From d8c7aeab80e52dc1213c639210242527d8d23f3e Mon Sep 17 00:00:00 2001
From: Thodoris Greasidis
Date: Tue, 4 Jul 2023 13:31:44 +0300
Subject: [PATCH 1/2] device-proxy: Use $filter based canAccess checks Change-type: patch See: https://www.flowdock.com/app/rulemotion/resin-tech/threads/7WcMXnx1te1vhkaOtmQB2fU-0n8 Signed-off-by: Thodoris Greasidis sq Resolves: # Change-type: Signed-off-by: Thodoris Greasidis sq Resolves: # Change-type: Signed-off-by: Thodoris Greasidis
---
 src/features/device-proxy/device-proxy.ts | 25 ++++++++++++-----------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/src/features/device-proxy/device-proxy.ts b/src/features/device-proxy/device-proxy.ts
index f7674625c..bcbede26c 100644
--- a/src/features/device-proxy/device-proxy.ts
+++ b/src/features/device-proxy/device-proxy.ts
@@ -201,6 +201,7 @@ async function requestDevices({
 filter,
 ],
 },
+ $orderby: { id: 'asc' },
 },
 })) as Array>
 ).map(({ id }) => id);
@@ -214,18 +215,18 @@ async function requestDevices({
 // Check for device update permission, except for
 // internal operation of the platform.
 if (method !== 'GET' && req !== permissions.root) {
- await Promise.all(
- deviceIds.map(async (deviceId) => {
- const res = (await resinApi.post({
- url: `device(${deviceId})/canAccess`,
- body: { action: 'update' },
- })) as { d?: Array<{ id: number }> };
-
- if (res?.d?.[0]?.id !== deviceId) {
- throw new errors.ForbiddenError();
- }
- }),
- );
+ console.log('*** device-proxy');
+ // npm run fasttest 20 to test this
+ const res = (await resinApi.post({
+ url: `device($action=update)/canAccess?$filter=id in (${deviceIds.join(
+ ',',
+ )})`,
+ body: {},
+ })) as { d?: Array<{ id: number }> };
+ console.log('*** device-proxy', { res: res?.d?.[0], deviceIds });
+ if (_.isEqual(res?.d?.[0], deviceIds)) {
+ throw new errors.ForbiddenError();
+ }
 }
 // And now fetch device data with full privs
 return await api.resin.get({
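Review bot: The rewritten permission check in the second hunk fails open: `_.isEqual(res?.d?.[0], deviceIds)` compares the first returned row (typed `{ id: number }`) with the whole id array and throws `ForbiddenError` only when they are equal, so as written it can hardly ever reject, whereas the removed code threw when the returned id did not match. The non-GET path then continues to the fetch marked "with full privs", which makes this an authorization gap rather than a cosmetic bug; PATCH 2/2 only changes the URL key and leaves the condition untouched. Assuming the filtered canAccess response lists the accessible rows in `d` (the response shape is not visible here), compare as sets and deny on any miss: `const allowed = new Set((res?.d ?? []).map(({ id }) => id));` followed by `if (!deviceIds.every((id) => allowed.has(id))) { throw new errors.ForbiddenError(); }`. The two `console.log('*** device-proxy', …)` calls and the `// npm run fasttest 20 to test this` comment are debug leftovers that would write device ids and the access response to the service log, and should be dropped before merge. The body of requestDevices starts and ends outside the hunk, so whether an empty `deviceIds` (which would produce `id in ()`) is handled earlier cannot be told from here.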
From 0a9cd9241cd230ad7ffad814366463acf5a06d66 Mon Sep 17 00:00:00 2001
From: Thodoris Greasidis
Date: Tue, 4 Jul 2023 18:44:40 +0300
Subject: [PATCH 2/2] wip Resolves: # Change-type:
---
 src/features/device-proxy/device-proxy.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/features/device-proxy/device-proxy.ts b/src/features/device-proxy/device-proxy.ts
index bcbede26c..57847f35b 100644
--- a/src/features/device-proxy/device-proxy.ts
+++ b/src/features/device-proxy/device-proxy.ts
@@ -218,7 +218,7 @@ async function requestDevices({
 console.log('*** device-proxy');
 // npm run fasttest 20 to test this
 const res = (await resinApi.post({
- url: `device($action=update)/canAccess?$filter=id in (${deviceIds.join(
+ url: `device(action='update')/canAccess?$filter=id in (${deviceIds.join(
 ',',
 )})`,
 body: {},