Update BNF code to use username and password for auth.

This uses environment variables, that we also need to set on lagoon. Ontop of that, we set the GraphQL calls to be HTTPS.
danskernesdigitalebibliotek · Dec 12, 2024 · abd639f · abd639f
1 parent 9a56f67
commit abd639f
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 12 deletions.
diff --git a/.lagoon.yml b/.lagoon.yml
@@ -110,8 +110,9 @@ tasks:
             drush user:create patron --password="$PR_DRUPAL_PWD"
             drush user:role:add 'patron' patron
 
-            drush user:create graphql_consumer --password="$PR_DRUPAL_PWD"
-            drush user:role:add 'graphql_consumer' graphql_consumer
+            drush user:create $GRAPHQL_USER_NAME --password="$GRAPHQL_USER_PASSWORD"
+            drush user:role:add 'external_system' $GRAPHQL_USER_NAME
+            drush user:role:add 'graphql_consumer' $GRAPHQL_USER_NAME
           else
             echo "Test users already exist. Skipping creation..."
           fi

diff --git a/Taskfile.yml b/Taskfile.yml
@@ -231,6 +231,7 @@ tasks:
       - task dev:cli -- drush user:role:add 'patron' patron
 
       - task dev:cli -- drush user:create graphql_consumer --password="test"
+      - task dev:cli -- drush user:role:add 'external_system' graphql_consumer
       - task dev:cli -- drush user:role:add 'graphql_consumer' graphql_consumer
 
   dev:import-profile-translations:

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -31,6 +31,10 @@ x-environment:
     LAGOON_ENVIRONMENT: 'local'
     LAGOON_ENVIRONMENT_TYPE: ${LAGOON_ENVIRONMENT_TYPE:-local}
     WEBROOT: web
+    GRAPHQL_USER_NAME: graphql_consumer
+    GRAPHQL_USER_PASSWORD: test
+    # @todo - what do we set this to?
+    BNF_SERVER_GRAPHQL_ENDPOINT: "https://localhost/graphql"
     # Uncomment if you like to have the system behave like in production
     #LAGOON_ENVIRONMENT_TYPE: production
 

diff --git a/web/modules/custom/bnf/bnf_client/src/Services/BnfExporter.php b/web/modules/custom/bnf/bnf_client/src/Services/BnfExporter.php
@@ -8,6 +8,7 @@
 use GuzzleHttp\Client;
 use Psr\Log\LoggerInterface;
 use function Safe\json_decode;
+use function Safe\parse_url;
 
 /**
  * Service, related to exporting our content to BNF.
@@ -51,18 +52,25 @@ public function exportNode(NodeInterface $node): void {
     }
     GRAPHQL;
 
-    // @todo This needs to be the server URL instead. What do we do about local
-    // development?
-    $bnf_server = $callback_url;
-
     try {
+      $bnf_server = (string) getenv('BNF_SERVER_GRAPHQL_ENDPOINT');
+
+      if (!filter_var($bnf_server, FILTER_VALIDATE_URL)) {
+        throw new \InvalidArgumentException('The provided BNF server URL is not valid.');
+      }
+
+      $parsed_url = parse_url($bnf_server);
+      $scheme = $parsed_url['scheme'] ?? NULL;
+
+      if ($scheme !== 'https') {
+        throw new \InvalidArgumentException('The BNF server URL must use HTTPS.');
+      }
+
       $response = $this->httpClient->post($bnf_server, [
         'headers' => [
           'Content-Type' => 'application/json',
         ],
-        // @todo Implement actual authentication. Is it OK to use
-        // username/password, or do we need to do oAuth as they do in React?
-        'auth' => ['graphql_consumer', 'test'],
+        'auth' => [getenv('GRAPHQL_USER_NAME'), getenv('GRAPHQL_USER_PASSWORD')],
         'json' => [
           'query' => $mutation,
         ],

diff --git a/web/modules/custom/bnf/src/Services/BnfImporter.php b/web/modules/custom/bnf/src/Services/BnfImporter.php
@@ -7,6 +7,7 @@
 use GuzzleHttp\Client;
 use Psr\Log\LoggerInterface;
 use function Safe\json_decode;
+use function Safe\parse_url;
 
 /**
  * Service related to importing content from an external source.
@@ -62,16 +63,31 @@ public function importNode(string $uuid, string $endpointUrl, string $nodeType =
 
     $client = new Client();
 
+    if (!filter_var($endpointUrl, FILTER_VALIDATE_URL)) {
+      throw new \InvalidArgumentException((string) $this->translation->translate(
+        'The provided callback URL is not valid.', [], ['context' => 'BNF']
+      ));
+    }
+
+    $parsed_url = parse_url($endpointUrl);
+    $scheme = $parsed_url['scheme'] ?? NULL;
+
+    if ($scheme !== 'https') {
+      throw new \InvalidArgumentException((string) $this->translation->translate(
+        'The provided callback URL must use HTTPS.', [], ['context' => 'BNF']
+      ));
+    }
+
     $response = $client->post($endpointUrl, [
       'headers' => [
         'Content-Type' => 'application/json',
       ],
-      // @todo Implement actual authentication. Is it OK to use
-      // username/password, or do we need to do oAuth as they do in React?
-      'auth' => ['graphql_consumer', 'test'],
+      'auth' => [getenv('GRAPHQL_USER_NAME'), getenv('GRAPHQL_USER_PASSWORD')],
       'json' => [
         'query' => $query,
       ],
+      // Make sure that the server is HTTPS.
+      'verify' => TRUE,
     ]);
 
     $data = json_decode($response->getBody()->getContents(), TRUE);