fix: issue 599, throw error if the given user context doesn't contain full id fields

packages/runtime/src/enhancements/policy/index.ts

@@ -5,9 +5,11 @@ import path from 'path';
 import semver from 'semver';
 import { PRISMA_MINIMUM_VERSION } from '../../constants';
 import { AuthUser, DbClientContract } from '../../types';
+import { hasAllFields } from '../../validation';
 import { getDefaultModelMeta } from '../model-meta';
 import { makeProxy } from '../proxy';
 import type { ModelMeta, PolicyDef, ZodSchemas } from '../types';
+import { getIdFields } from '../utils';
 import { PolicyProxyHandler } from './handler';
 
 /**
@@ -70,6 +72,21 @@ export function withPolicy<DbClient extends object>(
     const _modelMeta = options?.modelMeta ?? getDefaultModelMeta();
     const _zodSchemas = options?.zodSchemas ?? getDefaultZodSchemas();
 
+    // validate user context
+    if (context?.user) {
+        const idFields = getIdFields(_modelMeta, 'User');
+        if (
+            !hasAllFields(
+                context.user,
+                idFields.map((f) => f.name)
+            )
+        ) {
+            throw new Error(
+                `Invalid user context: must have valid ID field ${idFields.map((f) => `"${f.name}"`).join(', ')}`
+            );
+        }
+    }
+
     return makeProxy(
         prisma,
         _modelMeta,

packages/runtime/src/enhancements/utils.ts

@@ -18,9 +18,13 @@ export function getModelFields(data: object) {
  * Gets id fields for the given model.
  */
 export function getIdFields(modelMeta: ModelMeta, model: string, throwIfNotFound = false) {
-    const fields = modelMeta.fields[lowerCaseFirst(model)];
+    let fields = modelMeta.fields[lowerCaseFirst(model)];
     if (!fields) {
-        throw new Error(`Unable to load fields for ${model}`);
+        if (throwIfNotFound) {
+            throw new Error(`Unable to load fields for ${model}`);
+        } else {
+            fields = {};
+        }
     }
     const result = Object.values(fields).filter((f) => f.isId);
     if (result.length === 0 && throwIfNotFound) {

tests/integration/tests/enhancements/with-policy/auth.test.ts

@@ -113,8 +113,7 @@ describe('With Policy: auth() test', () => {
         const authDb = withPolicy();
         await expect(authDb.post.update({ where: { id: '1' }, data: { title: 'bcd' } })).toBeRejectedByPolicy();
 
-        const authDb1 = withPolicy({ id: null });
-        await expect(authDb1.post.update({ where: { id: '1' }, data: { title: 'bcd' } })).rejects.toThrow();
+        expect(() => withPolicy({ id: null })).toThrow(/Invalid user context/);
 
         const authDb2 = withPolicy({ id: 'user1' });
         await expect(authDb2.post.update({ where: { id: '1' }, data: { title: 'bcd' } })).toResolveTruthy();
@@ -148,9 +147,6 @@ describe('With Policy: auth() test', () => {
 
         await expect(db.post.update({ where: { id: '1' }, data: { title: 'bcd' } })).toBeRejectedByPolicy();
 
-        const authDb1 = withPolicy({ id: null });
-        await expect(authDb1.post.update({ where: { id: '1' }, data: { title: 'bcd' } })).rejects.toThrow();
-
         const authDb2 = withPolicy({ id: 'user1' });
         await expect(authDb2.post.update({ where: { id: '1' }, data: { title: 'bcd' } })).toResolveTruthy();
     });

tests/integration/tests/enhancements/with-policy/multi-id-fields.test.ts

@@ -124,7 +124,7 @@ describe('With Policy: multiple id fields', () => {
         await prisma.user.create({ data: { x: '1', y: '1' } });
         await prisma.user.create({ data: { x: '1', y: '2' } });
 
-        const anonDb = withPolicy({});
+        const anonDb = withPolicy();
 
         await expect(
             anonDb.m.create({ data: { owner: { connect: { x_y: { x: '1', y: '2' } } } } })