Merge pull request #51 from yalla-coop/staging

265 - Restrict access to orders to only the order creator

Author: ajluker

DATABASE_OVERVIEW.md

@@ -0,0 +1,25 @@
+Overview of various Database tables and their purpose:
+
+**1. Users**
+This table manages authenticated user sessions that have access to the producer's system (users need to be authenticated via OIDC as a first step to access the producer app)
+
+**2. Sales Sessions**
+This table is used to store orders and their associated reservation dates (used to reserve draft order stock on Shopify). The reservation date equals the end dates of a sales session.
+
+**3. Orders**
+This table maps draft order IDs to completed order IDs, linking orders through different stages of processing.
+
+**4. Line Items**
+This table maintains a stable ID for line items using an external ID provided via the app's API. This helps track and manage line items even if Shopify updates its internal IDs which is the default behaviour when updating ongoing orders.
+
+**5. FDC Variants**
+This table tracks products tagged as FDC, making them accessible to Hubs.
+
+**6. Webhooks:**
+Every time Shopify triggers a webhook, a record is created in this table. It logs the webhook event and its associated details.
+
+**8. Shopify Sessions:**
+This table manages user sessions created and handled by Shopify, including session tokens and expiration details.
+
+
+

DEPLOYMENT_STRATEGY.md

@@ -0,0 +1,40 @@
+# Deployment Strategy for Jelastic Environments
+
+The application is stored on https://app.jpe.infomaniak.com/ and consists of various parts as described below:
+
+## 1. PRODUCTION Environment Setup
+
+### Application Server (Docker container)
+Runs the application and is connected to Shopify via the Application Dashboard (API Configuration Section)
+
+**Automated Deployments:**
+- Image Building: Docker images are built automatically via GitHub Actions. The build process triggers on code changes and commits.
+- Deployment Notification: GitHub Actions will ping Jelastic via a REST API call with deployment details once the build is complete.
+- Tagging: Use branch-sha_commit tags (e.g., main-2d478ef) to keep track of versions.
+
+**Logs:** 
+- Access logs in the run.log file within the Docker container for troubleshooting.
+  
+**Environment Variables:**
+- Configure necessary environment variables using the Variables popup in Jelastic.
+
+### Nginx Load Balancer:
+
+- Port Configuration: Configure Nginx to listen on relevant application port (HTTP) and proxy traffic to the appropriate internal nodes based on IP addresses via HTTPS.
+- SSL Configuration:
+  - Ensure Nginx is set up to handle SSL communication internally.
+  - Use the ssl.conf configuration file to set up SSL keys for secure communication between components.
+
+### Postgres Container:
+Stores the internal data store 
+- Links: Ensure proper linking between the Postgres container and other components.
+- Certificates: Use certificates to secure communication between the Postgres container and other services.
+
+### Creating new Environments:
+- Simplest way is to clone Environment by using the Jelastic environment cloning feature to duplicate the current setup.
+- This will create an exact replica of your existing environment.
+- Post-clone, adjust the following settings:
+  - Update environment-specific settings, such as IP addresses, secrets, and environment variables.
+  - Ensure any environment-specific configurations (e.g., database URLs, API keys) are updated.
+  
+![Bildschirmfoto 2024-09-05 um 13 27 29](https://github.com/user-attachments/assets/eadf8d6a-44e8-45f6-96f5-60ae5aeb2cf9)

README.md

@@ -52,3 +52,8 @@ yarn dev --reset
 ```bash
 yarn dev
 ```
+
+## Useful Resources
+- [Main Product Readme](https://github.com/yalla-coop/food-data-collaboration-producer/blob/staging/README_MAIN_PRODUCT.md)
+- [Database Overview](https://github.com/yalla-coop/food-data-collaboration-producer/blob/6af3fb3eeb328da489b2923fb2c0bc49cf704073/DATABASE_OVERVIEW.md)
+- [Deployment Strategy](https://github.com/yalla-coop/food-data-collaboration-producer/blob/6af3fb3eeb328da489b2923fb2c0bc49cf704073/DEPLOYMENT_STRATEGY.md)

web/database/orders/order_migration.sql

@@ -0,0 +1,6 @@
+ALTER TABLE orders ADD "owner_id" integer NOT NULL; 
+
+ALTER TABLE orders 
+ADD CONSTRAINT fk_user 
+FOREIGN KEY (owner_id) 
+REFERENCES users (id);

web/database/orders/orders.js

@@ -1,24 +1,33 @@
-import { pool } from '../connect.js'
+import { pool } from '../connect.js';
 
-export const createDraftOrder = async (draftOrderId) => {
-    const result = await pool.query(`
-            INSERT INTO orders (draft_order_id)
-            VALUES ($1)
+export const createDraftOrder = async (draftOrderId, openIdUserId) => {
+  const result = await pool.query(
+    `
+            INSERT INTO orders (draft_order_id, owner_id)
+            VALUES ($1, (SELECT "id" from users where user_id = $2))
             RETURNING *;
-        `, [draftOrderId]);
-    return result.rows;
+        `,
+    [draftOrderId, openIdUserId]
+  );
+  return result.rows;
 };
 
 export const completeDraftOrder = async (draftOrderId, completedOrderId) => {
-    const result = await pool.query(`
+  const result = await pool.query(
+    `
             UPDATE orders set completed_order_id = $2
             WHERE draft_order_id = $1
             RETURNING *;
-        `, [draftOrderId, completedOrderId]);
-    return result.rows;
+        `,
+    [draftOrderId, completedOrderId]
+  );
+  return result.rows;
 };
 
-export const getOrders = async () => {
-    const result = await pool.query(`SELECT draft_order_id as "draftOrderId", completed_order_id as "completedOrderId" from orders order by draft_order_id`, []);
-    return result.rows;
-}
+export const getOrder = async (draftOrderId, openIdUserId) => {
+  const result = await pool.query(
+    `SELECT draft_order_id as "draftOrderId", completed_order_id as "completedOrderId", owner_id as "ownerId" from orders where draft_order_id = $1 AND owner_id = (select id from users where user_id = $2)`,
+    [draftOrderId, openIdUserId]
+  );
+  return result.rows && result.rows.length === 1 ? result.rows[0] : null;
+};

web/database/orders/orders.spec.js

@@ -1,21 +1,36 @@
 import { pool } from '../connect';
-import {createDraftOrder, completeDraftOrder, getOrders} from './orders'
+import {createDraftOrder, completeDraftOrder, getOrder} from './orders'
 
 describe('orders', () => {
+
+    const openIdUserId = '08fcc438-1eb5-4c63-a8f4-894a3960351d';
+
+    const getOrders = async () => {
+        const result = await pool.query(`SELECT draft_order_id as "draftOrderId", completed_order_id as "completedOrderId", owner_id as "ownerId" from orders order by draft_order_id`, []);
+        return result.rows;
+    }
+
     beforeAll(async () => {
         await pool.query(`truncate table orders restart identity`);
     });
 
     it('Order can be created', async () => {
-        await createDraftOrder(55);
-        await createDraftOrder(56);
+        await createDraftOrder(55, openIdUserId);
+        await createDraftOrder(56, openIdUserId);
         const result = await getOrders();
-        expect(result).toStrictEqual([{draftOrderId: "55", completedOrderId: null}, {draftOrderId: "56", completedOrderId: null}])
+        expect(result).toStrictEqual([{draftOrderId: "55", completedOrderId: null, ownerId: 10}, {draftOrderId: "56", completedOrderId: null, ownerId: 10}])
+    });
+
+    it('Order can be retrieved', async () => {
+        expect(await getOrder(55, openIdUserId)).toStrictEqual({draftOrderId: "55", completedOrderId: null, ownerId: 10})
+        expect(await getOrder(55, 12345)).toStrictEqual(null)
+        expect(await getOrder(99, openIdUserId)).toStrictEqual(null)
     });
 
     it('Order can be completed', async () => {
         await completeDraftOrder(55, 654);
         const result = await getOrders();
-        expect(result).toStrictEqual([{draftOrderId: "55", completedOrderId: "654"}, {draftOrderId: "56", completedOrderId: null}])
+        expect(result).toStrictEqual([{draftOrderId: "55", completedOrderId: "654", ownerId: 10}, {draftOrderId: "56", completedOrderId: null, ownerId: 10}])
     })
-});
+});
+

web/database/orders/schema.sql

@@ -3,8 +3,12 @@ DROP TABLE IF EXISTS "orders" CASCADE;
 CREATE TABLE IF NOT EXISTS "orders" (
     "draft_order_id" bigint PRIMARY KEY,
     "completed_order_id" bigint NULL,
+    "owner_id" integer NOT NULL,
     "created_at" TIMESTAMP NOT NULL DEFAULT NOW(),
-    "updated_at" TIMESTAMP NOT NULL DEFAULT NOW()
+    "updated_at" TIMESTAMP NOT NULL DEFAULT NOW(),
+    CONSTRAINT fk_user
+      FOREIGN KEY(owner_id) 
+        REFERENCES users(id)
 );
 CREATE TRIGGER set_timestamp BEFORE
 UPDATE ON "orders" FOR EACH ROW EXECUTE PROCEDURE trigger_set_timestamp();

web/fdc-modules/orders/controllers/create-or-update-order-line.js

@@ -4,12 +4,19 @@ import { extractOrderLine, createDfcOrderLineFromShopify } from '../dfc/dfc-orde
 import { persistLineIdMappings } from './lineItemMappings.js'
 import * as orders from './shopify/orders.js';
 import * as ids from './shopify/ids.js'
-// transaction
+import { getOrder } from '../../../database/orders/orders.js';
+
 const createOrUpdateOrderLine = async (req, res) => {
     try {
         const session = await getSession(`${req.params.EnterpriseName}.myshopify.com`)
         const client = new shopify.api.clients.Graphql({ session });
 
+        const order = await getOrder(req.params.id, req.user.id);
+
+        if(!order) {
+            return res.status(403).send('You do not have permission to act on this order');
+        }
+
         const orderLine = await extractOrderLine(req.body)
 
         const {order: shopifyOrder} = await orders.findOrder(client, req.params.id, {});

web/fdc-modules/orders/controllers/create-order.js

@@ -21,6 +21,10 @@ const createOrder = async (req, res) => {
 
     const customerId = await findCustomer(client, req.user.id);
 
+    if (!customerId) {
+      return res.status(403).send(`Customer with email matching ${req.user.id} must exist in shopify for you to create an order`);
+    }
+
     const { order, saleSession } = await extractOrderAndLinesAndSalesSession(
       req.body
     );
@@ -37,7 +41,7 @@ const createOrder = async (req, res) => {
       shopifyLines
     );
 
-    await createDraftOrder(ids.extract(shopifyDraftOrder.id));
+    await createDraftOrder(ids.extract(shopifyDraftOrder.id), req.user.id);
     await createSalesSession(
       ids.extract(shopifyDraftOrder.id),
       saleSession.getEndDate()

web/fdc-modules/orders/controllers/get-all-orders.js

@@ -1,5 +1,6 @@
 import { getAllLineItems } from '../../../database/line_items/lineItems.js';
 import shopify from '../../../shopify.js';
+import { findCustomer } from './shopify/customer.js';
 import getSession from '../../../utils/getShopifySession.js';
 import { createBulkDfcOrderFromShopify } from '../dfc/dfc-order.js';
 import { findOrders } from './shopify/orders.js';
@@ -9,6 +10,12 @@ const getAllOrders = async (req, res) => {
         const session = await getSession(`${req.params.EnterpriseName}.myshopify.com`)
         const client = new shopify.api.clients.Graphql({ session });
 
+        const customerId = await findCustomer(client, req.user.id);
+
+        if (!customerId) {
+            return respond(res, await createBulkDfcOrderFromShopify([], [], req.params.EnterpriseName), null);
+        }
+
         const {before, after, first, last} = req.query;
 
         if ((before && after) || (before && first) || (after && last) && (before && !last) && (after && !first)){
@@ -17,17 +24,23 @@ const getAllOrders = async (req, res) => {
 
         const draftOrdersWithLineItemMappings = await getAllLineItems();
 
-        const {orders, pageInfo} = await findOrders(client, {before, after, first: Number(first), last: Number(last)});
+        const {orders, pageInfo} = await findOrders(client, customerId, {before, after, first: Number(first), last: Number(last)});
 
         const allDfcOrders = await createBulkDfcOrderFromShopify(orders, draftOrdersWithLineItemMappings, req.params.EnterpriseName);
 
-        res.type('application/json');
-        res.set("pageInfo", JSON.stringify(pageInfo));
-        res.send(allDfcOrders);
+        return respond(res, allDfcOrders, pageInfo);
     } catch (error) {
         console.error(error);
         res.status(500).end();
     }
 }
 
+function respond(res, graph, pageInfo) {
+    res.type('application/json');
+    if (pageInfo){
+        res.set("pageInfo", JSON.stringify(pageInfo));
+    }
+    res.send(graph);
+}
+
 export default getAllOrders

web/fdc-modules/orders/controllers/get-order-line.js

@@ -3,11 +3,19 @@ import getSession from '../../../utils/getShopifySession.js';
 import { createDfcOrderLineFromShopify } from '../dfc/dfc-order.js';
 import { findOrder } from './shopify/orders.js';
 import { getLineItems } from '../../../database/line_items/lineItems.js'
+import { getOrder } from '../../../database/orders/orders.js';
+
 const getOrderLine = async (req, res) => {
     try {
         const session = await getSession(`${req.params.EnterpriseName}.myshopify.com`)
         const client = new shopify.api.clients.Graphql({ session });
 
+        const order = await getOrder(req.params.id, req.user.id);
+
+        if(!order) {
+            return res.status(403).send('You do not have permission to act on this order');
+        }
+
         const { order: shopifyOrder } = await findOrder(client, req.params.id, {});
 
         if (!shopifyOrder) {

web/fdc-modules/orders/controllers/get-order-lines.js

@@ -3,11 +3,19 @@ import getSession from '../../../utils/getShopifySession.js';
 import { createDfcOrderLinesFromShopify } from '../dfc/dfc-order.js';
 import { findOrder } from './shopify/orders.js';
 import { getLineItems } from '../../../database/line_items/lineItems.js'
+import { getOrder } from '../../../database/orders/orders.js';
+
 const getOrderLines = async (req, res) => {
     try {
         const session = await getSession(`${req.params.EnterpriseName}.myshopify.com`)
         const client = new shopify.api.clients.Graphql({ session });
 
+        const order = await getOrder(req.params.id, req.user.id);
+
+        if(!order) {
+            return res.status(403).send('You do not have permission to act on this order');
+        }
+
         const {before, after, first, last} = req.query;
 
         if ((before && after) || (before && first) || (after && last) && (before && !last) && (after && !first)){

web/fdc-modules/orders/controllers/get-order.js

@@ -3,12 +3,19 @@ import getSession from '../../../utils/getShopifySession.js';
 import { createDfcOrderFromShopify } from '../dfc/dfc-order.js';
 import { findOrder } from './shopify/orders.js';
 import { getLineItems } from '../../../database/line_items/lineItems.js'
+import { getOrder as getOrderMetadata } from '../../../database/orders/orders.js';
 
 const getOrder = async (req, res) => {
     try {
         const session = await getSession(`${req.params.EnterpriseName}.myshopify.com`)
         const client = new shopify.api.clients.Graphql({ session });
 
+        const order = await getOrderMetadata(req.params.id, req.user.id);
+
+        if(!order) {
+            return res.status(403).send('You do not have permission to act on this order');
+        }
+
         const { order: shopifyOrder } = await findOrder(client, req.params.id, {});
 
         if (!shopifyOrder) {

web/fdc-modules/orders/controllers/shopify/customer.js

@@ -17,7 +17,7 @@ export async function findCustomer(client, customerEmail) {
     }
 
     if (response.data.customers.nodes.length < 1) {
-        throw new Error('Unable to find customer with email', customerEmail);
+        return null;
     }
 
     return response.data.customers.nodes[0].id

web/fdc-modules/orders/controllers/shopify/orders.js

@@ -63,11 +63,11 @@ export async function findOrder(client, orderId, { first, last, after, before })
     };
 }
 
-export async function findOrders(client, { first, last, after, before }) {
+export async function findOrders(client, customerId, { first, last, after, before }) {
 
     const query = `
     query findDraftOrders($first: Int, $last: Int, $after: String, $before: String) {
-        draftOrders(first: $first, last: $last, after: $after, before: $before, query: "tag:fdc") {
+        draftOrders(first: $first, last: $last, after: $after, before: $before, query: "tag:fdc AND customer_id:${ids.extract(customerId)}") {
             nodes {
                 id    
                 status   

web/fdc-modules/orders/controllers/update-order.js

@@ -5,17 +5,25 @@ import shopify from '../../../shopify.js';
 import getSession from '../../../utils/getShopifySession.js';
 import {
   createDfcOrderFromShopify,
-  extractOrderAndLines
+  extractOrderAndLines,
 } from '../dfc/dfc-order.js';
 import { persistLineIdMappings } from './lineItemMappings.js';
 import * as ids from './shopify/ids.js';
 import * as shopifyOrders from './shopify/orders.js';
 
-//todo: transaction
 const updateOrder = async (req, res) => {
   try {
     console.log('updating order with body:>> ', req.body);
     console.log('updating order with params :>> ', req.params);
+
+    const orderMetadata = await database.getOrder(req.params.id, req.user.id);
+
+    if (!orderMetadata) {
+      return res
+        .status(403)
+        .send('You do not have permission to act on this order');
+    }
+
     const session = await getSession(
       `${req.params.EnterpriseName}.myshopify.com`
     );