From 98ed136c3e1eb03ba54a4faf1edb3f133461ece7 Mon Sep 17 00:00:00 2001
From: Robert Long <robert@robertlong.me>
Date: Wed, 15 Jul 2020 18:10:39 -0700
Subject: [PATCH 001/138] GraphQL API WIP

---
 lib/ret/hub.ex                         | 16 ++++++++++++
 lib/ret_web/endpoint.ex                |  1 +
 lib/ret_web/resolvers/room_resolver.ex | 28 +++++++++++++++++++++
 lib/ret_web/router.ex                  |  7 ++++++
 lib/ret_web/schema.ex                  | 14 +++++++++++
 lib/ret_web/schema/room_types.ex       | 35 ++++++++++++++++++++++++++
 mix.exs                                |  4 +++
 mix.lock                               |  5 ++++
 8 files changed, 110 insertions(+)
 create mode 100644 lib/ret_web/resolvers/room_resolver.ex
 create mode 100644 lib/ret_web/schema.ex
 create mode 100644 lib/ret_web/schema/room_types.ex

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index f5c16b4ad..f16bf830a 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -133,6 +133,14 @@ defmodule Ret.Hub do
     |> changeset(scene_or_scene_listing, params)
   end
 
+  def create(params) do
+    scene_or_scene_listing = get_scene_or_scene_listing(params)
+
+    %Hub{}
+    |> changeset(scene_or_scene_listing, params)
+    |> Repo.insert()
+  end
+
   defp get_scene_or_scene_listing(params) do
     if is_nil(params["scene_id"]) do
       SceneListing.get_random_default_scene_listing()
@@ -148,6 +156,14 @@ defmodule Ret.Hub do
     end
   end
 
+  def get_public_rooms(page, page_size) do
+    Hub
+      |> where([h], h.allow_promotion and h.entry_mode == ^"allow")
+      |> preload(scene: [:screenshot_owned_file], scene_listing: [:scene, :screenshot_owned_file])
+      |> order_by(desc: :inserted_at)
+      |> Repo.paginate(%{page: page, page_size: page_size})
+  end
+
   def changeset(%Hub{} = hub, %Scene{} = scene, attrs) do
     hub
     |> changeset(nil, attrs)
diff --git a/lib/ret_web/endpoint.ex b/lib/ret_web/endpoint.ex
index ec120ca14..dff9480b0 100644
--- a/lib/ret_web/endpoint.ex
+++ b/lib/ret_web/endpoint.ex
@@ -1,6 +1,7 @@
 defmodule RetWeb.Endpoint do
   use Phoenix.Endpoint, otp_app: :ret
   use Sentry.Phoenix.Endpoint
+  use Absinthe.Phoenix.Endpoint
 
   socket("/socket", RetWeb.SessionSocket, websocket: [check_origin: {RetWeb.Endpoint, :allowed_origin?, []}])
 
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
new file mode 100644
index 000000000..a333e56f6
--- /dev/null
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -0,0 +1,28 @@
+defmodule RetWeb.Resolvers.RoomResolver do
+  alias Ret.Hub
+
+  def list_rooms(_parent, _args, _resolutions) do
+    {:ok, IO.inspect(Hub.get_public_rooms(0, 10))}
+  end
+
+  def create_room(_parent, args, _resolutions) do
+    args
+    |> Hub.create()
+    |> case do
+      {:ok, room} ->
+        {:ok, room}
+
+      {:error, changeset} ->
+        {:error, extract_error_message(changeset)}
+    end
+  end
+
+  defp extract_error_message(changeset) do
+    Enum.map(changeset.errors, fn {field, {error, _details}} ->
+      [
+        field: field,
+        message: String.capitalize(error)
+      ]
+    end)
+  end
+end
\ No newline at end of file
diff --git a/lib/ret_web/router.ex b/lib/ret_web/router.ex
index 56e94c89d..3e302869a 100644
--- a/lib/ret_web/router.ex
+++ b/lib/ret_web/router.ex
@@ -142,6 +142,13 @@ defmodule RetWeb.Router do
     end
   end
 
+  scope "/api/v2", as: :api_v2 do
+    pipe_through([:parsed_body, :api] ++ if(Mix.env() == :prod, do: [:ssl_only], else: []))
+
+    forward "/graphiql", Absinthe.Plug.GraphiQL, schema: RetWeb.Schema
+    forward "/", Absinthe.Plug, schema: RetWeb.Schema
+  end
+
   # Directly accessible APIs.
   # Permit direct file uploads without intermediate ALB/Cloudfront/CDN proxying.
   scope "/api", RetWeb do
diff --git a/lib/ret_web/schema.ex b/lib/ret_web/schema.ex
new file mode 100644
index 000000000..13e0a46c4
--- /dev/null
+++ b/lib/ret_web/schema.ex
@@ -0,0 +1,14 @@
+defmodule RetWeb.Schema do
+  use Absinthe.Schema
+
+  import_types(Absinthe.Type.Custom)
+  import_types(RetWeb.Schema.RoomTypes)
+
+  query do
+    import_fields(:room_queries)
+  end
+
+  mutation do
+    import_fields(:room_mutations)
+  end
+end
\ No newline at end of file
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
new file mode 100644
index 000000000..a3faefbd5
--- /dev/null
+++ b/lib/ret_web/schema/room_types.ex
@@ -0,0 +1,35 @@
+defmodule RetWeb.Schema.RoomTypes do
+  use Absinthe.Schema.Notation
+  alias RetWeb.Resolvers
+
+  object :room do
+    field :hub_sid, :id, name: "id"
+    field :name, :string
+  end
+
+  object :room_list do
+    field(:total_entries, :integer)
+    field(:total_pages, :integer)
+    field(:page_number, :integer)
+    field(:page_size, :integer)
+    field(:entries, list_of(:room))
+  end
+
+  object :room_queries do
+    field :list_rooms, :room_list do
+      resolve(&Resolvers.RoomResolver.list_rooms/3)
+    end
+  end
+
+  object :room_mutations do
+    field :create_room, :room do
+      arg(:name, non_null(:string))
+
+      resolve(&Resolvers.RoomResolver.create_room/3)
+    end
+  end
+
+  object :room_subscriptions do
+    field :room_created, :room
+  end
+end
\ No newline at end of file
diff --git a/mix.exs b/mix.exs
index fc41a4973..ac7cff47a 100644
--- a/mix.exs
+++ b/mix.exs
@@ -41,6 +41,10 @@ defmodule Ret.Mixfile do
       # Avoid 3.4.0 for now bc https://github.com/elixir-ecto/ecto/issues/3246
       {:ecto, "~> 3.3.0"},
       {:ecto_sql, "~> 3.3.0"},
+      {:absinthe, "~> 1.4"},
+      {:dataloader, "~> 1.0.0"},
+      {:absinthe_plug, "~> 1.4"},
+      {:absinthe_phoenix, "~> 1.4.0"},
       {:postgrex, ">= 0.0.0"},
       {:phoenix_html, "~> 2.13"},
       {:phoenix_live_reload, "~> 1.2", only: :dev},
diff --git a/mix.lock b/mix.lock
index a18979f76..06b363ac9 100644
--- a/mix.lock
+++ b/mix.lock
@@ -1,4 +1,8 @@
 %{
+  "absinthe": {:hex, :absinthe, "1.4.16", "0933e4d9f12652b12115d5709c0293a1bf78a22578032e9ad0dad4efee6b9eb1", [:mix], [{:dataloader, "~> 1.0.0", [hex: :dataloader, repo: "hexpm", optional: true]}, {:decimal, "~> 1.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "076b8bd9552f4966ba1242f412f6c439b731169a36a0ddaaffcd3893828f5bf6"},
+  "absinthe_ecto": {:hex, :absinthe_ecto, "0.1.3", "420b68129e79fe4571a4838904ba03e282330d335da47729ad52ffd7b8c5fcb1", [:mix], [{:absinthe, "~> 1.3.0 or ~> 1.4.0", [hex: :absinthe, repo: "hexpm", optional: false]}, {:ecto, ">= 0.0.0", [hex: :ecto, repo: "hexpm", optional: false]}], "hexpm", "355b9db34abfab96ae1e025434b66e11002babcf4fe6b7144d26ff7548985f52"},
+  "absinthe_phoenix": {:hex, :absinthe_phoenix, "1.4.4", "af3b7b44483121f756ea0ec75a536b74f67cdd62ec6a34b9e58df1fb4662389e", [:mix], [{:absinthe, "~> 1.4.0", [hex: :absinthe, repo: "hexpm", optional: false]}, {:absinthe_plug, "~> 1.4.0", [hex: :absinthe_plug, repo: "hexpm", optional: false]}, {:decimal, "~> 1.0", [hex: :decimal, repo: "hexpm", optional: false]}, {:phoenix, "~> 1.4", [hex: :phoenix, repo: "hexpm", optional: false]}, {:phoenix_html, "~> 2.13", [hex: :phoenix_html, repo: "hexpm", optional: true]}, {:phoenix_pubsub, "~> 1.0", [hex: :phoenix_pubsub, repo: "hexpm", optional: false]}], "hexpm", "54118c32ca00257b3cd3e616b3f9cee99e493d2399528334cbb5457e470400d3"},
+  "absinthe_plug": {:hex, :absinthe_plug, "1.4.7", "939b6b9e1c7abc6b399a5b49faa690a1fbb55b195c670aa35783b14b08ccec7a", [:mix], [{:absinthe, "~> 1.4.11", [hex: :absinthe, repo: "hexpm", optional: false]}, {:plug, "~> 1.3.2 or ~> 1.4", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "c6ecb0e56a963287ac252d0563e5b33b84b300ce8203d3d1410dddb5dc6d08e9"},
   "artificery": {:hex, :artificery, "0.4.2", "3ded6e29e13113af52811c72f414d1e88f711410cac1b619ab3a2666bbd7efd4", [:mix], [], "hexpm", "514586f4312ef3709a3ccbd8e55f69455add235c1729656687bb781d10d0afdb"},
   "bamboo": {:hex, :bamboo, "1.4.0", "7b9201c49a843e4802061cf45692405b2c00efcf1cebf8b7b64f015ead072392", [:mix], [{:hackney, ">= 1.13.0", [hex: :hackney, repo: "hexpm", optional: false]}, {:jason, "~> 1.1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:plug, "~> 1.0", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "b9cad03bf38c7f37b6308876039355665b6ce09fefb46dc529cef4def912cffa"},
   "bamboo_smtp": {:hex, :bamboo_smtp, "1.7.0", "f0d213e18ced1f08b551a72221e9b8cfbf23d592b684e9aa1ef5250f4943ef9b", [:mix], [{:bamboo, "~> 1.2", [hex: :bamboo, repo: "hexpm", optional: false]}, {:gen_smtp, "~> 0.14.0", [hex: :gen_smtp, repo: "hexpm", optional: false]}], "hexpm", "6093e44cf93ae70c1e06637a80f71cb24b7a848777b20a52f7036431d7e02249"},
@@ -14,6 +18,7 @@
   "cowlib": {:hex, :cowlib, "2.7.3", "a7ffcd0917e6d50b4d5fb28e9e2085a0ceb3c97dea310505f7460ff5ed764ce9", [:rebar3], [], "hexpm", "1e1a3d176d52daebbecbbcdfd27c27726076567905c2a9d7398c54da9d225761"},
   "credo": {:hex, :credo, "1.3.2", "08d456dcf3c24da162d02953fb07267e444469d8dad3a2ae47794938ea467b3a", [:mix], [{:bunt, "~> 0.2.0", [hex: :bunt, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "b11d28cce1f1f399dddffd42d8e21dcad783309e230f84b70267b1a5546468b6"},
   "crontab": {:hex, :crontab, "1.1.10", "dc9bb1f4299138d47bce38341f5dcbee0aa6c205e864fba7bc847f3b5cb48241", [:mix], [{:ecto, "~> 1.0 or ~> 2.0 or ~> 3.0", [hex: :ecto, repo: "hexpm", optional: true]}], "hexpm", "1347d889d1a0eda997990876b4894359e34bfbbd688acbb0ba28a2795ca40685"},
+  "dataloader": {:hex, :dataloader, "1.0.7", "58351b335673cf40601429bfed6c11fece6ce7ad169b2ac0f0fe83e716587391", [:mix], [{:ecto, ">= 0.0.0", [hex: :ecto, repo: "hexpm", optional: true]}], "hexpm", "12bf66478e4a5085d09dc96932d058c206ee8c219cc7691d12a40dc35c8cefaa"},
   "db_connection": {:hex, :db_connection, "2.2.1", "caee17725495f5129cb7faebde001dc4406796f12a62b8949f4ac69315080566", [:mix], [{:connection, "~> 1.0.2", [hex: :connection, repo: "hexpm", optional: false]}], "hexpm", "2b02ece62d9f983fcd40954e443b7d9e6589664380e5546b2b9b523cd0fb59e1"},
   "decimal": {:hex, :decimal, "1.8.1", "a4ef3f5f3428bdbc0d35374029ffcf4ede8533536fa79896dd450168d9acdf3c", [:mix], [], "hexpm", "3cb154b00225ac687f6cbd4acc4b7960027c757a5152b369923ead9ddbca7aec"},
   "deferred_config": {:hex, :deferred_config, "0.1.1", "ec912e9ee3c99b90a8d4bdec8fbd15309f4bd6729f30789e0ff6f595d06bbce5", [:mix], [], "hexpm", "2eb5311037feb4a6a5dbe3ecc5c98af7ea849730e5dbd9aee0f45c5dbccc3922"},

From 55b1260d7f47a7522fdc8ac47e82a93fa8852b6c Mon Sep 17 00:00:00 2001
From: Robert Long <robert@robertlong.me>
Date: Wed, 15 Jul 2020 18:19:37 -0700
Subject: [PATCH 002/138] Fix formatting and remove inspect

---
 lib/ret/hub.ex                         | 8 ++++----
 lib/ret_web/resolvers/room_resolver.ex | 4 ++--
 lib/ret_web/schema.ex                  | 2 +-
 lib/ret_web/schema/room_types.ex       | 8 ++++----
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index f16bf830a..d3c328290 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -158,10 +158,10 @@ defmodule Ret.Hub do
 
   def get_public_rooms(page, page_size) do
     Hub
-      |> where([h], h.allow_promotion and h.entry_mode == ^"allow")
-      |> preload(scene: [:screenshot_owned_file], scene_listing: [:scene, :screenshot_owned_file])
-      |> order_by(desc: :inserted_at)
-      |> Repo.paginate(%{page: page, page_size: page_size})
+    |> where([h], h.allow_promotion and h.entry_mode == ^"allow")
+    |> preload(scene: [:screenshot_owned_file], scene_listing: [:scene, :screenshot_owned_file])
+    |> order_by(desc: :inserted_at)
+    |> Repo.paginate(%{page: page, page_size: page_size})
   end
 
   def changeset(%Hub{} = hub, %Scene{} = scene, attrs) do
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index a333e56f6..17d48c5e0 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -2,7 +2,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
   alias Ret.Hub
 
   def list_rooms(_parent, _args, _resolutions) do
-    {:ok, IO.inspect(Hub.get_public_rooms(0, 10))}
+    {:ok, Hub.get_public_rooms(0, 10)}
   end
 
   def create_room(_parent, args, _resolutions) do
@@ -25,4 +25,4 @@ defmodule RetWeb.Resolvers.RoomResolver do
       ]
     end)
   end
-end
\ No newline at end of file
+end
diff --git a/lib/ret_web/schema.ex b/lib/ret_web/schema.ex
index 13e0a46c4..a3003a720 100644
--- a/lib/ret_web/schema.ex
+++ b/lib/ret_web/schema.ex
@@ -11,4 +11,4 @@ defmodule RetWeb.Schema do
   mutation do
     import_fields(:room_mutations)
   end
-end
\ No newline at end of file
+end
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index a3faefbd5..1e1b40e4c 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -3,8 +3,8 @@ defmodule RetWeb.Schema.RoomTypes do
   alias RetWeb.Resolvers
 
   object :room do
-    field :hub_sid, :id, name: "id"
-    field :name, :string
+    field(:hub_sid, :id, name: "id")
+    field(:name, :string)
   end
 
   object :room_list do
@@ -30,6 +30,6 @@ defmodule RetWeb.Schema.RoomTypes do
   end
 
   object :room_subscriptions do
-    field :room_created, :room
+    field(:room_created, :room)
   end
-end
\ No newline at end of file
+end

From bd512d59d21ff91f2325838d3e1eedf2cbb6bc75 Mon Sep 17 00:00:00 2001
From: Robert Long <robert@robertlong.me>
Date: Wed, 15 Jul 2020 18:47:00 -0700
Subject: [PATCH 003/138] Use a changeset error handling middleware

---
 .../middlewares/handle_changeset_errors.ex    | 15 +++++++++++++++
 lib/ret_web/resolvers/room_resolver.ex        | 19 +------------------
 lib/ret_web/schema.ex                         |  5 +++++
 3 files changed, 21 insertions(+), 18 deletions(-)
 create mode 100644 lib/ret_web/middlewares/handle_changeset_errors.ex

diff --git a/lib/ret_web/middlewares/handle_changeset_errors.ex b/lib/ret_web/middlewares/handle_changeset_errors.ex
new file mode 100644
index 000000000..a01f15778
--- /dev/null
+++ b/lib/ret_web/middlewares/handle_changeset_errors.ex
@@ -0,0 +1,15 @@
+defmodule RetWeb.Middlewares.HandleChangesetErrors do
+  @behaviour Absinthe.Middleware
+  def call(resolution, _) do
+    %{resolution |
+      errors: Enum.flat_map(resolution.errors, &handle_error/1)
+    }
+  end
+
+  defp handle_error(%Ecto.Changeset{} = changeset) do
+    changeset
+      |> Ecto.Changeset.traverse_errors(fn {err, _opts} -> err end)
+      |> Enum.map(fn({k,v}) -> "#{k}: #{v}" end)
+  end
+  defp handle_error(error), do: [error]
+end
\ No newline at end of file
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 17d48c5e0..dd655154c 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -6,23 +6,6 @@ defmodule RetWeb.Resolvers.RoomResolver do
   end
 
   def create_room(_parent, args, _resolutions) do
-    args
-    |> Hub.create()
-    |> case do
-      {:ok, room} ->
-        {:ok, room}
-
-      {:error, changeset} ->
-        {:error, extract_error_message(changeset)}
-    end
-  end
-
-  defp extract_error_message(changeset) do
-    Enum.map(changeset.errors, fn {field, {error, _details}} ->
-      [
-        field: field,
-        message: String.capitalize(error)
-      ]
-    end)
+    Hub.create(args)
   end
 end
diff --git a/lib/ret_web/schema.ex b/lib/ret_web/schema.ex
index a3003a720..5acb2287b 100644
--- a/lib/ret_web/schema.ex
+++ b/lib/ret_web/schema.ex
@@ -1,6 +1,11 @@
 defmodule RetWeb.Schema do
   use Absinthe.Schema
 
+  def middleware(middleware, _field, %{identifier: :mutation}) do
+    middleware ++ [RetWeb.Middlewares.HandleChangesetErrors]
+  end
+  def middleware(middleware, _field, _object), do: middleware
+
   import_types(Absinthe.Type.Custom)
   import_types(RetWeb.Schema.RoomTypes)
 

From 3da617c737cc7fa4d008c90ca800698f52b085ca Mon Sep 17 00:00:00 2001
From: Robert Long <robert@robertlong.me>
Date: Wed, 15 Jul 2020 19:18:44 -0700
Subject: [PATCH 004/138] Add pagination to public rooms query

---
 lib/ret/hub.ex                         | 4 ++--
 lib/ret/repo.ex                        | 2 +-
 lib/ret_web/resolvers/room_resolver.ex | 4 ++--
 lib/ret_web/schema/room_types.ex       | 2 ++
 4 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index d3c328290..25649853d 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -156,12 +156,12 @@ defmodule Ret.Hub do
     end
   end
 
-  def get_public_rooms(page, page_size) do
+  def get_public_rooms(params) do
     Hub
     |> where([h], h.allow_promotion and h.entry_mode == ^"allow")
     |> preload(scene: [:screenshot_owned_file], scene_listing: [:scene, :screenshot_owned_file])
     |> order_by(desc: :inserted_at)
-    |> Repo.paginate(%{page: page, page_size: page_size})
+    |> Repo.paginate(params)
   end
 
   def changeset(%Hub{} = hub, %Scene{} = scene, attrs) do
diff --git a/lib/ret/repo.ex b/lib/ret/repo.ex
index 188946024..987d9cb40 100644
--- a/lib/ret/repo.ex
+++ b/lib/ret/repo.ex
@@ -1,6 +1,6 @@
 defmodule Ret.Repo do
   use Ecto.Repo, otp_app: :ret, adapter: Ecto.Adapters.Postgres
-  use Scrivener, page_size: 20
+  use Scrivener, page_size: 20, max_page_size: 50
 
   def init(_, opts) do
     {:ok, Keyword.put(opts, :url, System.get_env("DATABASE_URL"))}
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index dd655154c..710d6dacd 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -1,8 +1,8 @@
 defmodule RetWeb.Resolvers.RoomResolver do
   alias Ret.Hub
 
-  def list_rooms(_parent, _args, _resolutions) do
-    {:ok, Hub.get_public_rooms(0, 10)}
+  def list_rooms(_parent, args, _resolutions) do
+    {:ok, Hub.get_public_rooms(args)}
   end
 
   def create_room(_parent, args, _resolutions) do
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index 1e1b40e4c..a5739f4eb 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -17,6 +17,8 @@ defmodule RetWeb.Schema.RoomTypes do
 
   object :room_queries do
     field :list_rooms, :room_list do
+      arg(:page, :integer)
+      arg(:page_size, :integer)
       resolve(&Resolvers.RoomResolver.list_rooms/3)
     end
   end

From d396147cc1b30e8e8c9ecda259784327bef522ba Mon Sep 17 00:00:00 2001
From: Robert Long <robert@robertlong.me>
Date: Wed, 15 Jul 2020 21:21:01 -0700
Subject: [PATCH 005/138] Add myRooms and authenticated routes

---
 lib/ret/hub.ex                         |  8 ++++++++
 lib/ret_web/context.ex                 | 25 +++++++++++++++++++++++++
 lib/ret_web/resolvers/room_resolver.ex | 10 +++++++++-
 lib/ret_web/router.ex                  |  7 +++++--
 lib/ret_web/schema/room_types.ex       | 10 ++++++++--
 5 files changed, 55 insertions(+), 5 deletions(-)
 create mode 100644 lib/ret_web/context.ex

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 25649853d..464231b46 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -156,6 +156,14 @@ defmodule Ret.Hub do
     end
   end
 
+  def get_my_rooms(account, params) do
+    Hub
+    |> where([h], h.created_by_account_id == ^account.account_id)
+    |> preload(scene: [:screenshot_owned_file], scene_listing: [:scene, :screenshot_owned_file])
+    |> order_by(desc: :inserted_at)
+    |> Repo.paginate(params)
+  end
+
   def get_public_rooms(params) do
     Hub
     |> where([h], h.allow_promotion and h.entry_mode == ^"allow")
diff --git a/lib/ret_web/context.ex b/lib/ret_web/context.ex
new file mode 100644
index 000000000..06b0db43f
--- /dev/null
+++ b/lib/ret_web/context.ex
@@ -0,0 +1,25 @@
+defmodule RetWeb.Context do
+  @behaviour Plug
+
+  import Plug.Conn
+  import Ecto.Query, only: [where: 2]
+
+  alias RetWeb.{Repo, User}
+
+  def init(opts), do: opts
+
+  def call(conn, _) do
+    context = build_context(conn)
+    Absinthe.Plug.put_options(conn, context: context)
+  end
+
+  def build_context(conn) do
+    account = Guardian.Plug.current_resource(conn)
+
+    if account do
+      %{account: account}
+    else
+      %{}
+    end
+  end
+end
\ No newline at end of file
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 710d6dacd..1d3ea5f81 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -1,7 +1,15 @@
 defmodule RetWeb.Resolvers.RoomResolver do
   alias Ret.Hub
 
-  def list_rooms(_parent, args, _resolutions) do
+  def my_rooms(_parent, args, %{context: %{account: account} }) do
+    {:ok, Hub.get_my_rooms(account, args)}
+  end
+
+  def my_rooms(_parent, args, _resolutions) do
+    {:error, "Not authorized"}
+  end
+
+  def public_rooms(_parent, args, _resolutions) do
     {:ok, Hub.get_public_rooms(args)}
   end
 
diff --git a/lib/ret_web/router.ex b/lib/ret_web/router.ex
index 3e302869a..2074465b6 100644
--- a/lib/ret_web/router.ex
+++ b/lib/ret_web/router.ex
@@ -65,6 +65,10 @@ defmodule RetWeb.Router do
     plug(RetWeb.Plugs.RedirectToMainDomain)
   end
 
+  pipeline :graphql do
+    plug RetWeb.Context
+  end
+
   scope "/health", RetWeb do
     get("/", HealthController, :index)
   end
@@ -143,8 +147,7 @@ defmodule RetWeb.Router do
   end
 
   scope "/api/v2", as: :api_v2 do
-    pipe_through([:parsed_body, :api] ++ if(Mix.env() == :prod, do: [:ssl_only], else: []))
-
+    pipe_through([:parsed_body, :api, :auth_optional, :graphql] ++ if(Mix.env() == :prod, do: [:ssl_only], else: []))
     forward "/graphiql", Absinthe.Plug.GraphiQL, schema: RetWeb.Schema
     forward "/", Absinthe.Plug, schema: RetWeb.Schema
   end
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index a5739f4eb..7865d169a 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -16,10 +16,16 @@ defmodule RetWeb.Schema.RoomTypes do
   end
 
   object :room_queries do
-    field :list_rooms, :room_list do
+    field :my_rooms, :room_list do
       arg(:page, :integer)
       arg(:page_size, :integer)
-      resolve(&Resolvers.RoomResolver.list_rooms/3)
+      resolve(&Resolvers.RoomResolver.my_rooms/3)
+    end
+
+    field :public_rooms, :room_list do
+      arg(:page, :integer)
+      arg(:page_size, :integer)
+      resolve(&Resolvers.RoomResolver.public_rooms/3)
     end
   end
 

From 8ea148a70deb9007a65a7cdebb213086e1799274 Mon Sep 17 00:00:00 2001
From: Robert Long <robert@robertlong.me>
Date: Wed, 15 Jul 2020 21:51:41 -0700
Subject: [PATCH 006/138] Add favorite rooms query

---
 lib/ret/hub.ex                         | 14 ++++++++++++--
 lib/ret_web/resolvers/room_resolver.ex |  8 ++++++++
 lib/ret_web/schema/room_types.ex       |  6 ++++++
 3 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 464231b46..5e06bfb21 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -24,7 +24,8 @@ defmodule Ret.Hub do
     RoomAssigner,
     BitFieldUtils,
     HubRoleMembership,
-    AppConfig
+    AppConfig,
+    AccountFavorite
   }
 
   alias Ret.Hub.{HubSlug}
@@ -158,12 +159,21 @@ defmodule Ret.Hub do
 
   def get_my_rooms(account, params) do
     Hub
-    |> where([h], h.created_by_account_id == ^account.account_id)
+    |> where([h], h.created_by_account_id == ^account.account_id and h.entry_mode == ^"allow")
     |> preload(scene: [:screenshot_owned_file], scene_listing: [:scene, :screenshot_owned_file])
     |> order_by(desc: :inserted_at)
     |> Repo.paginate(params)
   end
 
+  def get_favorite_rooms(account, params) do
+    Hub
+    |> where([h], h.entry_mode == ^"allow")
+    |> join(:inner, [h], f in AccountFavorite, on: f.hub_id == h.hub_id and f.account_id == ^account.account_id)
+    |> order_by([h, f], desc: f.last_activated_at)
+    |> preload(scene: [:screenshot_owned_file], scene_listing: [:scene, :screenshot_owned_file])
+    |> Repo.paginate(params)
+  end
+
   def get_public_rooms(params) do
     Hub
     |> where([h], h.allow_promotion and h.entry_mode == ^"allow")
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 1d3ea5f81..6e8f5f98a 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -9,6 +9,14 @@ defmodule RetWeb.Resolvers.RoomResolver do
     {:error, "Not authorized"}
   end
 
+  def favorite_rooms(_parent, args, %{context: %{account: account} }) do
+    {:ok, Hub.get_favorite_rooms(account, args)}
+  end
+
+  def favorite_rooms(_parent, args, _resolutions) do
+    {:error, "Not authorized"}
+  end
+
   def public_rooms(_parent, args, _resolutions) do
     {:ok, Hub.get_public_rooms(args)}
   end
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index 7865d169a..408d04ab6 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -27,6 +27,12 @@ defmodule RetWeb.Schema.RoomTypes do
       arg(:page_size, :integer)
       resolve(&Resolvers.RoomResolver.public_rooms/3)
     end
+
+    field :favorite_rooms, :room_list do
+      arg(:page, :integer)
+      arg(:page_size, :integer)
+      resolve(&Resolvers.RoomResolver.favorite_rooms/3)
+    end
   end
 
   object :room_mutations do

From c28f8fb9c9e0ada2e718407602407e45f6fcda3f Mon Sep 17 00:00:00 2001
From: Robert Long <robert@robertlong.me>
Date: Wed, 15 Jul 2020 23:57:10 -0700
Subject: [PATCH 007/138] Add more room and scene fields

---
 lib/ret/hub.ex                         | 14 +++++++
 lib/ret_web/resolvers/room_resolver.ex | 41 +++++++++++++++++++++
 lib/ret_web/schema.ex                  |  1 +
 lib/ret_web/schema/room_types.ex       | 51 ++++++++++++++++++++++++++
 lib/ret_web/schema/scene_types.ex      | 23 ++++++++++++
 5 files changed, 130 insertions(+)
 create mode 100644 lib/ret_web/schema/scene_types.ex

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 5e06bfb21..62ffcfd3c 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -383,6 +383,15 @@ defmodule Ret.Hub do
     hub.room_size || AppConfig.get_cached_config_value("features|default_room_size")
   end
 
+  def scene_or_scene_listing_for(%Hub{} = hub) do
+    case hub.scene || hub.scene_listing do
+      nil -> nil
+      %Scene{state: :removed} -> nil
+      %SceneListing{state: :delisted} -> nil
+      scene -> scene
+    end
+  end
+
   defp changeset_for_new_entry_code(%Hub{} = hub) do
     hub
     |> Ecto.Changeset.change()
@@ -576,6 +585,11 @@ defmodule Ret.Hub do
     |> Map.new(fn {k, v} -> {Atom.to_string(k), v} end)
   end
 
+  def member_permissions_for_hub_as_atoms(%Hub{} = hub) do
+    hub.member_permissions
+    |> BitFieldUtils.permissions_to_map(@member_permissions)
+  end
+
   # The account argument here can be a Ret.Account, a Ret.OAuthProvider or nil.
   def perms_for_account(%Ret.Hub{} = hub, account) do
     %{
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 6e8f5f98a..5b19963e5 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -1,5 +1,6 @@
 defmodule RetWeb.Resolvers.RoomResolver do
   alias Ret.Hub
+  import Canada, only: [can?: 2]
 
   def my_rooms(_parent, args, %{context: %{account: account} }) do
     {:ok, Hub.get_my_rooms(account, args)}
@@ -24,4 +25,44 @@ defmodule RetWeb.Resolvers.RoomResolver do
   def create_room(_parent, args, _resolutions) do
     Hub.create(args)
   end
+
+  def embed_token(hub, _args, %{context: %{account: account} }) do
+    if account |> can?(embed_hub(hub)) do
+      {:ok, hub.embed_token}
+    else
+      {:ok, nil}  
+    end
+  end
+
+  def embed_token(_hub, _args, _resolutions) do
+    {:ok, nil}
+  end
+
+  def port(_hub, _args, _resolutions) do
+    {:ok, Hub.janus_port()}
+  end
+
+  def turn(_hub, _args, _resolutions) do
+    {:ok, Hub.generate_turn_info()}
+  end  
+
+  def member_permissions(hub, _args, _resolutions) do
+    {:ok, Hub.member_permissions_for_hub_as_atoms(hub)}
+  end
+
+  def room_size(hub, _args, _resolutions) do
+    {:ok, Hub.room_size_for(hub)}
+  end
+
+  def member_count(hub, _args, _resolutions) do
+    {:ok, Hub.member_count_for(hub)}
+  end
+
+  def lobby_count(hub, _args, _resolutions) do
+    {:ok, Hub.lobby_count_for(hub)}
+  end
+
+  def scene(hub, _args, _resolutions) do
+    {:ok, Hub.scene_or_scene_listing_for(hub)}
+  end
 end
diff --git a/lib/ret_web/schema.ex b/lib/ret_web/schema.ex
index 5acb2287b..22608b276 100644
--- a/lib/ret_web/schema.ex
+++ b/lib/ret_web/schema.ex
@@ -8,6 +8,7 @@ defmodule RetWeb.Schema do
 
   import_types(Absinthe.Type.Custom)
   import_types(RetWeb.Schema.RoomTypes)
+  import_types(RetWeb.Schema.SceneTypes)
 
   query do
     import_fields(:room_queries)
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index 408d04ab6..26d43ba82 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -2,9 +2,60 @@ defmodule RetWeb.Schema.RoomTypes do
   use Absinthe.Schema.Notation
   alias RetWeb.Resolvers
 
+  object :turn_transport do
+    field(:port, :integer)
+  end
+
+  object :turn_info do
+    field(:credential, :string)
+    field(:enabled, :boolean)
+    field(:transports, list_of(:turn_transport))
+    field(:username, :string)
+  end
+
+  object :member_permissions do
+    field(:spawn_and_move_media, :boolean)
+    field(:spawn_camera, :boolean)
+    field(:spawn_drawing, :boolean)
+    field(:pin_objects, :boolean)
+    field(:spawn_emoji, :boolean)
+    field(:fly, :boolean)
+  end
+
   object :room do
     field(:hub_sid, :id, name: "id")
     field(:name, :string)
+    field(:slug, :string)
+    field(:description, :string)
+    field(:allow_promotion, :boolean)
+    field(:entry_code, :string)
+    field(:entry_mode, :string)
+    field(:host, :string)
+    field(:port, :integer) do
+      resolve(&Resolvers.RoomResolver.port/3)
+    end
+    field(:turn, :turn_info) do
+      resolve(&Resolvers.RoomResolver.turn/3)
+    end
+    field(:embed_token, :string) do
+      resolve(&Resolvers.RoomResolver.embed_token/3)
+    end
+    field(:member_permissions, :member_permissions) do
+      resolve(&Resolvers.RoomResolver.member_permissions/3)
+    end
+    field(:room_size, :integer) do
+      resolve(&Resolvers.RoomResolver.room_size/3)
+    end
+    field(:member_count, :integer) do
+      resolve(&Resolvers.RoomResolver.member_count/3)
+    end
+    field(:lobby_count, :integer) do
+      resolve(&Resolvers.RoomResolver.lobby_count/3)
+    end
+    field(:scene, :scene_or_scene_listing) do
+      resolve(&Resolvers.RoomResolver.scene/3)
+    end
+    # TODO: Figure out user_data
   end
 
   object :room_list do
diff --git a/lib/ret_web/schema/scene_types.ex b/lib/ret_web/schema/scene_types.ex
new file mode 100644
index 000000000..2c19153a7
--- /dev/null
+++ b/lib/ret_web/schema/scene_types.ex
@@ -0,0 +1,23 @@
+defmodule RetWeb.Schema.SceneTypes do
+  use Absinthe.Schema.Notation
+  alias RetWeb.Resolvers
+  alias Ret.{Scene, SceneListing}
+
+  union :scene_or_scene_listing do
+    types [:scene, :scene_listing]
+    resolve_type fn
+      %Scene{}, _ -> :scene
+      %SceneListing{}, _ -> :scene_listing
+    end
+  end
+
+  object :scene do
+    field(:scene_sid, :id, name: "id")
+    field(:name, :string)
+  end
+
+  object :scene_listing do
+    field(:scene_listing_sid, :id, name: "id")
+    field(:name, :string)
+  end
+end

From 6e718e1551cfa3e76ddc2d41b77c449c1cc0b36f Mon Sep 17 00:00:00 2001
From: Robert Long <robert@robertlong.me>
Date: Thu, 16 Jul 2020 00:52:42 -0700
Subject: [PATCH 008/138] Use dataloader for batch fetching scenes

---
 lib/ret/hub.ex                   |  3 ---
 lib/ret/scene.ex                 |  7 +++++++
 lib/ret_web/schema.ex            | 14 ++++++++++++++
 lib/ret_web/schema/room_types.ex |  4 +++-
 4 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 62ffcfd3c..b97020b9b 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -160,7 +160,6 @@ defmodule Ret.Hub do
   def get_my_rooms(account, params) do
     Hub
     |> where([h], h.created_by_account_id == ^account.account_id and h.entry_mode == ^"allow")
-    |> preload(scene: [:screenshot_owned_file], scene_listing: [:scene, :screenshot_owned_file])
     |> order_by(desc: :inserted_at)
     |> Repo.paginate(params)
   end
@@ -170,14 +169,12 @@ defmodule Ret.Hub do
     |> where([h], h.entry_mode == ^"allow")
     |> join(:inner, [h], f in AccountFavorite, on: f.hub_id == h.hub_id and f.account_id == ^account.account_id)
     |> order_by([h, f], desc: f.last_activated_at)
-    |> preload(scene: [:screenshot_owned_file], scene_listing: [:scene, :screenshot_owned_file])
     |> Repo.paginate(params)
   end
 
   def get_public_rooms(params) do
     Hub
     |> where([h], h.allow_promotion and h.entry_mode == ^"allow")
-    |> preload(scene: [:screenshot_owned_file], scene_listing: [:scene, :screenshot_owned_file])
     |> order_by(desc: :inserted_at)
     |> Repo.paginate(params)
   end
diff --git a/lib/ret/scene.ex b/lib/ret/scene.ex
index cbc4cbe5e..cc30c3fa8 100644
--- a/lib/ret/scene.ex
+++ b/lib/ret/scene.ex
@@ -9,6 +9,7 @@ end
 defmodule Ret.Scene do
   use Ecto.Schema
   import Ecto.Changeset
+  import Ecto.Query
 
   alias Ret.{Repo, Scene, SceneListing, Project, Storage}
   alias Ret.Scene.{SceneSlug}
@@ -54,6 +55,12 @@ defmodule Ret.Scene do
     timestamps()
   end
 
+  # Dataloader
+  def data(), do: Dataloader.Ecto.new(Repo, query: &query/2)
+  # Guard against loading removed or delested scenes/scene listings
+  def query(Scene, _), do: from s in Scene, where: s.state != ^:removed
+  def query(SceneListing, _), do: from sl in SceneListing, where: sl.state != ^:delisted
+
   def scene_or_scene_listing_by_sid(sid) do
     Scene |> Repo.get_by(scene_sid: sid) ||
       SceneListing |> Repo.get_by(scene_listing_sid: sid) |> Repo.preload(scene: Scene.scene_preloads())
diff --git a/lib/ret_web/schema.ex b/lib/ret_web/schema.ex
index 22608b276..47fc2f83a 100644
--- a/lib/ret_web/schema.ex
+++ b/lib/ret_web/schema.ex
@@ -1,5 +1,6 @@
 defmodule RetWeb.Schema do
   use Absinthe.Schema
+  alias Ret.Scene
 
   def middleware(middleware, _field, %{identifier: :mutation}) do
     middleware ++ [RetWeb.Middlewares.HandleChangesetErrors]
@@ -17,4 +18,17 @@ defmodule RetWeb.Schema do
   mutation do
     import_fields(:room_mutations)
   end
+
+  def context(ctx) do
+    loader =
+      Dataloader.new
+      |> Dataloader.add_source(Scene, Scene.data())
+  
+    Map.put(ctx, :loader, loader)
+  end
+  
+  def plugins do
+    [Absinthe.Middleware.Dataloader] ++ Absinthe.Plugin.defaults()
+  end
+  
 end
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index 26d43ba82..0a2b3a2a1 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -1,6 +1,8 @@
 defmodule RetWeb.Schema.RoomTypes do
   use Absinthe.Schema.Notation
   alias RetWeb.Resolvers
+  alias Ret.Scene
+  import Absinthe.Resolution.Helpers, only: [dataloader: 1]
 
   object :turn_transport do
     field(:port, :integer)
@@ -53,7 +55,7 @@ defmodule RetWeb.Schema.RoomTypes do
       resolve(&Resolvers.RoomResolver.lobby_count/3)
     end
     field(:scene, :scene_or_scene_listing) do
-      resolve(&Resolvers.RoomResolver.scene/3)
+      resolve(dataloader(Scene))
     end
     # TODO: Figure out user_data
   end

From b269d9ba81c791567f03b3f2f405562d592d50ba Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 11:26:09 -0700
Subject: [PATCH 009/138] Fix typo in comment

---
 lib/ret/scene.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ret/scene.ex b/lib/ret/scene.ex
index cc30c3fa8..e4a1a761a 100644
--- a/lib/ret/scene.ex
+++ b/lib/ret/scene.ex
@@ -57,7 +57,7 @@ defmodule Ret.Scene do
 
   # Dataloader
   def data(), do: Dataloader.Ecto.new(Repo, query: &query/2)
-  # Guard against loading removed or delested scenes/scene listings
+  # Guard against loading removed scenes or delisted scene listings
   def query(Scene, _), do: from s in Scene, where: s.state != ^:removed
   def query(SceneListing, _), do: from sl in SceneListing, where: sl.state != ^:delisted
 

From ada62762aac46c74137bbe9e64c8e1cebe35fb1e Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 11:26:28 -0700
Subject: [PATCH 010/138] specify preferred json codec

---
 lib/ret_web/router.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ret_web/router.ex b/lib/ret_web/router.ex
index 2074465b6..539b1c8a9 100644
--- a/lib/ret_web/router.ex
+++ b/lib/ret_web/router.ex
@@ -148,7 +148,7 @@ defmodule RetWeb.Router do
 
   scope "/api/v2", as: :api_v2 do
     pipe_through([:parsed_body, :api, :auth_optional, :graphql] ++ if(Mix.env() == :prod, do: [:ssl_only], else: []))
-    forward "/graphiql", Absinthe.Plug.GraphiQL, schema: RetWeb.Schema
+    forward "/graphiql", Absinthe.Plug.GraphiQL, json_codec: Jason, schema: RetWeb.Schema
     forward "/", Absinthe.Plug, schema: RetWeb.Schema
   end
 

From bdc1f8d846f7f56331b123c0a9fd0d3a0c6b3c80 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 14:09:04 -0700
Subject: [PATCH 011/138] Add test cases for room query

---
 test/api/v2/room_query_test.exs | 86 +++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 test/api/v2/room_query_test.exs

diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
new file mode 100644
index 000000000..24c14e2d9
--- /dev/null
+++ b/test/api/v2/room_query_test.exs
@@ -0,0 +1,86 @@
+defmodule RoomQueryTest do
+  @moduledoc """
+  Test absinthe queries on rooms
+  """
+
+  use ExUnit.Case
+  use RetWeb.ConnCase
+  import Ret.TestHelpers
+
+  setup_all do
+    Absinthe.Test.prime(RetWeb.Schema)
+  end
+
+  test "anyone can query for public rooms", %{conn: conn} do
+    account = create_random_account()
+    scene = create_scene(account)
+    {:ok, hub: public_hub} = create_public_hub(%{scene: scene})
+
+    query = """
+    query {
+      publicRooms {
+       entries {
+         id
+       }
+      }
+    }
+    """
+
+    res =
+      conn
+      |> post("/api/v2/graphiql", %{
+        "query" => query,
+        "variables" => "{}"
+      })
+      |> json_response(200)
+
+    rooms = res["data"]["publicRooms"]["entries"]
+    assert List.first(rooms)["id"] == public_hub.hub_sid
+  end
+
+  test "private room queries require authentication", %{conn: conn} do
+    account = create_random_account()
+    scene = create_scene(account)
+    {:ok, hub: hub} = create_hub(%{scene: scene})
+    hub
+    |> Ret.Repo.preload(created_by_account: [])
+    |> Ret.Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
+    |> Ret.Repo.update!()
+
+    query = """
+    query {
+      myRooms {
+       entries {
+         id
+       }
+      }
+    }
+    """
+
+    # Query without auth header
+    res =
+      conn
+      |> post("/api/v2/graphiql", %{
+        "query" => query,
+        "variables" => "{}"
+      })
+      |> json_response(200)
+    assert is_nil(res["data"]["myRooms"])
+    error = List.first(res["errors"])
+    assert error["message"] == "Not authorized"
+    assert List.first(error["path"]) == "myRooms"
+
+    # Query with auth header
+    {:ok, token, _claims} = Ret.Guardian.encode_and_sign(account)
+    auth_res =
+      conn
+      |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
+      |> post("/api/v2/graphiql", %{
+        "query" => query,
+        "variables" => "{}"
+      })
+      |> json_response(200)
+    rooms = auth_res["data"]["myRooms"]["entries"]
+    assert List.first(rooms)["id"] == hub.hub_sid
+  end
+end

From 125769cc09fa48e4be788fd772fc03313acf7654 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 14:38:30 -0700
Subject: [PATCH 012/138] DRY up tests

---
 test/api/v2/room_query_test.exs | 162 +++++++++++++++++++++++++++-----
 1 file changed, 137 insertions(+), 25 deletions(-)

diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index 24c14e2d9..c4a28f1ca 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -11,12 +11,7 @@ defmodule RoomQueryTest do
     Absinthe.Test.prime(RetWeb.Schema)
   end
 
-  test "anyone can query for public rooms", %{conn: conn} do
-    account = create_random_account()
-    scene = create_scene(account)
-    {:ok, hub: public_hub} = create_public_hub(%{scene: scene})
-
-    query = """
+  @query_public_rooms """
     query {
       publicRooms {
        entries {
@@ -24,12 +19,48 @@ defmodule RoomQueryTest do
        }
       }
     }
-    """
+  """
+
+  @query_my_rooms """
+    query {
+      myRooms {
+       entries {
+         id
+       }
+      }
+    }
+  """
+
+  @query_favorite_rooms """
+    query {
+      favoriteRooms {
+       entries {
+         id
+       }
+      }
+    }
+  """
+
+  setup _context do
+    account = create_random_account()
+    account2 = create_random_account()
+    scene = create_scene(account)
+    {:ok, hub: hub} = create_hub(%{scene: scene})
+    {:ok, hub: public_hub} = create_public_hub(%{scene: scene})
+
+    %{
+      account: account,
+      account2: account2,
+      hub: hub,
+      public_hub: public_hub
+    }
+  end
 
+  test "anyone can query for public rooms", %{conn: conn, public_hub: public_hub} do
     res =
       conn
       |> post("/api/v2/graphiql", %{
-        "query" => query,
+        "query" => @query_public_rooms,
         "variables" => "{}"
       })
       |> json_response(200)
@@ -38,49 +69,130 @@ defmodule RoomQueryTest do
     assert List.first(rooms)["id"] == public_hub.hub_sid
   end
 
-  test "private room queries require authentication", %{conn: conn} do
-    account = create_random_account()
-    scene = create_scene(account)
-    {:ok, hub: hub} = create_hub(%{scene: scene})
+  test "cannot query my rooms without authentication", %{conn: conn, account: account, hub: hub} do
     hub
     |> Ret.Repo.preload(created_by_account: [])
     |> Ret.Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
     |> Ret.Repo.update!()
 
-    query = """
-    query {
-      myRooms {
-       entries {
-         id
-       }
-      }
-    }
-    """
-
     # Query without auth header
     res =
       conn
       |> post("/api/v2/graphiql", %{
-        "query" => query,
+        "query" => @query_my_rooms,
         "variables" => "{}"
       })
       |> json_response(200)
+
     assert is_nil(res["data"]["myRooms"])
     error = List.first(res["errors"])
     assert error["message"] == "Not authorized"
     assert List.first(error["path"]) == "myRooms"
+  end
+
+  test "anyone can query for their own rooms when authenticated", %{
+    conn: conn,
+    account: account,
+    hub: hub
+  } do
+    hub
+    |> Ret.Repo.preload(created_by_account: [])
+    |> Ret.Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
+    |> Ret.Repo.update!()
 
-    # Query with auth header
     {:ok, token, _claims} = Ret.Guardian.encode_and_sign(account)
+
+    auth_res =
+      conn
+      |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
+      |> post("/api/v2/graphiql", %{
+        "query" => @query_my_rooms,
+        "variables" => "{}"
+      })
+      |> json_response(200)
+
+    rooms = auth_res["data"]["myRooms"]["entries"]
+    assert List.first(rooms)["id"] == hub.hub_sid
+  end
+
+  test "my rooms only returns my own rooms", %{conn: conn, account: account, account2: account2, hub: hub} do
+    hub
+    |> Ret.Repo.preload(created_by_account: [])
+    |> Ret.Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
+    |> Ret.Repo.update!()
+
+    {:ok, token, _claims} = Ret.Guardian.encode_and_sign(account2)
+
     auth_res =
       conn
       |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
       |> post("/api/v2/graphiql", %{
-        "query" => query,
+        "query" => @query_my_rooms,
         "variables" => "{}"
       })
       |> json_response(200)
+
     rooms = auth_res["data"]["myRooms"]["entries"]
+    assert Enum.empty?(rooms)
+  end
+
+  test "cannot query favorite rooms without authentication", %{conn: conn, account: account, hub: hub} do
+    Ret.AccountFavorite.ensure_favorited(hub, account)
+
+    # Query without auth header
+    res =
+      conn
+      |> post("/api/v2/graphiql", %{
+        "query" => @query_favorite_rooms,
+        "variables" => "{}"
+      })
+      |> json_response(200)
+
+    assert is_nil(res["data"]["favoriteRooms"])
+    error = List.first(res["errors"])
+    assert error["message"] == "Not authorized"
+    assert List.first(error["path"]) == "favoriteRooms"
+  end
+
+  test "anyone can query favorite rooms when authenticated", %{conn: conn, account: account, hub: hub} do
+    Ret.AccountFavorite.ensure_favorited(hub, account)
+
+    # Query with auth header
+    {:ok, token, _claims} = Ret.Guardian.encode_and_sign(account)
+
+    res =
+      conn
+      |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
+      |> post("/api/v2/graphiql", %{
+        "query" => @query_favorite_rooms,
+        "variables" => "{}"
+      })
+      |> json_response(200)
+
+    rooms = res["data"]["favoriteRooms"]["entries"]
     assert List.first(rooms)["id"] == hub.hub_sid
   end
+
+  test "favorite rooms only returns your own favorites", %{
+    conn: conn,
+    account: account,
+    account2: account2,
+    hub: hub
+  } do
+    Ret.AccountFavorite.ensure_favorited(hub, account)
+
+    {:ok, token, _claims} = Ret.Guardian.encode_and_sign(account2)
+
+    res =
+      conn
+      |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
+      |> post("/api/v2/graphiql", %{
+        "query" => @query_favorite_rooms,
+        "variables" => "{}"
+      })
+      |> json_response(200)
+
+    rooms = res["data"]["favoriteRooms"]["entries"]
+    assert Enum.empty?(rooms)
+  end
 end

From 6883a09413e682f80bbee8d601230e863500dd9d Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 14:39:32 -0700
Subject: [PATCH 013/138] Remove unused "variables" from tests

---
 test/api/v2/room_query_test.exs | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index c4a28f1ca..154117113 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -60,8 +60,7 @@ defmodule RoomQueryTest do
     res =
       conn
       |> post("/api/v2/graphiql", %{
-        "query" => @query_public_rooms,
-        "variables" => "{}"
+        "query" => @query_public_rooms
       })
       |> json_response(200)
 
@@ -79,8 +78,7 @@ defmodule RoomQueryTest do
     res =
       conn
       |> post("/api/v2/graphiql", %{
-        "query" => @query_my_rooms,
-        "variables" => "{}"
+        "query" => @query_my_rooms
       })
       |> json_response(200)
 
@@ -106,8 +104,7 @@ defmodule RoomQueryTest do
       conn
       |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
       |> post("/api/v2/graphiql", %{
-        "query" => @query_my_rooms,
-        "variables" => "{}"
+        "query" => @query_my_rooms
       })
       |> json_response(200)
 
@@ -127,8 +124,7 @@ defmodule RoomQueryTest do
       conn
       |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
       |> post("/api/v2/graphiql", %{
-        "query" => @query_my_rooms,
-        "variables" => "{}"
+        "query" => @query_my_rooms
       })
       |> json_response(200)
 
@@ -143,8 +139,7 @@ defmodule RoomQueryTest do
     res =
       conn
       |> post("/api/v2/graphiql", %{
-        "query" => @query_favorite_rooms,
-        "variables" => "{}"
+        "query" => @query_favorite_rooms
       })
       |> json_response(200)
 
@@ -164,8 +159,7 @@ defmodule RoomQueryTest do
       conn
       |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
       |> post("/api/v2/graphiql", %{
-        "query" => @query_favorite_rooms,
-        "variables" => "{}"
+        "query" => @query_favorite_rooms
       })
       |> json_response(200)
 
@@ -187,8 +181,7 @@ defmodule RoomQueryTest do
       conn
       |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
       |> post("/api/v2/graphiql", %{
-        "query" => @query_favorite_rooms,
-        "variables" => "{}"
+        "query" => @query_favorite_rooms
       })
       |> json_response(200)
 

From 1a5853f69397abf8403f9682413d2c836cb0ff0c Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 14:43:43 -0700
Subject: [PATCH 014/138] DRY : add assign_creator function

---
 test/api/v2/room_query_test.exs | 15 +++------------
 test/support/test_helpers.ex    |  8 ++++++++
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index 154117113..e20edb24c 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -69,10 +69,7 @@ defmodule RoomQueryTest do
   end
 
   test "cannot query my rooms without authentication", %{conn: conn, account: account, hub: hub} do
-    hub
-    |> Ret.Repo.preload(created_by_account: [])
-    |> Ret.Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
-    |> Ret.Repo.update!()
+    assign_creator(hub, account)
 
     # Query without auth header
     res =
@@ -93,10 +90,7 @@ defmodule RoomQueryTest do
     account: account,
     hub: hub
   } do
-    hub
-    |> Ret.Repo.preload(created_by_account: [])
-    |> Ret.Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
-    |> Ret.Repo.update!()
+    assign_creator(hub, account)
 
     {:ok, token, _claims} = Ret.Guardian.encode_and_sign(account)
 
@@ -113,10 +107,7 @@ defmodule RoomQueryTest do
   end
 
   test "my rooms only returns my own rooms", %{conn: conn, account: account, account2: account2, hub: hub} do
-    hub
-    |> Ret.Repo.preload(created_by_account: [])
-    |> Ret.Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
-    |> Ret.Repo.update!()
+    assign_creator(hub, account)
 
     {:ok, token, _claims} = Ret.Guardian.encode_and_sign(account2)
 
diff --git a/test/support/test_helpers.ex b/test/support/test_helpers.ex
index b57418f80..583c947ef 100644
--- a/test/support/test_helpers.ex
+++ b/test/support/test_helpers.ex
@@ -212,4 +212,12 @@ defmodule Ret.TestHelpers do
 
     conn |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
   end
+
+  def assign_creator(hub, account) do
+    hub
+    |> Ret.Repo.preload(created_by_account: [])
+    |> Ret.Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
+    |> Ret.Repo.update!()
+  end
+
 end

From b585a8c751a2074a6c6a43065708bc4424022e69 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 14:46:06 -0700
Subject: [PATCH 015/138] Rename put_auth_header_for_email

---
 test/ret_web/controllers/api/app_config_controller_test.exs | 4 ++--
 test/ret_web/controllers/api/hub_controller_test.exs        | 2 +-
 test/support/conn_case.ex                                   | 2 +-
 test/support/test_helpers.ex                                | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/test/ret_web/controllers/api/app_config_controller_test.exs b/test/ret_web/controllers/api/app_config_controller_test.exs
index eed31a809..3f515fc56 100644
--- a/test/ret_web/controllers/api/app_config_controller_test.exs
+++ b/test/ret_web/controllers/api/app_config_controller_test.exs
@@ -8,7 +8,7 @@ defmodule RetWeb.AppConfigControllerTest do
 
   test "admins can create app configs", %{conn: conn} do
     conn
-    |> Ret.TestHelpers.put_auth_header_for_account("admin@mozilla.com")
+    |> Ret.TestHelpers.put_auth_header_for_email("admin@mozilla.com")
     |> create_app_config(%{"test-config" => "foo"})
     |> response(200)
 
@@ -18,7 +18,7 @@ defmodule RetWeb.AppConfigControllerTest do
   test "non-admins cannot create app configs", %{conn: conn} do
     %{status: 401} =
       conn
-      |> Ret.TestHelpers.put_auth_header_for_account("test2@mozilla.com")
+      |> Ret.TestHelpers.put_auth_header_for_email("test2@mozilla.com")
       |> create_app_config(%{"test-config" => "bar"})
   end
 
diff --git a/test/ret_web/controllers/api/hub_controller_test.exs b/test/ret_web/controllers/api/hub_controller_test.exs
index 6f848214a..59c6dc5e7 100644
--- a/test/ret_web/controllers/api/hub_controller_test.exs
+++ b/test/ret_web/controllers/api/hub_controller_test.exs
@@ -28,7 +28,7 @@ defmodule RetWeb.HubControllerTest do
     disabled_account |> Ecto.Changeset.change(state: :disabled) |> Ret.Repo.update!()
 
     conn
-    |> put_auth_header_for_account("disabled_account@mozilla.com")
+    |> put_auth_header_for_email("disabled_account@mozilla.com")
     |> create_hub("Test Hub")
     |> response(401)
   end
diff --git a/test/support/conn_case.ex b/test/support/conn_case.ex
index 7fdd8f9ee..a7538b1bd 100644
--- a/test/support/conn_case.ex
+++ b/test/support/conn_case.ex
@@ -37,7 +37,7 @@ defmodule RetWeb.ConnCase do
 
     conn =
       if tags[:authenticated] do
-        conn |> Ret.TestHelpers.put_auth_header_for_account("test@mozilla.com")
+        conn |> Ret.TestHelpers.put_auth_header_for_email("test@mozilla.com")
       else
         conn
       end
diff --git a/test/support/test_helpers.ex b/test/support/test_helpers.ex
index 583c947ef..c956ee054 100644
--- a/test/support/test_helpers.ex
+++ b/test/support/test_helpers.ex
@@ -204,7 +204,7 @@ defmodule Ret.TestHelpers do
     File.rm_rf(Application.get_env(:ret, Storage)[:storage_path])
   end
 
-  def put_auth_header_for_account(conn, email) do
+  def put_auth_header_for_email(conn, email) do
     {:ok, token, _claims} =
       email
       |> Ret.Account.find_or_create_account_for_email()

From 002f1e948b01cf5d6ac44d5cd34779badbc0fff6 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 14:51:38 -0700
Subject: [PATCH 016/138] DRY: put_auth_header_for_account

---
 test/api/v2/room_query_test.exs | 17 ++++-------------
 test/support/test_helpers.ex    | 10 +++++-----
 2 files changed, 9 insertions(+), 18 deletions(-)

diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index e20edb24c..68a09344f 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -92,11 +92,9 @@ defmodule RoomQueryTest do
   } do
     assign_creator(hub, account)
 
-    {:ok, token, _claims} = Ret.Guardian.encode_and_sign(account)
-
     auth_res =
       conn
-      |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
+      |> put_auth_header_for_account(account)
       |> post("/api/v2/graphiql", %{
         "query" => @query_my_rooms
       })
@@ -109,11 +107,9 @@ defmodule RoomQueryTest do
   test "my rooms only returns my own rooms", %{conn: conn, account: account, account2: account2, hub: hub} do
     assign_creator(hub, account)
 
-    {:ok, token, _claims} = Ret.Guardian.encode_and_sign(account2)
-
     auth_res =
       conn
-      |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
+      |> put_auth_header_for_account(account2)
       |> post("/api/v2/graphiql", %{
         "query" => @query_my_rooms
       })
@@ -143,12 +139,9 @@ defmodule RoomQueryTest do
   test "anyone can query favorite rooms when authenticated", %{conn: conn, account: account, hub: hub} do
     Ret.AccountFavorite.ensure_favorited(hub, account)
 
-    # Query with auth header
-    {:ok, token, _claims} = Ret.Guardian.encode_and_sign(account)
-
     res =
       conn
-      |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
+      |> put_auth_header_for_account(account)
       |> post("/api/v2/graphiql", %{
         "query" => @query_favorite_rooms
       })
@@ -166,11 +159,9 @@ defmodule RoomQueryTest do
   } do
     Ret.AccountFavorite.ensure_favorited(hub, account)
 
-    {:ok, token, _claims} = Ret.Guardian.encode_and_sign(account2)
-
     res =
       conn
-      |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
+      |> put_auth_header_for_account(account2)
       |> post("/api/v2/graphiql", %{
         "query" => @query_favorite_rooms
       })
diff --git a/test/support/test_helpers.ex b/test/support/test_helpers.ex
index c956ee054..3955bba41 100644
--- a/test/support/test_helpers.ex
+++ b/test/support/test_helpers.ex
@@ -205,10 +205,11 @@ defmodule Ret.TestHelpers do
   end
 
   def put_auth_header_for_email(conn, email) do
-    {:ok, token, _claims} =
-      email
-      |> Ret.Account.find_or_create_account_for_email()
-      |> Ret.Guardian.encode_and_sign()
+    put_auth_header_for_account(conn, Ret.Account.find_or_create_account_for_email(email))
+  end
+
+  def put_auth_header_for_account(conn, account) do
+    {:ok, token, _claims} = Ret.Guardian.encode_and_sign(account)
 
     conn |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
   end
@@ -219,5 +220,4 @@ defmodule Ret.TestHelpers do
     |> Ret.Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
     |> Ret.Repo.update!()
   end
-
 end

From 66d8c4af5fc8fbc5abc9e7fcf8e53ad566df5d7e Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 14:53:40 -0700
Subject: [PATCH 017/138] DRY: graphql query

---
 test/api/v2/room_query_test.exs | 45 +++++++++++----------------------
 1 file changed, 15 insertions(+), 30 deletions(-)

diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index 68a09344f..a82f98d8d 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -56,13 +56,18 @@ defmodule RoomQueryTest do
     }
   end
 
+  defp query(conn, query) do
+    conn
+    |> post("/api/v2/graphiql", %{
+      "query" => "#{query}"
+    })
+    |> json_response(200)
+  end
+
   test "anyone can query for public rooms", %{conn: conn, public_hub: public_hub} do
     res =
       conn
-      |> post("/api/v2/graphiql", %{
-        "query" => @query_public_rooms
-      })
-      |> json_response(200)
+      |> query(@query_public_rooms)
 
     rooms = res["data"]["publicRooms"]["entries"]
     assert List.first(rooms)["id"] == public_hub.hub_sid
@@ -71,13 +76,9 @@ defmodule RoomQueryTest do
   test "cannot query my rooms without authentication", %{conn: conn, account: account, hub: hub} do
     assign_creator(hub, account)
 
-    # Query without auth header
     res =
       conn
-      |> post("/api/v2/graphiql", %{
-        "query" => @query_my_rooms
-      })
-      |> json_response(200)
+      |> query(@query_my_rooms)
 
     assert is_nil(res["data"]["myRooms"])
     error = List.first(res["errors"])
@@ -95,10 +96,7 @@ defmodule RoomQueryTest do
     auth_res =
       conn
       |> put_auth_header_for_account(account)
-      |> post("/api/v2/graphiql", %{
-        "query" => @query_my_rooms
-      })
-      |> json_response(200)
+      |> query(@query_my_rooms)
 
     rooms = auth_res["data"]["myRooms"]["entries"]
     assert List.first(rooms)["id"] == hub.hub_sid
@@ -110,10 +108,7 @@ defmodule RoomQueryTest do
     auth_res =
       conn
       |> put_auth_header_for_account(account2)
-      |> post("/api/v2/graphiql", %{
-        "query" => @query_my_rooms
-      })
-      |> json_response(200)
+      |> query(@query_my_rooms)
 
     rooms = auth_res["data"]["myRooms"]["entries"]
     assert Enum.empty?(rooms)
@@ -122,13 +117,9 @@ defmodule RoomQueryTest do
   test "cannot query favorite rooms without authentication", %{conn: conn, account: account, hub: hub} do
     Ret.AccountFavorite.ensure_favorited(hub, account)
 
-    # Query without auth header
     res =
       conn
-      |> post("/api/v2/graphiql", %{
-        "query" => @query_favorite_rooms
-      })
-      |> json_response(200)
+      |> query(@query_favorite_rooms)
 
     assert is_nil(res["data"]["favoriteRooms"])
     error = List.first(res["errors"])
@@ -142,10 +133,7 @@ defmodule RoomQueryTest do
     res =
       conn
       |> put_auth_header_for_account(account)
-      |> post("/api/v2/graphiql", %{
-        "query" => @query_favorite_rooms
-      })
-      |> json_response(200)
+      |> query(@query_favorite_rooms)
 
     rooms = res["data"]["favoriteRooms"]["entries"]
     assert List.first(rooms)["id"] == hub.hub_sid
@@ -162,10 +150,7 @@ defmodule RoomQueryTest do
     res =
       conn
       |> put_auth_header_for_account(account2)
-      |> post("/api/v2/graphiql", %{
-        "query" => @query_favorite_rooms
-      })
-      |> json_response(200)
+      |> query(@query_favorite_rooms)
 
     rooms = res["data"]["favoriteRooms"]["entries"]
     assert Enum.empty?(rooms)

From b7c55e57dd407b390add133ef24fed015fc8e39d Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 14:58:12 -0700
Subject: [PATCH 018/138] Don't need to hit the iql api

---
 test/api/v2/room_query_test.exs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index a82f98d8d..e9563725d 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -58,7 +58,7 @@ defmodule RoomQueryTest do
 
   defp query(conn, query) do
     conn
-    |> post("/api/v2/graphiql", %{
+    |> post("/api/v2/", %{
       "query" => "#{query}"
     })
     |> json_response(200)

From 96d27c8ef76f7e7297678ea3c4992d663b40ec4d Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 15:31:55 -0700
Subject: [PATCH 019/138] Test room creation. Add default creator assignment

---
 lib/ret_web/resolvers/room_resolver.ex | 21 +++++++--
 test/api/v2/room_query_test.exs        | 65 ++++++++++++++++++++------
 2 files changed, 66 insertions(+), 20 deletions(-)

diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 5b19963e5..b590b9019 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -2,7 +2,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
   alias Ret.Hub
   import Canada, only: [can?: 2]
 
-  def my_rooms(_parent, args, %{context: %{account: account} }) do
+  def my_rooms(_parent, args, %{context: %{account: account}}) do
     {:ok, Hub.get_my_rooms(account, args)}
   end
 
@@ -10,7 +10,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
     {:error, "Not authorized"}
   end
 
-  def favorite_rooms(_parent, args, %{context: %{account: account} }) do
+  def favorite_rooms(_parent, args, %{context: %{account: account}}) do
     {:ok, Hub.get_favorite_rooms(account, args)}
   end
 
@@ -22,15 +22,26 @@ defmodule RetWeb.Resolvers.RoomResolver do
     {:ok, Hub.get_public_rooms(args)}
   end
 
+  def create_room(_parent, args, %{context: %{account: account}}) do
+    {:ok, hub} = Hub.create(args)
+
+    hub
+    |> Ret.Repo.preload(Hub.hub_preloads())
+    |> Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
+    |> Ret.Repo.update!()
+
+    {:ok, hub}
+  end
+
   def create_room(_parent, args, _resolutions) do
     Hub.create(args)
   end
 
-  def embed_token(hub, _args, %{context: %{account: account} }) do
+  def embed_token(hub, _args, %{context: %{account: account}}) do
     if account |> can?(embed_hub(hub)) do
       {:ok, hub.embed_token}
     else
-      {:ok, nil}  
+      {:ok, nil}
     end
   end
 
@@ -44,7 +55,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
 
   def turn(_hub, _args, _resolutions) do
     {:ok, Hub.generate_turn_info()}
-  end  
+  end
 
   def member_permissions(hub, _args, _resolutions) do
     {:ok, Hub.member_permissions_for_hub_as_atoms(hub)}
diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index e9563725d..be174fd95 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -41,6 +41,23 @@ defmodule RoomQueryTest do
     }
   """
 
+  @mutation_create_room """
+    mutation MyCooLmutatuon($roomName: String!){
+      createRoom (name: $roomName) {
+        id
+      }
+    }
+  """
+
+  defp do_graphql_action(conn, query, variables \\ %{}) do
+    conn
+    |> post("/api/v2/", %{
+      "query" => "#{query}",
+      "variables" => variables
+    })
+    |> json_response(200)
+  end
+
   setup _context do
     account = create_random_account()
     account2 = create_random_account()
@@ -56,18 +73,10 @@ defmodule RoomQueryTest do
     }
   end
 
-  defp query(conn, query) do
-    conn
-    |> post("/api/v2/", %{
-      "query" => "#{query}"
-    })
-    |> json_response(200)
-  end
-
   test "anyone can query for public rooms", %{conn: conn, public_hub: public_hub} do
     res =
       conn
-      |> query(@query_public_rooms)
+      |> do_graphql_action(@query_public_rooms)
 
     rooms = res["data"]["publicRooms"]["entries"]
     assert List.first(rooms)["id"] == public_hub.hub_sid
@@ -78,7 +87,7 @@ defmodule RoomQueryTest do
 
     res =
       conn
-      |> query(@query_my_rooms)
+      |> do_graphql_action(@query_my_rooms)
 
     assert is_nil(res["data"]["myRooms"])
     error = List.first(res["errors"])
@@ -96,7 +105,7 @@ defmodule RoomQueryTest do
     auth_res =
       conn
       |> put_auth_header_for_account(account)
-      |> query(@query_my_rooms)
+      |> do_graphql_action(@query_my_rooms)
 
     rooms = auth_res["data"]["myRooms"]["entries"]
     assert List.first(rooms)["id"] == hub.hub_sid
@@ -108,7 +117,7 @@ defmodule RoomQueryTest do
     auth_res =
       conn
       |> put_auth_header_for_account(account2)
-      |> query(@query_my_rooms)
+      |> do_graphql_action(@query_my_rooms)
 
     rooms = auth_res["data"]["myRooms"]["entries"]
     assert Enum.empty?(rooms)
@@ -119,7 +128,7 @@ defmodule RoomQueryTest do
 
     res =
       conn
-      |> query(@query_favorite_rooms)
+      |> do_graphql_action(@query_favorite_rooms)
 
     assert is_nil(res["data"]["favoriteRooms"])
     error = List.first(res["errors"])
@@ -133,7 +142,7 @@ defmodule RoomQueryTest do
     res =
       conn
       |> put_auth_header_for_account(account)
-      |> query(@query_favorite_rooms)
+      |> do_graphql_action(@query_favorite_rooms)
 
     rooms = res["data"]["favoriteRooms"]["entries"]
     assert List.first(rooms)["id"] == hub.hub_sid
@@ -150,9 +159,35 @@ defmodule RoomQueryTest do
     res =
       conn
       |> put_auth_header_for_account(account2)
-      |> query(@query_favorite_rooms)
+      |> do_graphql_action(@query_favorite_rooms)
 
     rooms = res["data"]["favoriteRooms"]["entries"]
     assert Enum.empty?(rooms)
   end
+
+  test "anyone can create a room", %{
+    conn: conn
+  } do
+    res =
+      conn
+      |> do_graphql_action(@mutation_create_room, %{roomName: "my fun room"})
+
+    id = res["data"]["createRoom"]["id"]
+    assert !is_nil(id)
+    hub = Ret.Repo.get_by(Ret.Hub, hub_sid: id)
+    assert hub.name =~ "my fun room"
+  end
+
+  test "Creating a room while authenticated assigns the creator", %{
+    conn: conn,
+    account: account
+  } do
+    res =
+      conn
+      |> put_auth_header_for_account(account)
+      |> do_graphql_action(@mutation_create_room, %{roomName: "my fun room"})
+
+    hub = Ret.Repo.get_by(Ret.Hub, hub_sid: res["data"]["createRoom"]["id"])
+    assert hub.created_by_account_id == account.account_id
+  end
 end

From 6b4c0b6666067120fb52d19548f91a271ed0c832 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 15:35:53 -0700
Subject: [PATCH 020/138] Specify json_codec

---
 lib/ret_web/router.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ret_web/router.ex b/lib/ret_web/router.ex
index 539b1c8a9..4816f9a57 100644
--- a/lib/ret_web/router.ex
+++ b/lib/ret_web/router.ex
@@ -149,7 +149,7 @@ defmodule RetWeb.Router do
   scope "/api/v2", as: :api_v2 do
     pipe_through([:parsed_body, :api, :auth_optional, :graphql] ++ if(Mix.env() == :prod, do: [:ssl_only], else: []))
     forward "/graphiql", Absinthe.Plug.GraphiQL, json_codec: Jason, schema: RetWeb.Schema
-    forward "/", Absinthe.Plug, schema: RetWeb.Schema
+    forward "/", Absinthe.Plug, json_codec: Jason, schema: RetWeb.Schema
   end
 
   # Directly accessible APIs.

From fec37538a579a77ceba96886da122577d92748e4 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 15:42:06 -0700
Subject: [PATCH 021/138] Add room name to mutation result

---
 test/api/v2/room_query_test.exs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index be174fd95..175f5c0c9 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -44,7 +44,8 @@ defmodule RoomQueryTest do
   @mutation_create_room """
     mutation MyCooLmutatuon($roomName: String!){
       createRoom (name: $roomName) {
-        id
+        id,
+        name
       }
     }
   """
@@ -168,14 +169,16 @@ defmodule RoomQueryTest do
   test "anyone can create a room", %{
     conn: conn
   } do
+    roomName = "my fun room"
     res =
       conn
-      |> do_graphql_action(@mutation_create_room, %{roomName: "my fun room"})
+      |> do_graphql_action(@mutation_create_room, %{roomName: roomName})
 
     id = res["data"]["createRoom"]["id"]
     assert !is_nil(id)
     hub = Ret.Repo.get_by(Ret.Hub, hub_sid: id)
-    assert hub.name =~ "my fun room"
+    assert hub.name == res["data"]["createRoom"]["name"]
+    assert hub.name == roomName
   end
 
   test "Creating a room while authenticated assigns the creator", %{

From 012d0405ef87557d43484ce1052607e12483601b Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 16:44:26 -0700
Subject: [PATCH 022/138] Test pagination

---
 test/api/v2/room_query_test.exs | 54 +++++++++++++++++++++++++++++----
 1 file changed, 48 insertions(+), 6 deletions(-)

diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index 175f5c0c9..62d85a486 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -22,11 +22,15 @@ defmodule RoomQueryTest do
   """
 
   @query_my_rooms """
-    query {
-      myRooms {
+    query ($page: Int, $page_size: Int){
+      myRooms (page: $page, page_size: $page_size){
        entries {
          id
        }
+       total_entries
+       total_pages
+       page_number
+       page_size
       }
     }
   """
@@ -42,7 +46,7 @@ defmodule RoomQueryTest do
   """
 
   @mutation_create_room """
-    mutation MyCooLmutatuon($roomName: String!){
+    mutation ($roomName: String!){
       createRoom (name: $roomName) {
         id,
         name
@@ -69,6 +73,7 @@ defmodule RoomQueryTest do
     %{
       account: account,
       account2: account2,
+      scene: scene,
       hub: hub,
       public_hub: public_hub
     }
@@ -169,16 +174,17 @@ defmodule RoomQueryTest do
   test "anyone can create a room", %{
     conn: conn
   } do
-    roomName = "my fun room"
+    room_name = "my fun room"
+
     res =
       conn
-      |> do_graphql_action(@mutation_create_room, %{roomName: roomName})
+      |> do_graphql_action(@mutation_create_room, %{roomName: room_name})
 
     id = res["data"]["createRoom"]["id"]
     assert !is_nil(id)
     hub = Ret.Repo.get_by(Ret.Hub, hub_sid: id)
     assert hub.name == res["data"]["createRoom"]["name"]
-    assert hub.name == roomName
+    assert hub.name == room_name
   end
 
   test "Creating a room while authenticated assigns the creator", %{
@@ -193,4 +199,40 @@ defmodule RoomQueryTest do
     hub = Ret.Repo.get_by(Ret.Hub, hub_sid: res["data"]["createRoom"]["id"])
     assert hub.created_by_account_id == account.account_id
   end
+
+  test "The room query api paginates results", %{
+    conn: conn,
+    scene: scene,
+    account: account
+  } do
+    for _n <- 1..50 do
+      {:ok, hub: hub} = create_hub(%{scene: scene})
+      assign_creator(hub, account)
+    end
+
+    response =
+      conn
+      |> put_auth_header_for_account(account)
+      |> do_graphql_action(@query_my_rooms)
+
+    assert length(response["data"]["myRooms"]["entries"]) === response["data"]["myRooms"]["page_size"]
+  end
+
+  test "The room query api paginates results 2", %{
+    conn: conn,
+    scene: scene,
+    account: account
+  } do
+    for _n <- 1..50 do
+      {:ok, hub: hub} = create_hub(%{scene: scene})
+      assign_creator(hub, account)
+    end
+
+    response =
+      conn
+      |> put_auth_header_for_account(account)
+      |> do_graphql_action(@query_my_rooms, %{page: 3, page_size: 24})
+
+    assert length(response["data"]["myRooms"]["entries"]) === 2
+  end
 end

From 0e3f85e7c723085d9ff15f29f33e134bed620fc5 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 16:48:16 -0700
Subject: [PATCH 023/138] Fix warnings

---
 lib/ret_web/context.ex                 | 7 +------
 lib/ret_web/resolvers/room_resolver.ex | 4 ++--
 lib/ret_web/schema/scene_types.ex      | 1 -
 3 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/lib/ret_web/context.ex b/lib/ret_web/context.ex
index 06b0db43f..1ee555e80 100644
--- a/lib/ret_web/context.ex
+++ b/lib/ret_web/context.ex
@@ -1,11 +1,6 @@
 defmodule RetWeb.Context do
   @behaviour Plug
 
-  import Plug.Conn
-  import Ecto.Query, only: [where: 2]
-
-  alias RetWeb.{Repo, User}
-
   def init(opts), do: opts
 
   def call(conn, _) do
@@ -22,4 +17,4 @@ defmodule RetWeb.Context do
       %{}
     end
   end
-end
\ No newline at end of file
+end
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index b590b9019..3fe0102ee 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -6,7 +6,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
     {:ok, Hub.get_my_rooms(account, args)}
   end
 
-  def my_rooms(_parent, args, _resolutions) do
+  def my_rooms(_parent, _args, _resolutions) do
     {:error, "Not authorized"}
   end
 
@@ -14,7 +14,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
     {:ok, Hub.get_favorite_rooms(account, args)}
   end
 
-  def favorite_rooms(_parent, args, _resolutions) do
+  def favorite_rooms(_parent, _args, _resolutions) do
     {:error, "Not authorized"}
   end
 
diff --git a/lib/ret_web/schema/scene_types.ex b/lib/ret_web/schema/scene_types.ex
index 2c19153a7..a17905c5d 100644
--- a/lib/ret_web/schema/scene_types.ex
+++ b/lib/ret_web/schema/scene_types.ex
@@ -1,6 +1,5 @@
 defmodule RetWeb.Schema.SceneTypes do
   use Absinthe.Schema.Notation
-  alias RetWeb.Resolvers
   alias Ret.{Scene, SceneListing}
 
   union :scene_or_scene_listing do

From 8f2611c5a82f4b618e643e24754415490d3fcbb0 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 30 Jul 2020 16:56:03 -0700
Subject: [PATCH 024/138] Formatting

---
 lib/ret/scene.ex                                   |  4 ++--
 lib/ret_web/middlewares/handle_changeset_errors.ex | 11 +++++------
 lib/ret_web/schema.ex                              |  8 ++++----
 lib/ret_web/schema/room_types.ex                   |  9 +++++++++
 lib/ret_web/schema/scene_types.ex                  |  7 ++++---
 5 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/lib/ret/scene.ex b/lib/ret/scene.ex
index e4a1a761a..e509b27f6 100644
--- a/lib/ret/scene.ex
+++ b/lib/ret/scene.ex
@@ -58,8 +58,8 @@ defmodule Ret.Scene do
   # Dataloader
   def data(), do: Dataloader.Ecto.new(Repo, query: &query/2)
   # Guard against loading removed scenes or delisted scene listings
-  def query(Scene, _), do: from s in Scene, where: s.state != ^:removed
-  def query(SceneListing, _), do: from sl in SceneListing, where: sl.state != ^:delisted
+  def query(Scene, _), do: from(s in Scene, where: s.state != ^:removed)
+  def query(SceneListing, _), do: from(sl in SceneListing, where: sl.state != ^:delisted)
 
   def scene_or_scene_listing_by_sid(sid) do
     Scene |> Repo.get_by(scene_sid: sid) ||
diff --git a/lib/ret_web/middlewares/handle_changeset_errors.ex b/lib/ret_web/middlewares/handle_changeset_errors.ex
index a01f15778..cf2c81ae7 100644
--- a/lib/ret_web/middlewares/handle_changeset_errors.ex
+++ b/lib/ret_web/middlewares/handle_changeset_errors.ex
@@ -1,15 +1,14 @@
 defmodule RetWeb.Middlewares.HandleChangesetErrors do
   @behaviour Absinthe.Middleware
   def call(resolution, _) do
-    %{resolution |
-      errors: Enum.flat_map(resolution.errors, &handle_error/1)
-    }
+    %{resolution | errors: Enum.flat_map(resolution.errors, &handle_error/1)}
   end
 
   defp handle_error(%Ecto.Changeset{} = changeset) do
     changeset
-      |> Ecto.Changeset.traverse_errors(fn {err, _opts} -> err end)
-      |> Enum.map(fn({k,v}) -> "#{k}: #{v}" end)
+    |> Ecto.Changeset.traverse_errors(fn {err, _opts} -> err end)
+    |> Enum.map(fn {k, v} -> "#{k}: #{v}" end)
   end
+
   defp handle_error(error), do: [error]
-end
\ No newline at end of file
+end
diff --git a/lib/ret_web/schema.ex b/lib/ret_web/schema.ex
index 47fc2f83a..8df97402d 100644
--- a/lib/ret_web/schema.ex
+++ b/lib/ret_web/schema.ex
@@ -5,6 +5,7 @@ defmodule RetWeb.Schema do
   def middleware(middleware, _field, %{identifier: :mutation}) do
     middleware ++ [RetWeb.Middlewares.HandleChangesetErrors]
   end
+
   def middleware(middleware, _field, _object), do: middleware
 
   import_types(Absinthe.Type.Custom)
@@ -21,14 +22,13 @@ defmodule RetWeb.Schema do
 
   def context(ctx) do
     loader =
-      Dataloader.new
+      Dataloader.new()
       |> Dataloader.add_source(Scene, Scene.data())
-  
+
     Map.put(ctx, :loader, loader)
   end
-  
+
   def plugins do
     [Absinthe.Middleware.Dataloader] ++ Absinthe.Plugin.defaults()
   end
-  
 end
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index 0a2b3a2a1..2092d465f 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -33,30 +33,39 @@ defmodule RetWeb.Schema.RoomTypes do
     field(:entry_code, :string)
     field(:entry_mode, :string)
     field(:host, :string)
+
     field(:port, :integer) do
       resolve(&Resolvers.RoomResolver.port/3)
     end
+
     field(:turn, :turn_info) do
       resolve(&Resolvers.RoomResolver.turn/3)
     end
+
     field(:embed_token, :string) do
       resolve(&Resolvers.RoomResolver.embed_token/3)
     end
+
     field(:member_permissions, :member_permissions) do
       resolve(&Resolvers.RoomResolver.member_permissions/3)
     end
+
     field(:room_size, :integer) do
       resolve(&Resolvers.RoomResolver.room_size/3)
     end
+
     field(:member_count, :integer) do
       resolve(&Resolvers.RoomResolver.member_count/3)
     end
+
     field(:lobby_count, :integer) do
       resolve(&Resolvers.RoomResolver.lobby_count/3)
     end
+
     field(:scene, :scene_or_scene_listing) do
       resolve(dataloader(Scene))
     end
+
     # TODO: Figure out user_data
   end
 
diff --git a/lib/ret_web/schema/scene_types.ex b/lib/ret_web/schema/scene_types.ex
index a17905c5d..5db059926 100644
--- a/lib/ret_web/schema/scene_types.ex
+++ b/lib/ret_web/schema/scene_types.ex
@@ -3,11 +3,12 @@ defmodule RetWeb.Schema.SceneTypes do
   alias Ret.{Scene, SceneListing}
 
   union :scene_or_scene_listing do
-    types [:scene, :scene_listing]
-    resolve_type fn
+    types([:scene, :scene_listing])
+
+    resolve_type(fn
       %Scene{}, _ -> :scene
       %SceneListing{}, _ -> :scene_listing
-    end
+    end)
   end
 
   object :scene do

From e60ddff7b6a4a6c5214b2f23c3936c4f0ef14abf Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 17 Aug 2020 14:22:44 -0700
Subject: [PATCH 025/138] Add mutation for updating room name

---
 lib/ret_web/api_ecto_error_helpers.ex  | 80 ++++++++++++++++++++++++++
 lib/ret_web/resolvers/room_resolver.ex | 51 +++++++++++++++-
 lib/ret_web/schema/room_types.ex       | 12 ++++
 3 files changed, 140 insertions(+), 3 deletions(-)
 create mode 100644 lib/ret_web/api_ecto_error_helpers.ex

diff --git a/lib/ret_web/api_ecto_error_helpers.ex b/lib/ret_web/api_ecto_error_helpers.ex
new file mode 100644
index 000000000..a6be576cf
--- /dev/null
+++ b/lib/ret_web/api_ecto_error_helpers.ex
@@ -0,0 +1,80 @@
+defmodule RetWeb.ApiEctoErrorHelpers do
+  # https://medium.com/@imanhodjaev/organising-absithe-and-ecto-errors-2a2257ccdff6
+
+  alias Ecto.Changeset
+
+  @doc """
+  Transform `%Ecto.Changeset{}` errors to a map
+  containing field name as a key on which validation
+  error happened and it's formatted message.
+  For example:
+  ```
+  %{
+    "title": "title length should be at least 8 characters"
+    ...
+  }
+  ```
+  """
+  def to_api_errors(%Changeset{} = changeset) do
+    changeset
+    |> format_errors()
+    |> concat_errors()
+  end
+
+  # @doc """
+  # Wrap context actions with Ecto.
+  # If action succeeds then the result tuple returned.
+  # If changeset errors happen then all errors transformed
+  # into convenient form of list of maps with fields on
+  # which validations failed.
+  # Else `unknown` error returned.
+  # """
+  # def action_wrapped(fun) do
+  #   case fun.() do
+  #     {:ok, result} ->
+  #       {:ok, result}
+
+  #     {:error, changeset = %Changeset{}} ->
+  #       {
+  #         :error,
+  #         %{
+  #           message: "Changeset errors occurred",
+  #           code: :schema_errors,
+  #           errors: to_api_errors(changeset)
+  #         }
+  #       }
+
+  #     # Case for our standard errors in `IdpWeb.Schema.Errors`
+  #     {:error, %{code: _}} = error ->
+  #       error
+
+  #     {:error, _} ->
+  #       {
+  #         :error,
+  #         %{
+  #           message: "Oops! Unknown error",
+  #           code: :oops
+  #         }
+  #       }
+  #   end
+  # end
+
+  # Extract and interpolate all errors from
+  # `Changeset.errors` and return a map.
+  defp format_errors(%Changeset{} = changeset) do
+    Changeset.traverse_errors(changeset, fn {msg, opts} ->
+      Enum.reduce(opts, msg, fn {key, value}, formatted_msg ->
+        formatted_msg |> String.replace("%{#{key}}", to_string(value))
+      end)
+    end)
+  end
+
+  # Get all errors from `format_errors/1` and
+  # join their messages into a single string
+  # separated by ","
+  defp concat_errors(errors) do
+    Enum.reduce(errors, errors, fn {key, value}, map ->
+      map |> Map.put(key, Enum.join(value, ", "))
+    end)
+  end
+end
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 3fe0102ee..3669f0137 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -1,6 +1,7 @@
 defmodule RetWeb.Resolvers.RoomResolver do
-  alias Ret.Hub
+  alias Ret.{Hub, Repo}
   import Canada, only: [can?: 2]
+  import RetWeb.ApiEctoErrorHelpers
 
   def my_rooms(_parent, args, %{context: %{account: account}}) do
     {:ok, Hub.get_my_rooms(account, args)}
@@ -26,9 +27,9 @@ defmodule RetWeb.Resolvers.RoomResolver do
     {:ok, hub} = Hub.create(args)
 
     hub
-    |> Ret.Repo.preload(Hub.hub_preloads())
+    |> Repo.preload(Hub.hub_preloads())
     |> Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
-    |> Ret.Repo.update!()
+    |> Repo.update!()
 
     {:ok, hub}
   end
@@ -76,4 +77,48 @@ defmodule RetWeb.Resolvers.RoomResolver do
   def scene(hub, _args, _resolutions) do
     {:ok, Hub.scene_or_scene_listing_for(hub)}
   end
+
+  def update_room(_, %{id: hub_sid} = args, %{context: %{account: account}}) do
+    hub =
+      Hub
+      |> Repo.get_by(hub_sid: hub_sid)
+      |> Repo.preload([:hub_role_memberships, :hub_bindings])
+
+    case hub do
+      nil ->
+        {:error, "Cannot find room with id " <> hub_sid}
+
+      _ ->
+        case can?(account, update_roles(hub)) do
+          false ->
+            {:error, "Account does not have permission to update this hub."}
+
+          true ->
+            changeset =
+              hub
+              |> Hub.add_attrs_to_changeset(args)
+
+            #              |> Hub.add_member_permissions_to_changeset(args)
+            #              |> Hub.maybe_add_promotion_to_changeset(account, hub, args)
+
+            case changeset do
+              %{valid?: false} ->
+                {:error,
+                 %{
+                   message: "Changeset errors occurred",
+                   code: :schema_errors,
+                   errors: to_api_errors(changeset)
+                 }}
+
+              _ ->
+                updated_hub =
+                  changeset
+                  |> Repo.update!()
+                  |> Repo.preload(Hub.hub_preloads())
+
+                {:ok, updated_hub}
+            end
+        end
+    end
+  end
 end
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index 2092d465f..f026044e1 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -103,6 +103,18 @@ defmodule RetWeb.Schema.RoomTypes do
 
       resolve(&Resolvers.RoomResolver.create_room/3)
     end
+    field :update_room, :room do
+      arg(:id, :string)
+      arg(:name, :string)
+      # arg(:description, :string)
+      # arg(:room_size, :integer)
+      # arg(:scene_id, :string)
+      # TODO: promotion
+      # TODO: add/remove owner
+      # TODO: member_permissions
+
+      resolve(&Resolvers.RoomResolver.update_room/3)
+    end
   end
 
   object :room_subscriptions do

From 2f4c8bbc88a244af1ce5c01adfeb7d9b03065eba Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 24 Aug 2020 09:08:52 -0700
Subject: [PATCH 026/138] Add capabilities to room resolver

---
 lib/ret/hub.ex                         | 10 +++++
 lib/ret_web/resolvers/room_resolver.ex | 60 +++++++++++++++-----------
 lib/ret_web/schema/room_types.ex       |  6 +--
 3 files changed, 49 insertions(+), 27 deletions(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index b97020b9b..047f4e422 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -150,6 +150,13 @@ defmodule Ret.Hub do
     end
   end
 
+  def get_scene_or_scene_listing_by_id(nil) do
+    SceneListing.get_random_default_scene_listing()
+  end
+  def get_scene_or_scene_listing_by_id(id) do
+    Scene.scene_or_scene_listing_by_sid(id)
+  end
+
   def get_by_entry_code_string(entry_code_string) when is_binary(entry_code_string) do
     case Integer.parse(entry_code_string) do
       {entry_code, _} -> Hub |> Repo.get_by(entry_code: entry_code)
@@ -161,6 +168,7 @@ defmodule Ret.Hub do
     Hub
     |> where([h], h.created_by_account_id == ^account.account_id and h.entry_mode == ^"allow")
     |> order_by(desc: :inserted_at)
+    |> preload(^Hub.hub_preloads())
     |> Repo.paginate(params)
   end
 
@@ -169,6 +177,7 @@ defmodule Ret.Hub do
     |> where([h], h.entry_mode == ^"allow")
     |> join(:inner, [h], f in AccountFavorite, on: f.hub_id == h.hub_id and f.account_id == ^account.account_id)
     |> order_by([h, f], desc: f.last_activated_at)
+    |> preload(^Hub.hub_preloads())
     |> Repo.paginate(params)
   end
 
@@ -176,6 +185,7 @@ defmodule Ret.Hub do
     Hub
     |> where([h], h.allow_promotion and h.entry_mode == ^"allow")
     |> order_by(desc: :inserted_at)
+    |> preload(^Hub.hub_preloads())
     |> Repo.paginate(params)
   end
 
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 3669f0137..1be9b6373 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -1,7 +1,8 @@
 defmodule RetWeb.Resolvers.RoomResolver do
-  alias Ret.{Hub, Repo}
+  alias Ret.{Hub, Repo, Scene, SceneListing}
   import Canada, only: [can?: 2]
   import RetWeb.ApiEctoErrorHelpers
+  import Ecto.Changeset, only: [put_assoc: 3, change: 1]
 
   def my_rooms(_parent, args, %{context: %{account: account}}) do
     {:ok, Hub.get_my_rooms(account, args)}
@@ -94,29 +95,40 @@ defmodule RetWeb.Resolvers.RoomResolver do
             {:error, "Account does not have permission to update this hub."}
 
           true ->
-            changeset =
-              hub
-              |> Hub.add_attrs_to_changeset(args)
-
-            #              |> Hub.add_member_permissions_to_changeset(args)
-            #              |> Hub.maybe_add_promotion_to_changeset(account, hub, args)
-
-            case changeset do
-              %{valid?: false} ->
-                {:error,
-                 %{
-                   message: "Changeset errors occurred",
-                   code: :schema_errors,
-                   errors: to_api_errors(changeset)
-                 }}
-
-              _ ->
-                updated_hub =
-                  changeset
-                  |> Repo.update!()
-                  |> Repo.preload(Hub.hub_preloads())
-
-                {:ok, updated_hub}
+            scene_id = Map.get(args, :scene_id, nil)
+            scene_or_scene_listing = Hub.get_scene_or_scene_listing_by_id(scene_id)
+
+            if scene_id && is_nil(scene_or_scene_listing) do
+              {:error, "Cannot find scene with id " <> scene_id}
+            else
+              changeset =
+                if scene_or_scene_listing,
+                  do: Hub.changeset_for_new_scene(hub, scene_or_scene_listing),
+                  else: change(hub)
+
+              changeset = Hub.add_attrs_to_changeset(changeset, args)
+
+              # TODO: Member permissions #              |> Hub.add_member_permissions_to_changeset(args)
+              # TODO: Promotions         #              |> Hub.maybe_add_promotion_to_changeset(account, hub, args)
+
+              case changeset do
+                %{valid?: false} ->
+                  {:error,
+                   %{
+                     message: "Changeset errors occurred",
+                     code: :schema_errors,
+                     errors: to_api_errors(changeset)
+                   }}
+
+                _ ->
+                  updated_hub =
+                    changeset
+                    |> Repo.update!()
+                    |> Repo.preload(Hub.hub_preloads())
+
+                  # TODO: Broadcast changes on hub_channel so room occupants know about changes
+                  {:ok, updated_hub}
+              end
             end
         end
     end
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index f026044e1..3f007d2a3 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -106,9 +106,9 @@ defmodule RetWeb.Schema.RoomTypes do
     field :update_room, :room do
       arg(:id, :string)
       arg(:name, :string)
-      # arg(:description, :string)
-      # arg(:room_size, :integer)
-      # arg(:scene_id, :string)
+      arg(:description, :string)
+      arg(:room_size, :integer)
+      arg(:scene_id, :string)
       # TODO: promotion
       # TODO: add/remove owner
       # TODO: member_permissions

From ee0a66c32fdf6e30e0c2dc3d47def757d5759a6e Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 24 Aug 2020 11:03:07 -0700
Subject: [PATCH 027/138] Refactor for readability

---
 lib/ret_web/auth_error_handler.ex      |   9 +++
 lib/ret_web/resolvers/room_resolver.ex | 101 +++++++++++++------------
 lib/ret_web/schema/room_types.ex       |   3 +-
 3 files changed, 64 insertions(+), 49 deletions(-)

diff --git a/lib/ret_web/auth_error_handler.ex b/lib/ret_web/auth_error_handler.ex
index 717125b16..6ba2b7351 100644
--- a/lib/ret_web/auth_error_handler.ex
+++ b/lib/ret_web/auth_error_handler.ex
@@ -1,8 +1,17 @@
 defmodule RetWeb.Guardian.AuthErrorHandler do
+  @moduledoc false
   import Plug.Conn
 
   def auth_error(conn, {type, _reason}, _opts) do
     body = Poison.encode!(%{error: to_string(type)})
     send_resp(conn, 401, body)
+    # TODO: GraphQL endpoint errors should be formatted with absinthe_plug
+    #  "data" => %{ "action" => null  }
+    #  "errors" => [
+    #    %{
+    #      "message" => "Some error messages",
+    #      "locations" => [%{"line" => 1, "column" => 2}]
+    #    }
+    #  ]
   end
 end
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 1be9b6373..cf8eda29b 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -80,57 +80,62 @@ defmodule RetWeb.Resolvers.RoomResolver do
   end
 
   def update_room(_, %{id: hub_sid} = args, %{context: %{account: account}}) do
-    hub =
-      Hub
-      |> Repo.get_by(hub_sid: hub_sid)
-      |> Repo.preload([:hub_role_memberships, :hub_bindings])
+    hub = Hub |> Repo.get_by(hub_sid: hub_sid) |> Repo.preload([:hub_role_memberships, :hub_bindings])
+    update_room_with_account(hub, account, args)
+  end
+
+  defp update_room_with_account(nil, _account, %{id: hub_sid}) do
+    {:error, "Cannot find room with id " <> hub_sid}
+  end
+
+  defp update_room_with_account(hub, account, args) do
+    case can?(account, update_roles(hub)) do
+      false ->
+        {:error, "Account does not have permission to update this hub."}
+
+      true ->
+        # TODO: Member permissions #              |> Hub.add_member_permissions_to_changeset(args)
+        # TODO: Promotions         #              |> Hub.maybe_add_promotion_to_changeset(account, hub, args)
+        try_do_update_room(changeset_for_update_room(hub, args))
+    end
+  end
+
+  defp changeset_for_update_room(hub, %{scene_id: scene_id} = args) do
+    scene_or_scene_listing = Hub.get_scene_or_scene_listing_by_id(scene_id)
 
-    case hub do
-      nil ->
-        {:error, "Cannot find room with id " <> hub_sid}
+    if is_nil(scene_or_scene_listing) do
+      {:error, "Cannot find scene with id " <> scene_id}
+    else
+      Hub.changeset_for_new_scene(hub, scene_or_scene_listing)
+      |> Hub.add_attrs_to_changeset(args)
+    end
+  end
+
+  defp changeset_for_update_room(hub, args) do
+    Hub.add_attrs_to_changeset(change(hub), args)
+  end
+
+  defp try_do_update_room(changeset) do
+    case changeset do
+      {:error, reason} ->
+        {:error, reason}
+
+      %{valid?: false} ->
+        {:error,
+         %{
+           message: "Changeset errors occurred",
+           code: :schema_errors,
+           errors: to_api_errors(changeset)
+         }}
 
       _ ->
-        case can?(account, update_roles(hub)) do
-          false ->
-            {:error, "Account does not have permission to update this hub."}
-
-          true ->
-            scene_id = Map.get(args, :scene_id, nil)
-            scene_or_scene_listing = Hub.get_scene_or_scene_listing_by_id(scene_id)
-
-            if scene_id && is_nil(scene_or_scene_listing) do
-              {:error, "Cannot find scene with id " <> scene_id}
-            else
-              changeset =
-                if scene_or_scene_listing,
-                  do: Hub.changeset_for_new_scene(hub, scene_or_scene_listing),
-                  else: change(hub)
-
-              changeset = Hub.add_attrs_to_changeset(changeset, args)
-
-              # TODO: Member permissions #              |> Hub.add_member_permissions_to_changeset(args)
-              # TODO: Promotions         #              |> Hub.maybe_add_promotion_to_changeset(account, hub, args)
-
-              case changeset do
-                %{valid?: false} ->
-                  {:error,
-                   %{
-                     message: "Changeset errors occurred",
-                     code: :schema_errors,
-                     errors: to_api_errors(changeset)
-                   }}
-
-                _ ->
-                  updated_hub =
-                    changeset
-                    |> Repo.update!()
-                    |> Repo.preload(Hub.hub_preloads())
-
-                  # TODO: Broadcast changes on hub_channel so room occupants know about changes
-                  {:ok, updated_hub}
-              end
-            end
-        end
+        updated_hub =
+          changeset
+          |> Repo.update!()
+          |> Repo.preload(Hub.hub_preloads())
+
+        # TODO: Broadcast changes on hub_channel so room occupants know about changes
+        {:ok, updated_hub}
     end
   end
 end
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index 3f007d2a3..c448100f8 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -103,8 +103,9 @@ defmodule RetWeb.Schema.RoomTypes do
 
       resolve(&Resolvers.RoomResolver.create_room/3)
     end
+
     field :update_room, :room do
-      arg(:id, :string)
+      arg(:id, non_null(:string))
       arg(:name, :string)
       arg(:description, :string)
       arg(:room_size, :integer)

From 4afe9d6443d67e6ba6ffc3dfba8bf599480a16b6 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 24 Aug 2020 13:56:01 -0700
Subject: [PATCH 028/138] Broadcast changes to anyone connected to the hub
 channel

---
 lib/ret_web/resolvers/room_resolver.ex | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index cf8eda29b..a5e86c2d1 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -1,5 +1,6 @@
 defmodule RetWeb.Resolvers.RoomResolver do
   alias Ret.{Hub, Repo, Scene, SceneListing}
+  alias RetWeb.Api.V1.{HubView}
   import Canada, only: [can?: 2]
   import RetWeb.ApiEctoErrorHelpers
   import Ecto.Changeset, only: [put_assoc: 3, change: 1]
@@ -96,7 +97,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
       true ->
         # TODO: Member permissions #              |> Hub.add_member_permissions_to_changeset(args)
         # TODO: Promotions         #              |> Hub.maybe_add_promotion_to_changeset(account, hub, args)
-        try_do_update_room(changeset_for_update_room(hub, args))
+        try_do_update_room(hub, changeset_for_update_room(hub, args), account)
     end
   end
 
@@ -115,7 +116,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
     Hub.add_attrs_to_changeset(change(hub), args)
   end
 
-  defp try_do_update_room(changeset) do
+  defp try_do_update_room(hub, changeset, account) do
     case changeset do
       {:error, reason} ->
         {:error, reason}
@@ -134,7 +135,24 @@ defmodule RetWeb.Resolvers.RoomResolver do
           |> Repo.update!()
           |> Repo.preload(Hub.hub_preloads())
 
-        # TODO: Broadcast changes on hub_channel so room occupants know about changes
+        updated_hub = Ret.Repo.preload(updated_hub, Hub.hub_preloads())
+
+        response =
+          HubView.render("show.json", %{
+            hub: updated_hub,
+            embeddable: account |> can?(embed_hub(updated_hub))
+          })
+          |> Map.put(:stale_fields, [
+            "name",
+            "description",
+            "member_permissions",
+            "room_size",
+            "allow_promotion",
+            "scene"
+          ])
+
+        RetWeb.Endpoint.broadcast!("hub:" <> updated_hub.hub_sid, "hub_refresh_by_api", response)
+
         {:ok, updated_hub}
     end
   end

From 5a818956155d32a792f09419bc13ad250d8baf91 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 24 Aug 2020 16:00:00 -0700
Subject: [PATCH 029/138] Add ability to update member_permissions

---
 lib/ret/hub.ex                                | 30 +++++++++++++++++--
 .../controllers/api/v1/hub_controller.ex      | 14 ++-------
 lib/ret_web/resolvers/room_resolver.ex        | 25 +++++++++-------
 lib/ret_web/schema/room_types.ex              | 11 ++++++-
 4 files changed, 54 insertions(+), 26 deletions(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 047f4e422..053e8fd3c 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -153,6 +153,7 @@ defmodule Ret.Hub do
   def get_scene_or_scene_listing_by_id(nil) do
     SceneListing.get_random_default_scene_listing()
   end
+
   def get_scene_or_scene_listing_by_id(id) do
     Scene.scene_or_scene_listing_by_sid(id)
   end
@@ -230,9 +231,9 @@ defmodule Ret.Hub do
     attrs["member_permissions"] |> Map.new(fn {k, v} -> {String.to_atom(k), v} end) |> member_permissions_to_int
   end
 
-  def add_member_permissions_update_to_changeset(changeset, hub, attrs) do
+  defp add_member_permissions_update_to_changeset(changeset, hub, member_permissions) do
     member_permissions =
-      Map.merge(member_permissions_for_hub(hub), attrs["member_permissions"])
+      Map.merge(member_permissions_for_hub(hub), member_permissions)
       |> Map.new(fn {k, v} -> {String.to_atom(k), v} end)
       |> member_permissions_to_int
 
@@ -597,6 +598,31 @@ defmodule Ret.Hub do
     |> BitFieldUtils.permissions_to_map(@member_permissions)
   end
 
+  def maybe_add_member_permissions(changeset, hub, %{"member_permissions" => member_permissions} = hub_params) do
+    add_member_permissions_update_to_changeset(
+      changeset,
+      hub,
+      member_permissions
+    )
+  end
+
+  def maybe_add_member_permissions(changeset, hub, %{:member_permissions => member_permissions} = hub_params) do
+    add_member_permissions_update_to_changeset(
+      changeset,
+      hub,
+      Map.new(member_permissions, fn {k, v} -> {Atom.to_string(k), v} end)
+    )
+  end
+
+  def maybe_add_member_permissions(changeset, _hub, _params) do
+    changeset
+  end
+
+  def maybe_add_promotion(changeset, account, hub, %{"allow_promotion" => _} = hub_params),
+    do: changeset |> Hub.maybe_add_promotion_to_changeset(account, hub, hub_params)
+
+  def maybe_add_promotion(changeset, _account, _hub, _), do: changeset
+
   # The account argument here can be a Ret.Account, a Ret.OAuthProvider or nil.
   def perms_for_account(%Ret.Hub{} = hub, account) do
     %{
diff --git a/lib/ret_web/controllers/api/v1/hub_controller.ex b/lib/ret_web/controllers/api/v1/hub_controller.ex
index f9ae36661..c873a85b3 100644
--- a/lib/ret_web/controllers/api/v1/hub_controller.ex
+++ b/lib/ret_web/controllers/api/v1/hub_controller.ex
@@ -68,8 +68,8 @@ defmodule RetWeb.Api.V1.HubController do
       hub
       |> Hub.add_attrs_to_changeset(hub_params)
       |> maybe_add_new_scene(scene)
-      |> maybe_add_member_permissions(hub, hub_params)
-      |> maybe_add_promotion(account, hub, hub_params)
+      |> Hub.maybe_add_member_permissions(hub, hub_params)
+      |> Hub.maybe_add_promotion(account, hub, hub_params)
 
     hub = changeset |> Repo.update!() |> Repo.preload(Hub.hub_preloads())
 
@@ -80,16 +80,6 @@ defmodule RetWeb.Api.V1.HubController do
 
   defp maybe_add_new_scene(changeset, scene), do: changeset |> Hub.add_new_scene_to_changeset(scene)
 
-  defp maybe_add_member_permissions(changeset, hub, %{"member_permissions" => %{}} = hub_params),
-    do: changeset |> Hub.add_member_permissions_update_to_changeset(hub, hub_params)
-
-  defp maybe_add_member_permissions(changeset, _hub, _), do: changeset
-
-  defp maybe_add_promotion(changeset, account, hub, %{"allow_promotion" => _} = hub_params),
-    do: changeset |> Hub.maybe_add_promotion_to_changeset(account, hub, hub_params)
-
-  defp maybe_add_promotion(changeset, _account, _hub, _), do: changeset
-
   def delete(conn, %{"id" => hub_sid}) do
     Hub
     |> Repo.get_by(hub_sid: hub_sid)
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index a5e86c2d1..61799645d 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -95,25 +95,29 @@ defmodule RetWeb.Resolvers.RoomResolver do
         {:error, "Account does not have permission to update this hub."}
 
       true ->
-        # TODO: Member permissions #              |> Hub.add_member_permissions_to_changeset(args)
-        # TODO: Promotions         #              |> Hub.maybe_add_promotion_to_changeset(account, hub, args)
-        try_do_update_room(hub, changeset_for_update_room(hub, args), account)
+        changeset =
+          hub
+          |> Hub.add_attrs_to_changeset(args)
+          |> Hub.maybe_add_member_permissions(hub, args)
+          |> Hub.maybe_add_promotion_to_changeset(account, hub, args)
+          |> maybe_add_new_scene_to_changeset(args)
+
+        try_do_update_room(hub, changeset, account)
     end
   end
 
-  defp changeset_for_update_room(hub, %{scene_id: scene_id} = args) do
+  defp maybe_add_new_scene_to_changeset(changeset, %{scene_id: scene_id}) do
     scene_or_scene_listing = Hub.get_scene_or_scene_listing_by_id(scene_id)
 
     if is_nil(scene_or_scene_listing) do
       {:error, "Cannot find scene with id " <> scene_id}
     else
-      Hub.changeset_for_new_scene(hub, scene_or_scene_listing)
-      |> Hub.add_attrs_to_changeset(args)
+      Hub.add_new_scene_to_changeset(changeset, scene_or_scene_listing)
     end
   end
 
-  defp changeset_for_update_room(hub, args) do
-    Hub.add_attrs_to_changeset(change(hub), args)
+  defp maybe_add_new_scene_to_changeset(changeset, _args) do
+    changeset
   end
 
   defp try_do_update_room(hub, changeset, account) do
@@ -135,8 +139,6 @@ defmodule RetWeb.Resolvers.RoomResolver do
           |> Repo.update!()
           |> Repo.preload(Hub.hub_preloads())
 
-        updated_hub = Ret.Repo.preload(updated_hub, Hub.hub_preloads())
-
         response =
           HubView.render("show.json", %{
             hub: updated_hub,
@@ -148,7 +150,8 @@ defmodule RetWeb.Resolvers.RoomResolver do
             "member_permissions",
             "room_size",
             "allow_promotion",
-            "scene"
+            "scene",
+            "member_permissions"
           ])
 
         RetWeb.Endpoint.broadcast!("hub:" <> updated_hub.hub_sid, "hub_refresh_by_api", response)
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index c448100f8..0d849164a 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -15,6 +15,15 @@ defmodule RetWeb.Schema.RoomTypes do
     field(:username, :string)
   end
 
+  input_object :input_member_permissions do
+    field(:spawn_and_move_media, :boolean)
+    field(:spawn_camera, :boolean)
+    field(:spawn_drawing, :boolean)
+    field(:pin_objects, :boolean)
+    field(:spawn_emoji, :boolean)
+    field(:fly, :boolean)
+  end
+
   object :member_permissions do
     field(:spawn_and_move_media, :boolean)
     field(:spawn_camera, :boolean)
@@ -110,9 +119,9 @@ defmodule RetWeb.Schema.RoomTypes do
       arg(:description, :string)
       arg(:room_size, :integer)
       arg(:scene_id, :string)
+      arg(:member_permissions, :input_member_permissions)
       # TODO: promotion
       # TODO: add/remove owner
-      # TODO: member_permissions
 
       resolve(&Resolvers.RoomResolver.update_room/3)
     end

From 81726e77b290faf4dbca1d8a3c980fd3d75acb33 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 24 Aug 2020 16:04:45 -0700
Subject: [PATCH 030/138] Remove unused vars

---
 lib/ret/hub.ex                         | 4 ++--
 lib/ret_web/resolvers/room_resolver.ex | 7 +++----
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 053e8fd3c..8471369d7 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -598,7 +598,7 @@ defmodule Ret.Hub do
     |> BitFieldUtils.permissions_to_map(@member_permissions)
   end
 
-  def maybe_add_member_permissions(changeset, hub, %{"member_permissions" => member_permissions} = hub_params) do
+  def maybe_add_member_permissions(changeset, hub, %{"member_permissions" => member_permissions}) do
     add_member_permissions_update_to_changeset(
       changeset,
       hub,
@@ -606,7 +606,7 @@ defmodule Ret.Hub do
     )
   end
 
-  def maybe_add_member_permissions(changeset, hub, %{:member_permissions => member_permissions} = hub_params) do
+  def maybe_add_member_permissions(changeset, hub, %{:member_permissions => member_permissions}) do
     add_member_permissions_update_to_changeset(
       changeset,
       hub,
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 61799645d..6b39ab6e3 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -1,9 +1,8 @@
 defmodule RetWeb.Resolvers.RoomResolver do
-  alias Ret.{Hub, Repo, Scene, SceneListing}
+  alias Ret.{Hub, Repo}
   alias RetWeb.Api.V1.{HubView}
   import Canada, only: [can?: 2]
   import RetWeb.ApiEctoErrorHelpers
-  import Ecto.Changeset, only: [put_assoc: 3, change: 1]
 
   def my_rooms(_parent, args, %{context: %{account: account}}) do
     {:ok, Hub.get_my_rooms(account, args)}
@@ -102,7 +101,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
           |> Hub.maybe_add_promotion_to_changeset(account, hub, args)
           |> maybe_add_new_scene_to_changeset(args)
 
-        try_do_update_room(hub, changeset, account)
+        try_do_update_room(changeset, account)
     end
   end
 
@@ -120,7 +119,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
     changeset
   end
 
-  defp try_do_update_room(hub, changeset, account) do
+  defp try_do_update_room(changeset, account) do
     case changeset do
       {:error, reason} ->
         {:error, reason}

From 15d6475976c5d130fc5b4218ca4773f4b5742557 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 24 Aug 2020 17:24:07 -0700
Subject: [PATCH 031/138] Add some documentation for the API

---
 guides/api.md | 237 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 237 insertions(+)
 create mode 100644 guides/api.md

diff --git a/guides/api.md b/guides/api.md
new file mode 100644
index 000000000..b66ad3062
--- /dev/null
+++ b/guides/api.md
@@ -0,0 +1,237 @@
+# Overview
+Reticulum includes a [GraphQL](https://graphql.org/) API to better allow you to customize the app to your specific needs. 
+
+## Accessing the API
+The API can be accessed by sending `GET` or `POST` requests to `/api/v2/`.
+Requests can be sent in code with an `HTTP` client library, on the command line with a tool like `curl`, with a GraphQL-specific client library, or any other tool that speaks `HTTP`. There is also an interactive GUI for accessing the API available at `/api/v2/graphiql`. 
+
+## Authenticating requests
+Most requests sent to the API need to be authenticated. To authenticate a request, add the http header `Authorization` with value `Bearer: <your API token>`. Currently, your API token is the same as your account token, which you can find with the following steps:
+- Navigate to the homepage
+- Sign in
+- Open the developer console of your browser. (
+Instructions for opening the console in firefox: https://developer.mozilla.org/en-US/docs/Tools/Web_Console#Opening_the_Web_Console
+Instructions for chrome: https://developers.google.com/web/tools/chrome-devtools/open)
+- Type `window.APP.store.state.credentials.token` into the console and press enter.
+- Your token should be returned surrounded by quotations marks (`"<your API token here>"`)
+
+It is likely that the authentication method will change in future releases of the API to include something like API tokens whose permissions can be limited to specific scopes, so that people are not encouraged to share admin account tokens. Sharing account tokens is dangerous - don't do it.
+
+## Passing arguments
+We use a library called [`absinthe`](http://absinthe-graphql.org/) to power the `GraphQL` API. This library automatically converts between `camelCase` (a typical convention in `javascript`) and `snake_case` (a typical convention in `elixir`). For this reason, you will send and receive arguments and values in `camelCase`, but will see the corresponding values in `elixir` code as `snake_case`.
+
+## Rooms
+The following examples show the capabilities of creating, querying, and modifying rooms. The code for these commands and object types can be found in [`/lib/ret_web/schema/room_types.ex`](./lib/ret_web/schema/room_types.ex)
+
+### Create a room
+Request:
+```
+mutation {
+  createRoom(name:"My Fun Get-Together"){
+    id
+  }
+}
+```
+Response:
+```js
+{
+  "data": {
+    "createRoom": {
+      "id": "3FqxixG"
+    }
+  }
+}
+```
+
+### Querying Rooms
+Room queries return a `RoomList` object, which paginates responses. For a specific page or page size, pass the `page` or `pageSize` arguments along with  the request. 
+
+#### My rooms
+Request:
+```
+query {
+  myRooms(page: 1, pageSize: 10) {
+    entries {
+      name,
+      id,
+      scene {
+        ... on Scene {
+          id,
+          name
+        }
+        ... on SceneListing{
+          id,
+          name
+        }
+      }
+    }
+  }
+}
+```
+Response:
+```js
+{
+  "data": {
+    "myRooms": {
+      "entries": [
+        {
+          "id": "3FqxixG",
+          "name": "My Fun Get-Together",
+          "scene": null
+        },
+        {
+          "id": "FmNKVjL",
+          "name": "Foo",
+          "scene": {
+            "id": "tXkCgJw",
+            "name": "Crater 2"
+          }
+        },
+        "scene": {
+          "id": "74VD2Et",
+          "name": "Crater"
+        }
+      ]
+    }
+  }
+}
+```
+
+#### Query my favorite rooms
+Request:
+```
+query {
+  myFavorites {
+    entries {
+      name,
+      id
+    }
+  }
+}
+```
+Response:
+```js
+{
+  "data": {
+    "favoriteRooms": {
+      "entries": [
+        {
+          "id": "4jByd2w",
+          "name": "Uniform Ready Social"
+        },
+        {
+          "id": "5wQhhbG",
+          "name": "Angelic Vibrant Spot"
+        },
+        {
+          "id": "RmNv2k2",
+          "name": "Golden Perfect Volume"
+        },
+      ]
+    }
+  }
+}
+```
+
+
+#### Query public rooms
+Request:
+```
+query {
+  publicRooms {
+    entries {
+      name,
+      id
+    }
+  }
+}
+```
+Response:
+```js
+{
+  "data": {
+    "publicRooms": {
+      "entries": [
+        {
+          "id": "z7LQiNi",
+          "name": "Big Time Room"
+        },
+        {
+          "id": "SVnhCWq",
+          "name": "sdafasdf"
+        }
+      ]
+    }
+  }
+}
+```
+
+### Updating rooms
+#### Set room properties like `name`, `description`, and `roomSize`
+```
+mutation {
+  updateRoom(
+    id:"FmNKVjL", 
+    name:"Foo bar baz", 
+    description:"Some description", 
+    roomSize:15,
+  ) {
+    id
+  }
+}
+```
+#### Change the scene of a given room:
+```
+mutation {
+  updateRoom(
+    id:"FmNKVjL", 
+    sceneId: "74VD2Et",
+  ) {
+    id
+  }
+}
+```
+
+#### Change member permissions in the room:
+```
+mutation {
+  updateRoom(
+    id:"FmNKVjL", 
+    memberPermissions: {
+      fly: true,
+      spawnEmoji: true,
+      spawnDrawing: true,
+      pin_objects: false,
+      spawnCamera: false,
+      spawnAndMoveMedia: true
+    }
+  ) {
+    id
+  }
+}
+```
+### Change everything all in one go:
+
+```
+mutation {
+  updateRoom(
+    id:"FmNKVjL", 
+    name:"Foo bar baz", 
+    description:"Some description", 
+    roomSize:15,
+    sceneId: "74VD2Et",
+    #sceneId: "tXkCgJw"
+     memberPermissions: {
+      fly: true,
+      spawnEmoji: true,
+      spawnDrawing: true,
+      spawnCamera: false,
+      spawnAndMoveMedia: true
+    }
+  ) {
+    id
+  }
+}
+```
+
+

From c5e89ebdb32bf26c24c16c1886a5da7a2fd2b656 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 24 Aug 2020 17:27:27 -0700
Subject: [PATCH 032/138] Fixup doc

---
 guides/api.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/guides/api.md b/guides/api.md
index b66ad3062..f33dbb8b8 100644
--- a/guides/api.md
+++ b/guides/api.md
@@ -21,7 +21,7 @@ It is likely that the authentication method will change in future releases of th
 We use a library called [`absinthe`](http://absinthe-graphql.org/) to power the `GraphQL` API. This library automatically converts between `camelCase` (a typical convention in `javascript`) and `snake_case` (a typical convention in `elixir`). For this reason, you will send and receive arguments and values in `camelCase`, but will see the corresponding values in `elixir` code as `snake_case`.
 
 ## Rooms
-The following examples show the capabilities of creating, querying, and modifying rooms. The code for these commands and object types can be found in [`/lib/ret_web/schema/room_types.ex`](./lib/ret_web/schema/room_types.ex)
+The following examples show the capabilities of creating, querying, and modifying rooms. The code for these commands and object types can be found in [`/lib/ret_web/schema/room_types.ex`](../lib/ret_web/schema/room_types.ex)
 
 ### Create a room
 Request:
@@ -201,7 +201,7 @@ mutation {
       fly: true,
       spawnEmoji: true,
       spawnDrawing: true,
-      pin_objects: false,
+      pinObjects: false,
       spawnCamera: false,
       spawnAndMoveMedia: true
     }
@@ -220,11 +220,11 @@ mutation {
     description:"Some description", 
     roomSize:15,
     sceneId: "74VD2Et",
-    #sceneId: "tXkCgJw"
-     memberPermissions: {
+    memberPermissions: {
       fly: true,
       spawnEmoji: true,
       spawnDrawing: true,
+      pinObjects: false,
       spawnCamera: false,
       spawnAndMoveMedia: true
     }

From 5dc75b3d03b955d74690f66a89f4fb9780b4a04e Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 24 Aug 2020 19:37:39 -0700
Subject: [PATCH 033/138] Add ability to modify allow_promotion

---
 lib/ret/hub.ex                         | 5 ++++-
 lib/ret_web/resolvers/room_resolver.ex | 2 +-
 lib/ret_web/schema/room_types.ex       | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 8471369d7..310ce1316 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -254,7 +254,7 @@ defmodule Ret.Hub do
   end
 
   def add_promotion_to_changeset(changeset, attrs) do
-    changeset |> put_change(:allow_promotion, !!attrs["allow_promotion"])
+    changeset |> put_change(:allow_promotion, !!attrs["allow_promotion"] || !!attrs.allow_promotion)
   end
 
   def changeset_for_new_seen_occupant_count(%Hub{} = hub, occupant_count) do
@@ -621,6 +621,9 @@ defmodule Ret.Hub do
   def maybe_add_promotion(changeset, account, hub, %{"allow_promotion" => _} = hub_params),
     do: changeset |> Hub.maybe_add_promotion_to_changeset(account, hub, hub_params)
 
+  def maybe_add_promotion(changeset, account, hub, %{allow_promotion: _} = hub_params),
+    do: changeset |> Hub.maybe_add_promotion_to_changeset(account, hub, hub_params)
+
   def maybe_add_promotion(changeset, _account, _hub, _), do: changeset
 
   # The account argument here can be a Ret.Account, a Ret.OAuthProvider or nil.
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 6b39ab6e3..c4badc267 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -98,7 +98,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
           hub
           |> Hub.add_attrs_to_changeset(args)
           |> Hub.maybe_add_member_permissions(hub, args)
-          |> Hub.maybe_add_promotion_to_changeset(account, hub, args)
+          |> Hub.maybe_add_promotion(account, hub, args)
           |> maybe_add_new_scene_to_changeset(args)
 
         try_do_update_room(changeset, account)
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index 0d849164a..9f968ad7d 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -120,7 +120,7 @@ defmodule RetWeb.Schema.RoomTypes do
       arg(:room_size, :integer)
       arg(:scene_id, :string)
       arg(:member_permissions, :input_member_permissions)
-      # TODO: promotion
+      arg(:allow_promotion, :boolean)
       # TODO: add/remove owner
 
       resolve(&Resolvers.RoomResolver.update_room/3)

From 57a052f2ee6d088689ffd62a84783150dbcc6a27 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 26 Aug 2020 12:20:12 -0700
Subject: [PATCH 034/138] Add descriptions to graphql objects/fields

---
 lib/ret_web/schema/room_types.ex | 78 ++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)

diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index 9f968ad7d..23490912d 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -4,73 +4,114 @@ defmodule RetWeb.Schema.RoomTypes do
   alias Ret.Scene
   import Absinthe.Resolution.Helpers, only: [dataloader: 1]
 
+  @desc "Public TLS port number used for TURN"
   object :turn_transport do
+    @desc "Public TLS port number used for TURN"
     field(:port, :integer)
   end
 
+  @desc "TURN information for DLTS over TURN fallback, when enabled"
   object :turn_info do
+    @desc "Cryptographic credential, good for two minutes"
     field(:credential, :string)
+    @desc "Whether TURN is enabled/configured"
     field(:enabled, :boolean)
+    @desc "List of public TLS ports"
     field(:transports, list_of(:turn_transport))
+    @desc "Username, good for two minutes"
     field(:username, :string)
   end
 
+  @desc "Permissions for participants in the room"
   input_object :input_member_permissions do
+    @desc "Allows non-admin participants to spawn and move media"
     field(:spawn_and_move_media, :boolean)
+    @desc "Allows non-admin participants to spawn in-game cameras"
     field(:spawn_camera, :boolean)
+    @desc "Allows non-admin participants to draw with a pen"
     field(:spawn_drawing, :boolean)
+    @desc "Allows non-admin participants to pin media to the room"
     field(:pin_objects, :boolean)
+    @desc "Allows non-admin participants to spawn emoji"
     field(:spawn_emoji, :boolean)
+    @desc "Allows non-admin participants to toggle fly mode"
     field(:fly, :boolean)
   end
 
+  @desc "Permissions for participants in the room"
   object :member_permissions do
+    @desc "Allows non-admin participants to spawn and move media"
     field(:spawn_and_move_media, :boolean)
+    @desc "Allows non-admin participants to spawn in-game cameras"
     field(:spawn_camera, :boolean)
+    @desc "Allows non-admin participants to draw with a pen"
     field(:spawn_drawing, :boolean)
+    @desc "Allows non-admin participants to pin media to the room"
     field(:pin_objects, :boolean)
+    @desc "Allows non-admin participants to spawn emoji"
     field(:spawn_emoji, :boolean)
+    @desc "Allows non-admin participants to toggle fly mode"
     field(:fly, :boolean)
   end
 
+  @desc "A room"
   object :room do
+    @desc "The room's unique ID"
     field(:hub_sid, :id, name: "id")
+    @desc "The room's name"
     field(:name, :string)
+    @desc "The room's name as it appears at the end of its URL"
     field(:slug, :string)
+    @desc "A description of the room"
     field(:description, :string)
+    @desc "Makes this room public, while it is still open"
     field(:allow_promotion, :boolean)
+    @desc "Temporary entry code"
     field(:entry_code, :string)
+    @desc "Whether the room is open or closed"
     field(:entry_mode, :string)
+    @desc "The host server associated with this room via the load balancer"
     field(:host, :string)
 
+    @desc "The port number used to connect to the host server"
     field(:port, :integer) do
+      @desc "The port number used to connect to the host server"
       resolve(&Resolvers.RoomResolver.port/3)
     end
 
+    @desc "TURN information for DLTS over TURN fallback, when enabled"
     field(:turn, :turn_info) do
       resolve(&Resolvers.RoomResolver.turn/3)
     end
 
+    @desc """
+    Can be used to remove the X-Frame-Options header that is usually served to the Hubs client when this room is loaded, so that the client can access this room from a <frame>, <iframe>, <embed> or <object>.
+    """
     field(:embed_token, :string) do
       resolve(&Resolvers.RoomResolver.embed_token/3)
     end
 
+    @desc "Permissions for participants in the room"
     field(:member_permissions, :member_permissions) do
       resolve(&Resolvers.RoomResolver.member_permissions/3)
     end
 
+    @desc "Number of participants allowed to enter the room"
     field(:room_size, :integer) do
       resolve(&Resolvers.RoomResolver.room_size/3)
     end
 
+    @desc "Number of participants in the room as avatars"
     field(:member_count, :integer) do
       resolve(&Resolvers.RoomResolver.member_count/3)
     end
 
+    @desc "Number of participants in the room lobby"
     field(:lobby_count, :integer) do
       resolve(&Resolvers.RoomResolver.lobby_count/3)
     end
 
+    @desc "Scene currently associated with the room"
     field(:scene, :scene_or_scene_listing) do
       resolve(dataloader(Scene))
     end
@@ -78,48 +119,85 @@ defmodule RetWeb.Schema.RoomTypes do
     # TODO: Figure out user_data
   end
 
+  @desc """
+  A list of rooms, with metadata for paging
+  """
   object :room_list do
+    @desc "Total number of rooms for the given query"
     field(:total_entries, :integer)
+    @desc "Total number of pages for the given query"
     field(:total_pages, :integer)
+    @desc "Page number returned for this query"
     field(:page_number, :integer)
+    @desc "Number of rooms per page"
     field(:page_size, :integer)
+    @desc "The list of rooms"
     field(:entries, list_of(:room))
   end
 
+  @desc """
+  Queries designed to return lists of rooms
+  """
   object :room_queries do
+    @desc """
+    Returns a list of rooms created by the given user, identified by the authorization token.
+    """
     field :my_rooms, :room_list do
+      @desc "The desired page of data to return"
       arg(:page, :integer)
+      @desc "The number of entries per page"
       arg(:page_size, :integer)
       resolve(&Resolvers.RoomResolver.my_rooms/3)
     end
 
+    @desc """
+    Returns a list of public rooms.
+    """
     field :public_rooms, :room_list do
+      @desc "The desired page of data to return"
       arg(:page, :integer)
+      @desc "The number of entries per page"
       arg(:page_size, :integer)
       resolve(&Resolvers.RoomResolver.public_rooms/3)
     end
 
+    @desc """
+    Returns a list of rooms favorited by the given user, identified by the authorization token.
+    """
     field :favorite_rooms, :room_list do
+      @desc "The desired page of data to return"
       arg(:page, :integer)
+      @desc "The number of entries per page"
       arg(:page_size, :integer)
       resolve(&Resolvers.RoomResolver.favorite_rooms/3)
     end
   end
 
+  @desc "Entry point for mutating the database"
   object :room_mutations do
+    @desc "Create a room with the given properties"
     field :create_room, :room do
+      @desc "The room name"
       arg(:name, non_null(:string))
 
       resolve(&Resolvers.RoomResolver.create_room/3)
     end
 
+    @desc "Update properties of the room specified by the given id"
     field :update_room, :room do
+      @desc "The id of the room to update"
       arg(:id, non_null(:string))
+      @desc "The room name"
       arg(:name, :string)
+      @desc "A description of the room"
       arg(:description, :string)
+      @desc "The number of participants allowed into the room from the lobby at any given time"
       arg(:room_size, :integer)
+      @desc "The id of the scene to associate with the room"
       arg(:scene_id, :string)
+      @desc "The permissions non-admin participants should have in the room"
       arg(:member_permissions, :input_member_permissions)
+      @desc "Make this room public (while it is open)"
       arg(:allow_promotion, :boolean)
       # TODO: add/remove owner
 

From 20328ed6aa98a92c02ec6b8758ac2b6796728330 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 26 Aug 2020 12:33:39 -0700
Subject: [PATCH 035/138] Add descriptions to scene types

---
 lib/ret_web/schema/scene_types.ex | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/ret_web/schema/scene_types.ex b/lib/ret_web/schema/scene_types.ex
index 5db059926..afb871189 100644
--- a/lib/ret_web/schema/scene_types.ex
+++ b/lib/ret_web/schema/scene_types.ex
@@ -2,6 +2,7 @@ defmodule RetWeb.Schema.SceneTypes do
   use Absinthe.Schema.Notation
   alias Ret.{Scene, SceneListing}
 
+  @desc "A scene or a scene listing"
   union :scene_or_scene_listing do
     types([:scene, :scene_listing])
 
@@ -11,13 +12,19 @@ defmodule RetWeb.Schema.SceneTypes do
     end)
   end
 
+  @desc "A scene"
   object :scene do
+    @desc "The scene id"
     field(:scene_sid, :id, name: "id")
+    @desc "The scene name"
     field(:name, :string)
   end
 
+  @desc "A scene listing (which allows the creator to change the underlying scene assets"
   object :scene_listing do
+    @desc "The scene listing id"
     field(:scene_listing_sid, :id, name: "id")
+    @desc "The scene listing name"
     field(:name, :string)
   end
 end

From 67dd3c0cc77a7ba7f1382e06c68f5d604d77fa83 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 26 Aug 2020 17:09:01 -0700
Subject: [PATCH 036/138] Match on Repo.update errors

---
 lib/ret_web/api_ecto_error_helpers.ex  | 80 ---------------------
 lib/ret_web/resolvers/room_resolver.ex | 96 ++++++++++++++------------
 2 files changed, 50 insertions(+), 126 deletions(-)
 delete mode 100644 lib/ret_web/api_ecto_error_helpers.ex

diff --git a/lib/ret_web/api_ecto_error_helpers.ex b/lib/ret_web/api_ecto_error_helpers.ex
deleted file mode 100644
index a6be576cf..000000000
--- a/lib/ret_web/api_ecto_error_helpers.ex
+++ /dev/null
@@ -1,80 +0,0 @@
-defmodule RetWeb.ApiEctoErrorHelpers do
-  # https://medium.com/@imanhodjaev/organising-absithe-and-ecto-errors-2a2257ccdff6
-
-  alias Ecto.Changeset
-
-  @doc """
-  Transform `%Ecto.Changeset{}` errors to a map
-  containing field name as a key on which validation
-  error happened and it's formatted message.
-  For example:
-  ```
-  %{
-    "title": "title length should be at least 8 characters"
-    ...
-  }
-  ```
-  """
-  def to_api_errors(%Changeset{} = changeset) do
-    changeset
-    |> format_errors()
-    |> concat_errors()
-  end
-
-  # @doc """
-  # Wrap context actions with Ecto.
-  # If action succeeds then the result tuple returned.
-  # If changeset errors happen then all errors transformed
-  # into convenient form of list of maps with fields on
-  # which validations failed.
-  # Else `unknown` error returned.
-  # """
-  # def action_wrapped(fun) do
-  #   case fun.() do
-  #     {:ok, result} ->
-  #       {:ok, result}
-
-  #     {:error, changeset = %Changeset{}} ->
-  #       {
-  #         :error,
-  #         %{
-  #           message: "Changeset errors occurred",
-  #           code: :schema_errors,
-  #           errors: to_api_errors(changeset)
-  #         }
-  #       }
-
-  #     # Case for our standard errors in `IdpWeb.Schema.Errors`
-  #     {:error, %{code: _}} = error ->
-  #       error
-
-  #     {:error, _} ->
-  #       {
-  #         :error,
-  #         %{
-  #           message: "Oops! Unknown error",
-  #           code: :oops
-  #         }
-  #       }
-  #   end
-  # end
-
-  # Extract and interpolate all errors from
-  # `Changeset.errors` and return a map.
-  defp format_errors(%Changeset{} = changeset) do
-    Changeset.traverse_errors(changeset, fn {msg, opts} ->
-      Enum.reduce(opts, msg, fn {key, value}, formatted_msg ->
-        formatted_msg |> String.replace("%{#{key}}", to_string(value))
-      end)
-    end)
-  end
-
-  # Get all errors from `format_errors/1` and
-  # join their messages into a single string
-  # separated by ","
-  defp concat_errors(errors) do
-    Enum.reduce(errors, errors, fn {key, value}, map ->
-      map |> Map.put(key, Enum.join(value, ", "))
-    end)
-  end
-end
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index c4badc267..350ffd2e3 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -1,8 +1,10 @@
 defmodule RetWeb.Resolvers.RoomResolver do
+  @moduledoc """
+  Resolvers for room queries and mutations via the graphql API
+  """
   alias Ret.{Hub, Repo}
   alias RetWeb.Api.V1.{HubView}
   import Canada, only: [can?: 2]
-  import RetWeb.ApiEctoErrorHelpers
 
   def my_rooms(_parent, args, %{context: %{account: account}}) do
     {:ok, Hub.get_my_rooms(account, args)}
@@ -25,14 +27,16 @@ defmodule RetWeb.Resolvers.RoomResolver do
   end
 
   def create_room(_parent, args, %{context: %{account: account}}) do
-    {:ok, hub} = Hub.create(args)
+    case Hub.create(args) do
+      {:ok, hub} ->
+        hub
+        |> Repo.preload(Hub.hub_preloads())
+        |> Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
+        |> Repo.update()
 
-    hub
-    |> Repo.preload(Hub.hub_preloads())
-    |> Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
-    |> Repo.update!()
-
-    {:ok, hub}
+      {:error, reason} ->
+        {:error, reason}
+    end
   end
 
   def create_room(_parent, args, _resolutions) do
@@ -75,9 +79,9 @@ defmodule RetWeb.Resolvers.RoomResolver do
     {:ok, Hub.lobby_count_for(hub)}
   end
 
-  def scene(hub, _args, _resolutions) do
-    {:ok, Hub.scene_or_scene_listing_for(hub)}
-  end
+  # def scene(hub, _args, _resolutions) do
+  #  {:ok, Hub.scene_or_scene_listing_for(hub)}
+  # end
 
   def update_room(_, %{id: hub_sid} = args, %{context: %{account: account}}) do
     hub = Hub |> Repo.get_by(hub_sid: hub_sid) |> Repo.preload([:hub_role_memberships, :hub_bindings])
@@ -119,43 +123,43 @@ defmodule RetWeb.Resolvers.RoomResolver do
     changeset
   end
 
+  defp try_do_update_room({:error, reason}, _) do
+    {:error, reason}
+  end
+
   defp try_do_update_room(changeset, account) do
-    case changeset do
-      {:error, reason} ->
-        {:error, reason}
+    case changeset |> Repo.update() do
+      {:error, changeset} ->
+        {:error, changeset}
 
-      %{valid?: false} ->
-        {:error,
-         %{
-           message: "Changeset errors occurred",
-           code: :schema_errors,
-           errors: to_api_errors(changeset)
-         }}
-
-      _ ->
-        updated_hub =
-          changeset
-          |> Repo.update!()
-          |> Repo.preload(Hub.hub_preloads())
-
-        response =
-          HubView.render("show.json", %{
-            hub: updated_hub,
-            embeddable: account |> can?(embed_hub(updated_hub))
-          })
-          |> Map.put(:stale_fields, [
-            "name",
-            "description",
-            "member_permissions",
-            "room_size",
-            "allow_promotion",
-            "scene",
-            "member_permissions"
-          ])
-
-        RetWeb.Endpoint.broadcast!("hub:" <> updated_hub.hub_sid, "hub_refresh_by_api", response)
-
-        {:ok, updated_hub}
+      {:ok, hub} ->
+        hub = Repo.preload(hub, Hub.hub_preloads())
+
+        case broadcast_hub_refresh(hub, account) do
+          {:error, reason} -> {:error, reason}
+          :ok -> {:ok, hub}
+        end
     end
   end
+
+  defp broadcast_hub_refresh(hub, account) do
+    payload =
+      HubView.render("show.json", %{
+        hub: hub,
+        embeddable: account |> can?(embed_hub(hub))
+      })
+      |> Map.put(:stale_fields, [
+        # TODO: Only include fields that have changed in stale_fields
+        "name",
+        "description",
+        "member_permissions",
+        "room_size",
+        "allow_promotion",
+        "scene",
+        "member_permissions"
+      ])
+
+    # TODO: Update client so we can use hub_refresh without socket_id
+    RetWeb.Endpoint.broadcast("hub:" <> hub.hub_sid, "hub_refresh_by_api", payload)
+  end
 end

From 342c16523065b6fa659fc4904d914786885e46a8 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 26 Aug 2020 17:35:53 -0700
Subject: [PATCH 037/138] Make specifying a room name optional. Add other
 fields

---
 lib/ret_web/resolvers/room_resolver.ex |  7 ++++++-
 lib/ret_web/schema/room_types.ex       | 12 +++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 350ffd2e3..242202c89 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -27,10 +27,15 @@ defmodule RetWeb.Resolvers.RoomResolver do
   end
 
   def create_room(_parent, args, %{context: %{account: account}}) do
+    args = Map.put(args, :name, Map.get(args, :name, "Delightful Cooperative Meetup"))
+
     case Hub.create(args) do
       {:ok, hub} ->
         hub
-        |> Repo.preload(Hub.hub_preloads())
+        |> Hub.add_attrs_to_changeset(args)
+        |> Hub.maybe_add_member_permissions(hub, args)
+        |> Hub.maybe_add_promotion(account, hub, args)
+        |> maybe_add_new_scene_to_changeset(args)
         |> Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
         |> Repo.update()
 
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index 23490912d..67a412309 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -178,7 +178,17 @@ defmodule RetWeb.Schema.RoomTypes do
     @desc "Create a room with the given properties"
     field :create_room, :room do
       @desc "The room name"
-      arg(:name, non_null(:string))
+      arg(:name, :string)
+      @desc "A description of the room"
+      arg(:description, :string)
+      @desc "The number of participants allowed into the room from the lobby at any given time"
+      arg(:room_size, :integer)
+      @desc "The id of the scene to associate with the room"
+      arg(:scene_id, :string)
+      @desc "The permissions non-admin participants should have in the room"
+      arg(:member_permissions, :input_member_permissions)
+      @desc "Make this room public (while it is open)"
+      arg(:allow_promotion, :boolean)
 
       resolve(&Resolvers.RoomResolver.create_room/3)
     end

From 1b06615f65b3fd08ce95d6099c4ff914238f0225 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Fri, 28 Aug 2020 10:36:03 -0700
Subject: [PATCH 038/138] Authorization is enforced on a per-resolver basis

---
 lib/ret_web/auth_error_handler.ex      | 8 --------
 lib/ret_web/resolvers/room_resolver.ex | 4 ++++
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/lib/ret_web/auth_error_handler.ex b/lib/ret_web/auth_error_handler.ex
index 6ba2b7351..11d81664a 100644
--- a/lib/ret_web/auth_error_handler.ex
+++ b/lib/ret_web/auth_error_handler.ex
@@ -5,13 +5,5 @@ defmodule RetWeb.Guardian.AuthErrorHandler do
   def auth_error(conn, {type, _reason}, _opts) do
     body = Poison.encode!(%{error: to_string(type)})
     send_resp(conn, 401, body)
-    # TODO: GraphQL endpoint errors should be formatted with absinthe_plug
-    #  "data" => %{ "action" => null  }
-    #  "errors" => [
-    #    %{
-    #      "message" => "Some error messages",
-    #      "locations" => [%{"line" => 1, "column" => 2}]
-    #    }
-    #  ]
   end
 end
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 242202c89..b889e8c4e 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -93,6 +93,10 @@ defmodule RetWeb.Resolvers.RoomResolver do
     update_room_with_account(hub, account, args)
   end
 
+  def update_room(_, _, _) do
+    {:error, "Not authorized"}
+  end
+
   defp update_room_with_account(nil, _account, %{id: hub_sid}) do
     {:error, "Cannot find room with id " <> hub_sid}
   end

From 568548f2e410dc6fb8ec77d203e4a38edb1a94e3 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 9 Sep 2020 14:08:21 -0700
Subject: [PATCH 039/138] Fix failing test case for allow_promotion

---
 lib/ret/hub.ex                         |  3 ++-
 lib/ret_web/resolvers/room_resolver.ex | 23 ++++++++++++++++-------
 2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 310ce1316..a0846951d 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -254,7 +254,8 @@ defmodule Ret.Hub do
   end
 
   def add_promotion_to_changeset(changeset, attrs) do
-    changeset |> put_change(:allow_promotion, !!attrs["allow_promotion"] || !!attrs.allow_promotion)
+    changeset
+    |> put_change(:allow_promotion, Map.get(attrs, "allow_promotion", false) || Map.get(attrs, :allow_promotion, false))
   end
 
   def changeset_for_new_seen_occupant_count(%Hub{} = hub, occupant_count) do
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index b889e8c4e..058ae0d7a 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -27,17 +27,26 @@ defmodule RetWeb.Resolvers.RoomResolver do
   end
 
   def create_room(_parent, args, %{context: %{account: account}}) do
+    # TODO: Pick random default name
     args = Map.put(args, :name, Map.get(args, :name, "Delightful Cooperative Meetup"))
 
     case Hub.create(args) do
       {:ok, hub} ->
-        hub
-        |> Hub.add_attrs_to_changeset(args)
-        |> Hub.maybe_add_member_permissions(hub, args)
-        |> Hub.maybe_add_promotion(account, hub, args)
-        |> maybe_add_new_scene_to_changeset(args)
-        |> Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
-        |> Repo.update()
+        case hub
+             |> Hub.add_attrs_to_changeset(args)
+             |> Hub.maybe_add_member_permissions(hub, args)
+             |> Hub.maybe_add_promotion(account, hub, args)
+             |> maybe_add_new_scene_to_changeset(args)
+             |> Repo.update() do
+          {:ok, hub} ->
+            hub
+            |> Repo.preload(Hub.hub_preloads())
+            |> Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
+            |> Repo.update()
+
+          {:error, reason} ->
+            {:error, reason}
+        end
 
       {:error, reason} ->
         {:error, reason}

From f8f84776837060d496ef752e6ac2ead26ec46297 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 9 Sep 2020 14:27:09 -0700
Subject: [PATCH 040/138] Add helper script for setting Authorization header

---
 assets/js/insert-auth-header.js | 60 +++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 assets/js/insert-auth-header.js

diff --git a/assets/js/insert-auth-header.js b/assets/js/insert-auth-header.js
new file mode 100644
index 000000000..d896d26be
--- /dev/null
+++ b/assets/js/insert-auth-header.js
@@ -0,0 +1,60 @@
+// Helper script that inserts the Authorization header into
+// the graphiql interface when the user is logged in.
+// TODO: Figure out how to run this when graphiql loads.
+{
+  function hasAuthHeader() {
+    const headers = document.querySelector(".headers .table tbody");
+    if (!headers) return false;
+
+    let hasAuth = false;
+    for (let i = 0; i < headers.children.length; i++) {
+      const title = headers.children[i].children[0].innerText;
+      if (title === "Authorization") {
+        hasAuth = true;
+      }
+    }
+    return hasAuth;
+  }
+
+  function setValue(element, value) {
+    let lastValue = element.value;
+    element.value = value;
+    let event = new Event("input", { target: element, bubbles: true });
+    // React 15
+    event.simulated = true;
+    // React 16
+    let tracker = element._valueTracker;
+    if (tracker) {
+      tracker.setValue(lastValue);
+    }
+    element.dispatchEvent(event);
+  }
+
+  async function setAuthHeader() {
+    const store =
+      localStorage &&
+      localStorage.___hubs_store &&
+      JSON.parse(localStorage.___hubs_store);
+    const token = store && store.credentials && store.credentials.token;
+    if (!token) {
+      console.log("Not signed in. Cannot auto-fill Authorization header.");
+      return;
+    }
+
+    const addButton = document.querySelector(".header-add.btn");
+    addButton.click();
+
+    await new Promise((resolve) => setTimeout(resolve, 100));
+    const nameField = document.querySelector(
+      ".modal-body > form:nth-child(1) > div:nth-child(1) > div:nth-child(2) > input:nth-child(1)"
+    );
+    setValue(nameField, "Authorization");
+    const valueField = document.querySelector("#value-input");
+    setValue(valueField, `bearer: ${token}`);
+    const okButton = document.querySelector(".btn-primary");
+    await new Promise((resolve) => setTimeout(resolve, 100));
+    okButton.click();
+  }
+
+  setAuthHeader();
+}

From dcc867249a954031ec9f49ff0a89f88059b2a623 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 9 Sep 2020 14:32:39 -0700
Subject: [PATCH 041/138] Remove duplicate field

---
 lib/ret_web/resolvers/room_resolver.ex | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 058ae0d7a..292aa40a0 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -173,8 +173,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
         "member_permissions",
         "room_size",
         "allow_promotion",
-        "scene",
-        "member_permissions"
+        "scene"
       ])
 
     # TODO: Update client so we can use hub_refresh without socket_id

From 634f0f401355fe247caf7c3e6ea6cb490491edc9 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Fri, 18 Sep 2020 11:53:08 -0700
Subject: [PATCH 042/138] Setup guardian_db and ApiTokens

---
 config/dev.exs                                |  11 ++
 config/test.exs                               |  11 ++
 lib/ret/api_token.ex                          | 100 ++++++++++++++++++
 mix.exs                                       |   1 +
 mix.lock                                      |   1 +
 .../migrations/20200918180620_guardiandb.exs  |  17 +++
 .../migrations/20200918180620_guardiandb.exs  |  17 +++
 test/ret/api_token_test.exs                   |  31 ++++++
 8 files changed, 189 insertions(+)
 create mode 100644 lib/ret/api_token.ex
 create mode 100644 priv/repo/migrations/20200918180620_guardiandb.exs
 create mode 100644 priv/session_lock_repo/migrations/20200918180620_guardiandb.exs
 create mode 100644 test/ret/api_token_test.exs

diff --git a/config/dev.exs b/config/dev.exs
index 6cf1fd03a..77757a3a5 100644
--- a/config/dev.exs
+++ b/config/dev.exs
@@ -187,6 +187,17 @@ config :ret, Ret.Guardian,
   secret_key: "47iqPEdWcfE7xRnyaxKDLt9OGEtkQG3SycHBEMOuT2qARmoESnhc76IgCUjaQIwX",
   ttl: {12, :weeks}
 
+config :ret, Ret.ApiToken,
+  secret_key: "sLqNm8eWf4gtzmaZXUyn5qI93levlvBnX4hqCM9HraDM00QMnVvtQGAQ4S56q3fe",
+  ttl: {2, :hours}
+
+config :guardian, Guardian.DB,
+  repo: Ret.Repo,
+  schema_name: "guardian_tokens", # Would like to call this api_tokens -- would need to edit the template/migrations
+  token_types: ["api"],
+  sweep_interval: 10
+# TODO: sweep_interval doesn't need configuration if we disable sweep
+
 config :web_push_encryption, :vapid_details,
   subject: "mailto:admin@mozilla.com",
   public_key: "BAb03820kHYuqIvtP6QuCKZRshvv_zp5eDtqkuwCUAxASBZMQbFZXzv8kjYOuLGF16A3k8qYnIN10_4asB-Aw7w",
diff --git a/config/test.exs b/config/test.exs
index 6af51574e..286a4cb16 100644
--- a/config/test.exs
+++ b/config/test.exs
@@ -47,6 +47,17 @@ config :ret, Ret.Guardian,
   issuer: "ret",
   secret_key: "47iqPEdWcfE7xRnyaxKDLt9OGEtkQG3SycHBEMOuT2qARmoESnhc76IgCUjaQIwX"
 
+config :ret, Ret.ApiToken,
+  secret_key: "sLqNm8eWf4gtzmaZXUyn5qI93levlvBnX4hqCM9HraDM00QMnVvtQGAQ4S56q3fe",
+  ttl: {2, :hours}
+
+config :guardian, Guardian.DB,
+  repo: Ret.Repo,
+  schema_name: "guardian_tokens", # Would like to call this api_tokens -- would need to edit the template/migrations
+  token_types: ["api"],
+  sweep_interval: 10
+# TODO: sweep_interval doesn't need configuration if we disable sweep
+
 config :ret, Ret.Storage,
   storage_path: "storage/test",
   ttl: 60 * 60 * 24
diff --git a/lib/ret/api_token.ex b/lib/ret/api_token.ex
new file mode 100644
index 000000000..d126e5400
--- /dev/null
+++ b/lib/ret/api_token.ex
@@ -0,0 +1,100 @@
+defmodule Ret.ApiPermissions do
+  @moduledoc """
+  A collection of permissions that can be bestowed on an ApiToken
+  """
+
+  use Bitwise
+
+  @none 0x0000_0000
+  @all 0xFFFF_FFFF
+  @permissions %{
+    (1 <<< 0) => :rooms_mutation_create_room,
+    (1 <<< 1) => :rooms_mutation_update_room,
+    (1 <<< 2) => :rooms_query_created_rooms,
+    (1 <<< 3) => :rooms_query_favorite_rooms,
+    (1 <<< 4) => :rooms_query_public_rooms,
+    (1 <<< 5) => :unused,
+    (1 <<< 6) => :unused,
+    (1 <<< 7) => :unused,
+    (1 <<< 8) => :unused,
+    (1 <<< 9) => :unused,
+    (1 <<< 10) => :unused,
+    (1 <<< 11) => :unused,
+    (1 <<< 12) => :unused,
+    (1 <<< 13) => :unused,
+    (1 <<< 14) => :unused,
+    (1 <<< 15) => :unused,
+    (1 <<< 16) => :unused,
+    (1 <<< 17) => :unused,
+    (1 <<< 18) => :unused,
+    (1 <<< 19) => :unused,
+    (1 <<< 20) => :unused,
+    (1 <<< 21) => :unused,
+    (1 <<< 22) => :unused,
+    (1 <<< 23) => :unused,
+    (1 <<< 24) => :unused,
+    (1 <<< 25) => :unused,
+    (1 <<< 26) => :unused,
+    (1 <<< 27) => :unused,
+    (1 <<< 28) => :unused,
+    (1 <<< 29) => :unused,
+    (1 <<< 30) => :unused,
+    (1 <<< 31) => :unused
+  }
+
+  defp permissions_to_map(bit_field) do
+    bit_field |> BitFieldUtils.permissions_to_map(@permissions)
+  end
+end
+
+defmodule Ret.ApiToken do
+  @moduledoc """
+  ApiTokens determine what actions are allowed to be taken via the public API.
+  """
+  use Guardian, otp_app: :ret, secret_fetcher: Ret.ApiTokenSecretFetcher
+
+  def subject_for_token(_, _), do: {:ok, nil}
+
+  def resource_from_claims(_), do: nil
+
+  # TODO: Where to add permissions?
+  # TODO: Where to set token_type to "api" (insert "typ" => "api" into claims map)
+
+  # guadian hooks for guardian_db
+  def after_encode_and_sign(resource, claims, token, _options) do
+    with {:ok, _} <- Guardian.DB.after_encode_and_sign(resource, claims["typ"], claims, token) do
+      {:ok, token}
+    end
+  end
+
+  def on_verify(claims, token, _options) do
+    with {:ok, _} <- Guardian.DB.on_verify(claims, token) do
+      {:ok, claims}
+    end
+  end
+
+  def on_refresh({old_token, old_claims}, {new_token, new_claims}, _options) do
+    with {:ok, _, _} <- Guardian.DB.on_refresh({old_token, old_claims}, {new_token, new_claims}) do
+      {:ok, {old_token, old_claims}, {new_token, new_claims}}
+    end
+  end
+
+  def on_revoke(claims, token, _options) do
+    with {:ok, _} <- Guardian.DB.on_revoke(claims, token) do
+      {:ok, claims}
+    end
+  end
+end
+
+defmodule Ret.ApiTokenSecretFetcher do
+  @moduledoc false
+  def fetch_signing_secret(_mod, _opts) do
+    {:ok, Application.get_env(:ret, Ret.ApiToken)[:secret_key] |> JOSE.JWK.from_oct()}
+  end
+
+  def fetch_verifying_secret(_mod, _token_headers, _opts) do
+    {:ok, Application.get_env(:ret, Ret.ApiToken)[:secret_key] |> JOSE.JWK.from_oct()}
+  end
+
+  #TODO: How to set configuration for prod?
+end
diff --git a/mix.exs b/mix.exs
index fc41a4973..b67f4fa86 100644
--- a/mix.exs
+++ b/mix.exs
@@ -66,6 +66,7 @@ defmodule Ret.Mixfile do
       {:bamboo, "~> 1.3"},
       {:bamboo_smtp, "~> 1.7"},
       {:guardian, "~> 1.2"},
+      {:guardian_db, "~> 2.0"},
       {:canary, "~> 1.1.1"},
       {:temp, "~> 0.4"},
       {:timex, "~> 3.6"},
diff --git a/mix.lock b/mix.lock
index a18979f76..acc71046a 100644
--- a/mix.lock
+++ b/mix.lock
@@ -33,6 +33,7 @@
   "gen_stage": {:hex, :gen_stage, "0.14.3", "d0c66f1c87faa301c1a85a809a3ee9097a4264b2edf7644bf5c123237ef732bf", [:mix], [], "hexpm", "8453e2289d94c3199396eb517d65d6715ef26bcae0ee83eb5ff7a84445458d76"},
   "gettext": {:hex, :gettext, "0.17.4", "f13088e1ec10ce01665cf25f5ff779e7df3f2dc71b37084976cf89d1aa124d5c", [:mix], [], "hexpm", "3c75b5ea8288e2ee7ea503ff9e30dfe4d07ad3c054576a6e60040e79a801e14d"},
   "guardian": {:hex, :guardian, "1.2.1", "bdc8dd3dbf0fb7216cb6f91c11831faa1a64d39cdaed9a611e37f2413e584983", [:mix], [{:jose, "~> 1.8", [hex: :jose, repo: "hexpm", optional: false]}, {:phoenix, "~> 1.3", [hex: :phoenix, repo: "hexpm", optional: true]}, {:plug, "~> 1.3.3 or ~> 1.4", [hex: :plug, repo: "hexpm", optional: true]}], "hexpm", "723fc404edfb7bd5cba4cd83329b352037f102aa97468f44e58ac7f47c136a98"},
+  "guardian_db": {:hex, :guardian_db, "2.0.3", "18c847efbf7ec3c0dd44c7aecaeeb2777588bbb8d2073ffc36e71037108b3be6", [:mix], [{:ecto, "~> 3.0", [hex: :ecto, repo: "hexpm", optional: false]}, {:ecto_sql, "~> 3.1", [hex: :ecto_sql, repo: "hexpm", optional: false]}, {:guardian, "~> 1.0 or ~> 2.0", [hex: :guardian, repo: "hexpm", optional: false]}, {:postgrex, "~> 0.13", [hex: :postgrex, repo: "hexpm", optional: true]}], "hexpm", "17306e09498bca379fb8eded2ac44d7690f738ca14b17080d06a948d034ea087"},
   "hackney": {:hex, :hackney, "1.15.2", "07e33c794f8f8964ee86cebec1a8ed88db5070e52e904b8f12209773c1036085", [:rebar3], [{:certifi, "2.5.1", [hex: :certifi, repo: "hexpm", optional: false]}, {:idna, "6.0.0", [hex: :idna, repo: "hexpm", optional: false]}, {:metrics, "1.0.1", [hex: :metrics, repo: "hexpm", optional: false]}, {:mimerl, "~>1.1", [hex: :mimerl, repo: "hexpm", optional: false]}, {:ssl_verify_fun, "1.1.5", [hex: :ssl_verify_fun, repo: "hexpm", optional: false]}], "hexpm", "e0100f8ef7d1124222c11ad362c857d3df7cb5f4204054f9f0f4a728666591fc"},
   "httpoison": {:hex, :httpoison, "1.6.2", "ace7c8d3a361cebccbed19c283c349b3d26991eff73a1eaaa8abae2e3c8089b6", [:mix], [{:hackney, "~> 1.15 and >= 1.15.2", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm", "aa2c74bd271af34239a3948779612f87df2422c2fdcfdbcec28d9c105f0773fe"},
   "idna": {:hex, :idna, "6.0.0", "689c46cbcdf3524c44d5f3dde8001f364cd7608a99556d8fbd8239a5798d4c10", [:rebar3], [{:unicode_util_compat, "0.4.1", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm", "4bdd305eb64e18b0273864920695cb18d7a2021f31a11b9c5fbcd9a253f936e2"},
diff --git a/priv/repo/migrations/20200918180620_guardiandb.exs b/priv/repo/migrations/20200918180620_guardiandb.exs
new file mode 100644
index 000000000..aa4b99d8d
--- /dev/null
+++ b/priv/repo/migrations/20200918180620_guardiandb.exs
@@ -0,0 +1,17 @@
+defmodule Ret.Repo.Migrations.CreateGuardianDBTokensTable do
+  use Ecto.Migration
+
+  def change do
+    create table(:guardian_tokens, primary_key: false) do
+      add(:jti, :string, primary_key: true)
+      add(:aud, :string, primary_key: true)
+      add(:typ, :string)
+      add(:iss, :string)
+      add(:sub, :string)
+      add(:exp, :bigint)
+      add(:jwt, :text)
+      add(:claims, :map)
+      timestamps()
+    end
+  end
+end
diff --git a/priv/session_lock_repo/migrations/20200918180620_guardiandb.exs b/priv/session_lock_repo/migrations/20200918180620_guardiandb.exs
new file mode 100644
index 000000000..aa4b99d8d
--- /dev/null
+++ b/priv/session_lock_repo/migrations/20200918180620_guardiandb.exs
@@ -0,0 +1,17 @@
+defmodule Ret.Repo.Migrations.CreateGuardianDBTokensTable do
+  use Ecto.Migration
+
+  def change do
+    create table(:guardian_tokens, primary_key: false) do
+      add(:jti, :string, primary_key: true)
+      add(:aud, :string, primary_key: true)
+      add(:typ, :string)
+      add(:iss, :string)
+      add(:sub, :string)
+      add(:exp, :bigint)
+      add(:jwt, :text)
+      add(:claims, :map)
+      timestamps()
+    end
+  end
+end
diff --git a/test/ret/api_token_test.exs b/test/ret/api_token_test.exs
new file mode 100644
index 000000000..3d4526ac5
--- /dev/null
+++ b/test/ret/api_token_test.exs
@@ -0,0 +1,31 @@
+defmodule Ret.ApiTokenTest do
+  use Ret.DataCase
+
+  # alias Ecto.{Changeset}
+  # alias Ret.{Account, Guardian, Repo}
+
+  test "Creating a token puts it in the database" do
+    {:ok, token, _claims} = Guardian.encode_and_sign(Ret.ApiToken, %{foo: :bar}, %{aud: "ret", typ: "api"})
+
+    [%{jwt: jwt}] = Repo.all(from("guardian_tokens", select: [:jti, :aud, :jwt]))
+    assert jwt == token
+  end
+
+  test "Tokens can be validated" do
+    {:ok, token, claims} = Guardian.encode_and_sign(Ret.ApiToken, %{foo: :bar}, %{aud: "ret", typ: "api"})
+    {:ok, decoded_claims} = Guardian.decode_and_verify(Ret.ApiToken, token)
+
+    Enum.each(["aud", "exp", "iat", "iss", "jti", "nbf", "sub", "typ"], fn x ->
+      assert Map.get(claims, x) === Map.get(decoded_claims, x)
+    end)
+
+    assert claims === decoded_claims
+  end
+
+  test "Tokens can be revoked" do
+    {:ok, token, _claims} = Guardian.encode_and_sign(Ret.ApiToken, %{foo: :bar}, %{aud: "ret", typ: "api"})
+    assert Enum.count(Repo.all(from("guardian_tokens", select: [:jti, :aud, :jwt]))) === 1
+    Guardian.revoke(Ret.ApiToken, token)
+    assert Enum.empty?(Repo.all(from("guardian_tokens", select: [:jti, :aud, :jwt])))
+  end
+end

From 6de2ca2cf2446110a4d8279a83d2474e843afc27 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Fri, 18 Sep 2020 12:03:40 -0700
Subject: [PATCH 043/138] Show that revoked token cannot be verified in test

---
 test/ret/api_token_test.exs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/ret/api_token_test.exs b/test/ret/api_token_test.exs
index 3d4526ac5..5e0912722 100644
--- a/test/ret/api_token_test.exs
+++ b/test/ret/api_token_test.exs
@@ -6,7 +6,6 @@ defmodule Ret.ApiTokenTest do
 
   test "Creating a token puts it in the database" do
     {:ok, token, _claims} = Guardian.encode_and_sign(Ret.ApiToken, %{foo: :bar}, %{aud: "ret", typ: "api"})
-
     [%{jwt: jwt}] = Repo.all(from("guardian_tokens", select: [:jti, :aud, :jwt]))
     assert jwt == token
   end
@@ -18,14 +17,15 @@ defmodule Ret.ApiTokenTest do
     Enum.each(["aud", "exp", "iat", "iss", "jti", "nbf", "sub", "typ"], fn x ->
       assert Map.get(claims, x) === Map.get(decoded_claims, x)
     end)
-
     assert claims === decoded_claims
   end
 
   test "Tokens can be revoked" do
     {:ok, token, _claims} = Guardian.encode_and_sign(Ret.ApiToken, %{foo: :bar}, %{aud: "ret", typ: "api"})
+    {:ok, _claims} = Guardian.decode_and_verify(Ret.ApiToken, token)
     assert Enum.count(Repo.all(from("guardian_tokens", select: [:jti, :aud, :jwt]))) === 1
     Guardian.revoke(Ret.ApiToken, token)
     assert Enum.empty?(Repo.all(from("guardian_tokens", select: [:jti, :aud, :jwt])))
+    {:error, :token_not_found} = Guardian.decode_and_verify(Ret.ApiToken, token)
   end
 end

From 8c0e869472a37ae5e92888c6c90bdc58388d95b6 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Fri, 18 Sep 2020 16:38:21 -0700
Subject: [PATCH 044/138] Confer permissions onto api tokens

---
 lib/ret/api_permissions.ex          | 47 +++++++++++++++++
 lib/ret/api_token.ex                | 78 +++++------------------------
 lib/ret/api_token_generator.ex      | 34 +++++++++++++
 lib/ret/api_token_secret_fetcher.ex | 11 ++++
 test/ret/api_token_test.exs         | 57 +++++++++++++++------
 5 files changed, 145 insertions(+), 82 deletions(-)
 create mode 100644 lib/ret/api_permissions.ex
 create mode 100644 lib/ret/api_token_generator.ex
 create mode 100644 lib/ret/api_token_secret_fetcher.ex

diff --git a/lib/ret/api_permissions.ex b/lib/ret/api_permissions.ex
new file mode 100644
index 000000000..d928e1edb
--- /dev/null
+++ b/lib/ret/api_permissions.ex
@@ -0,0 +1,47 @@
+defmodule Ret.ApiPermissions do
+  @moduledoc """
+  Helper module for defining permissions and scopes
+  """
+
+  def perms_for_account() do
+    perms_for_scopes([scope_default(), scope_rooms_user()])
+  end
+
+  def default_permissions() do
+    perms_for_scopes([scope_default()])
+  end
+
+  defp permissions do
+    [
+      :rooms_mutation_create_room,
+      :rooms_mutation_update_room,
+      :rooms_query_created_rooms,
+      :rooms_query_favorite_rooms,
+      :rooms_query_public_rooms
+    ]
+  end
+
+  defp scope_default do
+    [
+      :rooms_mutation_create_room,
+      :rooms_query_public_rooms
+    ]
+  end
+
+  defp scope_rooms_user do
+    [
+      :rooms_mutation_create_room,
+      :rooms_mutation_update_room,
+      :rooms_query_created_rooms,
+      :rooms_query_favorite_rooms
+    ]
+  end
+
+  defp perms_for_scopes(scopes) when is_list(scopes) do
+    no_permissions = Map.new(permissions(), fn perm -> {perm, false} end)
+
+    Enum.reduce(Enum.concat(scopes), no_permissions, fn perm, acc ->
+      Map.put(acc, perm, true)
+    end)
+  end
+end
diff --git a/lib/ret/api_token.ex b/lib/ret/api_token.ex
index d126e5400..176c1638a 100644
--- a/lib/ret/api_token.ex
+++ b/lib/ret/api_token.ex
@@ -1,66 +1,25 @@
-defmodule Ret.ApiPermissions do
-  @moduledoc """
-  A collection of permissions that can be bestowed on an ApiToken
-  """
-
-  use Bitwise
-
-  @none 0x0000_0000
-  @all 0xFFFF_FFFF
-  @permissions %{
-    (1 <<< 0) => :rooms_mutation_create_room,
-    (1 <<< 1) => :rooms_mutation_update_room,
-    (1 <<< 2) => :rooms_query_created_rooms,
-    (1 <<< 3) => :rooms_query_favorite_rooms,
-    (1 <<< 4) => :rooms_query_public_rooms,
-    (1 <<< 5) => :unused,
-    (1 <<< 6) => :unused,
-    (1 <<< 7) => :unused,
-    (1 <<< 8) => :unused,
-    (1 <<< 9) => :unused,
-    (1 <<< 10) => :unused,
-    (1 <<< 11) => :unused,
-    (1 <<< 12) => :unused,
-    (1 <<< 13) => :unused,
-    (1 <<< 14) => :unused,
-    (1 <<< 15) => :unused,
-    (1 <<< 16) => :unused,
-    (1 <<< 17) => :unused,
-    (1 <<< 18) => :unused,
-    (1 <<< 19) => :unused,
-    (1 <<< 20) => :unused,
-    (1 <<< 21) => :unused,
-    (1 <<< 22) => :unused,
-    (1 <<< 23) => :unused,
-    (1 <<< 24) => :unused,
-    (1 <<< 25) => :unused,
-    (1 <<< 26) => :unused,
-    (1 <<< 27) => :unused,
-    (1 <<< 28) => :unused,
-    (1 <<< 29) => :unused,
-    (1 <<< 30) => :unused,
-    (1 <<< 31) => :unused
-  }
-
-  defp permissions_to_map(bit_field) do
-    bit_field |> BitFieldUtils.permissions_to_map(@permissions)
-  end
-end
-
 defmodule Ret.ApiToken do
   @moduledoc """
   ApiTokens determine what actions are allowed to be taken via the public API.
   """
   use Guardian, otp_app: :ret, secret_fetcher: Ret.ApiTokenSecretFetcher
 
+  import Ecto.Query
+
+  alias Ret.{Account, Repo}
+
+  def subject_for_token(%Account{} = account, _), do: {:ok, to_string(account.account_id)}
   def subject_for_token(_, _), do: {:ok, nil}
 
-  def resource_from_claims(_), do: nil
+  def resource_from_claims(%{"sub" => nil}), do: nil
+
+  def resource_from_claims(%{"sub" => account_id}) do
+    result_for_account(Repo.one(where(Account, [a], a.account_id == ^account_id)))
+  end
 
-  # TODO: Where to add permissions?
-  # TODO: Where to set token_type to "api" (insert "typ" => "api" into claims map)
+  defp result_for_account(%Account{} = account), do: {:ok, account}
+  defp result_for_account(nil), do: {:error, "Account not found"}
 
-  # guadian hooks for guardian_db
   def after_encode_and_sign(resource, claims, token, _options) do
     with {:ok, _} <- Guardian.DB.after_encode_and_sign(resource, claims["typ"], claims, token) do
       {:ok, token}
@@ -85,16 +44,3 @@ defmodule Ret.ApiToken do
     end
   end
 end
-
-defmodule Ret.ApiTokenSecretFetcher do
-  @moduledoc false
-  def fetch_signing_secret(_mod, _opts) do
-    {:ok, Application.get_env(:ret, Ret.ApiToken)[:secret_key] |> JOSE.JWK.from_oct()}
-  end
-
-  def fetch_verifying_secret(_mod, _token_headers, _opts) do
-    {:ok, Application.get_env(:ret, Ret.ApiToken)[:secret_key] |> JOSE.JWK.from_oct()}
-  end
-
-  #TODO: How to set configuration for prod?
-end
diff --git a/lib/ret/api_token_generator.ex b/lib/ret/api_token_generator.ex
new file mode 100644
index 000000000..8e899a5f5
--- /dev/null
+++ b/lib/ret/api_token_generator.ex
@@ -0,0 +1,34 @@
+defmodule Ret.ApiTokenGenerator do
+  @moduledoc """
+  Generate API tokens with appropriate scope
+  """
+  alias Ret.{Account, ApiToken, ApiPermissions}
+
+  defp default_claims() do
+    %{aud: "ret", typ: "api"}
+  end
+
+  defp default_options() do
+    [ttl: {5, :minutes}]
+  end
+
+  def gen_token() do
+    ApiToken.encode_and_sign(
+      nil,
+      Map.merge(ApiPermissions.default_permissions(), default_claims()),
+      default_options()
+    )
+  end
+
+  def gen_token_for_account(%Account{} = account) do
+    ApiToken.encode_and_sign(
+      account,
+      Map.merge(ApiPermissions.perms_for_account(), default_claims()),
+      default_options()
+    )
+  end
+
+  def gen_token_for_account(_account) do
+    {:error, "Did not specify account."}
+  end
+end
diff --git a/lib/ret/api_token_secret_fetcher.ex b/lib/ret/api_token_secret_fetcher.ex
new file mode 100644
index 000000000..4c2966978
--- /dev/null
+++ b/lib/ret/api_token_secret_fetcher.ex
@@ -0,0 +1,11 @@
+# TODO: How to set configuration for prod?
+defmodule Ret.ApiTokenSecretFetcher do
+  @moduledoc false
+  def fetch_signing_secret(_mod, _opts) do
+    {:ok, Application.get_env(:ret, Ret.ApiToken)[:secret_key] |> JOSE.JWK.from_oct()}
+  end
+
+  def fetch_verifying_secret(_mod, _token_headers, _opts) do
+    {:ok, Application.get_env(:ret, Ret.ApiToken)[:secret_key] |> JOSE.JWK.from_oct()}
+  end
+end
diff --git a/test/ret/api_token_test.exs b/test/ret/api_token_test.exs
index 5e0912722..712888582 100644
--- a/test/ret/api_token_test.exs
+++ b/test/ret/api_token_test.exs
@@ -1,31 +1,56 @@
 defmodule Ret.ApiTokenTest do
   use Ret.DataCase
 
-  # alias Ecto.{Changeset}
-  # alias Ret.{Account, Guardian, Repo}
+  alias Ret.ApiTokenGenerator, as: Generator
 
-  test "Creating a token puts it in the database" do
-    {:ok, token, _claims} = Guardian.encode_and_sign(Ret.ApiToken, %{foo: :bar}, %{aud: "ret", typ: "api"})
-    [%{jwt: jwt}] = Repo.all(from("guardian_tokens", select: [:jti, :aud, :jwt]))
+  defp token_query do
+    from("guardian_tokens", select: [:jti, :aud, :jwt, :claims])
+  end
+
+  test "Generating an api token puts it in the database" do
+    {:ok, token, _claims} = Generator.gen_token()
+    [%{jwt: jwt}] = Repo.all(token_query())
     assert jwt == token
   end
 
-  test "Tokens can be validated" do
-    {:ok, token, claims} = Guardian.encode_and_sign(Ret.ApiToken, %{foo: :bar}, %{aud: "ret", typ: "api"})
-    {:ok, decoded_claims} = Guardian.decode_and_verify(Ret.ApiToken, token)
+  test "Api tokens encode default permissions" do
+    {:ok, token, _claims} = Generator.gen_token()
+    {:ok, claims} = Guardian.decode_and_verify(Ret.ApiToken, token)
+    assert Map.get(claims, "rooms_mutation_create_room")
+    assert Map.get(claims, "rooms_mutation_update_room") === false
+  end
 
-    Enum.each(["aud", "exp", "iat", "iss", "jti", "nbf", "sub", "typ"], fn x ->
-      assert Map.get(claims, x) === Map.get(decoded_claims, x)
-    end)
-    assert claims === decoded_claims
+  test "Api tokens generated with an account encode more permissions" do
+    account = Ret.Account.find_or_create_account_for_email("test@mozilla.com")
+    {:ok, token, _claims} = Generator.gen_token_for_account(account)
+    {:ok, claims} = Guardian.decode_and_verify(Ret.ApiToken, token)
+    assert Map.get(claims, "rooms_mutation_create_room")
+    assert Map.get(claims, "rooms_mutation_update_room")
   end
 
-  test "Tokens can be revoked" do
-    {:ok, token, _claims} = Guardian.encode_and_sign(Ret.ApiToken, %{foo: :bar}, %{aud: "ret", typ: "api"})
+  test "Api tokens can be revoked" do
+    {:ok, token, _claims} = Generator.gen_token()
+    [%{jwt: jwt}] = Repo.all(token_query())
+    assert jwt == token
     {:ok, _claims} = Guardian.decode_and_verify(Ret.ApiToken, token)
-    assert Enum.count(Repo.all(from("guardian_tokens", select: [:jti, :aud, :jwt]))) === 1
+
     Guardian.revoke(Ret.ApiToken, token)
-    assert Enum.empty?(Repo.all(from("guardian_tokens", select: [:jti, :aud, :jwt])))
+    assert Enum.empty?(Repo.all(token_query()))
+
     {:error, :token_not_found} = Guardian.decode_and_verify(Ret.ApiToken, token)
   end
+
+  test "Api tokens can be associated with an account" do
+    account = Ret.Account.find_or_create_account_for_email("test@mozilla.com")
+    {:ok, token, _claims} = Generator.gen_token_for_account(account)
+    {:ok, resource, _claims} = Guardian.resource_from_token(Ret.ApiToken, token)
+    assert resource.account_id === account.account_id
+  end
+
+  test "Revoked tokens cannot recover accounts" do
+    account = Ret.Account.find_or_create_account_for_email("test@mozilla.com")
+    {:ok, token, _claims} = Generator.gen_token_for_account(account)
+    Guardian.revoke(Ret.ApiToken, token)
+    {:error, :token_not_found} = Guardian.resource_from_token(Ret.ApiToken, token)
+  end
 end

From c8ac2329d44ca261f40ff7bb1462871f7acdbd44 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 28 Sep 2020 16:48:33 -0700
Subject: [PATCH 045/138] Remove hub_refresh_by_api

---
 lib/ret_web/resolvers/room_resolver.ex | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 292aa40a0..4d79577c8 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -176,7 +176,6 @@ defmodule RetWeb.Resolvers.RoomResolver do
         "scene"
       ])
 
-    # TODO: Update client so we can use hub_refresh without socket_id
-    RetWeb.Endpoint.broadcast("hub:" <> hub.hub_sid, "hub_refresh_by_api", payload)
+    RetWeb.Endpoint.broadcast("hub:" <> hub.hub_sid, "hub_refresh", payload)
   end
 end

From 3841cbb64a6c75788b867c71a660dd8752eda7f7 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Tue, 29 Sep 2020 14:19:59 -0700
Subject: [PATCH 046/138] Add primitive timing info as middleware

---
 lib/ret_web/middlewares/timing.ex | 70 +++++++++++++++++++++++++++++++
 lib/ret_web/schema.ex             |  6 ++-
 2 files changed, 74 insertions(+), 2 deletions(-)
 create mode 100644 lib/ret_web/middlewares/timing.ex

diff --git a/lib/ret_web/middlewares/timing.ex b/lib/ret_web/middlewares/timing.ex
new file mode 100644
index 000000000..5bf2f21b4
--- /dev/null
+++ b/lib/ret_web/middlewares/timing.ex
@@ -0,0 +1,70 @@
+defmodule RetWeb.Middlewares.TimingUtil do
+  @moduledoc false
+  def add_timing_info(%Absinthe.Resolution{private: private} = resolution, identifier, key, value) do
+    timing = Map.get(private, :timing) || %{}
+    info = Map.put(Map.get(timing, identifier) || %{}, key, value)
+
+    %{
+      resolution
+      | private: Map.put(private, :timing, Map.put(timing, identifier, info))
+    }
+  end
+end
+
+defmodule RetWeb.Middlewares.StartTiming do
+  @moduledoc false
+
+  import RetWeb.Middlewares.TimingUtil, only: [add_timing_info: 4]
+
+  @behavior Absinthe.Middleware
+  def call(resolution, _) do
+    add_timing_info(resolution, resolution.definition.schema_node.identifier, :started_at, NaiveDateTime.utc_now())
+  end
+end
+
+defmodule RetWeb.Middlewares.EndTiming do
+  @moduledoc false
+
+  import RetWeb.Middlewares.TimingUtil, only: [add_timing_info: 4]
+
+  @behavior Absinthe.Middleware
+  def call(resolution, _) do
+    add_timing_info(resolution, resolution.definition.schema_node.identifier, :ended_at, NaiveDateTime.utc_now())
+  end
+end
+
+defmodule RetWeb.Middlewares.InspectTiming do
+  @moduledoc false
+
+  @behavior Absinthe.Middleware
+  def call(resolution, _) do
+    case resolution do
+      %{private: %{timing: timing}} ->
+        inspect_timing_info(timing)
+
+      _ ->
+        nil
+    end
+
+    resolution
+  end
+
+  defp inspect_timing_info(timing) do
+    Enum.each(timing, fn item ->
+      case item do
+        {identifier, %{started_at: started_at, ended_at: ended_at}} ->
+          diff = NaiveDateTime.diff(ended_at, started_at, :microsecond)
+          IO.inspect(Atom.to_string(identifier) <> " took #{diff} microseconds to run.")
+
+        {identifier, _} ->
+          IO.puts(
+            "Cannot log diff of identifier because it lacks timing info started_at and ended_at: " <>
+              Atom.to_string(identifier)
+          )
+
+        _ ->
+          nil
+      end
+    end)
+  end
+end
diff --git a/lib/ret_web/schema.ex b/lib/ret_web/schema.ex
index 8df97402d..c079cfd2f 100644
--- a/lib/ret_web/schema.ex
+++ b/lib/ret_web/schema.ex
@@ -2,8 +2,10 @@ defmodule RetWeb.Schema do
   use Absinthe.Schema
   alias Ret.Scene
 
-  def middleware(middleware, _field, %{identifier: :mutation}) do
-    middleware ++ [RetWeb.Middlewares.HandleChangesetErrors]
+  def middleware(middleware, _field, %{identifier: identifier}) do
+    [RetWeb.Middlewares.StartTiming] ++
+      middleware ++
+      [RetWeb.Middlewares.HandleChangesetErrors, RetWeb.Middlewares.EndTiming, RetWeb.Middlewares.InspectTiming]
   end
 
   def middleware(middleware, _field, _object), do: middleware

From 01a6331b053de8af3ef0c3a52c292688135fd466 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Tue, 29 Sep 2020 16:20:25 -0700
Subject: [PATCH 047/138] Build up middleware incrementally

---
 lib/ret_web/schema.ex | 41 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 36 insertions(+), 5 deletions(-)

diff --git a/lib/ret_web/schema.ex b/lib/ret_web/schema.ex
index c079cfd2f..b65188236 100644
--- a/lib/ret_web/schema.ex
+++ b/lib/ret_web/schema.ex
@@ -1,14 +1,45 @@
 defmodule RetWeb.Schema do
+  @moduledoc false
+
   use Absinthe.Schema
   alias Ret.Scene
 
-  def middleware(middleware, _field, %{identifier: identifier}) do
-    [RetWeb.Middlewares.StartTiming] ++
-      middleware ++
-      [RetWeb.Middlewares.HandleChangesetErrors, RetWeb.Middlewares.EndTiming, RetWeb.Middlewares.InspectTiming]
+  alias RetWeb.Middlewares.{HandleChangesetErrors, StartTiming, EndTiming, InspectTiming}
+
+  def middleware(middleware, field, object) do
+    middleware = verify_scopes(middleware, field, object)
+    middleware = maybe_add_handle_changeset_errors(middleware, field, object)
+    middleware = maybe_add_timing(middleware, field, object)
+  end
+
+  defp verify_scopes(middleware, field, object) do
+    # TODO
+    middleware
+  end
+
+  defp maybe_add_handle_changeset_errors(middleware, _field, %{identifier: :mutation}) do
+    middleware ++ [HandleChangesetErrors]
   end
 
-  def middleware(middleware, _field, _object), do: middleware
+  defp maybe_add_handle_changeset_errors(middleware, _field, _object) do
+    middleware
+  end
+
+  @timing_ids [
+    :my_rooms,
+    :public_rooms,
+    :favorite_rooms,
+    :create_room,
+    :update_room
+  ]
+
+  defp maybe_add_timing(middleware, %{identifier: identifier}, _object) when identifier in @timing_ids do
+    [StartTiming] ++ middleware ++ [EndTiming, InspectTiming]
+  end
+
+  defp maybe_add_timing(middleware, _field, _object) do
+    middleware
+  end
 
   import_types(Absinthe.Type.Custom)
   import_types(RetWeb.Schema.RoomTypes)

From 18b4b621a13dcb2941c8120a5bb63a1d93925d0f Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Tue, 29 Sep 2020 17:46:47 -0700
Subject: [PATCH 048/138] Verify the permissions on graphql api usage

---
 config/dev.exs                             |  2 +-
 lib/ret/api_permissions.ex                 |  1 -
 lib/ret/api_token.ex                       |  2 ++
 lib/ret/json_schema_api_error_formatter.ex |  1 +
 lib/ret_web/api_token_auth_pipeline.ex     | 22 +++++++++++++
 lib/ret_web/auth_optional_pipeline.ex      |  1 +
 lib/ret_web/context.ex                     |  8 ++---
 lib/ret_web/middlewares/verify_scopes.ex   | 36 ++++++++++++++++++++++
 lib/ret_web/router.ex                      |  5 +--
 lib/ret_web/schema.ex                      | 18 ++++++++---
 test/api/v2/room_query_test.exs            |  2 +-
 11 files changed, 84 insertions(+), 14 deletions(-)
 create mode 100644 lib/ret_web/api_token_auth_pipeline.ex
 create mode 100644 lib/ret_web/middlewares/verify_scopes.ex

diff --git a/config/dev.exs b/config/dev.exs
index 77757a3a5..728675e3a 100644
--- a/config/dev.exs
+++ b/config/dev.exs
@@ -189,7 +189,7 @@ config :ret, Ret.Guardian,
 
 config :ret, Ret.ApiToken,
   secret_key: "sLqNm8eWf4gtzmaZXUyn5qI93levlvBnX4hqCM9HraDM00QMnVvtQGAQ4S56q3fe",
-  ttl: {2, :hours}
+  ttl: {2, :weeks}
 
 config :guardian, Guardian.DB,
   repo: Ret.Repo,
diff --git a/lib/ret/api_permissions.ex b/lib/ret/api_permissions.ex
index d928e1edb..53b823e84 100644
--- a/lib/ret/api_permissions.ex
+++ b/lib/ret/api_permissions.ex
@@ -30,7 +30,6 @@ defmodule Ret.ApiPermissions do
 
   defp scope_rooms_user do
     [
-      :rooms_mutation_create_room,
       :rooms_mutation_update_room,
       :rooms_query_created_rooms,
       :rooms_query_favorite_rooms
diff --git a/lib/ret/api_token.ex b/lib/ret/api_token.ex
index 176c1638a..152584568 100644
--- a/lib/ret/api_token.ex
+++ b/lib/ret/api_token.ex
@@ -27,6 +27,8 @@ defmodule Ret.ApiToken do
   end
 
   def on_verify(claims, token, _options) do
+    IO.inspect("verifying token")
+    IO.inspect(token)
     with {:ok, _} <- Guardian.DB.on_verify(claims, token) do
       {:ok, claims}
     end
diff --git a/lib/ret/json_schema_api_error_formatter.ex b/lib/ret/json_schema_api_error_formatter.ex
index 7cb3a2f12..5ca6a6cd2 100644
--- a/lib/ret/json_schema_api_error_formatter.ex
+++ b/lib/ret/json_schema_api_error_formatter.ex
@@ -1,4 +1,5 @@
 defmodule Ret.JsonSchemaApiErrorFormatter do
+  @moduledoc false
   def format(errors) do
     ExJsonSchema.Validator.Error.StringFormatter.format(errors)
     |> Enum.map(&{:MALFORMED_RECORD, elem(&1, 0), elem(&1, 1)})
diff --git a/lib/ret_web/api_token_auth_pipeline.ex b/lib/ret_web/api_token_auth_pipeline.ex
new file mode 100644
index 000000000..d933067cf
--- /dev/null
+++ b/lib/ret_web/api_token_auth_pipeline.ex
@@ -0,0 +1,22 @@
+defmodule RetWeb.ApiTokenAuthPipeline do
+  @moduledoc false
+  use Guardian.Plug.Pipeline,
+    otp_app: :ret,
+    module: Ret.ApiToken,
+    error_handler: RetWeb.ApiTokenAuthErrorHandler
+
+  plug(Guardian.Plug.VerifyHeader, realm: "Bearer", claims: %{"typ" => "api"})
+  plug(Guardian.Plug.LoadResource, allow_blank: true)
+end
+
+defmodule RetWeb.ApiTokenAuthErrorHandler do
+  @moduledoc false
+  import Plug.Conn
+
+  def auth_error(conn, {type, _reason}, _opts) do
+    # TODO
+    IO.inspect("Error")
+    IO.inspect(type)
+    conn
+  end
+end
diff --git a/lib/ret_web/auth_optional_pipeline.ex b/lib/ret_web/auth_optional_pipeline.ex
index fe3fef456..bd861bfc7 100644
--- a/lib/ret_web/auth_optional_pipeline.ex
+++ b/lib/ret_web/auth_optional_pipeline.ex
@@ -1,4 +1,5 @@
 defmodule RetWeb.Guardian.AuthOptionalPipeline do
+  @moduledoc false
   use Guardian.Plug.Pipeline,
     otp_app: :ret,
     module: Ret.Guardian,
diff --git a/lib/ret_web/context.ex b/lib/ret_web/context.ex
index 1ee555e80..73c7eed0e 100644
--- a/lib/ret_web/context.ex
+++ b/lib/ret_web/context.ex
@@ -1,4 +1,5 @@
 defmodule RetWeb.Context do
+  @moduledoc false
   @behaviour Plug
 
   def init(opts), do: opts
@@ -9,12 +10,9 @@ defmodule RetWeb.Context do
   end
 
   def build_context(conn) do
+    claims = Guardian.Plug.current_claims(conn)
     account = Guardian.Plug.current_resource(conn)
 
-    if account do
-      %{account: account}
-    else
-      %{}
-    end
+    %{claims: claims, account: account}
   end
 end
diff --git a/lib/ret_web/middlewares/verify_scopes.ex b/lib/ret_web/middlewares/verify_scopes.ex
new file mode 100644
index 000000000..a73741ee5
--- /dev/null
+++ b/lib/ret_web/middlewares/verify_scopes.ex
@@ -0,0 +1,36 @@
+defmodule RetWeb.Middlewares.VerifyScopes do
+  @moduledoc false
+
+  alias Ret.ApiPermissions
+
+  @behavior Absinthe.Middleware
+  def call(resolution, _) do
+    action = resolution.definition.schema_node.identifier
+
+    case resolution.context do
+      %{claims: claims} ->
+        if verify_scope(action, claims) do
+          resolution
+        else
+          Absinthe.Resolution.put_result(resolution, {:error, "unauthorized " <> Atom.to_string(action)})
+        end
+
+      _ ->
+        Absinthe.Resolution.put_result(resolution, {:error, "unauthorized"})
+    end
+  end
+
+  @action_to_permission %{
+    create_room: :rooms_mutation_create_room,
+    update_room: :rooms_mutation_update_room,
+    my_rooms: :rooms_query_created_rooms,
+    public_rooms: :rooms_query_public_rooms,
+    favorite_rooms: :rooms_query_favorite_rooms
+  }
+
+  defp verify_scope(action, claims) do
+    IO.inspect(action)
+    IO.inspect(claims)
+    IO.inspect(Map.get(claims, Atom.to_string(Map.get(@action_to_permission, action))))
+  end
+end
diff --git a/lib/ret_web/router.ex b/lib/ret_web/router.ex
index 4816f9a57..d55172c67 100644
--- a/lib/ret_web/router.ex
+++ b/lib/ret_web/router.ex
@@ -66,6 +66,7 @@ defmodule RetWeb.Router do
   end
 
   pipeline :graphql do
+    plug RetWeb.ApiTokenAuthPipeline
     plug RetWeb.Context
   end
 
@@ -146,8 +147,8 @@ defmodule RetWeb.Router do
     end
   end
 
-  scope "/api/v2", as: :api_v2 do
-    pipe_through([:parsed_body, :api, :auth_optional, :graphql] ++ if(Mix.env() == :prod, do: [:ssl_only], else: []))
+  scope "/api/v2_alpha", as: :api_v2_alpha do
+    pipe_through([:parsed_body, :api, :graphql] ++ if(Mix.env() == :prod, do: [:ssl_only], else: []))
     forward "/graphiql", Absinthe.Plug.GraphiQL, json_codec: Jason, schema: RetWeb.Schema
     forward "/", Absinthe.Plug, json_codec: Jason, schema: RetWeb.Schema
   end
diff --git a/lib/ret_web/schema.ex b/lib/ret_web/schema.ex
index b65188236..9aa9d6a94 100644
--- a/lib/ret_web/schema.ex
+++ b/lib/ret_web/schema.ex
@@ -2,9 +2,9 @@ defmodule RetWeb.Schema do
   @moduledoc false
 
   use Absinthe.Schema
-  alias Ret.Scene
+  alias Ret.{Scene, ApiPermissions}
 
-  alias RetWeb.Middlewares.{HandleChangesetErrors, StartTiming, EndTiming, InspectTiming}
+  alias RetWeb.Middlewares.{VerifyScopes, HandleChangesetErrors, StartTiming, EndTiming, InspectTiming}
 
   def middleware(middleware, field, object) do
     middleware = verify_scopes(middleware, field, object)
@@ -12,8 +12,18 @@ defmodule RetWeb.Schema do
     middleware = maybe_add_timing(middleware, field, object)
   end
 
-  defp verify_scopes(middleware, field, object) do
-    # TODO
+  @auth_fields [
+    :my_rooms,
+    :public_rooms,
+    :favorite_rooms,
+    :create_room,
+    :update_room
+  ]
+
+  defp verify_scopes(middleware, %{identifier: identifier}, _object) when identifier in @auth_fields do
+    [VerifyScopes] ++ middleware
+  end
+  defp verify_scopes(middleware, _field, _object) do
     middleware
   end
 
diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index 62d85a486..18ba4289f 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -56,7 +56,7 @@ defmodule RoomQueryTest do
 
   defp do_graphql_action(conn, query, variables \\ %{}) do
     conn
-    |> post("/api/v2/", %{
+    |> post("/api/v2_alpha/", %{
       "query" => "#{query}",
       "variables" => variables
     })

From 02c76c3be98f70786eeedc11fc87884fe40071cd Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Tue, 29 Sep 2020 19:47:58 -0700
Subject: [PATCH 049/138] Start handling auth_errors in the plug

---
 lib/ret/api_token_generator.ex         |  3 ++-
 lib/ret_web/api_token_auth_pipeline.ex | 12 +++++++++---
 lib/ret_web/schema.ex                  |  6 +++---
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/lib/ret/api_token_generator.ex b/lib/ret/api_token_generator.ex
index 8e899a5f5..954a9a852 100644
--- a/lib/ret/api_token_generator.ex
+++ b/lib/ret/api_token_generator.ex
@@ -9,7 +9,8 @@ defmodule Ret.ApiTokenGenerator do
   end
 
   defp default_options() do
-    [ttl: {5, :minutes}]
+    # TODO: This should be taken from env -- not overwritten here
+    [ttl: {8, :hours}]
   end
 
   def gen_token() do
diff --git a/lib/ret_web/api_token_auth_pipeline.ex b/lib/ret_web/api_token_auth_pipeline.ex
index d933067cf..52806fe72 100644
--- a/lib/ret_web/api_token_auth_pipeline.ex
+++ b/lib/ret_web/api_token_auth_pipeline.ex
@@ -13,10 +13,16 @@ defmodule RetWeb.ApiTokenAuthErrorHandler do
   @moduledoc false
   import Plug.Conn
 
-  def auth_error(conn, {type, _reason}, _opts) do
-    # TODO
-    IO.inspect("Error")
+  def auth_error(conn, {:invalid_token, :token_expired}, opts) do
+    IO.inspect("token_expired")
+    # Need to prevent halting so that we can return these errors in graphql response
+    # https://github.com/ueberauth/guardian/issues/401#issuecomment-367756347
+    opts = Keyword.put(opts, :halt, false)
+    conn
+  end
+  def auth_error(conn, {type, reason}, _opts) do
     IO.inspect(type)
+    IO.inspect(reason)
     conn
   end
 end
diff --git a/lib/ret_web/schema.ex b/lib/ret_web/schema.ex
index 9aa9d6a94..3b1d33172 100644
--- a/lib/ret_web/schema.ex
+++ b/lib/ret_web/schema.ex
@@ -7,7 +7,7 @@ defmodule RetWeb.Schema do
   alias RetWeb.Middlewares.{VerifyScopes, HandleChangesetErrors, StartTiming, EndTiming, InspectTiming}
 
   def middleware(middleware, field, object) do
-    middleware = verify_scopes(middleware, field, object)
+    middleware = maybe_verify_scopes(middleware, field, object)
     middleware = maybe_add_handle_changeset_errors(middleware, field, object)
     middleware = maybe_add_timing(middleware, field, object)
   end
@@ -20,10 +20,10 @@ defmodule RetWeb.Schema do
     :update_room
   ]
 
-  defp verify_scopes(middleware, %{identifier: identifier}, _object) when identifier in @auth_fields do
+  defp maybe_verify_scopes(middleware, %{identifier: identifier}, _object) when identifier in @auth_fields do
     [VerifyScopes] ++ middleware
   end
-  defp verify_scopes(middleware, _field, _object) do
+  defp maybe_verify_scopes(middleware, _field, _object) do
     middleware
   end
 

From 028c3ae59b3380114d88e4e0a1e9fa5d29b4caca Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Tue, 29 Sep 2020 19:51:06 -0700
Subject: [PATCH 050/138] Update guardian so we can avoid halt on error

---
 lib/ret_web/api_token_auth_pipeline.ex | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/ret_web/api_token_auth_pipeline.ex b/lib/ret_web/api_token_auth_pipeline.ex
index 52806fe72..0dfdb2b3b 100644
--- a/lib/ret_web/api_token_auth_pipeline.ex
+++ b/lib/ret_web/api_token_auth_pipeline.ex
@@ -17,6 +17,8 @@ defmodule RetWeb.ApiTokenAuthErrorHandler do
     IO.inspect("token_expired")
     # Need to prevent halting so that we can return these errors in graphql response
     # https://github.com/ueberauth/guardian/issues/401#issuecomment-367756347
+    # Updating Guardian to a release that includes this option
+    # https://github.com/ueberauth/guardian/releases/tag/2.1.0
     opts = Keyword.put(opts, :halt, false)
     conn
   end

From 693204d1173e5e4864634a0a27111f0edb2dca2b Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Tue, 29 Sep 2020 20:12:41 -0700
Subject: [PATCH 051/138] Add guardian_phoenix after guardian upgrade

---
 lib/ret_web/api_token_auth_pipeline.ex   |  6 ++----
 lib/ret_web/middlewares/verify_scopes.ex |  4 ++++
 mix.exs                                  |  3 ++-
 mix.lock                                 | 15 ++++++++-------
 4 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/lib/ret_web/api_token_auth_pipeline.ex b/lib/ret_web/api_token_auth_pipeline.ex
index 0dfdb2b3b..325aa2b6f 100644
--- a/lib/ret_web/api_token_auth_pipeline.ex
+++ b/lib/ret_web/api_token_auth_pipeline.ex
@@ -5,7 +5,7 @@ defmodule RetWeb.ApiTokenAuthPipeline do
     module: Ret.ApiToken,
     error_handler: RetWeb.ApiTokenAuthErrorHandler
 
-  plug(Guardian.Plug.VerifyHeader, realm: "Bearer", claims: %{"typ" => "api"})
+  plug(Guardian.Plug.VerifyHeader, realm: "Bearer", halt: false)
   plug(Guardian.Plug.LoadResource, allow_blank: true)
 end
 
@@ -19,12 +19,10 @@ defmodule RetWeb.ApiTokenAuthErrorHandler do
     # https://github.com/ueberauth/guardian/issues/401#issuecomment-367756347
     # Updating Guardian to a release that includes this option
     # https://github.com/ueberauth/guardian/releases/tag/2.1.0
-    opts = Keyword.put(opts, :halt, false)
     conn
   end
   def auth_error(conn, {type, reason}, _opts) do
-    IO.inspect(type)
-    IO.inspect(reason)
+    # TODO: Write type/reason into conn, to be pulled reported by graphql middleware
     conn
   end
 end
diff --git a/lib/ret_web/middlewares/verify_scopes.ex b/lib/ret_web/middlewares/verify_scopes.ex
index a73741ee5..251b7bee6 100644
--- a/lib/ret_web/middlewares/verify_scopes.ex
+++ b/lib/ret_web/middlewares/verify_scopes.ex
@@ -8,6 +8,10 @@ defmodule RetWeb.Middlewares.VerifyScopes do
     action = resolution.definition.schema_node.identifier
 
     case resolution.context do
+      %{claims: nil} ->
+        #TODO write reason from plug
+        Absinthe.Resolution.put_result(resolution, {:error, "unauthorized : no claims"})
+
       %{claims: claims} ->
         if verify_scope(action, claims) do
           resolution
diff --git a/mix.exs b/mix.exs
index d9572da4c..2efb01f3d 100644
--- a/mix.exs
+++ b/mix.exs
@@ -69,7 +69,8 @@ defmodule Ret.Mixfile do
       {:secure_random, "~> 0.5"},
       {:bamboo, "~> 1.3"},
       {:bamboo_smtp, "~> 1.7"},
-      {:guardian, "~> 1.2"},
+      {:guardian, "~> 2.1.1"},
+      {:guardian_phoenix, "~> 2.0"},
       {:guardian_db, "~> 2.0"},
       {:canary, "~> 1.1.1"},
       {:temp, "~> 0.4"},
diff --git a/mix.lock b/mix.lock
index 1a37a8bac..3a6da0596 100644
--- a/mix.lock
+++ b/mix.lock
@@ -20,7 +20,7 @@
   "crontab": {:hex, :crontab, "1.1.10", "dc9bb1f4299138d47bce38341f5dcbee0aa6c205e864fba7bc847f3b5cb48241", [:mix], [{:ecto, "~> 1.0 or ~> 2.0 or ~> 3.0", [hex: :ecto, repo: "hexpm", optional: true]}], "hexpm", "1347d889d1a0eda997990876b4894359e34bfbbd688acbb0ba28a2795ca40685"},
   "dataloader": {:hex, :dataloader, "1.0.7", "58351b335673cf40601429bfed6c11fece6ce7ad169b2ac0f0fe83e716587391", [:mix], [{:ecto, ">= 0.0.0", [hex: :ecto, repo: "hexpm", optional: true]}], "hexpm", "12bf66478e4a5085d09dc96932d058c206ee8c219cc7691d12a40dc35c8cefaa"},
   "db_connection": {:hex, :db_connection, "2.2.1", "caee17725495f5129cb7faebde001dc4406796f12a62b8949f4ac69315080566", [:mix], [{:connection, "~> 1.0.2", [hex: :connection, repo: "hexpm", optional: false]}], "hexpm", "2b02ece62d9f983fcd40954e443b7d9e6589664380e5546b2b9b523cd0fb59e1"},
-  "decimal": {:hex, :decimal, "1.8.1", "a4ef3f5f3428bdbc0d35374029ffcf4ede8533536fa79896dd450168d9acdf3c", [:mix], [], "hexpm", "3cb154b00225ac687f6cbd4acc4b7960027c757a5152b369923ead9ddbca7aec"},
+  "decimal": {:hex, :decimal, "1.9.0", "83e8daf59631d632b171faabafb4a9f4242c514b0a06ba3df493951c08f64d07", [:mix], [], "hexpm", "b1f2343568eed6928f3e751cf2dffde95bfaa19dd95d09e8a9ea92ccfd6f7d85"},
   "deferred_config": {:hex, :deferred_config, "0.1.1", "ec912e9ee3c99b90a8d4bdec8fbd15309f4bd6729f30789e0ff6f595d06bbce5", [:mix], [], "hexpm", "2eb5311037feb4a6a5dbe3ecc5c98af7ea849730e5dbd9aee0f45c5dbccc3922"},
   "distillery": {:hex, :distillery, "2.1.1", "f9332afc2eec8a1a2b86f22429e068ef35f84a93ea1718265e740d90dd367814", [:mix], [{:artificery, "~> 0.2", [hex: :artificery, repo: "hexpm", optional: false]}], "hexpm", "bbc7008b0161a6f130d8d903b5b3232351fccc9c31a991f8fcbf2a12ace22995"},
   "download": {:git, "https://github.com/gfodor/download.git", "3c341da4a9c3c8fface65d968b4068bd3078b405", [branch: "reticulum/master"]},
@@ -37,8 +37,9 @@
   "gen_smtp": {:hex, :gen_smtp, "0.14.0", "39846a03522456077c6429b4badfd1d55e5e7d0fdfb65e935b7c5e38549d9202", [:rebar3], [], "hexpm", "d32d796c947fa35dc5e8f20706877bb8c8584b16c4eedf3315083f983959d82b"},
   "gen_stage": {:hex, :gen_stage, "0.14.3", "d0c66f1c87faa301c1a85a809a3ee9097a4264b2edf7644bf5c123237ef732bf", [:mix], [], "hexpm", "8453e2289d94c3199396eb517d65d6715ef26bcae0ee83eb5ff7a84445458d76"},
   "gettext": {:hex, :gettext, "0.17.4", "f13088e1ec10ce01665cf25f5ff779e7df3f2dc71b37084976cf89d1aa124d5c", [:mix], [], "hexpm", "3c75b5ea8288e2ee7ea503ff9e30dfe4d07ad3c054576a6e60040e79a801e14d"},
-  "guardian": {:hex, :guardian, "1.2.1", "bdc8dd3dbf0fb7216cb6f91c11831faa1a64d39cdaed9a611e37f2413e584983", [:mix], [{:jose, "~> 1.8", [hex: :jose, repo: "hexpm", optional: false]}, {:phoenix, "~> 1.3", [hex: :phoenix, repo: "hexpm", optional: true]}, {:plug, "~> 1.3.3 or ~> 1.4", [hex: :plug, repo: "hexpm", optional: true]}], "hexpm", "723fc404edfb7bd5cba4cd83329b352037f102aa97468f44e58ac7f47c136a98"},
+  "guardian": {:hex, :guardian, "2.1.1", "1f02b349f6ba765647cc834036a8d76fa4bd65605342fe3a031df3c99d0d411a", [:mix], [{:jose, "~> 1.8", [hex: :jose, repo: "hexpm", optional: false]}, {:plug, "~> 1.3.3 or ~> 1.4", [hex: :plug, repo: "hexpm", optional: true]}], "hexpm", "189b87ba7ce6b40d6ba029138098b96ffc4ae78f229f5b39539b9141af8bf0f8"},
   "guardian_db": {:hex, :guardian_db, "2.0.3", "18c847efbf7ec3c0dd44c7aecaeeb2777588bbb8d2073ffc36e71037108b3be6", [:mix], [{:ecto, "~> 3.0", [hex: :ecto, repo: "hexpm", optional: false]}, {:ecto_sql, "~> 3.1", [hex: :ecto_sql, repo: "hexpm", optional: false]}, {:guardian, "~> 1.0 or ~> 2.0", [hex: :guardian, repo: "hexpm", optional: false]}, {:postgrex, "~> 0.13", [hex: :postgrex, repo: "hexpm", optional: true]}], "hexpm", "17306e09498bca379fb8eded2ac44d7690f738ca14b17080d06a948d034ea087"},
+  "guardian_phoenix": {:hex, :guardian_phoenix, "2.0.1", "89a817265af09a6ddf7cb1e77f17ffca90cea2db10ff888375ef34502b2731b1", [:mix], [{:guardian, "~> 2.0", [hex: :guardian, repo: "hexpm", optional: false]}, {:phoenix, "~> 1.3", [hex: :phoenix, repo: "hexpm", optional: false]}], "hexpm", "21f439246715192b231f228680465d1ed5fbdf01555a4a3b17165532f5f9a08c"},
   "hackney": {:hex, :hackney, "1.15.2", "07e33c794f8f8964ee86cebec1a8ed88db5070e52e904b8f12209773c1036085", [:rebar3], [{:certifi, "2.5.1", [hex: :certifi, repo: "hexpm", optional: false]}, {:idna, "6.0.0", [hex: :idna, repo: "hexpm", optional: false]}, {:metrics, "1.0.1", [hex: :metrics, repo: "hexpm", optional: false]}, {:mimerl, "~>1.1", [hex: :mimerl, repo: "hexpm", optional: false]}, {:ssl_verify_fun, "1.1.5", [hex: :ssl_verify_fun, repo: "hexpm", optional: false]}], "hexpm", "e0100f8ef7d1124222c11ad362c857d3df7cb5f4204054f9f0f4a728666591fc"},
   "httpoison": {:hex, :httpoison, "1.6.2", "ace7c8d3a361cebccbed19c283c349b3d26991eff73a1eaaa8abae2e3c8089b6", [:mix], [{:hackney, "~> 1.15 and >= 1.15.2", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm", "aa2c74bd271af34239a3948779612f87df2422c2fdcfdbcec28d9c105f0773fe"},
   "idna": {:hex, :idna, "6.0.0", "689c46cbcdf3524c44d5f3dde8001f364cd7608a99556d8fbd8239a5798d4c10", [:rebar3], [{:unicode_util_compat, "0.4.1", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm", "4bdd305eb64e18b0273864920695cb18d7a2021f31a11b9c5fbcd9a253f936e2"},
@@ -46,7 +47,7 @@
   "jose": {:hex, :jose, "1.10.1", "16d8e460dae7203c6d1efa3f277e25b5af8b659febfc2f2eb4bacf87f128b80a", [:mix, :rebar3], [], "hexpm", "3c7ddc8a9394b92891db7c2771da94bf819834a1a4c92e30857b7d582e2f8257"},
   "jumper": {:hex, :jumper, "1.0.1", "3c00542ef1a83532b72269fab9f0f0c82bf23a35e27d278bfd9ed0865cecabff", [:mix], [], "hexpm", "318c59078ac220e966d27af3646026db9b5a5e6703cb2aa3e26bcfaba65b7433"},
   "metrics": {:hex, :metrics, "1.0.1", "25f094dea2cda98213cecc3aeff09e940299d950904393b2a29d191c346a8486", [:rebar3], [], "hexpm", "69b09adddc4f74a40716ae54d140f93beb0fb8978d8636eaded0c31b6f099f16"},
-  "mime": {:hex, :mime, "1.3.1", "30ce04ab3175b6ad0bdce0035cba77bba68b813d523d1aac73d9781b4d193cf8", [:mix], [], "hexpm", "6cbe761d6a0ca5a31a0931bf4c63204bceb64538e664a8ecf784a9a6f3b875f1"},
+  "mime": {:hex, :mime, "1.4.0", "5066f14944b470286146047d2f73518cf5cca82f8e4815cf35d196b58cf07c47", [:mix], [], "hexpm", "75fa42c4228ea9a23f70f123c74ba7cece6a03b1fd474fe13f6a7a85c6ea4ff6"},
   "mimerl": {:hex, :mimerl, "1.2.0", "67e2d3f571088d5cfd3e550c383094b47159f3eee8ffa08e64106cdf5e981be3", [:rebar3], [], "hexpm", "f278585650aa581986264638ebf698f8bb19df297f66ad91b18910dfc6e19323"},
   "mix_test_watch": {:hex, :mix_test_watch, "1.0.2", "34900184cbbbc6b6ed616ed3a8ea9b791f9fd2088419352a6d3200525637f785", [:mix], [{:file_system, "~> 0.2.1 or ~> 0.3", [hex: :file_system, repo: "hexpm", optional: false]}], "hexpm", "47ac558d8b06f684773972c6d04fcc15590abdb97aeb7666da19fcbfdc441a07"},
   "mutex": {:hex, :mutex, "1.1.3", "d7e19f96fe19d6d97583bf12ca1ec182bbf14619b7568592cc461135de1c3b81", [:mix], [], "hexpm"},
@@ -55,14 +56,14 @@
   "open_graph": {:hex, :open_graph, "0.0.4", "0790882d5735286abc8391b37d2707613ecd74ebdc5340be664d3df345cd8cae", [:mix], [{:httpoison, "~> 1.5", [hex: :httpoison, repo: "hexpm", optional: false]}], "hexpm", "a22a8ddaf9f881af38d519ced463627c37a8dea49a35cc27efdb9f2b839b9049"},
   "parse_trans": {:hex, :parse_trans, "3.3.0", "09765507a3c7590a784615cfd421d101aec25098d50b89d7aa1d66646bc571c1", [:rebar3], [], "hexpm", "17ef63abde837ad30680ea7f857dd9e7ced9476cdd7b0394432af4bfc241b960"},
   "peerage": {:hex, :peerage, "1.0.3", "945c3dfc407215b89682c65198d004028df0fa772bfea4d2cc9bb4e39e8be9a0", [:mix], [{:deferred_config, "~> 0.1.1", [hex: :deferred_config, repo: "hexpm", optional: false]}], "hexpm", "c9a3316be955f65da1ec39ef891b4c15f2f13bec7bd8d84ef3cdc9fd633d889b"},
-  "phoenix": {:hex, :phoenix, "1.4.16", "2cbbe0c81e6601567c44cc380c33aa42a1372ac1426e3de3d93ac448a7ec4308", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:phoenix_pubsub, "~> 1.1", [hex: :phoenix_pubsub, repo: "hexpm", optional: false]}, {:plug, "~> 1.8.1 or ~> 1.9", [hex: :plug, repo: "hexpm", optional: false]}, {:plug_cowboy, "~> 1.0 or ~> 2.0", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "856cc1a032fa53822737413cf51aa60e750525d7ece7d1c0576d90d7c0f05c24"},
+  "phoenix": {:hex, :phoenix, "1.4.17", "1b1bd4cff7cfc87c94deaa7d60dd8c22e04368ab95499483c50640ef3bd838d8", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:phoenix_pubsub, "~> 1.1", [hex: :phoenix_pubsub, repo: "hexpm", optional: false]}, {:plug, "~> 1.8.1 or ~> 1.9", [hex: :plug, repo: "hexpm", optional: false]}, {:plug_cowboy, "~> 1.0 or ~> 2.0", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "3a8e5d7a3d76d452bb5fb86e8b7bd115f737e4f8efe202a463d4aeb4a5809611"},
   "phoenix_ecto": {:hex, :phoenix_ecto, "4.1.0", "a044d0756d0464c5a541b4a0bf4bcaf89bffcaf92468862408290682c73ae50d", [:mix], [{:ecto, "~> 3.0", [hex: :ecto, repo: "hexpm", optional: false]}, {:phoenix_html, "~> 2.9", [hex: :phoenix_html, repo: "hexpm", optional: true]}, {:plug, "~> 1.0", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "c5e666a341ff104d0399d8f0e4ff094559b2fde13a5985d4cb5023b2c2ac558b"},
   "phoenix_html": {:hex, :phoenix_html, "2.14.1", "7dabafadedb552db142aacbd1f11de1c0bbaa247f90c449ca549d5e30bbc66b4", [:mix], [{:plug, "~> 1.5", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "536d5200ad37fecfe55b3241d90b7a8c3a2ca60cd012fc065f776324fa9ab0a9"},
   "phoenix_live_reload": {:hex, :phoenix_live_reload, "1.2.1", "274a4b07c4adbdd7785d45a8b0bb57634d0b4f45b18d2c508b26c0344bd59b8f", [:mix], [{:file_system, "~> 0.2.1 or ~> 0.3", [hex: :file_system, repo: "hexpm", optional: false]}, {:phoenix, "~> 1.4", [hex: :phoenix, repo: "hexpm", optional: false]}], "hexpm", "41b4103a2fa282cfd747d377233baf213c648fdcc7928f432937676532490eee"},
   "phoenix_pubsub": {:hex, :phoenix_pubsub, "1.1.2", "496c303bdf1b2e98a9d26e89af5bba3ab487ba3a3735f74bf1f4064d2a845a3e", [:mix], [], "hexpm", "1f13f9f0f3e769a667a6b6828d29dec37497a082d195cc52dbef401a9b69bf38"},
-  "plug": {:hex, :plug, "1.10.0", "6508295cbeb4c654860845fb95260737e4a8838d34d115ad76cd487584e2fc4d", [:mix], [{:mime, "~> 1.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_crypto, "~> 1.1.1 or ~> 1.2", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: true]}], "hexpm", "422a9727e667be1bf5ab1de03be6fa0ad67b775b2d84ed908f3264415ef29d4a"},
+  "plug": {:hex, :plug, "1.10.4", "41eba7d1a2d671faaf531fa867645bd5a3dce0957d8e2a3f398ccff7d2ef017f", [:mix], [{:mime, "~> 1.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_crypto, "~> 1.1.1 or ~> 1.2", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "ad1e233fe73d2eec56616568d260777b67f53148a999dc2d048f4eb9778fe4a0"},
   "plug_attack": {:hex, :plug_attack, "0.4.2", "0413707429210b890e21758902ac720a4e06c0350453df9954da3d4ca4bac5d8", [:mix], [{:plug, "~> 1.0", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "e9a2b1786e1d180d295b5974d337f0952de007eaf081f11d075aa1be65347288"},
-  "plug_cowboy": {:hex, :plug_cowboy, "2.1.2", "8b0addb5908c5238fac38e442e81b6fcd32788eaa03246b4d55d147c47c5805e", [:mix], [{:cowboy, "~> 2.5", [hex: :cowboy, repo: "hexpm", optional: false]}, {:plug, "~> 1.7", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "7d722581ce865a237e14da6d946f92704101740a256bd13ec91e63c0b122fc70"},
+  "plug_cowboy": {:hex, :plug_cowboy, "2.1.3", "38999a3e85e39f0e6bdfdf820761abac61edde1632cfebbacc445cdcb6ae1333", [:mix], [{:cowboy, "~> 2.5", [hex: :cowboy, repo: "hexpm", optional: false]}, {:plug, "~> 1.7", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "056f41f814dbb38ea44613e0f613b3b2b2f2c6afce64126e252837669eba84db"},
   "plug_crypto": {:hex, :plug_crypto, "1.1.2", "bdd187572cc26dbd95b87136290425f2b580a116d3fb1f564216918c9730d227", [:mix], [], "hexpm", "6b8b608f895b6ffcfad49c37c7883e8df98ae19c6a28113b02aa1e9c5b22d6b5"},
   "poison": {:hex, :poison, "3.1.0", "d9eb636610e096f86f25d9a46f35a9facac35609a7591b3be3326e99a0484665", [:mix], [], "hexpm", "fec8660eb7733ee4117b85f55799fd3833eb769a6df71ccf8903e8dc5447cfce"},
   "postgrex": {:hex, :postgrex, "0.15.3", "5806baa8a19a68c4d07c7a624ccdb9b57e89cbc573f1b98099e3741214746ae4", [:mix], [{:connection, "~> 1.0", [hex: :connection, repo: "hexpm", optional: false]}, {:db_connection, "~> 2.1", [hex: :db_connection, repo: "hexpm", optional: false]}, {:decimal, "~> 1.5", [hex: :decimal, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}], "hexpm", "4737ce62a31747b4c63c12b20c62307e51bb4fcd730ca0c32c280991e0606c90"},
@@ -79,7 +80,7 @@
   "slugger": {:hex, :slugger, "0.3.0", "efc667ab99eee19a48913ccf3d038b1fb9f165fa4fbf093be898b8099e61b6ed", [:mix], [], "hexpm", "20d0ded0e712605d1eae6c5b4889581c3460d92623a930ddda91e0e609b5afba"},
   "ssl_verify_fun": {:hex, :ssl_verify_fun, "1.1.5", "6eaf7ad16cb568bb01753dbbd7a95ff8b91c7979482b95f38443fe2c8852a79b", [:make, :mix, :rebar3], [], "hexpm", "13104d7897e38ed7f044c4de953a6c28597d1c952075eb2e328bc6d6f2bfc496"},
   "statix": {:hex, :statix, "1.4.0", "c822abd1e60e62828e8460e932515d0717aa3c089b44cc3f795d43b94570b3a8", [:mix], [], "hexpm", "507373cc80925a9b6856cb14ba17f6125552434314f6613c907d295a09d1a375"},
-  "telemetry": {:hex, :telemetry, "0.4.1", "ae2718484892448a24470e6aa341bc847c3277bfb8d4e9289f7474d752c09c7f", [:rebar3], [], "hexpm", "4738382e36a0a9a2b6e25d67c960e40e1a2c95560b9f936d8e29de8cd858480f"},
+  "telemetry": {:hex, :telemetry, "0.4.2", "2808c992455e08d6177322f14d3bdb6b625fbcfd233a73505870d8738a2f4599", [:rebar3], [], "hexpm", "2d1419bd9dda6a206d7b5852179511722e2b18812310d304620c7bd92a13fcef"},
   "temp": {:hex, :temp, "0.4.7", "2c78482cc2294020a4bc0c95950b907ff386523367d4e63308a252feffbea9f2", [:mix], [], "hexpm", "6af19e7d6a85a427478be1021574d1ae2a1e1b90882586f06bde76c63cd03e0d"},
   "the_end": {:git, "https://github.com/mozillareality/the_end.git", "978ce97bec3ec754182fa72e24a82eab935a5853", [branch: "bug/phoenix-14"]},
   "timex": {:hex, :timex, "3.6.1", "efdf56d0e67a6b956cc57774353b0329c8ab7726766a11547e529357ffdc1d56", [:mix], [{:combine, "~> 0.10", [hex: :combine, repo: "hexpm", optional: false]}, {:gettext, "~> 0.10", [hex: :gettext, repo: "hexpm", optional: false]}, {:tzdata, "~> 0.1.8 or ~> 0.5 or ~> 1.0.0", [hex: :tzdata, repo: "hexpm", optional: false]}], "hexpm", "f354efb2400dd7a80fd9eb6c8419068c4f632da4ac47f3d8822d6e33f08bc852"},

From 1d9feddb5709fce61f4780f7432eff8530c21f3c Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 1 Oct 2020 16:13:35 -0700
Subject: [PATCH 052/138] Fix tests. Check for token in middleware.

---
 lib/ret/api_token.ex                          |   2 -
 lib/ret_web/api_token_auth_pipeline.ex        |  12 +-
 lib/ret_web/context.ex                        |  10 +-
 lib/ret_web/middleware.ex                     |  62 +++++++++
 lib/ret_web/middleware/auth_error_util.ex     |  12 ++
 .../handle_changeset_errors.ex                |   3 +-
 .../{middlewares => middleware}/timing.ex     |  18 +--
 .../verify_scopes.ex                          |  39 +++---
 lib/ret_web/middleware/verify_token.ex        |  23 ++++
 lib/ret_web/schema.ex                         |  47 +------
 test/api/v2/room_query_test.exs               | 122 +++++-------------
 test/support/test_helpers.ex                  |   4 +
 12 files changed, 176 insertions(+), 178 deletions(-)
 create mode 100644 lib/ret_web/middleware.ex
 create mode 100644 lib/ret_web/middleware/auth_error_util.ex
 rename lib/ret_web/{middlewares => middleware}/handle_changeset_errors.ex (84%)
 rename lib/ret_web/{middlewares => middleware}/timing.ex (78%)
 rename lib/ret_web/{middlewares => middleware}/verify_scopes.ex (50%)
 create mode 100644 lib/ret_web/middleware/verify_token.ex

diff --git a/lib/ret/api_token.ex b/lib/ret/api_token.ex
index 152584568..176c1638a 100644
--- a/lib/ret/api_token.ex
+++ b/lib/ret/api_token.ex
@@ -27,8 +27,6 @@ defmodule Ret.ApiToken do
   end
 
   def on_verify(claims, token, _options) do
-    IO.inspect("verifying token")
-    IO.inspect(token)
     with {:ok, _} <- Guardian.DB.on_verify(claims, token) do
       {:ok, claims}
     end
diff --git a/lib/ret_web/api_token_auth_pipeline.ex b/lib/ret_web/api_token_auth_pipeline.ex
index 325aa2b6f..c2f030d7a 100644
--- a/lib/ret_web/api_token_auth_pipeline.ex
+++ b/lib/ret_web/api_token_auth_pipeline.ex
@@ -13,16 +13,8 @@ defmodule RetWeb.ApiTokenAuthErrorHandler do
   @moduledoc false
   import Plug.Conn
 
-  def auth_error(conn, {:invalid_token, :token_expired}, opts) do
-    IO.inspect("token_expired")
-    # Need to prevent halting so that we can return these errors in graphql response
-    # https://github.com/ueberauth/guardian/issues/401#issuecomment-367756347
-    # Updating Guardian to a release that includes this option
-    # https://github.com/ueberauth/guardian/releases/tag/2.1.0
-    conn
-  end
-  def auth_error(conn, {type, reason}, _opts) do
-    # TODO: Write type/reason into conn, to be pulled reported by graphql middleware
+  def auth_error(conn, {failure_type, reason}, _opts) do
+    conn = assign(conn, :auth_error, {failure_type, reason})
     conn
   end
 end
diff --git a/lib/ret_web/context.ex b/lib/ret_web/context.ex
index 73c7eed0e..0db4d6629 100644
--- a/lib/ret_web/context.ex
+++ b/lib/ret_web/context.ex
@@ -10,9 +10,11 @@ defmodule RetWeb.Context do
   end
 
   def build_context(conn) do
-    claims = Guardian.Plug.current_claims(conn)
-    account = Guardian.Plug.current_resource(conn)
-
-    %{claims: claims, account: account}
+    %{
+      auth_error: conn.assigns[:auth_error],
+      claims: Guardian.Plug.current_claims(conn),
+      account: Guardian.Plug.current_resource(conn),
+      token: Guardian.Plug.current_token(conn)
+    }
   end
 end
diff --git a/lib/ret_web/middleware.ex b/lib/ret_web/middleware.ex
new file mode 100644
index 000000000..7adde35e0
--- /dev/null
+++ b/lib/ret_web/middleware.ex
@@ -0,0 +1,62 @@
+defmodule RetWeb.Middleware do
+  @moduledoc "Adds absinthe middleware on matching fields/objects"
+
+  alias RetWeb.Middleware.{VerifyToken, VerifyScopes, HandleChangesetErrors, StartTiming, EndTiming, InspectTiming}
+
+  def build_middleware(middleware, field, object) do
+    # TODO: Order matters here, and is precarious. Should insert or not insert middleware in a known order as a result of the matches
+    middleware = maybe_add_handle_changeset_errors(middleware, field, object)
+    middleware = maybe_add_verify_scopes(middleware, field, object)
+    middleware = maybe_add_verify_token(middleware, field, object)
+    middleware = maybe_add_timing(middleware, field, object)
+    middleware
+  end
+
+  @auth_fields [
+    :my_rooms,
+    :public_rooms,
+    :favorite_rooms,
+    :create_room,
+    :update_room
+  ]
+
+  defp maybe_add_verify_token(middleware, %{identifier: identifier}, _object) when identifier in @auth_fields do
+    [VerifyToken] ++ middleware
+  end
+
+  defp maybe_add_verify_token(middleware, _field, _object) do
+    middleware
+  end
+
+  defp maybe_add_verify_scopes(middleware, %{identifier: identifier}, _object) when identifier in @auth_fields do
+    [VerifyScopes] ++ middleware
+  end
+
+  defp maybe_add_verify_scopes(middleware, _field, _object) do
+    middleware
+  end
+
+  defp maybe_add_handle_changeset_errors(middleware, _field, %{identifier: :mutation}) do
+    middleware ++ [HandleChangesetErrors]
+  end
+
+  defp maybe_add_handle_changeset_errors(middleware, _field, _object) do
+    middleware
+  end
+
+  @timing_ids [
+    :my_rooms,
+    :public_rooms,
+    :favorite_rooms,
+    :create_room,
+    :update_room
+  ]
+
+  defp maybe_add_timing(middleware, %{identifier: identifier}, _object) when identifier in @timing_ids do
+    [StartTiming] ++ middleware ++ [EndTiming, InspectTiming]
+  end
+
+  defp maybe_add_timing(middleware, _field, _object) do
+    middleware
+  end
+end
diff --git a/lib/ret_web/middleware/auth_error_util.ex b/lib/ret_web/middleware/auth_error_util.ex
new file mode 100644
index 000000000..abad92a30
--- /dev/null
+++ b/lib/ret_web/middleware/auth_error_util.ex
@@ -0,0 +1,12 @@
+defmodule RetWeb.Middleware.AuthErrorUtil do
+  @moduledoc "Helper for returning auth errors in a uniform way in graphql api"
+
+  import Absinthe.Resolution, only: [put_result: 2]
+
+  def return_error(resolution, type, message) do
+    put_result(
+      resolution,
+      {:error, [type: type, message: message]}
+    )
+  end
+end
diff --git a/lib/ret_web/middlewares/handle_changeset_errors.ex b/lib/ret_web/middleware/handle_changeset_errors.ex
similarity index 84%
rename from lib/ret_web/middlewares/handle_changeset_errors.ex
rename to lib/ret_web/middleware/handle_changeset_errors.ex
index cf2c81ae7..26839584d 100644
--- a/lib/ret_web/middlewares/handle_changeset_errors.ex
+++ b/lib/ret_web/middleware/handle_changeset_errors.ex
@@ -1,4 +1,5 @@
-defmodule RetWeb.Middlewares.HandleChangesetErrors do
+defmodule RetWeb.Middleware.HandleChangesetErrors do
+  @moduledoc false
   @behaviour Absinthe.Middleware
   def call(resolution, _) do
     %{resolution | errors: Enum.flat_map(resolution.errors, &handle_error/1)}
diff --git a/lib/ret_web/middlewares/timing.ex b/lib/ret_web/middleware/timing.ex
similarity index 78%
rename from lib/ret_web/middlewares/timing.ex
rename to lib/ret_web/middleware/timing.ex
index 5bf2f21b4..d4a636e71 100644
--- a/lib/ret_web/middlewares/timing.ex
+++ b/lib/ret_web/middleware/timing.ex
@@ -1,4 +1,4 @@
-defmodule RetWeb.Middlewares.TimingUtil do
+defmodule RetWeb.Middleware.TimingUtil do
   @moduledoc false
   def add_timing_info(%Absinthe.Resolution{private: private} = resolution, identifier, key, value) do
     timing = Map.get(private, :timing) || %{}
@@ -11,32 +11,32 @@ defmodule RetWeb.Middlewares.TimingUtil do
   end
 end
 
-defmodule RetWeb.Middlewares.StartTiming do
+defmodule RetWeb.Middleware.StartTiming do
   @moduledoc false
 
-  import RetWeb.Middlewares.TimingUtil, only: [add_timing_info: 4]
+  import RetWeb.Middleware.TimingUtil, only: [add_timing_info: 4]
 
-  @behavior Absinthe.Middleware
+  @behaviour Absinthe.Middleware
   def call(resolution, _) do
     add_timing_info(resolution, resolution.definition.schema_node.identifier, :started_at, NaiveDateTime.utc_now())
   end
 end
 
-defmodule RetWeb.Middlewares.EndTiming do
+defmodule RetWeb.Middleware.EndTiming do
   @moduledoc false
 
-  import RetWeb.Middlewares.TimingUtil, only: [add_timing_info: 4]
+  import RetWeb.Middleware.TimingUtil, only: [add_timing_info: 4]
 
-  @behavior Absinthe.Middleware
+  @behaviour Absinthe.Middleware
   def call(resolution, _) do
     add_timing_info(resolution, resolution.definition.schema_node.identifier, :ended_at, NaiveDateTime.utc_now())
   end
 end
 
-defmodule RetWeb.Middlewares.InspectTiming do
+defmodule RetWeb.Middleware.InspectTiming do
   @moduledoc false
 
-  @behavior Absinthe.Middleware
+  @behaviour Absinthe.Middleware
   def call(resolution, _) do
     case resolution do
       %{private: %{timing: timing}} ->
diff --git a/lib/ret_web/middlewares/verify_scopes.ex b/lib/ret_web/middleware/verify_scopes.ex
similarity index 50%
rename from lib/ret_web/middlewares/verify_scopes.ex
rename to lib/ret_web/middleware/verify_scopes.ex
index 251b7bee6..a74856db5 100644
--- a/lib/ret_web/middlewares/verify_scopes.ex
+++ b/lib/ret_web/middleware/verify_scopes.ex
@@ -1,40 +1,39 @@
-defmodule RetWeb.Middlewares.VerifyScopes do
+defmodule RetWeb.Middleware.VerifyScopes do
   @moduledoc false
 
-  alias Ret.ApiPermissions
+  import RetWeb.Middleware.AuthErrorUtil, only: [return_error: 3]
+
+  @action_to_permission %{
+    create_room: :rooms_mutation_create_room,
+    update_room: :rooms_mutation_update_room,
+    my_rooms: :rooms_query_created_rooms,
+    public_rooms: :rooms_query_public_rooms,
+    favorite_rooms: :rooms_query_favorite_rooms
+  }
+
+  @behaviour Absinthe.Middleware
+  def call(%{state: :resolved} = resolution, _) do
+    resolution
+  end
 
-  @behavior Absinthe.Middleware
   def call(resolution, _) do
     action = resolution.definition.schema_node.identifier
 
     case resolution.context do
-      %{claims: nil} ->
-        #TODO write reason from plug
-        Absinthe.Resolution.put_result(resolution, {:error, "unauthorized : no claims"})
-
       %{claims: claims} ->
         if verify_scope(action, claims) do
           resolution
         else
-          Absinthe.Resolution.put_result(resolution, {:error, "unauthorized " <> Atom.to_string(action)})
+          missing_permission = Atom.to_string(Map.get(@action_to_permission, action))
+          return_error(resolution, :unauthorized_scopes, "Token does not have permission: #{missing_permission}.")
         end
 
       _ ->
-        Absinthe.Resolution.put_result(resolution, {:error, "unauthorized"})
+        return_error(resolution, :unauthorized, "Token is missing permissions.")
     end
   end
 
-  @action_to_permission %{
-    create_room: :rooms_mutation_create_room,
-    update_room: :rooms_mutation_update_room,
-    my_rooms: :rooms_query_created_rooms,
-    public_rooms: :rooms_query_public_rooms,
-    favorite_rooms: :rooms_query_favorite_rooms
-  }
-
   defp verify_scope(action, claims) do
-    IO.inspect(action)
-    IO.inspect(claims)
-    IO.inspect(Map.get(claims, Atom.to_string(Map.get(@action_to_permission, action))))
+    Map.get(claims, Atom.to_string(Map.get(@action_to_permission, action)))
   end
 end
diff --git a/lib/ret_web/middleware/verify_token.ex b/lib/ret_web/middleware/verify_token.ex
new file mode 100644
index 000000000..dc21c3c21
--- /dev/null
+++ b/lib/ret_web/middleware/verify_token.ex
@@ -0,0 +1,23 @@
+defmodule RetWeb.Middleware.VerifyToken do
+  @moduledoc false
+
+  @behaviour Absinthe.Middleware
+
+  import RetWeb.Middleware.AuthErrorUtil, only: [return_error: 3]
+
+  def call(%{context: %{token: nil}} = resolution, _) do
+    return_error(
+      resolution,
+      :auth_error_token_is_missing,
+      "Missing api token in authorization header required for access"
+    )
+  end
+
+  def call(%{context: %{auth_error: {type, reason}}} = resolution, _) do
+    return_error(resolution, type, reason)
+  end
+
+  def call(resolution, _) do
+    resolution
+  end
+end
diff --git a/lib/ret_web/schema.ex b/lib/ret_web/schema.ex
index 3b1d33172..4e928676c 100644
--- a/lib/ret_web/schema.ex
+++ b/lib/ret_web/schema.ex
@@ -2,53 +2,12 @@ defmodule RetWeb.Schema do
   @moduledoc false
 
   use Absinthe.Schema
-  alias Ret.{Scene, ApiPermissions}
+  alias Ret.Scene
 
-  alias RetWeb.Middlewares.{VerifyScopes, HandleChangesetErrors, StartTiming, EndTiming, InspectTiming}
+  import RetWeb.Middleware, only: [build_middleware: 3]
 
   def middleware(middleware, field, object) do
-    middleware = maybe_verify_scopes(middleware, field, object)
-    middleware = maybe_add_handle_changeset_errors(middleware, field, object)
-    middleware = maybe_add_timing(middleware, field, object)
-  end
-
-  @auth_fields [
-    :my_rooms,
-    :public_rooms,
-    :favorite_rooms,
-    :create_room,
-    :update_room
-  ]
-
-  defp maybe_verify_scopes(middleware, %{identifier: identifier}, _object) when identifier in @auth_fields do
-    [VerifyScopes] ++ middleware
-  end
-  defp maybe_verify_scopes(middleware, _field, _object) do
-    middleware
-  end
-
-  defp maybe_add_handle_changeset_errors(middleware, _field, %{identifier: :mutation}) do
-    middleware ++ [HandleChangesetErrors]
-  end
-
-  defp maybe_add_handle_changeset_errors(middleware, _field, _object) do
-    middleware
-  end
-
-  @timing_ids [
-    :my_rooms,
-    :public_rooms,
-    :favorite_rooms,
-    :create_room,
-    :update_room
-  ]
-
-  defp maybe_add_timing(middleware, %{identifier: identifier}, _object) when identifier in @timing_ids do
-    [StartTiming] ++ middleware ++ [EndTiming, InspectTiming]
-  end
-
-  defp maybe_add_timing(middleware, _field, _object) do
-    middleware
+    build_middleware(middleware, field, object)
   end
 
   import_types(Absinthe.Type.Custom)
diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index 18ba4289f..a5930418f 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -6,6 +6,7 @@ defmodule RoomQueryTest do
   use ExUnit.Case
   use RetWeb.ConnCase
   import Ret.TestHelpers
+  alias Ret.ApiTokenGenerator
 
   setup_all do
     Absinthe.Test.prime(RetWeb.Schema)
@@ -69,141 +70,85 @@ defmodule RoomQueryTest do
     scene = create_scene(account)
     {:ok, hub: hub} = create_hub(%{scene: scene})
     {:ok, hub: public_hub} = create_public_hub(%{scene: scene})
+    {:ok, token, _claims} = ApiTokenGenerator.gen_token_for_account(account)
+    {:ok, limited_token, _claims} = ApiTokenGenerator.gen_token()
 
     %{
       account: account,
       account2: account2,
       scene: scene,
       hub: hub,
-      public_hub: public_hub
+      public_hub: public_hub,
+      token: token,
+      limited_token: limited_token
     }
   end
 
-  test "anyone can query for public rooms", %{conn: conn, public_hub: public_hub} do
+  test "Cannot query without a token", %{conn: conn} do
+    res = conn |> do_graphql_action(@query_public_rooms)
+    assert hd(res["errors"])["type"] === "auth_error_token_is_missing"
+  end
+
+  test "Can query public rooms with limited token", %{conn: conn, public_hub: public_hub, limited_token: limited_token} do
     res =
       conn
+      |> put_auth_header_for_token(limited_token)
       |> do_graphql_action(@query_public_rooms)
 
     rooms = res["data"]["publicRooms"]["entries"]
     assert List.first(rooms)["id"] == public_hub.hub_sid
   end
 
-  test "cannot query my rooms without authentication", %{conn: conn, account: account, hub: hub} do
+  test "Cannot query my rooms with limited token", %{
+    conn: conn,
+    account: account,
+    hub: hub,
+    limited_token: limited_token
+  } do
     assign_creator(hub, account)
 
     res =
       conn
+      |> put_auth_header_for_token(limited_token)
       |> do_graphql_action(@query_my_rooms)
 
-    assert is_nil(res["data"]["myRooms"])
-    error = List.first(res["errors"])
-    assert error["message"] == "Not authorized"
-    assert List.first(error["path"]) == "myRooms"
+    assert hd(res["errors"])["type"] === "unauthorized_scopes"
   end
 
-  test "anyone can query for their own rooms when authenticated", %{
+  test "Can query my rooms with appropriate token", %{
     conn: conn,
     account: account,
-    hub: hub
+    hub: hub,
+    token: token
   } do
     assign_creator(hub, account)
 
     auth_res =
       conn
-      |> put_auth_header_for_account(account)
+      |> put_auth_header_for_token(token)
       |> do_graphql_action(@query_my_rooms)
 
     rooms = auth_res["data"]["myRooms"]["entries"]
     assert List.first(rooms)["id"] == hub.hub_sid
   end
 
-  test "my rooms only returns my own rooms", %{conn: conn, account: account, account2: account2, hub: hub} do
-    assign_creator(hub, account)
+  test "my rooms only returns my own rooms", %{conn: conn, account2: account2, hub: hub, token: token} do
+    assign_creator(hub, account2)
 
     auth_res =
       conn
-      |> put_auth_header_for_account(account2)
+      |> put_auth_header_for_token(token)
       |> do_graphql_action(@query_my_rooms)
 
     rooms = auth_res["data"]["myRooms"]["entries"]
     assert Enum.empty?(rooms)
   end
 
-  test "cannot query favorite rooms without authentication", %{conn: conn, account: account, hub: hub} do
-    Ret.AccountFavorite.ensure_favorited(hub, account)
-
-    res =
-      conn
-      |> do_graphql_action(@query_favorite_rooms)
-
-    assert is_nil(res["data"]["favoriteRooms"])
-    error = List.first(res["errors"])
-    assert error["message"] == "Not authorized"
-    assert List.first(error["path"]) == "favoriteRooms"
-  end
-
-  test "anyone can query favorite rooms when authenticated", %{conn: conn, account: account, hub: hub} do
-    Ret.AccountFavorite.ensure_favorited(hub, account)
-
-    res =
-      conn
-      |> put_auth_header_for_account(account)
-      |> do_graphql_action(@query_favorite_rooms)
-
-    rooms = res["data"]["favoriteRooms"]["entries"]
-    assert List.first(rooms)["id"] == hub.hub_sid
-  end
-
-  test "favorite rooms only returns your own favorites", %{
-    conn: conn,
-    account: account,
-    account2: account2,
-    hub: hub
-  } do
-    Ret.AccountFavorite.ensure_favorited(hub, account)
-
-    res =
-      conn
-      |> put_auth_header_for_account(account2)
-      |> do_graphql_action(@query_favorite_rooms)
-
-    rooms = res["data"]["favoriteRooms"]["entries"]
-    assert Enum.empty?(rooms)
-  end
-
-  test "anyone can create a room", %{
-    conn: conn
-  } do
-    room_name = "my fun room"
-
-    res =
-      conn
-      |> do_graphql_action(@mutation_create_room, %{roomName: room_name})
-
-    id = res["data"]["createRoom"]["id"]
-    assert !is_nil(id)
-    hub = Ret.Repo.get_by(Ret.Hub, hub_sid: id)
-    assert hub.name == res["data"]["createRoom"]["name"]
-    assert hub.name == room_name
-  end
-
-  test "Creating a room while authenticated assigns the creator", %{
-    conn: conn,
-    account: account
-  } do
-    res =
-      conn
-      |> put_auth_header_for_account(account)
-      |> do_graphql_action(@mutation_create_room, %{roomName: "my fun room"})
-
-    hub = Ret.Repo.get_by(Ret.Hub, hub_sid: res["data"]["createRoom"]["id"])
-    assert hub.created_by_account_id == account.account_id
-  end
-
   test "The room query api paginates results", %{
     conn: conn,
     scene: scene,
-    account: account
+    account: account,
+    token: token
   } do
     for _n <- 1..50 do
       {:ok, hub: hub} = create_hub(%{scene: scene})
@@ -212,7 +157,7 @@ defmodule RoomQueryTest do
 
     response =
       conn
-      |> put_auth_header_for_account(account)
+      |> put_auth_header_for_token(token)
       |> do_graphql_action(@query_my_rooms)
 
     assert length(response["data"]["myRooms"]["entries"]) === response["data"]["myRooms"]["page_size"]
@@ -221,7 +166,8 @@ defmodule RoomQueryTest do
   test "The room query api paginates results 2", %{
     conn: conn,
     scene: scene,
-    account: account
+    account: account,
+    token: token
   } do
     for _n <- 1..50 do
       {:ok, hub: hub} = create_hub(%{scene: scene})
@@ -230,7 +176,7 @@ defmodule RoomQueryTest do
 
     response =
       conn
-      |> put_auth_header_for_account(account)
+      |> put_auth_header_for_token(token)
       |> do_graphql_action(@query_my_rooms, %{page: 3, page_size: 24})
 
     assert length(response["data"]["myRooms"]["entries"]) === 2
diff --git a/test/support/test_helpers.ex b/test/support/test_helpers.ex
index 3955bba41..74c431410 100644
--- a/test/support/test_helpers.ex
+++ b/test/support/test_helpers.ex
@@ -23,6 +23,10 @@ defmodule Ret.TestHelpers do
 
   def auth_with_account(conn, account) do
     {:ok, token, _claims} = account |> Ret.Guardian.encode_and_sign()
+    put_auth_header_for_token(conn, token)
+  end
+
+  def put_auth_header_for_token(conn, token) do
     conn |> Plug.Conn.put_req_header("authorization", "bearer: " <> token)
   end
 

From 5f03033ba9f82b489469a0ef4bbeff2230a90ffe Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 1 Oct 2020 16:33:23 -0700
Subject: [PATCH 053/138] Tighten up error handling / reporting

---
 lib/ret_web/api_token_auth_pipeline.ex |  7 +++--
 lib/ret_web/middleware/verify_token.ex | 12 ++++++---
 test/api/v2/room_query_test.exs        | 36 +++++++++++++-------------
 3 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/lib/ret_web/api_token_auth_pipeline.ex b/lib/ret_web/api_token_auth_pipeline.ex
index c2f030d7a..f901bf2ad 100644
--- a/lib/ret_web/api_token_auth_pipeline.ex
+++ b/lib/ret_web/api_token_auth_pipeline.ex
@@ -13,8 +13,11 @@ defmodule RetWeb.ApiTokenAuthErrorHandler do
   @moduledoc false
   import Plug.Conn
 
+  def auth_error(conn, {failure_type, %ArgumentError{message: reason}}, _opts) do
+    assign(conn, :auth_error, {failure_type, reason})
+  end
+
   def auth_error(conn, {failure_type, reason}, _opts) do
-    conn = assign(conn, :auth_error, {failure_type, reason})
-    conn
+    assign(conn, :auth_error, {failure_type, reason})
   end
 end
diff --git a/lib/ret_web/middleware/verify_token.ex b/lib/ret_web/middleware/verify_token.ex
index dc21c3c21..9c0b6a257 100644
--- a/lib/ret_web/middleware/verify_token.ex
+++ b/lib/ret_web/middleware/verify_token.ex
@@ -5,6 +5,14 @@ defmodule RetWeb.Middleware.VerifyToken do
 
   import RetWeb.Middleware.AuthErrorUtil, only: [return_error: 3]
 
+  def call(%{context: %{auth_error: {_type, :token_not_found}}} = resolution, _) do
+    return_error(resolution, :auth_error_token_was_revoked, "The api token has been revoked.")
+  end
+
+  def call(%{context: %{auth_error: {type, reason}}} = resolution, _) do
+    return_error(resolution, type, reason)
+  end
+
   def call(%{context: %{token: nil}} = resolution, _) do
     return_error(
       resolution,
@@ -13,10 +21,6 @@ defmodule RetWeb.Middleware.VerifyToken do
     )
   end
 
-  def call(%{context: %{auth_error: {type, reason}}} = resolution, _) do
-    return_error(resolution, type, reason)
-  end
-
   def call(resolution, _) do
     resolution
   end
diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index a5930418f..aa50b9071 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -36,24 +36,24 @@ defmodule RoomQueryTest do
     }
   """
 
-  @query_favorite_rooms """
-    query {
-      favoriteRooms {
-       entries {
-         id
-       }
-      }
-    }
-  """
-
-  @mutation_create_room """
-    mutation ($roomName: String!){
-      createRoom (name: $roomName) {
-        id,
-        name
-      }
-    }
-  """
+  # @query_favorite_rooms """
+  #  query {
+  #    favoriteRooms {
+  #     entries {
+  #       id
+  #     }
+  #    }
+  #  }
+  # """
+
+  # @mutation_create_room """
+  #  mutation ($roomName: String!){
+  #    createRoom (name: $roomName) {
+  #      id,
+  #      name
+  #    }
+  #  }
+  # """
 
   defp do_graphql_action(conn, query, variables \\ %{}) do
     conn

From 5aa730c42e03743aeb35975642e4a90101ae87cd Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 1 Oct 2020 19:50:16 -0700
Subject: [PATCH 054/138] Add TODO's from talking with Dom

---
 lib/ret/hub.ex                            |  7 +++++++
 lib/ret_web/api_token_auth_pipeline.ex    |  1 +
 lib/ret_web/context.ex                    |  2 ++
 lib/ret_web/middleware.ex                 | 13 ++++++++++++-
 lib/ret_web/middleware/auth_error_util.ex |  2 ++
 lib/ret_web/middleware/verify_scopes.ex   | 11 +++++++++++
 lib/ret_web/middleware/verify_token.ex    |  1 +
 lib/ret_web/resolvers/room_resolver.ex    |  4 ++++
 8 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 186a9b4dc..5eaa8b09d 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -663,6 +663,13 @@ defmodule Ret.Hub do
     do: %{owner: hub |> is_owner?(account.account_id), creator: hub |> is_creator?(account.account_id), signed_in: true}
 end
 
+# # TODO: Canada Can implementation for api token
+# defimpl Canada.Can, for: Ret.ApiToken do
+#   def can?(%Ret.ApiToken{} = token, :view_room, %Hub{} = hub) do
+#     hub.entry_mode.public || token.claims.superuser
+#   end
+# end
+
 defimpl Canada.Can, for: Ret.Account do
   alias Ret.{Hub, AppConfig}
 
diff --git a/lib/ret_web/api_token_auth_pipeline.ex b/lib/ret_web/api_token_auth_pipeline.ex
index f901bf2ad..375fd2af2 100644
--- a/lib/ret_web/api_token_auth_pipeline.ex
+++ b/lib/ret_web/api_token_auth_pipeline.ex
@@ -14,6 +14,7 @@ defmodule RetWeb.ApiTokenAuthErrorHandler do
   import Plug.Conn
 
   def auth_error(conn, {failure_type, %ArgumentError{message: reason}}, _opts) do
+    # TODO: Is assigns the right place for this info?
     assign(conn, :auth_error, {failure_type, reason})
   end
 
diff --git a/lib/ret_web/context.ex b/lib/ret_web/context.ex
index 0db4d6629..932e1bfe4 100644
--- a/lib/ret_web/context.ex
+++ b/lib/ret_web/context.ex
@@ -1,3 +1,4 @@
+  # TODO: Naming: Absinthe Context?
 defmodule RetWeb.Context do
   @moduledoc false
   @behaviour Plug
@@ -10,6 +11,7 @@ defmodule RetWeb.Context do
   end
 
   def build_context(conn) do
+    # TODO: Should we be adding to context instead of overwriting?
     %{
       auth_error: conn.assigns[:auth_error],
       claims: Guardian.Plug.current_claims(conn),
diff --git a/lib/ret_web/middleware.ex b/lib/ret_web/middleware.ex
index 7adde35e0..8e773fd5c 100644
--- a/lib/ret_web/middleware.ex
+++ b/lib/ret_web/middleware.ex
@@ -1,7 +1,7 @@
 defmodule RetWeb.Middleware do
   @moduledoc "Adds absinthe middleware on matching fields/objects"
 
-  alias RetWeb.Middleware.{VerifyToken, VerifyScopes, HandleChangesetErrors, StartTiming, EndTiming, InspectTiming}
+  alias RetWeb.Middleware.{LogMiddleware, VerifyToken, VerifyScopes, HandleChangesetErrors, StartTiming, EndTiming, InspectTiming}
 
   def build_middleware(middleware, field, object) do
     # TODO: Order matters here, and is precarious. Should insert or not insert middleware in a known order as a result of the matches
@@ -12,6 +12,9 @@ defmodule RetWeb.Middleware do
     middleware
   end
 
+  # TODO: What is the best way to make sure that fields _have_ to be authed, and there's no way to get around this check
+  # This is incomplete : should check each resource individually. E.g. "Show me five rooms" but we return 3 of them and 2 are auth errors.
+  # TODO: Auth on room objects (and other resources)
   @auth_fields [
     :my_rooms,
     :public_rooms,
@@ -28,6 +31,14 @@ defmodule RetWeb.Middleware do
     middleware
   end
 
+  @auth_objects [
+    :room
+  ]
+
+  defp maybe_add_verify_scopes(middleware, _field, %{identifier: identifier}) when identifier in @auth_objects do
+    [LogMiddleware] ++ middleware
+  end
+
   defp maybe_add_verify_scopes(middleware, %{identifier: identifier}, _object) when identifier in @auth_fields do
     [VerifyScopes] ++ middleware
   end
diff --git a/lib/ret_web/middleware/auth_error_util.ex b/lib/ret_web/middleware/auth_error_util.ex
index abad92a30..909eb9cfe 100644
--- a/lib/ret_web/middleware/auth_error_util.ex
+++ b/lib/ret_web/middleware/auth_error_util.ex
@@ -1,8 +1,10 @@
+# TODO: Naming: not really related to auth
 defmodule RetWeb.Middleware.AuthErrorUtil do
   @moduledoc "Helper for returning auth errors in a uniform way in graphql api"
 
   import Absinthe.Resolution, only: [put_result: 2]
 
+  # TODO: message is not always a string but needs to be. e.g. Authorization: bearer: foo
   def return_error(resolution, type, message) do
     put_result(
       resolution,
diff --git a/lib/ret_web/middleware/verify_scopes.ex b/lib/ret_web/middleware/verify_scopes.ex
index a74856db5..d1bb95567 100644
--- a/lib/ret_web/middleware/verify_scopes.ex
+++ b/lib/ret_web/middleware/verify_scopes.ex
@@ -37,3 +37,14 @@ defmodule RetWeb.Middleware.VerifyScopes do
     Map.get(claims, Atom.to_string(Map.get(@action_to_permission, action)))
   end
 end
+
+defmodule RetWeb.Middleware.LogMiddleware do
+  @moduledoc false
+
+  @behaviour Absinthe.Middleware
+
+  def call(resolution, _) do
+    IO.inspect(resolution.definition.schema_node.identifier)
+    resolution
+  end
+end
diff --git a/lib/ret_web/middleware/verify_token.ex b/lib/ret_web/middleware/verify_token.ex
index 9c0b6a257..aafb3e80f 100644
--- a/lib/ret_web/middleware/verify_token.ex
+++ b/lib/ret_web/middleware/verify_token.ex
@@ -6,6 +6,7 @@ defmodule RetWeb.Middleware.VerifyToken do
   import RetWeb.Middleware.AuthErrorUtil, only: [return_error: 3]
 
   def call(%{context: %{auth_error: {_type, :token_not_found}}} = resolution, _) do
+    # TODO: Maybe not say revoked. Just token not found.
     return_error(resolution, :auth_error_token_was_revoked, "The api token has been revoked.")
   end
 
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 4d79577c8..870d3aabb 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -6,6 +6,9 @@ defmodule RetWeb.Resolvers.RoomResolver do
   alias RetWeb.Api.V1.{HubView}
   import Canada, only: [can?: 2]
 
+  # TODO: Pass account and token. Use a function like, "rooms_for_user(account, token) do
+  # if can? (:do_the_thing)
+  # end"
   def my_rooms(_parent, args, %{context: %{account: account}}) do
     {:ok, Hub.get_my_rooms(account, args)}
   end
@@ -111,6 +114,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
   end
 
   defp update_room_with_account(hub, account, args) do
+    # TODO: Should be update rooms?
     case can?(account, update_roles(hub)) do
       false ->
         {:error, "Account does not have permission to update this hub."}

From 61e097d84423314b3079af08d9336a45acd03401 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Fri, 9 Oct 2020 11:00:28 -0700
Subject: [PATCH 055/138] Rename return_error -> put_error_result

---
 lib/ret_web/middleware/auth_error_util.ex | 2 +-
 lib/ret_web/middleware/verify_scopes.ex   | 7 +++----
 lib/ret_web/middleware/verify_token.ex    | 8 ++++----
 3 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/lib/ret_web/middleware/auth_error_util.ex b/lib/ret_web/middleware/auth_error_util.ex
index 909eb9cfe..e3ed518a7 100644
--- a/lib/ret_web/middleware/auth_error_util.ex
+++ b/lib/ret_web/middleware/auth_error_util.ex
@@ -5,7 +5,7 @@ defmodule RetWeb.Middleware.AuthErrorUtil do
   import Absinthe.Resolution, only: [put_result: 2]
 
   # TODO: message is not always a string but needs to be. e.g. Authorization: bearer: foo
-  def return_error(resolution, type, message) do
+  def put_error_result(resolution, type, message) do
     put_result(
       resolution,
       {:error, [type: type, message: message]}
diff --git a/lib/ret_web/middleware/verify_scopes.ex b/lib/ret_web/middleware/verify_scopes.ex
index d1bb95567..194c9098d 100644
--- a/lib/ret_web/middleware/verify_scopes.ex
+++ b/lib/ret_web/middleware/verify_scopes.ex
@@ -1,7 +1,7 @@
 defmodule RetWeb.Middleware.VerifyScopes do
   @moduledoc false
 
-  import RetWeb.Middleware.AuthErrorUtil, only: [return_error: 3]
+  import RetWeb.Middleware.AuthErrorUtil, only: [put_error_result: 3]
 
   @action_to_permission %{
     create_room: :rooms_mutation_create_room,
@@ -25,11 +25,11 @@ defmodule RetWeb.Middleware.VerifyScopes do
           resolution
         else
           missing_permission = Atom.to_string(Map.get(@action_to_permission, action))
-          return_error(resolution, :unauthorized_scopes, "Token does not have permission: #{missing_permission}.")
+          put_error_result(resolution, :unauthorized_scopes, "Token does not have permission: #{missing_permission}.")
         end
 
       _ ->
-        return_error(resolution, :unauthorized, "Token is missing permissions.")
+        put_error_result(resolution, :unauthorized, "Token is missing permissions.")
     end
   end
 
@@ -44,7 +44,6 @@ defmodule RetWeb.Middleware.LogMiddleware do
   @behaviour Absinthe.Middleware
 
   def call(resolution, _) do
-    IO.inspect(resolution.definition.schema_node.identifier)
     resolution
   end
 end
diff --git a/lib/ret_web/middleware/verify_token.ex b/lib/ret_web/middleware/verify_token.ex
index aafb3e80f..0a6cd023d 100644
--- a/lib/ret_web/middleware/verify_token.ex
+++ b/lib/ret_web/middleware/verify_token.ex
@@ -3,19 +3,19 @@ defmodule RetWeb.Middleware.VerifyToken do
 
   @behaviour Absinthe.Middleware
 
-  import RetWeb.Middleware.AuthErrorUtil, only: [return_error: 3]
+  import RetWeb.Middleware.AuthErrorUtil, only: [put_error_result: 3]
 
   def call(%{context: %{auth_error: {_type, :token_not_found}}} = resolution, _) do
     # TODO: Maybe not say revoked. Just token not found.
-    return_error(resolution, :auth_error_token_was_revoked, "The api token has been revoked.")
+    put_error_result(resolution, :auth_error_token_was_revoked, "The api token has been revoked.")
   end
 
   def call(%{context: %{auth_error: {type, reason}}} = resolution, _) do
-    return_error(resolution, type, reason)
+    put_error_result(resolution, type, reason)
   end
 
   def call(%{context: %{token: nil}} = resolution, _) do
-    return_error(
+    put_error_result(
       resolution,
       :auth_error_token_is_missing,
       "Missing api token in authorization header required for access"

From 81c84e82eca78931f613406d8a80e55bec5e3ac4 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Fri, 9 Oct 2020 11:33:09 -0700
Subject: [PATCH 056/138] Rename Context -> AddAbsintheContext

---
 lib/ret_web/context.ex | 23 +++++++++--------------
 lib/ret_web/router.ex  |  2 +-
 2 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/lib/ret_web/context.ex b/lib/ret_web/context.ex
index 932e1bfe4..ef526758d 100644
--- a/lib/ret_web/context.ex
+++ b/lib/ret_web/context.ex
@@ -1,22 +1,17 @@
-  # TODO: Naming: Absinthe Context?
-defmodule RetWeb.Context do
+defmodule RetWeb.AddAbsintheContext do
   @moduledoc false
   @behaviour Plug
 
   def init(opts), do: opts
 
   def call(conn, _) do
-    context = build_context(conn)
-    Absinthe.Plug.put_options(conn, context: context)
-  end
-
-  def build_context(conn) do
-    # TODO: Should we be adding to context instead of overwriting?
-    %{
-      auth_error: conn.assigns[:auth_error],
-      claims: Guardian.Plug.current_claims(conn),
-      account: Guardian.Plug.current_resource(conn),
-      token: Guardian.Plug.current_token(conn)
-    }
+    Absinthe.Plug.put_options(conn,
+      context: %{
+        auth_error: conn.assigns[:auth_error],
+        claims: Guardian.Plug.current_claims(conn),
+        account: Guardian.Plug.current_resource(conn),
+        token: Guardian.Plug.current_token(conn)
+      }
+    )
   end
 end
diff --git a/lib/ret_web/router.ex b/lib/ret_web/router.ex
index d55172c67..30dc4c8f5 100644
--- a/lib/ret_web/router.ex
+++ b/lib/ret_web/router.ex
@@ -67,7 +67,7 @@ defmodule RetWeb.Router do
 
   pipeline :graphql do
     plug RetWeb.ApiTokenAuthPipeline
-    plug RetWeb.Context
+    plug RetWeb.AddAbsintheContext
   end
 
   scope "/health", RetWeb do

From 5c6b08c0c497b5fd19681b69ae30f188d2fccc4e Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Fri, 9 Oct 2020 11:34:13 -0700
Subject: [PATCH 057/138] Rename context.ex -> add_absinthe_context.ex

---
 lib/ret_web/{context.ex => add_absinthe_context.ex} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename lib/ret_web/{context.ex => add_absinthe_context.ex} (100%)

diff --git a/lib/ret_web/context.ex b/lib/ret_web/add_absinthe_context.ex
similarity index 100%
rename from lib/ret_web/context.ex
rename to lib/ret_web/add_absinthe_context.ex

From d9caf598ed0713802a4c40c63045ade02878edae Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Fri, 9 Oct 2020 16:54:49 -0700
Subject: [PATCH 058/138] Remove unused middleware. Rename PutErrorResult

---
 lib/ret_web/middleware.ex                              | 10 +---------
 .../{auth_error_util.ex => put_error_result.ex}        |  3 +--
 lib/ret_web/middleware/verify_scopes.ex                |  2 +-
 lib/ret_web/middleware/verify_token.ex                 |  2 +-
 4 files changed, 4 insertions(+), 13 deletions(-)
 rename lib/ret_web/middleware/{auth_error_util.ex => put_error_result.ex} (80%)

diff --git a/lib/ret_web/middleware.ex b/lib/ret_web/middleware.ex
index 8e773fd5c..b8aa8f30e 100644
--- a/lib/ret_web/middleware.ex
+++ b/lib/ret_web/middleware.ex
@@ -1,7 +1,7 @@
 defmodule RetWeb.Middleware do
   @moduledoc "Adds absinthe middleware on matching fields/objects"
 
-  alias RetWeb.Middleware.{LogMiddleware, VerifyToken, VerifyScopes, HandleChangesetErrors, StartTiming, EndTiming, InspectTiming}
+  alias RetWeb.Middleware.{VerifyToken, VerifyScopes, HandleChangesetErrors, StartTiming, EndTiming, InspectTiming}
 
   def build_middleware(middleware, field, object) do
     # TODO: Order matters here, and is precarious. Should insert or not insert middleware in a known order as a result of the matches
@@ -31,14 +31,6 @@ defmodule RetWeb.Middleware do
     middleware
   end
 
-  @auth_objects [
-    :room
-  ]
-
-  defp maybe_add_verify_scopes(middleware, _field, %{identifier: identifier}) when identifier in @auth_objects do
-    [LogMiddleware] ++ middleware
-  end
-
   defp maybe_add_verify_scopes(middleware, %{identifier: identifier}, _object) when identifier in @auth_fields do
     [VerifyScopes] ++ middleware
   end
diff --git a/lib/ret_web/middleware/auth_error_util.ex b/lib/ret_web/middleware/put_error_result.ex
similarity index 80%
rename from lib/ret_web/middleware/auth_error_util.ex
rename to lib/ret_web/middleware/put_error_result.ex
index e3ed518a7..835ed3a9c 100644
--- a/lib/ret_web/middleware/auth_error_util.ex
+++ b/lib/ret_web/middleware/put_error_result.ex
@@ -1,5 +1,4 @@
-# TODO: Naming: not really related to auth
-defmodule RetWeb.Middleware.AuthErrorUtil do
+defmodule RetWeb.Middleware.PutErrorResult do
   @moduledoc "Helper for returning auth errors in a uniform way in graphql api"
 
   import Absinthe.Resolution, only: [put_result: 2]
diff --git a/lib/ret_web/middleware/verify_scopes.ex b/lib/ret_web/middleware/verify_scopes.ex
index 194c9098d..49dd96bae 100644
--- a/lib/ret_web/middleware/verify_scopes.ex
+++ b/lib/ret_web/middleware/verify_scopes.ex
@@ -1,7 +1,7 @@
 defmodule RetWeb.Middleware.VerifyScopes do
   @moduledoc false
 
-  import RetWeb.Middleware.AuthErrorUtil, only: [put_error_result: 3]
+  import RetWeb.Middleware.PutErrorResult, only: [put_error_result: 3]
 
   @action_to_permission %{
     create_room: :rooms_mutation_create_room,
diff --git a/lib/ret_web/middleware/verify_token.ex b/lib/ret_web/middleware/verify_token.ex
index 0a6cd023d..7e2e61272 100644
--- a/lib/ret_web/middleware/verify_token.ex
+++ b/lib/ret_web/middleware/verify_token.ex
@@ -3,7 +3,7 @@ defmodule RetWeb.Middleware.VerifyToken do
 
   @behaviour Absinthe.Middleware
 
-  import RetWeb.Middleware.AuthErrorUtil, only: [put_error_result: 3]
+  import RetWeb.Middleware.PutErrorResult, only: [put_error_result: 3]
 
   def call(%{context: %{auth_error: {_type, :token_not_found}}} = resolution, _) do
     # TODO: Maybe not say revoked. Just token not found.

From 85301be5f1a393c6d8fccd7a5b7b27681e932488 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Fri, 9 Oct 2020 17:56:14 -0700
Subject: [PATCH 059/138] Add mix task for generating api tokens

---
 lib/mix/tasks/generate_api_token.ex | 41 +++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 lib/mix/tasks/generate_api_token.ex

diff --git a/lib/mix/tasks/generate_api_token.ex b/lib/mix/tasks/generate_api_token.ex
new file mode 100644
index 000000000..7faa584de
--- /dev/null
+++ b/lib/mix/tasks/generate_api_token.ex
@@ -0,0 +1,41 @@
+defmodule Mix.Tasks.GenerateApiToken do
+  @moduledoc "Generates an Api Token for the given account email"
+
+  use Mix.Task
+
+  alias Ret.{Account, ApiTokenGenerator}
+
+  @impl Mix.Task
+  def run(_) do
+    email =
+      "Enter email address of the user whose account will be associated in this token: [foo@bar.com]\n"
+      |> Mix.shell().prompt()
+      |> String.trim()
+
+    Mix.Task.run("app.start")
+
+    case Account.account_for_email(email) do
+      nil ->
+        Mix.shell().error("Could not find account for the given email address: #{email}")
+
+      account ->
+        IO.puts("Account found:")
+        account
+        |> Inspect.Algebra.to_doc(%Inspect.Opts{})
+        |> Inspect.Algebra.format(80)
+        |> IO.puts()
+        #IO.inspect(account)
+
+        if Mix.shell().yes?("Generate token for this account [#{email}]?") do
+          gen_token_for_account(account)
+        end
+    end
+  end
+
+  defp gen_token_for_account(account) do
+    case ApiTokenGenerator.gen_token_for_account(account) do
+      {:ok, token, _claims} -> Mix.shell().info("Successfully generated token:\n#{token}")
+      {:error, reason} -> Mix.shell().error("Error: #{reason}")
+    end
+  end
+end

From edb17af75e0ed968da673bdc95ec08bc432c8097 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Fri, 9 Oct 2020 18:02:35 -0700
Subject: [PATCH 060/138] Remove unused middleware

---
 lib/ret_web/middleware/verify_scopes.ex | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/lib/ret_web/middleware/verify_scopes.ex b/lib/ret_web/middleware/verify_scopes.ex
index 49dd96bae..cca112b36 100644
--- a/lib/ret_web/middleware/verify_scopes.ex
+++ b/lib/ret_web/middleware/verify_scopes.ex
@@ -37,13 +37,3 @@ defmodule RetWeb.Middleware.VerifyScopes do
     Map.get(claims, Atom.to_string(Map.get(@action_to_permission, action)))
   end
 end
-
-defmodule RetWeb.Middleware.LogMiddleware do
-  @moduledoc false
-
-  @behaviour Absinthe.Middleware
-
-  def call(resolution, _) do
-    resolution
-  end
-end

From b7eabe20ab64dca9f63a347eb74726828f8ab2d2 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 12 Oct 2020 20:36:56 -0700
Subject: [PATCH 061/138] Implement scopes and app_tokens

This commit
- adds scopes
- adds app_tokens
- fixes middleware
- checks scopes later in resolution
---
 lib/ret/api/rooms.ex                          | 49 +++++++++++++
 lib/ret/api/scopes.ex                         | 14 ++++
 lib/ret/api_token.ex                          | 34 ++++++++-
 lib/ret/api_token_generator.ex                | 22 +-----
 lib/ret_web/add_absinthe_context.ex           | 17 -----
 lib/ret_web/api_token_auth_pipeline.ex        | 16 ++--
 lib/ret_web/middleware.ex                     | 73 ++++++-------------
 .../handle_api_token_auth_errors.ex           | 27 +++++++
 lib/ret_web/middleware/timing.ex              |  5 +-
 lib/ret_web/middleware/verify_resource.ex     | 27 +++++++
 lib/ret_web/middleware/verify_scopes.ex       | 37 +++-------
 lib/ret_web/middleware/verify_token.ex        | 23 +++---
 lib/ret_web/plugs/add_absinthe_context.ex     | 20 +++++
 lib/ret_web/resolvers/room_resolver.ex        | 35 ++++++---
 test/api/v2/room_query_test.exs               | 19 ++---
 15 files changed, 265 insertions(+), 153 deletions(-)
 create mode 100644 lib/ret/api/rooms.ex
 create mode 100644 lib/ret/api/scopes.ex
 delete mode 100644 lib/ret_web/add_absinthe_context.ex
 create mode 100644 lib/ret_web/middleware/handle_api_token_auth_errors.ex
 create mode 100644 lib/ret_web/middleware/verify_resource.ex
 create mode 100644 lib/ret_web/plugs/add_absinthe_context.ex

diff --git a/lib/ret/api/rooms.ex b/lib/ret/api/rooms.ex
new file mode 100644
index 000000000..c7feb0cc7
--- /dev/null
+++ b/lib/ret/api/rooms.ex
@@ -0,0 +1,49 @@
+defmodule Ret.Api.Rooms do
+  @moduledoc "Functions for accessing rooms in an authenticated way"
+
+  alias Ret.{Account, Hub}
+  alias Ret.Api.Scopes
+
+  # App tokens allowed to get any rooms
+  def authed_get_rooms_created_by(%Account{} = account, {:reticulum_app_token, scopes}, params) do
+    with :ok <- Scopes.ensure_has_scope(scopes, Scopes.read_rooms()) do
+      {:ok, Hub.get_my_rooms(account, params)}
+    end
+  end
+
+  # Account matches resource
+  def authed_get_rooms_created_by(%Account{} = account, {account, scopes}, params) do
+    with :ok <- Scopes.ensure_has_scope(scopes, Scopes.read_rooms()) do
+      {:ok, Hub.get_my_rooms(account, params)}
+    end
+  end
+
+  def authed_get_rooms_created_by(_, _) do
+    {:error, :unauthorized}
+  end
+
+  # App tokens allowed to get any rooms
+  def authed_get_favorite_rooms_of(%Account{} = account, {:reticulum_app_token, scopes}, params) do
+    with :ok <- Scopes.ensure_has_scope(scopes, Scopes.read_rooms()) do
+      {:ok, Hub.get_favorite_rooms(account, params)}
+    end
+  end
+
+  # Account matches resource
+  def authed_get_favorite_rooms_of(%Account{} = account, {account, scopes}, params) do
+    with :ok <- Scopes.ensure_has_scope(scopes, Scopes.read_rooms()) do
+      {:ok, Hub.get_favorite_rooms(account, params)}
+    end
+  end
+
+  def authed_get_favorite_rooms_of(_, _) do
+    {:error, :unauthorized}
+  end
+
+  # App tokens allowed to get any rooms
+  def authed_get_public_rooms(scopes, params) do
+    with :ok <- Scopes.ensure_has_scope(scopes, Scopes.read_rooms()) do
+      {:ok, Hub.get_public_rooms(params)}
+    end
+  end
+end
diff --git a/lib/ret/api/scopes.ex b/lib/ret/api/scopes.ex
new file mode 100644
index 000000000..2050b8afe
--- /dev/null
+++ b/lib/ret/api/scopes.ex
@@ -0,0 +1,14 @@
+defmodule Ret.Api.Scopes do
+  @moduledoc false
+  def read_rooms, do: Atom.to_string(:read_rooms)
+  def write_rooms, do: Atom.to_string(:write_rooms)
+  def create_accounts, do: Atom.to_string(:create_accounts)
+
+  def ensure_has_scope(scopes, scope) do
+    if scope in scopes do
+      :ok
+    else
+      {:error, "Missing scope #{Atom.to_string(scope)}"}
+    end
+  end
+end
diff --git a/lib/ret/api_token.ex b/lib/ret/api_token.ex
index 176c1638a..e27dab914 100644
--- a/lib/ret/api_token.ex
+++ b/lib/ret/api_token.ex
@@ -6,12 +6,23 @@ defmodule Ret.ApiToken do
 
   import Ecto.Query
 
-  alias Ret.{Account, Repo}
+  alias Ret.{Account, Repo, ApiToken}
+  alias Ret.Api.Scopes
+
+  @app_token_string "reticulum_app_token"
+  @app_token_atom :reticulum_app_token
 
   def subject_for_token(%Account{} = account, _), do: {:ok, to_string(account.account_id)}
+  def subject_for_token(@app_token_atom, _), do: {:ok, @app_token_string}
   def subject_for_token(_, _), do: {:ok, nil}
 
-  def resource_from_claims(%{"sub" => nil}), do: nil
+  def resource_from_claims(%{"sub" => nil}) do
+    {:error, "No subject in token"}
+  end
+
+  def resource_from_claims(%{"sub" => @app_token_string}) do
+    {:ok, @app_token_atom}
+  end
 
   def resource_from_claims(%{"sub" => account_id}) do
     result_for_account(Repo.one(where(Account, [a], a.account_id == ^account_id)))
@@ -43,4 +54,23 @@ defmodule Ret.ApiToken do
       {:ok, claims}
     end
   end
+
+  @default_claims %{aud: "ret", typ: "api", scopes: []}
+  @default_options [ttl: {8, :hours}]
+
+  def gen_app_token(scopes \\ [Scopes.read_rooms(), Scopes.write_rooms(), Scopes.create_accounts()]) do
+    ApiToken.encode_and_sign(
+      @app_token_atom,
+      Map.put(@default_claims, :scopes, scopes),
+      @default_options
+    )
+  end
+
+  def gen_token_for_account(%Account{} = account, scopes \\ [Scopes.read_rooms(), Scopes.write_rooms()]) do
+    ApiToken.encode_and_sign(
+      account,
+      Map.put(@default_claims, :scopes, scopes),
+      @default_options
+    )
+  end
 end
diff --git a/lib/ret/api_token_generator.ex b/lib/ret/api_token_generator.ex
index 954a9a852..6a8f8831e 100644
--- a/lib/ret/api_token_generator.ex
+++ b/lib/ret/api_token_generator.ex
@@ -1,32 +1,16 @@
+# TODO: Remove this file
 defmodule Ret.ApiTokenGenerator do
   @moduledoc """
   Generate API tokens with appropriate scope
   """
   alias Ret.{Account, ApiToken, ApiPermissions}
 
-  defp default_claims() do
-    %{aud: "ret", typ: "api"}
-  end
-
-  defp default_options() do
-    # TODO: This should be taken from env -- not overwritten here
-    [ttl: {8, :hours}]
-  end
-
   def gen_token() do
-    ApiToken.encode_and_sign(
-      nil,
-      Map.merge(ApiPermissions.default_permissions(), default_claims()),
-      default_options()
-    )
+    ApiToken.gen_app_token()
   end
 
   def gen_token_for_account(%Account{} = account) do
-    ApiToken.encode_and_sign(
-      account,
-      Map.merge(ApiPermissions.perms_for_account(), default_claims()),
-      default_options()
-    )
+    ApiToken.gen_token_for_account(account)
   end
 
   def gen_token_for_account(_account) do
diff --git a/lib/ret_web/add_absinthe_context.ex b/lib/ret_web/add_absinthe_context.ex
deleted file mode 100644
index ef526758d..000000000
--- a/lib/ret_web/add_absinthe_context.ex
+++ /dev/null
@@ -1,17 +0,0 @@
-defmodule RetWeb.AddAbsintheContext do
-  @moduledoc false
-  @behaviour Plug
-
-  def init(opts), do: opts
-
-  def call(conn, _) do
-    Absinthe.Plug.put_options(conn,
-      context: %{
-        auth_error: conn.assigns[:auth_error],
-        claims: Guardian.Plug.current_claims(conn),
-        account: Guardian.Plug.current_resource(conn),
-        token: Guardian.Plug.current_token(conn)
-      }
-    )
-  end
-end
diff --git a/lib/ret_web/api_token_auth_pipeline.ex b/lib/ret_web/api_token_auth_pipeline.ex
index 375fd2af2..2158c7cf9 100644
--- a/lib/ret_web/api_token_auth_pipeline.ex
+++ b/lib/ret_web/api_token_auth_pipeline.ex
@@ -6,19 +6,25 @@ defmodule RetWeb.ApiTokenAuthPipeline do
     error_handler: RetWeb.ApiTokenAuthErrorHandler
 
   plug(Guardian.Plug.VerifyHeader, realm: "Bearer", halt: false)
-  plug(Guardian.Plug.LoadResource, allow_blank: true)
+  plug(Guardian.Plug.LoadResource, allow_blank: true, halt: false)
 end
 
 defmodule RetWeb.ApiTokenAuthErrorHandler do
   @moduledoc false
-  import Plug.Conn
 
   def auth_error(conn, {failure_type, %ArgumentError{message: reason}}, _opts) do
-    # TODO: Is assigns the right place for this info?
-    assign(conn, :auth_error, {failure_type, reason})
+    append_error(conn, failure_type, reason)
   end
 
   def auth_error(conn, {failure_type, reason}, _opts) do
-    assign(conn, :auth_error, {failure_type, reason})
+    append_error(conn, failure_type, reason)
+  end
+
+  defp append_error(conn, failure_type, reason) do
+    Plug.Conn.assign(
+      conn,
+      :api_token_auth_errors,
+      (conn.assigns[:api_token_auth_errors] || []) ++ [{failure_type, reason}]
+    )
   end
 end
diff --git a/lib/ret_web/middleware.ex b/lib/ret_web/middleware.ex
index b8aa8f30e..aac5a26e8 100644
--- a/lib/ret_web/middleware.ex
+++ b/lib/ret_web/middleware.ex
@@ -1,51 +1,16 @@
 defmodule RetWeb.Middleware do
   @moduledoc "Adds absinthe middleware on matching fields/objects"
 
-  alias RetWeb.Middleware.{VerifyToken, VerifyScopes, HandleChangesetErrors, StartTiming, EndTiming, InspectTiming}
-
-  def build_middleware(middleware, field, object) do
-    # TODO: Order matters here, and is precarious. Should insert or not insert middleware in a known order as a result of the matches
-    middleware = maybe_add_handle_changeset_errors(middleware, field, object)
-    middleware = maybe_add_verify_scopes(middleware, field, object)
-    middleware = maybe_add_verify_token(middleware, field, object)
-    middleware = maybe_add_timing(middleware, field, object)
-    middleware
-  end
-
-  # TODO: What is the best way to make sure that fields _have_ to be authed, and there's no way to get around this check
-  # This is incomplete : should check each resource individually. E.g. "Show me five rooms" but we return 3 of them and 2 are auth errors.
-  # TODO: Auth on room objects (and other resources)
-  @auth_fields [
-    :my_rooms,
-    :public_rooms,
-    :favorite_rooms,
-    :create_room,
-    :update_room
-  ]
-
-  defp maybe_add_verify_token(middleware, %{identifier: identifier}, _object) when identifier in @auth_fields do
-    [VerifyToken] ++ middleware
-  end
-
-  defp maybe_add_verify_token(middleware, _field, _object) do
-    middleware
-  end
-
-  defp maybe_add_verify_scopes(middleware, %{identifier: identifier}, _object) when identifier in @auth_fields do
-    [VerifyScopes] ++ middleware
-  end
-
-  defp maybe_add_verify_scopes(middleware, _field, _object) do
-    middleware
-  end
-
-  defp maybe_add_handle_changeset_errors(middleware, _field, %{identifier: :mutation}) do
-    middleware ++ [HandleChangesetErrors]
-  end
-
-  defp maybe_add_handle_changeset_errors(middleware, _field, _object) do
-    middleware
-  end
+  alias RetWeb.Middleware.{
+    VerifyToken,
+    VerifyResource,
+    VerifyScopes,
+    HandleApiTokenAuthErrors,
+    HandleChangesetErrors,
+    StartTiming,
+    EndTiming,
+    InspectTiming
+  }
 
   @timing_ids [
     :my_rooms,
@@ -55,11 +20,17 @@ defmodule RetWeb.Middleware do
     :update_room
   ]
 
-  defp maybe_add_timing(middleware, %{identifier: identifier}, _object) when identifier in @timing_ids do
-    [StartTiming] ++ middleware ++ [EndTiming, InspectTiming]
-  end
-
-  defp maybe_add_timing(middleware, _field, _object) do
-    middleware
+  def build_middleware(middleware, %{identifier: field_id} = _field, _object) do
+    include_timing = field_id in @timing_ids
+
+    if(include_timing, do: [StartTiming], else: []) ++
+      [HandleApiTokenAuthErrors] ++
+      [VerifyToken] ++
+      [VerifyResource] ++
+      [VerifyScopes] ++
+      middleware ++
+      [HandleChangesetErrors] ++
+      if(include_timing, do: [EndTiming], else: []) ++
+      if(include_timing, do: [InspectTiming], else: [])
   end
 end
diff --git a/lib/ret_web/middleware/handle_api_token_auth_errors.ex b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
new file mode 100644
index 000000000..3104a397a
--- /dev/null
+++ b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
@@ -0,0 +1,27 @@
+defmodule RetWeb.Middleware.HandleApiTokenAuthErrors do
+  @moduledoc false
+
+  @behaviour Absinthe.Middleware
+
+  import RetWeb.Middleware.PutErrorResult, only: [put_error_result: 3]
+
+  def call(%{state: :resolved} = resolution, _) do
+    resolution
+  end
+
+  def call(%{context: %{api_token_auth_errors: errors}} = resolution, _) do
+    case length(errors) do
+      0 ->
+        resolution
+
+      _ ->
+        # Just report the first error
+        {type, reason} = Enum.at(errors, 0)
+        put_error_result(resolution, type, reason)
+    end
+  end
+
+  def call(resolution, _) do
+    put_error_result(resolution, :internal_server_error, "The context was built incorrectly")
+  end
+end
diff --git a/lib/ret_web/middleware/timing.ex b/lib/ret_web/middleware/timing.ex
index d4a636e71..4f99a8ec9 100644
--- a/lib/ret_web/middleware/timing.ex
+++ b/lib/ret_web/middleware/timing.ex
@@ -54,12 +54,13 @@ defmodule RetWeb.Middleware.InspectTiming do
       case item do
         {identifier, %{started_at: started_at, ended_at: ended_at}} ->
           diff = NaiveDateTime.diff(ended_at, started_at, :microsecond)
-          IO.inspect(Atom.to_string(identifier) <> " took #{diff} microseconds to run.")
+          IO.puts("#{Atom.to_string(identifier)} took #{diff} microseconds to run.")
 
         {identifier, _} ->
           IO.puts(
-            "Cannot log diff of identifier because it lacks timing info started_at and ended_at: " <>
+            "Cannot log diff of identifier because it lacks timing info started_at and ended_at: #{
               Atom.to_string(identifier)
+            }"
           )
 
         _ ->
diff --git a/lib/ret_web/middleware/verify_resource.ex b/lib/ret_web/middleware/verify_resource.ex
new file mode 100644
index 000000000..b8b3a62c7
--- /dev/null
+++ b/lib/ret_web/middleware/verify_resource.ex
@@ -0,0 +1,27 @@
+defmodule RetWeb.Middleware.VerifyResource do
+  @moduledoc false
+
+  @behaviour Absinthe.Middleware
+
+  import RetWeb.Middleware.PutErrorResult, only: [put_error_result: 3]
+
+  def call(%{state: :resolved} = resolution, _) do
+    resolution
+  end
+
+  def call(%{context: %{resource: :reticulum_app_token}} = resolution, _) do
+    resolution
+  end
+
+  def call(%{context: %{resource: %Ret.Account{}}} = resolution, _) do
+    resolution
+  end
+
+  def call(resolution, _) do
+    put_error_result(
+      resolution,
+      :resource_not_found,
+      "Could not find resource associated with this api access token"
+    )
+  end
+end
diff --git a/lib/ret_web/middleware/verify_scopes.ex b/lib/ret_web/middleware/verify_scopes.ex
index cca112b36..93f092bc6 100644
--- a/lib/ret_web/middleware/verify_scopes.ex
+++ b/lib/ret_web/middleware/verify_scopes.ex
@@ -1,39 +1,24 @@
 defmodule RetWeb.Middleware.VerifyScopes do
   @moduledoc false
 
-  import RetWeb.Middleware.PutErrorResult, only: [put_error_result: 3]
+  @behaviour Absinthe.Middleware
 
-  @action_to_permission %{
-    create_room: :rooms_mutation_create_room,
-    update_room: :rooms_mutation_update_room,
-    my_rooms: :rooms_query_created_rooms,
-    public_rooms: :rooms_query_public_rooms,
-    favorite_rooms: :rooms_query_favorite_rooms
-  }
+  import RetWeb.Middleware.PutErrorResult, only: [put_error_result: 3]
 
-  @behaviour Absinthe.Middleware
   def call(%{state: :resolved} = resolution, _) do
     resolution
   end
 
-  def call(resolution, _) do
-    action = resolution.definition.schema_node.identifier
-
-    case resolution.context do
-      %{claims: claims} ->
-        if verify_scope(action, claims) do
-          resolution
-        else
-          missing_permission = Atom.to_string(Map.get(@action_to_permission, action))
-          put_error_result(resolution, :unauthorized_scopes, "Token does not have permission: #{missing_permission}.")
-        end
-
-      _ ->
-        put_error_result(resolution, :unauthorized, "Token is missing permissions.")
-    end
+  # TODO: Should an :api scope be required to make any requests to the api?
+  def call(%{context: %{scopes: scopes}} = resolution, _) when is_list(scopes) do
+    resolution
   end
 
-  defp verify_scope(action, claims) do
-    Map.get(claims, Atom.to_string(Map.get(@action_to_permission, action)))
+  def call(resolution, _) do
+    put_error_result(
+      resolution,
+      :scopes_not_found,
+      "Could not find scopes associated with this api access token"
+    )
   end
 end
diff --git a/lib/ret_web/middleware/verify_token.ex b/lib/ret_web/middleware/verify_token.ex
index 7e2e61272..acf472127 100644
--- a/lib/ret_web/middleware/verify_token.ex
+++ b/lib/ret_web/middleware/verify_token.ex
@@ -5,24 +5,27 @@ defmodule RetWeb.Middleware.VerifyToken do
 
   import RetWeb.Middleware.PutErrorResult, only: [put_error_result: 3]
 
-  def call(%{context: %{auth_error: {_type, :token_not_found}}} = resolution, _) do
-    # TODO: Maybe not say revoked. Just token not found.
-    put_error_result(resolution, :auth_error_token_was_revoked, "The api token has been revoked.")
-  end
-
-  def call(%{context: %{auth_error: {type, reason}}} = resolution, _) do
-    put_error_result(resolution, type, reason)
+  def call(%{state: :resolved} = resolution, _) do
+    resolution
   end
 
   def call(%{context: %{token: nil}} = resolution, _) do
     put_error_result(
       resolution,
-      :auth_error_token_is_missing,
-      "Missing api token in authorization header required for access"
+      :api_access_token_not_found,
+      "No API Access Token was found in an authorization header."
     )
   end
 
-  def call(resolution, _) do
+  def call(%{context: %{token: _token}} = resolution, _) do
     resolution
   end
+
+  def call(resolution, _) do
+    put_error_result(
+      resolution,
+      :api_access_token_not_found,
+      "No API Access Token was found in an authorization header."
+    )
+  end
 end
diff --git a/lib/ret_web/plugs/add_absinthe_context.ex b/lib/ret_web/plugs/add_absinthe_context.ex
new file mode 100644
index 000000000..b07a39e41
--- /dev/null
+++ b/lib/ret_web/plugs/add_absinthe_context.ex
@@ -0,0 +1,20 @@
+defmodule RetWeb.AddAbsintheContext do
+  @moduledoc false
+  @behaviour Plug
+
+  def init(opts), do: opts
+
+  def call(conn, _) do
+    claims = Guardian.Plug.current_claims(conn)
+
+    Absinthe.Plug.put_options(conn,
+      context: %{
+        api_token_auth_errors: conn.assigns[:api_token_auth_errors] || [],
+        resource: Guardian.Plug.current_resource(conn),
+        scopes: claims && claims["scopes"],
+        token: Guardian.Plug.current_token(conn),
+        claims: claims
+      }
+    )
+  end
+end
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 870d3aabb..71f7d0f39 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -2,31 +2,42 @@ defmodule RetWeb.Resolvers.RoomResolver do
   @moduledoc """
   Resolvers for room queries and mutations via the graphql API
   """
-  alias Ret.{Hub, Repo}
+  alias Ret.{Hub, Account, Repo, RoomAccessApi}
   alias RetWeb.Api.V1.{HubView}
   import Canada, only: [can?: 2]
 
-  # TODO: Pass account and token. Use a function like, "rooms_for_user(account, token) do
-  # if can? (:do_the_thing)
-  # end"
-  def my_rooms(_parent, args, %{context: %{account: account}}) do
-    {:ok, Hub.get_my_rooms(account, args)}
+  def my_rooms(_parent, args, %{context: %{resource: :reticulum_app_token, scopes: scopes}}) do
+    # TODO: Get account from arguments
+    {:error, [type: :not_yet_implemented, message: "Not yet implemented for app tokens"]}
+  end
+
+  def my_rooms(_parent, args, %{context: %{resource: %Account{} = account, scopes: scopes}}) do
+    Ret.Api.Rooms.authed_get_rooms_created_by(account, {account, scopes}, args)
   end
 
   def my_rooms(_parent, _args, _resolutions) do
-    {:error, "Not authorized"}
+    {:error, [type: :unauthorized, message: "Unauthorized access"]}
+  end
+
+  def favorite_rooms(_parent, args, %{context: %{resource: :reticulum_app_token, scopes: scopes}}) do
+    # TODO: Get account from arguments
+    {:error, [type: :not_yet_implemented, message: "Not yet implemented for app tokens"]}
   end
 
-  def favorite_rooms(_parent, args, %{context: %{account: account}}) do
-    {:ok, Hub.get_favorite_rooms(account, args)}
+  def favorite_rooms(_parent, args, %{context: %{resource: %Account{} = account, scopes: scopes}}) do
+    Ret.Api.Rooms.authed_get_favorite_rooms_of(account, {account, scopes}, args)
   end
 
   def favorite_rooms(_parent, _args, _resolutions) do
-    {:error, "Not authorized"}
+    {:error, [type: :unauthorized, message: "Unauthorized access"]}
+  end
+
+  def public_rooms(_parent, args, %{context: %{scopes: scopes}}) do
+    Ret.Api.Rooms.authed_get_public_rooms(scopes, args)
   end
 
-  def public_rooms(_parent, args, _resolutions) do
-    {:ok, Hub.get_public_rooms(args)}
+  def public_rooms(_, _, _) do
+    {:error, [type: :unauthorized, message: "Unauthorized access"]}
   end
 
   def create_room(_parent, args, %{context: %{account: account}}) do
diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index aa50b9071..79fae24c1 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -71,7 +71,7 @@ defmodule RoomQueryTest do
     {:ok, hub: hub} = create_hub(%{scene: scene})
     {:ok, hub: public_hub} = create_public_hub(%{scene: scene})
     {:ok, token, _claims} = ApiTokenGenerator.gen_token_for_account(account)
-    {:ok, limited_token, _claims} = ApiTokenGenerator.gen_token()
+    {:ok, app_token, _claims} = ApiTokenGenerator.gen_token()
 
     %{
       account: account,
@@ -80,39 +80,40 @@ defmodule RoomQueryTest do
       hub: hub,
       public_hub: public_hub,
       token: token,
-      limited_token: limited_token
+      app_token: app_token
     }
   end
 
   test "Cannot query without a token", %{conn: conn} do
     res = conn |> do_graphql_action(@query_public_rooms)
-    assert hd(res["errors"])["type"] === "auth_error_token_is_missing"
+    assert hd(res["errors"])["type"] === "api_access_token_not_found"
   end
 
-  test "Can query public rooms with limited token", %{conn: conn, public_hub: public_hub, limited_token: limited_token} do
+  test "Can query public rooms with app token", %{conn: conn, public_hub: public_hub, app_token: app_token} do
     res =
       conn
-      |> put_auth_header_for_token(limited_token)
+      |> put_auth_header_for_token(app_token)
       |> do_graphql_action(@query_public_rooms)
 
     rooms = res["data"]["publicRooms"]["entries"]
     assert List.first(rooms)["id"] == public_hub.hub_sid
   end
 
-  test "Cannot query my rooms with limited token", %{
+  test "Cannot query my rooms with app token without specifying account", %{
     conn: conn,
     account: account,
     hub: hub,
-    limited_token: limited_token
+    app_token: app_token
   } do
     assign_creator(hub, account)
 
     res =
       conn
-      |> put_auth_header_for_token(limited_token)
+      |> put_auth_header_for_token(app_token)
       |> do_graphql_action(@query_my_rooms)
 
-    assert hd(res["errors"])["type"] === "unauthorized_scopes"
+    # TODO: Fix this test when implemented
+    assert hd(res["errors"])["type"] === "not_yet_implemented"
   end
 
   test "Can query my rooms with appropriate token", %{

From 6db7fcf5c1aa0acb1a4366c8a7bccd06dc9faa3b Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 12 Oct 2020 20:44:35 -0700
Subject: [PATCH 062/138] Modify helper mix task for generating tokens

---
 lib/mix/tasks/generate_api_token.ex | 38 ++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)

diff --git a/lib/mix/tasks/generate_api_token.ex b/lib/mix/tasks/generate_api_token.ex
index 7faa584de..3092de834 100644
--- a/lib/mix/tasks/generate_api_token.ex
+++ b/lib/mix/tasks/generate_api_token.ex
@@ -3,10 +3,29 @@ defmodule Mix.Tasks.GenerateApiToken do
 
   use Mix.Task
 
-  alias Ret.{Account, ApiTokenGenerator}
+  alias Ret.{Account, ApiToken}
 
   @impl Mix.Task
   def run(_) do
+    user_or_app =
+      "Generate user token or app token? [user or app]"
+      |> Mix.shell().prompt()
+      |> String.trim()
+
+    case user_or_app do
+      "user" ->
+        gen_user_token()
+
+      "app" ->
+        gen_app_token()
+
+      _ ->
+        Mix.shell().error("Input not recognized. Type \"user\" or \"app\".")
+        run([])
+    end
+  end
+
+  defp gen_user_token() do
     email =
       "Enter email address of the user whose account will be associated in this token: [foo@bar.com]\n"
       |> Mix.shell().prompt()
@@ -20,11 +39,13 @@ defmodule Mix.Tasks.GenerateApiToken do
 
       account ->
         IO.puts("Account found:")
+
         account
         |> Inspect.Algebra.to_doc(%Inspect.Opts{})
         |> Inspect.Algebra.format(80)
         |> IO.puts()
-        #IO.inspect(account)
+
+        # IO.inspect(account)
 
         if Mix.shell().yes?("Generate token for this account [#{email}]?") do
           gen_token_for_account(account)
@@ -32,8 +53,19 @@ defmodule Mix.Tasks.GenerateApiToken do
     end
   end
 
+  defp gen_app_token() do
+    if Mix.shell().yes?("Are you sure you want to generate an app token?") do
+      Mix.Task.run("app.start")
+
+      case ApiToken.gen_app_token() do
+        {:ok, token, _claims} -> Mix.shell().info("Successfully generated token:\n#{token}")
+        {:error, reason} -> Mix.shell().error("Error: #{reason}")
+      end
+    end
+  end
+
   defp gen_token_for_account(account) do
-    case ApiTokenGenerator.gen_token_for_account(account) do
+    case ApiToken.gen_token_for_account(account) do
       {:ok, token, _claims} -> Mix.shell().info("Successfully generated token:\n#{token}")
       {:error, reason} -> Mix.shell().error("Error: #{reason}")
     end

From f365bca7ad31be004610a319279026be397262c4 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Tue, 13 Oct 2020 13:58:34 -0700
Subject: [PATCH 063/138] Remove insert auth header helper

---
 assets/js/insert-auth-header.js | 60 ---------------------------------
 1 file changed, 60 deletions(-)
 delete mode 100644 assets/js/insert-auth-header.js

diff --git a/assets/js/insert-auth-header.js b/assets/js/insert-auth-header.js
deleted file mode 100644
index d896d26be..000000000
--- a/assets/js/insert-auth-header.js
+++ /dev/null
@@ -1,60 +0,0 @@
-// Helper script that inserts the Authorization header into
-// the graphiql interface when the user is logged in.
-// TODO: Figure out how to run this when graphiql loads.
-{
-  function hasAuthHeader() {
-    const headers = document.querySelector(".headers .table tbody");
-    if (!headers) return false;
-
-    let hasAuth = false;
-    for (let i = 0; i < headers.children.length; i++) {
-      const title = headers.children[i].children[0].innerText;
-      if (title === "Authorization") {
-        hasAuth = true;
-      }
-    }
-    return hasAuth;
-  }
-
-  function setValue(element, value) {
-    let lastValue = element.value;
-    element.value = value;
-    let event = new Event("input", { target: element, bubbles: true });
-    // React 15
-    event.simulated = true;
-    // React 16
-    let tracker = element._valueTracker;
-    if (tracker) {
-      tracker.setValue(lastValue);
-    }
-    element.dispatchEvent(event);
-  }
-
-  async function setAuthHeader() {
-    const store =
-      localStorage &&
-      localStorage.___hubs_store &&
-      JSON.parse(localStorage.___hubs_store);
-    const token = store && store.credentials && store.credentials.token;
-    if (!token) {
-      console.log("Not signed in. Cannot auto-fill Authorization header.");
-      return;
-    }
-
-    const addButton = document.querySelector(".header-add.btn");
-    addButton.click();
-
-    await new Promise((resolve) => setTimeout(resolve, 100));
-    const nameField = document.querySelector(
-      ".modal-body > form:nth-child(1) > div:nth-child(1) > div:nth-child(2) > input:nth-child(1)"
-    );
-    setValue(nameField, "Authorization");
-    const valueField = document.querySelector("#value-input");
-    setValue(valueField, `bearer: ${token}`);
-    const okButton = document.querySelector(".btn-primary");
-    await new Promise((resolve) => setTimeout(resolve, 100));
-    okButton.click();
-  }
-
-  setAuthHeader();
-}

From e699e8bcf941753edc879e77c31370ce7536f529 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Fri, 16 Oct 2020 15:07:17 -0700
Subject: [PATCH 064/138] Minor changes

---
 lib/ret/api_token.ex                               | 4 ++--
 lib/ret_web/middleware/verify_resource.ex          | 1 +
 lib/ret_web/middleware/verify_scopes.ex            | 1 -
 lib/ret_web/{ => plugs}/api_token_auth_pipeline.ex | 4 ++--
 lib/ret_web/resolvers/room_resolver.ex             | 1 +
 5 files changed, 6 insertions(+), 5 deletions(-)
 rename lib/ret_web/{ => plugs}/api_token_auth_pipeline.ex (84%)

diff --git a/lib/ret/api_token.ex b/lib/ret/api_token.ex
index e27dab914..e65fea943 100644
--- a/lib/ret/api_token.ex
+++ b/lib/ret/api_token.ex
@@ -14,7 +14,7 @@ defmodule Ret.ApiToken do
 
   def subject_for_token(%Account{} = account, _), do: {:ok, to_string(account.account_id)}
   def subject_for_token(@app_token_atom, _), do: {:ok, @app_token_string}
-  def subject_for_token(_, _), do: {:ok, nil}
+  def subject_for_token(_, _), do: {:error, "Must pass account or #{@app_token_string}"}
 
   def resource_from_claims(%{"sub" => nil}) do
     {:error, "No subject in token"}
@@ -55,7 +55,7 @@ defmodule Ret.ApiToken do
     end
   end
 
-  @default_claims %{aud: "ret", typ: "api", scopes: []}
+  @default_claims %{aud: "ret", iss: "ret", typ: "access", scopes: []}
   @default_options [ttl: {8, :hours}]
 
   def gen_app_token(scopes \\ [Scopes.read_rooms(), Scopes.write_rooms(), Scopes.create_accounts()]) do
diff --git a/lib/ret_web/middleware/verify_resource.ex b/lib/ret_web/middleware/verify_resource.ex
index b8b3a62c7..adfa333ea 100644
--- a/lib/ret_web/middleware/verify_resource.ex
+++ b/lib/ret_web/middleware/verify_resource.ex
@@ -1,3 +1,4 @@
+# TODO: This is probably unnecessary
 defmodule RetWeb.Middleware.VerifyResource do
   @moduledoc false
 
diff --git a/lib/ret_web/middleware/verify_scopes.ex b/lib/ret_web/middleware/verify_scopes.ex
index 93f092bc6..f44378343 100644
--- a/lib/ret_web/middleware/verify_scopes.ex
+++ b/lib/ret_web/middleware/verify_scopes.ex
@@ -9,7 +9,6 @@ defmodule RetWeb.Middleware.VerifyScopes do
     resolution
   end
 
-  # TODO: Should an :api scope be required to make any requests to the api?
   def call(%{context: %{scopes: scopes}} = resolution, _) when is_list(scopes) do
     resolution
   end
diff --git a/lib/ret_web/api_token_auth_pipeline.ex b/lib/ret_web/plugs/api_token_auth_pipeline.ex
similarity index 84%
rename from lib/ret_web/api_token_auth_pipeline.ex
rename to lib/ret_web/plugs/api_token_auth_pipeline.ex
index 2158c7cf9..f5237b14d 100644
--- a/lib/ret_web/api_token_auth_pipeline.ex
+++ b/lib/ret_web/plugs/api_token_auth_pipeline.ex
@@ -5,8 +5,8 @@ defmodule RetWeb.ApiTokenAuthPipeline do
     module: Ret.ApiToken,
     error_handler: RetWeb.ApiTokenAuthErrorHandler
 
-  plug(Guardian.Plug.VerifyHeader, realm: "Bearer", halt: false)
-  plug(Guardian.Plug.LoadResource, allow_blank: true, halt: false)
+  plug(Guardian.Plug.VerifyHeader, halt: false)
+  plug(Guardian.Plug.LoadResource, halt: false)
 end
 
 defmodule RetWeb.ApiTokenAuthErrorHandler do
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 71f7d0f39..e02dd9485 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -11,6 +11,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
     {:error, [type: :not_yet_implemented, message: "Not yet implemented for app tokens"]}
   end
 
+  # TODO: Create a "ResolvedApiToken" struct instead of passing {resource, scopes} tuples
   def my_rooms(_parent, args, %{context: %{resource: %Account{} = account, scopes: scopes}}) do
     Ret.Api.Rooms.authed_get_rooms_created_by(account, {account, scopes}, args)
   end

From f96f2262ea64e9ce5e8504d98e280d2eea082833 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Fri, 16 Oct 2020 15:12:04 -0700
Subject: [PATCH 065/138] Remove unnecessary middleware

---
 lib/ret_web/middleware.ex                     |  4 ---
 .../handle_api_token_auth_errors.ex           |  1 +
 lib/ret_web/middleware/verify_resource.ex     | 28 -------------------
 lib/ret_web/middleware/verify_scopes.ex       | 23 ---------------
 4 files changed, 1 insertion(+), 55 deletions(-)
 delete mode 100644 lib/ret_web/middleware/verify_resource.ex
 delete mode 100644 lib/ret_web/middleware/verify_scopes.ex

diff --git a/lib/ret_web/middleware.ex b/lib/ret_web/middleware.ex
index aac5a26e8..6ae737587 100644
--- a/lib/ret_web/middleware.ex
+++ b/lib/ret_web/middleware.ex
@@ -3,8 +3,6 @@ defmodule RetWeb.Middleware do
 
   alias RetWeb.Middleware.{
     VerifyToken,
-    VerifyResource,
-    VerifyScopes,
     HandleApiTokenAuthErrors,
     HandleChangesetErrors,
     StartTiming,
@@ -26,8 +24,6 @@ defmodule RetWeb.Middleware do
     if(include_timing, do: [StartTiming], else: []) ++
       [HandleApiTokenAuthErrors] ++
       [VerifyToken] ++
-      [VerifyResource] ++
-      [VerifyScopes] ++
       middleware ++
       [HandleChangesetErrors] ++
       if(include_timing, do: [EndTiming], else: []) ++
diff --git a/lib/ret_web/middleware/handle_api_token_auth_errors.ex b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
index 3104a397a..0c9f1a50e 100644
--- a/lib/ret_web/middleware/handle_api_token_auth_errors.ex
+++ b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
@@ -21,6 +21,7 @@ defmodule RetWeb.Middleware.HandleApiTokenAuthErrors do
     end
   end
 
+  # I ran into this case in testing. TODO: Figure out why (and if) it's still happening and fix
   def call(resolution, _) do
     put_error_result(resolution, :internal_server_error, "The context was built incorrectly")
   end
diff --git a/lib/ret_web/middleware/verify_resource.ex b/lib/ret_web/middleware/verify_resource.ex
deleted file mode 100644
index adfa333ea..000000000
--- a/lib/ret_web/middleware/verify_resource.ex
+++ /dev/null
@@ -1,28 +0,0 @@
-# TODO: This is probably unnecessary
-defmodule RetWeb.Middleware.VerifyResource do
-  @moduledoc false
-
-  @behaviour Absinthe.Middleware
-
-  import RetWeb.Middleware.PutErrorResult, only: [put_error_result: 3]
-
-  def call(%{state: :resolved} = resolution, _) do
-    resolution
-  end
-
-  def call(%{context: %{resource: :reticulum_app_token}} = resolution, _) do
-    resolution
-  end
-
-  def call(%{context: %{resource: %Ret.Account{}}} = resolution, _) do
-    resolution
-  end
-
-  def call(resolution, _) do
-    put_error_result(
-      resolution,
-      :resource_not_found,
-      "Could not find resource associated with this api access token"
-    )
-  end
-end
diff --git a/lib/ret_web/middleware/verify_scopes.ex b/lib/ret_web/middleware/verify_scopes.ex
deleted file mode 100644
index f44378343..000000000
--- a/lib/ret_web/middleware/verify_scopes.ex
+++ /dev/null
@@ -1,23 +0,0 @@
-defmodule RetWeb.Middleware.VerifyScopes do
-  @moduledoc false
-
-  @behaviour Absinthe.Middleware
-
-  import RetWeb.Middleware.PutErrorResult, only: [put_error_result: 3]
-
-  def call(%{state: :resolved} = resolution, _) do
-    resolution
-  end
-
-  def call(%{context: %{scopes: scopes}} = resolution, _) when is_list(scopes) do
-    resolution
-  end
-
-  def call(resolution, _) do
-    put_error_result(
-      resolution,
-      :scopes_not_found,
-      "Could not find scopes associated with this api access token"
-    )
-  end
-end

From 69902c7dda92dc22cfc3a78ec4c875eef89eaa33 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Fri, 16 Oct 2020 16:11:00 -0700
Subject: [PATCH 066/138] Rename Ret.ApiToken -> Ret.Api.Token

---
 config/dev.exs                               |  2 +-
 lib/ret/{api_token.ex => api/token.ex}       |  2 +-
 lib/ret/api_token_secret_fetcher.ex          |  4 ++--
 lib/ret/hub.ex                               | 16 ++++++++++++++--
 lib/ret_web/plugs/api_token_auth_pipeline.ex |  2 +-
 test/ret/api_token_test.exs                  | 16 ++++++++--------
 6 files changed, 27 insertions(+), 15 deletions(-)
 rename lib/ret/{api_token.ex => api/token.ex} (98%)

diff --git a/config/dev.exs b/config/dev.exs
index 728675e3a..109f39b36 100644
--- a/config/dev.exs
+++ b/config/dev.exs
@@ -187,7 +187,7 @@ config :ret, Ret.Guardian,
   secret_key: "47iqPEdWcfE7xRnyaxKDLt9OGEtkQG3SycHBEMOuT2qARmoESnhc76IgCUjaQIwX",
   ttl: {12, :weeks}
 
-config :ret, Ret.ApiToken,
+config :ret, Ret.Api.Token,
   secret_key: "sLqNm8eWf4gtzmaZXUyn5qI93levlvBnX4hqCM9HraDM00QMnVvtQGAQ4S56q3fe",
   ttl: {2, :weeks}
 
diff --git a/lib/ret/api_token.ex b/lib/ret/api/token.ex
similarity index 98%
rename from lib/ret/api_token.ex
rename to lib/ret/api/token.ex
index e65fea943..46c86a525 100644
--- a/lib/ret/api_token.ex
+++ b/lib/ret/api/token.ex
@@ -1,4 +1,4 @@
-defmodule Ret.ApiToken do
+defmodule Ret.Api.Token do
   @moduledoc """
   ApiTokens determine what actions are allowed to be taken via the public API.
   """
diff --git a/lib/ret/api_token_secret_fetcher.ex b/lib/ret/api_token_secret_fetcher.ex
index 4c2966978..3e2dcd5d2 100644
--- a/lib/ret/api_token_secret_fetcher.ex
+++ b/lib/ret/api_token_secret_fetcher.ex
@@ -2,10 +2,10 @@
 defmodule Ret.ApiTokenSecretFetcher do
   @moduledoc false
   def fetch_signing_secret(_mod, _opts) do
-    {:ok, Application.get_env(:ret, Ret.ApiToken)[:secret_key] |> JOSE.JWK.from_oct()}
+    {:ok, Application.get_env(:ret, Ret.Api.Token)[:secret_key] |> JOSE.JWK.from_oct()}
   end
 
   def fetch_verifying_secret(_mod, _token_headers, _opts) do
-    {:ok, Application.get_env(:ret, Ret.ApiToken)[:secret_key] |> JOSE.JWK.from_oct()}
+    {:ok, Application.get_env(:ret, Ret.Api.Token)[:secret_key] |> JOSE.JWK.from_oct()}
   end
 end
diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 5eaa8b09d..6830d1018 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -664,8 +664,8 @@ defmodule Ret.Hub do
 end
 
 # # TODO: Canada Can implementation for api token
-# defimpl Canada.Can, for: Ret.ApiToken do
-#   def can?(%Ret.ApiToken{} = token, :view_room, %Hub{} = hub) do
+# defimpl Canada.Can, for: Ret.Api.Token do
+#   def can?(%Ret.Api.Token{} = token, :view_room, %Hub{} = hub) do
 #     hub.entry_mode.public || token.claims.superuser
 #   end
 # end
@@ -818,3 +818,15 @@ defimpl Canada.Can, for: Atom do
 
   def can?(_, _, _), do: false
 end
+
+defimpl Canada.Can, for: {resource, scopes} do
+  def can?({:reticulum_app_token, scopes}, :update_room, room) do
+    Scopes.ensure_has_scope(scopes, Scopes.write_rooms())
+    && can?(resource, :update_room, room)
+  end
+end
+
+defimpl Canada.Can, for: :reticulum_app_token do
+  def can?(_, :access_admin_panel, _), do: false
+  def can?(_, _, %Hub{}), do: true
+end
diff --git a/lib/ret_web/plugs/api_token_auth_pipeline.ex b/lib/ret_web/plugs/api_token_auth_pipeline.ex
index f5237b14d..f824d65f5 100644
--- a/lib/ret_web/plugs/api_token_auth_pipeline.ex
+++ b/lib/ret_web/plugs/api_token_auth_pipeline.ex
@@ -2,7 +2,7 @@ defmodule RetWeb.ApiTokenAuthPipeline do
   @moduledoc false
   use Guardian.Plug.Pipeline,
     otp_app: :ret,
-    module: Ret.ApiToken,
+    module: Ret.Api.Token,
     error_handler: RetWeb.ApiTokenAuthErrorHandler
 
   plug(Guardian.Plug.VerifyHeader, halt: false)
diff --git a/test/ret/api_token_test.exs b/test/ret/api_token_test.exs
index 712888582..a88ec1ad2 100644
--- a/test/ret/api_token_test.exs
+++ b/test/ret/api_token_test.exs
@@ -15,7 +15,7 @@ defmodule Ret.ApiTokenTest do
 
   test "Api tokens encode default permissions" do
     {:ok, token, _claims} = Generator.gen_token()
-    {:ok, claims} = Guardian.decode_and_verify(Ret.ApiToken, token)
+    {:ok, claims} = Guardian.decode_and_verify(Ret.Api.Token, token)
     assert Map.get(claims, "rooms_mutation_create_room")
     assert Map.get(claims, "rooms_mutation_update_room") === false
   end
@@ -23,7 +23,7 @@ defmodule Ret.ApiTokenTest do
   test "Api tokens generated with an account encode more permissions" do
     account = Ret.Account.find_or_create_account_for_email("test@mozilla.com")
     {:ok, token, _claims} = Generator.gen_token_for_account(account)
-    {:ok, claims} = Guardian.decode_and_verify(Ret.ApiToken, token)
+    {:ok, claims} = Guardian.decode_and_verify(Ret.Api.Token, token)
     assert Map.get(claims, "rooms_mutation_create_room")
     assert Map.get(claims, "rooms_mutation_update_room")
   end
@@ -32,25 +32,25 @@ defmodule Ret.ApiTokenTest do
     {:ok, token, _claims} = Generator.gen_token()
     [%{jwt: jwt}] = Repo.all(token_query())
     assert jwt == token
-    {:ok, _claims} = Guardian.decode_and_verify(Ret.ApiToken, token)
+    {:ok, _claims} = Guardian.decode_and_verify(Ret.Api.Token, token)
 
-    Guardian.revoke(Ret.ApiToken, token)
+    Guardian.revoke(Ret.Api.Token, token)
     assert Enum.empty?(Repo.all(token_query()))
 
-    {:error, :token_not_found} = Guardian.decode_and_verify(Ret.ApiToken, token)
+    {:error, :token_not_found} = Guardian.decode_and_verify(Ret.Api.Token, token)
   end
 
   test "Api tokens can be associated with an account" do
     account = Ret.Account.find_or_create_account_for_email("test@mozilla.com")
     {:ok, token, _claims} = Generator.gen_token_for_account(account)
-    {:ok, resource, _claims} = Guardian.resource_from_token(Ret.ApiToken, token)
+    {:ok, resource, _claims} = Guardian.resource_from_token(Ret.Api.Token, token)
     assert resource.account_id === account.account_id
   end
 
   test "Revoked tokens cannot recover accounts" do
     account = Ret.Account.find_or_create_account_for_email("test@mozilla.com")
     {:ok, token, _claims} = Generator.gen_token_for_account(account)
-    Guardian.revoke(Ret.ApiToken, token)
-    {:error, :token_not_found} = Guardian.resource_from_token(Ret.ApiToken, token)
+    Guardian.revoke(Ret.Api.Token, token)
+    {:error, :token_not_found} = Guardian.resource_from_token(Ret.Api.Token, token)
   end
 end

From f652f0cee02287c9ff7dfffdace39024b4970d4c Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 19 Oct 2020 13:13:23 -0700
Subject: [PATCH 067/138] Update room access pattern for user and app tokens

---
 lib/ret/api/can_credentials.ex               | 33 +++++++++++
 lib/ret/api/credentials.ex                   | 27 +++++++++
 lib/ret/api/rooms.ex                         | 46 +++++----------
 lib/ret/api/token.ex                         | 26 +--------
 lib/ret/api/token_utils.ex                   | 26 +++++++++
 lib/ret/api_token_generator.ex               | 19 ------
 lib/ret/hub.ex                               | 12 ----
 lib/ret_web/middleware.ex                    |  2 -
 lib/ret_web/middleware/put_error_result.ex   | 12 +++-
 lib/ret_web/plugs/add_absinthe_context.ex    | 31 ++++++----
 lib/ret_web/plugs/api_token_auth_pipeline.ex |  2 +-
 lib/ret_web/resolvers/resolver_error.ex      |  6 ++
 lib/ret_web/resolvers/room_resolver.ex       | 61 +++++++++++++++-----
 test/ret/api_token_test.exs                  | 14 ++---
 14 files changed, 195 insertions(+), 122 deletions(-)
 create mode 100644 lib/ret/api/can_credentials.ex
 create mode 100644 lib/ret/api/credentials.ex
 create mode 100644 lib/ret/api/token_utils.ex
 delete mode 100644 lib/ret/api_token_generator.ex
 create mode 100644 lib/ret_web/resolvers/resolver_error.ex

diff --git a/lib/ret/api/can_credentials.ex b/lib/ret/api/can_credentials.ex
new file mode 100644
index 000000000..5c7dc7c8a
--- /dev/null
+++ b/lib/ret/api/can_credentials.ex
@@ -0,0 +1,33 @@
+defimpl Canada.Can, for: Ret.Api.Credentials do
+  alias Ret.{Account}
+  alias Ret.Api.{Credentials, Scopes}
+
+  def can?(
+        %Credentials{resource: :reticulum_app_token, scopes: scopes},
+        action,
+        %Account{}
+      )
+      when action in [:get_rooms_created_by, :get_favorite_rooms_of] do
+    Scopes.read_rooms() in scopes
+  end
+
+  def can?(
+        %Credentials{resource: %Account{} = account, scopes: scopes},
+        action,
+        %Account{} = account
+      )
+      when action in [:get_rooms_created_by, :get_favorite_rooms_of] do
+    Scopes.read_rooms() in scopes
+  end
+
+  def can?(
+        %Credentials{scopes: scopes},
+        :get_public_rooms,
+        _
+      ) do
+    IO.inspect("hello world")
+    Scopes.read_rooms() in scopes
+  end
+
+  def can?(_, _, _), do: false
+end
diff --git a/lib/ret/api/credentials.ex b/lib/ret/api/credentials.ex
new file mode 100644
index 000000000..41ee51179
--- /dev/null
+++ b/lib/ret/api/credentials.ex
@@ -0,0 +1,27 @@
+defmodule Ret.Api.Credentials do
+  @moduledoc """
+  Credentials for API access. Created by decoding/validating ApiTokens
+  """
+
+  alias Ret.Account
+  alias Ret.Api.Scopes
+
+  @enforce_keys [:resource, :scopes]
+  defstruct [:resource, :scopes]
+
+  def from_resource_and_claims(:reticulum_app_token, %{"scopes" => scopes}) do
+    with credentials <- %__MODULE__{resource: :reticulum_app_token, scopes: scopes} do
+      {:ok, credentials}
+    end
+  end
+
+  def from_resource_and_claims(%Account{} = resource, %{"scopes" => scopes}) do
+    with credentials <- %__MODULE__{resource: resource, scopes: scopes} do
+      {:ok, credentials}
+    end
+  end
+
+  def from_resource_and_claims(_, _) do
+    {:error, "Invalid credentials"}
+  end
+end
diff --git a/lib/ret/api/rooms.ex b/lib/ret/api/rooms.ex
index c7feb0cc7..ddc70c64a 100644
--- a/lib/ret/api/rooms.ex
+++ b/lib/ret/api/rooms.ex
@@ -2,48 +2,32 @@ defmodule Ret.Api.Rooms do
   @moduledoc "Functions for accessing rooms in an authenticated way"
 
   alias Ret.{Account, Hub}
-  alias Ret.Api.Scopes
+  alias Ret.Api.{Credentials}
+
+  import Canada, only: [can?: 2]
 
   # App tokens allowed to get any rooms
-  def authed_get_rooms_created_by(%Account{} = account, {:reticulum_app_token, scopes}, params) do
-    with :ok <- Scopes.ensure_has_scope(scopes, Scopes.read_rooms()) do
+  def authed_get_rooms_created_by(%Account{} = account, %Credentials{} = credentials, params) do
+    if can?(credentials, get_rooms_created_by(account)) do
       {:ok, Hub.get_my_rooms(account, params)}
+    else
+      {:error, :invalid_credentials}
     end
   end
 
-  # Account matches resource
-  def authed_get_rooms_created_by(%Account{} = account, {account, scopes}, params) do
-    with :ok <- Scopes.ensure_has_scope(scopes, Scopes.read_rooms()) do
+  def authed_get_favorite_rooms_of(%Account{} = account, %Credentials{} = credentials, params) do
+    if can?(credentials, get_favorite_rooms_of(account)) do
       {:ok, Hub.get_my_rooms(account, params)}
+    else
+      {:error, :invalid_credentials}
     end
   end
 
-  def authed_get_rooms_created_by(_, _) do
-    {:error, :unauthorized}
-  end
-
-  # App tokens allowed to get any rooms
-  def authed_get_favorite_rooms_of(%Account{} = account, {:reticulum_app_token, scopes}, params) do
-    with :ok <- Scopes.ensure_has_scope(scopes, Scopes.read_rooms()) do
-      {:ok, Hub.get_favorite_rooms(account, params)}
-    end
-  end
-
-  # Account matches resource
-  def authed_get_favorite_rooms_of(%Account{} = account, {account, scopes}, params) do
-    with :ok <- Scopes.ensure_has_scope(scopes, Scopes.read_rooms()) do
-      {:ok, Hub.get_favorite_rooms(account, params)}
-    end
-  end
-
-  def authed_get_favorite_rooms_of(_, _) do
-    {:error, :unauthorized}
-  end
-
-  # App tokens allowed to get any rooms
-  def authed_get_public_rooms(scopes, params) do
-    with :ok <- Scopes.ensure_has_scope(scopes, Scopes.read_rooms()) do
+  def authed_get_public_rooms(%Credentials{} = credentials, params) do
+    if can?(credentials, get_public_rooms(nil)) do
       {:ok, Hub.get_public_rooms(params)}
+    else
+      {:error, :invalid_credentials}
     end
   end
 end
diff --git a/lib/ret/api/token.ex b/lib/ret/api/token.ex
index 46c86a525..d27ea0ff6 100644
--- a/lib/ret/api/token.ex
+++ b/lib/ret/api/token.ex
@@ -6,14 +6,13 @@ defmodule Ret.Api.Token do
 
   import Ecto.Query
 
-  alias Ret.{Account, Repo, ApiToken}
+  alias Ret.{Account, Repo}
   alias Ret.Api.Scopes
 
   @app_token_string "reticulum_app_token"
-  @app_token_atom :reticulum_app_token
 
   def subject_for_token(%Account{} = account, _), do: {:ok, to_string(account.account_id)}
-  def subject_for_token(@app_token_atom, _), do: {:ok, @app_token_string}
+  def subject_for_token(:reticulum_app_token, _), do: {:ok, @app_token_string}
   def subject_for_token(_, _), do: {:error, "Must pass account or #{@app_token_string}"}
 
   def resource_from_claims(%{"sub" => nil}) do
@@ -21,7 +20,7 @@ defmodule Ret.Api.Token do
   end
 
   def resource_from_claims(%{"sub" => @app_token_string}) do
-    {:ok, @app_token_atom}
+    {:ok, :reticulum_app_token}
   end
 
   def resource_from_claims(%{"sub" => account_id}) do
@@ -54,23 +53,4 @@ defmodule Ret.Api.Token do
       {:ok, claims}
     end
   end
-
-  @default_claims %{aud: "ret", iss: "ret", typ: "access", scopes: []}
-  @default_options [ttl: {8, :hours}]
-
-  def gen_app_token(scopes \\ [Scopes.read_rooms(), Scopes.write_rooms(), Scopes.create_accounts()]) do
-    ApiToken.encode_and_sign(
-      @app_token_atom,
-      Map.put(@default_claims, :scopes, scopes),
-      @default_options
-    )
-  end
-
-  def gen_token_for_account(%Account{} = account, scopes \\ [Scopes.read_rooms(), Scopes.write_rooms()]) do
-    ApiToken.encode_and_sign(
-      account,
-      Map.put(@default_claims, :scopes, scopes),
-      @default_options
-    )
-  end
 end
diff --git a/lib/ret/api/token_utils.ex b/lib/ret/api/token_utils.ex
new file mode 100644
index 000000000..064419365
--- /dev/null
+++ b/lib/ret/api/token_utils.ex
@@ -0,0 +1,26 @@
+defmodule Ret.Api.TokenUtils do
+  @moduledoc """
+  Utility functions for generating API access tokens.
+  """
+  @default_claims %{aud: "ret", iss: "ret", typ: "access", scopes: []}
+  @default_options [ttl: {8, :hours}]
+
+  alias Ret.Account
+  alias Ret.Api.{Token, Scopes}
+
+  def gen_app_token(scopes \\ [Scopes.read_rooms(), Scopes.write_rooms(), Scopes.create_accounts()]) do
+    Token.encode_and_sign(
+      :reticulum_app_token,
+      Map.put(@default_claims, :scopes, scopes),
+      @default_options
+    )
+  end
+
+  def gen_token_for_account(%Account{} = account, scopes \\ [Scopes.read_rooms(), Scopes.write_rooms()]) do
+    Token.encode_and_sign(
+      account,
+      Map.put(@default_claims, :scopes, scopes),
+      @default_options
+    )
+  end
+end
diff --git a/lib/ret/api_token_generator.ex b/lib/ret/api_token_generator.ex
deleted file mode 100644
index 6a8f8831e..000000000
--- a/lib/ret/api_token_generator.ex
+++ /dev/null
@@ -1,19 +0,0 @@
-# TODO: Remove this file
-defmodule Ret.ApiTokenGenerator do
-  @moduledoc """
-  Generate API tokens with appropriate scope
-  """
-  alias Ret.{Account, ApiToken, ApiPermissions}
-
-  def gen_token() do
-    ApiToken.gen_app_token()
-  end
-
-  def gen_token_for_account(%Account{} = account) do
-    ApiToken.gen_token_for_account(account)
-  end
-
-  def gen_token_for_account(_account) do
-    {:error, "Did not specify account."}
-  end
-end
diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 6830d1018..6bbb265be 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -818,15 +818,3 @@ defimpl Canada.Can, for: Atom do
 
   def can?(_, _, _), do: false
 end
-
-defimpl Canada.Can, for: {resource, scopes} do
-  def can?({:reticulum_app_token, scopes}, :update_room, room) do
-    Scopes.ensure_has_scope(scopes, Scopes.write_rooms())
-    && can?(resource, :update_room, room)
-  end
-end
-
-defimpl Canada.Can, for: :reticulum_app_token do
-  def can?(_, :access_admin_panel, _), do: false
-  def can?(_, _, %Hub{}), do: true
-end
diff --git a/lib/ret_web/middleware.ex b/lib/ret_web/middleware.ex
index 6ae737587..7d7416bc9 100644
--- a/lib/ret_web/middleware.ex
+++ b/lib/ret_web/middleware.ex
@@ -2,7 +2,6 @@ defmodule RetWeb.Middleware do
   @moduledoc "Adds absinthe middleware on matching fields/objects"
 
   alias RetWeb.Middleware.{
-    VerifyToken,
     HandleApiTokenAuthErrors,
     HandleChangesetErrors,
     StartTiming,
@@ -23,7 +22,6 @@ defmodule RetWeb.Middleware do
 
     if(include_timing, do: [StartTiming], else: []) ++
       [HandleApiTokenAuthErrors] ++
-      [VerifyToken] ++
       middleware ++
       [HandleChangesetErrors] ++
       if(include_timing, do: [EndTiming], else: []) ++
diff --git a/lib/ret_web/middleware/put_error_result.ex b/lib/ret_web/middleware/put_error_result.ex
index 835ed3a9c..25d171e8d 100644
--- a/lib/ret_web/middleware/put_error_result.ex
+++ b/lib/ret_web/middleware/put_error_result.ex
@@ -3,7 +3,17 @@ defmodule RetWeb.Middleware.PutErrorResult do
 
   import Absinthe.Resolution, only: [put_result: 2]
 
-  # TODO: message is not always a string but needs to be. e.g. Authorization: bearer: foo
+  def put_error_result(resolution, :no_resource_found, _message) do
+    put_result(
+      resolution,
+      {:error,
+       [
+         type: :missing_or_invalid_credentials,
+         message: "API access token is missing or invalid. Did you add an authorization: bearer <your_token> header?"
+       ]}
+    )
+  end
+
   def put_error_result(resolution, type, message) do
     put_result(
       resolution,
diff --git a/lib/ret_web/plugs/add_absinthe_context.ex b/lib/ret_web/plugs/add_absinthe_context.ex
index b07a39e41..e1bcf6b82 100644
--- a/lib/ret_web/plugs/add_absinthe_context.ex
+++ b/lib/ret_web/plugs/add_absinthe_context.ex
@@ -2,19 +2,30 @@ defmodule RetWeb.AddAbsintheContext do
   @moduledoc false
   @behaviour Plug
 
+  alias Ret.Api.Credentials
+
   def init(opts), do: opts
 
   def call(conn, _) do
-    claims = Guardian.Plug.current_claims(conn)
+    auth_errors = conn.assigns[:api_token_auth_errors] || []
+
+    context =
+      case Credentials.from_resource_and_claims(
+             Guardian.Plug.current_resource(conn),
+             Guardian.Plug.current_claims(conn)
+           ) do
+        {:ok, credentials} ->
+          %{
+            api_token_auth_errors: auth_errors,
+            credentials: credentials
+          }
+
+        {:error, reason} ->
+          %{
+            api_token_auth_errors: auth_errors ++ [{:invalid_credentials, reason}]
+          }
+      end
 
-    Absinthe.Plug.put_options(conn,
-      context: %{
-        api_token_auth_errors: conn.assigns[:api_token_auth_errors] || [],
-        resource: Guardian.Plug.current_resource(conn),
-        scopes: claims && claims["scopes"],
-        token: Guardian.Plug.current_token(conn),
-        claims: claims
-      }
-    )
+    Absinthe.Plug.put_options(conn, context: context)
   end
 end
diff --git a/lib/ret_web/plugs/api_token_auth_pipeline.ex b/lib/ret_web/plugs/api_token_auth_pipeline.ex
index f824d65f5..d2d9d864d 100644
--- a/lib/ret_web/plugs/api_token_auth_pipeline.ex
+++ b/lib/ret_web/plugs/api_token_auth_pipeline.ex
@@ -20,7 +20,7 @@ defmodule RetWeb.ApiTokenAuthErrorHandler do
     append_error(conn, failure_type, reason)
   end
 
-  defp append_error(conn, failure_type, reason) do
+  def append_error(conn, failure_type, reason) do
     Plug.Conn.assign(
       conn,
       :api_token_auth_errors,
diff --git a/lib/ret_web/resolvers/resolver_error.ex b/lib/ret_web/resolvers/resolver_error.ex
new file mode 100644
index 000000000..422f93365
--- /dev/null
+++ b/lib/ret_web/resolvers/resolver_error.ex
@@ -0,0 +1,6 @@
+defmodule RetWeb.Resolvers.ResolverError do
+  @moduledoc false
+  def resolver_error(type, reason) do
+    {:error, [type: type, message: reason]}
+  end
+end
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index e02dd9485..d8d85e0f2 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -3,42 +3,71 @@ defmodule RetWeb.Resolvers.RoomResolver do
   Resolvers for room queries and mutations via the graphql API
   """
   alias Ret.{Hub, Account, Repo, RoomAccessApi}
+  alias Ret.Api.Credentials
   alias RetWeb.Api.V1.{HubView}
   import Canada, only: [can?: 2]
+  import RetWeb.Resolvers.ResolverError, only: [resolver_error: 2]
 
-  def my_rooms(_parent, args, %{context: %{resource: :reticulum_app_token, scopes: scopes}}) do
-    # TODO: Get account from arguments
-    {:error, [type: :not_yet_implemented, message: "Not yet implemented for app tokens"]}
+  def my_rooms(_parent, args, %{
+        context: %{
+          credentials: %Credentials{
+            resource: :reticulum_app_token
+          }
+        }
+      }) do
+    resolver_error(:not_implemented, "Not implemented for app tokens")
   end
 
-  # TODO: Create a "ResolvedApiToken" struct instead of passing {resource, scopes} tuples
-  def my_rooms(_parent, args, %{context: %{resource: %Account{} = account, scopes: scopes}}) do
-    Ret.Api.Rooms.authed_get_rooms_created_by(account, {account, scopes}, args)
+  def my_rooms(_parent, args, %{
+        context: %{
+          credentials:
+            %Credentials{
+              resource: %Account{} = account
+            } = credentials
+        }
+      }) do
+    Ret.Api.Rooms.authed_get_rooms_created_by(account, credentials, args)
   end
 
   def my_rooms(_parent, _args, _resolutions) do
-    {:error, [type: :unauthorized, message: "Unauthorized access"]}
+    resolver_error(:unauthorized, "Unauthorized access")
   end
 
-  def favorite_rooms(_parent, args, %{context: %{resource: :reticulum_app_token, scopes: scopes}}) do
-    # TODO: Get account from arguments
-    {:error, [type: :not_yet_implemented, message: "Not yet implemented for app tokens"]}
+  def favorite_rooms(_parent, args, %{
+        context: %{
+          credentials: %Credentials{
+            resource: :reticulum_app_token
+          }
+        }
+      }) do
+    resolver_error(:not_implemented, "Not implemented for app tokens")
   end
 
-  def favorite_rooms(_parent, args, %{context: %{resource: %Account{} = account, scopes: scopes}}) do
-    Ret.Api.Rooms.authed_get_favorite_rooms_of(account, {account, scopes}, args)
+  def favorite_rooms(_parent, args, %{
+        context: %{
+          credentials:
+            %Credentials{
+              resource: %Account{} = account
+            } = credentials
+        }
+      }) do
+    Ret.Api.Rooms.authed_get_favorite_rooms_of(account, credentials, args)
   end
 
   def favorite_rooms(_parent, _args, _resolutions) do
-    {:error, [type: :unauthorized, message: "Unauthorized access"]}
+    resolver_error(:unauthorized, "Unauthorized access")
   end
 
-  def public_rooms(_parent, args, %{context: %{scopes: scopes}}) do
-    Ret.Api.Rooms.authed_get_public_rooms(scopes, args)
+  def public_rooms(_parent, args, %{
+        context: %{
+          credentials: %Credentials{} = credentials
+        }
+      }) do
+    Ret.Api.Rooms.authed_get_public_rooms(credentials, args)
   end
 
   def public_rooms(_, _, _) do
-    {:error, [type: :unauthorized, message: "Unauthorized access"]}
+    resolver_error(:unauthorized, "Unauthorized access")
   end
 
   def create_room(_parent, args, %{context: %{account: account}}) do
diff --git a/test/ret/api_token_test.exs b/test/ret/api_token_test.exs
index a88ec1ad2..465d6755c 100644
--- a/test/ret/api_token_test.exs
+++ b/test/ret/api_token_test.exs
@@ -1,20 +1,20 @@
 defmodule Ret.ApiTokenTest do
   use Ret.DataCase
 
-  alias Ret.ApiTokenGenerator, as: Generator
+  alias Ret.Api.TokenUtils
 
   defp token_query do
     from("guardian_tokens", select: [:jti, :aud, :jwt, :claims])
   end
 
   test "Generating an api token puts it in the database" do
-    {:ok, token, _claims} = Generator.gen_token()
+    {:ok, token, _claims} = TokenUtils.gen_app_token()
     [%{jwt: jwt}] = Repo.all(token_query())
     assert jwt == token
   end
 
   test "Api tokens encode default permissions" do
-    {:ok, token, _claims} = Generator.gen_token()
+    {:ok, token, _claims} = TokenUtils.gen_app_token()
     {:ok, claims} = Guardian.decode_and_verify(Ret.Api.Token, token)
     assert Map.get(claims, "rooms_mutation_create_room")
     assert Map.get(claims, "rooms_mutation_update_room") === false
@@ -22,14 +22,14 @@ defmodule Ret.ApiTokenTest do
 
   test "Api tokens generated with an account encode more permissions" do
     account = Ret.Account.find_or_create_account_for_email("test@mozilla.com")
-    {:ok, token, _claims} = Generator.gen_token_for_account(account)
+    {:ok, token, _claims} = TokenUtils.gen_token_for_account(account)
     {:ok, claims} = Guardian.decode_and_verify(Ret.Api.Token, token)
     assert Map.get(claims, "rooms_mutation_create_room")
     assert Map.get(claims, "rooms_mutation_update_room")
   end
 
   test "Api tokens can be revoked" do
-    {:ok, token, _claims} = Generator.gen_token()
+    {:ok, token, _claims} = TokenUtils.gen_app_token()
     [%{jwt: jwt}] = Repo.all(token_query())
     assert jwt == token
     {:ok, _claims} = Guardian.decode_and_verify(Ret.Api.Token, token)
@@ -42,14 +42,14 @@ defmodule Ret.ApiTokenTest do
 
   test "Api tokens can be associated with an account" do
     account = Ret.Account.find_or_create_account_for_email("test@mozilla.com")
-    {:ok, token, _claims} = Generator.gen_token_for_account(account)
+    {:ok, token, _claims} = TokenUtils.gen_token_for_account(account)
     {:ok, resource, _claims} = Guardian.resource_from_token(Ret.Api.Token, token)
     assert resource.account_id === account.account_id
   end
 
   test "Revoked tokens cannot recover accounts" do
     account = Ret.Account.find_or_create_account_for_email("test@mozilla.com")
-    {:ok, token, _claims} = Generator.gen_token_for_account(account)
+    {:ok, token, _claims} = TokenUtils.gen_token_for_account(account)
     Guardian.revoke(Ret.Api.Token, token)
     {:error, :token_not_found} = Guardian.resource_from_token(Ret.Api.Token, token)
   end

From 9a5c0899b2e02d19f86431692676cd1b0c3f9ce0 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 19 Oct 2020 13:24:12 -0700
Subject: [PATCH 068/138] Fix tests and warnings

---
 config/dev.exs                             |  6 ++----
 config/test.exs                            |  7 ++-----
 lib/mix/tasks/generate_api_token.ex        |  7 ++++---
 lib/ret/api/token.ex                       |  1 -
 lib/ret_web/middleware/put_error_result.ex |  4 ++--
 lib/ret_web/resolvers/room_resolver.ex     |  4 ++--
 test/api/v2/room_query_test.exs            | 10 +++++-----
 7 files changed, 17 insertions(+), 22 deletions(-)

diff --git a/config/dev.exs b/config/dev.exs
index 109f39b36..ba41df05b 100644
--- a/config/dev.exs
+++ b/config/dev.exs
@@ -193,10 +193,8 @@ config :ret, Ret.Api.Token,
 
 config :guardian, Guardian.DB,
   repo: Ret.Repo,
-  schema_name: "guardian_tokens", # Would like to call this api_tokens -- would need to edit the template/migrations
-  token_types: ["api"],
-  sweep_interval: 10
-# TODO: sweep_interval doesn't need configuration if we disable sweep
+  # Would like to call this api_tokens -- would need to edit the template/migrations
+  schema_name: "guardian_tokens"
 
 config :web_push_encryption, :vapid_details,
   subject: "mailto:admin@mozilla.com",
diff --git a/config/test.exs b/config/test.exs
index 286a4cb16..e94c8f44d 100644
--- a/config/test.exs
+++ b/config/test.exs
@@ -47,16 +47,13 @@ config :ret, Ret.Guardian,
   issuer: "ret",
   secret_key: "47iqPEdWcfE7xRnyaxKDLt9OGEtkQG3SycHBEMOuT2qARmoESnhc76IgCUjaQIwX"
 
-config :ret, Ret.ApiToken,
+config :ret, Ret.Api.Token,
   secret_key: "sLqNm8eWf4gtzmaZXUyn5qI93levlvBnX4hqCM9HraDM00QMnVvtQGAQ4S56q3fe",
   ttl: {2, :hours}
 
 config :guardian, Guardian.DB,
   repo: Ret.Repo,
-  schema_name: "guardian_tokens", # Would like to call this api_tokens -- would need to edit the template/migrations
-  token_types: ["api"],
-  sweep_interval: 10
-# TODO: sweep_interval doesn't need configuration if we disable sweep
+  schema_name: "guardian_tokens" # Would like to call this api_tokens -- would need to edit the template/migrations
 
 config :ret, Ret.Storage,
   storage_path: "storage/test",
diff --git a/lib/mix/tasks/generate_api_token.ex b/lib/mix/tasks/generate_api_token.ex
index 3092de834..3d0e23e11 100644
--- a/lib/mix/tasks/generate_api_token.ex
+++ b/lib/mix/tasks/generate_api_token.ex
@@ -3,7 +3,8 @@ defmodule Mix.Tasks.GenerateApiToken do
 
   use Mix.Task
 
-  alias Ret.{Account, ApiToken}
+  alias Ret.{Account}
+  alias Ret.Api.TokenUtils
 
   @impl Mix.Task
   def run(_) do
@@ -57,7 +58,7 @@ defmodule Mix.Tasks.GenerateApiToken do
     if Mix.shell().yes?("Are you sure you want to generate an app token?") do
       Mix.Task.run("app.start")
 
-      case ApiToken.gen_app_token() do
+      case TokenUtils.gen_app_token() do
         {:ok, token, _claims} -> Mix.shell().info("Successfully generated token:\n#{token}")
         {:error, reason} -> Mix.shell().error("Error: #{reason}")
       end
@@ -65,7 +66,7 @@ defmodule Mix.Tasks.GenerateApiToken do
   end
 
   defp gen_token_for_account(account) do
-    case ApiToken.gen_token_for_account(account) do
+    case TokenUtils.gen_token_for_account(account) do
       {:ok, token, _claims} -> Mix.shell().info("Successfully generated token:\n#{token}")
       {:error, reason} -> Mix.shell().error("Error: #{reason}")
     end
diff --git a/lib/ret/api/token.ex b/lib/ret/api/token.ex
index d27ea0ff6..28b26c626 100644
--- a/lib/ret/api/token.ex
+++ b/lib/ret/api/token.ex
@@ -7,7 +7,6 @@ defmodule Ret.Api.Token do
   import Ecto.Query
 
   alias Ret.{Account, Repo}
-  alias Ret.Api.Scopes
 
   @app_token_string "reticulum_app_token"
 
diff --git a/lib/ret_web/middleware/put_error_result.ex b/lib/ret_web/middleware/put_error_result.ex
index 25d171e8d..97a332647 100644
--- a/lib/ret_web/middleware/put_error_result.ex
+++ b/lib/ret_web/middleware/put_error_result.ex
@@ -8,8 +8,8 @@ defmodule RetWeb.Middleware.PutErrorResult do
       resolution,
       {:error,
        [
-         type: :missing_or_invalid_credentials,
-         message: "API access token is missing or invalid. Did you add an authorization: bearer <your_token> header?"
+         type: :api_access_token_invalid_or_not_found,
+         message: "API access token is invalid or missing. Did you add an authorization: bearer <your_token> header?"
        ]}
     )
   end
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index d8d85e0f2..77073beb9 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -8,7 +8,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
   import Canada, only: [can?: 2]
   import RetWeb.Resolvers.ResolverError, only: [resolver_error: 2]
 
-  def my_rooms(_parent, args, %{
+  def my_rooms(_parent, _args, %{
         context: %{
           credentials: %Credentials{
             resource: :reticulum_app_token
@@ -33,7 +33,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
     resolver_error(:unauthorized, "Unauthorized access")
   end
 
-  def favorite_rooms(_parent, args, %{
+  def favorite_rooms(_parent, _args, %{
         context: %{
           credentials: %Credentials{
             resource: :reticulum_app_token
diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index 79fae24c1..0a042e21f 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -6,7 +6,7 @@ defmodule RoomQueryTest do
   use ExUnit.Case
   use RetWeb.ConnCase
   import Ret.TestHelpers
-  alias Ret.ApiTokenGenerator
+  alias Ret.Api.TokenUtils
 
   setup_all do
     Absinthe.Test.prime(RetWeb.Schema)
@@ -70,8 +70,8 @@ defmodule RoomQueryTest do
     scene = create_scene(account)
     {:ok, hub: hub} = create_hub(%{scene: scene})
     {:ok, hub: public_hub} = create_public_hub(%{scene: scene})
-    {:ok, token, _claims} = ApiTokenGenerator.gen_token_for_account(account)
-    {:ok, app_token, _claims} = ApiTokenGenerator.gen_token()
+    {:ok, token, _claims} = TokenUtils.gen_token_for_account(account)
+    {:ok, app_token, _claims} = TokenUtils.gen_app_token()
 
     %{
       account: account,
@@ -86,7 +86,7 @@ defmodule RoomQueryTest do
 
   test "Cannot query without a token", %{conn: conn} do
     res = conn |> do_graphql_action(@query_public_rooms)
-    assert hd(res["errors"])["type"] === "api_access_token_not_found"
+    assert hd(res["errors"])["type"] === "api_access_token_invalid_or_not_found"
   end
 
   test "Can query public rooms with app token", %{conn: conn, public_hub: public_hub, app_token: app_token} do
@@ -113,7 +113,7 @@ defmodule RoomQueryTest do
       |> do_graphql_action(@query_my_rooms)
 
     # TODO: Fix this test when implemented
-    assert hd(res["errors"])["type"] === "not_yet_implemented"
+    assert hd(res["errors"])["type"] === "not_implemented"
   end
 
   test "Can query my rooms with appropriate token", %{

From dc45130f04be1fd1cda531ca6652594337e464bb Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 19 Oct 2020 19:58:12 -0700
Subject: [PATCH 069/138] Generate random room names

---
 lib/ret/random_room_names.ex           | 673 +++++++++++++++++++++++++
 lib/ret_web/resolvers/room_resolver.ex |   3 +-
 2 files changed, 674 insertions(+), 2 deletions(-)
 create mode 100644 lib/ret/random_room_names.ex

diff --git a/lib/ret/random_room_names.ex b/lib/ret/random_room_names.ex
new file mode 100644
index 000000000..35531107a
--- /dev/null
+++ b/lib/ret/random_room_names.ex
@@ -0,0 +1,673 @@
+defmodule Ret.RandomRoomNames do
+  @moduledoc false
+
+  @adjectives [
+    "able",
+    "absolute",
+    "acceptable",
+    "acclaimed",
+    "accomplished",
+    "accurate",
+    "aching",
+    "acrobatic",
+    "adorable",
+    "adventurous",
+    "basic",
+    "belated",
+    "beloved",
+    "calm",
+    "candid",
+    "capital",
+    "carefree",
+    "caring",
+    "cautious",
+    "celebrated",
+    "charming",
+    "daring",
+    "darling",
+    "dearest",
+    "each",
+    "eager",
+    "early",
+    "earnest",
+    "easy",
+    "easygoing",
+    "ecstatic",
+    "edible",
+    "fabulous",
+    "fair",
+    "faithful",
+    "familiar",
+    "famous",
+    "fancy",
+    "fantastic",
+    "far",
+    "generous",
+    "gentle",
+    "genuine",
+    "giant",
+    "handmade",
+    "handsome",
+    "handy",
+    "happy",
+    "icy",
+    "ideal",
+    "identical",
+    "keen",
+    "lasting",
+    "lavish",
+    "magnificent",
+    "majestic",
+    "mammoth",
+    "marvelous",
+    "natural",
+    "obedient",
+    "palatable",
+    "parched",
+    "passionate",
+    "pastel",
+    "peaceful",
+    "perfect",
+    "perfumed",
+    "quaint",
+    "qualified",
+    "radiant",
+    "rapid",
+    "rare",
+    "safe",
+    "sandy",
+    "satisfied",
+    "scaly",
+    "scarce",
+    "scared",
+    "scary",
+    "scented",
+    "scientific",
+    "secret",
+    "sentimental",
+    "talkative",
+    "tangible",
+    "tart",
+    "tasty",
+    "tattered",
+    "teeming",
+    "ultimate",
+    "uncommon",
+    "unconscious",
+    "understated",
+    "warm",
+    "active",
+    "adept",
+    "admirable",
+    "admired",
+    "adorable",
+    "adored",
+    "advanced",
+    "affectionate",
+    "beneficial",
+    "best",
+    "better",
+    "big",
+    "cheerful",
+    "cheery",
+    "chief",
+    "chilly",
+    "classic",
+    "clean",
+    "clear",
+    "clever",
+    "decent",
+    "decisive",
+    "deep",
+    "defiant",
+    "definitive",
+    "delectable",
+    "delicious",
+    "elaborate",
+    "elastic",
+    "elated",
+    "elegant",
+    "elementary",
+    "elliptical",
+    "fast",
+    "favorable",
+    "favorite",
+    "fearless",
+    "gifted",
+    "glamorous",
+    "gleaming",
+    "glittering",
+    "harmonious",
+    "imaginative",
+    "immense",
+    "jealous",
+    "kind",
+    "leafy",
+    "legal",
+    "mature",
+    "mean",
+    "nautical",
+    "neat",
+    "necessary",
+    "needy",
+    "oddball",
+    "offbeat",
+    "periodic",
+    "perky",
+    "personal",
+    "pertinent",
+    "petty",
+    "quarterly",
+    "ready",
+    "real",
+    "realistic",
+    "reasonable",
+    "regal",
+    "serene",
+    "shabby",
+    "sharp",
+    "shiny",
+    "showy",
+    "shy",
+    "silky",
+    "tempting",
+    "tense",
+    "terrific",
+    "testy",
+    "thankful",
+    "uniform",
+    "unique",
+    "vast",
+    "weary",
+    "wee",
+    "welcome",
+    "agile",
+    "alarmed",
+    "alert",
+    "alive",
+    "bleak",
+    "blissful",
+    "blushing",
+    "coarse",
+    "colorful",
+    "colossal",
+    "comfortable",
+    "compassionate",
+    "complete",
+    "delightful",
+    "dense",
+    "dependable",
+    "dependent",
+    "descriptive",
+    "detailed",
+    "determined",
+    "devoted",
+    "different",
+    "eminent",
+    "emotional",
+    "enchanted",
+    "enchanting",
+    "energetic",
+    "enormous",
+    "fine",
+    "finished",
+    "firm",
+    "firsthand",
+    "fixed",
+    "flashy",
+    "flawless",
+    "glorious",
+    "glossy",
+    "golden",
+    "good",
+    "gorgeous",
+    "graceful",
+    "healthy",
+    "heartfelt",
+    "hearty",
+    "helpful",
+    "impartial",
+    "impressive",
+    "jolly",
+    "jovial",
+    "lighthearted",
+    "likable",
+    "lined",
+    "mellow",
+    "melodic",
+    "memorable",
+    "mild",
+    "new",
+    "opulent",
+    "playful",
+    "pleasant",
+    "pleasing",
+    "plump",
+    "plush",
+    "polished",
+    "polite",
+    "reliable",
+    "relieved",
+    "remarkable",
+    "remote",
+    "respectful",
+    "responsible",
+    "simple",
+    "simplistic",
+    "sizzling",
+    "sleepy",
+    "slight",
+    "slim",
+    "smart",
+    "smooth",
+    "snappy",
+    "snoopy",
+    "thirsty",
+    "this",
+    "thorough",
+    "those",
+    "thoughtful",
+    "united",
+    "vibrant",
+    "vicious",
+    "wellmade",
+    "whimsical",
+    "whirlwind",
+    "zesty",
+    "amazing",
+    "ambitious",
+    "ample",
+    "amused",
+    "amusing",
+    "ancient",
+    "angelic",
+    "antique",
+    "bold",
+    "bossy",
+    "both",
+    "bouncy",
+    "bountiful",
+    "complex",
+    "conscious",
+    "considerate",
+    "constant",
+    "content",
+    "conventional",
+    "cooked",
+    "cool",
+    "cooperative",
+    "diligent",
+    "dimwitted",
+    "direct",
+    "discrete",
+    "envious",
+    "essential",
+    "ethical",
+    "euphoric",
+    "flippant",
+    "fluffy",
+    "flustered",
+    "focused",
+    "fond",
+    "gracious",
+    "grand",
+    "grandiose",
+    "granular",
+    "grateful",
+    "grave",
+    "great",
+    "hidden",
+    "high",
+    "hilarious",
+    "homely",
+    "incomparable",
+    "incredible",
+    "infamous",
+    "joyful",
+    "lively",
+    "loathsome",
+    "lonely",
+    "long",
+    "mindless",
+    "miniature",
+    "minor",
+    "misty",
+    "next",
+    "nice",
+    "nifty",
+    "nimble",
+    "orderly",
+    "organic",
+    "ornate",
+    "popular",
+    "posh",
+    "positive",
+    "potable",
+    "powerful",
+    "powerless",
+    "precious",
+    "present",
+    "prestigious",
+    "quick",
+    "rewarding",
+    "rich",
+    "right",
+    "sociable",
+    "soft",
+    "solid",
+    "some",
+    "sophisticated",
+    "soulful",
+    "sparkling",
+    "spectacular",
+    "speedy",
+    "spicy",
+    "spiffy",
+    "spirited",
+    "spiteful",
+    "splendid",
+    "spotless",
+    "spry",
+    "thrifty",
+    "tidy",
+    "tight",
+    "timely",
+    "tinted",
+    "unruly",
+    "untimely",
+    "violet",
+    "wicked",
+    "wide",
+    "wild",
+    "willing",
+    "winding",
+    "windy",
+    "zigzag",
+    "apprehensive",
+    "appropriate",
+    "artistic",
+    "assured",
+    "astonishing",
+    "bright",
+    "brilliant",
+    "bronze",
+    "coordinated",
+    "courageous",
+    "courteous",
+    "crafty",
+    "crazy",
+    "creamy",
+    "creative",
+    "crisp",
+    "distant",
+    "distinct",
+    "downright",
+    "evergreen",
+    "everlasting",
+    "every",
+    "evil",
+    "excellent",
+    "excitable",
+    "exemplary",
+    "exhausted",
+    "forthright",
+    "fortunate",
+    "fragrant",
+    "frank",
+    "free",
+    "frequent",
+    "fresh",
+    "friendly",
+    "frightened",
+    "frigid",
+    "gripping",
+    "grounded",
+    "honest",
+    "honorable",
+    "honored",
+    "hopeful",
+    "hospitable",
+    "hot",
+    "huge",
+    "infatuated",
+    "infinite",
+    "informal",
+    "insistent",
+    "instructive",
+    "juicy",
+    "jumbo",
+    "knowing",
+    "knowledgeable",
+    "longterm",
+    "loud",
+    "lovable",
+    "loving",
+    "modern",
+    "modest",
+    "monumental",
+    "normal",
+    "notable",
+    "outgoing",
+    "precious",
+    "pretty",
+    "prickly",
+    "primary",
+    "pristine",
+    "private",
+    "prize",
+    "productive",
+    "profitable",
+    "quiet",
+    "quintessential",
+    "roasted",
+    "robust",
+    "square",
+    "squiggly",
+    "stable",
+    "staid",
+    "starry",
+    "steel",
+    "stimulating",
+    "striking",
+    "striped",
+    "strong",
+    "studious",
+    "stunning",
+    "tough",
+    "trained",
+    "treasured",
+    "tremendous",
+    "triangular",
+    "tricky",
+    "unused",
+    "unusual",
+    "upbeat",
+    "virtual",
+    "witty",
+    "wonderful",
+    "wooden",
+    "worldly",
+    "youthful",
+    "attached",
+    "attentive",
+    "attractive",
+    "austere",
+    "authentic",
+    "automatic",
+    "aware",
+    "awesome",
+    "bubbly",
+    "bustling",
+    "busy",
+    "buttery",
+    "cuddly",
+    "cultured",
+    "curly",
+    "curvy",
+    "cute",
+    "cylindrical",
+    "downright",
+    "dramatic",
+    "excited",
+    "exciting",
+    "exotic",
+    "experienced",
+    "expert",
+    "frosty",
+    "fruitful",
+    "full",
+    "fumbling",
+    "funny",
+    "fussy",
+    "growing",
+    "grown",
+    "gummy",
+    "humble",
+    "humongous",
+    "hungry",
+    "intelligent",
+    "interesting",
+    "known",
+    "kooky",
+    "loyal",
+    "lucky",
+    "luminous",
+    "lustrous",
+    "luxurious",
+    "multicolored",
+    "mysterious",
+    "noteworthy",
+    "numb",
+    "nutritious",
+    "outstanding",
+    "overjoyed",
+    "proper",
+    "proud",
+    "prudent",
+    "punctual",
+    "puny",
+    "pure",
+    "puzzled",
+    "puzzling",
+    "quirky",
+    "stupendous",
+    "sturdy",
+    "stylish",
+    "subdued",
+    "subtle",
+    "sunny",
+    "super",
+    "superb",
+    "supportive",
+    "surprised",
+    "sweet",
+    "swift",
+    "sympathetic",
+    "trivial",
+    "trusting",
+    "trustworthy",
+    "trusty",
+    "truthful",
+    "twin",
+    "usable",
+    "used",
+    "useful",
+    "utilized",
+    "vital",
+    "vivid",
+    "worried",
+    "worthwhile",
+    "worthy",
+    "writhing",
+    "wry",
+    "yummy",
+    "chocolate",
+    "crimson",
+    "cyan",
+    "fuchsia",
+    "gold",
+    "honeydew",
+    "lime",
+    "linen",
+    "magenta",
+    "olive",
+    "peru",
+    "salmon",
+    "seashell",
+    "sienna",
+    "snow",
+    "thistle",
+    "tomato",
+    "transparent",
+    "turquoise",
+    "violet"
+  ]
+
+  @nouns [
+    "space",
+    "land",
+    "world",
+    "universe",
+    "plane",
+    "room",
+    "nation",
+    "plaza",
+    "gathering",
+    "meetup",
+    "get together",
+    "conclave",
+    "party",
+    "domain",
+    "dominion",
+    "realm",
+    "square",
+    "commons",
+    "park",
+    "cosmos",
+    "sphere",
+    "terrain",
+    "spot",
+    "zone",
+    "area",
+    "tract",
+    "turf",
+    "place",
+    "territory",
+    "volume",
+    "camp",
+    "picnic",
+    "outing",
+    "vacation",
+    "adventure",
+    "exploration",
+    "outing",
+    "walkabout",
+    "safari",
+    "venture",
+    "roundtable",
+    "barbecue",
+    "celebration",
+    "festivity",
+    "gala",
+    "shindig",
+    "social",
+    "convention",
+    "assembly",
+    "congregation",
+    "rendezvous",
+    "huddle",
+    "meet",
+    "soiree"
+  ]
+
+  defp random_from(words) do
+    Enum.at(words, :rand.uniform(length(words)) - 1)
+  end
+
+  def generate_room_name() do
+    [@adjectives, @adjectives, @nouns]
+    |> Stream.map(&random_from/1)
+    |> Stream.map(&String.capitalize(&1))
+    |> Enum.join(" ")
+  end
+end
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 77073beb9..b97b0c8b7 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -71,8 +71,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
   end
 
   def create_room(_parent, args, %{context: %{account: account}}) do
-    # TODO: Pick random default name
-    args = Map.put(args, :name, Map.get(args, :name, "Delightful Cooperative Meetup"))
+    args = Map.put(args, :name, Map.get(args, :name, Ret.RandomRoomNames.generate_room_name()))
 
     case Hub.create(args) do
       {:ok, hub} ->

From 5084f616a77b74009978efc448f394b2f2d869ff Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 19 Oct 2020 21:24:58 -0700
Subject: [PATCH 070/138] Reimplement create and update room with auth

---
 lib/mix/tasks/generate_api_token.ex    |   2 -
 lib/ret/api/can_credentials.ex         |  42 ++++++-
 lib/ret/api/rooms.ex                   | 153 ++++++++++++++++++++++++-
 lib/ret/hub.ex                         |  14 +++
 lib/ret_web/resolvers/room_resolver.ex | 138 +++++-----------------
 5 files changed, 236 insertions(+), 113 deletions(-)

diff --git a/lib/mix/tasks/generate_api_token.ex b/lib/mix/tasks/generate_api_token.ex
index 3d0e23e11..0e16f1eb7 100644
--- a/lib/mix/tasks/generate_api_token.ex
+++ b/lib/mix/tasks/generate_api_token.ex
@@ -46,8 +46,6 @@ defmodule Mix.Tasks.GenerateApiToken do
         |> Inspect.Algebra.format(80)
         |> IO.puts()
 
-        # IO.inspect(account)
-
         if Mix.shell().yes?("Generate token for this account [#{email}]?") do
           gen_token_for_account(account)
         end
diff --git a/lib/ret/api/can_credentials.ex b/lib/ret/api/can_credentials.ex
index 5c7dc7c8a..979995e99 100644
--- a/lib/ret/api/can_credentials.ex
+++ b/lib/ret/api/can_credentials.ex
@@ -1,5 +1,6 @@
 defimpl Canada.Can, for: Ret.Api.Credentials do
-  alias Ret.{Account}
+  import Canada, only: [can?: 2]
+  alias Ret.{Account, Hub}
   alias Ret.Api.{Credentials, Scopes}
 
   def can?(
@@ -25,9 +26,46 @@ defimpl Canada.Can, for: Ret.Api.Credentials do
         :get_public_rooms,
         _
       ) do
-    IO.inspect("hello world")
     Scopes.read_rooms() in scopes
   end
 
+  def can?(
+        %Credentials{scopes: scopes},
+        :create_room,
+        _
+      ) do
+    Scopes.write_rooms() in scopes
+  end
+
+  def can?(%Credentials{resource: :reticulum_app_token, scopes: scopes}, :embed_hub, %Hub{} = hub) do
+    Scopes.read_rooms() in scopes
+  end
+
+  def can?(%Credentials{resource: %Account{} = account, scopes: scopes}, :embed_hub, %Hub{} = hub) do
+    Scopes.read_rooms() in scopes && can?(account, embed_hub(hub))
+  end
+
+  def can?(
+        %Credentials{resource: :reticulum_app_token, scopes: scopes},
+        :update_room,
+        %Hub{} = hub
+      ) do
+    IO.inspect("Allowed to update this hub?")
+    IO.inspect(:reticulum_app_token)
+    IO.inspect(hub)
+    Scopes.read_rooms() in scopes
+  end
+
+  def can?(
+        %Credentials{resource: %Account{} = account, scopes: scopes},
+        :update_room,
+        %Hub{} = hub
+      ) do
+    IO.inspect("Allowed to update this hub?")
+    IO.inspect(account)
+    IO.inspect(hub)
+    Scopes.read_rooms() in scopes && can?(account, update_hub(hub))
+  end
+
   def can?(_, _, _), do: false
 end
diff --git a/lib/ret/api/rooms.ex b/lib/ret/api/rooms.ex
index ddc70c64a..d2167bbd7 100644
--- a/lib/ret/api/rooms.ex
+++ b/lib/ret/api/rooms.ex
@@ -1,12 +1,20 @@
 defmodule Ret.Api.Rooms do
   @moduledoc "Functions for accessing rooms in an authenticated way"
 
-  alias Ret.{Account, Hub}
+  alias Ret.{Account, Hub, Repo}
+  alias RetWeb.Api.V1.HubView
   alias Ret.Api.{Credentials}
 
   import Canada, only: [can?: 2]
 
-  # App tokens allowed to get any rooms
+  def authed_get_embed_token(%Credentials{} = credentials, hub) do
+    if can?(credentials, embed_hub(hub)) do
+      {:ok, hub.embed_token}
+    else
+      {:ok, nil}
+    end
+  end
+
   def authed_get_rooms_created_by(%Account{} = account, %Credentials{} = credentials, params) do
     if can?(credentials, get_rooms_created_by(account)) do
       {:ok, Hub.get_my_rooms(account, params)}
@@ -30,4 +38,145 @@ defmodule Ret.Api.Rooms do
       {:error, :invalid_credentials}
     end
   end
+
+  defp do_create_room(%Account{} = account, params) do
+    random_name = Ret.RandomRoomNames.generate_room_name()
+    params = Map.put(params, :name, Map.get(params, :name, random_name))
+
+    with {:ok, hub} <- Hub.create(params),
+         {:ok, hub} <-
+           hub
+           |> Hub.add_attrs_to_changeset(params)
+           |> Hub.maybe_add_member_permissions(hub, params)
+           |> Hub.maybe_add_promotion(account, hub, params)
+           |> Hub.maybe_add_new_scene_to_changeset(params)
+           |> Repo.update() do
+      hub
+      |> Repo.preload(Hub.hub_preloads())
+      |> Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
+      |> Repo.update()
+    end
+  end
+
+  defp do_create_room(:reticulum_app_token, params) do
+    params = Map.put(params, :name, Map.get(params, :name, Ret.RandomRoomNames.generate_room_name()))
+
+    with {:ok, hub} <- Hub.create(params) do
+      hub
+      |> Hub.add_attrs_to_changeset(params)
+      |> Hub.maybe_add_member_permissions(hub, params)
+      |> Hub.maybe_add_new_scene_to_changeset(params)
+      |> Repo.update()
+    end
+  end
+
+  def authed_create_room(%Credentials{resource: resource} = credentials, params) do
+    if can?(credentials, create_room(nil)) do
+      do_create_room(resource, params)
+    else
+      {:error, :invalid_credentials}
+    end
+  end
+
+  def authed_update_room(hub, %Credentials{resource: resource} = credentials, params) do
+    if can?(credentials, update_room(hub)) do
+      do_update_room(hub, resource, params)
+    else
+      {:error, :invalid_credentials}
+    end
+  end
+
+  defp do_update_room(hub, resource, params) do
+    update_room_with_resource(hub, resource, params)
+  end
+
+  # TODO: DRY up the update_room flow
+  defp update_room_with_resource(hub, :reticulum_app_token, params) do
+    hub
+    |> Hub.add_attrs_to_changeset(params)
+    |> Hub.maybe_add_member_permissions(hub, params)
+    |> Hub.maybe_add_new_scene_to_changeset(params)
+    |> try_do_update_room(:reticulum_app_token)
+  end
+
+  defp update_room_with_resource(hub, %Account{} = account, params) do
+    hub
+    |> Hub.add_attrs_to_changeset(params)
+    |> Hub.maybe_add_member_permissions(hub, params)
+    |> Hub.maybe_add_promotion(account, hub, params)
+    |> Hub.maybe_add_new_scene_to_changeset(params)
+    |> try_do_update_room(account)
+  end
+
+  defp try_do_update_room({:error, reason}, _) do
+    {:error, reason}
+  end
+
+  defp try_do_update_room(changeset, :reticulum_app_token) do
+    case changeset |> Repo.update() do
+      {:error, changeset} ->
+        {:error, changeset}
+
+      {:ok, hub} ->
+        hub = Repo.preload(hub, Hub.hub_preloads())
+
+        case broadcast_hub_refresh(hub, :reticulum_app_token) do
+          {:error, reason} -> {:error, reason}
+          :ok -> {:ok, hub}
+        end
+    end
+  end
+
+  defp try_do_update_room(changeset, account) do
+    case changeset |> Repo.update() do
+      {:error, changeset} ->
+        {:error, changeset}
+
+      {:ok, hub} ->
+        hub = Repo.preload(hub, Hub.hub_preloads())
+
+        case broadcast_hub_refresh(hub, account) do
+          {:error, reason} -> {:error, reason}
+          :ok -> {:ok, hub}
+        end
+    end
+  end
+
+  defp broadcast_hub_refresh(hub, :reticulum_app_token) do
+    payload =
+      HubView.render("show.json", %{
+        hub: hub,
+        embeddable: true
+      })
+      |> Map.put(:stale_fields, [
+        # TODO: Only include fields that have changed in stale_fields
+        "name",
+        "description",
+        "member_permissions",
+        "room_size",
+        "allow_promotion",
+        "scene"
+      ])
+
+    RetWeb.Endpoint.broadcast("hub:" <> hub.hub_sid, "hub_refresh", payload)
+  end
+
+  defp broadcast_hub_refresh(hub, %Account{} = account) do
+    payload =
+      HubView.render("show.json", %{
+        hub: hub,
+        embeddable: account |> can?(embed_hub(hub))
+      })
+      |> Map.put(:stale_fields, [
+        # TODO: Only include fields that have changed in stale_fields
+        "name",
+        "description",
+        "member_permissions",
+        "room_size",
+        "allow_promotion",
+        "scene"
+      ])
+
+    RetWeb.Endpoint.broadcast("hub:" <> hub.hub_sid, "hub_refresh", payload)
+  end
 end
diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 6bbb265be..9aab10158 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -267,6 +267,20 @@ defmodule Ret.Hub do
     end
   end
 
+  def maybe_add_new_scene_to_changeset(changeset, %{scene_id: scene_id}) do
+    scene_or_scene_listing = Hub.get_scene_or_scene_listing_by_id(scene_id)
+
+    if is_nil(scene_or_scene_listing) do
+      {:error, "Cannot find scene with id " <> scene_id}
+    else
+      Hub.add_new_scene_to_changeset(changeset, scene_or_scene_listing)
+    end
+  end
+
+  def maybe_add_new_scene_to_changeset(changeset, _args) do
+    changeset
+  end
+
   def changeset_for_new_seen_occupant_count(%Hub{} = hub, occupant_count) do
     new_max_occupant_count = max(hub.max_occupant_count, occupant_count)
 
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index b97b0c8b7..048d6b2eb 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -4,7 +4,6 @@ defmodule RetWeb.Resolvers.RoomResolver do
   """
   alias Ret.{Hub, Account, Repo, RoomAccessApi}
   alias Ret.Api.Credentials
-  alias RetWeb.Api.V1.{HubView}
   import Canada, only: [can?: 2]
   import RetWeb.Resolvers.ResolverError, only: [resolver_error: 2]
 
@@ -70,46 +69,28 @@ defmodule RetWeb.Resolvers.RoomResolver do
     resolver_error(:unauthorized, "Unauthorized access")
   end
 
-  def create_room(_parent, args, %{context: %{account: account}}) do
-    args = Map.put(args, :name, Map.get(args, :name, Ret.RandomRoomNames.generate_room_name()))
-
-    case Hub.create(args) do
-      {:ok, hub} ->
-        case hub
-             |> Hub.add_attrs_to_changeset(args)
-             |> Hub.maybe_add_member_permissions(hub, args)
-             |> Hub.maybe_add_promotion(account, hub, args)
-             |> maybe_add_new_scene_to_changeset(args)
-             |> Repo.update() do
-          {:ok, hub} ->
-            hub
-            |> Repo.preload(Hub.hub_preloads())
-            |> Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
-            |> Repo.update()
-
-          {:error, reason} ->
-            {:error, reason}
-        end
-
-      {:error, reason} ->
-        {:error, reason}
-    end
+  def create_room(_parent, args, %{
+        context: %{
+          credentials: %Credentials{} = credentials
+        }
+      }) do
+    Ret.Api.Rooms.authed_create_room(credentials, args)
   end
 
-  def create_room(_parent, args, _resolutions) do
-    Hub.create(args)
+  def create_room(_parent, _args, _resolutions) do
+    resolver_error(:unauthorized, "Unauthorized access")
   end
 
-  def embed_token(hub, _args, %{context: %{account: account}}) do
-    if account |> can?(embed_hub(hub)) do
-      {:ok, hub.embed_token}
-    else
-      {:ok, nil}
-    end
+  def embed_token(hub, _args, %{
+        context: %{
+          credentials: %Credentials{} = credentials
+        }
+      }) do
+    Ret.Api.Rooms.authed_get_embed_token(credentials, hub)
   end
 
   def embed_token(_hub, _args, _resolutions) do
-    {:ok, nil}
+    resolver_error(:unauthorized, "Unauthorized access")
   end
 
   def port(_hub, _args, _resolutions) do
@@ -140,86 +121,29 @@ defmodule RetWeb.Resolvers.RoomResolver do
   #  {:ok, Hub.scene_or_scene_listing_for(hub)}
   # end
 
-  def update_room(_, %{id: hub_sid} = args, %{context: %{account: account}}) do
+  def update_room(_parent, %{id: hub_sid} = args, %{
+        context: %{
+          credentials: %Credentials{} = credentials
+        }
+      }) do
     hub = Hub |> Repo.get_by(hub_sid: hub_sid) |> Repo.preload([:hub_role_memberships, :hub_bindings])
-    update_room_with_account(hub, account, args)
-  end
-
-  def update_room(_, _, _) do
-    {:error, "Not authorized"}
-  end
 
-  defp update_room_with_account(nil, _account, %{id: hub_sid}) do
-    {:error, "Cannot find room with id " <> hub_sid}
-  end
-
-  defp update_room_with_account(hub, account, args) do
-    # TODO: Should be update rooms?
-    case can?(account, update_roles(hub)) do
-      false ->
-        {:error, "Account does not have permission to update this hub."}
-
-      true ->
-        changeset =
-          hub
-          |> Hub.add_attrs_to_changeset(args)
-          |> Hub.maybe_add_member_permissions(hub, args)
-          |> Hub.maybe_add_promotion(account, hub, args)
-          |> maybe_add_new_scene_to_changeset(args)
-
-        try_do_update_room(changeset, account)
-    end
-  end
-
-  defp maybe_add_new_scene_to_changeset(changeset, %{scene_id: scene_id}) do
-    scene_or_scene_listing = Hub.get_scene_or_scene_listing_by_id(scene_id)
-
-    if is_nil(scene_or_scene_listing) do
-      {:error, "Cannot find scene with id " <> scene_id}
+    if is_nil(hub) do
+      {:error, "Cannot find room with id: " <> hub_sid}
     else
-      Hub.add_new_scene_to_changeset(changeset, scene_or_scene_listing)
+      Ret.Api.Rooms.authed_update_room(hub, credentials, args)
     end
   end
 
-  defp maybe_add_new_scene_to_changeset(changeset, _args) do
-    changeset
-  end
-
-  defp try_do_update_room({:error, reason}, _) do
-    {:error, reason}
-  end
-
-  defp try_do_update_room(changeset, account) do
-    case changeset |> Repo.update() do
-      {:error, changeset} ->
-        {:error, changeset}
-
-      {:ok, hub} ->
-        hub = Repo.preload(hub, Hub.hub_preloads())
-
-        case broadcast_hub_refresh(hub, account) do
-          {:error, reason} -> {:error, reason}
-          :ok -> {:ok, hub}
-        end
-    end
+  def update_room(_parent, _args, %{
+        context: %{
+          credentials: %Credentials{} = credentials
+        }
+      }) do
+    {:error, :did_not_specify_room_id}
   end
 
-  defp broadcast_hub_refresh(hub, account) do
-    payload =
-      HubView.render("show.json", %{
-        hub: hub,
-        embeddable: account |> can?(embed_hub(hub))
-      })
-      |> Map.put(:stale_fields, [
-        # TODO: Only include fields that have changed in stale_fields
-        "name",
-        "description",
-        "member_permissions",
-        "room_size",
-        "allow_promotion",
-        "scene"
-      ])
-
-    RetWeb.Endpoint.broadcast("hub:" <> hub.hub_sid, "hub_refresh", payload)
+  def update_room(_parent, _args, _resolutions) do
+    resolver_error(:unauthorized, "Unauthorized access")
   end
 end

From 05d800811302f22ba9fd80c57ad3fa102e9f0d0a Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 19 Oct 2020 21:29:18 -0700
Subject: [PATCH 071/138] Add some notes for graphiql testing

---
 graphiql_notes.org | 76 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 graphiql_notes.org

diff --git a/graphiql_notes.org b/graphiql_notes.org
new file mode 100644
index 000000000..90cbb5bed
--- /dev/null
+++ b/graphiql_notes.org
@@ -0,0 +1,76 @@
+* graphiql testing
+
+A useful test setup in graphiql is to have each of the following three queries set up with:
+- A valid user token
+- A valid app token
+- No token
+
+I'll add automated tests for these soon.
+
+** Get rooms
+
+#+BEGIN_EXAMPLE
+query {
+  myRooms(page: 1, pageSize: 3) {
+    entries {
+      name,
+      description,
+      id,
+      memberPermissions{
+        fly
+      }
+    }
+  }
+  
+  favoriteRooms(page: 1, pageSize: 3) {
+    entries {
+      name,
+      id,
+      memberPermissions{
+        fly
+      }
+    }
+  }
+  
+   publicRooms(page: 1, pageSize: 3) {
+    entries {
+      name,
+      id,
+      memberPermissions{
+        fly
+      }
+    }
+  }
+}
+#+END_EXAMPLE
+
+** Create rooms
+#+BEGIN_EXAMPLE
+mutation {
+  createRoom(description: "A room with a view") {
+    id,
+    name,
+    allowPromotion,
+    memberPermissions{
+      fly
+    },
+    embedToken
+  }
+}
+#+END_EXAMPLE
+
+** Update rooms
+#+BEGIN_EXAMPLE
+mutation {
+  updateRoom(id: "maJCnRD", description: "A room with a viewwwwwww") {
+    description,
+    id,
+    name,
+    allowPromotion,
+    memberPermissions{
+      fly
+    },
+    embedToken
+  }
+}
+#+END_EXAMPLE

From a279ce511ff67b82d398e06a8854569d368f44df Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 19 Oct 2020 21:31:14 -0700
Subject: [PATCH 072/138] Remove unused middleware

---
 lib/ret_web/middleware/verify_token.ex | 31 --------------------------
 1 file changed, 31 deletions(-)
 delete mode 100644 lib/ret_web/middleware/verify_token.ex

diff --git a/lib/ret_web/middleware/verify_token.ex b/lib/ret_web/middleware/verify_token.ex
deleted file mode 100644
index acf472127..000000000
--- a/lib/ret_web/middleware/verify_token.ex
+++ /dev/null
@@ -1,31 +0,0 @@
-defmodule RetWeb.Middleware.VerifyToken do
-  @moduledoc false
-
-  @behaviour Absinthe.Middleware
-
-  import RetWeb.Middleware.PutErrorResult, only: [put_error_result: 3]
-
-  def call(%{state: :resolved} = resolution, _) do
-    resolution
-  end
-
-  def call(%{context: %{token: nil}} = resolution, _) do
-    put_error_result(
-      resolution,
-      :api_access_token_not_found,
-      "No API Access Token was found in an authorization header."
-    )
-  end
-
-  def call(%{context: %{token: _token}} = resolution, _) do
-    resolution
-  end
-
-  def call(resolution, _) do
-    put_error_result(
-      resolution,
-      :api_access_token_not_found,
-      "No API Access Token was found in an authorization header."
-    )
-  end
-end

From b9a717531705a8f5c8ae2341d4c00c727d480894 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 19 Oct 2020 21:33:34 -0700
Subject: [PATCH 073/138] Remove commented code

---
 lib/ret/hub.ex | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 9aab10158..3556d4cb4 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -677,13 +677,6 @@ defmodule Ret.Hub do
     do: %{owner: hub |> is_owner?(account.account_id), creator: hub |> is_creator?(account.account_id), signed_in: true}
 end
 
-# # TODO: Canada Can implementation for api token
-# defimpl Canada.Can, for: Ret.Api.Token do
-#   def can?(%Ret.Api.Token{} = token, :view_room, %Hub{} = hub) do
-#     hub.entry_mode.public || token.claims.superuser
-#   end
-# end
-
 defimpl Canada.Can, for: Ret.Account do
   alias Ret.{Hub, AppConfig}
 

From 82108fd6e43974d509e8ea261db76bcd7f698b30 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 19 Oct 2020 21:34:23 -0700
Subject: [PATCH 074/138] Remove unused permissions

---
 lib/ret/api_permissions.ex | 46 --------------------------------------
 1 file changed, 46 deletions(-)
 delete mode 100644 lib/ret/api_permissions.ex

diff --git a/lib/ret/api_permissions.ex b/lib/ret/api_permissions.ex
deleted file mode 100644
index 53b823e84..000000000
--- a/lib/ret/api_permissions.ex
+++ /dev/null
@@ -1,46 +0,0 @@
-defmodule Ret.ApiPermissions do
-  @moduledoc """
-  Helper module for defining permissions and scopes
-  """
-
-  def perms_for_account() do
-    perms_for_scopes([scope_default(), scope_rooms_user()])
-  end
-
-  def default_permissions() do
-    perms_for_scopes([scope_default()])
-  end
-
-  defp permissions do
-    [
-      :rooms_mutation_create_room,
-      :rooms_mutation_update_room,
-      :rooms_query_created_rooms,
-      :rooms_query_favorite_rooms,
-      :rooms_query_public_rooms
-    ]
-  end
-
-  defp scope_default do
-    [
-      :rooms_mutation_create_room,
-      :rooms_query_public_rooms
-    ]
-  end
-
-  defp scope_rooms_user do
-    [
-      :rooms_mutation_update_room,
-      :rooms_query_created_rooms,
-      :rooms_query_favorite_rooms
-    ]
-  end
-
-  defp perms_for_scopes(scopes) when is_list(scopes) do
-    no_permissions = Map.new(permissions(), fn perm -> {perm, false} end)
-
-    Enum.reduce(Enum.concat(scopes), no_permissions, fn perm, acc ->
-      Map.put(acc, perm, true)
-    end)
-  end
-end

From a386b8fc2ae85b2db50e4d550ed0eaa5ba98783b Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 19 Oct 2020 21:36:29 -0700
Subject: [PATCH 075/138] Remove IO.inspect

---
 lib/ret/api/can_credentials.ex | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/lib/ret/api/can_credentials.ex b/lib/ret/api/can_credentials.ex
index 979995e99..5b75f1a74 100644
--- a/lib/ret/api/can_credentials.ex
+++ b/lib/ret/api/can_credentials.ex
@@ -50,9 +50,6 @@ defimpl Canada.Can, for: Ret.Api.Credentials do
         :update_room,
         %Hub{} = hub
       ) do
-    IO.inspect("Allowed to update this hub?")
-    IO.inspect(:reticulum_app_token)
-    IO.inspect(hub)
     Scopes.read_rooms() in scopes
   end
 
@@ -61,9 +58,6 @@ defimpl Canada.Can, for: Ret.Api.Credentials do
         :update_room,
         %Hub{} = hub
       ) do
-    IO.inspect("Allowed to update this hub?")
-    IO.inspect(account)
-    IO.inspect(hub)
     Scopes.read_rooms() in scopes && can?(account, update_hub(hub))
   end
 

From b876e8632c95dd483dc98d7755ba46303cd64432 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 21 Oct 2020 09:31:45 -0700
Subject: [PATCH 076/138] Fix warnings

---
 lib/ret/api/can_credentials.ex         | 4 ++--
 lib/ret_web/resolvers/room_resolver.ex | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/ret/api/can_credentials.ex b/lib/ret/api/can_credentials.ex
index 5b75f1a74..f5460a8c2 100644
--- a/lib/ret/api/can_credentials.ex
+++ b/lib/ret/api/can_credentials.ex
@@ -37,7 +37,7 @@ defimpl Canada.Can, for: Ret.Api.Credentials do
     Scopes.write_rooms() in scopes
   end
 
-  def can?(%Credentials{resource: :reticulum_app_token, scopes: scopes}, :embed_hub, %Hub{} = hub) do
+  def can?(%Credentials{resource: :reticulum_app_token, scopes: scopes}, :embed_hub, %Hub{}) do
     Scopes.read_rooms() in scopes
   end
 
@@ -48,7 +48,7 @@ defimpl Canada.Can, for: Ret.Api.Credentials do
   def can?(
         %Credentials{resource: :reticulum_app_token, scopes: scopes},
         :update_room,
-        %Hub{} = hub
+        %Hub{}
       ) do
     Scopes.read_rooms() in scopes
   end
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 048d6b2eb..d4077a75e 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -2,9 +2,8 @@ defmodule RetWeb.Resolvers.RoomResolver do
   @moduledoc """
   Resolvers for room queries and mutations via the graphql API
   """
-  alias Ret.{Hub, Account, Repo, RoomAccessApi}
+  alias Ret.{Hub, Account, Repo}
   alias Ret.Api.Credentials
-  import Canada, only: [can?: 2]
   import RetWeb.Resolvers.ResolverError, only: [resolver_error: 2]
 
   def my_rooms(_parent, _args, %{
@@ -137,10 +136,11 @@ defmodule RetWeb.Resolvers.RoomResolver do
 
   def update_room(_parent, _args, %{
         context: %{
-          credentials: %Credentials{} = credentials
+          credentials: %Credentials{}
         }
       }) do
-    {:error, :did_not_specify_room_id}
+    # TODO: This should be handled via non_null requirement
+    resolver_error(:missing_room_id, "You must specify a room id.")
   end
 
   def update_room(_parent, _args, _resolutions) do

From 1de05d78efd6e17623a3cf81ac2d30c4e48c4fc2 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 21 Oct 2020 10:23:50 -0700
Subject: [PATCH 077/138] Implement can? for :reticulum_app_token

---
 lib/ret/api/can_credentials.ex | 44 ++++++++++++----------------------
 lib/ret/hub.ex                 | 19 ++++++++++++++-
 2 files changed, 33 insertions(+), 30 deletions(-)

diff --git a/lib/ret/api/can_credentials.ex b/lib/ret/api/can_credentials.ex
index f5460a8c2..0b616c5ec 100644
--- a/lib/ret/api/can_credentials.ex
+++ b/lib/ret/api/can_credentials.ex
@@ -4,21 +4,19 @@ defimpl Canada.Can, for: Ret.Api.Credentials do
   alias Ret.Api.{Credentials, Scopes}
 
   def can?(
-        %Credentials{resource: :reticulum_app_token, scopes: scopes},
-        action,
-        %Account{}
-      )
-      when action in [:get_rooms_created_by, :get_favorite_rooms_of] do
-    Scopes.read_rooms() in scopes
+        %Credentials{resource: resource, scopes: scopes},
+        :get_rooms_created_by,
+        %Account{} = account
+      ) do
+    Scopes.read_rooms() in scopes and can?(resource, get_rooms_created_by(account))
   end
 
   def can?(
-        %Credentials{resource: %Account{} = account, scopes: scopes},
-        action,
+        %Credentials{resource: resource, scopes: scopes},
+        :get_favorite_rooms_of,
         %Account{} = account
-      )
-      when action in [:get_rooms_created_by, :get_favorite_rooms_of] do
-    Scopes.read_rooms() in scopes
+      ) do
+    Scopes.read_rooms() in scopes and can?(resource, get_favorite_rooms_of(account))
   end
 
   def can?(
@@ -30,35 +28,23 @@ defimpl Canada.Can, for: Ret.Api.Credentials do
   end
 
   def can?(
-        %Credentials{scopes: scopes},
+        %Credentials{resource: resource, scopes: scopes},
         :create_room,
         _
       ) do
-    Scopes.write_rooms() in scopes
+    Scopes.write_rooms() in scopes && can?(resource, create_hub(nil))
   end
 
-  def can?(%Credentials{resource: :reticulum_app_token, scopes: scopes}, :embed_hub, %Hub{}) do
-    Scopes.read_rooms() in scopes
-  end
-
-  def can?(%Credentials{resource: %Account{} = account, scopes: scopes}, :embed_hub, %Hub{} = hub) do
-    Scopes.read_rooms() in scopes && can?(account, embed_hub(hub))
-  end
-
-  def can?(
-        %Credentials{resource: :reticulum_app_token, scopes: scopes},
-        :update_room,
-        %Hub{}
-      ) do
-    Scopes.read_rooms() in scopes
+  def can?(%Credentials{resource: resource, scopes: scopes}, :embed_hub, %Hub{} = hub) do
+    Scopes.read_rooms() in scopes && can?(resource, embed_hub(hub))
   end
 
   def can?(
-        %Credentials{resource: %Account{} = account, scopes: scopes},
+        %Credentials{resource: resource, scopes: scopes},
         :update_room,
         %Hub{} = hub
       ) do
-    Scopes.read_rooms() in scopes && can?(account, update_hub(hub))
+    Scopes.read_rooms() in scopes && can?(resource, update_hub(hub))
   end
 
   def can?(_, _, _), do: false
diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 3556d4cb4..5c5baf45d 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -752,6 +752,10 @@ defimpl Canada.Can, for: Ret.Account do
     hub |> Hub.has_member_permission?(action) or hub |> Ret.Hub.is_owner?(account_id)
   end
 
+  @self_allowed_actions [:get_rooms_created_by, :get_favorite_rooms_of]
+  # Allow accounts to access their own rooms
+  def can?(%Ret.Account{} = account, action, account) when action in @self_allowed_actions, do: true
+
   # Create hubs
   def can?(%Ret.Account{is_admin: true}, :create_hub, _), do: true
 
@@ -802,7 +806,19 @@ end
 defimpl Canada.Can, for: Atom do
   alias Ret.{AppConfig, Hub}
 
-  @object_actions [:spawn_and_move_media, :spawn_camera, :spawn_drawing, :pin_objects, :spawn_emoji, :fly]
+  @api_actions [
+    :get_rooms_created_by,
+    :get_favorite_rooms_of,
+    :get_public_rooms,
+    :create_hub,
+    :update_hub,
+    :embed_hub
+  ]
+  def can?(:reticulum_app_token, action, _) when action in @api_actions do
+    true
+  end
+
+  def can?(:reticulum_app_token, _, _), do: false
 
   # Always deny access to non-enterable hubs
   def can?(_, :join_hub, %Ret.Hub{entry_mode: :deny}), do: false
@@ -811,6 +827,7 @@ defimpl Canada.Can, for: Atom do
   def can?(_, :join_hub, %Ret.Hub{hub_bindings: []}),
     do: !AppConfig.get_cached_config_value("features|require_account_for_join")
 
+  @object_actions [:spawn_and_move_media, :spawn_camera, :spawn_drawing, :pin_objects, :spawn_emoji, :fly]
   # Object permissions for anonymous users are based on member permission settings
   def can?(_account, action, hub) when action in @object_actions do
     hub |> Hub.has_member_permission?(action)

From e2eec9b33765c6352fb0873560f5002abe9a4e67 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 21 Oct 2020 10:24:03 -0700
Subject: [PATCH 078/138] Put generated token onto clipboard

---
 lib/mix/tasks/generate_api_token.ex | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/lib/mix/tasks/generate_api_token.ex b/lib/mix/tasks/generate_api_token.ex
index 0e16f1eb7..ab00fe89a 100644
--- a/lib/mix/tasks/generate_api_token.ex
+++ b/lib/mix/tasks/generate_api_token.ex
@@ -57,16 +57,24 @@ defmodule Mix.Tasks.GenerateApiToken do
       Mix.Task.run("app.start")
 
       case TokenUtils.gen_app_token() do
-        {:ok, token, _claims} -> Mix.shell().info("Successfully generated token:\n#{token}")
-        {:error, reason} -> Mix.shell().error("Error: #{reason}")
+        {:ok, token, _claims} ->
+          Mix.shell().info("Successfully generated token:\n#{token}")
+          :os.cmd('echo #{token} | xclip')
+
+        {:error, reason} ->
+          Mix.shell().error("Error: #{reason}")
       end
     end
   end
 
   defp gen_token_for_account(account) do
     case TokenUtils.gen_token_for_account(account) do
-      {:ok, token, _claims} -> Mix.shell().info("Successfully generated token:\n#{token}")
-      {:error, reason} -> Mix.shell().error("Error: #{reason}")
+      {:ok, token, _claims} ->
+        Mix.shell().info("Successfully generated token:\n#{token}")
+        :os.cmd('echo #{token} | xclip')
+
+      {:error, reason} ->
+        Mix.shell().error("Error: #{reason}")
     end
   end
 end

From 6f5a4e69f17c7aa55553317cbc0b906735a2d211 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 21 Oct 2020 10:26:09 -0700
Subject: [PATCH 079/138] Check permissions for getting public rooms

---
 lib/ret/api/can_credentials.ex | 4 ++--
 lib/ret/hub.ex                 | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/ret/api/can_credentials.ex b/lib/ret/api/can_credentials.ex
index 0b616c5ec..c2c8ae232 100644
--- a/lib/ret/api/can_credentials.ex
+++ b/lib/ret/api/can_credentials.ex
@@ -20,11 +20,11 @@ defimpl Canada.Can, for: Ret.Api.Credentials do
   end
 
   def can?(
-        %Credentials{scopes: scopes},
+        %Credentials{resource: resource, scopes: scopes},
         :get_public_rooms,
         _
       ) do
-    Scopes.read_rooms() in scopes
+    Scopes.read_rooms() in scopes and can?(resource, get_public_rooms(nil))
   end
 
   def can?(
diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 5c5baf45d..cf6c76642 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -756,6 +756,8 @@ defimpl Canada.Can, for: Ret.Account do
   # Allow accounts to access their own rooms
   def can?(%Ret.Account{} = account, action, account) when action in @self_allowed_actions, do: true
 
+  def can?(%Ret.Account{} = account, :get_public_rooms, _), do: true
+
   # Create hubs
   def can?(%Ret.Account{is_admin: true}, :create_hub, _), do: true
 

From f121458162d0d47206d2faa707b29a5b701a2a95 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 21 Oct 2020 10:34:24 -0700
Subject: [PATCH 080/138] Remove unused function

---
 lib/ret/api/scopes.ex | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/lib/ret/api/scopes.ex b/lib/ret/api/scopes.ex
index 2050b8afe..10cd1d04c 100644
--- a/lib/ret/api/scopes.ex
+++ b/lib/ret/api/scopes.ex
@@ -3,12 +3,4 @@ defmodule Ret.Api.Scopes do
   def read_rooms, do: Atom.to_string(:read_rooms)
   def write_rooms, do: Atom.to_string(:write_rooms)
   def create_accounts, do: Atom.to_string(:create_accounts)
-
-  def ensure_has_scope(scopes, scope) do
-    if scope in scopes do
-      :ok
-    else
-      {:error, "Missing scope #{Atom.to_string(scope)}"}
-    end
-  end
 end

From 2eb49341fb72f4b3fccbf6809edaff62501dbe68 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 21 Oct 2020 10:37:12 -0700
Subject: [PATCH 081/138] Remove unused function

---
 lib/ret_web/resolvers/room_resolver.ex | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index d4077a75e..dadaf8f68 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -134,15 +134,6 @@ defmodule RetWeb.Resolvers.RoomResolver do
     end
   end
 
-  def update_room(_parent, _args, %{
-        context: %{
-          credentials: %Credentials{}
-        }
-      }) do
-    # TODO: This should be handled via non_null requirement
-    resolver_error(:missing_room_id, "You must specify a room id.")
-  end
-
   def update_room(_parent, _args, _resolutions) do
     resolver_error(:unauthorized, "Unauthorized access")
   end

From 497d97c0f0abb5adbcc7e63169302bc1ee95bfc3 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 21 Oct 2020 11:45:45 -0700
Subject: [PATCH 082/138] Remove outdated tests

---
 lib/ret/hub.ex              |  2 +-
 test/ret/api_token_test.exs | 15 ---------------
 2 files changed, 1 insertion(+), 16 deletions(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index cf6c76642..da99b2ea1 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -756,7 +756,7 @@ defimpl Canada.Can, for: Ret.Account do
   # Allow accounts to access their own rooms
   def can?(%Ret.Account{} = account, action, account) when action in @self_allowed_actions, do: true
 
-  def can?(%Ret.Account{} = account, :get_public_rooms, _), do: true
+  def can?(%Ret.Account{}, :get_public_rooms, _), do: true
 
   # Create hubs
   def can?(%Ret.Account{is_admin: true}, :create_hub, _), do: true
diff --git a/test/ret/api_token_test.exs b/test/ret/api_token_test.exs
index 465d6755c..c65350d64 100644
--- a/test/ret/api_token_test.exs
+++ b/test/ret/api_token_test.exs
@@ -13,21 +13,6 @@ defmodule Ret.ApiTokenTest do
     assert jwt == token
   end
 
-  test "Api tokens encode default permissions" do
-    {:ok, token, _claims} = TokenUtils.gen_app_token()
-    {:ok, claims} = Guardian.decode_and_verify(Ret.Api.Token, token)
-    assert Map.get(claims, "rooms_mutation_create_room")
-    assert Map.get(claims, "rooms_mutation_update_room") === false
-  end
-
-  test "Api tokens generated with an account encode more permissions" do
-    account = Ret.Account.find_or_create_account_for_email("test@mozilla.com")
-    {:ok, token, _claims} = TokenUtils.gen_token_for_account(account)
-    {:ok, claims} = Guardian.decode_and_verify(Ret.Api.Token, token)
-    assert Map.get(claims, "rooms_mutation_create_room")
-    assert Map.get(claims, "rooms_mutation_update_room")
-  end
-
   test "Api tokens can be revoked" do
     {:ok, token, _claims} = TokenUtils.gen_app_token()
     [%{jwt: jwt}] = Repo.all(token_query())

From 550863cf68e96ce8697bf3450af4ca73030ed31f Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 22 Oct 2020 16:43:08 -0700
Subject: [PATCH 083/138] Add comments

---
 lib/ret/hub.ex                         | 7 ++++---
 lib/ret_web/resolvers/room_resolver.ex | 7 +++++++
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index da99b2ea1..141ccd632 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -754,7 +754,8 @@ defimpl Canada.Can, for: Ret.Account do
 
   @self_allowed_actions [:get_rooms_created_by, :get_favorite_rooms_of]
   # Allow accounts to access their own rooms
-  def can?(%Ret.Account{} = account, action, account) when action in @self_allowed_actions, do: true
+  def can?(%Ret.Account{} = a, action, %Ret.Account{} = b) when action in @self_allowed_actions,
+    do: a.account_id == b.account_id
 
   def can?(%Ret.Account{}, :get_public_rooms, _), do: true
 
@@ -806,8 +807,6 @@ end
 
 # Permissions for un-authenticated clients
 defimpl Canada.Can, for: Atom do
-  alias Ret.{AppConfig, Hub}
-
   @api_actions [
     :get_rooms_created_by,
     :get_favorite_rooms_of,
@@ -822,6 +821,8 @@ defimpl Canada.Can, for: Atom do
 
   def can?(:reticulum_app_token, _, _), do: false
 
+  alias Ret.{AppConfig, Hub}
+
   # Always deny access to non-enterable hubs
   def can?(_, :join_hub, %Ret.Hub{entry_mode: :deny}), do: false
 
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index dadaf8f68..62c143465 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -93,26 +93,32 @@ defmodule RetWeb.Resolvers.RoomResolver do
   end
 
   def port(_hub, _args, _resolutions) do
+    # No permission check needed
     {:ok, Hub.janus_port()}
   end
 
   def turn(_hub, _args, _resolutions) do
+    # No permission check needed
     {:ok, Hub.generate_turn_info()}
   end
 
   def member_permissions(hub, _args, _resolutions) do
+    # No permission check needed
     {:ok, Hub.member_permissions_for_hub_as_atoms(hub)}
   end
 
   def room_size(hub, _args, _resolutions) do
+    # No permission check needed
     {:ok, Hub.room_size_for(hub)}
   end
 
   def member_count(hub, _args, _resolutions) do
+    # No permission check needed
     {:ok, Hub.member_count_for(hub)}
   end
 
   def lobby_count(hub, _args, _resolutions) do
+    # No permission check needed
     {:ok, Hub.lobby_count_for(hub)}
   end
 
@@ -125,6 +131,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
           credentials: %Credentials{} = credentials
         }
       }) do
+    # TODO: Move hub lookup into api/rooms.ex
     hub = Hub |> Repo.get_by(hub_sid: hub_sid) |> Repo.preload([:hub_role_memberships, :hub_bindings])
 
     if is_nil(hub) do

From 7f1c1cb6524723e8afa3f7bd67d9e2ae7a9d2f3e Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 22 Oct 2020 16:58:48 -0700
Subject: [PATCH 084/138] Lengthen ttl

---
 lib/ret/api/token_utils.ex | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/ret/api/token_utils.ex b/lib/ret/api/token_utils.ex
index 064419365..26c656f02 100644
--- a/lib/ret/api/token_utils.ex
+++ b/lib/ret/api/token_utils.ex
@@ -3,7 +3,8 @@ defmodule Ret.Api.TokenUtils do
   Utility functions for generating API access tokens.
   """
   @default_claims %{aud: "ret", iss: "ret", typ: "access", scopes: []}
-  @default_options [ttl: {8, :hours}]
+  # TODO: When should tokens expire?
+  @default_options [ttl: {8, :weeks}]
 
   alias Ret.Account
   alias Ret.Api.{Token, Scopes}

From 9f23b27b5c3e9d3f215d4098eb8436c7e13dc60e Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Tue, 27 Oct 2020 23:57:31 -0700
Subject: [PATCH 085/138] Create API token module. Replace jwt's in API

---
 lib/ret/account.ex                            |   8 ++
 lib/ret/api/can_credentials.ex                |  68 +++++++++--
 lib/ret/api/credentials.ex                    | 110 ++++++++++++++++--
 lib/ret/api/rooms.ex                          |  31 ++---
 lib/ret/api/scopes.ex                         |  13 ++-
 lib/ret/api/token.ex                          |  52 ++-------
 lib/ret/api/token_module.ex                   | 101 ++++++++++++++++
 lib/ret/api/token_utils.ex                    |  20 ++--
 lib/ret/enums.ex                              |   2 +
 .../handle_api_token_auth_errors.ex           |  10 ++
 lib/ret_web/plugs/add_absinthe_context.ex     |  28 ++---
 lib/ret_web/plugs/api_token_auth_pipeline.ex  |   1 -
 lib/ret_web/resolvers/room_resolver.ex        |  19 ++-
 .../migrations/20200918180620_guardiandb.exs  |  17 ---
 ...201027202054_add_api_credentials_table.exs |  23 ++++
 .../migrations/20200918180620_guardiandb.exs  |  17 ---
 16 files changed, 361 insertions(+), 159 deletions(-)
 create mode 100644 lib/ret/api/token_module.ex
 delete mode 100644 priv/repo/migrations/20200918180620_guardiandb.exs
 create mode 100644 priv/repo/migrations/20201027202054_add_api_credentials_table.exs
 delete mode 100644 priv/session_lock_repo/migrations/20200918180620_guardiandb.exs

diff --git a/lib/ret/account.ex b/lib/ret/account.ex
index 3a052c0a1..d56f20076 100644
--- a/lib/ret/account.ex
+++ b/lib/ret/account.ex
@@ -24,6 +24,14 @@ defmodule Ret.Account do
     timestamps()
   end
 
+  def query do
+    from(account in Account)
+  end
+
+  def where_account_id_is(query, id) do
+    from(account in query, where: account.account_id == ^id)
+  end
+
   def has_accounts?(), do: from(a in Account, limit: 1) |> Repo.exists?()
   def has_admin_accounts?(), do: from(a in Account, limit: 1) |> where(is_admin: true) |> Repo.exists?()
   def exists_for_email?(email), do: account_for_email(email) != nil
diff --git a/lib/ret/api/can_credentials.ex b/lib/ret/api/can_credentials.ex
index c2c8ae232..b0544cdd7 100644
--- a/lib/ret/api/can_credentials.ex
+++ b/lib/ret/api/can_credentials.ex
@@ -4,47 +4,91 @@ defimpl Canada.Can, for: Ret.Api.Credentials do
   alias Ret.Api.{Credentials, Scopes}
 
   def can?(
-        %Credentials{resource: resource, scopes: scopes},
+        %Credentials{subject_type: :app, scopes: scopes},
         :get_rooms_created_by,
         %Account{} = account
       ) do
-    Scopes.read_rooms() in scopes and can?(resource, get_rooms_created_by(account))
+    Scopes.read_rooms() in scopes and can?(:reticulum_app_token, get_rooms_created_by(account))
   end
 
   def can?(
-        %Credentials{resource: resource, scopes: scopes},
+        %Credentials{subject_type: :account, account: subject, scopes: scopes},
+        :get_rooms_created_by,
+        %Account{} = account
+      ) do
+    Scopes.read_rooms() in scopes and can?(subject, get_rooms_created_by(account))
+  end
+
+  def can?(
+        %Credentials{subject_type: :app, scopes: scopes},
+        :get_favorite_rooms_of,
+        %Account{} = account
+      ) do
+    Scopes.read_rooms() in scopes and can?(:reticulum_app_token, get_favorite_rooms_of(account))
+  end
+
+  def can?(
+        %Credentials{subject_type: :account, account: subject, scopes: scopes},
         :get_favorite_rooms_of,
         %Account{} = account
       ) do
-    Scopes.read_rooms() in scopes and can?(resource, get_favorite_rooms_of(account))
+    Scopes.read_rooms() in scopes and can?(subject, get_favorite_rooms_of(account))
+  end
+
+  def can?(
+        %Credentials{subject_type: :app, scopes: scopes},
+        :get_public_rooms,
+        _
+      ) do
+    Scopes.read_rooms() in scopes and can?(:reticulum_app_token, get_public_rooms(nil))
   end
 
   def can?(
-        %Credentials{resource: resource, scopes: scopes},
+        %Credentials{subject_type: :account, account: subject, scopes: scopes},
         :get_public_rooms,
         _
       ) do
-    Scopes.read_rooms() in scopes and can?(resource, get_public_rooms(nil))
+    Scopes.read_rooms() in scopes and can?(subject, get_public_rooms(nil))
+  end
+
+  def can?(
+        %Credentials{subject_type: :app, scopes: scopes},
+        :create_room,
+        _
+      ) do
+    Scopes.write_rooms() in scopes && can?(:reticulum_app_token, create_hub(nil))
   end
 
   def can?(
-        %Credentials{resource: resource, scopes: scopes},
+        %Credentials{subject_type: :account, account: subject, scopes: scopes},
         :create_room,
         _
       ) do
-    Scopes.write_rooms() in scopes && can?(resource, create_hub(nil))
+    Scopes.write_rooms() in scopes && can?(subject, create_hub(nil))
   end
 
-  def can?(%Credentials{resource: resource, scopes: scopes}, :embed_hub, %Hub{} = hub) do
-    Scopes.read_rooms() in scopes && can?(resource, embed_hub(hub))
+  def can?(%Credentials{subject_type: :app, scopes: scopes}, :embed_hub, %Hub{} = hub) do
+    Scopes.read_rooms() in scopes && can?(:reticulum_app_token, embed_hub(hub))
+  end
+
+  def can?(%Credentials{subject_type: :account, account: subject, scopes: scopes}, :embed_hub, %Hub{} = hub) do
+    Scopes.read_rooms() in scopes && can?(subject, embed_hub(hub))
+  end
+
+  def can?(
+        %Credentials{subject_type: :app, scopes: scopes},
+        :update_room,
+        %Hub{} = hub
+      ) do
+    Scopes.read_rooms() in scopes && can?(:reticulum_app_token, update_hub(hub))
   end
 
   def can?(
-        %Credentials{resource: resource, scopes: scopes},
+        %Credentials{subject_type: :account, account: subject, scopes: scopes},
         :update_room,
         %Hub{} = hub
       ) do
-    Scopes.read_rooms() in scopes && can?(resource, update_hub(hub))
+    Scopes.read_rooms() in scopes && can?(subject, update_hub(hub))
   end
 
   def can?(_, _, _), do: false
diff --git a/lib/ret/api/credentials.ex b/lib/ret/api/credentials.ex
index 41ee51179..2b4ab09f5 100644
--- a/lib/ret/api/credentials.ex
+++ b/lib/ret/api/credentials.ex
@@ -1,27 +1,113 @@
 defmodule Ret.Api.Credentials do
   @moduledoc """
-  Credentials for API access. Created by decoding/validating ApiTokens
+  Credentials for API access.
   """
+  alias Ret.Api.Credentials
 
   alias Ret.Account
   alias Ret.Api.Scopes
 
-  @enforce_keys [:resource, :scopes]
-  defstruct [:resource, :scopes]
+  use Ecto.Schema
+  import Ecto.Query, only: [from: 2]
+  import Ecto.Changeset
 
-  def from_resource_and_claims(:reticulum_app_token, %{"scopes" => scopes}) do
-    with credentials <- %__MODULE__{resource: :reticulum_app_token, scopes: scopes} do
-      {:ok, credentials}
-    end
+  @schema_prefix "ret0"
+  @primary_key {:api_credentials_id, :id, autogenerate: true}
+
+  schema "api_credentials" do
+    field(:api_credentials_sid, :string)
+    field(:token_hash, :string)
+    field(:subject_type, Ret.Api.TokenSubjectType)
+    field(:issued_at, :utc_datetime)
+    field(:expires_at, :utc_datetime)
+    field(:is_revoked, :boolean)
+    field(:scopes, {:array, Ret.Api.ScopeType})
+
+    belongs_to(:account, Account, references: :account_id)
+    timestamps()
+  end
+
+  def create_new_api_credentials(options) do
+    %Credentials{}
+    |> changeset(options)
+    |> Ret.Repo.insert()
+  end
+
+  defp changeset(%Credentials{} = credentials, %{
+         token_hash: token_hash,
+         subject_type: subject_type,
+         scopes: scopes,
+         account: account
+       }) do
+    credentials
+    |> change()
+    |> add_api_credentials_sid_to_changeset
+    |> add_token_hash_to_changeset(token_hash)
+    |> add_subject_type_to_changeset(subject_type)
+    |> add_issued_at_to_changeset(Timex.now() |> DateTime.truncate(:second))
+    |> add_expires_at_to_changeset(Timex.now() |> Timex.shift(years: 1) |> DateTime.truncate(:second))
+    |> add_is_revoked_to_changeset(false)
+    |> add_scopes_to_changeset(scopes)
+    |> add_account_id_to_changeset((account && account.account_id) || nil)
+    |> unique_constraint(:api_credentials_sid)
+    |> unique_constraint(:token_hash)
+  end
+
+  defp add_api_credentials_sid_to_changeset(changeset) do
+    put_change(changeset, :api_credentials_sid, Ret.Sids.generate_sid())
+  end
+
+  defp add_token_hash_to_changeset(changeset, token_hash) do
+    put_change(changeset, :token_hash, token_hash)
+  end
+
+  defp add_subject_type_to_changeset(changeset, subject_type) do
+    put_change(changeset, :subject_type, subject_type)
+  end
+
+  defp add_issued_at_to_changeset(changeset, issued_at) do
+    put_change(changeset, :issued_at, issued_at)
+  end
+
+  defp add_expires_at_to_changeset(changeset, expires_at) do
+    put_change(changeset, :expires_at, expires_at)
+  end
+
+  defp add_is_revoked_to_changeset(changeset, is_revoked) do
+    put_change(changeset, :is_revoked, is_revoked)
+  end
+
+  defp add_scopes_to_changeset(changeset, scopes) do
+    put_change(changeset, :scopes, scopes)
+  end
+
+  defp add_account_id_to_changeset(changeset, account_id) do
+    put_change(changeset, :account_id, account_id)
+  end
+
+  def query do
+    from(c in Credentials, left_join: a in Account, on: c.account_id == a.account_id, preload: [account: a])
+  end
+
+  def where_sid_is(query, sid) do
+    from([credential, _account] in query,
+      where: credential.api_credentials_sid == ^sid
+    )
+  end
+
+  def where_token_hash_is(query, hash) do
+    from([credential, _account] in query,
+      where: credential.token_hash == ^hash
+    )
   end
 
-  def from_resource_and_claims(%Account{} = resource, %{"scopes" => scopes}) do
-    with credentials <- %__MODULE__{resource: resource, scopes: scopes} do
-      {:ok, credentials}
-    end
+  def where_account_is(query, %Account{account_id: id}) do
+    from([credential, _account] in query,
+      where: credential.account_id == ^id
+    )
   end
 
   def from_resource_and_claims(_, _) do
-    {:error, "Invalid credentials"}
+    {:error, "not implemented"}
   end
 end
diff --git a/lib/ret/api/rooms.ex b/lib/ret/api/rooms.ex
index d2167bbd7..30792429a 100644
--- a/lib/ret/api/rooms.ex
+++ b/lib/ret/api/rooms.ex
@@ -39,7 +39,7 @@ defmodule Ret.Api.Rooms do
     end
   end
 
-  defp do_create_room(%Account{} = account, params) do
+  defp do_create_room(%Credentials{subject_type: :account, account: account}, params) do
     random_name = Ret.RandomRoomNames.generate_room_name()
     params = Map.put(params, :name, Map.get(params, :name, random_name))
 
@@ -58,7 +58,7 @@ defmodule Ret.Api.Rooms do
     end
   end
 
-  defp do_create_room(:reticulum_app_token, params) do
+  defp do_create_room(%Credentials{subject_type: :app}, params) do
     params = Map.put(params, :name, Map.get(params, :name, Ret.RandomRoomNames.generate_room_name()))
 
     with {:ok, hub} <- Hub.create(params) do
@@ -70,28 +70,29 @@ defmodule Ret.Api.Rooms do
     end
   end
 
-  def authed_create_room(%Credentials{resource: resource} = credentials, params) do
+  def authed_create_room(%Credentials{} = credentials, params) do
     if can?(credentials, create_room(nil)) do
-      do_create_room(resource, params)
+      do_create_room(credentials, params)
     else
       {:error, :invalid_credentials}
     end
   end
 
-  def authed_update_room(hub, %Credentials{resource: resource} = credentials, params) do
-    if can?(credentials, update_room(hub)) do
-      do_update_room(hub, resource, params)
+  def authed_update_room(hub_sid, %Credentials{} = credentials, params) do
+    hub = Hub |> Repo.get_by(hub_sid: hub_sid) |> Repo.preload([:hub_role_memberships, :hub_bindings])
+
+    if is_nil(hub) do
+      {:error, "Cannot find room with id: " <> hub_sid}
     else
-      {:error, :invalid_credentials}
+      if can?(credentials, update_room(hub)) do
+        do_update_room(hub, credentials, params)
+      else
+        {:error, :invalid_credentials}
+      end
     end
   end
 
-  defp do_update_room(hub, resource, params) do
-    update_room_with_resource(hub, resource, params)
-  end
-
-  # TODO: DRY up the update_room flow
-  defp update_room_with_resource(hub, :reticulum_app_token, params) do
+  defp do_update_room(hub, %Credentials{subject_type: :app}, params) do
     hub
     |> Hub.add_attrs_to_changeset(params)
     |> Hub.maybe_add_member_permissions(hub, params)
@@ -99,7 +100,7 @@ defmodule Ret.Api.Rooms do
     |> try_do_update_room(:reticulum_app_token)
   end
 
-  defp update_room_with_resource(hub, %Account{} = account, params) do
+  defp do_update_room(hub, %Credentials{subject_type: :account, account: account}, params) do
     hub
     |> Hub.add_attrs_to_changeset(params)
     |> Hub.maybe_add_member_permissions(hub, params)
diff --git a/lib/ret/api/scopes.ex b/lib/ret/api/scopes.ex
index 10cd1d04c..52865627f 100644
--- a/lib/ret/api/scopes.ex
+++ b/lib/ret/api/scopes.ex
@@ -1,6 +1,13 @@
 defmodule Ret.Api.Scopes do
   @moduledoc false
-  def read_rooms, do: Atom.to_string(:read_rooms)
-  def write_rooms, do: Atom.to_string(:write_rooms)
-  def create_accounts, do: Atom.to_string(:create_accounts)
+  def read_rooms, do: :read_rooms
+  def write_rooms, do: :write_rooms
+  def create_accounts, do: :create_accounts
+
+  def all_scopes,
+    do: [
+      read_rooms(),
+      write_rooms(),
+      create_accounts()
+    ]
 end
diff --git a/lib/ret/api/token.ex b/lib/ret/api/token.ex
index 28b26c626..e47215947 100644
--- a/lib/ret/api/token.ex
+++ b/lib/ret/api/token.ex
@@ -2,54 +2,24 @@ defmodule Ret.Api.Token do
   @moduledoc """
   ApiTokens determine what actions are allowed to be taken via the public API.
   """
-  use Guardian, otp_app: :ret, secret_fetcher: Ret.ApiTokenSecretFetcher
+  use Guardian, token_module: Ret.Api.TokenModule, otp_app: :ret, secret_fetcher: Ret.ApiTokenSecretFetcher
 
   import Ecto.Query
 
   alias Ret.{Account, Repo}
+  alias Ret.Api.Credentials
 
-  @app_token_string "reticulum_app_token"
+  def subject_for_token(_, _), do: {:ok, nil}
 
-  def subject_for_token(%Account{} = account, _), do: {:ok, to_string(account.account_id)}
-  def subject_for_token(:reticulum_app_token, _), do: {:ok, @app_token_string}
-  def subject_for_token(_, _), do: {:error, "Must pass account or #{@app_token_string}"}
-
-  def resource_from_claims(%{"sub" => nil}) do
-    {:error, "No subject in token"}
-  end
-
-  def resource_from_claims(%{"sub" => @app_token_string}) do
-    {:ok, :reticulum_app_token}
-  end
-
-  def resource_from_claims(%{"sub" => account_id}) do
-    result_for_account(Repo.one(where(Account, [a], a.account_id == ^account_id)))
-  end
-
-  defp result_for_account(%Account{} = account), do: {:ok, account}
-  defp result_for_account(nil), do: {:error, "Account not found"}
-
-  def after_encode_and_sign(resource, claims, token, _options) do
-    with {:ok, _} <- Guardian.DB.after_encode_and_sign(resource, claims["typ"], claims, token) do
-      {:ok, token}
-    end
-  end
-
-  def on_verify(claims, token, _options) do
-    with {:ok, _} <- Guardian.DB.on_verify(claims, token) do
-      {:ok, claims}
-    end
-  end
-
-  def on_refresh({old_token, old_claims}, {new_token, new_claims}, _options) do
-    with {:ok, _, _} <- Guardian.DB.on_refresh({old_token, old_claims}, {new_token, new_claims}) do
-      {:ok, {old_token, old_claims}, {new_token, new_claims}}
-    end
+  def resource_from_claims(%Credentials{} = credentials) do
+    IO.inspect("creds:")
+    IO.inspect(credentials)
+    credentials
   end
 
-  def on_revoke(claims, token, _options) do
-    with {:ok, _} <- Guardian.DB.on_revoke(claims, token) do
-      {:ok, claims}
-    end
+  def resource_from_claims(claims) do
+    IO.inspect("claims:")
+    IO.inspect(claims)
+    nil
   end
 end
diff --git a/lib/ret/api/token_module.ex b/lib/ret/api/token_module.ex
new file mode 100644
index 000000000..62c448f77
--- /dev/null
+++ b/lib/ret/api/token_module.ex
@@ -0,0 +1,101 @@
+defmodule Ret.Api.TokenModule do
+  @moduledoc """
+  This module should not be used directly.
+
+  It is intended to be used by Guardian.
+  """
+  alias Ret.{Account, Repo}
+  alias Ret.Api.Credentials
+  @behaviour Guardian.Token
+
+  @doc """
+  Cannot peek API Tokens
+  """
+  def peek(_mod, _token), do: nil
+
+  @doc """
+  Do not need to generate a token_id here
+  """
+  def token_id, do: nil
+
+  @doc """
+  Builds the default claims for API tokens.
+  """
+  def build_claims(mod, resource, sub, claims \\ %{}, options \\ []) do
+    {:ok, claims}
+  end
+
+  defp ensure_atom(x) when is_atom(x), do: x
+  defp ensure_atom(x) when is_binary(x), do: String.to_atom(x)
+
+  defp get_account(id) when is_nil(id) do
+    {:ok, nil}
+  end
+
+  defp get_account(id) do
+    case Account.query()
+         |> Account.where_account_id_is(id)
+         |> Repo.one() do
+      nil -> {:error, "Could not find account"}
+      account -> {:ok, account}
+    end
+  end
+
+  @doc """
+  Create a token.
+  """
+  def create_token(_mod, claims, _options \\ []) do
+    token = SecureRandom.urlsafe_base64()
+    account_id = Map.get(claims, "account_id", nil)
+
+    case get_account(account_id) do
+      {:ok, account_or_nil} ->
+        case Ret.Api.Credentials.create_new_api_credentials(%{
+               subject_type: ensure_atom(Map.get(claims, "subject_type")),
+               scopes: Map.get(claims, "scopes"),
+               account: account_or_nil,
+               token_hash: Ret.Crypto.hash(token)
+             }) do
+          {:ok, credentials} -> {:ok, token}
+          _ -> {:error, "Failed to create token for claims."}
+        end
+
+      {:error, reason} ->
+        {:error, "Failed to create token for claims."}
+    end
+  end
+
+  @doc """
+  Decodes the token and validates the signature.
+  """
+  def decode_token(_mod, token, _options \\ []) do
+    case Credentials.query()
+         |> Credentials.where_token_hash_is(Ret.Crypto.hash(token))
+         |> Ret.Repo.one() do
+      nil -> {:error, :credentials_not_found}
+      credentials -> {:ok, credentials}
+    end
+  end
+
+  @doc """
+  Verifies the claims.
+  """
+  def verify_claims(mod, claims, options) do
+    {:ok, claims}
+  end
+
+  @doc """
+  Revoke a token
+  """
+  def revoke(_mod, claims, _token, _options), do: {:ok, claims}
+
+  @doc """
+  Refresh the token
+  """
+  def refresh(_mod, _old_token, _options), do: nil
+
+  @doc """
+  Exchange a token of one type to another.
+  """
+  def exchange(_mod, _old_token, _from_type, _to_type, _options), do: nil
+end
diff --git a/lib/ret/api/token_utils.ex b/lib/ret/api/token_utils.ex
index 26c656f02..f4afcb1d0 100644
--- a/lib/ret/api/token_utils.ex
+++ b/lib/ret/api/token_utils.ex
@@ -10,18 +10,18 @@ defmodule Ret.Api.TokenUtils do
   alias Ret.Api.{Token, Scopes}
 
   def gen_app_token(scopes \\ [Scopes.read_rooms(), Scopes.write_rooms(), Scopes.create_accounts()]) do
-    Token.encode_and_sign(
-      :reticulum_app_token,
-      Map.put(@default_claims, :scopes, scopes),
-      @default_options
-    )
+    Token.encode_and_sign(nil, %{
+      subject_type: :app,
+      scopes: scopes,
+      account_id: nil
+    })
   end
 
   def gen_token_for_account(%Account{} = account, scopes \\ [Scopes.read_rooms(), Scopes.write_rooms()]) do
-    Token.encode_and_sign(
-      account,
-      Map.put(@default_claims, :scopes, scopes),
-      @default_options
-    )
+    Token.encode_and_sign(nil, %{
+      subject_type: :account,
+      scopes: scopes,
+      account_id: account.account_id
+    })
   end
 end
diff --git a/lib/ret/enums.ex b/lib/ret/enums.ex
index 89cd8614a..3e4f22e7c 100644
--- a/lib/ret/enums.ex
+++ b/lib/ret/enums.ex
@@ -11,3 +11,5 @@ defenum(Ret.Avatar.State, :avatar_state, [:active, :removed], schema: "ret0")
 defenum(Ret.AvatarListing.State, :avatar_listing_state, [:active, :delisted, :removed], schema: "ret0")
 defenum(Ret.Account.State, :account_state, [:enabled, :disabled], schema: "ret0")
 defenum(Ret.Asset.Type, :asset_type, [:image, :video, :model, :audio], schema: "ret0")
+defenum(Ret.Api.TokenSubjectType, :api_token_subject_type, [:app, :account], schema: "ret0")
+defenum(Ret.Api.ScopeType, :api_scope_type, Ret.Api.Scopes.all_scopes, schema: "ret0")
diff --git a/lib/ret_web/middleware/handle_api_token_auth_errors.ex b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
index 0c9f1a50e..8a9dddfcb 100644
--- a/lib/ret_web/middleware/handle_api_token_auth_errors.ex
+++ b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
@@ -21,6 +21,16 @@ defmodule RetWeb.Middleware.HandleApiTokenAuthErrors do
     end
   end
 
+  def call(%{context: %{credentials: nil}} = resolution, _) do
+    put_error_result(resolution, :invalid_credentials, "Could not find credentials for this token.")
+  end
+
+  # TODO: Check for expiration
+  # TODO: Audit error messages to decide which we want to return
+  def call(%{context: %{credentials: %Ret.Api.Credentials{is_revoked: true}}} = resolution, _) do
+    put_error_result(resolution, :invalid_credentials, "Token is revoked")
+  end
+
   # I ran into this case in testing. TODO: Figure out why (and if) it's still happening and fix
   def call(resolution, _) do
     put_error_result(resolution, :internal_server_error, "The context was built incorrectly")
diff --git a/lib/ret_web/plugs/add_absinthe_context.ex b/lib/ret_web/plugs/add_absinthe_context.ex
index e1bcf6b82..34adaa1f7 100644
--- a/lib/ret_web/plugs/add_absinthe_context.ex
+++ b/lib/ret_web/plugs/add_absinthe_context.ex
@@ -7,25 +7,15 @@ defmodule RetWeb.AddAbsintheContext do
   def init(opts), do: opts
 
   def call(conn, _) do
-    auth_errors = conn.assigns[:api_token_auth_errors] || []
-
-    context =
-      case Credentials.from_resource_and_claims(
-             Guardian.Plug.current_resource(conn),
-             Guardian.Plug.current_claims(conn)
-           ) do
-        {:ok, credentials} ->
-          %{
-            api_token_auth_errors: auth_errors,
-            credentials: credentials
-          }
-
-        {:error, reason} ->
-          %{
-            api_token_auth_errors: auth_errors ++ [{:invalid_credentials, reason}]
-          }
-      end
+    Absinthe.Plug.put_options(conn, context: build_context(conn))
+  end
 
-    Absinthe.Plug.put_options(conn, context: context)
+  defp build_context(conn) do
+    auth_errors = conn.assigns[:api_token_auth_errors] || []
+    credentials = Guardian.Plug.current_claims(conn)
+    %{
+      api_token_auth_errors: auth_errors,
+      credentials: credentials
+    }
   end
 end
diff --git a/lib/ret_web/plugs/api_token_auth_pipeline.ex b/lib/ret_web/plugs/api_token_auth_pipeline.ex
index d2d9d864d..8747f7a18 100644
--- a/lib/ret_web/plugs/api_token_auth_pipeline.ex
+++ b/lib/ret_web/plugs/api_token_auth_pipeline.ex
@@ -6,7 +6,6 @@ defmodule RetWeb.ApiTokenAuthPipeline do
     error_handler: RetWeb.ApiTokenAuthErrorHandler
 
   plug(Guardian.Plug.VerifyHeader, halt: false)
-  plug(Guardian.Plug.LoadResource, halt: false)
 end
 
 defmodule RetWeb.ApiTokenAuthErrorHandler do
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 62c143465..452b29188 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -9,7 +9,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
   def my_rooms(_parent, _args, %{
         context: %{
           credentials: %Credentials{
-            resource: :reticulum_app_token
+            subject_type: :app
           }
         }
       }) do
@@ -20,7 +20,8 @@ defmodule RetWeb.Resolvers.RoomResolver do
         context: %{
           credentials:
             %Credentials{
-              resource: %Account{} = account
+              subject_type: :account,
+              account: account
             } = credentials
         }
       }) do
@@ -34,7 +35,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
   def favorite_rooms(_parent, _args, %{
         context: %{
           credentials: %Credentials{
-            resource: :reticulum_app_token
+            subject_type: :app
           }
         }
       }) do
@@ -45,7 +46,8 @@ defmodule RetWeb.Resolvers.RoomResolver do
         context: %{
           credentials:
             %Credentials{
-              resource: %Account{} = account
+              subject_type: :account,
+              account: account
             } = credentials
         }
       }) do
@@ -131,14 +133,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
           credentials: %Credentials{} = credentials
         }
       }) do
-    # TODO: Move hub lookup into api/rooms.ex
-    hub = Hub |> Repo.get_by(hub_sid: hub_sid) |> Repo.preload([:hub_role_memberships, :hub_bindings])
-
-    if is_nil(hub) do
-      {:error, "Cannot find room with id: " <> hub_sid}
-    else
-      Ret.Api.Rooms.authed_update_room(hub, credentials, args)
-    end
+    Ret.Api.Rooms.authed_update_room(hub_sid, credentials, args)
   end
 
   def update_room(_parent, _args, _resolutions) do
diff --git a/priv/repo/migrations/20200918180620_guardiandb.exs b/priv/repo/migrations/20200918180620_guardiandb.exs
deleted file mode 100644
index aa4b99d8d..000000000
--- a/priv/repo/migrations/20200918180620_guardiandb.exs
+++ /dev/null
@@ -1,17 +0,0 @@
-defmodule Ret.Repo.Migrations.CreateGuardianDBTokensTable do
-  use Ecto.Migration
-
-  def change do
-    create table(:guardian_tokens, primary_key: false) do
-      add(:jti, :string, primary_key: true)
-      add(:aud, :string, primary_key: true)
-      add(:typ, :string)
-      add(:iss, :string)
-      add(:sub, :string)
-      add(:exp, :bigint)
-      add(:jwt, :text)
-      add(:claims, :map)
-      timestamps()
-    end
-  end
-end
diff --git a/priv/repo/migrations/20201027202054_add_api_credentials_table.exs b/priv/repo/migrations/20201027202054_add_api_credentials_table.exs
new file mode 100644
index 000000000..8dda8fb54
--- /dev/null
+++ b/priv/repo/migrations/20201027202054_add_api_credentials_table.exs
@@ -0,0 +1,23 @@
+defmodule Ret.Repo.Migrations.AddApiCredentialsTable do
+  use Ecto.Migration
+
+  def change do
+    Ret.Api.TokenSubjectType.create_type()
+    Ret.Api.ScopeType.create_type()
+
+    create table(:api_credentials, primary_key: false) do
+      add(:api_credentials_id, :bigint, default: fragment("ret0.next_id()"), primary_key: true)
+      add(:token_hash, :string)
+      add(:api_credentials_sid, :string)
+      add(:issued_at, :utc_datetime)
+      add(:expires_at, :utc_datetime)
+      add(:is_revoked, :boolean)
+      add(:scopes, {:array, :api_scope_type})
+      add(:subject_type, :api_token_subject_type)
+      add(:account_id, references(:accounts, column: :account_id))
+      timestamps()
+    end
+
+    create(index(:api_credentials, [:token_hash], unique: true))
+  end
+end
diff --git a/priv/session_lock_repo/migrations/20200918180620_guardiandb.exs b/priv/session_lock_repo/migrations/20200918180620_guardiandb.exs
deleted file mode 100644
index aa4b99d8d..000000000
--- a/priv/session_lock_repo/migrations/20200918180620_guardiandb.exs
+++ /dev/null
@@ -1,17 +0,0 @@
-defmodule Ret.Repo.Migrations.CreateGuardianDBTokensTable do
-  use Ecto.Migration
-
-  def change do
-    create table(:guardian_tokens, primary_key: false) do
-      add(:jti, :string, primary_key: true)
-      add(:aud, :string, primary_key: true)
-      add(:typ, :string)
-      add(:iss, :string)
-      add(:sub, :string)
-      add(:exp, :bigint)
-      add(:jwt, :text)
-      add(:claims, :map)
-      timestamps()
-    end
-  end
-end

From dfaf3f81160f4ea2153c4b9f36debf40d8869781 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 00:01:23 -0700
Subject: [PATCH 086/138] Remove guardian db

---
 config/dev.exs  | 5 -----
 config/test.exs | 4 ----
 mix.exs         | 1 -
 mix.lock        | 1 -
 4 files changed, 11 deletions(-)

diff --git a/config/dev.exs b/config/dev.exs
index ba41df05b..b625fd36a 100644
--- a/config/dev.exs
+++ b/config/dev.exs
@@ -191,11 +191,6 @@ config :ret, Ret.Api.Token,
   secret_key: "sLqNm8eWf4gtzmaZXUyn5qI93levlvBnX4hqCM9HraDM00QMnVvtQGAQ4S56q3fe",
   ttl: {2, :weeks}
 
-config :guardian, Guardian.DB,
-  repo: Ret.Repo,
-  # Would like to call this api_tokens -- would need to edit the template/migrations
-  schema_name: "guardian_tokens"
-
 config :web_push_encryption, :vapid_details,
   subject: "mailto:admin@mozilla.com",
   public_key: "BAb03820kHYuqIvtP6QuCKZRshvv_zp5eDtqkuwCUAxASBZMQbFZXzv8kjYOuLGF16A3k8qYnIN10_4asB-Aw7w",
diff --git a/config/test.exs b/config/test.exs
index e94c8f44d..3af5a0ac7 100644
--- a/config/test.exs
+++ b/config/test.exs
@@ -51,10 +51,6 @@ config :ret, Ret.Api.Token,
   secret_key: "sLqNm8eWf4gtzmaZXUyn5qI93levlvBnX4hqCM9HraDM00QMnVvtQGAQ4S56q3fe",
   ttl: {2, :hours}
 
-config :guardian, Guardian.DB,
-  repo: Ret.Repo,
-  schema_name: "guardian_tokens" # Would like to call this api_tokens -- would need to edit the template/migrations
-
 config :ret, Ret.Storage,
   storage_path: "storage/test",
   ttl: 60 * 60 * 24
diff --git a/mix.exs b/mix.exs
index 2efb01f3d..b6cb9b9f2 100644
--- a/mix.exs
+++ b/mix.exs
@@ -71,7 +71,6 @@ defmodule Ret.Mixfile do
       {:bamboo_smtp, "~> 1.7"},
       {:guardian, "~> 2.1.1"},
       {:guardian_phoenix, "~> 2.0"},
-      {:guardian_db, "~> 2.0"},
       {:canary, "~> 1.1.1"},
       {:temp, "~> 0.4"},
       {:timex, "~> 3.6"},
diff --git a/mix.lock b/mix.lock
index 3a6da0596..65e488b6c 100644
--- a/mix.lock
+++ b/mix.lock
@@ -38,7 +38,6 @@
   "gen_stage": {:hex, :gen_stage, "0.14.3", "d0c66f1c87faa301c1a85a809a3ee9097a4264b2edf7644bf5c123237ef732bf", [:mix], [], "hexpm", "8453e2289d94c3199396eb517d65d6715ef26bcae0ee83eb5ff7a84445458d76"},
   "gettext": {:hex, :gettext, "0.17.4", "f13088e1ec10ce01665cf25f5ff779e7df3f2dc71b37084976cf89d1aa124d5c", [:mix], [], "hexpm", "3c75b5ea8288e2ee7ea503ff9e30dfe4d07ad3c054576a6e60040e79a801e14d"},
   "guardian": {:hex, :guardian, "2.1.1", "1f02b349f6ba765647cc834036a8d76fa4bd65605342fe3a031df3c99d0d411a", [:mix], [{:jose, "~> 1.8", [hex: :jose, repo: "hexpm", optional: false]}, {:plug, "~> 1.3.3 or ~> 1.4", [hex: :plug, repo: "hexpm", optional: true]}], "hexpm", "189b87ba7ce6b40d6ba029138098b96ffc4ae78f229f5b39539b9141af8bf0f8"},
-  "guardian_db": {:hex, :guardian_db, "2.0.3", "18c847efbf7ec3c0dd44c7aecaeeb2777588bbb8d2073ffc36e71037108b3be6", [:mix], [{:ecto, "~> 3.0", [hex: :ecto, repo: "hexpm", optional: false]}, {:ecto_sql, "~> 3.1", [hex: :ecto_sql, repo: "hexpm", optional: false]}, {:guardian, "~> 1.0 or ~> 2.0", [hex: :guardian, repo: "hexpm", optional: false]}, {:postgrex, "~> 0.13", [hex: :postgrex, repo: "hexpm", optional: true]}], "hexpm", "17306e09498bca379fb8eded2ac44d7690f738ca14b17080d06a948d034ea087"},
   "guardian_phoenix": {:hex, :guardian_phoenix, "2.0.1", "89a817265af09a6ddf7cb1e77f17ffca90cea2db10ff888375ef34502b2731b1", [:mix], [{:guardian, "~> 2.0", [hex: :guardian, repo: "hexpm", optional: false]}, {:phoenix, "~> 1.3", [hex: :phoenix, repo: "hexpm", optional: false]}], "hexpm", "21f439246715192b231f228680465d1ed5fbdf01555a4a3b17165532f5f9a08c"},
   "hackney": {:hex, :hackney, "1.15.2", "07e33c794f8f8964ee86cebec1a8ed88db5070e52e904b8f12209773c1036085", [:rebar3], [{:certifi, "2.5.1", [hex: :certifi, repo: "hexpm", optional: false]}, {:idna, "6.0.0", [hex: :idna, repo: "hexpm", optional: false]}, {:metrics, "1.0.1", [hex: :metrics, repo: "hexpm", optional: false]}, {:mimerl, "~>1.1", [hex: :mimerl, repo: "hexpm", optional: false]}, {:ssl_verify_fun, "1.1.5", [hex: :ssl_verify_fun, repo: "hexpm", optional: false]}], "hexpm", "e0100f8ef7d1124222c11ad362c857d3df7cb5f4204054f9f0f4a728666591fc"},
   "httpoison": {:hex, :httpoison, "1.6.2", "ace7c8d3a361cebccbed19c283c349b3d26991eff73a1eaaa8abae2e3c8089b6", [:mix], [{:hackney, "~> 1.15 and >= 1.15.2", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm", "aa2c74bd271af34239a3948779612f87df2422c2fdcfdbcec28d9c105f0773fe"},

From 884893bf0c64ac9c4b3af9d3d61ff5c9227a8e42 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 00:10:06 -0700
Subject: [PATCH 087/138] Remove unused secrets

---
 config/dev.exs                      |  4 ----
 config/test.exs                     |  4 ----
 lib/ret/api/token.ex                | 10 +---------
 lib/ret/api_token_secret_fetcher.ex | 11 -----------
 4 files changed, 1 insertion(+), 28 deletions(-)
 delete mode 100644 lib/ret/api_token_secret_fetcher.ex

diff --git a/config/dev.exs b/config/dev.exs
index b625fd36a..6cf1fd03a 100644
--- a/config/dev.exs
+++ b/config/dev.exs
@@ -187,10 +187,6 @@ config :ret, Ret.Guardian,
   secret_key: "47iqPEdWcfE7xRnyaxKDLt9OGEtkQG3SycHBEMOuT2qARmoESnhc76IgCUjaQIwX",
   ttl: {12, :weeks}
 
-config :ret, Ret.Api.Token,
-  secret_key: "sLqNm8eWf4gtzmaZXUyn5qI93levlvBnX4hqCM9HraDM00QMnVvtQGAQ4S56q3fe",
-  ttl: {2, :weeks}
-
 config :web_push_encryption, :vapid_details,
   subject: "mailto:admin@mozilla.com",
   public_key: "BAb03820kHYuqIvtP6QuCKZRshvv_zp5eDtqkuwCUAxASBZMQbFZXzv8kjYOuLGF16A3k8qYnIN10_4asB-Aw7w",
diff --git a/config/test.exs b/config/test.exs
index 3af5a0ac7..6af51574e 100644
--- a/config/test.exs
+++ b/config/test.exs
@@ -47,10 +47,6 @@ config :ret, Ret.Guardian,
   issuer: "ret",
   secret_key: "47iqPEdWcfE7xRnyaxKDLt9OGEtkQG3SycHBEMOuT2qARmoESnhc76IgCUjaQIwX"
 
-config :ret, Ret.Api.Token,
-  secret_key: "sLqNm8eWf4gtzmaZXUyn5qI93levlvBnX4hqCM9HraDM00QMnVvtQGAQ4S56q3fe",
-  ttl: {2, :hours}
-
 config :ret, Ret.Storage,
   storage_path: "storage/test",
   ttl: 60 * 60 * 24
diff --git a/lib/ret/api/token.ex b/lib/ret/api/token.ex
index e47215947..aa4052bfc 100644
--- a/lib/ret/api/token.ex
+++ b/lib/ret/api/token.ex
@@ -2,7 +2,7 @@ defmodule Ret.Api.Token do
   @moduledoc """
   ApiTokens determine what actions are allowed to be taken via the public API.
   """
-  use Guardian, token_module: Ret.Api.TokenModule, otp_app: :ret, secret_fetcher: Ret.ApiTokenSecretFetcher
+  use Guardian, token_module: Ret.Api.TokenModule, otp_app: :ret
 
   import Ecto.Query
 
@@ -12,14 +12,6 @@ defmodule Ret.Api.Token do
   def subject_for_token(_, _), do: {:ok, nil}
 
   def resource_from_claims(%Credentials{} = credentials) do
-    IO.inspect("creds:")
-    IO.inspect(credentials)
     credentials
   end
-
-  def resource_from_claims(claims) do
-    IO.inspect("claims:")
-    IO.inspect(claims)
-    nil
-  end
 end
diff --git a/lib/ret/api_token_secret_fetcher.ex b/lib/ret/api_token_secret_fetcher.ex
deleted file mode 100644
index 3e2dcd5d2..000000000
--- a/lib/ret/api_token_secret_fetcher.ex
+++ /dev/null
@@ -1,11 +0,0 @@
-# TODO: How to set configuration for prod?
-defmodule Ret.ApiTokenSecretFetcher do
-  @moduledoc false
-  def fetch_signing_secret(_mod, _opts) do
-    {:ok, Application.get_env(:ret, Ret.Api.Token)[:secret_key] |> JOSE.JWK.from_oct()}
-  end
-
-  def fetch_verifying_secret(_mod, _token_headers, _opts) do
-    {:ok, Application.get_env(:ret, Ret.Api.Token)[:secret_key] |> JOSE.JWK.from_oct()}
-  end
-end

From 3040fb4795dbdeda7df4989ac98c229d3d2cf5de Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 00:11:53 -0700
Subject: [PATCH 088/138] Remove unused function

---
 lib/ret/api/credentials.ex | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/lib/ret/api/credentials.ex b/lib/ret/api/credentials.ex
index 2b4ab09f5..bfabd6b4d 100644
--- a/lib/ret/api/credentials.ex
+++ b/lib/ret/api/credentials.ex
@@ -106,8 +106,4 @@ defmodule Ret.Api.Credentials do
       where: credential.account_id == ^id
     )
   end
-
-  def from_resource_and_claims(_, _) do
-    {:error, "not implemented"}
-  end
 end

From 8dc209c6a38a67410a5f8370baaa56051367bc62 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 00:13:01 -0700
Subject: [PATCH 089/138] Removed unused alias/import

---
 lib/ret/api/credentials.ex | 1 -
 lib/ret/api/token.ex       | 3 ---
 2 files changed, 4 deletions(-)

diff --git a/lib/ret/api/credentials.ex b/lib/ret/api/credentials.ex
index bfabd6b4d..00f6377ba 100644
--- a/lib/ret/api/credentials.ex
+++ b/lib/ret/api/credentials.ex
@@ -5,7 +5,6 @@ defmodule Ret.Api.Credentials do
   alias Ret.Api.Credentials
 
   alias Ret.Account
-  alias Ret.Api.Scopes
 
   use Ecto.Schema
   import Ecto.Query, only: [from: 2]
diff --git a/lib/ret/api/token.ex b/lib/ret/api/token.ex
index aa4052bfc..c5264de26 100644
--- a/lib/ret/api/token.ex
+++ b/lib/ret/api/token.ex
@@ -4,9 +4,6 @@ defmodule Ret.Api.Token do
   """
   use Guardian, token_module: Ret.Api.TokenModule, otp_app: :ret
 
-  import Ecto.Query
-
-  alias Ret.{Account, Repo}
   alias Ret.Api.Credentials
 
   def subject_for_token(_, _), do: {:ok, nil}

From c88e0a0b89ccc3d1e04e8b5386bebaf5ff844c70 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 00:32:07 -0700
Subject: [PATCH 090/138] (Re)Implement revoke for tokens

---
 lib/ret/api/can_credentials.ex                    |  8 ++++++++
 lib/ret/api/credentials.ex                        |  7 +++++++
 lib/ret/api/token_module.ex                       |  4 +++-
 lib/ret/api/token_utils.ex                        |  4 ----
 .../middleware/handle_api_token_auth_errors.ex    | 15 ++++-----------
 5 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/lib/ret/api/can_credentials.ex b/lib/ret/api/can_credentials.ex
index b0544cdd7..b525baf0d 100644
--- a/lib/ret/api/can_credentials.ex
+++ b/lib/ret/api/can_credentials.ex
@@ -3,6 +3,14 @@ defimpl Canada.Can, for: Ret.Api.Credentials do
   alias Ret.{Account, Hub}
   alias Ret.Api.{Credentials, Scopes}
 
+  def can?(
+        %Credentials{is_revoked: true},
+        _action,
+        _resource
+      ) do
+    false
+  end
+
   def can?(
         %Credentials{subject_type: :app, scopes: scopes},
         :get_rooms_created_by,
diff --git a/lib/ret/api/credentials.ex b/lib/ret/api/credentials.ex
index 00f6377ba..689dbd49a 100644
--- a/lib/ret/api/credentials.ex
+++ b/lib/ret/api/credentials.ex
@@ -84,6 +84,13 @@ defmodule Ret.Api.Credentials do
     put_change(changeset, :account_id, account_id)
   end
 
+  def revoke(credentials) do
+    credentials
+    |> change()
+    |> add_is_revoked_to_changeset(true)
+    |> Ret.Repo.update()
+  end
+
   def query do
     from(c in Credentials, left_join: a in Account, on: c.account_id == a.account_id, preload: [account: a])
   end
diff --git a/lib/ret/api/token_module.ex b/lib/ret/api/token_module.ex
index 62c448f77..fa562ed11 100644
--- a/lib/ret/api/token_module.ex
+++ b/lib/ret/api/token_module.ex
@@ -87,7 +87,9 @@ defmodule Ret.Api.TokenModule do
   @doc """
   Revoke a token
   """
-  def revoke(_mod, claims, _token, _options), do: {:ok, claims}
+  def revoke(_mod, %Credentials{} = claims, _token, _options) do
+    Ret.Api.Credentials.revoke(claims)
+  end
 
   @doc """
   Refresh the token
diff --git a/lib/ret/api/token_utils.ex b/lib/ret/api/token_utils.ex
index f4afcb1d0..edb74c1b1 100644
--- a/lib/ret/api/token_utils.ex
+++ b/lib/ret/api/token_utils.ex
@@ -2,10 +2,6 @@ defmodule Ret.Api.TokenUtils do
   @moduledoc """
   Utility functions for generating API access tokens.
   """
-  @default_claims %{aud: "ret", iss: "ret", typ: "access", scopes: []}
-  # TODO: When should tokens expire?
-  @default_options [ttl: {8, :weeks}]
-
   alias Ret.Account
   alias Ret.Api.{Token, Scopes}
 
diff --git a/lib/ret_web/middleware/handle_api_token_auth_errors.ex b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
index 8a9dddfcb..bbe1a9db1 100644
--- a/lib/ret_web/middleware/handle_api_token_auth_errors.ex
+++ b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
@@ -9,24 +9,17 @@ defmodule RetWeb.Middleware.HandleApiTokenAuthErrors do
     resolution
   end
 
-  def call(%{context: %{api_token_auth_errors: errors}} = resolution, _) do
-    case length(errors) do
-      0 ->
-        resolution
-
-      _ ->
-        # Just report the first error
-        {type, reason} = Enum.at(errors, 0)
-        put_error_result(resolution, type, reason)
-    end
+  def call(%{context: %{api_token_auth_errors: errors}} = resolution, _) when is_list(errors) and length(errors) > 0 do
+    {type, reason} = Enum.at(errors, 0)
+    put_error_result(resolution, type, reason)
   end
 
   def call(%{context: %{credentials: nil}} = resolution, _) do
+    IO.inspect("no credentials!!")
     put_error_result(resolution, :invalid_credentials, "Could not find credentials for this token.")
   end
 
   # TODO: Check for expiration
-  # TODO: Audit error messages to decide which we want to return
   def call(%{context: %{credentials: %Ret.Api.Credentials{is_revoked: true}}} = resolution, _) do
     put_error_result(resolution, :invalid_credentials, "Token is revoked")
   end

From 272003df8dd69d724a67fef84b7808035ca28008 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 12:34:24 -0700
Subject: [PATCH 091/138] Fix introspection queries and invalid token errors

---
 lib/ret/api/token_module.ex                   |  4 +-
 .../handle_api_token_auth_errors.ex           | 38 ++++++++++++++++---
 lib/ret_web/plugs/add_absinthe_context.ex     | 16 +++++---
 lib/ret_web/schema/room_types.ex              |  2 +
 4 files changed, 48 insertions(+), 12 deletions(-)

diff --git a/lib/ret/api/token_module.ex b/lib/ret/api/token_module.ex
index fa562ed11..da3a9f23a 100644
--- a/lib/ret/api/token_module.ex
+++ b/lib/ret/api/token_module.ex
@@ -72,7 +72,9 @@ defmodule Ret.Api.TokenModule do
     case Credentials.query()
          |> Credentials.where_token_hash_is(Ret.Crypto.hash(token))
          |> Ret.Repo.one() do
-      nil -> {:error, :credentials_not_found}
+      # Don't want to return the error at this level,
+      # so we pass it along for graphql to handle
+      nil -> {:ok, {:error, :invalid_token}}
       credentials -> {:ok, credentials}
     end
   end
diff --git a/lib/ret_web/middleware/handle_api_token_auth_errors.ex b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
index bbe1a9db1..1effcd62e 100644
--- a/lib/ret_web/middleware/handle_api_token_auth_errors.ex
+++ b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
@@ -9,23 +9,49 @@ defmodule RetWeb.Middleware.HandleApiTokenAuthErrors do
     resolution
   end
 
+  # Don't enforce tokens on introspection queries
+  @graphql_inspection_types [
+    :__schema,
+    :__type,
+    :__directive,
+    :__directivelocation,
+    :__enumvalue,
+    :__field,
+    :__inputvalue,
+    :__typekind
+  ]
+  def call(%{parent_type: %{identifier: identifier}} = resolution, _) when identifier in @graphql_inspection_types do
+    resolution
+  end
+
   def call(%{context: %{api_token_auth_errors: errors}} = resolution, _) when is_list(errors) and length(errors) > 0 do
+    IO.inspect(errors)
     {type, reason} = Enum.at(errors, 0)
     put_error_result(resolution, type, reason)
   end
 
   def call(%{context: %{credentials: nil}} = resolution, _) do
-    IO.inspect("no credentials!!")
-    put_error_result(resolution, :invalid_credentials, "Could not find credentials for this token.")
+    put_error_result(
+      resolution,
+      :api_access_token_not_found,
+      "Failed to find api access token when searching for header 'Authorization: Bearer <your_api_access_token>'"
+    )
   end
 
-  # TODO: Check for expiration
   def call(%{context: %{credentials: %Ret.Api.Credentials{is_revoked: true}}} = resolution, _) do
     put_error_result(resolution, :invalid_credentials, "Token is revoked")
   end
 
-  # I ran into this case in testing. TODO: Figure out why (and if) it's still happening and fix
-  def call(resolution, _) do
-    put_error_result(resolution, :internal_server_error, "The context was built incorrectly")
+  def call(%{context: %{credentials: %Ret.Api.Credentials{expires_at: expires_at}}} = resolution, _) do
+    if Timex.before?(expires_at, Timex.now()) do
+      put_error_result(resolution, :token_expired, "Token expired")
+    else
+      resolution
+    end
   end
+
+  # # TODO: Remove
+  # def call(resolution, _) do
+  #   put_error_result(resolution, :unknown_server_error, "Could not validate token/credentials")
+  # end
 end
diff --git a/lib/ret_web/plugs/add_absinthe_context.ex b/lib/ret_web/plugs/add_absinthe_context.ex
index 34adaa1f7..a5d495092 100644
--- a/lib/ret_web/plugs/add_absinthe_context.ex
+++ b/lib/ret_web/plugs/add_absinthe_context.ex
@@ -12,10 +12,16 @@ defmodule RetWeb.AddAbsintheContext do
 
   defp build_context(conn) do
     auth_errors = conn.assigns[:api_token_auth_errors] || []
-    credentials = Guardian.Plug.current_claims(conn)
-    %{
-      api_token_auth_errors: auth_errors,
-      credentials: credentials
-    }
+
+    case Guardian.Plug.current_claims(conn) do
+      {:error, :invalid_token} ->
+        %{api_token_auth_errors: [{:invalid_token, "Invalid token error. Could not find credentials."}] ++ auth_errors}
+
+      credentials ->
+        %{
+          api_token_auth_errors: auth_errors,
+          credentials: credentials
+        }
+    end
   end
 end
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index 67a412309..250df279f 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -1,4 +1,6 @@
 defmodule RetWeb.Schema.RoomTypes do
+  @moduledoc "GraphQL Schema"
+
   use Absinthe.Schema.Notation
   alias RetWeb.Resolvers
   alias Ret.Scene

From c5096c7c13bbc76fb6596ba9dbf9eeed4f595f64 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 13:20:38 -0700
Subject: [PATCH 092/138] Check for introspection types how Absinthe does

---
 .../middleware/handle_api_token_auth_errors.ex    | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/lib/ret_web/middleware/handle_api_token_auth_errors.ex b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
index 1effcd62e..a20f89b93 100644
--- a/lib/ret_web/middleware/handle_api_token_auth_errors.ex
+++ b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
@@ -10,22 +10,13 @@ defmodule RetWeb.Middleware.HandleApiTokenAuthErrors do
   end
 
   # Don't enforce tokens on introspection queries
-  @graphql_inspection_types [
-    :__schema,
-    :__type,
-    :__directive,
-    :__directivelocation,
-    :__enumvalue,
-    :__field,
-    :__inputvalue,
-    :__typekind
-  ]
-  def call(%{parent_type: %{identifier: identifier}} = resolution, _) when identifier in @graphql_inspection_types do
+  # Source: Absinthe.Introspection.type?
+  # https://github.com/absinthe-graphql/absinthe/blob/cdb8c39beb6a79b03a5095fffbe761e0dd9918ac/lib/absinthe/introspection.ex#L106
+  def call(%{parent_type: %{name: "__" <> _}} = resolution, _) do
     resolution
   end
 
   def call(%{context: %{api_token_auth_errors: errors}} = resolution, _) when is_list(errors) and length(errors) > 0 do
-    IO.inspect(errors)
     {type, reason} = Enum.at(errors, 0)
     put_error_result(resolution, type, reason)
   end

From 75a2087d1b2b970382fda31361991eeab9fe2dcd Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 15:03:45 -0700
Subject: [PATCH 093/138] Fix warnings

---
 lib/ret/api/token_module.ex               | 8 ++++----
 lib/ret_web/plugs/add_absinthe_context.ex | 2 --
 lib/ret_web/resolvers/room_resolver.ex    | 2 +-
 3 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/lib/ret/api/token_module.ex b/lib/ret/api/token_module.ex
index da3a9f23a..6c5d981a9 100644
--- a/lib/ret/api/token_module.ex
+++ b/lib/ret/api/token_module.ex
@@ -21,7 +21,7 @@ defmodule Ret.Api.TokenModule do
   @doc """
   Builds the default claims for API tokens.
   """
-  def build_claims(mod, resource, sub, claims \\ %{}, options \\ []) do
+  def build_claims(_mod, _resource, _sub, claims \\ %{}, _options \\ []) do
     {:ok, claims}
   end
 
@@ -56,11 +56,11 @@ defmodule Ret.Api.TokenModule do
                account: account_or_nil,
                token_hash: Ret.Crypto.hash(token)
              }) do
-          {:ok, credentials} -> {:ok, token}
+          {:ok, _credentials} -> {:ok, token}
           _ -> {:error, "Failed to create token for claims."}
         end
 
-      {:error, reason} ->
+      {:error, _reason} ->
         {:error, "Failed to create token for claims."}
     end
   end
@@ -82,7 +82,7 @@ defmodule Ret.Api.TokenModule do
   @doc """
   Verifies the claims.
   """
-  def verify_claims(mod, claims, options) do
+  def verify_claims(_mod, claims, _options) do
     {:ok, claims}
   end
 
diff --git a/lib/ret_web/plugs/add_absinthe_context.ex b/lib/ret_web/plugs/add_absinthe_context.ex
index a5d495092..f84a2621a 100644
--- a/lib/ret_web/plugs/add_absinthe_context.ex
+++ b/lib/ret_web/plugs/add_absinthe_context.ex
@@ -2,8 +2,6 @@ defmodule RetWeb.AddAbsintheContext do
   @moduledoc false
   @behaviour Plug
 
-  alias Ret.Api.Credentials
-
   def init(opts), do: opts
 
   def call(conn, _) do
diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index 452b29188..cff521cf0 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -2,7 +2,7 @@ defmodule RetWeb.Resolvers.RoomResolver do
   @moduledoc """
   Resolvers for room queries and mutations via the graphql API
   """
-  alias Ret.{Hub, Account, Repo}
+  alias Ret.Hub
   alias Ret.Api.Credentials
   import RetWeb.Resolvers.ResolverError, only: [resolver_error: 2]
 

From 6c229905a3bcf2d21d62e7c073363d7170d0931e Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 15:04:53 -0700
Subject: [PATCH 094/138] Remove TODO

---
 test/api/v2/room_query_test.exs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index 0a042e21f..49cdae9e4 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -112,7 +112,6 @@ defmodule RoomQueryTest do
       |> put_auth_header_for_token(app_token)
       |> do_graphql_action(@query_my_rooms)
 
-    # TODO: Fix this test when implemented
     assert hd(res["errors"])["type"] === "not_implemented"
   end
 

From d3bf7879c8388682097d27768821fb5dd20c4d5d Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 15:32:38 -0700
Subject: [PATCH 095/138] Fix tests

---
 lib/ret/api/token.ex            |  6 ++++-
 lib/ret/api/token_module.ex     | 14 +++++++----
 test/api/v2/room_query_test.exs |  2 +-
 test/ret/api_token_test.exs     | 42 ++++++++++++++++-----------------
 4 files changed, 36 insertions(+), 28 deletions(-)

diff --git a/lib/ret/api/token.ex b/lib/ret/api/token.ex
index c5264de26..4c2d71d25 100644
--- a/lib/ret/api/token.ex
+++ b/lib/ret/api/token.ex
@@ -9,6 +9,10 @@ defmodule Ret.Api.Token do
   def subject_for_token(_, _), do: {:ok, nil}
 
   def resource_from_claims(%Credentials{} = credentials) do
-    credentials
+    {:ok, credentials}
+  end
+
+  def resource_from_claims(_) do
+    {:error, :invalid_token}
   end
 end
diff --git a/lib/ret/api/token_module.ex b/lib/ret/api/token_module.ex
index 6c5d981a9..ac7b0c73e 100644
--- a/lib/ret/api/token_module.ex
+++ b/lib/ret/api/token_module.ex
@@ -9,9 +9,15 @@ defmodule Ret.Api.TokenModule do
   @behaviour Guardian.Token
 
   @doc """
-  Cannot peek API Tokens
+  No concept of validating signature so we just decode the token
   """
-  def peek(_mod, _token), do: nil
+  def peek(mod, token) do
+    case decode_token(mod, token) do
+      {:ok, %Credentials{} = credentials} -> %{claims: credentials}
+      {:ok, {:error, _reason}} -> nil
+      _ -> nil
+    end
+  end
 
   @doc """
   Do not need to generate a token_id here
@@ -89,8 +95,8 @@ defmodule Ret.Api.TokenModule do
   @doc """
   Revoke a token
   """
-  def revoke(_mod, %Credentials{} = claims, _token, _options) do
-    Ret.Api.Credentials.revoke(claims)
+  def revoke(_mod, %Credentials{} = credentials, _token, _options) do
+    Ret.Api.Credentials.revoke(credentials)
   end
 
   @doc """
diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index 49cdae9e4..19315803c 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -86,7 +86,7 @@ defmodule RoomQueryTest do
 
   test "Cannot query without a token", %{conn: conn} do
     res = conn |> do_graphql_action(@query_public_rooms)
-    assert hd(res["errors"])["type"] === "api_access_token_invalid_or_not_found"
+    assert hd(res["errors"])["type"] === "api_access_token_not_found"
   end
 
   test "Can query public rooms with app token", %{conn: conn, public_hub: public_hub, app_token: app_token} do
diff --git a/test/ret/api_token_test.exs b/test/ret/api_token_test.exs
index c65350d64..330448874 100644
--- a/test/ret/api_token_test.exs
+++ b/test/ret/api_token_test.exs
@@ -1,41 +1,39 @@
 defmodule Ret.ApiTokenTest do
   use Ret.DataCase
 
-  alias Ret.Api.TokenUtils
-
-  defp token_query do
-    from("guardian_tokens", select: [:jti, :aud, :jwt, :claims])
-  end
+  alias Ret.{Crypto, Repo}
+  alias Ret.Api.{TokenUtils, Credentials}
 
   test "Generating an api token puts it in the database" do
     {:ok, token, _claims} = TokenUtils.gen_app_token()
-    [%{jwt: jwt}] = Repo.all(token_query())
-    assert jwt == token
+    expected_hash = Crypto.hash(token)
+
+    %Credentials{token_hash: token_hash} =
+      Repo.one(Credentials.query() |> Credentials.where_token_hash_is(expected_hash))
+
+    assert expected_hash == token_hash
   end
 
   test "Api tokens can be revoked" do
     {:ok, token, _claims} = TokenUtils.gen_app_token()
-    [%{jwt: jwt}] = Repo.all(token_query())
-    assert jwt == token
-    {:ok, _claims} = Guardian.decode_and_verify(Ret.Api.Token, token)
+    expected_hash = Crypto.hash(token)
 
-    Guardian.revoke(Ret.Api.Token, token)
-    assert Enum.empty?(Repo.all(token_query()))
+    {:ok, %Credentials{token_hash: token_hash, is_revoked: is_revoked}} =
+      Guardian.decode_and_verify(Ret.Api.Token, token)
 
-    {:error, :token_not_found} = Guardian.decode_and_verify(Ret.Api.Token, token)
-  end
+    assert expected_hash == token_hash
+    assert is_revoked == false
 
-  test "Api tokens can be associated with an account" do
-    account = Ret.Account.find_or_create_account_for_email("test@mozilla.com")
-    {:ok, token, _claims} = TokenUtils.gen_token_for_account(account)
-    {:ok, resource, _claims} = Guardian.resource_from_token(Ret.Api.Token, token)
-    assert resource.account_id === account.account_id
+    Ret.Api.Token.revoke(token)
+
+    {:ok, %Credentials{is_revoked: is_revoked_2}} = Guardian.decode_and_verify(Ret.Api.Token, token)
+    assert is_revoked_2 == true
   end
 
-  test "Revoked tokens cannot recover accounts" do
+  test "Api tokens can be associated with an account" do
     account = Ret.Account.find_or_create_account_for_email("test@mozilla.com")
     {:ok, token, _claims} = TokenUtils.gen_token_for_account(account)
-    Guardian.revoke(Ret.Api.Token, token)
-    {:error, :token_not_found} = Guardian.resource_from_token(Ret.Api.Token, token)
+    {:ok, credentials, _claims} = Guardian.resource_from_token(Ret.Api.Token, token)
+    assert credentials.account_id === account.account_id
   end
 end

From 300bf33f75b8183f7b8f393fc991d794b9ae7194 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 15:33:17 -0700
Subject: [PATCH 096/138] Add sample graphiql workspace

---
 ...raphiql-workspace-2020-10-28-15-28-39.json | 574 ++++++++++++++++++
 1 file changed, 574 insertions(+)
 create mode 100644 test/api/v2/graphiql-workspace-2020-10-28-15-28-39.json

diff --git a/test/api/v2/graphiql-workspace-2020-10-28-15-28-39.json b/test/api/v2/graphiql-workspace-2020-10-28-15-28-39.json
new file mode 100644
index 000000000..d6d4f54ed
--- /dev/null
+++ b/test/api/v2/graphiql-workspace-2020-10-28-15-28-39.json
@@ -0,0 +1,574 @@
+{
+  "key": "graphiql",
+  "lastId": 10,
+  "tabIds": [
+    "tab1",
+    "tab2",
+    "tab4",
+    "tab5",
+    "tab6",
+    "tab7",
+    "tab8",
+    "tab9",
+    "tab10"
+  ],
+  "closedTabs": [
+    {
+      "id": "tab3",
+      "name": "No Token",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 2, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 2, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+      "graphiql:docExplorerWidth": 350,
+      "graphiql:queries": "{\"queries\":[{\"query\":\"query {\\n  myRooms(page: 2, pageSize: 5) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"}]}",
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:editorFlex": 1
+    }
+  ],
+  "defaultUrl": "https://localhost:4000/api/v2/graphiql",
+  "defaultWebsocketUrl": "",
+  "defaultQuery": "",
+  "defaultVariables": "",
+  "defaultProxy": false,
+  "defaultHeaders": [],
+  "usedUrls": [
+    "https://hubs.local:4000/api/v2_alpha/graphiql",
+    "https://localhost:4000/api/v2_alpha/graphiql",
+    "https://localhost:4000/api/v2alpha/graphiql",
+    "https://localhost:4000/api/v2/graphiql"
+  ],
+  "recentHeaders": [
+    {
+      "name": "Authorization",
+      "value": "Bearer fsaf"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer c2FxcWtyTUNNOVVzd1VMVGZGeExSZz09"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer NHhKdGRUQWpRTzVPTzJ5Y0Q0UC9nZz09"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer cm5KbU8zbHEwOS83VitNaGVWall3UT09"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer U0NhWUozNVF4TEpRTTJtTGNGa01jUT09"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDg2Njc3OTYsImlhdCI6MTYwMzgyOTM5NiwiaXNzIjoiIiwianRpIjoiNzBmODI1MWMtZjE2YS00YThlLTg2MDYtNTZkNDE5ZjU4NzljIiwibmJmIjoxNjAzODI5Mzk1LCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIl0sInN1YiI6IjczMTAzODUxODcxMjcyOTY0MCIsInR5cCI6ImFjY2VzcyJ9.YGfqokwxtIQsmnNT21uOKoLAqlHx6cpI3mYrkQIxSniGIOewL84ckwfGcF9v54ZHkNR4bY8Cd_fqE2DfZKEO2g"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDg2Njc3NTQsImlhdCI6MTYwMzgyOTM1NCwiaXNzIjoiIiwianRpIjoiZTQ3MDA2NGQtYmFhNy00M2YzLTllNDgtZGU3MDg0MGRkMDU1IiwibmJmIjoxNjAzODI5MzUzLCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIiwiY3JlYXRlX2FjY291bnRzIl0sInN1YiI6InJldGljdWx1bV9hcHBfdG9rZW4iLCJ0eXAiOiJhY2Nlc3MifQ.kbzMkcxbMGoyh95cbS3QvgGx8ikgVCSeeMfeX3FJhLml8cBp_1apNT_CxOEQlSgRkm-Rppck975cVoqWVnR9_Q"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDM0Mzk0ODIsImlhdCI6MTYwMzQxMDY4MiwiaXNzIjoiIiwianRpIjoiMmE2NTRlNDMtOGUyNi00NzRhLTlhN2UtZjBjMWFjZTJkOWU1IiwibmJmIjoxNjAzNDEwNjgxLCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIiwiY3JlYXRlX2FjY291bnRzIl0sInN1YiI6InJldGljdWx1bV9hcHBfdG9rZW4iLCJ0eXAiOiJhY2Nlc3MifQ.9RaT1l8c5nK7nhd1EUWUgiOd01wDCMseUmRrK-AleGvwbgfm9Vp2rjc18ifg0cwPJfpPuDyrxGY8E3WWgqpVFA"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDM0MzkzMTcsImlhdCI6MTYwMzQxMDUxNywiaXNzIjoiIiwianRpIjoiZjVkOTU0ODYtYmZhNS00ZTI5LWExYzgtMGUwMmE1MmYxZjllIiwibmJmIjoxNjAzNDEwNTE2LCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIl0sInN1YiI6IjYzNDAyOTgyNzk3NTgwNjk4MCIsInR5cCI6ImFjY2VzcyJ9.dRKjTCYaPP-ogwLnCDfor4G90kn2vkaqGsjflxfRbwNwfHl0KNt4W99RWMomAtlxtegULOHDI08hrz6rsPjN_g"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDM0Mjc2NzQsImlhdCI6MTYwMzM5ODg3NCwiaXNzIjoiIiwianRpIjoiMzJkZGU0NWUtZjkxNS00NWJmLTk4NTktZGIyYmUzZDEyZmQ1IiwibmJmIjoxNjAzMzk4ODczLCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIiwiY3JlYXRlX2FjY291bnRzIl0sInN1YiI6InJldGljdWx1bV9hcHBfdG9rZW4iLCJ0eXAiOiJhY2Nlc3MifQ.9bzlZkoKnvFsf9Qm9Vmw-Prl3vPlNFku3S2S0J3owi18kjIhO_baIIGTkASG_yNL1aofnfFMCOjUFxhM80PrFw"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer   # def can?(%Ret.Account{} = account, action, account) when action in @self_allowed_actions, do: true"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer foo"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDMzMjg3NzAsImlhdCI6MTYwMzI5OTk3MCwiaXNzIjoiIiwianRpIjoiOTQyZmViN2MtN2YwOS00YWQ0LWExMmEtYjkyNTVjMDY3NDExIiwibmJmIjoxNjAzMjk5OTY5LCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIiwiY3JlYXRlX2FjY291bnRzIl0sInN1YiI6InJldGljdWx1bV9hcHBfdG9rZW4iLCJ0eXAiOiJhY2Nlc3MifQ.maRV8uXxt3a66E0e7muIkKYNVFERWMzYmmZg7JY1NQ0-UbjVSmC64RqbBz7IuJ5OUckAGAHCjYU7QbML3hILjg"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDMzMjg3MzIsImlhdCI6MTYwMzI5OTkzMiwiaXNzIjoiIiwianRpIjoiYjlmYjAzZGYtMGU2Yi00ZjlhLWFkYTgtZmZiNjk1MmI2ODgyIiwibmJmIjoxNjAzMjk5OTMxLCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIl0sInN1YiI6IjYzNDAyOTgyNzk3NTgwNjk4MCIsInR5cCI6ImFjY2VzcyJ9.Ot-jOYrb6Fl-SD7BDmSUZT248JqOLOCsvDmeXb0jbJCheOTXi5WWu__Tnb-uGDVbXSM9LyCSA_1KJ_s_tH96yQ"
+    },
+    {
+      "name": "authorization",
+      "value": "bearer: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDMzMjg1NDcsImlhdCI6MTYwMzI5OTc0NywiaXNzIjoiIiwianRpIjoiZjIxYjc1MzYtMDkxYi00MjEzLTllODgtNjQ2NmFlY2IyYzY0IiwibmJmIjoxNjAzMjk5NzQ2LCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIiwiY3JlYXRlX2FjY291bnRzIl0sInN1YiI6InJldGljdWx1bV9hcHBfdG9rZW4iLCJ0eXAiOiJhY2Nlc3MifQ.pHeNOxSTyaSabHepEJr6oe9FwhopHpp21Q0yb5KQ8ENk3mcGLSjZGlFe2L81u5TFgazvWE9eCV8_jqdXhFAS9w"
+    },
+    {
+      "name": "authorization",
+      "value": "bearer: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDMzMjg0NTIsImlhdCI6MTYwMzI5OTY1MiwiaXNzIjoiIiwianRpIjoiOTNjZjk3MzQtNWVkYy00OTQ4LWI1NjctNjQ2MmQxNGFkMjFiIiwibmJmIjoxNjAzMjk5NjUxLCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIl0sInN1YiI6IjYzNDAyOTgyNzk3NTgwNjk4MCIsInR5cCI6ImFjY2VzcyJ9.47dOWjFahvS-rR-2pHqs_8ufHzFO1BNTNYP4x_AsHmzB_KfAnTEIgSgVL2ory9qsmgCtfMbsAFwZ4dpUXoOItw"
+    },
+    {
+      "name": "authorization",
+      "value": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDMzMjg0NTIsImlhdCI6MTYwMzI5OTY1MiwiaXNzIjoiIiwianRpIjoiOTNjZjk3MzQtNWVkYy00OTQ4LWI1NjctNjQ2MmQxNGFkMjFiIiwibmJmIjoxNjAzMjk5NjUxLCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIl0sInN1YiI6IjYzNDAyOTgyNzk3NTgwNjk4MCIsInR5cCI6ImFjY2VzcyJ9.47dOWjFahvS-rR-2pHqs_8ufHzFO1BNTNYP4x_AsHmzB_KfAnTEIgSgVL2ory9qsmgCtfMbsAFwZ4dpUXoOItw"
+    },
+    {
+      "name": "authorization",
+      "value": "bearer: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDMxNjgwMzQsImlhdCI6MTYwMzEzOTIzNCwiaXNzIjoiIiwianRpIjoiMDU3MWJmNzAtNWQzYi00MTUyLTliYTEtN2IxZmMyODczNGU1IiwibmJmIjoxNjAzMTM5MjMzLCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIl0sInN1YiI6IjYzNDAyOTgyNzk3NTgwNjk4MCIsInR5cCI6ImFjY2VzcyJ9.CL6aN3u0ZTwIdQpIxvSJ00s1tSwkikP83K7J5owPhRlIFf_s0dpSr7YLRKdnHGEw5IKgS9MxQgVwiRUiaW_8Nw"
+    },
+    {
+      "name": "authorization",
+      "value": "bearer: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDMxNjc5MzMsImlhdCI6MTYwMzEzOTEzMywiaXNzIjoiIiwianRpIjoiOWMxMzc5ZWEtYTI0ZS00ODhjLTk3M2UtZTBkMjQ0ZjZhYzc5IiwibmJmIjoxNjAzMTM5MTMyLCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIiwiY3JlYXRlX2FjY291bnRzIl0sInN1YiI6InJldGljdWx1bV9hcHBfdG9rZW4iLCJ0eXAiOiJhY2Nlc3MifQ.Ixj2ptMiqJp6w5s3B4Ochrfwkzx2BE_5UlHuV8-cluha1AarakeZbneKCkGCNTVNciU3ezLvSjZ-OVr1d7iCnA"
+    },
+    {
+      "name": "authorization",
+      "value": "bearer: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDMxNTQ4NDMsImlhdCI6MTYwMzEyNjA0MywiaXNzIjoiIiwianRpIjoiMjBiM2NlM2QtYmU4NC00MzZmLThkOGQtYTBmOTU3ZGY3MTc4IiwibmJmIjoxNjAzMTI2MDQyLCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIl0sInN1YiI6IjYzNDAyOTgyNzk3NTgwNjk4MCIsInR5cCI6ImFjY2VzcyJ9.VkB2dZzTVApgaANFvVs8wHr-msbh6ll2kRQtmTtig5UigNnB1m7OP-CHga-v0MnGXQOOa5gVXI3tY2pDKAUKew"
+    }
+  ],
+  "maxTabHistory": 20,
+  "maxUrlHistory": 20,
+  "maxHistory": 20,
+  "savedQueries": [],
+  "activeId": "tab10",
+  "tabs": [
+    {
+      "id": "tab1",
+      "name": "[app] queries",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [
+        {
+          "name": "Authorization",
+          "value": "Bearer cm5KbU8zbHEwOS83VitNaGVWall3UT09"
+        }
+      ],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "query {\n  \n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "\nquery {\n  \n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n    favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 2, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 2, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms {\n    entries (page: 2) {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  publicRooms {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  publicRooms {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(name:\"foo\"){\n    id,\n    description,\n    slug\n  }\n  \n  \n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id:\"2M6Poe2\", name:\"foo\") {\n    id,\n    name\n  },\n  \n  \n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id:\"2M6Poe2f\", name:\"foo\") {\n    id,\n    name\n  },\n  \n  \n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  foo: updateRoom(id:\"2M6Po2\", name:\"foo\") {\n    id,\n    name\n  },\n  \n  updateRoom(id:\"2M6Poe2\", name:\"bar\") {\n    id,\n    name\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  foo: updateRoom(id:\"2M6Poe2\", name:\"foo\") {\n    id,\n    name\n  },\n  \n  updateRoom(id:\"2M6Poe2\", name:\"bar\") {\n    id,\n    name\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id:\"2M6Poe2\", name:\"foo\") {\n    id,\n    name\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id:\"TkpzrAS\", name:\"bfffar\") {\n    id,\n    name\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id:\"TkpzrAS\", name:\"bar\") {\n    id,\n    name\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id:\"2M6Poe2\", name:\"bar\") {\n    id,\n    name\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "query {\n  \n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+      "graphiql:queries": "{\"queries\":[{\"query\":\"mutation {\\n  updateRoom(id:\\\"2M6Poe2\\\", name:\\\"bar\\\") {\\n    id,\\n    name\\n  }\\n}\"},{\"query\":\"mutation {\\n  updateRoom(id:\\\"TkpzrAS\\\", name:\\\"bar\\\") {\\n    id,\\n    name\\n  }\\n}\"},{\"query\":\"mutation {\\n  updateRoom(id:\\\"TkpzrAS\\\", name:\\\"bfffar\\\") {\\n    id,\\n    name\\n  }\\n}\"},{\"query\":\"mutation {\\n  updateRoom(id:\\\"2M6Poe2\\\", name:\\\"foo\\\") {\\n    id,\\n    name\\n  }\\n}\"},{\"query\":\"mutation {\\n  foo: updateRoom(id:\\\"2M6Poe2\\\", name:\\\"foo\\\") {\\n    id,\\n    name\\n  },\\n  \\n  updateRoom(id:\\\"2M6Poe2\\\", name:\\\"bar\\\") {\\n    id,\\n    name\\n  }\\n}\"},{\"query\":\"mutation {\\n  foo: updateRoom(id:\\\"2M6Po2\\\", name:\\\"foo\\\") {\\n    id,\\n    name\\n  },\\n  \\n  updateRoom(id:\\\"2M6Poe2\\\", name:\\\"bar\\\") {\\n    id,\\n    name\\n  }\\n}\"},{\"query\":\"mutation {\\n  updateRoom(id:\\\"2M6Poe2f\\\", name:\\\"foo\\\") {\\n    id,\\n    name\\n  },\\n  \\n  \\n}\"},{\"query\":\"mutation {\\n  updateRoom(id:\\\"2M6Poe2\\\", name:\\\"foo\\\") {\\n    id,\\n    name\\n  },\\n  \\n  \\n}\"},{\"query\":\"mutation {\\n  createRoom(name:\\\"foo\\\"){\\n    id,\\n    description,\\n    slug\\n  }\\n  \\n  \\n}\"},{\"query\":\"query {\\n  publicRooms {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  publicRooms {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms {\\n    entries (page: 2) {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 2, pageSize: 5) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 2, pageSize: 5) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 5) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n    favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"\\nquery {\\n  \\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  \\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"}]}",
+      "graphiql:editorFlex": 1,
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:docExplorerWidth": 350
+    },
+    {
+      "id": "tab2",
+      "name": "[user] queries",
+      "url": "https://hubs.local:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [
+        {
+          "name": "Authorization",
+          "value": "Bearer U0NhWUozNVF4TEpRTTJtTGNGa01jUT09"
+        }
+      ],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n publicRooms(page: 1, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n publicRooms(page: 2, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 2, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+      "graphiql:queries": "{\"queries\":[{\"query\":\"query {\\n  myRooms(page: 2, pageSize: 5) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"query {\\n publicRooms(page: 2, pageSize: 5) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n publicRooms(page: 1, pageSize: 5) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      description,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"}]}",
+      "graphiql:docExplorerWidth": 350,
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:editorFlex": 1
+    },
+    {
+      "id": "tab4",
+      "name": "[app] createRoom",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [
+        {
+          "name": "Authorization",
+          "value": "Bearer cm5KbU8zbHEwOS83VitNaGVWall3UT09"
+        }
+      ],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions\n      fly\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+      "graphiql:queries": "{\"queries\":[{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id,\\n    name\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\"}]}",
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:editorFlex": 1,
+      "graphiql:docExplorerWidth": 350
+    },
+    {
+      "id": "tab5",
+      "name": "[user] createRoom",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [
+        {
+          "name": "Authorization",
+          "value": "Bearer U0NhWUozNVF4TEpRTTJtTGNGa01jUT09"
+        }
+      ],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+      "graphiql:queries": "{\"queries\":[{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id,\\n    name\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\"}]}",
+      "graphiql:editorFlex": 1,
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:docExplorerWidth": 350
+    },
+    {
+      "id": "tab6",
+      "name": "[app] updateRoom",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [
+        {
+          "name": "Authorization",
+          "value": "Bearer NHhKdGRUQWpRTzVPTzJ5Y0Q0UC9nZz09"
+        }
+      ],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "mutation {\n  updateRoom(id: \"7VkWtfB\", description: \"A room with an APP view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"maJCnRD\", description: \"A room with an APP view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"maJCnRD\", description: \"fggggg view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"maJCnRD\", description: \"fffff view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"maJCnRD\", description: \"Aasddas view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"EzqydXp\", description: \"Aasddas view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "mutation {\n  updateRoom(id: \"7VkWtfB\", description: \"A room with an APP view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:editorFlex": 1,
+      "graphiql:queries": "{\"queries\":[{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"EzqydXp\\\", description: \\\"Aasddas view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"maJCnRD\\\", description: \\\"Aasddas view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"maJCnRD\\\", description: \\\"fffff view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"maJCnRD\\\", description: \\\"fggggg view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"maJCnRD\\\", description: \\\"A room with an APP view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"7VkWtfB\\\", description: \\\"A room with an APP view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\"}]}",
+      "graphiql:docExplorerWidth": 350
+    },
+    {
+      "id": "tab7",
+      "name": "[user] updateRoom",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [
+        {
+          "name": "Authorization",
+          "value": "Bearer U0NhWUozNVF4TEpRTTJtTGNGa01jUT09"
+        }
+      ],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "mutation {\n  updateRoom(id: \"7VkWtfB\", description: \"A room with a USER view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"7VkWtfB\", description: \"A room with aa USER view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"7VkWtfB\", description: \"A room with a USER view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"maJCnRD\", description: \"A room with a USER view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"maJCnRD\", description: \"Aasddas view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"maJCnRD\", description: \"Aasdddwith a view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"maJCnRD\", description: \"A roddddwith a view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"maJCnRD\", description: \"A roddddwith a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"maJCnRD\", description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"iwwu7e3\", description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "mutation {\n  updateRoom(id: \"7VkWtfB\", description: \"A room with a USER view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+      "graphiql:queries": "{\"queries\":[{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"iwwu7e3\\\", description: \\\"A room with a view\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"maJCnRD\\\", description: \\\"A room with a view\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"maJCnRD\\\", description: \\\"A roddddwith a view\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"maJCnRD\\\", description: \\\"A roddddwith a view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"maJCnRD\\\", description: \\\"Aasdddwith a view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"maJCnRD\\\", description: \\\"Aasddas view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"maJCnRD\\\", description: \\\"A room with a USER view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"7VkWtfB\\\", description: \\\"A room with a USER view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"7VkWtfB\\\", description: \\\"A room with aa USER view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"7VkWtfB\\\", description: \\\"A room with a USER view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\"}]}",
+      "graphiql:docExplorerWidth": 350,
+      "graphiql:editorFlex": 1,
+      "graphiql:docExplorerOpen": true,
+      "graphiql:variableEditorHeight": 200
+    },
+    {
+      "id": "tab8",
+      "name": "[revoked token] queries",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [
+        {
+          "name": "Authorization",
+          "value": "Bearer c2FxcWtyTUNNOVVzd1VMVGZGeExSZz09"
+        }
+      ],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "query {\n  \n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "",
+          "variables": null
+        },
+        {
+          "query": "query {\n  \n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "query {\n  \n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:docExplorerWidth": 350,
+      "graphiql:editorFlex": 1,
+      "graphiql:queries": "{\"queries\":[{\"query\":\"query {\\n  \\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\",\"variables\":\"\"}]}"
+    },
+    {
+      "id": "tab9",
+      "name": "[no token] queries",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms{\n    entries{\n      id\n    }\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:editorFlex": 1,
+      "graphiql:queries": "{\"queries\":[{\"query\":\"query {\\n  myRooms{\\n    entries{\\n      id\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      description,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"}]}",
+      "graphiql:docExplorerWidth": 350
+    },
+    {
+      "id": "tab10",
+      "name": "[invalid token] queries",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [
+        {
+          "name": "Authorization",
+          "value": "Bearer foo"
+        }
+      ],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+      "graphiql:variables": "",
+      "graphiql:queries": "{\"queries\":[{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      description,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\",\"variables\":\"\"}]}",
+      "graphiql:editorFlex": 1,
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:docExplorerWidth": 350
+    }
+  ]
+}
\ No newline at end of file

From a32f8402373b91384423da305ea25cc2de0b8a59 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 15:37:06 -0700
Subject: [PATCH 097/138] Format

---
 lib/ret/enums.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ret/enums.ex b/lib/ret/enums.ex
index 3e4f22e7c..580b1bebb 100644
--- a/lib/ret/enums.ex
+++ b/lib/ret/enums.ex
@@ -12,4 +12,4 @@ defenum(Ret.AvatarListing.State, :avatar_listing_state, [:active, :delisted, :re
 defenum(Ret.Account.State, :account_state, [:enabled, :disabled], schema: "ret0")
 defenum(Ret.Asset.Type, :asset_type, [:image, :video, :model, :audio], schema: "ret0")
 defenum(Ret.Api.TokenSubjectType, :api_token_subject_type, [:app, :account], schema: "ret0")
-defenum(Ret.Api.ScopeType, :api_scope_type, Ret.Api.Scopes.all_scopes, schema: "ret0")
+defenum(Ret.Api.ScopeType, :api_scope_type, Ret.Api.Scopes.all_scopes(), schema: "ret0")

From 6f810a4e2ddfaa770c42dd0d6be5eff83fda71ac Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 16:45:41 -0700
Subject: [PATCH 098/138] Update API Guide

---
 guides/api.md | 249 ++++++--------------------------------------------
 1 file changed, 27 insertions(+), 222 deletions(-)

diff --git a/guides/api.md b/guides/api.md
index f33dbb8b8..1c5961f97 100644
--- a/guides/api.md
+++ b/guides/api.md
@@ -1,237 +1,42 @@
 # Overview
-Reticulum includes a [GraphQL](https://graphql.org/) API to better allow you to customize the app to your specific needs. 
+Reticulum includes a [GraphQL](https://graphql.org/) API to better allow you to write plugins or customize the app to your needs. 
 
 ## Accessing the API
-The API can be accessed by sending `GET` or `POST` requests to `/api/v2/`.
-Requests can be sent in code with an `HTTP` client library, on the command line with a tool like `curl`, with a GraphQL-specific client library, or any other tool that speaks `HTTP`. There is also an interactive GUI for accessing the API available at `/api/v2/graphiql`. 
+The API can be accessed by sending `GET` or `POST` requests to `/api/v2_alpha/` with a valid GraphQL document in the request body. Note: This path is subject to change as we get out of early testing.
 
-## Authenticating requests
-Most requests sent to the API need to be authenticated. To authenticate a request, add the http header `Authorization` with value `Bearer: <your API token>`. Currently, your API token is the same as your account token, which you can find with the following steps:
-- Navigate to the homepage
-- Sign in
-- Open the developer console of your browser. (
-Instructions for opening the console in firefox: https://developer.mozilla.org/en-US/docs/Tools/Web_Console#Opening_the_Web_Console
-Instructions for chrome: https://developers.google.com/web/tools/chrome-devtools/open)
-- Type `window.APP.store.state.credentials.token` into the console and press enter.
-- Your token should be returned surrounded by quotations marks (`"<your API token here>"`)
+Requests can be sent by a variety of standard tools:
+- an `HTTP` client library, 
+- a command line tool like `curl`, 
+- a GraphQL-specific client library, 
+- any other tool that speaks `HTTP`. 
 
-It is likely that the authentication method will change in future releases of the API to include something like API tokens whose permissions can be limited to specific scopes, so that people are not encouraged to share admin account tokens. Sharing account tokens is dangerous - don't do it.
+Reticulum ships with [GraphiQL](https://github.com/graphql/graphiql/tree/main/packages/graphiql#graphiql), a graphical interactive in-browser GraphQL IDE that makes it easy to test and learn the API. It can be accessed by navigating to `<your_hubs_cloud_endpoint>/api/v2_alpha/graphiql`. [This example workspace](../test/api/v2/graphiql-workspace-2020-10-28-15-28-39.json) demonstrates several queries and can be loaded into the GraphiQL interface. You will have to generate and supply your own API access tokens.
 
-## Passing arguments
-We use a library called [`absinthe`](http://absinthe-graphql.org/) to power the `GraphQL` API. This library automatically converts between `camelCase` (a typical convention in `javascript`) and `snake_case` (a typical convention in `elixir`). For this reason, you will send and receive arguments and values in `camelCase`, but will see the corresponding values in `elixir` code as `snake_case`.
+## Authentication and Authorization
+Most requests require an API Access Token for authentication and authorization. 
 
-## Rooms
-The following examples show the capabilities of creating, querying, and modifying rooms. The code for these commands and object types can be found in [`/lib/ret_web/schema/room_types.ex`](../lib/ret_web/schema/room_types.ex)
+### API Access Token Types
+There are two types of API Access Tokens: 
+- `:account` tokens act on behalf of a specific user
+- `:app` tokens act on behalf of the hubs cloud itself
 
-### Create a room
-Request:
-```
-mutation {
-  createRoom(name:"My Fun Get-Together"){
-    id
-  }
-}
-```
-Response:
-```js
-{
-  "data": {
-    "createRoom": {
-      "id": "3FqxixG"
-    }
-  }
-}
-```
+### Scopes
+When generating API Access Tokens, you specify which `scopes` to grant that token. Scopes allow the token to be used to perform specific actions.
 
-### Querying Rooms
-Room queries return a `RoomList` object, which paginates responses. For a specific page or page size, pass the `page` or `pageSize` arguments along with  the request. 
+| Scope | API Action | Allowed Token Types | 
+| ---            | :--        |         :-: |      
+| `read_rooms` | `myRooms` | `account` |
+| `read_rooms` | `favoriteRooms` | `account` |
+| `read_rooms` | `publicRooms` | `account`, `app` |
+| `write_rooms` | `createRoom` | `account`, `app` |
+| `write_rooms` | `updateRoom` | `account`, `app` |
 
-#### My rooms
-Request:
-```
-query {
-  myRooms(page: 1, pageSize: 10) {
-    entries {
-      name,
-      id,
-      scene {
-        ... on Scene {
-          id,
-          name
-        }
-        ... on SceneListing{
-          id,
-          name
-        }
-      }
-    }
-  }
-}
-```
-Response:
-```js
-{
-  "data": {
-    "myRooms": {
-      "entries": [
-        {
-          "id": "3FqxixG",
-          "name": "My Fun Get-Together",
-          "scene": null
-        },
-        {
-          "id": "FmNKVjL",
-          "name": "Foo",
-          "scene": {
-            "id": "tXkCgJw",
-            "name": "Crater 2"
-          }
-        },
-        "scene": {
-          "id": "74VD2Et",
-          "name": "Crater"
-        }
-      ]
-    }
-  }
-}
-```
+Scopes, actions, and token types are expected to expand over time.
 
-#### Query my favorite rooms
-Request:
-```
-query {
-  myFavorites {
-    entries {
-      name,
-      id
-    }
-  }
-}
-```
-Response:
-```js
-{
-  "data": {
-    "favoriteRooms": {
-      "entries": [
-        {
-          "id": "4jByd2w",
-          "name": "Uniform Ready Social"
-        },
-        {
-          "id": "5wQhhbG",
-          "name": "Angelic Vibrant Spot"
-        },
-        {
-          "id": "RmNv2k2",
-          "name": "Golden Perfect Volume"
-        },
-      ]
-    }
-  }
-}
-```
+Tokens can be generated in the interface at `/api`. (TODO: Build interface.)
 
+### Using API Access Tokens
 
-#### Query public rooms
-Request:
-```
-query {
-  publicRooms {
-    entries {
-      name,
-      id
-    }
-  }
-}
-```
-Response:
-```js
-{
-  "data": {
-    "publicRooms": {
-      "entries": [
-        {
-          "id": "z7LQiNi",
-          "name": "Big Time Room"
-        },
-        {
-          "id": "SVnhCWq",
-          "name": "sdafasdf"
-        }
-      ]
-    }
-  }
-}
-```
-
-### Updating rooms
-#### Set room properties like `name`, `description`, and `roomSize`
-```
-mutation {
-  updateRoom(
-    id:"FmNKVjL", 
-    name:"Foo bar baz", 
-    description:"Some description", 
-    roomSize:15,
-  ) {
-    id
-  }
-}
-```
-#### Change the scene of a given room:
-```
-mutation {
-  updateRoom(
-    id:"FmNKVjL", 
-    sceneId: "74VD2Et",
-  ) {
-    id
-  }
-}
-```
-
-#### Change member permissions in the room:
-```
-mutation {
-  updateRoom(
-    id:"FmNKVjL", 
-    memberPermissions: {
-      fly: true,
-      spawnEmoji: true,
-      spawnDrawing: true,
-      pinObjects: false,
-      spawnCamera: false,
-      spawnAndMoveMedia: true
-    }
-  ) {
-    id
-  }
-}
-```
-### Change everything all in one go:
-
-```
-mutation {
-  updateRoom(
-    id:"FmNKVjL", 
-    name:"Foo bar baz", 
-    description:"Some description", 
-    roomSize:15,
-    sceneId: "74VD2Et",
-    memberPermissions: {
-      fly: true,
-      spawnEmoji: true,
-      spawnDrawing: true,
-      pinObjects: false,
-      spawnCamera: false,
-      spawnAndMoveMedia: true
-    }
-  ) {
-    id
-  }
-}
-```
+To attach an API Access Token to a request, add the `HTTP` header `Authorization` with value `Bearer: <your API token>`. 
 
 

From 8a2e6f4400c03c765f436d0faea865fc7bc09c5e Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 16:46:49 -0700
Subject: [PATCH 099/138] Remove graphiql notes

---
 graphiql_notes.org | 76 ----------------------------------------------
 1 file changed, 76 deletions(-)
 delete mode 100644 graphiql_notes.org

diff --git a/graphiql_notes.org b/graphiql_notes.org
deleted file mode 100644
index 90cbb5bed..000000000
--- a/graphiql_notes.org
+++ /dev/null
@@ -1,76 +0,0 @@
-* graphiql testing
-
-A useful test setup in graphiql is to have each of the following three queries set up with:
-- A valid user token
-- A valid app token
-- No token
-
-I'll add automated tests for these soon.
-
-** Get rooms
-
-#+BEGIN_EXAMPLE
-query {
-  myRooms(page: 1, pageSize: 3) {
-    entries {
-      name,
-      description,
-      id,
-      memberPermissions{
-        fly
-      }
-    }
-  }
-  
-  favoriteRooms(page: 1, pageSize: 3) {
-    entries {
-      name,
-      id,
-      memberPermissions{
-        fly
-      }
-    }
-  }
-  
-   publicRooms(page: 1, pageSize: 3) {
-    entries {
-      name,
-      id,
-      memberPermissions{
-        fly
-      }
-    }
-  }
-}
-#+END_EXAMPLE
-
-** Create rooms
-#+BEGIN_EXAMPLE
-mutation {
-  createRoom(description: "A room with a view") {
-    id,
-    name,
-    allowPromotion,
-    memberPermissions{
-      fly
-    },
-    embedToken
-  }
-}
-#+END_EXAMPLE
-
-** Update rooms
-#+BEGIN_EXAMPLE
-mutation {
-  updateRoom(id: "maJCnRD", description: "A room with a viewwwwwww") {
-    description,
-    id,
-    name,
-    allowPromotion,
-    memberPermissions{
-      fly
-    },
-    embedToken
-  }
-}
-#+END_EXAMPLE

From 737b7160a94b6cf0cabdd147435c36243ec81583 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 16:51:24 -0700
Subject: [PATCH 100/138] Update scopes table in guide

---
 guides/api.md | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/guides/api.md b/guides/api.md
index 1c5961f97..36abdf904 100644
--- a/guides/api.md
+++ b/guides/api.md
@@ -23,13 +23,11 @@ There are two types of API Access Tokens:
 ### Scopes
 When generating API Access Tokens, you specify which `scopes` to grant that token. Scopes allow the token to be used to perform specific actions.
 
-| Scope | API Action | Allowed Token Types | 
+| Scope | Allowed Token Types | API Actions |
 | ---            | :--        |         :-: |      
-| `read_rooms` | `myRooms` | `account` |
-| `read_rooms` | `favoriteRooms` | `account` |
-| `read_rooms` | `publicRooms` | `account`, `app` |
-| `write_rooms` | `createRoom` | `account`, `app` |
-| `write_rooms` | `updateRoom` | `account`, `app` |
+| `read_rooms` | `account`, `app` | `myRooms`, `favoriteRooms`, `publicRooms` |
+| `write_rooms` | `account`, `app` | `createRoom`, `updateRoom` |
+| `create_accounts` | `app` | `createAccount` (not yet implemented) |
 
 Scopes, actions, and token types are expected to expand over time.
 

From 04ee343fa9f4d326d5929e84b83c274599226d44 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 16:52:32 -0700
Subject: [PATCH 101/138] Update formatting in guide

---
 guides/api.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/guides/api.md b/guides/api.md
index 36abdf904..108e9a32f 100644
--- a/guides/api.md
+++ b/guides/api.md
@@ -24,7 +24,7 @@ There are two types of API Access Tokens:
 When generating API Access Tokens, you specify which `scopes` to grant that token. Scopes allow the token to be used to perform specific actions.
 
 | Scope | Allowed Token Types | API Actions |
-| ---            | :--        |         :-: |      
+| :-:            | :-:        |         --- |      
 | `read_rooms` | `account`, `app` | `myRooms`, `favoriteRooms`, `publicRooms` |
 | `write_rooms` | `account`, `app` | `createRoom`, `updateRoom` |
 | `create_accounts` | `app` | `createAccount` (not yet implemented) |

From 8d0d6df108a8cf2990f8586ddd52a0bf0a479eab Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 16:53:34 -0700
Subject: [PATCH 102/138] Update justification in guide table

---
 guides/api.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/guides/api.md b/guides/api.md
index 108e9a32f..bb4a89069 100644
--- a/guides/api.md
+++ b/guides/api.md
@@ -24,7 +24,7 @@ There are two types of API Access Tokens:
 When generating API Access Tokens, you specify which `scopes` to grant that token. Scopes allow the token to be used to perform specific actions.
 
 | Scope | Allowed Token Types | API Actions |
-| :-:            | :-:        |         --- |      
+| --:            | :-:        |         --- |      
 | `read_rooms` | `account`, `app` | `myRooms`, `favoriteRooms`, `publicRooms` |
 | `write_rooms` | `account`, `app` | `createRoom`, `updateRoom` |
 | `create_accounts` | `app` | `createAccount` (not yet implemented) |

From 560da978a594be56dee0ada9ab30a82717cddd1f Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 17:00:27 -0700
Subject: [PATCH 103/138] Remove unused error message

---
 lib/ret_web/middleware/put_error_result.ex | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/lib/ret_web/middleware/put_error_result.ex b/lib/ret_web/middleware/put_error_result.ex
index 97a332647..fff8678de 100644
--- a/lib/ret_web/middleware/put_error_result.ex
+++ b/lib/ret_web/middleware/put_error_result.ex
@@ -3,17 +3,6 @@ defmodule RetWeb.Middleware.PutErrorResult do
 
   import Absinthe.Resolution, only: [put_result: 2]
 
-  def put_error_result(resolution, :no_resource_found, _message) do
-    put_result(
-      resolution,
-      {:error,
-       [
-         type: :api_access_token_invalid_or_not_found,
-         message: "API access token is invalid or missing. Did you add an authorization: bearer <your_token> header?"
-       ]}
-    )
-  end
-
   def put_error_result(resolution, type, message) do
     put_result(
       resolution,

From 275cfde5a160e02874bb0212b5e58a433039beef Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 17:07:01 -0700
Subject: [PATCH 104/138] Move dataloader config

---
 lib/ret/api/dataloader.ex | 11 +++++++++++
 lib/ret/scene.ex          |  7 -------
 lib/ret_web/schema.ex     |  3 +--
 3 files changed, 12 insertions(+), 9 deletions(-)
 create mode 100644 lib/ret/api/dataloader.ex

diff --git a/lib/ret/api/dataloader.ex b/lib/ret/api/dataloader.ex
new file mode 100644
index 000000000..cc73be3bf
--- /dev/null
+++ b/lib/ret/api/dataloader.ex
@@ -0,0 +1,11 @@
+defmodule Ret.Api.Dataloader do
+  @moduledoc "Configuration for dataloader"
+
+  import Ecto.Query
+  alias Ret.{Repo, Scene, SceneListing}
+
+  def source(), do: Dataloader.Ecto.new(Repo, query: &query/2)
+  # Guard against loading removed scenes or delisted scene listings
+  def query(Scene, _), do: from(s in Scene, where: s.state != ^:removed)
+  def query(SceneListing, _), do: from(sl in SceneListing, where: sl.state != ^:delisted)
+end
diff --git a/lib/ret/scene.ex b/lib/ret/scene.ex
index e509b27f6..cbc4cbe5e 100644
--- a/lib/ret/scene.ex
+++ b/lib/ret/scene.ex
@@ -9,7 +9,6 @@ end
 defmodule Ret.Scene do
   use Ecto.Schema
   import Ecto.Changeset
-  import Ecto.Query
 
   alias Ret.{Repo, Scene, SceneListing, Project, Storage}
   alias Ret.Scene.{SceneSlug}
@@ -55,12 +54,6 @@ defmodule Ret.Scene do
     timestamps()
   end
 
-  # Dataloader
-  def data(), do: Dataloader.Ecto.new(Repo, query: &query/2)
-  # Guard against loading removed scenes or delisted scene listings
-  def query(Scene, _), do: from(s in Scene, where: s.state != ^:removed)
-  def query(SceneListing, _), do: from(sl in SceneListing, where: sl.state != ^:delisted)
-
   def scene_or_scene_listing_by_sid(sid) do
     Scene |> Repo.get_by(scene_sid: sid) ||
       SceneListing |> Repo.get_by(scene_listing_sid: sid) |> Repo.preload(scene: Scene.scene_preloads())
diff --git a/lib/ret_web/schema.ex b/lib/ret_web/schema.ex
index 4e928676c..fe4b8b770 100644
--- a/lib/ret_web/schema.ex
+++ b/lib/ret_web/schema.ex
@@ -2,7 +2,6 @@ defmodule RetWeb.Schema do
   @moduledoc false
 
   use Absinthe.Schema
-  alias Ret.Scene
 
   import RetWeb.Middleware, only: [build_middleware: 3]
 
@@ -25,7 +24,7 @@ defmodule RetWeb.Schema do
   def context(ctx) do
     loader =
       Dataloader.new()
-      |> Dataloader.add_source(Scene, Scene.data())
+      |> Dataloader.add_source(:db, Ret.Api.Dataloader.source())
 
     Map.put(ctx, :loader, loader)
   end

From 617a3bf5148d918110faceaeaa20dfc0a916cbf3 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 28 Oct 2020 17:42:24 -0700
Subject: [PATCH 105/138] Change title of guide

---
 guides/api.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/guides/api.md b/guides/api.md
index bb4a89069..8e21db616 100644
--- a/guides/api.md
+++ b/guides/api.md
@@ -1,4 +1,4 @@
-# Overview
+# Hubs Server API
 Reticulum includes a [GraphQL](https://graphql.org/) API to better allow you to write plugins or customize the app to your needs. 
 
 ## Accessing the API

From 59153bfacdf6d0303e96d69bd12967f4d5b4a562 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 12 Nov 2020 16:01:07 -0800
Subject: [PATCH 106/138] Do not assume xclip exists

---
 lib/mix/tasks/generate_api_token.ex | 2 --
 1 file changed, 2 deletions(-)

diff --git a/lib/mix/tasks/generate_api_token.ex b/lib/mix/tasks/generate_api_token.ex
index ab00fe89a..f58dd8b51 100644
--- a/lib/mix/tasks/generate_api_token.ex
+++ b/lib/mix/tasks/generate_api_token.ex
@@ -59,7 +59,6 @@ defmodule Mix.Tasks.GenerateApiToken do
       case TokenUtils.gen_app_token() do
         {:ok, token, _claims} ->
           Mix.shell().info("Successfully generated token:\n#{token}")
-          :os.cmd('echo #{token} | xclip')
 
         {:error, reason} ->
           Mix.shell().error("Error: #{reason}")
@@ -71,7 +70,6 @@ defmodule Mix.Tasks.GenerateApiToken do
     case TokenUtils.gen_token_for_account(account) do
       {:ok, token, _claims} ->
         Mix.shell().info("Successfully generated token:\n#{token}")
-        :os.cmd('echo #{token} | xclip')
 
       {:error, reason} ->
         Mix.shell().error("Error: #{reason}")

From 0df81f4a8fe9375b5d1dc875a34c4a2a8f393161 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 12 Nov 2020 16:01:53 -0800
Subject: [PATCH 107/138] Check write_rooms scope to allow update_hub

---
 lib/ret/api/can_credentials.ex | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/ret/api/can_credentials.ex b/lib/ret/api/can_credentials.ex
index b525baf0d..4d003d757 100644
--- a/lib/ret/api/can_credentials.ex
+++ b/lib/ret/api/can_credentials.ex
@@ -88,7 +88,7 @@ defimpl Canada.Can, for: Ret.Api.Credentials do
         :update_room,
         %Hub{} = hub
       ) do
-    Scopes.read_rooms() in scopes && can?(:reticulum_app_token, update_hub(hub))
+    Scopes.write_rooms() in scopes && can?(:reticulum_app_token, update_hub(hub))
   end
 
   def can?(
@@ -96,7 +96,7 @@ defimpl Canada.Can, for: Ret.Api.Credentials do
         :update_room,
         %Hub{} = hub
       ) do
-    Scopes.read_rooms() in scopes && can?(subject, update_hub(hub))
+    Scopes.write_rooms() in scopes && can?(subject, update_hub(hub))
   end
 
   def can?(_, _, _), do: false

From c856764ccf124696a369aeaf01c35a2d54676556 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 12 Nov 2020 16:06:04 -0800
Subject: [PATCH 108/138] Remove things from documentation that are not done

---
 guides/api.md | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/guides/api.md b/guides/api.md
index 8e21db616..66a457fdd 100644
--- a/guides/api.md
+++ b/guides/api.md
@@ -23,15 +23,14 @@ There are two types of API Access Tokens:
 ### Scopes
 When generating API Access Tokens, you specify which `scopes` to grant that token. Scopes allow the token to be used to perform specific actions.
 
-| Scope | Allowed Token Types | API Actions |
-| --:            | :-:        |         --- |      
-| `read_rooms` | `account`, `app` | `myRooms`, `favoriteRooms`, `publicRooms` |
-| `write_rooms` | `account`, `app` | `createRoom`, `updateRoom` |
-| `create_accounts` | `app` | `createAccount` (not yet implemented) |
+| Scope | API Actions |
+| --:            |         --- |      
+| `read_rooms` | `myRooms`, `favoriteRooms`, `publicRooms` |
+| `write_rooms` | `createRoom`, `updateRoom` |
 
 Scopes, actions, and token types are expected to expand over time.
 
-Tokens can be generated in the interface at `/api`. (TODO: Build interface.)
+Tokens can be generated on the command line with `mix generate_api_token`. Soon this method will be replaced with a web API and interface.
 
 ### Using API Access Tokens
 

From aa718aeb682d318dcc341fade8d20cc70bd5501e Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 12 Nov 2020 16:45:13 -0800
Subject: [PATCH 109/138] Check hub_bindings before allowed embeds

---
 lib/ret/api/rooms.ex |  2 +-
 lib/ret/hub.ex       | 15 ++++++++++++---
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/lib/ret/api/rooms.ex b/lib/ret/api/rooms.ex
index 30792429a..1c4e0031e 100644
--- a/lib/ret/api/rooms.ex
+++ b/lib/ret/api/rooms.ex
@@ -147,7 +147,7 @@ defmodule Ret.Api.Rooms do
     payload =
       HubView.render("show.json", %{
         hub: hub,
-        embeddable: true
+        embeddable: can?(:reticulum_app_token, embed_hub(hub))
       })
       |> Map.put(:stale_fields, [
         # TODO: Only include fields that have changed in stale_fields
diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 141ccd632..a3c872558 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -807,18 +807,27 @@ end
 
 # Permissions for un-authenticated clients
 defimpl Canada.Can, for: Atom do
-  @api_actions [
+  @allowed_app_token_actions [
     :get_rooms_created_by,
     :get_favorite_rooms_of,
     :get_public_rooms,
     :create_hub,
     :update_hub,
-    :embed_hub
   ]
-  def can?(:reticulum_app_token, action, _) when action in @api_actions do
+  def can?(:reticulum_app_token, action, _) when action in @allowed_app_token_actions do
     true
   end
 
+  # Bound hubs - Always prevent embedding and role assignment (since it's dictated by binding)
+  def can?(:reticulum_app_token, action, %Ret.Hub{hub_bindings: hub_bindings})
+      when hub_bindings |> length > 0 and action in [:embed_hub, :update_roles],
+      do: false
+
+  # Allow app tokens to act like owners/creators if the room has no bindings
+  def can?(:reticulum_app_token, action, %Ret.Hub{hub_bindings: hub_bindings})
+      when action in [:embed_hub, :update_roles],
+      do: true
+
   def can?(:reticulum_app_token, _, _), do: false
 
   alias Ret.{AppConfig, Hub}

From f8919ab1e234ba160a219544a0aed512e67dad71 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 16 Nov 2020 17:02:13 -0800
Subject: [PATCH 110/138] Remove API credentials expiration

---
 lib/ret/api/credentials.ex                    |  6 ------
 .../handle_api_token_auth_errors.ex           | 21 +++++++------------
 ...201027202054_add_api_credentials_table.exs |  1 -
 3 files changed, 7 insertions(+), 21 deletions(-)

diff --git a/lib/ret/api/credentials.ex b/lib/ret/api/credentials.ex
index 689dbd49a..9383f9fb8 100644
--- a/lib/ret/api/credentials.ex
+++ b/lib/ret/api/credentials.ex
@@ -18,7 +18,6 @@ defmodule Ret.Api.Credentials do
     field(:token_hash, :string)
     field(:subject_type, Ret.Api.TokenSubjectType)
     field(:issued_at, :utc_datetime)
-    field(:expires_at, :utc_datetime)
     field(:is_revoked, :boolean)
     field(:scopes, {:array, Ret.Api.ScopeType})
 
@@ -44,7 +43,6 @@ defmodule Ret.Api.Credentials do
     |> add_token_hash_to_changeset(token_hash)
     |> add_subject_type_to_changeset(subject_type)
     |> add_issued_at_to_changeset(Timex.now() |> DateTime.truncate(:second))
-    |> add_expires_at_to_changeset(Timex.now() |> Timex.shift(years: 1) |> DateTime.truncate(:second))
     |> add_is_revoked_to_changeset(false)
     |> add_scopes_to_changeset(scopes)
     |> add_account_id_to_changeset((account && account.account_id) || nil)
@@ -68,10 +66,6 @@ defmodule Ret.Api.Credentials do
     put_change(changeset, :issued_at, issued_at)
   end
 
-  defp add_expires_at_to_changeset(changeset, expires_at) do
-    put_change(changeset, :expires_at, expires_at)
-  end
-
   defp add_is_revoked_to_changeset(changeset, is_revoked) do
     put_change(changeset, :is_revoked, is_revoked)
   end
diff --git a/lib/ret_web/middleware/handle_api_token_auth_errors.ex b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
index a20f89b93..e294f6df1 100644
--- a/lib/ret_web/middleware/handle_api_token_auth_errors.ex
+++ b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
@@ -5,12 +5,14 @@ defmodule RetWeb.Middleware.HandleApiTokenAuthErrors do
 
   import RetWeb.Middleware.PutErrorResult, only: [put_error_result: 3]
 
+  alias Ret.Api.Credentials
+
   def call(%{state: :resolved} = resolution, _) do
     resolution
   end
 
-  # Don't enforce tokens on introspection queries
-  # Source: Absinthe.Introspection.type?
+  # Don't enforce authentication on introspection queries
+  # See Absinthe.Introspection.type?
   # https://github.com/absinthe-graphql/absinthe/blob/cdb8c39beb6a79b03a5095fffbe761e0dd9918ac/lib/absinthe/introspection.ex#L106
   def call(%{parent_type: %{name: "__" <> _}} = resolution, _) do
     resolution
@@ -29,20 +31,11 @@ defmodule RetWeb.Middleware.HandleApiTokenAuthErrors do
     )
   end
 
-  def call(%{context: %{credentials: %Ret.Api.Credentials{is_revoked: true}}} = resolution, _) do
+  def call(%{context: %{credentials: %Credentials{is_revoked: true}}} = resolution, _) do
     put_error_result(resolution, :invalid_credentials, "Token is revoked")
   end
 
-  def call(%{context: %{credentials: %Ret.Api.Credentials{expires_at: expires_at}}} = resolution, _) do
-    if Timex.before?(expires_at, Timex.now()) do
-      put_error_result(resolution, :token_expired, "Token expired")
-    else
-      resolution
-    end
+  def call(%{context: %{credentials: %Credentials{}}} = resolution, _) do
+    resolution
   end
-
-  # # TODO: Remove
-  # def call(resolution, _) do
-  #   put_error_result(resolution, :unknown_server_error, "Could not validate token/credentials")
-  # end
 end
diff --git a/priv/repo/migrations/20201027202054_add_api_credentials_table.exs b/priv/repo/migrations/20201027202054_add_api_credentials_table.exs
index 8dda8fb54..994f575d9 100644
--- a/priv/repo/migrations/20201027202054_add_api_credentials_table.exs
+++ b/priv/repo/migrations/20201027202054_add_api_credentials_table.exs
@@ -10,7 +10,6 @@ defmodule Ret.Repo.Migrations.AddApiCredentialsTable do
       add(:token_hash, :string)
       add(:api_credentials_sid, :string)
       add(:issued_at, :utc_datetime)
-      add(:expires_at, :utc_datetime)
       add(:is_revoked, :boolean)
       add(:scopes, {:array, :api_scope_type})
       add(:subject_type, :api_token_subject_type)

From a088b2fd2120f8f3464bbc79cecbd217172e699c Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 16 Nov 2020 17:23:45 -0800
Subject: [PATCH 111/138] Include rooms whose entry mode is invite

---
 lib/ret/hub.ex                   | 8 ++++----
 lib/ret_web/schema/room_types.ex | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index a3c872558..db2121df6 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -168,7 +168,7 @@ defmodule Ret.Hub do
 
   def get_my_rooms(account, params) do
     Hub
-    |> where([h], h.created_by_account_id == ^account.account_id and h.entry_mode == ^"allow")
+    |> where([h], h.created_by_account_id == ^account.account_id and h.entry_mode in ^["allow", "invite"])
     |> order_by(desc: :inserted_at)
     |> preload(^Hub.hub_preloads())
     |> Repo.paginate(params)
@@ -176,7 +176,7 @@ defmodule Ret.Hub do
 
   def get_favorite_rooms(account, params) do
     Hub
-    |> where([h], h.entry_mode == ^"allow")
+    |> where([h], h.entry_mode in ^["allow", "invite"])
     |> join(:inner, [h], f in AccountFavorite, on: f.hub_id == h.hub_id and f.account_id == ^account.account_id)
     |> order_by([h, f], desc: f.last_activated_at)
     |> preload(^Hub.hub_preloads())
@@ -185,7 +185,7 @@ defmodule Ret.Hub do
 
   def get_public_rooms(params) do
     Hub
-    |> where([h], h.allow_promotion and h.entry_mode == ^"allow")
+    |> where([h], h.allow_promotion and h.entry_mode in ^["allow", "invite"])
     |> order_by(desc: :inserted_at)
     |> preload(^Hub.hub_preloads())
     |> Repo.paginate(params)
@@ -812,7 +812,7 @@ defimpl Canada.Can, for: Atom do
     :get_favorite_rooms_of,
     :get_public_rooms,
     :create_hub,
-    :update_hub,
+    :update_hub
   ]
   def can?(:reticulum_app_token, action, _) when action in @allowed_app_token_actions do
     true
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index 250df279f..162b8f680 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -66,11 +66,11 @@ defmodule RetWeb.Schema.RoomTypes do
     field(:slug, :string)
     @desc "A description of the room"
     field(:description, :string)
-    @desc "Makes this room public, while it is still open"
+    @desc "Makes this room as public (while it is still open)"
     field(:allow_promotion, :boolean)
     @desc "Temporary entry code"
     field(:entry_code, :string)
-    @desc "Whether the room is open or closed"
+    @desc "Determines if entry is allowed, denied, or by-invite-only. (Values are \"allow\", \"deny\", or \"invite\".)"
     field(:entry_mode, :string)
     @desc "The host server associated with this room via the load balancer"
     field(:host, :string)

From 8ef4ba1254af1be2d9e3db3cb996c4ab1268ddae Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 16 Nov 2020 17:26:01 -0800
Subject: [PATCH 112/138] Return more specific token error: :token_revoked

---
 lib/ret_web/middleware/handle_api_token_auth_errors.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ret_web/middleware/handle_api_token_auth_errors.ex b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
index e294f6df1..510464fe3 100644
--- a/lib/ret_web/middleware/handle_api_token_auth_errors.ex
+++ b/lib/ret_web/middleware/handle_api_token_auth_errors.ex
@@ -32,7 +32,7 @@ defmodule RetWeb.Middleware.HandleApiTokenAuthErrors do
   end
 
   def call(%{context: %{credentials: %Credentials{is_revoked: true}}} = resolution, _) do
-    put_error_result(resolution, :invalid_credentials, "Token is revoked")
+    put_error_result(resolution, :token_revoked, "Token is revoked")
   end
 
   def call(%{context: %{credentials: %Credentials{}}} = resolution, _) do

From 6d19640e7e4225fd971d69c96869a47b0bb04f6f Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 16 Nov 2020 17:47:00 -0800
Subject: [PATCH 113/138] Return scene or scene_listing in room result

---
 lib/ret_web/resolvers/room_resolver.ex | 7 ++++---
 lib/ret_web/schema/room_types.ex       | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/ret_web/resolvers/room_resolver.ex b/lib/ret_web/resolvers/room_resolver.ex
index cff521cf0..7a57ecb4c 100644
--- a/lib/ret_web/resolvers/room_resolver.ex
+++ b/lib/ret_web/resolvers/room_resolver.ex
@@ -124,9 +124,10 @@ defmodule RetWeb.Resolvers.RoomResolver do
     {:ok, Hub.lobby_count_for(hub)}
   end
 
-  # def scene(hub, _args, _resolutions) do
-  #  {:ok, Hub.scene_or_scene_listing_for(hub)}
-  # end
+  def scene(hub, _args, _resolutions) do
+    # No permission check needed
+    {:ok, Hub.scene_or_scene_listing_for(hub)}
+  end
 
   def update_room(_parent, %{id: hub_sid} = args, %{
         context: %{
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index 162b8f680..4018116c2 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -115,7 +115,7 @@ defmodule RetWeb.Schema.RoomTypes do
 
     @desc "Scene currently associated with the room"
     field(:scene, :scene_or_scene_listing) do
-      resolve(dataloader(Scene))
+      resolve(&Resolvers.RoomResolver.scene/3)
     end
 
     # TODO: Figure out user_data

From e7aa1614b81a6742be22312a99b862afd1575244 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 16 Nov 2020 18:17:39 -0800
Subject: [PATCH 114/138] Add json scalar type for user_data

---
 lib/ret/hub.ex                          |  4 +--
 lib/ret_web/schema/room_types.ex        | 11 +++++--
 lib/ret_web/schema/types/custom/json.ex | 38 +++++++++++++++++++++++++
 3 files changed, 48 insertions(+), 5 deletions(-)
 create mode 100644 lib/ret_web/schema/types/custom/json.ex

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index db2121df6..58207d154 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -820,11 +820,11 @@ defimpl Canada.Can, for: Atom do
 
   # Bound hubs - Always prevent embedding and role assignment (since it's dictated by binding)
   def can?(:reticulum_app_token, action, %Ret.Hub{hub_bindings: hub_bindings})
-      when hub_bindings |> length > 0 and action in [:embed_hub, :update_roles],
+      when length(hub_bindings) > 0 and action in [:embed_hub, :update_roles],
       do: false
 
   # Allow app tokens to act like owners/creators if the room has no bindings
-  def can?(:reticulum_app_token, action, %Ret.Hub{hub_bindings: hub_bindings})
+  def can?(:reticulum_app_token, action, %Ret.Hub{})
       when action in [:embed_hub, :update_roles],
       do: true
 
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index 4018116c2..85bf3b397 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -3,8 +3,8 @@ defmodule RetWeb.Schema.RoomTypes do
 
   use Absinthe.Schema.Notation
   alias RetWeb.Resolvers
-  alias Ret.Scene
-  import Absinthe.Resolution.Helpers, only: [dataloader: 1]
+
+  import_types(RetWeb.Schema.Types.Custom.JSON)
 
   @desc "Public TLS port number used for TURN"
   object :turn_transport do
@@ -118,7 +118,8 @@ defmodule RetWeb.Schema.RoomTypes do
       resolve(&Resolvers.RoomResolver.scene/3)
     end
 
-    # TODO: Figure out user_data
+    @desc "Arbitrary json data associated with the room"
+    field(:user_data, :json)
   end
 
   @desc """
@@ -191,6 +192,8 @@ defmodule RetWeb.Schema.RoomTypes do
       arg(:member_permissions, :input_member_permissions)
       @desc "Make this room public (while it is open)"
       arg(:allow_promotion, :boolean)
+      @desc "Arbitrary json data associated with this room"
+      arg(:user_data, :json)
 
       resolve(&Resolvers.RoomResolver.create_room/3)
     end
@@ -211,6 +214,8 @@ defmodule RetWeb.Schema.RoomTypes do
       arg(:member_permissions, :input_member_permissions)
       @desc "Make this room public (while it is open)"
       arg(:allow_promotion, :boolean)
+      @desc "Arbitrary json data associated with this room"
+      arg(:user_data, :json)
       # TODO: add/remove owner
 
       resolve(&Resolvers.RoomResolver.update_room/3)
diff --git a/lib/ret_web/schema/types/custom/json.ex b/lib/ret_web/schema/types/custom/json.ex
new file mode 100644
index 000000000..03e1e3ab8
--- /dev/null
+++ b/lib/ret_web/schema/types/custom/json.ex
@@ -0,0 +1,38 @@
+# From https://github.com/absinthe-graphql/absinthe/wiki/Scalar-Recipes#json-using-jason
+defmodule RetWeb.Schema.Types.Custom.JSON do
+  @moduledoc """
+  The Json scalar type allows arbitrary JSON values to be passed in and out.
+  Requires `{ :jason, "~> 1.1" }` package: https://github.com/michalmuskala/jason
+  """
+  use Absinthe.Schema.Notation
+
+  scalar :json, name: "Json" do
+    description("""
+    The `Json` scalar type represents arbitrary json string data, represented as UTF-8
+    character sequences. The Json type is most often used to represent a free-form
+    human-readable json string.
+    """)
+
+    serialize(&encode/1)
+    parse(&decode/1)
+  end
+
+  @spec decode(Absinthe.Blueprint.Input.String.t()) :: {:ok, term()} | :error
+  @spec decode(Absinthe.Blueprint.Input.Null.t()) :: {:ok, nil}
+  defp decode(%Absinthe.Blueprint.Input.String{value: value}) do
+    case Jason.decode(value) do
+      {:ok, result} -> {:ok, result}
+      _ -> :error
+    end
+  end
+
+  defp decode(%Absinthe.Blueprint.Input.Null{}) do
+    {:ok, nil}
+  end
+
+  defp decode(_) do
+    :error
+  end
+
+  defp encode(value), do: value
+end

From 6d1999b80c22348a7890f8a6031b84b10f8efbd7 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 16 Nov 2020 18:31:44 -0800
Subject: [PATCH 115/138] Add missing close parenthesis

---
 lib/ret_web/schema/scene_types.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ret_web/schema/scene_types.ex b/lib/ret_web/schema/scene_types.ex
index afb871189..6070c50e4 100644
--- a/lib/ret_web/schema/scene_types.ex
+++ b/lib/ret_web/schema/scene_types.ex
@@ -20,7 +20,7 @@ defmodule RetWeb.Schema.SceneTypes do
     field(:name, :string)
   end
 
-  @desc "A scene listing (which allows the creator to change the underlying scene assets"
+  @desc "A scene listing (which allows the creator to change the underlying scene assets)"
   object :scene_listing do
     @desc "The scene listing id"
     field(:scene_listing_sid, :id, name: "id")

From 465f6379311abc35b4538881e2f4363ebc74de9a Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 16 Nov 2020 18:41:35 -0800
Subject: [PATCH 116/138] Add indexes and prevent null in credentials table
 schema

---
 .../20201027202054_add_api_credentials_table.exs   | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/priv/repo/migrations/20201027202054_add_api_credentials_table.exs b/priv/repo/migrations/20201027202054_add_api_credentials_table.exs
index 994f575d9..a17eb49da 100644
--- a/priv/repo/migrations/20201027202054_add_api_credentials_table.exs
+++ b/priv/repo/migrations/20201027202054_add_api_credentials_table.exs
@@ -7,16 +7,18 @@ defmodule Ret.Repo.Migrations.AddApiCredentialsTable do
 
     create table(:api_credentials, primary_key: false) do
       add(:api_credentials_id, :bigint, default: fragment("ret0.next_id()"), primary_key: true)
-      add(:token_hash, :string)
-      add(:api_credentials_sid, :string)
-      add(:issued_at, :utc_datetime)
-      add(:is_revoked, :boolean)
-      add(:scopes, {:array, :api_scope_type})
-      add(:subject_type, :api_token_subject_type)
+      add(:token_hash, :string, null: false)
+      add(:api_credentials_sid, :string, null: false)
+      add(:issued_at, :utc_datetime, null: false)
+      add(:is_revoked, :boolean, null: false)
+      add(:scopes, {:array, :api_scope_type}, null: false)
+      add(:subject_type, :api_token_subject_type, null: false)
       add(:account_id, references(:accounts, column: :account_id))
       timestamps()
     end
 
     create(index(:api_credentials, [:token_hash], unique: true))
+    create(index(:api_credentials, [:api_credentials_sid], unique: true))
+    create(index(:api_credentials, [:account_id]))
   end
 end

From 6afdb178ea0471852edba55cac4fbbc3eb5d151b Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 16 Nov 2020 18:44:42 -0800
Subject: [PATCH 117/138] Fix query for favorite rooms

---
 lib/ret/api/rooms.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ret/api/rooms.ex b/lib/ret/api/rooms.ex
index 1c4e0031e..e9ba24142 100644
--- a/lib/ret/api/rooms.ex
+++ b/lib/ret/api/rooms.ex
@@ -25,7 +25,7 @@ defmodule Ret.Api.Rooms do
 
   def authed_get_favorite_rooms_of(%Account{} = account, %Credentials{} = credentials, params) do
     if can?(credentials, get_favorite_rooms_of(account)) do
-      {:ok, Hub.get_my_rooms(account, params)}
+      {:ok, Hub.get_favorite_rooms(account, params)}
     else
       {:error, :invalid_credentials}
     end

From 0c9638f4a0524debcc12061c56b13c78ff38f9d8 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 16 Nov 2020 18:48:22 -0800
Subject: [PATCH 118/138] Define internal functions with defp

---
 lib/ret/hub.ex | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 58207d154..0a57c5ea8 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -151,11 +151,11 @@ defmodule Ret.Hub do
     end
   end
 
-  def get_scene_or_scene_listing_by_id(nil) do
+  defp get_scene_or_scene_listing_by_id(nil) do
     SceneListing.get_random_default_scene_listing()
   end
 
-  def get_scene_or_scene_listing_by_id(id) do
+  defp get_scene_or_scene_listing_by_id(id) do
     Scene.scene_or_scene_listing_by_sid(id)
   end
 

From 9009d96b4a74d11a12ee3cd54dbfe1fca6b0b2a2 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 16 Nov 2020 19:27:11 -0800
Subject: [PATCH 119/138] Fix call to internal function

---
 lib/ret/hub.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 0a57c5ea8..838d5d25e 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -268,7 +268,7 @@ defmodule Ret.Hub do
   end
 
   def maybe_add_new_scene_to_changeset(changeset, %{scene_id: scene_id}) do
-    scene_or_scene_listing = Hub.get_scene_or_scene_listing_by_id(scene_id)
+    scene_or_scene_listing = get_scene_or_scene_listing_by_id(scene_id)
 
     if is_nil(scene_or_scene_listing) do
       {:error, "Cannot find scene with id " <> scene_id}

From 4923a6668c34b9b1d7aab521232afaa55a206224 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 16 Nov 2020 21:00:29 -0800
Subject: [PATCH 120/138] Remove max_page_size

This parameter affects existing API calls.
While I do not think it will cause any issues, I am removing
it for now because I want the changes to be isolated to the
new API as much as possible. I'd be happy to reintroduce this
later as-is, or before release if it targets this API specifically.
---
 lib/ret/repo.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ret/repo.ex b/lib/ret/repo.ex
index 987d9cb40..188946024 100644
--- a/lib/ret/repo.ex
+++ b/lib/ret/repo.ex
@@ -1,6 +1,6 @@
 defmodule Ret.Repo do
   use Ecto.Repo, otp_app: :ret, adapter: Ecto.Adapters.Postgres
-  use Scrivener, page_size: 20, max_page_size: 50
+  use Scrivener, page_size: 20
 
   def init(_, opts) do
     {:ok, Keyword.put(opts, :url, System.get_env("DATABASE_URL"))}

From 016d73701778b7b403f3609185d4fc7fee94d96f Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 16 Nov 2020 23:22:52 -0800
Subject: [PATCH 121/138] Fix credential changeset validation/constraints

---
 lib/ret/api/credentials.ex  | 100 ++++++++++++++++++++----------------
 lib/ret/api/token_module.ex |   8 ++-
 2 files changed, 59 insertions(+), 49 deletions(-)

diff --git a/lib/ret/api/credentials.ex b/lib/ret/api/credentials.ex
index 9383f9fb8..b39c2dfe6 100644
--- a/lib/ret/api/credentials.ex
+++ b/lib/ret/api/credentials.ex
@@ -9,6 +9,7 @@ defmodule Ret.Api.Credentials do
   use Ecto.Schema
   import Ecto.Query, only: [from: 2]
   import Ecto.Changeset
+  alias Ret.Api.{TokenSubjectType, ScopeType}
 
   @schema_prefix "ret0"
   @primary_key {:api_credentials_id, :id, autogenerate: true}
@@ -16,72 +17,83 @@ defmodule Ret.Api.Credentials do
   schema "api_credentials" do
     field(:api_credentials_sid, :string)
     field(:token_hash, :string)
-    field(:subject_type, Ret.Api.TokenSubjectType)
+    field(:subject_type, TokenSubjectType)
     field(:issued_at, :utc_datetime)
     field(:is_revoked, :boolean)
-    field(:scopes, {:array, Ret.Api.ScopeType})
+    field(:scopes, {:array, ScopeType})
 
     belongs_to(:account, Account, references: :account_id)
     timestamps()
   end
 
-  def create_new_api_credentials(options) do
-    %Credentials{}
-    |> changeset(options)
-    |> Ret.Repo.insert()
+  @required_keys [:api_credentials_sid, :token_hash, :subject_type, :issued_at, :is_revoked, :scopes]
+  @permitted_keys @required_keys
+
+  def generate_credentials(%{subject_type: _st, scopes: _sc, account_or_nil: account_or_nil} = params) do
+    token = SecureRandom.urlsafe_base64()
+
+    params =
+      Map.merge(params, %{
+        api_credentials_sid: Ret.Sids.generate_sid(),
+        token_hash: Ret.Crypto.hash(token),
+        issued_at: Timex.now() |> DateTime.truncate(:second),
+        is_revoked: false
+      })
+
+    case %Credentials{}
+         |> change()
+         |> cast(params, @permitted_keys)
+         |> maybe_put_assoc_account(account_or_nil)
+         |> validate_required(@required_keys)
+         |> validate_change(:subject_type, &validate_subject_type/2)
+         |> validate_change(:scopes, &validate_scopes_type/2)
+         |> unique_constraint(:api_credentials_sid)
+         |> unique_constraint(:token_hash)
+         # TODO: We can pass multiple fields to unique_contraint when we update ecto
+         # https://github.com/elixir-ecto/ecto/pull/3276
+         |> Ret.Repo.insert() do
+      {:ok, credentials} ->
+        {:ok, token, credentials}
+
+      {:error, reason} ->
+        {:error, reason}
+    end
   end
 
-  defp changeset(%Credentials{} = credentials, %{
-         token_hash: token_hash,
-         subject_type: subject_type,
-         scopes: scopes,
-         account: account
-       }) do
-    credentials
-    |> change()
-    |> add_api_credentials_sid_to_changeset
-    |> add_token_hash_to_changeset(token_hash)
-    |> add_subject_type_to_changeset(subject_type)
-    |> add_issued_at_to_changeset(Timex.now() |> DateTime.truncate(:second))
-    |> add_is_revoked_to_changeset(false)
-    |> add_scopes_to_changeset(scopes)
-    |> add_account_id_to_changeset((account && account.account_id) || nil)
-    |> unique_constraint(:api_credentials_sid)
-    |> unique_constraint(:token_hash)
-  end
-
-  defp add_api_credentials_sid_to_changeset(changeset) do
-    put_change(changeset, :api_credentials_sid, Ret.Sids.generate_sid())
-  end
-
-  defp add_token_hash_to_changeset(changeset, token_hash) do
-    put_change(changeset, :token_hash, token_hash)
-  end
-
-  defp add_subject_type_to_changeset(changeset, subject_type) do
-    put_change(changeset, :subject_type, subject_type)
+  defp maybe_put_assoc_account(changeset, %Account{} = account) do
+    put_assoc(changeset, :account, account)
   end
 
-  defp add_issued_at_to_changeset(changeset, issued_at) do
-    put_change(changeset, :issued_at, issued_at)
+  defp maybe_put_assoc_account(changeset, nil) do
+    changeset
   end
 
-  defp add_is_revoked_to_changeset(changeset, is_revoked) do
-    put_change(changeset, :is_revoked, is_revoked)
+  defp validate_scopes_type(:scopes, scopes) do
+    Enum.reduce(scopes, [], fn scope, errors ->
+      errors ++ validate_single_scope_type(scope)
+    end)
   end
 
-  defp add_scopes_to_changeset(changeset, scopes) do
-    put_change(changeset, :scopes, scopes)
+  defp validate_single_scope_type(scope) do
+    if ScopeType.valid_value?(scope) do
+      []
+    else
+      [invalid_scope: "Unrecognized scope type. Got #{scope}."]
+    end
   end
 
-  defp add_account_id_to_changeset(changeset, account_id) do
-    put_change(changeset, :account_id, account_id)
+  defp validate_subject_type(:subject_type, subject_type) do
+    if TokenSubjectType.valid_value?(subject_type) do
+      []
+    else
+      [subject_type: "Unrecognized subject type. Must be app or account. Got #{subject_type}."]
+    end
   end
 
   def revoke(credentials) do
     credentials
     |> change()
-    |> add_is_revoked_to_changeset(true)
+    |> put_change(:is_revoked, true)
     |> Ret.Repo.update()
   end
 
diff --git a/lib/ret/api/token_module.ex b/lib/ret/api/token_module.ex
index ac7b0c73e..ecb5cb06a 100644
--- a/lib/ret/api/token_module.ex
+++ b/lib/ret/api/token_module.ex
@@ -51,18 +51,16 @@ defmodule Ret.Api.TokenModule do
   Create a token.
   """
   def create_token(_mod, claims, _options \\ []) do
-    token = SecureRandom.urlsafe_base64()
     account_id = Map.get(claims, "account_id", nil)
 
     case get_account(account_id) do
       {:ok, account_or_nil} ->
-        case Ret.Api.Credentials.create_new_api_credentials(%{
+        case Ret.Api.Credentials.generate_credentials(%{
                subject_type: ensure_atom(Map.get(claims, "subject_type")),
                scopes: Map.get(claims, "scopes"),
-               account: account_or_nil,
-               token_hash: Ret.Crypto.hash(token)
+               account_or_nil: account_or_nil
              }) do
-          {:ok, _credentials} -> {:ok, token}
+          {:ok, token, _credentials} -> {:ok, token}
           _ -> {:error, "Failed to create token for claims."}
         end
 

From 832898bfef040e02496ffa1178c935a2e80c02eb Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 16 Nov 2020 23:46:52 -0800
Subject: [PATCH 122/138] Do not have all tokens end in "09"

---
 lib/ret/api/credentials.ex | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/ret/api/credentials.ex b/lib/ret/api/credentials.ex
index b39c2dfe6..1db9b3e15 100644
--- a/lib/ret/api/credentials.ex
+++ b/lib/ret/api/credentials.ex
@@ -30,7 +30,9 @@ defmodule Ret.Api.Credentials do
   @permitted_keys @required_keys
 
   def generate_credentials(%{subject_type: _st, scopes: _sc, account_or_nil: account_or_nil} = params) do
-    token = SecureRandom.urlsafe_base64()
+    # Use 18 bytes (not 16, the default) to avoid having all tokens end in "09"
+    # See https://github.com/patricksrobertson/secure_random.ex/issues/11
+    token = SecureRandom.urlsafe_base64(18)
 
     params =
       Map.merge(params, %{

From 50f7df661526dcb68b24fa2913cfb787c6f48a04 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 16 Nov 2020 23:49:35 -0800
Subject: [PATCH 123/138] Prefix the sid to the rest of the token

---
 lib/ret/api/credentials.ex | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/ret/api/credentials.ex b/lib/ret/api/credentials.ex
index 1db9b3e15..c26eea315 100644
--- a/lib/ret/api/credentials.ex
+++ b/lib/ret/api/credentials.ex
@@ -30,13 +30,16 @@ defmodule Ret.Api.Credentials do
   @permitted_keys @required_keys
 
   def generate_credentials(%{subject_type: _st, scopes: _sc, account_or_nil: account_or_nil} = params) do
+    sid = Ret.Sids.generate_sid()
+
     # Use 18 bytes (not 16, the default) to avoid having all tokens end in "09"
     # See https://github.com/patricksrobertson/secure_random.ex/issues/11
-    token = SecureRandom.urlsafe_base64(18)
+    # Prefix the sid to the rest of the token for ease of management
+    token = "#{sid}_#{SecureRandom.urlsafe_base64(18)}"
 
     params =
       Map.merge(params, %{
-        api_credentials_sid: Ret.Sids.generate_sid(),
+        api_credentials_sid: sid,
         token_hash: Ret.Crypto.hash(token),
         issued_at: Timex.now() |> DateTime.truncate(:second),
         is_revoked: false

From ec55da468a7317b38247551f7cb9e63f827931b2 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 16 Nov 2020 23:53:41 -0800
Subject: [PATCH 124/138] Update comment for Can impl for Atom

---
 lib/ret/hub.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 838d5d25e..5f47a70a2 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -805,7 +805,7 @@ defimpl Canada.Can, for: Ret.OAuthProvider do
   def can?(_, _, _), do: false
 end
 
-# Permissions for un-authenticated clients
+# Permissions for app tokens and un-authenticated clients
 defimpl Canada.Can, for: Atom do
   @allowed_app_token_actions [
     :get_rooms_created_by,

From 0eabfb34be332aa7a0322e0267356313f7173d66 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Tue, 17 Nov 2020 19:34:23 -0800
Subject: [PATCH 125/138] Add create_room function for api

WIP new create room (continued)
---
 lib/ret/api/rooms.ex              |  33 +------
 lib/ret/hub.ex                    | 155 +++++++++++++++++++++++++++++-
 lib/ret_web/schema/room_types.ex  |  13 ++-
 lib/ret_web/schema/scene_types.ex |   1 +
 4 files changed, 168 insertions(+), 34 deletions(-)

diff --git a/lib/ret/api/rooms.ex b/lib/ret/api/rooms.ex
index e9ba24142..dfeb2e0e3 100644
--- a/lib/ret/api/rooms.ex
+++ b/lib/ret/api/rooms.ex
@@ -39,40 +39,9 @@ defmodule Ret.Api.Rooms do
     end
   end
 
-  defp do_create_room(%Credentials{subject_type: :account, account: account}, params) do
-    random_name = Ret.RandomRoomNames.generate_room_name()
-    params = Map.put(params, :name, Map.get(params, :name, random_name))
-
-    with {:ok, hub} <- Hub.create(params),
-         {:ok, hub} <-
-           hub
-           |> Hub.add_attrs_to_changeset(params)
-           |> Hub.maybe_add_member_permissions(hub, params)
-           |> Hub.maybe_add_promotion(account, hub, params)
-           |> Hub.maybe_add_new_scene_to_changeset(params)
-           |> Repo.update() do
-      hub
-      |> Repo.preload(Hub.hub_preloads())
-      |> Hub.changeset_for_creator_assignment(account, hub.creator_assignment_token)
-      |> Repo.update()
-    end
-  end
-
-  defp do_create_room(%Credentials{subject_type: :app}, params) do
-    params = Map.put(params, :name, Map.get(params, :name, Ret.RandomRoomNames.generate_room_name()))
-
-    with {:ok, hub} <- Hub.create(params) do
-      hub
-      |> Hub.add_attrs_to_changeset(params)
-      |> Hub.maybe_add_member_permissions(hub, params)
-      |> Hub.maybe_add_new_scene_to_changeset(params)
-      |> Repo.update()
-    end
-  end
-
   def authed_create_room(%Credentials{} = credentials, params) do
     if can?(credentials, create_room(nil)) do
-      do_create_room(credentials, params)
+      Hub.create_room(params, credentials.account)
     else
       {:error, :invalid_credentials}
     end
diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 5f47a70a2..483bec259 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -116,6 +116,149 @@ defmodule Ret.Hub do
     timestamps()
   end
 
+  @required_keys [
+    :name,
+    :hub_sid,
+    :host,
+    :entry_code,
+    :entry_code_expires_at,
+    :embed_token,
+    :embedded,
+    :member_permissions,
+    :max_occupant_count,
+    :spawned_object_types,
+    :entry_mode,
+    :allow_promotion,
+    :room_size
+  ]
+  @permitted_keys [
+    :creator_assignment_token,
+    :description,
+    :default_environment_gltf_bundle_url,
+    :user_data,
+    :last_active_at | @required_keys
+  ]
+
+  # TODO: This function was created for use in the public API.
+  #       It would be good to revisit this and the alternatives below
+  #       so that there did not need to be as many variations.
+  def create_room(params, account) do
+    params =
+      Map.merge(
+        %{
+          name: Ret.RandomRoomNames.generate_room_name(),
+          hub_sid: Ret.Sids.generate_sid(),
+          host: RoomAssigner.get_available_host(nil),
+          entry_code: generate_entry_code!(),
+          entry_code_expires_at:
+            Timex.now()
+            |> Timex.shift(hours: @entry_code_expiration_hours)
+            |> DateTime.truncate(:second),
+          creator_assignment_token: SecureRandom.hex(),
+          embed_token: SecureRandom.hex(),
+          embedded: false,
+          member_permissions:
+            if Ret.AppConfig.get_config_bool("features|permissive_rooms") do
+              member_permissions_to_int(@default_member_permissions)
+            else
+              member_permissions_to_int(@default_restrictive_member_permissions)
+            end,
+          default_environment_gltf_bundle_url: nil,
+          entry_mode: :allow,
+          allow_promotion: false,
+          room_size: AppConfig.get_cached_config_value("features|default_room_size")
+        },
+        params
+      )
+
+    result =
+      %Hub{}
+      |> change()
+      |> cast(params, @permitted_keys)
+      |> add_account_to_changeset(account)
+      |> maybe_add_scene_info(params)
+      |> HubSlug.maybe_generate_slug()
+      |> validate_required(@required_keys)
+      |> validate_length(:name, max: 64)
+      |> validate_length(:description, max: 64_000)
+      |> validate_number(:room_size,
+        greater_than_or_equal_to: 0,
+        less_than_or_equal_to: AppConfig.get_cached_config_value("features|max_room_size")
+      )
+      |> unique_constraint(:hub_sid)
+      |> unique_constraint(:entry_code)
+      |> Repo.insert()
+
+    case result do
+      {:ok, hub} ->
+        {:ok, Repo.preload(hub, hub_preloads())}
+
+      _ ->
+        result
+    end
+  end
+
+  defp maybe_add_scene_info(changeset, params) do
+    case try_get_scene_from_params(params) do
+      {:ok, %{default_environment_gltf_bundle_url: url}} ->
+        changeset
+        |> cast(%{default_environment_gltf_bundle_url: url}, [:default_environment_gltf_bundle_url])
+        # TODO: Should we validate the format of the URL?
+        |> validate_required([:default_environment_gltf_bundle_url])
+
+      {:ok, %{scene_or_scene_listing: nil}} ->
+        # No default scene listing to fallback to. Leave it blank.
+        changeset
+
+      {:ok, %{scene_or_scene_listing: scene_or_scene_listing}} ->
+        add_new_scene_assoc_to_changeset(changeset, scene_or_scene_listing)
+
+      {:error, %{key: key, message: message}} ->
+        add_error(changeset, key, message)
+    end
+  end
+
+  # Helper for finding the scene, scene_listing, or environment_gltf_bundle_url
+  defp try_get_scene_from_params(%{scene_id: _id, scene_url: _url}) do
+    {:error,
+     %{key: :scene_id, message: "Cannot specify both scene_id and scene_url. Choose one or the other (or neither)."}}
+  end
+
+  defp try_get_scene_from_params(%{scene_url: url}) do
+    endpoint_host = RetWeb.Endpoint.host()
+
+    case url |> URI.parse() do
+      %URI{host: ^endpoint_host, path: "/scenes/" <> scene_path} ->
+        scene_or_scene_listing = scene_path |> String.split("/") |> Enum.at(0) |> Scene.scene_or_scene_listing_by_sid()
+
+        if is_nil(scene_or_scene_listing) do
+          {:error, %{key: :scene_url, message: "Cannot find scene with url: " <> url}}
+        else
+          {:ok, %{scene_or_scene_listing: scene_or_scene_listing}}
+        end
+
+      _ ->
+        {:ok, %{default_environment_gltf_bundle_url: url}}
+    end
+  end
+
+  defp try_get_scene_from_params(%{scene_id: id}) do
+    scene_or_scene_listing = Scene.scene_or_scene_listing_by_sid(id)
+
+    if is_nil(scene_or_scene_listing) do
+      {:error, %{key: :scene_id, message: "Cannot find scene with id: " <> id}}
+    else
+      {:ok, %{scene_or_scene_listing: scene_or_scene_listing}}
+    end
+  end
+
+  defp try_get_scene_from_params(_params) do
+    case SceneListing.get_random_default_scene_listing() do
+      nil -> {:ok, %{scene_or_scene_listing: nil}}
+      scene_listing -> {:ok, %{scene_or_scene_listing: scene_listing}}
+    end
+  end
+
   # Create new room, inserts into db
   # returns newly created %Hub
   def create_new_room(%{"name" => _name} = params, true = _add_to_db) do
@@ -310,6 +453,16 @@ defmodule Ret.Hub do
     |> add_new_scene_to_changeset(scene_listing)
   end
 
+  def add_new_scene_assoc_to_changeset(changeset, %Scene{} = scene) do
+    changeset
+    |> put_assoc(:scene, scene)
+  end
+
+  def add_new_scene_assoc_to_changeset(changeset, %SceneListing{} = scene_listing) do
+    changeset
+    |> put_assoc(:scene_listing, scene_listing)
+  end
+
   def add_new_scene_to_changeset(changeset, %Scene{} = scene) do
     changeset
     |> put_change(:scene_id, scene.scene_id)
@@ -420,7 +573,7 @@ defmodule Ret.Hub do
       nil -> nil
       %Scene{state: :removed} -> nil
       %SceneListing{state: :delisted} -> nil
-      scene -> scene
+      scene_or_scene_listing -> scene_or_scene_listing
     end
   end
 
diff --git a/lib/ret_web/schema/room_types.ex b/lib/ret_web/schema/room_types.ex
index 85bf3b397..dfb6047fa 100644
--- a/lib/ret_web/schema/room_types.ex
+++ b/lib/ret_web/schema/room_types.ex
@@ -3,7 +3,6 @@ defmodule RetWeb.Schema.RoomTypes do
 
   use Absinthe.Schema.Notation
   alias RetWeb.Resolvers
-
   import_types(RetWeb.Schema.Types.Custom.JSON)
 
   @desc "Public TLS port number used for TURN"
@@ -93,6 +92,11 @@ defmodule RetWeb.Schema.RoomTypes do
       resolve(&Resolvers.RoomResolver.embed_token/3)
     end
 
+    @desc """
+    Can be used to assign the room creator. (It will be blank if the room creator is already assigned.)
+    """
+    field(:creator_assignment_token, :string)
+
     @desc "Permissions for participants in the room"
     field(:member_permissions, :member_permissions) do
       resolve(&Resolvers.RoomResolver.member_permissions/3)
@@ -118,6 +122,9 @@ defmodule RetWeb.Schema.RoomTypes do
       resolve(&Resolvers.RoomResolver.scene/3)
     end
 
+    @desc "Default environment gltf bundle url associated with the room (instead of a scene or scene listing)"
+    field(:default_environment_gltf_bundle_url, :string)
+
     @desc "Arbitrary json data associated with the room"
     field(:user_data, :json)
   end
@@ -188,6 +195,8 @@ defmodule RetWeb.Schema.RoomTypes do
       arg(:room_size, :integer)
       @desc "The id of the scene to associate with the room"
       arg(:scene_id, :string)
+      @desc "The url of the scene to associate with the room"
+      arg(:scene_url, :string)
       @desc "The permissions non-admin participants should have in the room"
       arg(:member_permissions, :input_member_permissions)
       @desc "Make this room public (while it is open)"
@@ -210,6 +219,8 @@ defmodule RetWeb.Schema.RoomTypes do
       arg(:room_size, :integer)
       @desc "The id of the scene to associate with the room"
       arg(:scene_id, :string)
+      @desc "The url of the scene to associate with the room"
+      arg(:scene_url, :string)
       @desc "The permissions non-admin participants should have in the room"
       arg(:member_permissions, :input_member_permissions)
       @desc "Make this room public (while it is open)"
diff --git a/lib/ret_web/schema/scene_types.ex b/lib/ret_web/schema/scene_types.ex
index 6070c50e4..81b8de524 100644
--- a/lib/ret_web/schema/scene_types.ex
+++ b/lib/ret_web/schema/scene_types.ex
@@ -9,6 +9,7 @@ defmodule RetWeb.Schema.SceneTypes do
     resolve_type(fn
       %Scene{}, _ -> :scene
       %SceneListing{}, _ -> :scene_listing
+      _, _ -> nil
     end)
   end
 

From 4d1d9c8c1f5c05e8ac8e5dc26c023ac2b2b18177 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 18 Nov 2020 23:29:18 -0800
Subject: [PATCH 126/138] Fixup scene changes and member permissions

---
 lib/ret/api/rooms.ex |  58 ++--------
 lib/ret/hub.ex       | 262 ++++++++++++++++++++++++++-----------------
 2 files changed, 171 insertions(+), 149 deletions(-)

diff --git a/lib/ret/api/rooms.ex b/lib/ret/api/rooms.ex
index dfeb2e0e3..8889dd342 100644
--- a/lib/ret/api/rooms.ex
+++ b/lib/ret/api/rooms.ex
@@ -63,18 +63,20 @@ defmodule Ret.Api.Rooms do
 
   defp do_update_room(hub, %Credentials{subject_type: :app}, params) do
     hub
+    |> Repo.preload(Hub.hub_preloads())
     |> Hub.add_attrs_to_changeset(params)
     |> Hub.maybe_add_member_permissions(hub, params)
-    |> Hub.maybe_add_new_scene_to_changeset(params)
+    |> Hub.add_scene_changes_to_changeset(params)
     |> try_do_update_room(:reticulum_app_token)
   end
 
   defp do_update_room(hub, %Credentials{subject_type: :account, account: account}, params) do
     hub
+    |> Repo.preload(Hub.hub_preloads())
     |> Hub.add_attrs_to_changeset(params)
     |> Hub.maybe_add_member_permissions(hub, params)
     |> Hub.maybe_add_promotion(account, hub, params)
-    |> Hub.maybe_add_new_scene_to_changeset(params)
+    |> Hub.add_scene_changes_to_changeset(params)
     |> try_do_update_room(account)
   end
 
@@ -82,7 +84,7 @@ defmodule Ret.Api.Rooms do
     {:error, reason}
   end
 
-  defp try_do_update_room(changeset, :reticulum_app_token) do
+  defp try_do_update_room(changeset, subject) do
     case changeset |> Repo.update() do
       {:error, changeset} ->
         {:error, changeset}
@@ -90,62 +92,20 @@ defmodule Ret.Api.Rooms do
       {:ok, hub} ->
         hub = Repo.preload(hub, Hub.hub_preloads())
 
-        case broadcast_hub_refresh(hub, :reticulum_app_token) do
+        case broadcast_hub_refresh(hub, subject, Map.keys(changeset.changes) |> Enum.map(&Atom.to_string(&1))) do
           {:error, reason} -> {:error, reason}
           :ok -> {:ok, hub}
         end
     end
   end
 
-  defp try_do_update_room(changeset, account) do
-    case changeset |> Repo.update() do
-      {:error, changeset} ->
-        {:error, changeset}
-
-      {:ok, hub} ->
-        hub = Repo.preload(hub, Hub.hub_preloads())
-
-        case broadcast_hub_refresh(hub, account) do
-          {:error, reason} -> {:error, reason}
-          :ok -> {:ok, hub}
-        end
-    end
-  end
-
-  defp broadcast_hub_refresh(hub, :reticulum_app_token) do
-    payload =
-      HubView.render("show.json", %{
-        hub: hub,
-        embeddable: can?(:reticulum_app_token, embed_hub(hub))
-      })
-      |> Map.put(:stale_fields, [
-        # TODO: Only include fields that have changed in stale_fields
-        "name",
-        "description",
-        "member_permissions",
-        "room_size",
-        "allow_promotion",
-        "scene"
-      ])
-
-    RetWeb.Endpoint.broadcast("hub:" <> hub.hub_sid, "hub_refresh", payload)
-  end
-
-  defp broadcast_hub_refresh(hub, %Account{} = account) do
+  defp broadcast_hub_refresh(hub, subject, stale_fields) do
     payload =
       HubView.render("show.json", %{
         hub: hub,
-        embeddable: account |> can?(embed_hub(hub))
+        embeddable: subject |> can?(embed_hub(hub))
       })
-      |> Map.put(:stale_fields, [
-        # TODO: Only include fields that have changed in stale_fields
-        "name",
-        "description",
-        "member_permissions",
-        "room_size",
-        "allow_promotion",
-        "scene"
-      ])
+      |> Map.put(:stale_fields, stale_fields)
 
     RetWeb.Endpoint.broadcast("hub:" <> hub.hub_sid, "hub_refresh", payload)
   end
diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 483bec259..e27e99bdc 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -101,8 +101,8 @@ defmodule Ret.Hub do
     field(:spawned_object_types, :integer, default: 0)
     field(:entry_mode, Ret.Hub.EntryMode)
     field(:user_data, :map)
-    belongs_to(:scene, Ret.Scene, references: :scene_id)
-    belongs_to(:scene_listing, Ret.SceneListing, references: :scene_listing_id)
+    belongs_to(:scene, Ret.Scene, references: :scene_id, on_replace: :nilify)
+    belongs_to(:scene_listing, Ret.SceneListing, references: :scene_listing_id, on_replace: :nilify)
     has_many(:web_push_subscriptions, Ret.WebPushSubscription, foreign_key: :hub_id)
     belongs_to(:created_by_account, Ret.Account, references: :account_id)
     has_many(:hub_invites, Ret.HubInvite, foreign_key: :hub_id)
@@ -123,108 +123,124 @@ defmodule Ret.Hub do
     :entry_code,
     :entry_code_expires_at,
     :embed_token,
-    :embedded,
     :member_permissions,
     :max_occupant_count,
     :spawned_object_types,
-    :entry_mode,
-    :allow_promotion,
     :room_size
   ]
   @permitted_keys [
     :creator_assignment_token,
     :description,
+    :embedded,
     :default_environment_gltf_bundle_url,
     :user_data,
-    :last_active_at | @required_keys
+    :last_active_at,
+    :entry_mode,
+    :allow_promotion | @required_keys
   ]
 
   # TODO: This function was created for use in the public API.
   #       It would be good to revisit this and the alternatives below
   #       so that there did not need to be as many variations.
-  def create_room(params, account) do
-    params =
-      Map.merge(
-        %{
-          name: Ret.RandomRoomNames.generate_room_name(),
-          hub_sid: Ret.Sids.generate_sid(),
-          host: RoomAssigner.get_available_host(nil),
-          entry_code: generate_entry_code!(),
-          entry_code_expires_at:
-            Timex.now()
-            |> Timex.shift(hours: @entry_code_expiration_hours)
-            |> DateTime.truncate(:second),
-          creator_assignment_token: SecureRandom.hex(),
-          embed_token: SecureRandom.hex(),
-          embedded: false,
-          member_permissions:
-            if Ret.AppConfig.get_config_bool("features|permissive_rooms") do
-              member_permissions_to_int(@default_member_permissions)
-            else
-              member_permissions_to_int(@default_restrictive_member_permissions)
-            end,
-          default_environment_gltf_bundle_url: nil,
-          entry_mode: :allow,
-          allow_promotion: false,
-          room_size: AppConfig.get_cached_config_value("features|default_room_size")
-        },
-        params
-      )
-
-    result =
-      %Hub{}
-      |> change()
-      |> cast(params, @permitted_keys)
-      |> add_account_to_changeset(account)
-      |> maybe_add_scene_info(params)
-      |> HubSlug.maybe_generate_slug()
-      |> validate_required(@required_keys)
-      |> validate_length(:name, max: 64)
-      |> validate_length(:description, max: 64_000)
-      |> validate_number(:room_size,
-        greater_than_or_equal_to: 0,
-        less_than_or_equal_to: AppConfig.get_cached_config_value("features|max_room_size")
-      )
-      |> unique_constraint(:hub_sid)
-      |> unique_constraint(:entry_code)
-      |> Repo.insert()
+  def create_room(params, account_or_nil) do
+    with {:ok, params} <- parse_member_permissions(params) do
+      params =
+        Map.merge(
+          %{
+            name: Ret.RandomRoomNames.generate_room_name(),
+            hub_sid: Ret.Sids.generate_sid(),
+            host: RoomAssigner.get_available_host(nil),
+            entry_code: generate_entry_code!(),
+            entry_code_expires_at:
+              Timex.now()
+              |> Timex.shift(hours: @entry_code_expiration_hours)
+              |> DateTime.truncate(:second),
+            creator_assignment_token: SecureRandom.hex(),
+            embed_token: SecureRandom.hex(),
+            member_permissions: default_member_permissions(),
+            room_size: AppConfig.get_cached_config_value("features|default_room_size")
+          },
+          params
+        )
+
+      result =
+        %Hub{}
+        |> change()
+        |> cast(params, @permitted_keys)
+        |> add_account_to_changeset(account_or_nil)
+        |> add_scene_changes_to_changeset(params)
+        |> HubSlug.maybe_generate_slug()
+        |> validate_required(@required_keys)
+        |> validate_length(:name, max: 64)
+        |> validate_length(:description, max: 64_000)
+        |> validate_number(:room_size,
+          greater_than_or_equal_to: 0,
+          less_than_or_equal_to: AppConfig.get_cached_config_value("features|max_room_size")
+        )
+        |> unique_constraint(:hub_sid)
+        |> unique_constraint(:entry_code)
+        |> Repo.insert()
+
+      case result do
+        {:ok, hub} ->
+          {:ok, Repo.preload(hub, hub_preloads())}
+
+        _ ->
+          result
+      end
+    end
+  end
 
-    case result do
-      {:ok, hub} ->
-        {:ok, Repo.preload(hub, hub_preloads())}
+  # TODO: Clean up handling of member_permissions so that it is
+  # clear everywhere whether we are dealing with a map or an int
+  defp parse_member_permissions(%{member_permissions: map} = params) when is_map(map) do
+    case Hub.lenient_member_permissions_to_int(map) do
+      {:ok, member_permissions} ->
+        {:ok, %{params | member_permissions: member_permissions}}
 
-      _ ->
-        result
+      {ArgumentError, e} ->
+        {:error, e}
     end
   end
 
-  defp maybe_add_scene_info(changeset, params) do
-    case try_get_scene_from_params(params) do
-      {:ok, %{default_environment_gltf_bundle_url: url}} ->
-        changeset
-        |> cast(%{default_environment_gltf_bundle_url: url}, [:default_environment_gltf_bundle_url])
-        # TODO: Should we validate the format of the URL?
-        |> validate_required([:default_environment_gltf_bundle_url])
-
-      {:ok, %{scene_or_scene_listing: nil}} ->
-        # No default scene listing to fallback to. Leave it blank.
-        changeset
+  defp parse_member_permissions(%{member_permissions: nil} = params) do
+    {:ok, Map.delete(params, :member_permissions)}
+  end
 
-      {:ok, %{scene_or_scene_listing: scene_or_scene_listing}} ->
-        add_new_scene_assoc_to_changeset(changeset, scene_or_scene_listing)
+  defp parse_member_permissions(params) do
+    {:ok, params}
+  end
 
-      {:error, %{key: key, message: message}} ->
-        add_error(changeset, key, message)
+  defp default_member_permissions() do
+    if Ret.AppConfig.get_config_bool("features|permissive_rooms") do
+      member_permissions_to_int(@default_member_permissions)
+    else
+      member_permissions_to_int(@default_restrictive_member_permissions)
     end
   end
 
-  # Helper for finding the scene, scene_listing, or environment_gltf_bundle_url
-  defp try_get_scene_from_params(%{scene_id: _id, scene_url: _url}) do
+  def add_scene_changes_to_changeset(changeset, %{} = params) do
+    add_scene_changes(changeset, scene_change_from_params(params))
+  end
+
+  defp scene_change_from_params(%{scene_id: nil, scene_url: nil}) do
+    :nilify
+  end
+
+  defp scene_change_from_params(%{scene_id: _id, scene_url: _url}) do
     {:error,
      %{key: :scene_id, message: "Cannot specify both scene_id and scene_url. Choose one or the other (or neither)."}}
   end
 
-  defp try_get_scene_from_params(%{scene_url: url}) do
+  defp scene_change_from_params(%{scene_url: nil}) do
+    :nilify
+  end
+
+  defp scene_change_from_params(%{scene_id: nil}) do
+    :nilify
+  end
+
+  defp scene_change_from_params(%{scene_url: url}) do
     endpoint_host = RetWeb.Endpoint.host()
 
     case url |> URI.parse() do
@@ -234,29 +250,66 @@ defmodule Ret.Hub do
         if is_nil(scene_or_scene_listing) do
           {:error, %{key: :scene_url, message: "Cannot find scene with url: " <> url}}
         else
-          {:ok, %{scene_or_scene_listing: scene_or_scene_listing}}
+          scene_or_scene_listing
         end
 
       _ ->
-        {:ok, %{default_environment_gltf_bundle_url: url}}
+        url
     end
   end
 
-  defp try_get_scene_from_params(%{scene_id: id}) do
+  defp scene_change_from_params(%{scene_id: id}) do
     scene_or_scene_listing = Scene.scene_or_scene_listing_by_sid(id)
 
     if is_nil(scene_or_scene_listing) do
       {:error, %{key: :scene_id, message: "Cannot find scene with id: " <> id}}
     else
-      {:ok, %{scene_or_scene_listing: scene_or_scene_listing}}
+      scene_or_scene_listing
     end
   end
 
-  defp try_get_scene_from_params(_params) do
-    case SceneListing.get_random_default_scene_listing() do
-      nil -> {:ok, %{scene_or_scene_listing: nil}}
-      scene_listing -> {:ok, %{scene_or_scene_listing: scene_listing}}
-    end
+  defp scene_change_from_params(_params) do
+    nil
+  end
+
+  defp add_scene_changes(changeset, {:error, %{key: key, message: message}}) do
+    add_error(changeset, key, message)
+  end
+
+  defp add_scene_changes(changeset, nil) do
+    # No scene info in params. Leave unchanged
+    changeset
+  end
+
+  defp add_scene_changes(changeset, :nilify) do
+    # Clear scene info
+    changeset
+    |> put_change(:default_environment_gltf_bundle_url, nil)
+    |> put_assoc(:scene, nil)
+    |> put_assoc(:scene_listing, nil)
+  end
+
+  defp add_scene_changes(changeset, %Scene{} = scene) do
+    changeset
+    |> put_assoc(:scene, scene)
+    |> put_assoc(:scene_listing, nil)
+    |> put_change(:default_environment_gltf_bundle_url, nil)
+  end
+
+  defp add_scene_changes(changeset, %SceneListing{} = scene_listing) do
+    changeset
+    |> put_assoc(:scene, nil)
+    |> put_assoc(:scene_listing, scene_listing)
+    |> put_change(:default_environment_gltf_bundle_url, nil)
+  end
+
+  defp add_scene_changes(changeset, url) do
+    changeset
+    |> cast(%{default_environment_gltf_bundle_url: url}, [:default_environment_gltf_bundle_url])
+    # TODO: Should we validate the format of the URL?
+    |> validate_required([:default_environment_gltf_bundle_url])
+    |> put_assoc(:scene, nil)
+    |> put_assoc(:scene_listing, nil)
   end
 
   # Create new room, inserts into db
@@ -453,16 +506,6 @@ defmodule Ret.Hub do
     |> add_new_scene_to_changeset(scene_listing)
   end
 
-  def add_new_scene_assoc_to_changeset(changeset, %Scene{} = scene) do
-    changeset
-    |> put_assoc(:scene, scene)
-  end
-
-  def add_new_scene_assoc_to_changeset(changeset, %SceneListing{} = scene_listing) do
-    changeset
-    |> put_assoc(:scene_listing, scene_listing)
-  end
-
   def add_new_scene_to_changeset(changeset, %Scene{} = scene) do
     changeset
     |> put_change(:scene_id, scene.scene_id)
@@ -743,17 +786,32 @@ defmodule Ret.Hub do
     is_creator?(hub, account_id) || hub_role_memberships |> Enum.any?(&(&1.account_id === account_id))
   end
 
-  def member_permissions_to_int(%{} = member_permissions) do
+  @doc """
+  Lenient version of member permissions conversion
+  Does not throw on invalid permissions
+  """
+  def lenient_member_permissions_to_int(%{} = member_permissions) do
     invalid_member_permissions = member_permissions |> Map.drop(@member_permissions_keys) |> Map.keys()
 
     if invalid_member_permissions |> Enum.count() > 0 do
-      raise ArgumentError, "Invalid permissions #{invalid_member_permissions |> Enum.join(", ")}"
+      {ArgumentError, "Invalid permissions #{invalid_member_permissions |> Enum.join(", ")}"}
     end
 
-    @member_permissions
-    |> Enum.reduce(0, fn {val, member_permission}, acc ->
-      if(member_permissions[member_permission], do: val, else: 0) + acc
-    end)
+    {:ok,
+     @member_permissions
+     |> Enum.reduce(0, fn {val, member_permission}, acc ->
+       if(member_permissions[member_permission], do: val, else: 0) + acc
+     end)}
+  end
+
+  # TODO: Rename (lenient_)member_permissions_to_int
+  # to follow the elixir pattern of using an exclamation mark (!)
+  # to indicate possibly raising an error
+  def member_permissions_to_int(%{} = member_permissions) do
+    case lenient_member_permissions_to_int(member_permissions) do
+      {ArgumentError, e} -> raise ArgumentError, e
+      {:ok, int} -> int
+    end
   end
 
   def has_member_permission?(%Hub{} = hub, member_permission) do
@@ -783,6 +841,10 @@ defmodule Ret.Hub do
     )
   end
 
+  def maybe_add_member_permissions(changeset, _hub, %{:member_permissions => nil}) do
+    changeset
+  end
+
   def maybe_add_member_permissions(changeset, hub, %{:member_permissions => member_permissions}) do
     add_member_permissions_update_to_changeset(
       changeset,

From ec9cd680fa3b995a235d88d6de6cec950b318659 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 18 Nov 2020 23:36:38 -0800
Subject: [PATCH 127/138] Fix member perm parsing: return ArgumentError

---
 lib/ret/hub.ex | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index e27e99bdc..0740069e3 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -795,13 +795,13 @@ defmodule Ret.Hub do
 
     if invalid_member_permissions |> Enum.count() > 0 do
       {ArgumentError, "Invalid permissions #{invalid_member_permissions |> Enum.join(", ")}"}
+    else
+      {:ok,
+       @member_permissions
+       |> Enum.reduce(0, fn {val, member_permission}, acc ->
+         if(member_permissions[member_permission], do: val, else: 0) + acc
+       end)}
     end
-
-    {:ok,
-     @member_permissions
-     |> Enum.reduce(0, fn {val, member_permission}, acc ->
-       if(member_permissions[member_permission], do: val, else: 0) + acc
-     end)}
   end
 
   # TODO: Rename (lenient_)member_permissions_to_int
@@ -809,8 +809,11 @@ defmodule Ret.Hub do
   # to indicate possibly raising an error
   def member_permissions_to_int(%{} = member_permissions) do
     case lenient_member_permissions_to_int(member_permissions) do
-      {ArgumentError, e} -> raise ArgumentError, e
-      {:ok, int} -> int
+      {:ok, int} ->
+        int
+
+      {ArgumentError, e} ->
+        raise ArgumentError, e
     end
   end
 

From 7059fdd9074b53a1c0920053ba943d7e7b406477 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Thu, 19 Nov 2020 00:12:55 -0800
Subject: [PATCH 128/138] Remove unused test queries

---
 test/api/v2/room_query_test.exs | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index 19315803c..087f507c6 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -36,25 +36,6 @@ defmodule RoomQueryTest do
     }
   """
 
-  # @query_favorite_rooms """
-  #  query {
-  #    favoriteRooms {
-  #     entries {
-  #       id
-  #     }
-  #    }
-  #  }
-  # """
-
-  # @mutation_create_room """
-  #  mutation ($roomName: String!){
-  #    createRoom (name: $roomName) {
-  #      id,
-  #      name
-  #    }
-  #  }
-  # """
-
   defp do_graphql_action(conn, query, variables \\ %{}) do
     conn
     |> post("/api/v2_alpha/", %{

From 461de6065495a5c4630d34ab72321dce239f91f2 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 7 Dec 2020 15:27:33 -0800
Subject: [PATCH 129/138] Update workspace

---
 ...raphiql-workspace-2020-12-07-15-26-56.json | 739 ++++++++++++++++++
 1 file changed, 739 insertions(+)
 create mode 100644 test/api/v2/graphiql-workspace-2020-12-07-15-26-56.json

diff --git a/test/api/v2/graphiql-workspace-2020-12-07-15-26-56.json b/test/api/v2/graphiql-workspace-2020-12-07-15-26-56.json
new file mode 100644
index 000000000..2ac54e2c5
--- /dev/null
+++ b/test/api/v2/graphiql-workspace-2020-12-07-15-26-56.json
@@ -0,0 +1,739 @@
+{
+  "key": "graphiql",
+  "lastId": 11,
+  "tabIds": [
+    "tab1",
+    "tab2",
+    "tab4",
+    "tab5",
+    "tab6",
+    "tab7",
+    "tab8",
+    "tab9",
+    "tab10"
+  ],
+  "closedTabs": [
+    {
+      "id": "tab11",
+      "name": "Query 10",
+      "url": "https://localhost:4000/api/v2/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [],
+      "graphiql:query": "",
+      "graphiql:variables": "",
+      "graphiql:editorFlex": 1,
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:docExplorerWidth": 350
+    },
+    {
+      "id": "tab3",
+      "name": "No Token",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 2, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 2, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+      "graphiql:docExplorerWidth": 350,
+      "graphiql:queries": "{\"queries\":[{\"query\":\"query {\\n  myRooms(page: 2, pageSize: 5) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"}]}",
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:editorFlex": 1
+    }
+  ],
+  "defaultUrl": "https://localhost:4000/api/v2/graphiql",
+  "defaultWebsocketUrl": "",
+  "defaultQuery": "",
+  "defaultVariables": "",
+  "defaultProxy": false,
+  "defaultHeaders": [],
+  "usedUrls": [
+    "https://hubs.local:4000/api/v2_alpha/graphiql",
+    "https://localhost:4000/api/v2_alpha/graphiql",
+    "https://localhost:4000/api/v2alpha/graphiql",
+    "https://localhost:4000/api/v2/graphiql"
+  ],
+  "recentHeaders": [
+    {
+      "name": "Authorization",
+      "value": "Bearer 3u3Tz8U_UFhEdUNZT3dUUmRxc2JPQW05N0JVVW9O"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer 7usAt24_bjJhR2ZLd1RpRzdnbGlBMDF0UThOMDg3"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer 7usAt24_bjJhR2ZLd1RpRzdnbGlBMDF0UThOMDg"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer fsaf"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer c2FxcWtyTUNNOVVzd1VMVGZGeExSZz09"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer NHhKdGRUQWpRTzVPTzJ5Y0Q0UC9nZz09"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer cm5KbU8zbHEwOS83VitNaGVWall3UT09"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer U0NhWUozNVF4TEpRTTJtTGNGa01jUT09"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDg2Njc3OTYsImlhdCI6MTYwMzgyOTM5NiwiaXNzIjoiIiwianRpIjoiNzBmODI1MWMtZjE2YS00YThlLTg2MDYtNTZkNDE5ZjU4NzljIiwibmJmIjoxNjAzODI5Mzk1LCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIl0sInN1YiI6IjczMTAzODUxODcxMjcyOTY0MCIsInR5cCI6ImFjY2VzcyJ9.YGfqokwxtIQsmnNT21uOKoLAqlHx6cpI3mYrkQIxSniGIOewL84ckwfGcF9v54ZHkNR4bY8Cd_fqE2DfZKEO2g"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDg2Njc3NTQsImlhdCI6MTYwMzgyOTM1NCwiaXNzIjoiIiwianRpIjoiZTQ3MDA2NGQtYmFhNy00M2YzLTllNDgtZGU3MDg0MGRkMDU1IiwibmJmIjoxNjAzODI5MzUzLCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIiwiY3JlYXRlX2FjY291bnRzIl0sInN1YiI6InJldGljdWx1bV9hcHBfdG9rZW4iLCJ0eXAiOiJhY2Nlc3MifQ.kbzMkcxbMGoyh95cbS3QvgGx8ikgVCSeeMfeX3FJhLml8cBp_1apNT_CxOEQlSgRkm-Rppck975cVoqWVnR9_Q"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDM0Mzk0ODIsImlhdCI6MTYwMzQxMDY4MiwiaXNzIjoiIiwianRpIjoiMmE2NTRlNDMtOGUyNi00NzRhLTlhN2UtZjBjMWFjZTJkOWU1IiwibmJmIjoxNjAzNDEwNjgxLCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIiwiY3JlYXRlX2FjY291bnRzIl0sInN1YiI6InJldGljdWx1bV9hcHBfdG9rZW4iLCJ0eXAiOiJhY2Nlc3MifQ.9RaT1l8c5nK7nhd1EUWUgiOd01wDCMseUmRrK-AleGvwbgfm9Vp2rjc18ifg0cwPJfpPuDyrxGY8E3WWgqpVFA"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDM0MzkzMTcsImlhdCI6MTYwMzQxMDUxNywiaXNzIjoiIiwianRpIjoiZjVkOTU0ODYtYmZhNS00ZTI5LWExYzgtMGUwMmE1MmYxZjllIiwibmJmIjoxNjAzNDEwNTE2LCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIl0sInN1YiI6IjYzNDAyOTgyNzk3NTgwNjk4MCIsInR5cCI6ImFjY2VzcyJ9.dRKjTCYaPP-ogwLnCDfor4G90kn2vkaqGsjflxfRbwNwfHl0KNt4W99RWMomAtlxtegULOHDI08hrz6rsPjN_g"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDM0Mjc2NzQsImlhdCI6MTYwMzM5ODg3NCwiaXNzIjoiIiwianRpIjoiMzJkZGU0NWUtZjkxNS00NWJmLTk4NTktZGIyYmUzZDEyZmQ1IiwibmJmIjoxNjAzMzk4ODczLCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIiwiY3JlYXRlX2FjY291bnRzIl0sInN1YiI6InJldGljdWx1bV9hcHBfdG9rZW4iLCJ0eXAiOiJhY2Nlc3MifQ.9bzlZkoKnvFsf9Qm9Vmw-Prl3vPlNFku3S2S0J3owi18kjIhO_baIIGTkASG_yNL1aofnfFMCOjUFxhM80PrFw"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer   # def can?(%Ret.Account{} = account, action, account) when action in @self_allowed_actions, do: true"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer foo"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDMzMjg3NzAsImlhdCI6MTYwMzI5OTk3MCwiaXNzIjoiIiwianRpIjoiOTQyZmViN2MtN2YwOS00YWQ0LWExMmEtYjkyNTVjMDY3NDExIiwibmJmIjoxNjAzMjk5OTY5LCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIiwiY3JlYXRlX2FjY291bnRzIl0sInN1YiI6InJldGljdWx1bV9hcHBfdG9rZW4iLCJ0eXAiOiJhY2Nlc3MifQ.maRV8uXxt3a66E0e7muIkKYNVFERWMzYmmZg7JY1NQ0-UbjVSmC64RqbBz7IuJ5OUckAGAHCjYU7QbML3hILjg"
+    },
+    {
+      "name": "Authorization",
+      "value": "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDMzMjg3MzIsImlhdCI6MTYwMzI5OTkzMiwiaXNzIjoiIiwianRpIjoiYjlmYjAzZGYtMGU2Yi00ZjlhLWFkYTgtZmZiNjk1MmI2ODgyIiwibmJmIjoxNjAzMjk5OTMxLCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIl0sInN1YiI6IjYzNDAyOTgyNzk3NTgwNjk4MCIsInR5cCI6ImFjY2VzcyJ9.Ot-jOYrb6Fl-SD7BDmSUZT248JqOLOCsvDmeXb0jbJCheOTXi5WWu__Tnb-uGDVbXSM9LyCSA_1KJ_s_tH96yQ"
+    },
+    {
+      "name": "authorization",
+      "value": "bearer: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDMzMjg1NDcsImlhdCI6MTYwMzI5OTc0NywiaXNzIjoiIiwianRpIjoiZjIxYjc1MzYtMDkxYi00MjEzLTllODgtNjQ2NmFlY2IyYzY0IiwibmJmIjoxNjAzMjk5NzQ2LCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIiwiY3JlYXRlX2FjY291bnRzIl0sInN1YiI6InJldGljdWx1bV9hcHBfdG9rZW4iLCJ0eXAiOiJhY2Nlc3MifQ.pHeNOxSTyaSabHepEJr6oe9FwhopHpp21Q0yb5KQ8ENk3mcGLSjZGlFe2L81u5TFgazvWE9eCV8_jqdXhFAS9w"
+    },
+    {
+      "name": "authorization",
+      "value": "bearer: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDMzMjg0NTIsImlhdCI6MTYwMzI5OTY1MiwiaXNzIjoiIiwianRpIjoiOTNjZjk3MzQtNWVkYy00OTQ4LWI1NjctNjQ2MmQxNGFkMjFiIiwibmJmIjoxNjAzMjk5NjUxLCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIl0sInN1YiI6IjYzNDAyOTgyNzk3NTgwNjk4MCIsInR5cCI6ImFjY2VzcyJ9.47dOWjFahvS-rR-2pHqs_8ufHzFO1BNTNYP4x_AsHmzB_KfAnTEIgSgVL2ory9qsmgCtfMbsAFwZ4dpUXoOItw"
+    },
+    {
+      "name": "authorization",
+      "value": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXQiLCJleHAiOjE2MDMzMjg0NTIsImlhdCI6MTYwMzI5OTY1MiwiaXNzIjoiIiwianRpIjoiOTNjZjk3MzQtNWVkYy00OTQ4LWI1NjctNjQ2MmQxNGFkMjFiIiwibmJmIjoxNjAzMjk5NjUxLCJzY29wZXMiOlsicmVhZF9yb29tcyIsIndyaXRlX3Jvb21zIl0sInN1YiI6IjYzNDAyOTgyNzk3NTgwNjk4MCIsInR5cCI6ImFjY2VzcyJ9.47dOWjFahvS-rR-2pHqs_8ufHzFO1BNTNYP4x_AsHmzB_KfAnTEIgSgVL2ory9qsmgCtfMbsAFwZ4dpUXoOItw"
+    }
+  ],
+  "maxTabHistory": 20,
+  "maxUrlHistory": 20,
+  "maxHistory": 20,
+  "savedQueries": [
+    {
+      "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    memberPermissions: {\n      fly: false\n    }\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+      "variables": ""
+    },
+    {
+      "query": "mutation {\n  updateRoom(id: \"7VkWtfB\", name:\"hello world!!!\", description: \"A  room with a USER view\", allowPromotion: true, sceneId:\"tXkCgJw\", sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\") {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+      "variables": ""
+    },
+    {
+      "query": "mutation {\n  updateRoom(id: \"7VkWtfB\", name:\"hello world!!!\", description: \"A  room with a USER view\", allowPromotion: true, sceneId:\"tXkCgJw\", sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n  }\n}",
+      "variables": ""
+    },
+    {
+      "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    creatorAssignmentToken,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+      "variables": ""
+    },
+    {
+      "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneId:\"tXkCgJw\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    creatorAssignmentToken,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+      "variables": ""
+    },
+    {
+      "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+      "variables": ""
+    },
+    {
+      "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneId:\"tXkCgJw\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+      "variables": ""
+    },
+    {
+      "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+      "variables": ""
+    },
+    {
+      "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneId:\"tXkCgJw\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n    }\n  }\n}",
+      "variables": ""
+    }
+  ],
+  "activeId": "tab9",
+  "tabs": [
+    {
+      "id": "tab1",
+      "name": "[app] queries",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [
+        {
+          "name": "Authorization",
+          "value": "Bearer 3u3Tz8U_UFhEdUNZT3dUUmRxc2JPQW05N0JVVW9O"
+        }
+      ],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "query {\n  \n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      },\n      creatorAssignmentToken,\n      defaultEnvironmentGltfBundleUrl,\n      scene {\n        ... on Scene {\n          name,\n          id\n        }\n        ... on SceneListing {\n          name,\n          id\n        }\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  \n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      },\n      creatorAssignmentToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  \n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "\nquery {\n  \n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n    favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 2, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 2, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms {\n    entries (page: 2) {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  publicRooms {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  publicRooms {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(name:\"foo\"){\n    id,\n    description,\n    slug\n  }\n  \n  \n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id:\"2M6Poe2\", name:\"foo\") {\n    id,\n    name\n  },\n  \n  \n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id:\"2M6Poe2f\", name:\"foo\") {\n    id,\n    name\n  },\n  \n  \n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  foo: updateRoom(id:\"2M6Po2\", name:\"foo\") {\n    id,\n    name\n  },\n  \n  updateRoom(id:\"2M6Poe2\", name:\"bar\") {\n    id,\n    name\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  foo: updateRoom(id:\"2M6Poe2\", name:\"foo\") {\n    id,\n    name\n  },\n  \n  updateRoom(id:\"2M6Poe2\", name:\"bar\") {\n    id,\n    name\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id:\"2M6Poe2\", name:\"foo\") {\n    id,\n    name\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id:\"TkpzrAS\", name:\"bfffar\") {\n    id,\n    name\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "query {\n  \n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      },\n      creatorAssignmentToken,\n      defaultEnvironmentGltfBundleUrl,\n      scene {\n        ... on Scene {\n          name,\n          id\n        }\n        ... on SceneListing {\n          name,\n          id\n        }\n      }\n    }\n  }\n}",
+      "graphiql:queries": "{\"queries\":[{\"query\":\"mutation {\\n  updateRoom(id:\\\"TkpzrAS\\\", name:\\\"bar\\\") {\\n    id,\\n    name\\n  }\\n}\"},{\"query\":\"mutation {\\n  updateRoom(id:\\\"TkpzrAS\\\", name:\\\"bfffar\\\") {\\n    id,\\n    name\\n  }\\n}\"},{\"query\":\"mutation {\\n  updateRoom(id:\\\"2M6Poe2\\\", name:\\\"foo\\\") {\\n    id,\\n    name\\n  }\\n}\"},{\"query\":\"mutation {\\n  foo: updateRoom(id:\\\"2M6Poe2\\\", name:\\\"foo\\\") {\\n    id,\\n    name\\n  },\\n  \\n  updateRoom(id:\\\"2M6Poe2\\\", name:\\\"bar\\\") {\\n    id,\\n    name\\n  }\\n}\"},{\"query\":\"mutation {\\n  foo: updateRoom(id:\\\"2M6Po2\\\", name:\\\"foo\\\") {\\n    id,\\n    name\\n  },\\n  \\n  updateRoom(id:\\\"2M6Poe2\\\", name:\\\"bar\\\") {\\n    id,\\n    name\\n  }\\n}\"},{\"query\":\"mutation {\\n  updateRoom(id:\\\"2M6Poe2f\\\", name:\\\"foo\\\") {\\n    id,\\n    name\\n  },\\n  \\n  \\n}\"},{\"query\":\"mutation {\\n  updateRoom(id:\\\"2M6Poe2\\\", name:\\\"foo\\\") {\\n    id,\\n    name\\n  },\\n  \\n  \\n}\"},{\"query\":\"mutation {\\n  createRoom(name:\\\"foo\\\"){\\n    id,\\n    description,\\n    slug\\n  }\\n  \\n  \\n}\"},{\"query\":\"query {\\n  publicRooms {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  publicRooms {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms {\\n    entries (page: 2) {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 2, pageSize: 5) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 2, pageSize: 5) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 5) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n    favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"\\nquery {\\n  \\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  \\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  \\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      description,\\n      id,\\n      memberPermissions{\\n        fly\\n      },\\n      creatorAssignmentToken,\\n      defaultEnvironmentGltfBundleUrl,\\n      scene {\\n        ... on Scene {\\n          name,\\n          id\\n        }\\n        ... on SceneListing {\\n          name,\\n          id\\n        }\\n      }\\n    }\\n  }\\n}\"}]}",
+      "graphiql:editorFlex": 1,
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:docExplorerWidth": 350
+    },
+    {
+      "id": "tab2",
+      "name": "[user] queries",
+      "url": "https://hubs.local:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [
+        {
+          "name": "Authorization",
+          "value": "Bearer 7usAt24_bjJhR2ZLd1RpRzdnbGlBMDF0UThOMDg3"
+        }
+      ],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      },\n      creatorAssignmentToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n          defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n          defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      },\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n          defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n          defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      },\n      scene {\n        ...on Scene {\n          name,\n          id\n        }\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n publicRooms(page: 1, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n publicRooms(page: 2, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms(page: 2, pageSize: 5) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      },\n      creatorAssignmentToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n          defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n          defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n    }\n  }\n}",
+      "graphiql:queries": "{\"queries\":[{\"query\":\"query {\\n  myRooms(page: 2, pageSize: 5) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"query {\\n publicRooms(page: 2, pageSize: 5) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n publicRooms(page: 1, pageSize: 5) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      description,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      description,\\n      id,\\n      memberPermissions{\\n        fly\\n      },\\n      scene {\\n        ...on Scene {\\n          name,\\n          id\\n        }\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      description,\\n      id,\\n      memberPermissions{\\n        fly\\n      },\\n    defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n          defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n          defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      description,\\n      id,\\n      memberPermissions{\\n        fly\\n      },\\n      creatorAssignmentToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n          defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n          defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n    }\\n  }\\n}\"}]}",
+      "graphiql:docExplorerWidth": 350,
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:editorFlex": 1
+    },
+    {
+      "id": "tab4",
+      "name": "[app] createRoom",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [
+        {
+          "name": "Authorization",
+          "value": "Bearer 3u3Tz8U_UFhEdUNZT3dUUmRxc2JPQW05N0JVVW9O"
+        }
+      ],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\", allowPromotion:true) {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    creatorAssignmentToken,\n    roomSize\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\", allowPromotion:true) {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    creatorAssignmentToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\", allowPromotion:true) {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions\n      fly\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "mutation {\n  createRoom(description: \"A room with a view\", allowPromotion:true) {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    creatorAssignmentToken,\n    roomSize\n  }\n}",
+      "graphiql:queries": "{\"queries\":[{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id,\\n    name\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\", allowPromotion:true) {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\", allowPromotion:true) {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    creatorAssignmentToken\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\", allowPromotion:true) {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    creatorAssignmentToken,\\n    roomSize\\n  }\\n}\"}]}",
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:editorFlex": 1,
+      "graphiql:docExplorerWidth": 350
+    },
+    {
+      "id": "tab5",
+      "name": "[user] createRoom",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [
+        {
+          "name": "Authorization",
+          "value": "Bearer 7usAt24_bjJhR2ZLd1RpRzdnbGlBMDF0UThOMDg3"
+        }
+      ],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "mutation {\n  createRoom(\n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    memberPermissions: {\n      fly: true,\n      spawnEmoji:true\n    }\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    creatorAssignmentToken,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(\n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    memberPermissions: {\n      fly: \"hi\",\n      spawnEmoji:true\n    }\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    creatorAssignmentToken,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(\n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    memberPermissions: {\n      fly: nil,\n      spawnEmoji:true\n    }\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    creatorAssignmentToken,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(\n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    memberPermissions: {\n      fly: false,\n      foo: true,\n      spawnEmoji:true\n    }\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    creatorAssignmentToken,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(\n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    memberPermissions: {\n      fly: false,\n      spawnEmoji:true\n    }\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    creatorAssignmentToken,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(\n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    memberPermissions: {\n      fly: false\n    }\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    creatorAssignmentToken,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    creatorAssignmentToken,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneId:\"tXkCgJw\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    creatorAssignmentToken,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneId:\"tXkCgJw\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneUrl:\"https://hubs.local:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneUrl:\"foo\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneId:\"tXkCgJw\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneId:\"tXkCgJw\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneId:\"foo\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneUrl:\"foo\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\", sceneUrl: \"localhost:4000/foo/bar/\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "mutation {\n  createRoom(\n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    memberPermissions: {\n      fly: true,\n      spawnEmoji:true\n    }\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    defaultEnvironmentGltfBundleUrl,\n    creatorAssignmentToken,\n    scene {\n      ... on Scene {\n        name,\n        id\n      }\n      ... on SceneListing{\n        name,\n        id\n      }\n    }\n  }\n}",
+      "graphiql:queries": "{\"queries\":[{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\", sceneUrl: \\\"localhost:4000/foo/bar/\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\", sceneUrl:\\\"foo\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\", sceneId:\\\"foo\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\", sceneId:\\\"tXkCgJw\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\", sceneId:\\\"tXkCgJw\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\", sceneUrl:\\\"foo\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\", sceneUrl:\\\"https://hubs.local:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\", sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\", sceneId:\\\"tXkCgJw\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\", sceneId:\\\"tXkCgJw\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    creatorAssignmentToken,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\", sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    creatorAssignmentToken,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(\\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    sceneId:null,\\n    memberPermissions: {\\n      fly: false\\n    }\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    creatorAssignmentToken,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(\\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    sceneId:null,\\n    memberPermissions: {\\n      fly: false,\\n      spawnEmoji:true\\n    }\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    creatorAssignmentToken,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(\\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    sceneId:null,\\n    memberPermissions: {\\n      fly: false,\\n      foo: true,\\n      spawnEmoji:true\\n    }\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    creatorAssignmentToken,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(\\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    sceneId:null,\\n    memberPermissions: {\\n      fly: nil,\\n      spawnEmoji:true\\n    }\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    creatorAssignmentToken,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(\\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    sceneId:null,\\n    memberPermissions: {\\n      fly: \\\"hi\\\",\\n      spawnEmoji:true\\n    }\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    creatorAssignmentToken,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"},{\"query\":\"mutation {\\n  createRoom(\\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    sceneId:null,\\n    memberPermissions: {\\n      fly: true,\\n      spawnEmoji:true\\n    }\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    defaultEnvironmentGltfBundleUrl,\\n    creatorAssignmentToken,\\n    scene {\\n      ... on Scene {\\n        name,\\n        id\\n      }\\n      ... on SceneListing{\\n        name,\\n        id\\n      }\\n    }\\n  }\\n}\"}]}",
+      "graphiql:editorFlex": 1,
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:docExplorerWidth": 350
+    },
+    {
+      "id": "tab6",
+      "name": "[app] updateRoom",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "mutation {\n  updateRoom(id: \"7VkWtfB\", description: \"A room with an APP view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"maJCnRD\", description: \"A room with an APP view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"maJCnRD\", description: \"fggggg view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"maJCnRD\", description: \"fffff view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"maJCnRD\", description: \"Aasddas view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(id: \"EzqydXp\", description: \"Aasddas view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  createRoom(description: \"A room with a view\") {\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "mutation {\n  updateRoom(id: \"7VkWtfB\", description: \"A room with an APP view\") {\n    description,\n    id,\n    name,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken\n  }\n}",
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:editorFlex": 1,
+      "graphiql:queries": "{\"queries\":[{\"query\":\"mutation {\\n  createRoom(description: \\\"A room with a view\\\") {\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"EzqydXp\\\", description: \\\"Aasddas view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"maJCnRD\\\", description: \\\"Aasddas view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"maJCnRD\\\", description: \\\"fffff view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"maJCnRD\\\", description: \\\"fggggg view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"maJCnRD\\\", description: \\\"A room with an APP view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\"},{\"query\":\"mutation {\\n  updateRoom(id: \\\"7VkWtfB\\\", description: \\\"A room with an APP view\\\") {\\n    description,\\n    id,\\n    name,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken\\n  }\\n}\"}]}",
+      "graphiql:docExplorerWidth": 350
+    },
+    {
+      "id": "tab7",
+      "name": "[user] updateRoom",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [
+        {
+          "name": "Authorization",
+          "value": "Bearer 7usAt24_bjJhR2ZLd1RpRzdnbGlBMDF0UThOMDg3"
+        }
+      ],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"cfq2p8i\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    #sceneId: null,\n    sceneId: \"tXkCgJw\",\n    memberPermissions: {\n      fly: false\n    }\n    #sceneUrl: null\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"cfq2p8i\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    #sceneId: null,\n    #sceneId: \"tXkCgJw\",\n    memberPermissions: {\n      fly: false\n    }\n    #sceneUrl: null\n    sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    #sceneId: null,\n    #sceneId: \"tXkCgJw\",\n    memberPermissions: {\n      fly: false\n    }\n    #sceneUrl: null\n    sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    #sceneId: null,\n    sceneId: \"tXkCgJw\",\n    memberPermissions: {\n      fly: false\n    }\n    #sceneUrl: null\n   # sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    #sceneId: null,\n    sceneId: \"tXkCgJw\",\n    memberPermissions: {\n      fly: false\n    }\n    sceneUrl: null\n   # sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    #sceneId: null,\n    memberPermissions: {\n      fly: false\n    }\n    sceneUrl: null\n   # sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    #sceneId: null,\n    memberPermissions: {\n      fly: false\n    }\n    sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId: null,\n    memberPermissions: {\n      fly: false\n    }\n    sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    memberPermissions: {\n      fly: false\n    \n}\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    memberPermissions: null\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    memberPermissions: {\n      fly: true,\n      spawnEmoji: true\n    }\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    memberPermissions: {\n      fly: false,\n      spawnEmoji: true\n    }\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    memberPermissions: {\n      fly: false,\n      spawnEmoji: true\n    }\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    memberPermissions: {\n      fly: false\n    }\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    memberPermissions{\n      fly: false\n    }\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    sceneId:null,\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    #sceneId:\"tXkCgJw\",\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "mutation {\n  updateRoom(\n    id: \"7VkWtfB\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    #sceneId:\"tXkCgJw\",\n    sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "mutation {\n  updateRoom(\n    id: \"cfq2p8i\", \n    name:\"hello world!!!\", \n    description: \"A  room with a USER view\",\n    allowPromotion: true, \n    #sceneId: null,\n    sceneId: \"tXkCgJw\",\n    memberPermissions: {\n      fly: false\n    }\n    #sceneUrl: null\n    #sceneUrl:\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\"\n  ) {\n    description,\n    id,\n    name,\n    defaultEnvironmentGltfBundleUrl,\n    allowPromotion,\n    memberPermissions{\n      fly,\n      spawnEmoji\n    },\n    embedToken,\n    scene {\n      ... on Scene{\n        name,\n        id\n      }\n    }\n\n  }\n}",
+      "graphiql:queries": "{\"queries\":[{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n   sceneId:\\\"tXkCgJw\\\",\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    #sceneId:\\\"tXkCgJw\\\",\\n    sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    #sceneId:\\\"tXkCgJw\\\",\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    sceneId:null,\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    sceneId:null,\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    sceneId:null,\\n    memberPermissions: {\\n      fly: false\\n    }\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    sceneId:null,\\n    memberPermissions: {\\n      fly: false,\\n      spawnEmoji: true\\n    }\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    sceneId:null,\\n    memberPermissions: {\\n      fly: false,\\n      spawnEmoji: true\\n    }\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    sceneId:null,\\n    memberPermissions: {\\n      fly: true,\\n      spawnEmoji: true\\n    }\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    sceneId:null,\\n    memberPermissions: null\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    sceneId:null,\\n    memberPermissions: {\\n      fly: false\\n    \\n}\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    sceneId: null,\\n    memberPermissions: {\\n      fly: false\\n    }\\n    sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    #sceneId: null,\\n    memberPermissions: {\\n      fly: false\\n    }\\n    sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    #sceneId: null,\\n    memberPermissions: {\\n      fly: false\\n    }\\n    sceneUrl: null\\n   # sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    #sceneId: null,\\n    sceneId: \\\"tXkCgJw\\\",\\n    memberPermissions: {\\n      fly: false\\n    }\\n    sceneUrl: null\\n   # sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    #sceneId: null,\\n    sceneId: \\\"tXkCgJw\\\",\\n    memberPermissions: {\\n      fly: false\\n    }\\n    #sceneUrl: null\\n   # sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"7VkWtfB\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    #sceneId: null,\\n    #sceneId: \\\"tXkCgJw\\\",\\n    memberPermissions: {\\n      fly: false\\n    }\\n    #sceneUrl: null\\n    sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\",\"variables\":\"\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"cfq2p8i\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    #sceneId: null,\\n    #sceneId: \\\"tXkCgJw\\\",\\n    memberPermissions: {\\n      fly: false\\n    }\\n    #sceneUrl: null\\n    sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\"},{\"query\":\"mutation {\\n  updateRoom(\\n    id: \\\"cfq2p8i\\\", \\n    name:\\\"hello world!!!\\\", \\n    description: \\\"A  room with a USER view\\\",\\n    allowPromotion: true, \\n    #sceneId: null,\\n    sceneId: \\\"tXkCgJw\\\",\\n    memberPermissions: {\\n      fly: false\\n    }\\n    #sceneUrl: null\\n    #sceneUrl:\\\"https://localhost:8080/assets/models/LoadingEnvironment-570a9f69a9509eb8a039c9ff93ccfdca.glb\\\"\\n  ) {\\n    description,\\n    id,\\n    name,\\n    defaultEnvironmentGltfBundleUrl,\\n    allowPromotion,\\n    memberPermissions{\\n      fly,\\n      spawnEmoji\\n    },\\n    embedToken,\\n    scene {\\n      ... on Scene{\\n        name,\\n        id\\n      }\\n    }\\n\\n  }\\n}\"}]}",
+      "graphiql:docExplorerWidth": 350,
+      "graphiql:editorFlex": 1,
+      "graphiql:variableEditorHeight": 200
+    },
+    {
+      "id": "tab8",
+      "name": "[revoked token] queries",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "query {\n  \n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "",
+          "variables": null
+        },
+        {
+          "query": "query {\n  \n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "query {\n  \n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:docExplorerWidth": 350,
+      "graphiql:editorFlex": 1,
+      "graphiql:queries": "{\"queries\":[{\"query\":\"query {\\n  \\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\",\"variables\":\"\"}]}"
+    },
+    {
+      "id": "tab9",
+      "name": "[no token] queries",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        },
+        {
+          "query": "query {\n  myRooms{\n    entries{\n      id\n    }\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:editorFlex": 1,
+      "graphiql:queries": "{\"queries\":[{\"query\":\"query {\\n  myRooms{\\n    entries{\\n      id\\n    }\\n  }\\n}\"},{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      description,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\"}]}",
+      "graphiql:docExplorerWidth": 350
+    },
+    {
+      "id": "tab10",
+      "name": "[invalid token] queries",
+      "url": "https://localhost:4000/api/v2_alpha/graphiql",
+      "websocketUrl": "",
+      "proxy": false,
+      "headers": [
+        {
+          "name": "Authorization",
+          "value": "Bearer foo"
+        }
+      ],
+      "collapsed": false,
+      "maxHistory": 20,
+      "history": [
+        {
+          "query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+          "variables": null
+        }
+      ],
+      "graphiql:query": "query {\n  myRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      description,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n  favoriteRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n  \n   publicRooms(page: 1, pageSize: 3) {\n    entries {\n      name,\n      id,\n      memberPermissions{\n        fly\n      }\n    }\n  }\n}",
+      "graphiql:docExplorerWidth": 350,
+      "graphiql:editorFlex": 1,
+      "graphiql:variableEditorHeight": 200,
+      "graphiql:queries": "{\"queries\":[{\"query\":\"query {\\n  myRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      description,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n  favoriteRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n  \\n   publicRooms(page: 1, pageSize: 3) {\\n    entries {\\n      name,\\n      id,\\n      memberPermissions{\\n        fly\\n      }\\n    }\\n  }\\n}\",\"variables\":\"\"}]}"
+    }
+  ]
+}
\ No newline at end of file

From 4bdde03670d25ad4fd3ccb40bc9eb7c7d88d408e Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Sun, 13 Dec 2020 18:41:06 -0800
Subject: [PATCH 130/138] PR feedback

---
 lib/ret/api/credentials.ex       |  2 +-
 lib/ret_web/middleware/timing.ex | 33 +++++++++++++++-----------------
 2 files changed, 16 insertions(+), 19 deletions(-)

diff --git a/lib/ret/api/credentials.ex b/lib/ret/api/credentials.ex
index c26eea315..dc94dc271 100644
--- a/lib/ret/api/credentials.ex
+++ b/lib/ret/api/credentials.ex
@@ -35,7 +35,7 @@ defmodule Ret.Api.Credentials do
     # Use 18 bytes (not 16, the default) to avoid having all tokens end in "09"
     # See https://github.com/patricksrobertson/secure_random.ex/issues/11
     # Prefix the sid to the rest of the token for ease of management
-    token = "#{sid}_#{SecureRandom.urlsafe_base64(18)}"
+    token = "#{sid}.#{SecureRandom.urlsafe_base64(18)}"
 
     params =
       Map.merge(params, %{
diff --git a/lib/ret_web/middleware/timing.ex b/lib/ret_web/middleware/timing.ex
index 4f99a8ec9..a50f4498f 100644
--- a/lib/ret_web/middleware/timing.ex
+++ b/lib/ret_web/middleware/timing.ex
@@ -40,7 +40,8 @@ defmodule RetWeb.Middleware.InspectTiming do
   def call(resolution, _) do
     case resolution do
       %{private: %{timing: timing}} ->
-        inspect_timing_info(timing)
+        log_timing_info(timing)
+        nil
 
       _ ->
         nil
@@ -49,23 +50,19 @@ defmodule RetWeb.Middleware.InspectTiming do
     resolution
   end
 
-  defp inspect_timing_info(timing) do
-    Enum.each(timing, fn item ->
-      case item do
-        {identifier, %{started_at: started_at, ended_at: ended_at}} ->
-          diff = NaiveDateTime.diff(ended_at, started_at, :microsecond)
-          IO.puts("#{Atom.to_string(identifier)} took #{diff} microseconds to run.")
+  defp log_timing_info(_timing) do
+    nil
+  end
 
-        {identifier, _} ->
-          IO.puts(
-            "Cannot log diff of identifier because it lacks timing info started_at and ended_at: #{
-              Atom.to_string(identifier)
-            }"
-          )
+  # # TODO: Log these metrics with something like :telemetry or Statix
+  # defp log_timing_info(timing) do
+  #   Enum.each(timing, fn
+  #     {identifier, %{started_at: started_at, ended_at: ended_at}} ->
+  #       diff = NaiveDateTime.diff(ended_at, started_at, :microsecond)
+  #       IO.puts("#{Atom.to_string(identifier)} took #{diff} microseconds to run.")
 
-        _ ->
-          nil
-      end
-    end)
-  end
+  #     _ ->
+  #       nil
+  #   end)
+  # end
 end

From 70bb8a51101b8b24951bde3e25a6fffa780c79a7 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Mon, 14 Dec 2020 11:23:06 -0800
Subject: [PATCH 131/138] Remove issued_at field

---
 lib/ret/api/credentials.ex                                    | 4 +---
 .../migrations/20201027202054_add_api_credentials_table.exs   | 1 -
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/lib/ret/api/credentials.ex b/lib/ret/api/credentials.ex
index dc94dc271..8922e57d8 100644
--- a/lib/ret/api/credentials.ex
+++ b/lib/ret/api/credentials.ex
@@ -18,7 +18,6 @@ defmodule Ret.Api.Credentials do
     field(:api_credentials_sid, :string)
     field(:token_hash, :string)
     field(:subject_type, TokenSubjectType)
-    field(:issued_at, :utc_datetime)
     field(:is_revoked, :boolean)
     field(:scopes, {:array, ScopeType})
 
@@ -26,7 +25,7 @@ defmodule Ret.Api.Credentials do
     timestamps()
   end
 
-  @required_keys [:api_credentials_sid, :token_hash, :subject_type, :issued_at, :is_revoked, :scopes]
+  @required_keys [:api_credentials_sid, :token_hash, :subject_type, :is_revoked, :scopes]
   @permitted_keys @required_keys
 
   def generate_credentials(%{subject_type: _st, scopes: _sc, account_or_nil: account_or_nil} = params) do
@@ -41,7 +40,6 @@ defmodule Ret.Api.Credentials do
       Map.merge(params, %{
         api_credentials_sid: sid,
         token_hash: Ret.Crypto.hash(token),
-        issued_at: Timex.now() |> DateTime.truncate(:second),
         is_revoked: false
       })
 
diff --git a/priv/repo/migrations/20201027202054_add_api_credentials_table.exs b/priv/repo/migrations/20201027202054_add_api_credentials_table.exs
index a17eb49da..96499110a 100644
--- a/priv/repo/migrations/20201027202054_add_api_credentials_table.exs
+++ b/priv/repo/migrations/20201027202054_add_api_credentials_table.exs
@@ -9,7 +9,6 @@ defmodule Ret.Repo.Migrations.AddApiCredentialsTable do
       add(:api_credentials_id, :bigint, default: fragment("ret0.next_id()"), primary_key: true)
       add(:token_hash, :string, null: false)
       add(:api_credentials_sid, :string, null: false)
-      add(:issued_at, :utc_datetime, null: false)
       add(:is_revoked, :boolean, null: false)
       add(:scopes, {:array, :api_scope_type}, null: false)
       add(:subject_type, :api_token_subject_type, null: false)

From a02026d4eb578cba038237e40c0400ffe71a0efb Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Tue, 8 Dec 2020 17:36:19 -0800
Subject: [PATCH 132/138] Add (regular) API to manage (graphql) credentials

---
 lib/ret/api/credentials.ex                    |  10 +-
 lib/ret/api/token_utils.ex                    |  98 +++++-
 lib/ret/hub.ex                                |  40 +++
 .../api/v2/credentials_controller.ex          | 132 ++++++++
 lib/ret_web/router.ex                         |   9 +
 lib/ret_web/views/api/v2/credentials_view.ex  |  42 +++
 .../api/credentials_controller_test.exs       | 306 ++++++++++++++++++
 7 files changed, 632 insertions(+), 5 deletions(-)
 create mode 100644 lib/ret_web/controllers/api/v2/credentials_controller.ex
 create mode 100644 lib/ret_web/views/api/v2/credentials_view.ex
 create mode 100644 test/ret_web/controllers/api/credentials_controller_test.exs

diff --git a/lib/ret/api/credentials.ex b/lib/ret/api/credentials.ex
index 8922e57d8..8083e9a9b 100644
--- a/lib/ret/api/credentials.ex
+++ b/lib/ret/api/credentials.ex
@@ -71,7 +71,7 @@ defmodule Ret.Api.Credentials do
     changeset
   end
 
-  defp validate_scopes_type(:scopes, scopes) do
+  def validate_scopes_type(:scopes, scopes) do
     Enum.reduce(scopes, [], fn scope, errors ->
       errors ++ validate_single_scope_type(scope)
     end)
@@ -85,11 +85,11 @@ defmodule Ret.Api.Credentials do
     end
   end
 
-  defp validate_subject_type(:subject_type, subject_type) do
+  def validate_subject_type(:subject_type, subject_type) do
     if TokenSubjectType.valid_value?(subject_type) do
       []
     else
-      [subject_type: "Unrecognized subject type. Must be app or account. Got #{subject_type}."]
+      [invalid_subject_type: "Unrecognized subject type. Must be app or account. Got #{subject_type}."]
     end
   end
 
@@ -121,4 +121,8 @@ defmodule Ret.Api.Credentials do
       where: credential.account_id == ^id
     )
   end
+
+  def app_token_query() do
+    from(c in Credentials, where: c.subject_type == ^:app)
+  end
 end
diff --git a/lib/ret/api/token_utils.ex b/lib/ret/api/token_utils.ex
index edb74c1b1..a1c3bc303 100644
--- a/lib/ret/api/token_utils.ex
+++ b/lib/ret/api/token_utils.ex
@@ -2,8 +2,10 @@ defmodule Ret.Api.TokenUtils do
   @moduledoc """
   Utility functions for generating API access tokens.
   """
-  alias Ret.Account
-  alias Ret.Api.{Token, Scopes}
+  alias Ret.{Account, Repo}
+  alias Ret.Api.{Credentials, Token, Scopes}
+
+  import Canada, only: [can?: 2]
 
   def gen_app_token(scopes \\ [Scopes.read_rooms(), Scopes.write_rooms(), Scopes.create_accounts()]) do
     Token.encode_and_sign(nil, %{
@@ -20,4 +22,96 @@ defmodule Ret.Api.TokenUtils do
       account_id: account.account_id
     })
   end
+
+  defp ensure_atom(x) when is_atom(x), do: x
+  defp ensure_atom(x) when is_binary(x), do: String.to_atom(x)
+
+  # TODO Should we permit the creation of tokens
+  # on behalf of other accounts like this?
+  defp account_id_from_args(%Account{}, %{"account_id" => account_id}) do
+    account_id
+  end
+
+  defp account_id_from_args(%Account{} = account, _params) do
+    account.account_id
+  end
+
+  defp validate_account_id(%Account{account_id: account_id}, account_id) do
+    []
+  end
+
+  defp validate_account_id(%Account{}, account_id) do
+    case Account.query()
+         |> Account.where_account_id_is(account_id)
+         |> Repo.one() do
+      %Account{} ->
+        []
+
+      nil ->
+        [account_id: "Invalid account id #{account_id}"]
+    end
+  end
+
+  def to_claims(%Account{} = account, %{"subject_type" => subject_type, "scopes" => scopes} = params) do
+    account_id = account_id_from_args(account, params)
+
+    case to_claims(account, account_id, scopes, subject_type) do
+      errors when is_list(errors) ->
+        {:error, errors}
+
+      claims ->
+        {:ok, claims}
+    end
+  end
+
+  defp to_claims(%Account{} = account, account_id, scopes, subject_type) do
+    with [] <-
+           validate_account_id(account, account_id) ++
+             Credentials.validate_scopes_type(:scopes, scopes) ++
+             Credentials.validate_subject_type(:subject_type, subject_type) do
+      # It is safe to cast user-provided strings to atoms here
+      # because we validated that the strings match our atoms
+      # (i.e. with &valid_value?/1 from ecto_enum's defenum )
+      %{
+        account_id: account_id,
+        subject_type: ensure_atom(subject_type),
+        scopes: Enum.map(scopes, &ensure_atom/1)
+      }
+    end
+  end
+
+  def authed_create_credentials(account, claims) do
+    if can?(account, create_credentials(claims)) do
+      Token.encode_and_sign(nil, claims)
+    else
+      {:error, :unauthorized}
+    end
+  end
+
+  def authed_list_credentials(account, subject_type) do
+    if can?(account, list_credentials(subject_type)) do
+      list_credentials(account, subject_type)
+    else
+      {:error, :unauthorized}
+    end
+  end
+
+  defp list_credentials(account, :account) do
+    Credentials.query()
+    |> Credentials.where_account_is(account)
+    |> Repo.all()
+  end
+
+  defp list_credentials(_account, :app) do
+    Credentials.app_token_query()
+    |> Repo.all()
+  end
+
+  def authed_revoke_credentials(account, credentials) do
+    if can?(account, revoke_credentials(credentials)) do
+      Credentials.revoke(credentials)
+    else
+      {:error, :unauthorized}
+    end
+  end
 end
diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 0740069e3..23930d19d 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -897,6 +897,46 @@ end
 
 defimpl Canada.Can, for: Ret.Account do
   alias Ret.{Hub, AppConfig}
+  alias Ret.Api.{Scopes, Credentials}
+
+  def can?(%Ret.Account{}, :create_credentials, %{subject_type: :account, scopes: scopes}) do
+    # TODO: Is it correct to disallow the create_accounts scope for account type tokens?
+    # If so, why? Do we need to enforce this everywhere?
+    Scopes.create_accounts() not in scopes
+  end
+
+  def can?(%Ret.Account{is_admin: is_admin}, :create_credentials, %{subject_type: :app}) do
+    is_admin
+  end
+
+  def can?(%Ret.Account{}, :create_credentials, _params) do
+    false
+  end
+
+  def can?(%Ret.Account{is_admin: is_admin}, :list_credentials, :app) do
+    is_admin
+  end
+
+  def can?(%Ret.Account{}, :list_credentials, :account) do
+    # TODO: Allow admins to disable this in config
+    true
+  end
+
+  def can?(%Ret.Account{}, :list_credentials, _subject_type) do
+    false
+  end
+
+  def can?(%Ret.Account{account_id: account_id}, :revoke_credentials, %Credentials{account_id: account_id}) do
+    true
+  end
+
+  def can?(%Ret.Account{is_admin: true}, :revoke_credentials, %Credentials{}) do
+    true
+  end
+
+  def can?(%Ret.Account{}, :revoke_credentials, %Credentials{}) do
+    false
+  end
 
   @owner_actions [:update_hub, :close_hub, :embed_hub, :kick_users, :mute_users]
   @object_actions [:spawn_and_move_media, :spawn_camera, :spawn_drawing, :pin_objects, :spawn_emoji, :fly]
diff --git a/lib/ret_web/controllers/api/v2/credentials_controller.ex b/lib/ret_web/controllers/api/v2/credentials_controller.ex
new file mode 100644
index 000000000..c0c66db09
--- /dev/null
+++ b/lib/ret_web/controllers/api/v2/credentials_controller.ex
@@ -0,0 +1,132 @@
+defmodule RetWeb.Api.V2.CredentialsController do
+  use RetWeb, :controller
+
+  alias Ret.{Repo}
+  alias Ret.Api.Credentials
+  alias Ecto.Changeset
+
+  import Ret.Api.TokenUtils,
+    only: [to_claims: 2, authed_create_credentials: 2, authed_list_credentials: 2, authed_revoke_credentials: 2]
+
+  # Limit to 1 TPS
+  # TODO : I copied this from other controllers. Is this an appropriate limit? -John
+  plug(RetWeb.Plugs.RateLimit when action in [:create, :update])
+
+  def index(conn, %{"app" => _anything} = _params) do
+    handle_list_credentials_result(conn, authed_list_credentials(Guardian.Plug.current_resource(conn), :app))
+  end
+
+  def index(conn, _params) do
+    handle_list_credentials_result(conn, authed_list_credentials(Guardian.Plug.current_resource(conn), :account))
+  end
+
+  def show(conn, %{"id" => credentials_sid}) do
+    case Credentials.query()
+         |> Credentials.where_sid_is(credentials_sid)
+         |> Repo.one() do
+      nil ->
+        render_errors(conn, 400, {:error, "Invalid request"})
+
+      credentials ->
+        conn
+        |> put_resp_header("content-type", "application/json")
+        |> put_status(200)
+        |> render("show.json", credentials: credentials)
+    end
+  end
+
+  def create(conn, params) do
+    account = Guardian.Plug.current_resource(conn)
+
+    case to_claims(account, params) do
+      {:ok, claims} ->
+        handle_create_credentials_result(conn, authed_create_credentials(account, claims))
+
+      {:error, reason} ->
+        render_errors(conn, 400, reason)
+    end
+  end
+
+  def update(conn, %{"id" => credentials_sid, "revoke" => _anything}) do
+    account = Guardian.Plug.current_resource(conn)
+
+    case Credentials.query()
+         |> Credentials.where_sid_is(credentials_sid)
+         |> Repo.one() do
+      nil ->
+        render_errors(conn, 400, {:error, "Invalid request"})
+
+      credentials ->
+        handle_revoke_credentials_result(conn, authed_revoke_credentials(account, credentials))
+    end
+  end
+
+  defp handle_list_credentials_result(conn, {:error, :unauthorized}) do
+    render_errors(conn, 401, {:unauthorized, "You do not have permission to view these credentials."})
+  end
+
+  defp handle_list_credentials_result(conn, {:error, reason}) do
+    render_errors(conn, 400, reason)
+  end
+
+  defp handle_list_credentials_result(conn, credentials) do
+    conn
+    |> put_resp_header("content-type", "application/json")
+    |> put_status(200)
+    |> render("index.json", credentials: credentials)
+  end
+
+  defp handle_create_credentials_result(conn, {:error, :unauthorized}) do
+    render_errors(conn, 401, {:unauthorized, "You do not have permission to create these credentials."})
+  end
+
+  defp handle_create_credentials_result(conn, {:error, reason}) do
+    render_errors(conn, 400, reason)
+  end
+
+  defp handle_create_credentials_result(conn, {:ok, token, _claims}) do
+    # Lookup credentials because token creation returns the
+    # claims map, not the credentials object written to DB.
+    credentials =
+      Credentials.query()
+      |> Credentials.where_token_hash_is(Ret.Crypto.hash(token))
+      |> Repo.one()
+
+    conn
+    |> put_resp_header("content-type", "application/json")
+    |> put_status(200)
+    |> render("show.json", token: token, credentials: credentials)
+  end
+
+  defp handle_revoke_credentials_result(conn, {:error, :unauthorized}) do
+    render_errors(conn, 401, {:unauthorized, "You do not have permission to revoke these credentials."})
+  end
+
+  defp handle_revoke_credentials_result(conn, {:error, reason}) do
+    render_errors(conn, 400, reason)
+  end
+
+  defp handle_revoke_credentials_result(conn, {:ok, credentials}) do
+    conn
+    |> put_resp_header("content-type", "application/json")
+    |> put_status(200)
+    |> render("show.json", credentials: credentials)
+  end
+
+  defp render_errors(conn, status, errors) when is_list(errors) do
+    conn
+    |> put_resp_header("content-type", "application/json")
+    |> put_status(status)
+    |> render("errors.json", errors: errors)
+  end
+
+  defp render_errors(conn, status, %Changeset{} = changeset) do
+    render_errors(conn, status,
+      errors: changeset |> Ecto.Changeset.traverse_errors(fn {err, _opts} -> err end) |> Enum.to_list()
+    )
+  end
+
+  defp render_errors(conn, status, error) do
+    render_errors(conn, status, List.wrap(error))
+  end
+end
diff --git a/lib/ret_web/router.ex b/lib/ret_web/router.ex
index 30dc4c8f5..19e5dae8b 100644
--- a/lib/ret_web/router.ex
+++ b/lib/ret_web/router.ex
@@ -147,6 +147,15 @@ defmodule RetWeb.Router do
     end
   end
 
+  scope "/api/v2_alpha", RetWeb do
+    pipe_through(
+      [:secure_headers, :parsed_body, :api, :auth_required] ++
+        if(Mix.env() == :prod, do: [:ssl_only, :canonicalize_domain], else: [])
+    )
+
+    resources("/credentials", Api.V2.CredentialsController, only: [:create, :index, :update, :show])
+  end
+
   scope "/api/v2_alpha", as: :api_v2_alpha do
     pipe_through([:parsed_body, :api, :graphql] ++ if(Mix.env() == :prod, do: [:ssl_only], else: []))
     forward "/graphiql", Absinthe.Plug.GraphiQL, json_codec: Jason, schema: RetWeb.Schema
diff --git a/lib/ret_web/views/api/v2/credentials_view.ex b/lib/ret_web/views/api/v2/credentials_view.ex
new file mode 100644
index 000000000..4b0f10313
--- /dev/null
+++ b/lib/ret_web/views/api/v2/credentials_view.ex
@@ -0,0 +1,42 @@
+defmodule RetWeb.Api.V2.CredentialsView do
+  use RetWeb, :view
+
+  defp render_credentials(credentials) do
+    %{
+      id: credentials.api_credentials_sid,
+      subject_type: credentials.subject_type,
+      is_revoked: credentials.is_revoked,
+      scopes: credentials.scopes,
+      account_id: credentials.account_id,
+      inserted_at: credentials.inserted_at,
+      updated_at: credentials.updated_at,
+      token: nil
+    }
+  end
+
+  def render("index.json", %{credentials: credentials}) when is_list(credentials) do
+    %{
+      credentials: Enum.map(credentials, fn c -> render_credentials(c) end)
+    }
+  end
+
+  def render("show.json", %{token: token, credentials: credentials}) do
+    %{
+      credentials: [Map.merge(render_credentials(credentials), %{token: token})]
+    }
+  end
+
+  def render("show.json", %{credentials: credentials}) do
+    render("show.json", %{credentials: credentials, token: nil})
+  end
+
+  def render("errors.json", %{errors: errors}) when is_list(errors) do
+    %{
+      errors: Enum.map(errors, fn e -> render_error(e) end)
+    }
+  end
+
+  defp render_error({failure_type, message}) do
+    %{failure_type: failure_type, message: message}
+  end
+end
diff --git a/test/ret_web/controllers/api/credentials_controller_test.exs b/test/ret_web/controllers/api/credentials_controller_test.exs
new file mode 100644
index 000000000..085b02b5a
--- /dev/null
+++ b/test/ret_web/controllers/api/credentials_controller_test.exs
@@ -0,0 +1,306 @@
+defmodule RetWeb.CredentialsControllerTest do
+  use RetWeb.ConnCase
+  import Ret.TestHelpers, only: [create_account: 2, put_auth_header_for_account: 2]
+  alias Ret.Api.Scopes
+
+  @endpoint RetWeb.Endpoint
+
+  setup %{conn: conn} do
+    {
+      :ok,
+      conn: conn,
+      account: create_account("nonadmin", false),
+      admin_account: create_account("admin", true),
+      list: credentials_path(conn, :index, []),
+      create: credentials_path(conn, :create)
+    }
+  end
+
+  defp valid_scopes() do
+    [Scopes.read_rooms(), Scopes.write_rooms()]
+  end
+
+  defp app_only_scopes() do
+    [Scopes.read_rooms(), Scopes.write_rooms(), Scopes.create_accounts()]
+  end
+
+  defp params(scopes, subject_type) do
+    [scopes: scopes, subject_type: subject_type]
+  end
+
+  test "Accounts must authenticate to access credentials API.", %{
+    account: account,
+    conn: conn,
+    list: list,
+    create: create
+  } do
+    conn
+    |> put_auth_header_for_account(account)
+    |> get(list)
+    |> json_response(200)
+
+    conn |> get(list) |> response(401)
+
+    conn
+    |> put_auth_header_for_account(account)
+    |> post(create, params(valid_scopes(), :account))
+    |> json_response(200)
+
+    conn |> post(create, params(valid_scopes(), :account)) |> response(401)
+  end
+
+  test "Account credentials can be created and listed", %{
+    account: account,
+    conn: conn,
+    list: list,
+    create: create
+  } do
+    assert conn
+           |> put_auth_header_for_account(account)
+           |> get(list)
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> Enum.count() === 0
+
+    conn
+    |> put_auth_header_for_account(account)
+    |> post(create, params(valid_scopes(), :account))
+    |> json_response(200)
+
+    assert conn
+           |> put_auth_header_for_account(account)
+           |> get(list)
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> Enum.count() === 1
+  end
+
+  test "App credentials can be created and listed", %{
+    admin_account: admin_account,
+    conn: conn,
+    list: list,
+    create: create
+  } do
+    assert conn
+           |> put_auth_header_for_account(admin_account)
+           |> get(list, app: true)
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> Enum.count() === 0
+
+    conn
+    |> put_auth_header_for_account(admin_account)
+    |> post(create, params(valid_scopes(), :app))
+    |> json_response(200)
+
+    assert conn
+           |> put_auth_header_for_account(admin_account)
+           |> get(list, app: true)
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> Enum.count() === 1
+  end
+
+  test "Account must be admin to manage app credentials", %{
+    admin_account: admin_account,
+    account: account,
+    conn: conn,
+    list: list,
+    create: create
+  } do
+    conn
+    |> put_auth_header_for_account(account)
+    |> get(list, app: true)
+    |> response(401)
+
+    conn
+    |> put_auth_header_for_account(admin_account)
+    |> get(list, app: true)
+    |> json_response(200)
+
+    conn
+    |> put_auth_header_for_account(account)
+    |> post(create, params(valid_scopes(), :app))
+    |> response(401)
+
+    conn
+    |> put_auth_header_for_account(admin_account)
+    |> post(create, params(valid_scopes(), :app))
+    |> json_response(200)
+  end
+
+  test "Certain scopes are only valid for account tokens", %{
+    admin_account: admin_account,
+    conn: conn,
+    create: create
+  } do
+    assert conn
+           |> put_auth_header_for_account(admin_account)
+           |> post(create, params(app_only_scopes(), :account))
+           |> json_response(401)
+           |> Map.get("errors")
+           |> hd()
+           |> Map.get("failure_type") === "unauthorized"
+
+    assert conn
+           |> put_auth_header_for_account(admin_account)
+           |> post(create, params(app_only_scopes(), :app))
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> Enum.count() === 1
+  end
+
+  test "Scopes and subject types must be valid", %{
+    account: account,
+    conn: conn,
+    create: create
+  } do
+    errors =
+      conn
+      |> put_auth_header_for_account(account)
+      |> post(create, params([:not_a_valid_scope, :another_invalid_scope], :not_a_valid_subject_type))
+      |> json_response(400)
+      |> Map.get("errors")
+
+    assert Enum.at(errors, 0)["failure_type"] == "invalid_scope"
+    assert Enum.at(errors, 1)["failure_type"] == "invalid_scope"
+    assert Enum.at(errors, 2)["failure_type"] == "invalid_subject_type"
+  end
+
+  test "Credentials omit the token in all but the first response", %{
+    account: account,
+    conn: conn,
+    list: list,
+    create: create
+  } do
+    refute conn
+           |> put_auth_header_for_account(account)
+           |> post(create, params(valid_scopes(), :account))
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> hd()
+           |> Map.get("token")
+           |> is_nil()
+
+    assert conn
+           |> put_auth_header_for_account(account)
+           |> get(list)
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> hd()
+           |> Map.get("token")
+           |> is_nil()
+  end
+
+  test "Accounts can revoke their own credentials", %{
+    account: account,
+    conn: conn,
+    create: create
+  } do
+    creds =
+      conn
+      |> put_auth_header_for_account(account)
+      |> post(create, params(valid_scopes(), :account))
+      |> json_response(200)
+      |> Map.get("credentials")
+      |> hd()
+
+    refute Map.get(creds, "is_revoked")
+
+    assert conn
+           |> put_auth_header_for_account(account)
+           |> patch(credentials_path(conn, :update, Map.get(creds, "id"), revoke: true))
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> hd()
+           |> Map.get("is_revoked")
+  end
+
+  test "Non-admins cannot revoke credentials they do not own", %{
+    account: account,
+    conn: conn,
+    create: create
+  } do
+    another_account = create_account("another_account", false)
+
+    creds =
+      conn
+      |> put_auth_header_for_account(another_account)
+      |> post(create, params(valid_scopes(), :account))
+      |> json_response(200)
+      |> Map.get("credentials")
+      |> hd()
+
+    refute Map.get(creds, "is_revoked")
+
+    sid = Map.get(creds, "id")
+
+    assert conn
+           |> put_auth_header_for_account(account)
+           |> patch(credentials_path(conn, :update, sid, revoke: true))
+           |> json_response(401)
+
+    refute conn
+           |> put_auth_header_for_account(another_account)
+           |> get(credentials_path(conn, :show, sid))
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> hd()
+           |> Map.get("is_revoked")
+
+    assert conn
+           |> put_auth_header_for_account(another_account)
+           |> patch(credentials_path(conn, :update, sid, revoke: true))
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> hd()
+           |> Map.get("is_revoked")
+  end
+
+  test "Admins can revoke any credentials", %{
+    admin_account: admin_account,
+    account: account,
+    conn: conn,
+    create: create
+  } do
+    another_admin_account = create_account("another_admin", true)
+
+    # Admins can revoke app tokens they do not own
+    creds =
+      conn
+      |> put_auth_header_for_account(another_admin_account)
+      |> post(create, params(valid_scopes(), :app))
+      |> json_response(200)
+      |> Map.get("credentials")
+      |> hd()
+
+    refute Map.get(creds, "is_revoked")
+
+    assert conn
+           |> put_auth_header_for_account(admin_account)
+           |> patch(credentials_path(conn, :update, Map.get(creds, "id"), revoke: true))
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> hd()
+           |> Map.get("is_revoked")
+
+    # Admins can revoke account tokens they do not own
+    creds =
+      conn
+      |> put_auth_header_for_account(account)
+      |> post(create, params(valid_scopes(), :account))
+      |> json_response(200)
+      |> Map.get("credentials")
+      |> hd()
+
+    refute Map.get(creds, "is_revoked")
+
+    assert conn
+           |> put_auth_header_for_account(admin_account)
+           |> patch(credentials_path(conn, :update, Map.get(creds, "id"), revoke: true))
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> hd()
+           |> Map.get("is_revoked")
+  end
+end

From 2b633c11aa80633d88dd264f7b152fd71e174475 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Wed, 9 Dec 2020 20:03:54 -0800
Subject: [PATCH 133/138] Expand admin account permissions

Allow admin accounts to create creds on behalf of other accounts
---
 lib/ret/hub.ex                                | 13 ++++-
 .../api/credentials_controller_test.exs       | 56 +++++++++++++++++++
 2 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 23930d19d..5a9ead48a 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -899,12 +899,23 @@ defimpl Canada.Can, for: Ret.Account do
   alias Ret.{Hub, AppConfig}
   alias Ret.Api.{Scopes, Credentials}
 
-  def can?(%Ret.Account{}, :create_credentials, %{subject_type: :account, scopes: scopes}) do
+  # Non-admin accounts can create their own account tokens
+  def can?(%Ret.Account{account_id: account_id}, :create_credentials, %{
+        subject_type: :account,
+        scopes: scopes,
+        account_id: account_id
+      }) do
     # TODO: Is it correct to disallow the create_accounts scope for account type tokens?
     # If so, why? Do we need to enforce this everywhere?
     Scopes.create_accounts() not in scopes
   end
 
+  # Admin accounts can create tokens on behalf of other users
+  # TODO: Should we even allow this?
+  def can?(%Ret.Account{is_admin: true}, :create_credentials, %{subject_type: :account, scopes: scopes}) do
+    Scopes.create_accounts() not in scopes
+  end
+
   def can?(%Ret.Account{is_admin: is_admin}, :create_credentials, %{subject_type: :app}) do
     is_admin
   end
diff --git a/test/ret_web/controllers/api/credentials_controller_test.exs b/test/ret_web/controllers/api/credentials_controller_test.exs
index 085b02b5a..84da5c916 100644
--- a/test/ret_web/controllers/api/credentials_controller_test.exs
+++ b/test/ret_web/controllers/api/credentials_controller_test.exs
@@ -75,6 +75,62 @@ defmodule RetWeb.CredentialsControllerTest do
            |> Enum.count() === 1
   end
 
+  # TODO: Should this be allowed?
+  test "Admins accounts can create credentials on behalf of other accounts", %{
+    account: account,
+    admin_account: admin_account,
+    conn: conn,
+    list: list,
+    create: create
+  } do
+    assert conn
+           |> put_auth_header_for_account(account)
+           |> get(list)
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> Enum.count() === 0
+
+    conn
+    |> put_auth_header_for_account(admin_account)
+    |> post(create, params(valid_scopes(), :account) ++ [account_id: account.account_id])
+    |> json_response(200)
+
+    assert conn
+           |> put_auth_header_for_account(account)
+           |> get(list)
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> Enum.count() === 1
+  end
+
+  test "Non-admins cannot create credentials on behalf of other accounts", %{
+    account: account,
+    conn: conn,
+    list: list,
+    create: create
+  } do
+    another_account = create_account("another_account", false)
+
+    assert conn
+           |> put_auth_header_for_account(another_account)
+           |> get(list)
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> Enum.count() === 0
+
+    conn
+    |> put_auth_header_for_account(account)
+    |> post(create, params(valid_scopes(), :account) ++ [account_id: another_account.account_id])
+    |> json_response(401)
+
+    assert conn
+           |> put_auth_header_for_account(another_account)
+           |> get(list)
+           |> json_response(200)
+           |> Map.get("credentials")
+           |> Enum.count() === 0
+  end
+
   test "App credentials can be created and listed", %{
     admin_account: admin_account,
     conn: conn,

From e448b99658f15fa30f8573963d76abde08928c06 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Sun, 13 Dec 2020 18:48:02 -0800
Subject: [PATCH 134/138] Remove create_accounts scope

---
 lib/ret/api/scopes.ex                         |  4 +--
 lib/ret/api/token_utils.ex                    |  2 +-
 lib/ret/hub.ex                                |  6 ++---
 .../api/credentials_controller_test.exs       | 25 -------------------
 4 files changed, 4 insertions(+), 33 deletions(-)

diff --git a/lib/ret/api/scopes.ex b/lib/ret/api/scopes.ex
index 52865627f..f3739a730 100644
--- a/lib/ret/api/scopes.ex
+++ b/lib/ret/api/scopes.ex
@@ -2,12 +2,10 @@ defmodule Ret.Api.Scopes do
   @moduledoc false
   def read_rooms, do: :read_rooms
   def write_rooms, do: :write_rooms
-  def create_accounts, do: :create_accounts
 
   def all_scopes,
     do: [
       read_rooms(),
-      write_rooms(),
-      create_accounts()
+      write_rooms()
     ]
 end
diff --git a/lib/ret/api/token_utils.ex b/lib/ret/api/token_utils.ex
index a1c3bc303..0d97aa671 100644
--- a/lib/ret/api/token_utils.ex
+++ b/lib/ret/api/token_utils.ex
@@ -7,7 +7,7 @@ defmodule Ret.Api.TokenUtils do
 
   import Canada, only: [can?: 2]
 
-  def gen_app_token(scopes \\ [Scopes.read_rooms(), Scopes.write_rooms(), Scopes.create_accounts()]) do
+  def gen_app_token(scopes \\ [Scopes.read_rooms(), Scopes.write_rooms()]) do
     Token.encode_and_sign(nil, %{
       subject_type: :app,
       scopes: scopes,
diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 5a9ead48a..61f1a819d 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -905,15 +905,13 @@ defimpl Canada.Can, for: Ret.Account do
         scopes: scopes,
         account_id: account_id
       }) do
-    # TODO: Is it correct to disallow the create_accounts scope for account type tokens?
-    # If so, why? Do we need to enforce this everywhere?
-    Scopes.create_accounts() not in scopes
+    true
   end
 
   # Admin accounts can create tokens on behalf of other users
   # TODO: Should we even allow this?
   def can?(%Ret.Account{is_admin: true}, :create_credentials, %{subject_type: :account, scopes: scopes}) do
-    Scopes.create_accounts() not in scopes
+    true
   end
 
   def can?(%Ret.Account{is_admin: is_admin}, :create_credentials, %{subject_type: :app}) do
diff --git a/test/ret_web/controllers/api/credentials_controller_test.exs b/test/ret_web/controllers/api/credentials_controller_test.exs
index 84da5c916..6947ccd95 100644
--- a/test/ret_web/controllers/api/credentials_controller_test.exs
+++ b/test/ret_web/controllers/api/credentials_controller_test.exs
@@ -20,10 +20,6 @@ defmodule RetWeb.CredentialsControllerTest do
     [Scopes.read_rooms(), Scopes.write_rooms()]
   end
 
-  defp app_only_scopes() do
-    [Scopes.read_rooms(), Scopes.write_rooms(), Scopes.create_accounts()]
-  end
-
   defp params(scopes, subject_type) do
     [scopes: scopes, subject_type: subject_type]
   end
@@ -185,27 +181,6 @@ defmodule RetWeb.CredentialsControllerTest do
     |> json_response(200)
   end
 
-  test "Certain scopes are only valid for account tokens", %{
-    admin_account: admin_account,
-    conn: conn,
-    create: create
-  } do
-    assert conn
-           |> put_auth_header_for_account(admin_account)
-           |> post(create, params(app_only_scopes(), :account))
-           |> json_response(401)
-           |> Map.get("errors")
-           |> hd()
-           |> Map.get("failure_type") === "unauthorized"
-
-    assert conn
-           |> put_auth_header_for_account(admin_account)
-           |> post(create, params(app_only_scopes(), :app))
-           |> json_response(200)
-           |> Map.get("credentials")
-           |> Enum.count() === 1
-  end
-
   test "Scopes and subject types must be valid", %{
     account: account,
     conn: conn,

From 80c275d0b933c99418e84980ad0599a15d92f9b3 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Sun, 13 Dec 2020 18:57:12 -0800
Subject: [PATCH 135/138] Create test helper

---
 .../api/credentials_controller_test.exs       | 67 +++++--------------
 1 file changed, 18 insertions(+), 49 deletions(-)

diff --git a/test/ret_web/controllers/api/credentials_controller_test.exs b/test/ret_web/controllers/api/credentials_controller_test.exs
index 6947ccd95..0f110f144 100644
--- a/test/ret_web/controllers/api/credentials_controller_test.exs
+++ b/test/ret_web/controllers/api/credentials_controller_test.exs
@@ -24,8 +24,18 @@ defmodule RetWeb.CredentialsControllerTest do
     [scopes: scopes, subject_type: subject_type]
   end
 
+  defp count_credentials(conn, account) do
+    conn
+    |> put_auth_header_for_account(account)
+    |> get(credentials_path(conn, :index, []))
+    |> json_response(200)
+    |> Map.get("credentials")
+    |> Enum.count()
+  end
+
   test "Accounts must authenticate to access credentials API.", %{
     account: account,
+    admin_account: admin_account,
     conn: conn,
     list: list,
     create: create
@@ -51,27 +61,16 @@ defmodule RetWeb.CredentialsControllerTest do
     list: list,
     create: create
   } do
-    assert conn
-           |> put_auth_header_for_account(account)
-           |> get(list)
-           |> json_response(200)
-           |> Map.get("credentials")
-           |> Enum.count() === 0
+    assert count_credentials(conn, account) === 0
 
     conn
     |> put_auth_header_for_account(account)
     |> post(create, params(valid_scopes(), :account))
     |> json_response(200)
 
-    assert conn
-           |> put_auth_header_for_account(account)
-           |> get(list)
-           |> json_response(200)
-           |> Map.get("credentials")
-           |> Enum.count() === 1
+    assert count_credentials(conn, account) === 1
   end
 
-  # TODO: Should this be allowed?
   test "Admins accounts can create credentials on behalf of other accounts", %{
     account: account,
     admin_account: admin_account,
@@ -79,24 +78,14 @@ defmodule RetWeb.CredentialsControllerTest do
     list: list,
     create: create
   } do
-    assert conn
-           |> put_auth_header_for_account(account)
-           |> get(list)
-           |> json_response(200)
-           |> Map.get("credentials")
-           |> Enum.count() === 0
+    assert count_credentials(conn, account) === 0
 
     conn
     |> put_auth_header_for_account(admin_account)
     |> post(create, params(valid_scopes(), :account) ++ [account_id: account.account_id])
     |> json_response(200)
 
-    assert conn
-           |> put_auth_header_for_account(account)
-           |> get(list)
-           |> json_response(200)
-           |> Map.get("credentials")
-           |> Enum.count() === 1
+    assert count_credentials(conn, account) === 1
   end
 
   test "Non-admins cannot create credentials on behalf of other accounts", %{
@@ -107,24 +96,14 @@ defmodule RetWeb.CredentialsControllerTest do
   } do
     another_account = create_account("another_account", false)
 
-    assert conn
-           |> put_auth_header_for_account(another_account)
-           |> get(list)
-           |> json_response(200)
-           |> Map.get("credentials")
-           |> Enum.count() === 0
+    assert count_credentials(conn, another_account) === 0
 
     conn
     |> put_auth_header_for_account(account)
     |> post(create, params(valid_scopes(), :account) ++ [account_id: another_account.account_id])
     |> json_response(401)
 
-    assert conn
-           |> put_auth_header_for_account(another_account)
-           |> get(list)
-           |> json_response(200)
-           |> Map.get("credentials")
-           |> Enum.count() === 0
+    assert count_credentials(conn, another_account) === 0
   end
 
   test "App credentials can be created and listed", %{
@@ -133,24 +112,14 @@ defmodule RetWeb.CredentialsControllerTest do
     list: list,
     create: create
   } do
-    assert conn
-           |> put_auth_header_for_account(admin_account)
-           |> get(list, app: true)
-           |> json_response(200)
-           |> Map.get("credentials")
-           |> Enum.count() === 0
+    assert count_credentials(conn, admin_account) === 0
 
     conn
     |> put_auth_header_for_account(admin_account)
     |> post(create, params(valid_scopes(), :app))
     |> json_response(200)
 
-    assert conn
-           |> put_auth_header_for_account(admin_account)
-           |> get(list, app: true)
-           |> json_response(200)
-           |> Map.get("credentials")
-           |> Enum.count() === 1
+    assert count_credentials(conn, admin_account) === 1
   end
 
   test "Account must be admin to manage app credentials", %{

From 3b49320937d68f03e52ee35295c7699088888186 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Sun, 13 Dec 2020 20:39:05 -0800
Subject: [PATCH 136/138] PR Feedback

---
 lib/ret/api/credentials.ex                    | 18 ++---
 lib/ret/api/token_utils.ex                    | 64 ++++++++--------
 lib/ret/hub.ex                                | 23 +-----
 .../api/v2/credentials_controller.ex          |  9 +--
 .../api/credentials_controller_test.exs       | 75 +++++++++----------
 5 files changed, 79 insertions(+), 110 deletions(-)

diff --git a/lib/ret/api/credentials.ex b/lib/ret/api/credentials.ex
index 8083e9a9b..b6b4c7cc4 100644
--- a/lib/ret/api/credentials.ex
+++ b/lib/ret/api/credentials.ex
@@ -48,8 +48,8 @@ defmodule Ret.Api.Credentials do
          |> cast(params, @permitted_keys)
          |> maybe_put_assoc_account(account_or_nil)
          |> validate_required(@required_keys)
-         |> validate_change(:subject_type, &validate_subject_type/2)
-         |> validate_change(:scopes, &validate_scopes_type/2)
+         |> validate_change(:subject_type, &validate_field/2)
+         |> validate_change(:scopes, &validate_field/2)
          |> unique_constraint(:api_credentials_sid)
          |> unique_constraint(:token_hash)
          # TODO: We can pass multiple fields to unique_contraint when we update ecto
@@ -71,12 +71,6 @@ defmodule Ret.Api.Credentials do
     changeset
   end
 
-  def validate_scopes_type(:scopes, scopes) do
-    Enum.reduce(scopes, [], fn scope, errors ->
-      errors ++ validate_single_scope_type(scope)
-    end)
-  end
-
   defp validate_single_scope_type(scope) do
     if ScopeType.valid_value?(scope) do
       []
@@ -85,7 +79,13 @@ defmodule Ret.Api.Credentials do
     end
   end
 
-  def validate_subject_type(:subject_type, subject_type) do
+  def validate_field(:scopes, scopes) do
+    Enum.reduce(scopes, [], fn scope, errors ->
+      errors ++ validate_single_scope_type(scope)
+    end)
+  end
+
+  def validate_field(:subject_type, subject_type) do
     if TokenSubjectType.valid_value?(subject_type) do
       []
     else
diff --git a/lib/ret/api/token_utils.ex b/lib/ret/api/token_utils.ex
index 0d97aa671..15d725797 100644
--- a/lib/ret/api/token_utils.ex
+++ b/lib/ret/api/token_utils.ex
@@ -26,57 +26,55 @@ defmodule Ret.Api.TokenUtils do
   defp ensure_atom(x) when is_atom(x), do: x
   defp ensure_atom(x) when is_binary(x), do: String.to_atom(x)
 
-  # TODO Should we permit the creation of tokens
-  # on behalf of other accounts like this?
   defp account_id_from_args(%Account{}, %{"account_id" => account_id}) do
+    # This account wants to create credentials on behalf of another account
     account_id
   end
 
   defp account_id_from_args(%Account{} = account, _params) do
+    # This account wants to create credentials for itself
     account.account_id
   end
 
   defp validate_account_id(%Account{account_id: account_id}, account_id) do
+    # Skip a trip to the DB if account is creating credentials for itself
     []
   end
 
   defp validate_account_id(%Account{}, account_id) do
-    case Account.query()
-         |> Account.where_account_id_is(account_id)
-         |> Repo.one() do
-      %Account{} ->
-        []
-
-      nil ->
-        [account_id: "Invalid account id #{account_id}"]
-    end
+    # Make sure the given account_id refers to an account that actually exists
+    validate_field(:account_id, account_id)
   end
 
-  def to_claims(%Account{} = account, %{"subject_type" => subject_type, "scopes" => scopes} = params) do
-    account_id = account_id_from_args(account, params)
-
-    case to_claims(account, account_id, scopes, subject_type) do
-      errors when is_list(errors) ->
-        {:error, errors}
-
-      claims ->
-        {:ok, claims}
+  defp validate_field(:account_id, account_id) do
+    if Account.query()
+       |> Account.where_account_id_is(account_id)
+       |> Repo.exists?() do
+      []
+    else
+      [account_id: "Invalid account id #{account_id}"]
     end
   end
 
-  defp to_claims(%Account{} = account, account_id, scopes, subject_type) do
-    with [] <-
-           validate_account_id(account, account_id) ++
-             Credentials.validate_scopes_type(:scopes, scopes) ++
-             Credentials.validate_subject_type(:subject_type, subject_type) do
-      # It is safe to cast user-provided strings to atoms here
-      # because we validated that the strings match our atoms
-      # (i.e. with &valid_value?/1 from ecto_enum's defenum )
-      %{
-        account_id: account_id,
-        subject_type: ensure_atom(subject_type),
-        scopes: Enum.map(scopes, &ensure_atom/1)
-      }
+  def to_claims(%Account{} = account, %{"subject_type" => subject_type, "scopes" => scopes} = params) do
+    account_id_for_claims = account_id_from_args(account, params)
+
+    case validate_account_id(account, account_id_for_claims) ++
+           Credentials.validate_field(:scopes, scopes) ++
+           Credentials.validate_field(:subject_type, subject_type) do
+      [] ->
+        # It is safe to cast user-provided strings to atoms here
+        # because we validated that the strings match our atoms
+        # (with &valid_value?/1 from ecto_enum)
+        {:ok,
+         %{
+           account_id: account_id_for_claims,
+           subject_type: ensure_atom(subject_type),
+           scopes: Enum.map(scopes, &ensure_atom/1)
+         }}
+
+      error_list ->
+        {:error, error_list}
     end
   end
 
diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
index 61f1a819d..9ba3b3a7f 100644
--- a/lib/ret/hub.ex
+++ b/lib/ret/hub.ex
@@ -897,31 +897,12 @@ end
 
 defimpl Canada.Can, for: Ret.Account do
   alias Ret.{Hub, AppConfig}
-  alias Ret.Api.{Scopes, Credentials}
-
-  # Non-admin accounts can create their own account tokens
-  def can?(%Ret.Account{account_id: account_id}, :create_credentials, %{
-        subject_type: :account,
-        scopes: scopes,
-        account_id: account_id
-      }) do
-    true
-  end
-
-  # Admin accounts can create tokens on behalf of other users
-  # TODO: Should we even allow this?
-  def can?(%Ret.Account{is_admin: true}, :create_credentials, %{subject_type: :account, scopes: scopes}) do
-    true
-  end
+  alias Ret.Api.Credentials
 
-  def can?(%Ret.Account{is_admin: is_admin}, :create_credentials, %{subject_type: :app}) do
+  def can?(%Ret.Account{is_admin: is_admin}, :create_credentials, _params) do
     is_admin
   end
 
-  def can?(%Ret.Account{}, :create_credentials, _params) do
-    false
-  end
-
   def can?(%Ret.Account{is_admin: is_admin}, :list_credentials, :app) do
     is_admin
   end
diff --git a/lib/ret_web/controllers/api/v2/credentials_controller.ex b/lib/ret_web/controllers/api/v2/credentials_controller.ex
index c0c66db09..757a5b572 100644
--- a/lib/ret_web/controllers/api/v2/credentials_controller.ex
+++ b/lib/ret_web/controllers/api/v2/credentials_controller.ex
@@ -9,7 +9,6 @@ defmodule RetWeb.Api.V2.CredentialsController do
     only: [to_claims: 2, authed_create_credentials: 2, authed_list_credentials: 2, authed_revoke_credentials: 2]
 
   # Limit to 1 TPS
-  # TODO : I copied this from other controllers. Is this an appropriate limit? -John
   plug(RetWeb.Plugs.RateLimit when action in [:create, :update])
 
   def index(conn, %{"app" => _anything} = _params) do
@@ -21,9 +20,7 @@ defmodule RetWeb.Api.V2.CredentialsController do
   end
 
   def show(conn, %{"id" => credentials_sid}) do
-    case Credentials.query()
-         |> Credentials.where_sid_is(credentials_sid)
-         |> Repo.one() do
+    case Repo.get_by(Credentials, api_credentials_sid: credentials_sid) do
       nil ->
         render_errors(conn, 400, {:error, "Invalid request"})
 
@@ -42,8 +39,8 @@ defmodule RetWeb.Api.V2.CredentialsController do
       {:ok, claims} ->
         handle_create_credentials_result(conn, authed_create_credentials(account, claims))
 
-      {:error, reason} ->
-        render_errors(conn, 400, reason)
+      {:error, error_list} ->
+        render_errors(conn, 400, error_list)
     end
   end
 
diff --git a/test/ret_web/controllers/api/credentials_controller_test.exs b/test/ret_web/controllers/api/credentials_controller_test.exs
index 0f110f144..5c0558aa8 100644
--- a/test/ret_web/controllers/api/credentials_controller_test.exs
+++ b/test/ret_web/controllers/api/credentials_controller_test.exs
@@ -24,7 +24,7 @@ defmodule RetWeb.CredentialsControllerTest do
     [scopes: scopes, subject_type: subject_type]
   end
 
-  defp count_credentials(conn, account) do
+  defp get_credentials_count(conn, account) do
     conn
     |> put_auth_header_for_account(account)
     |> get(credentials_path(conn, :index, []))
@@ -33,6 +33,12 @@ defmodule RetWeb.CredentialsControllerTest do
     |> Enum.count()
   end
 
+  defp create_credentials_for_another_account(conn, creator_account, account) do
+    conn
+    |> put_auth_header_for_account(creator_account)
+    |> post(credentials_path(conn, :create), params(valid_scopes(), :account) ++ [account_id: account.account_id])
+  end
+
   test "Accounts must authenticate to access credentials API.", %{
     account: account,
     admin_account: admin_account,
@@ -48,7 +54,7 @@ defmodule RetWeb.CredentialsControllerTest do
     conn |> get(list) |> response(401)
 
     conn
-    |> put_auth_header_for_account(account)
+    |> put_auth_header_for_account(admin_account)
     |> post(create, params(valid_scopes(), :account))
     |> json_response(200)
 
@@ -56,70 +62,60 @@ defmodule RetWeb.CredentialsControllerTest do
   end
 
   test "Account credentials can be created and listed", %{
-    account: account,
+    admin_account: admin_account,
     conn: conn,
-    list: list,
     create: create
   } do
-    assert count_credentials(conn, account) === 0
+    assert get_credentials_count(conn, admin_account) === 0
 
     conn
-    |> put_auth_header_for_account(account)
+    |> put_auth_header_for_account(admin_account)
     |> post(create, params(valid_scopes(), :account))
     |> json_response(200)
 
-    assert count_credentials(conn, account) === 1
+    assert get_credentials_count(conn, admin_account) === 1
   end
 
   test "Admins accounts can create credentials on behalf of other accounts", %{
     account: account,
     admin_account: admin_account,
-    conn: conn,
-    list: list,
-    create: create
+    conn: conn
   } do
-    assert count_credentials(conn, account) === 0
+    assert get_credentials_count(conn, account) === 0
 
-    conn
-    |> put_auth_header_for_account(admin_account)
-    |> post(create, params(valid_scopes(), :account) ++ [account_id: account.account_id])
+    create_credentials_for_another_account(conn, admin_account, account)
     |> json_response(200)
 
-    assert count_credentials(conn, account) === 1
+    assert get_credentials_count(conn, account) === 1
   end
 
   test "Non-admins cannot create credentials on behalf of other accounts", %{
     account: account,
-    conn: conn,
-    list: list,
-    create: create
+    conn: conn
   } do
     another_account = create_account("another_account", false)
 
-    assert count_credentials(conn, another_account) === 0
+    assert get_credentials_count(conn, another_account) === 0
 
-    conn
-    |> put_auth_header_for_account(account)
-    |> post(create, params(valid_scopes(), :account) ++ [account_id: another_account.account_id])
+    create_credentials_for_another_account(conn, account, another_account)
     |> json_response(401)
 
-    assert count_credentials(conn, another_account) === 0
+    assert get_credentials_count(conn, another_account) === 0
   end
 
   test "App credentials can be created and listed", %{
     admin_account: admin_account,
     conn: conn,
-    list: list,
     create: create
   } do
-    assert count_credentials(conn, admin_account) === 0
+    assert get_credentials_count(conn, admin_account) === 0
 
     conn
     |> put_auth_header_for_account(admin_account)
     |> post(create, params(valid_scopes(), :app))
     |> json_response(200)
 
-    assert count_credentials(conn, admin_account) === 1
+    assert get_credentials_count(conn, admin_account) === 1
   end
 
   test "Account must be admin to manage app credentials", %{
@@ -151,13 +147,13 @@ defmodule RetWeb.CredentialsControllerTest do
   end
 
   test "Scopes and subject types must be valid", %{
-    account: account,
+    admin_account: admin_account,
     conn: conn,
     create: create
   } do
     errors =
       conn
-      |> put_auth_header_for_account(account)
+      |> put_auth_header_for_account(admin_account)
       |> post(create, params([:not_a_valid_scope, :another_invalid_scope], :not_a_valid_subject_type))
       |> json_response(400)
       |> Map.get("errors")
@@ -168,13 +164,13 @@ defmodule RetWeb.CredentialsControllerTest do
   end
 
   test "Credentials omit the token in all but the first response", %{
-    account: account,
+    admin_account: admin_account,
     conn: conn,
     list: list,
     create: create
   } do
     refute conn
-           |> put_auth_header_for_account(account)
+           |> put_auth_header_for_account(admin_account)
            |> post(create, params(valid_scopes(), :account))
            |> json_response(200)
            |> Map.get("credentials")
@@ -183,7 +179,7 @@ defmodule RetWeb.CredentialsControllerTest do
            |> is_nil()
 
     assert conn
-           |> put_auth_header_for_account(account)
+           |> put_auth_header_for_account(admin_account)
            |> get(list)
            |> json_response(200)
            |> Map.get("credentials")
@@ -193,14 +189,13 @@ defmodule RetWeb.CredentialsControllerTest do
   end
 
   test "Accounts can revoke their own credentials", %{
+    admin_account: admin_account,
     account: account,
-    conn: conn,
-    create: create
+    conn: conn
   } do
     creds =
       conn
-      |> put_auth_header_for_account(account)
-      |> post(create, params(valid_scopes(), :account))
+      |> create_credentials_for_another_account(admin_account, account)
       |> json_response(200)
       |> Map.get("credentials")
       |> hd()
@@ -217,16 +212,15 @@ defmodule RetWeb.CredentialsControllerTest do
   end
 
   test "Non-admins cannot revoke credentials they do not own", %{
+    admin_account: admin_account,
     account: account,
-    conn: conn,
-    create: create
+    conn: conn
   } do
     another_account = create_account("another_account", false)
 
     creds =
       conn
-      |> put_auth_header_for_account(another_account)
-      |> post(create, params(valid_scopes(), :account))
+      |> create_credentials_for_another_account(admin_account, another_account)
       |> json_response(200)
       |> Map.get("credentials")
       |> hd()
@@ -287,8 +281,7 @@ defmodule RetWeb.CredentialsControllerTest do
     # Admins can revoke account tokens they do not own
     creds =
       conn
-      |> put_auth_header_for_account(account)
-      |> post(create, params(valid_scopes(), :account))
+      |> create_credentials_for_another_account(another_admin_account, account)
       |> json_response(200)
       |> Map.get("credentials")
       |> hd()

From ca9ab0098c339785e4f80312091b88cf1cf00fb6 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Sun, 13 Dec 2020 22:44:20 -0800
Subject: [PATCH 137/138] Require a server-level flag for graphql api

---
 .../plugs/require_public_api_access.ex        | 13 ++++++++++
 lib/ret_web/router.ex                         |  8 +++++--
 test/api/v2/room_query_test.exs               | 24 +++++++++++++++++++
 .../api/credentials_controller_test.exs       | 23 ++++++++++++++++++
 4 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 lib/ret_web/plugs/require_public_api_access.ex

diff --git a/lib/ret_web/plugs/require_public_api_access.ex b/lib/ret_web/plugs/require_public_api_access.ex
new file mode 100644
index 000000000..7ec07cec1
--- /dev/null
+++ b/lib/ret_web/plugs/require_public_api_access.ex
@@ -0,0 +1,13 @@
+defmodule RetWeb.Plugs.RequirePublicApiAccess do
+  import Plug.Conn
+
+  def init([]), do: []
+
+  def call(conn, []) do
+    if Ret.AppConfig.get_config_bool("features|public_api_access") do
+      conn
+    else
+      conn |> send_resp(404, "") |> halt()
+    end
+  end
+end
diff --git a/lib/ret_web/router.ex b/lib/ret_web/router.ex
index 19e5dae8b..43695089b 100644
--- a/lib/ret_web/router.ex
+++ b/lib/ret_web/router.ex
@@ -32,6 +32,10 @@ defmodule RetWeb.Router do
     plug(:accepts, ["json"])
   end
 
+  pipeline :public_api_access do
+    plug(RetWeb.Plugs.RequirePublicApiAccess)
+  end
+
   pipeline :proxy_api do
     plug(:accepts, ["json"])
     plug(RetWeb.Plugs.RewriteAuthorizationHeaderToPerms)
@@ -149,7 +153,7 @@ defmodule RetWeb.Router do
 
   scope "/api/v2_alpha", RetWeb do
     pipe_through(
-      [:secure_headers, :parsed_body, :api, :auth_required] ++
+      [:secure_headers, :parsed_body, :api, :public_api_access, :auth_required] ++
         if(Mix.env() == :prod, do: [:ssl_only, :canonicalize_domain], else: [])
     )
 
@@ -157,7 +161,7 @@ defmodule RetWeb.Router do
   end
 
   scope "/api/v2_alpha", as: :api_v2_alpha do
-    pipe_through([:parsed_body, :api, :graphql] ++ if(Mix.env() == :prod, do: [:ssl_only], else: []))
+    pipe_through([:parsed_body, :api, :public_api_access, :graphql] ++ if(Mix.env() == :prod, do: [:ssl_only], else: []))
     forward "/graphiql", Absinthe.Plug.GraphiQL, json_codec: Jason, schema: RetWeb.Schema
     forward "/", Absinthe.Plug, json_codec: Jason, schema: RetWeb.Schema
   end
diff --git a/test/api/v2/room_query_test.exs b/test/api/v2/room_query_test.exs
index 087f507c6..816bf7064 100644
--- a/test/api/v2/room_query_test.exs
+++ b/test/api/v2/room_query_test.exs
@@ -7,6 +7,7 @@ defmodule RoomQueryTest do
   use RetWeb.ConnCase
   import Ret.TestHelpers
   alias Ret.Api.TokenUtils
+  alias Ret.AppConfig
 
   setup_all do
     Absinthe.Test.prime(RetWeb.Schema)
@@ -46,6 +47,8 @@ defmodule RoomQueryTest do
   end
 
   setup _context do
+    AppConfig.set_config_value("features|public_api_access", true)
+
     account = create_random_account()
     account2 = create_random_account()
     scene = create_scene(account)
@@ -162,4 +165,25 @@ defmodule RoomQueryTest do
 
     assert length(response["data"]["myRooms"]["entries"]) === 2
   end
+
+  test "Public API Access has to be enabled on the server", %{conn: conn, public_hub: public_hub, app_token: app_token} do
+    AppConfig.set_config_value("features|public_api_access", false)
+
+    conn
+    |> put_auth_header_for_token(app_token)
+    |> post("/api/v2_alpha/", %{
+      "query" => "#{@query_public_rooms}"
+    })
+    |> response(404)
+
+    AppConfig.set_config_value("features|public_api_access", true)
+
+    res =
+      conn
+      |> put_auth_header_for_token(app_token)
+      |> do_graphql_action(@query_public_rooms)
+
+    rooms = res["data"]["publicRooms"]["entries"]
+    assert List.first(rooms)["id"] == public_hub.hub_sid
+  end
 end
diff --git a/test/ret_web/controllers/api/credentials_controller_test.exs b/test/ret_web/controllers/api/credentials_controller_test.exs
index 5c0558aa8..9590f8bc0 100644
--- a/test/ret_web/controllers/api/credentials_controller_test.exs
+++ b/test/ret_web/controllers/api/credentials_controller_test.exs
@@ -1,11 +1,14 @@
 defmodule RetWeb.CredentialsControllerTest do
   use RetWeb.ConnCase
   import Ret.TestHelpers, only: [create_account: 2, put_auth_header_for_account: 2]
+  alias Ret.AppConfig
   alias Ret.Api.Scopes
 
   @endpoint RetWeb.Endpoint
 
   setup %{conn: conn} do
+    AppConfig.set_config_value("features|public_api_access", true)
+
     {
       :ok,
       conn: conn,
@@ -296,4 +299,24 @@ defmodule RetWeb.CredentialsControllerTest do
            |> hd()
            |> Map.get("is_revoked")
   end
+
+  test "Public API Access has to be enabled on the server", %{
+    account: account,
+    conn: conn,
+    list: list
+  } do
+    AppConfig.set_config_value("features|public_api_access", false)
+
+    conn
+    |> put_auth_header_for_account(account)
+    |> get(list)
+    |> response(404)
+
+    AppConfig.set_config_value("features|public_api_access", true)
+
+    conn
+    |> put_auth_header_for_account(account)
+    |> get(list)
+    |> json_response(200)
+  end
 end

From d3adae7a516e0543a31ae138b8407890bd7833b7 Mon Sep 17 00:00:00 2001
From: John Shaughnessy <johnfshaughnessy@gmail.com>
Date: Sun, 13 Dec 2020 22:50:05 -0800
Subject: [PATCH 138/138] lint

---
 lib/ret_web/router.ex | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/ret_web/router.ex b/lib/ret_web/router.ex
index 43695089b..3342fc143 100644
--- a/lib/ret_web/router.ex
+++ b/lib/ret_web/router.ex
@@ -161,7 +161,10 @@ defmodule RetWeb.Router do
   end
 
   scope "/api/v2_alpha", as: :api_v2_alpha do
-    pipe_through([:parsed_body, :api, :public_api_access, :graphql] ++ if(Mix.env() == :prod, do: [:ssl_only], else: []))
+    pipe_through(
+      [:parsed_body, :api, :public_api_access, :graphql] ++ if(Mix.env() == :prod, do: [:ssl_only], else: [])
+    )
+
     forward "/graphiql", Absinthe.Plug.GraphiQL, json_codec: Jason, schema: RetWeb.Schema
     forward "/", Absinthe.Plug, json_codec: Jason, schema: RetWeb.Schema
   end