From 96ffb925bda4fb73bb97e928be72fe7a5499768b Mon Sep 17 00:00:00 2001
From: Lukasz Ostrowski
Date: Thu, 16 Mar 2023 15:03:35 +0100
Subject: [PATCH] Fix Permission / AppPermission (#220)
---
 .changeset/fast-tigers-mate.md | 5 +++++
 src/handlers/next/create-protected-handler.ts | 4 ++--
 src/handlers/next/process-protected-handler.ts | 4 ++--
 src/has-permissions-in-jwt-token.ts | 4 ++--
 src/types.ts | 10 +++++++---
 src/util/extract-user-from-jwt.ts | 4 ++--
 src/verify-jwt.ts | 6 +++---
 7 files changed, 23 insertions(+), 14 deletions(-)
 create mode 100644 .changeset/fast-tigers-mate.md
diff --git a/.changeset/fast-tigers-mate.md b/.changeset/fast-tigers-mate.md
new file mode 100644
index 0000000..acd5ac1
--- /dev/null
+++ b/.changeset/fast-tigers-mate.md
@@ -0,0 +1,5 @@
+---
+"@saleor/app-sdk": patch
+---
+
+Restores MANAGE_APPS to Permissions, but remove it from AppPermissions
diff --git a/src/handlers/next/create-protected-handler.ts b/src/handlers/next/create-protected-handler.ts
index 9134f7a..ec74b17 100644
--- a/src/handlers/next/create-protected-handler.ts
+++ b/src/handlers/next/create-protected-handler.ts
@@ -2,7 +2,7 @@ import { NextApiHandler, NextApiRequest, NextApiResponse } from "next";
 import { APL } from "../../APL";
 import { createDebug } from "../../debug";
-import { AppPermission } from "../../types";
+import { Permission } from "../../types";
 import {
 processSaleorProtectedHandler,
 ProtectedHandlerError,
@@ -37,7 +37,7 @@ export const createProtectedHandler =
 (
 handlerFn: NextProtectedApiHandler,
 apl: APL,
- requiredPermissions?: AppPermission[]
+ requiredPermissions?: Permission[]
 ): NextApiHandler =>
 (req, res) => {
 debug("Protected handler called");
diff --git a/src/handlers/next/process-protected-handler.ts b/src/handlers/next/process-protected-handler.ts
index d6834b8..519eec1 100644
--- a/src/handlers/next/process-protected-handler.ts
+++ b/src/handlers/next/process-protected-handler.ts
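Review bot: `requiredPermissions` on `createProtectedHandler` (src/handlers/next/create-protected-handler.ts, hunk at line 37) has no comment saying whose permissions it is matched against, which is the very confusion this patch corrects. Judging by the `user_permissions` field typed in src/verify-jwt.ts, the list is compared with the dashboard user's token claims rather than with the app's own grants, so I would add `/** Permissions the calling dashboard user must hold, matched against the token's user_permissions claim. */` above the parameter. The comment should also state what happens when the argument is omitted; that behaviour lives in code outside the hunks shown and needs confirming. The same wording fits `ProcessSaleorProtectedHandlerArgs.requiredPermissions` and `verifyJWTArguments.requiredPermissions`; the handler body continues past the end of this hunk.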
@@ -4,7 +4,7 @@ import { APL } from "../../APL";
 import { AuthData } from "../../APL/apl";
 import { createDebug } from "../../debug";
 import { getBaseUrl, getSaleorHeaders } from "../../headers";
-import { AppPermission } from "../../types";
+import { Permission } from "../../types";
 import { verifyJWT } from "../../verify-jwt";
 const debug = createDebug("processProtectedHandler");
@@ -39,7 +39,7 @@ export type ProtectedHandlerContext = {
 interface ProcessSaleorProtectedHandlerArgs {
 req: NextApiRequest;
 apl: APL;
- requiredPermissions?: AppPermission[];
+ requiredPermissions?: Permission[];
 }
 type ProcessAsyncSaleorProtectedHandler = (
diff --git a/src/has-permissions-in-jwt-token.ts b/src/has-permissions-in-jwt-token.ts
index 7306488..0aba37f 100644
--- a/src/has-permissions-in-jwt-token.ts
+++ b/src/has-permissions-in-jwt-token.ts
@@ -1,12 +1,12 @@
 import { createDebug } from "./debug";
-import { AppPermission } from "./types";
+import { Permission } from "./types";
 import { DashboardTokenPayload } from "./verify-jwt";
 const debug = createDebug("checkJwtPermissions");
 export const hasPermissionsInJwtToken = (
 tokenData?: Pick,
- permissionsToCheckAgainst?: AppPermission[]
+ permissionsToCheckAgainst?: Permission[]
 ) => {
 debug(`Permissions required ${permissionsToCheckAgainst}`);
diff --git a/src/types.ts b/src/types.ts
index 6d7f82b..7ba0361 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -15,7 +15,7 @@ export type AppExtensionMount =
 | "ORDER_OVERVIEW_MORE_ACTIONS";
 /**
- * TODO: Extract from Saleor graphQL schema
+ * All permissions that users can have
 * Reference https://docs.saleor.io/docs/3.x/api-reference/enums/permission-enum
 */
 export type Permission =
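Review bot: The new doc comment on `Permission` in src/types.ts (hunk at line 15) replaces the `TODO: Extract from Saleor graphQL schema` line rather than adding to it, yet the union is still written out by hand. A hand-kept list can drift from the server's enum, and a value missing from it (as `MANAGE_APPS` was before this patch) cannot be named in `requiredPermissions` without a cast. I would keep both lines, ` * All permissions that users can have` followed by ` * TODO: Extract from Saleor graphQL schema`, so the follow-up is not forgotten. The union's members continue outside this hunk.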
@@ -40,9 +40,13 @@ export type Permission =
 | "MANAGE_PRODUCT_TYPES_AND_ATTRIBUTES"
 | "MANAGE_SHIPPING"
 | "MANAGE_SETTINGS"
- | "MANAGE_TRANSLATIONS";
+ | "MANAGE_TRANSLATIONS"
+ | "MANAGE_APPS";
-export type AppPermission = Permission;
+/**
+ * All permissions that App can have.
+ */
+export type AppPermission = Exclude;
 /**
 * @see https://github.com/saleor/saleor/blob/main/saleor/graphql/schema.graphql#L1505
diff --git a/src/util/extract-user-from-jwt.ts b/src/util/extract-user-from-jwt.ts
index 4e1fa10..b36a6d7 100644
--- a/src/util/extract-user-from-jwt.ts
+++ b/src/util/extract-user-from-jwt.ts
@@ -1,10 +1,10 @@
 import * as jose from "jose";
-import { AppPermission } from "../types";
+import { Permission } from "../types";
 type TokenUserPayload = {
 email: string;
- userPermissions: AppPermission[];
+ userPermissions: Permission[];
 };
 export const extractUserFromJwt = (jwtToken: string): TokenUserPayload => {
diff --git a/src/verify-jwt.ts b/src/verify-jwt.ts
index e28ef3b..08bf3a6 100644
--- a/src/verify-jwt.ts
+++ b/src/verify-jwt.ts
@@ -2,21 +2,21 @@ import * as jose from "jose";
 import { createDebug } from "./debug";
 import { hasPermissionsInJwtToken } from "./has-permissions-in-jwt-token";
-import { AppPermission } from "./types";
+import { Permission } from "./types";
 import { getJwksUrlFromSaleorApiUrl } from "./urls";
 const debug = createDebug("verify-jwt");
 export interface DashboardTokenPayload extends jose.JWTPayload {
 app: string;
- user_permissions: AppPermission[];
+ user_permissions: Permission[];
 }
 export interface verifyJWTArguments {
 appId: string;
 saleorApiUrl: string;
 token: string;
- requiredPermissions?: AppPermission[];
+ requiredPermissions?: Permission[];
 }
 export const verifyJWT = async ({
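Review bot: The doc comment added above `AppPermission` in src/types.ts (hunk at line 40) says only "All permissions that App can have" and does not record why `MANAGE_APPS` is left out, so a later edit could fold the two types back together. As shown on this page the alias reads `Exclude;` with no type arguments, most likely stripped in rendering; per the changeset it is meant to drop `"MANAGE_APPS"` from `Permission`. I would extend the comment to something like ` * Permissions an app may be granted; MANAGE_APPS is a user-only permission and is excluded on purpose.` Narrowing an exported type can also break consumers that typed `MANAGE_APPS` as `AppPermission`, which deserves a line in the changeset given that it ships as a patch release.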
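Review bot: `userPermissions: Permission[]` in `TokenUserPayload` (src/util/extract-user-from-jwt.ts) and `user_permissions: Permission[]` in `DashboardTokenPayload` (src/verify-jwt.ts) are compile-time labels on data read from a token, and nothing in these hunks checks the values at runtime. The body of `extractUserFromJwt` lies outside the hunk, so whether it verifies the signature is not visible here; if it only decodes, its result should be documented as unsuitable for access decisions. I would add above `TokenUserPayload`: `/** Claims as read from the JWT; call verifyJWT before relying on them for access decisions. */`, and a matching one-line comment on `user_permissions`. `verifyJWT` itself starts on the last line of its hunk and continues beyond it.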