chore: actually validate API key privileges and refs

graph/schema.resolvers.go

@@ -74,11 +74,10 @@ func (r *mutationResolver) AddAPIKey(ctx context.Context, input *model.InputAPIK
 // UpdateSubGraph is the resolver for the updateSubGraph field.
 func (r *mutationResolver) UpdateSubGraph(ctx context.Context, input model.InputSubGraph) (*model.SubGraph, error) {
 	orgId := middleware.OrganizationFromContext(ctx)
-	key, err := middleware.ApiKeyFromContext(ctx)
+	name, err := r.apiKeyCanAccessRef(ctx, input.Ref, true)
 	if err != nil {
 		return nil, err
 	}
-	apiKey := r.Cache.ApiKeyByKey(key)
 	subGraphId := r.Cache.SubGraphId(orgId, input.Ref, input.Service)
 	subGraph := &domain.SubGraph{}
 	if subGraphId != "" {
@@ -115,7 +114,7 @@ func (r *mutationResolver) UpdateSubGraph(ctx context.Context, input model.Input
 		Url:            input.URL,
 		WSUrl:          input.WsURL,
 		Sdl:            input.Sdl,
-		Initiator:      apiKey.Name,
+		Initiator:      name,
 	})
 	if err != nil {
 		return nil, err
@@ -133,6 +132,10 @@ func (r *queryResolver) Organizations(ctx context.Context) ([]*model.Organizatio
 // Supergraph is the resolver for the supergraph field.
 func (r *queryResolver) Supergraph(ctx context.Context, ref string, isAfter *string) (model.Supergraph, error) {
 	orgId := middleware.OrganizationFromContext(ctx)
+	_, err := r.apiKeyCanAccessRef(ctx, ref, false)
+	if err != nil {
+		return nil, err
+	}
 	after := ""
 	if isAfter != nil {
 		after = *isAfter