chore: actually validate API key privileges and refs

graph/resolver.go

@@ -8,6 +8,7 @@ import (
 	"gitlab.com/unboundsoftware/eventsourced/eventsourced"
 
 	"gitlab.com/unboundsoftware/schemas/cache"
+	"gitlab.com/unboundsoftware/schemas/middleware"
 )
 
 //go:generate go run github.com/99designs/gqlgen
@@ -27,6 +28,26 @@ type Resolver struct {
 	Cache      *cache.Cache
 }
 
+func (r *Resolver) apiKeyCanAccessRef(ctx context.Context, ref string, publish bool) (string, error) {
+	key, err := middleware.ApiKeyFromContext(ctx)
+	if err != nil {
+		return "", err
+	}
+	apiKey := r.Cache.ApiKeyByKey(key)
+	if publish && !apiKey.Publish {
+		return "", fmt.Errorf("provided API-key doesn't have publish privilege")
+	}
+	if !publish && !apiKey.Read {
+		return "", fmt.Errorf("provided API-key doesn't have read privilege")
+	}
+	for _, rr := range apiKey.Refs {
+		if rr == ref {
+			return apiKey.Name, nil
+		}
+	}
+	return "", fmt.Errorf("provided API-key doesn't have the required privilege on the requested Schema Ref")
+}
+
 func (r *Resolver) handler(ctx context.Context, aggregate eventsourced.Aggregate) (eventsourced.CommandHandler, error) {
 	return eventsourced.NewHandler(ctx, aggregate, r.EventStore, eventsourced.WithEventPublisher(r.Publisher))
 }