Secured graphql playground #162-2

kdb-bot/src/bot_api/app_api_extension.py

@@ -2,12 +2,9 @@ from cpl_core.application import ApplicationExtensionABC
 from cpl_core.configuration import ConfigurationABC
 from cpl_core.dependency_injection import ServiceProviderABC
 
-from bot_api.abc.auth_service_abc import AuthServiceABC
-from bot_api.configuration.authentication_settings import AuthenticationSettings
 from bot_api.route.route import Route
 from bot_core.configuration.feature_flags_enum import FeatureFlagsEnum
 from bot_core.configuration.feature_flags_settings import FeatureFlagsSettings
-from bot_data.abc.auth_user_repository_abc import AuthUserRepositoryABC
 
 
 class AppApiExtension(ApplicationExtensionABC):
@@ -19,7 +16,4 @@ class AppApiExtension(ApplicationExtensionABC):
         if not feature_flags.get_flag(FeatureFlagsEnum.api_module):
             return
 
-        auth_settings: AuthenticationSettings = config.get_configuration(AuthenticationSettings)
+        Route.init_authorize()
-        auth_users: AuthUserRepositoryABC = services.get_service(AuthUserRepositoryABC)
-        auth: AuthServiceABC = services.get_service(AuthServiceABC)
-        Route.init_authorize(auth_users, auth)

kdb-bot/src/bot_api/controller/grahpql_controller.py

@@ -25,10 +25,15 @@ class GraphQLController:
         self._schema = schema
 
     @Route.get(f"{BasePath}/playground")
+    @Route.authorize(skip_in_dev=True)
     async def playground(self):
+        if self._env.environment_name != "development":
+            return "", 403
+
         return PLAYGROUND_HTML, 200
 
     @Route.post(f"{BasePath}")
+    @Route.authorize
     async def graphql(self):
         data = request.get_json()
 

kdb-bot/src/bot_api/route/route.py

@@ -2,6 +2,8 @@ import functools
 from functools import wraps
 from typing import Optional, Callable
 
+from cpl_core.dependency_injection import ServiceProviderABC
+from cpl_core.environment import ApplicationEnvironmentABC
 from flask import request, jsonify
 from flask_cors import cross_origin
 
@@ -18,19 +20,25 @@ class Route:
 
     _auth_users: Optional[AuthUserRepositoryABC] = None
     _auth: Optional[AuthServiceABC] = None
+    _env = "production"
 
     @classmethod
-    def init_authorize(cls, auth_users: AuthUserRepositoryABC, auth: AuthServiceABC):
+    @ServiceProviderABC.inject
+    def init_authorize(cls, env: ApplicationEnvironmentABC, auth_users: AuthUserRepositoryABC, auth: AuthServiceABC):
         cls._auth_users = auth_users
         cls._auth = auth
+        cls._env = env.environment_name
 
     @classmethod
-    def authorize(cls, f: Callable = None, role: AuthRoleEnum = None):
+    def authorize(cls, f: Callable = None, role: AuthRoleEnum = None, skip_in_dev=False):
         if f is None:
-            return functools.partial(cls.authorize, role=role)
+            return functools.partial(cls.authorize, role=role, skip_in_dev=skip_in_dev)
 
         @wraps(f)
         async def decorator(*args, **kwargs):
+            if skip_in_dev and cls._env == "development":
+                return await f(*args, **kwargs)
+
             token = None
             if "Authorization" in request.headers:
                 bearer = request.headers.get("Authorization")