test(backend): quote create access control

interledger · Oct 31, 2024 · b404d12 · b404d12
1 parent 08d9668
commit b404d12
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 4 deletions.
diff --git a/packages/backend/src/graphql/resolvers/quote.test.ts b/packages/backend/src/graphql/resolvers/quote.test.ts
@@ -361,6 +361,41 @@ describe('Quote Resolvers', (): void => {
       }
       expect(createSpy).toHaveBeenCalledWith({ ...input, method: 'ilp' })
     })
+
+    test('cannot access', async (): Promise<void> => {
+      const spy = jest
+        .spyOn(walletAddressService, 'canAccess')
+        .mockImplementation(async () => false)
+
+      expect.assertions(3)
+      try {
+        await appContainer.apolloClient
+          .query({
+            query: gql`
+              mutation CreateQuote($input: CreateQuoteInput!) {
+                createQuote(input: $input) {
+                  quote {
+                    id
+                  }
+                }
+              }
+            `,
+            variables: { input }
+          })
+          .then((query): QuoteResponse => query.data?.createQuote)
+      } catch (error) {
+        expect(error).toBeInstanceOf(ApolloError)
+        expect((error as ApolloError).graphQLErrors).toContainEqual(
+          expect.objectContaining({
+            message: 'Unknown wallet address id input',
+            extensions: expect.objectContaining({
+              code: GraphQLErrorCode.BadUserInput
+            })
+          })
+        )
+      }
+      expect(spy).toHaveBeenCalled()
+    })
   })
 
   describe('Wallet address quotes', (): void => {

diff --git a/packages/backend/src/graphql/resolvers/quote.ts b/packages/backend/src/graphql/resolvers/quote.ts
@@ -43,10 +43,8 @@ export const getQuote: QueryResolvers<ApolloContext>['quote'] = async (
 
 export const createQuote: MutationResolvers<ApolloContext>['createQuote'] =
   async (parent, args, ctx): Promise<ResolversTypes['QuoteResponse']> => {
-    // ACCESS CONTROL CASE: Creates. If operator, OK. Else, get associated wallet address
-    // tenantId and compare to requestor's tenantId before creating.
     const walletAddressService = await ctx.container.use('walletAddressService')
-    const canAccess = walletAddressService.canAccess(
+    const canAccess = await walletAddressService.canAccess(
       ctx.isOperator,
       ctx.tenantId,
       args.input.walletAddressId

diff --git a/packages/backend/src/graphql/resolvers/wallet_address.ts b/packages/backend/src/graphql/resolvers/wallet_address.ts
@@ -170,7 +170,7 @@ export const updateWalletAddress: MutationResolvers<ApolloContext>['updateWallet
   }
 
 // TODO: access control? operator only, anyone, or tenanted?
-// Perhaps operator only? if tenanted will maybe need to fn
+// Perhaps operator only? if tenanted will maybe need fn
 // like existing processNextWalletAddresses that filters by tenant
 export const triggerWalletAddressEvents: MutationResolvers<ApolloContext>['triggerWalletAddressEvents'] =
   async (