From fcf7a9fbca0c0fea90de8b3f5cba15023f273600 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Thu, 20 Jan 2022 17:51:45 +0100
Subject: [PATCH] fix broken login with existing token in local store
---
 backend/src/graphql/directive/isAuthorized.ts | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/backend/src/graphql/directive/isAuthorized.ts b/backend/src/graphql/directive/isAuthorized.ts
index 19cd7bcdb..b8b5e9772 100644
--- a/backend/src/graphql/directive/isAuthorized.ts
+++ b/backend/src/graphql/directive/isAuthorized.ts
@@ -8,16 +8,28 @@ import { RIGHTS } from '../../auth/RIGHTS'
 import { ServerUserRepository } from '../../typeorm/repository/ServerUser'
 import { getCustomRepository } from 'typeorm'
 import { UserRepository } from '../../typeorm/repository/User'
+import { INALIENABLE_RIGHTS } from '../../auth/INALIENABLE_RIGHTS'
 const isAuthorized: AuthChecker = async ({ context }, rights) => {
 context.role = ROLE_UNAUTHORIZED // unauthorized user
 // Do we have a token?
 if (context.token) {
+ // Decode the token
 const decoded = decode(context.token)
 if (!decoded) {
- // we always throw on an invalid token
- throw new Error('403.13 - Client certificate revoked')
+ // Are all rights requested public?
+ const isInalienable = (rights).reduce(
+ (acc, right) => acc && INALIENABLE_RIGHTS.includes(right),
+ true,
+ )
+ if (isInalienable) {
+ // If public dont throw and permit access
+ return true
+ } else {
+ // Throw on a protected route
+ throw new Error('403.13 - Client certificate revoked')
+ }
 }
 // Set context pubKey
 context.pubKey = Buffer.from(decoded.pubKey).toString('hex')
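Review bot: The `reduce(..., true)` that decides `isInalienable` evaluates to `true` for an empty `rights` list, so a resolver decorated with no explicit rights now lets a request carrying an undecodable token through with `return true`, whereas before the commit any invalid token was rejected; unless the checker's no-token path (which lies outside this hunk, as does the rest of `isAuthorized`) deliberately treats an empty list as public, guard it with `const isInalienable = rights.length > 0 && rights.every((right) => INALIENABLE_RIGHTS.includes(right))`. Using `every` also replaces the spurious `(rights)` parentheses and the boolean fold with the idiomatic form, and the `if (isInalienable) { return true } else { throw ... }` can drop the `else` since the first branch returns. Independently of that, an undecodable token is now silently treated like no token at all, which is reasonable for public routes but loses the signal that a stale or tampered token was presented; a short comment such as `// invalid token on a public route: treat as anonymous, do not reject` and, if the project has a logger in scope, a debug-level log of the decode failure would make the intent explicit.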