 @@ export class AuthResolver {
         @Args('input')
         input: CreateApiKeyInput
     ): Promise<ApiKeyWithSecret> {
-        const apiKey = await this.apiKeyService.create(
-            input.name,
-            input.description ?? undefined,
-            input.roles
-        );
+        const apiKey = await this.apiKeyService.create({
+            name: input.name,
+            description: input.description ?? undefined,
+            roles: input.roles ?? [],
+            permissions: input.permissions ?? [],
+        });
 
         await this.authService.syncApiKeyRoles(apiKey.id, apiKey.roles);
 
