From 172357dfd13e37782e95defff5ed93805eadfa62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20Jedlicska?=
Date: Fri, 28 Jul 2023 11:15:52 +0200
Subject: [PATCH] refactor(server): use auth pipeline server role validator for gql auth
---
 packages/server/modules/shared/index.js | 24 +++++++++---------------
 1 file changed, 9 insertions(+), 15 deletions(-)
diff --git a/packages/server/modules/shared/index.js b/packages/server/modules/shared/index.js
index db2c8d31e..ed25edc79 100644
--- a/packages/server/modules/shared/index.js
+++ b/packages/server/modules/shared/index.js
@@ -8,6 +8,10 @@ const { BranchSubscriptions } = require('@/modules/shared/utils/subscriptions')
 const { Roles } = require('@speckle/shared')
+const {
+ validateServerRole: authPipelineValidateServerRole,
+ authHasFailed
+} = require('@/modules/shared/authz')
 const { adminOverrideEnabled } = require('@/modules/shared/helpers/envHelper')
 const { ServerAcl: ServerAclSchema } = require('@/modules/core/dbSchema')
@@ -27,21 +31,11 @@ const getRoles = async () => {
 * @param {string} requiredRole
 */
 async function validateServerRole(context, requiredRole) {
- const roles = await getRoles()
-
- if (!context.auth) throw new ForbiddenError('You must provide an auth token.')
-
- const role = roles.find((r) => r.name === requiredRole)
- const myRole = roles.find((r) => r.name === context.role)
-
- if (!role) throw new ApolloError('Invalid server role specified')
- if (!myRole)
- throw new ForbiddenError('You do not have the required server role (null)')
-
- if (context.role === Roles.Server.Admin) return true
- if (myRole.weight >= role.weight) return true
-
- throw new ForbiddenError('You do not have the required server role')
+ const { authResult } = await authPipelineValidateServerRole({ requiredRole })({
+ context
+ })
+ if (authHasFailed(authResult)) throw authResult.error
+ return true
 }
 /**
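Review bot: In the new body of `validateServerRole` (second hunk), `throw authResult.error` assumes the auth pipeline always sets `error` on a failed result; if it is ever missing, the resolver throws `undefined`, which still denies access but loses the `ForbiddenError` type and message GraphQL clients received before. A guarded form such as `if (authHasFailed(authResult)) throw authResult.error ?? new ForbiddenError('You do not have the required server role')` keeps the failure typed, assuming `ForbiddenError` is still imported at the top of the file, which the hunk does not show. The removed lines also rejected a missing `context.auth` and an unknown `requiredRole` explicitly, and short-circuited for `Roles.Server.Admin`. Those decisions now live in `@/modules/shared/authz`, which is not visible here, so it is worth confirming with tests that an unauthenticated context and an unrecognised role both still fail closed. The JSDoc above the function would also benefit from `@returns {Promise<true>}` and a `@throws` line stating that the pipeline's error is rethrown.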