Fix Permission / AppPermission (#220)

.changeset/fast-tigers-mate.md

@@ -0,0 +1,5 @@
+---
+"@saleor/app-sdk": patch
+---
+
+Restores MANAGE_APPS to Permissions, but remove it from AppPermissions

src/handlers/next/create-protected-handler.ts

@@ -2,7 +2,7 @@ import { NextApiHandler, NextApiRequest, NextApiResponse } from "next";
 
 import { APL } from "../../APL";
 import { createDebug } from "../../debug";
-import { AppPermission } from "../../types";
+import { Permission } from "../../types";
 import {
   processSaleorProtectedHandler,
   ProtectedHandlerError,
@@ -37,7 +37,7 @@ export const createProtectedHandler =
   (
     handlerFn: NextProtectedApiHandler,
     apl: APL,
-    requiredPermissions?: AppPermission[]
+    requiredPermissions?: Permission[]
   ): NextApiHandler =>
   (req, res) => {
     debug("Protected handler called");

src/handlers/next/process-protected-handler.ts

@@ -4,7 +4,7 @@ import { APL } from "../../APL";
 import { AuthData } from "../../APL/apl";
 import { createDebug } from "../../debug";
 import { getBaseUrl, getSaleorHeaders } from "../../headers";
-import { AppPermission } from "../../types";
+import { Permission } from "../../types";
 import { verifyJWT } from "../../verify-jwt";
 
 const debug = createDebug("processProtectedHandler");
@@ -39,7 +39,7 @@ export type ProtectedHandlerContext = {
 interface ProcessSaleorProtectedHandlerArgs {
   req: NextApiRequest;
   apl: APL;
-  requiredPermissions?: AppPermission[];
+  requiredPermissions?: Permission[];
 }
 
 type ProcessAsyncSaleorProtectedHandler = (

src/has-permissions-in-jwt-token.ts

@@ -1,12 +1,12 @@
 import { createDebug } from "./debug";
-import { AppPermission } from "./types";
+import { Permission } from "./types";
 import { DashboardTokenPayload } from "./verify-jwt";
 
 const debug = createDebug("checkJwtPermissions");
 
 export const hasPermissionsInJwtToken = (
   tokenData?: Pick<DashboardTokenPayload, "user_permissions">,
-  permissionsToCheckAgainst?: AppPermission[]
+  permissionsToCheckAgainst?: Permission[]
 ) => {
   debug(`Permissions required ${permissionsToCheckAgainst}`);
 

src/types.ts

@@ -15,7 +15,7 @@ export type AppExtensionMount =
   | "ORDER_OVERVIEW_MORE_ACTIONS";
 
 /**
- * TODO: Extract from Saleor graphQL schema
+ * All permissions that users can have
  * Reference https://docs.saleor.io/docs/3.x/api-reference/enums/permission-enum
  */
 export type Permission =
@@ -40,9 +40,13 @@ export type Permission =
   | "MANAGE_PRODUCT_TYPES_AND_ATTRIBUTES"
   | "MANAGE_SHIPPING"
   | "MANAGE_SETTINGS"
-  | "MANAGE_TRANSLATIONS";
+  | "MANAGE_TRANSLATIONS"
+  | "MANAGE_APPS";
 
-export type AppPermission = Permission;
+/**
+ * All permissions that App can have.
+ */
+export type AppPermission = Exclude<Permission, "MANAGE_APPS">;
 
 /**
  * @see https://github.com/saleor/saleor/blob/main/saleor/graphql/schema.graphql#L1505

src/util/extract-user-from-jwt.ts

@@ -1,10 +1,10 @@
 import * as jose from "jose";
 
-import { AppPermission } from "../types";
+import { Permission } from "../types";
 
 type TokenUserPayload = {
   email: string;
-  userPermissions: AppPermission[];
+  userPermissions: Permission[];
 };
 
 export const extractUserFromJwt = (jwtToken: string): TokenUserPayload => {

src/verify-jwt.ts

@@ -2,21 +2,21 @@ import * as jose from "jose";
 
 import { createDebug } from "./debug";
 import { hasPermissionsInJwtToken } from "./has-permissions-in-jwt-token";
-import { AppPermission } from "./types";
+import { Permission } from "./types";
 import { getJwksUrlFromSaleorApiUrl } from "./urls";
 
 const debug = createDebug("verify-jwt");
 
 export interface DashboardTokenPayload extends jose.JWTPayload {
   app: string;
-  user_permissions: AppPermission[];
+  user_permissions: Permission[];
 }
 
 export interface verifyJWTArguments {
   appId: string;
   saleorApiUrl: string;
   token: string;
-  requiredPermissions?: AppPermission[];
+  requiredPermissions?: Permission[];
 }
 
 export const verifyJWT = async ({