BE-310: Protect sensitive properties from enumeration attacks

.lefthook.yml

@@ -29,7 +29,7 @@ pre-commit:
     rust:
       tags: [backend, style]
       glob: "*.rs"
-      run: cargo fmt -- {staged_files} || true
+      run: rustfmt {staged_files} || true
       stage_fixed: true
     toml:
       tags: [backend, style]

apps/hash-ai-worker-ts/src/activities/shared/dereference-entity-type.test.ts

@@ -1076,11 +1076,7 @@ describe("The dereferenceEntityType function", () => {
         "https://hash.ai/@test/types/entity-type/property-values-demo/v/4",
       subgraph: {
         ...testSubgraph,
-        vertices: mapGraphApiVerticesToVertices(
-          testSubgraph.vertices,
-          null,
-          true,
-        ),
+        vertices: mapGraphApiVerticesToVertices(testSubgraph.vertices),
       } as Subgraph,
     });
 

apps/hash-ai-worker-ts/src/activities/shared/find-existing-entity.ts

@@ -15,9 +15,8 @@ import type {
   CosineDistanceFilter,
   GraphApi,
 } from "@local/hash-graph-client";
-import { type HashEntity, queryEntities } from "@local/hash-graph-sdk/entity";
+import { HashEntity, queryEntities } from "@local/hash-graph-sdk/entity";
 import { queryEntityTypeSubgraph } from "@local/hash-graph-sdk/entity-type";
-import { mapGraphApiEntityToEntity } from "@local/hash-graph-sdk/subgraph";
 import type { ProposedEntity } from "@local/hash-isomorphic-utils/flows/types";
 import {
   almostFullOntologyResolveDepths,
@@ -213,9 +212,7 @@ export const findExistingEntity = async ({
         includePermissions: false,
       },
     ).then(({ entities }) =>
-      entities
-        .slice(0, 3)
-        .map((entity) => mapGraphApiEntityToEntity(entity, actorId)),
+      entities.slice(0, 3).map((entity) => new HashEntity(entity)),
     );
   }
 
@@ -251,9 +248,7 @@ export const findExistingEntity = async ({
           includePermissions: false,
         },
       ).then(({ entities }) =>
-        entities
-          .slice(0, 3)
-          .map((entity) => mapGraphApiEntityToEntity(entity, actorId)),
+        entities.slice(0, 3).map((entity) => new HashEntity(entity)),
       );
     }
   }

apps/hash-api/src/auth/create-auth-handlers.ts

@@ -8,10 +8,7 @@ import type { Express, Request, RequestHandler } from "express";
 
 import type { ImpureGraphContext } from "../graph/context-types";
 import type { User } from "../graph/knowledge/system-types/user";
-import {
-  createUser,
-  getUserByKratosIdentityId,
-} from "../graph/knowledge/system-types/user";
+import { createUser, getUser } from "../graph/knowledge/system-types/user";
 import { systemAccountId } from "../graph/system-account";
 import { hydraAdmin } from "./ory-hydra";
 import type { KratosUserIdentity } from "./ory-kratos";
@@ -140,10 +137,11 @@ export const getUserAndSession = async ({
       throw new Error("Could not find kratos identity for session");
     }
 
-    const { id: kratosIdentityId } = identity;
+    const { id: kratosIdentityId, traits } = identity as KratosUserIdentity;
 
-    const user = await getUserByKratosIdentityId(context, authentication, {
+    const user = await getUser(context, authentication, {
       kratosIdentityId,
+      emails: traits.emails,
     });
 
     if (!user) {
@@ -179,7 +177,7 @@ export const createAuthMiddleware = (params: {
         token: accessOrSessionToken,
       });
       if (introspectionResult.data.active && introspectionResult.data.sub) {
-        const user = await getUserByKratosIdentityId(
+        const user = await getUser(
           context,
           { actorId: publicUserAccountId },
           {

apps/hash-api/src/auth/ory-kratos.ts

@@ -17,7 +17,7 @@ export const kratosIdentityApi = new IdentityApi(
 
 export type KratosUserIdentityTraits = {
   shortname?: string;
-  emails: string[];
+  emails: [string, ...string[]];
 };
 
 export type KratosUserIdentity = Omit<Identity, "traits"> & {

apps/hash-api/src/graph/knowledge/primitive/entity.ts

@@ -159,6 +159,16 @@ export const countEntities: ImpureGraphFunction<
 > = async ({ graphApi }, { actorId }, params) =>
   graphApi.countEntities(actorId, params).then(({ data }) => data);
 
+type GetLatestEntityByIdFunction<
+  Properties extends
+    TypeIdsAndPropertiesForEntity = TypeIdsAndPropertiesForEntity,
+> = ImpureGraphFunction<
+  {
+    entityId: EntityId;
+  },
+  Promise<HashEntity<Properties>>
+>;
+
 /**
  * Get the latest edition of an entity by its entityId. See notes on params.
  *
@@ -178,13 +188,13 @@ export const countEntities: ImpureGraphFunction<
  *   2. if there is somehow more than one edition for the requested entityId at the current time, which is an internal
  *   fault
  */
-export const getLatestEntityById: ImpureGraphFunction<
-  {
-    entityId: EntityId;
-  },
-  Promise<HashEntity>
-> = async (context, authentication, params) => {
-  const { entityId } = params;
+export const getLatestEntityById = async <
+  Properties extends
+    TypeIdsAndPropertiesForEntity = TypeIdsAndPropertiesForEntity,
+>(
+  ...args: Parameters<GetLatestEntityByIdFunction<Properties>>
+): ReturnType<GetLatestEntityByIdFunction<Properties>> => {
+  const [context, authentication, { entityId }] = args;
 
   const [webId, entityUuid, draftId] = splitEntityId(entityId);
 
@@ -223,7 +233,7 @@ export const getLatestEntityById: ImpureGraphFunction<
 
   const {
     entities: [entity, ...unexpectedEntities],
-  } = await queryEntities(context, authentication, {
+  } = await queryEntities<Properties>(context, authentication, {
     filter: {
       all: allFilter,
     },
@@ -368,9 +378,9 @@ export const createEntityWithLinks = async <
        * pages which may affect this.
        */
       const entity = existingEntityId
-        ? ((await getLatestEntityById(context, authentication, {
+        ? await getLatestEntityById<Properties>(context, authentication, {
             entityId: existingEntityId,
-          })) as HashEntity<Properties>)
+          })
         : await createEntity<Properties>(context, authentication, {
             ...createParams,
             properties: definition.entityProperties!,

apps/hash-api/src/graph/knowledge/primitive/entity/after-create-entity-hooks.ts

@@ -30,7 +30,7 @@ import {
   getMentionedUsersInTextualContent,
   getTextById,
 } from "../../system-types/text";
-import { getUserById } from "../../system-types/user";
+import { getUser } from "../../system-types/user";
 import { checkPermissionsOnEntity } from "../entity";
 import type {
   AfterCreateEntityHook,
@@ -79,12 +79,18 @@ const commentCreateHookCallback: AfterCreateEntityHookCallback = async ({
       const pageAuthorAccountId =
         occurredInEntity.entity.metadata.provenance.createdById;
 
-      const pageAuthor = await getUserById(context, authentication, {
-        entityId: entityIdFromComponents(
-          pageAuthorAccountId as WebId,
-          pageAuthorAccountId as string as EntityUuid,
-        ),
+      const pageAuthorEntityId = entityIdFromComponents(
+        pageAuthorAccountId as WebId,
+        pageAuthorAccountId as string as EntityUuid,
+      );
+      const pageAuthor = await getUser(context, authentication, {
+        entityId: pageAuthorEntityId,
       });
+      if (!pageAuthor) {
+        throw new Error(
+          `User with entityId ${pageAuthorEntityId} doesn't exist or cannot be accessed by requesting user.`,
+        );
+      }
 
       const commentAuthor = await getCommentAuthor(context, authentication, {
         commentEntityId: comment.entity.metadata.recordId.entityId,
@@ -216,12 +222,18 @@ const hasTextCreateHookCallback: AfterCreateEntityHookCallback = async ({
     { textualContent },
   );
 
-  const triggeredByUser = await getUserById(context, authentication, {
-    entityId: entityIdFromComponents(
-      authentication.actorId as WebId,
-      authentication.actorId as string as EntityUuid,
-    ),
+  const triggeredByUserEntityId = entityIdFromComponents(
+    authentication.actorId as WebId,
+    authentication.actorId as string as EntityUuid,
+  );
+  const triggeredByUser = await getUser(context, authentication, {
+    entityId: triggeredByUserEntityId,
   });
+  if (!triggeredByUser) {
+    throw new Error(
+      `User with entityId ${triggeredByUserEntityId} doesn't exist or cannot be accessed by requesting user.`,
+    );
+  }
 
   await Promise.all([
     ...mentionedUsers

apps/hash-api/src/graph/knowledge/primitive/entity/after-update-entity-hooks/text-after-update-entity-hook-callback.ts

@@ -13,7 +13,7 @@ import {
   getMentionedUsersInTextualContent,
   getTextFromEntity,
 } from "../../../system-types/text";
-import { getUserById } from "../../../system-types/user";
+import { getUser } from "../../../system-types/user";
 import { checkPermissionsOnEntity } from "../../entity";
 import { getTextUpdateOccurredIn } from "../shared/mention-notification";
 import type { AfterUpdateEntityHookCallback } from "../update-entity-hooks";
@@ -79,13 +79,21 @@ export const textAfterUpdateEntityHookCallback: AfterUpdateEntityHookCallback =
         ),
     );
 
-    const triggeredByUser = await getUserById(context, authentication, {
-      entityId: entityIdFromComponents(
-        authentication.actorId as WebId,
-        authentication.actorId as string as EntityUuid,
-      ),
+    const triggeredByUserEntityId = entityIdFromComponents(
+      authentication.actorId as WebId,
+      authentication.actorId as string as EntityUuid,
+    );
+
+    const triggeredByUser = await getUser(context, authentication, {
+      entityId: triggeredByUserEntityId,
     });
 
+    if (!triggeredByUser) {
+      throw new Error(
+        `User with entityId ${triggeredByUserEntityId} doesn't exist or cannot be accessed by requesting user.`,
+      );
+    }
+
     await Promise.all([
       ...removedMentionedUsers.map(async (removedMentionedUser) => {
         const existingNotification = await getMentionNotification(

apps/hash-api/src/graph/knowledge/system-types/account.fields.ts

@@ -3,7 +3,7 @@ import type {
   PureGraphFunction,
 } from "../../context-types";
 import { getOrgByShortname } from "./org";
-import { getUserByShortname } from "./user";
+import { getUser } from "./user";
 
 /** @todo: enable admins to expand upon restricted shortnames block list */
 export const RESTRICTED_SHORTNAMES = [
@@ -124,7 +124,7 @@ export const shortnameIsTaken: ImpureGraphFunction<
    * @see https://linear.app/hash/issue/H-2989
    */
   return (
-    (await getUserByShortname(ctx, authentication, params)) !== null ||
+    (await getUser(ctx, authentication, params)) !== null ||
     (await getOrgByShortname(ctx, authentication, params)) !== null
   );
 };

apps/hash-api/src/graph/knowledge/system-types/file.ts

@@ -60,9 +60,13 @@ const generateCommonParameters = async (
   }
 
   if (fileEntityUpdateInput) {
-    const existingEntity = (await getLatestEntityById(ctx, authentication, {
-      entityId: fileEntityUpdateInput.existingFileEntityId,
-    })) as HashEntity<File>;
+    const existingEntity = await getLatestEntityById<File>(
+      ctx,
+      authentication,
+      {
+        entityId: fileEntityUpdateInput.existingFileEntityId,
+      },
+    );
 
     return {
       existingEntity,

apps/hash-api/src/graph/knowledge/system-types/text.ts

@@ -31,7 +31,7 @@ import { getCommentById } from "./comment";
 import type { Page } from "./page";
 import { getPageFromEntity } from "./page";
 import type { User } from "./user";
-import { getUserById } from "./user";
+import { getUser } from "./user";
 
 export type Text = {
   textualContent: TextToken[];
@@ -291,9 +291,16 @@ export const getMentionedUsersInTextualContent: ImpureGraphFunction<
         (mention, i, all) =>
           all.findIndex(({ entityId }) => entityId === mention.entityId) === i,
       )
-      .map(({ entityId }) =>
-        getUserById(context, authentication, { entityId }),
-      ),
+      .map(async ({ entityId }) => {
+        const user = await getUser(context, authentication, { entityId });
+
+        if (!user) {
+          throw new Error(
+            `User with entityId ${entityId} doesn't exist or cannot be accessed by requesting user.`,
+          );
+        }
+        return user;
+      }),
   );
 
   return mentionedUsers;