sasjs/server
1
0
Fork 0
mirror of https://github.com/sasjs/server.git synced 2025-12-12 03:54:34 +00:00
Code Issues Projects Releases Wiki Activity

feat: add authorize middleware for validating permissions

Browse Source
This commit is contained in:
Sabir Hassan
2022-06-29 23:06:58 +05:00
parent 70f279a49c
commit 7d916ec3e9
3 changed files with 38 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
api/src/middlewares/authenticateToken.ts
View File

@@ -3,6 +3,7 @@ import jwt from 'jsonwebtoken'
import { csrfProtection } from '../app' import { csrfProtection } from '../app'
import { fetchLatestAutoExec, ModeType, verifyTokenInDB } from '../utils' import { fetchLatestAutoExec, ModeType, verifyTokenInDB } from '../utils'
import { desktopUser } from './desktop' import { desktopUser } from './desktop'
import { authorize } from './authorize'
export const authenticateAccessToken: RequestHandler = async ( export const authenticateAccessToken: RequestHandler = async (
req, req,
@@ -24,7 +25,7 @@ export const authenticateAccessToken: RequestHandler = async (
if (user) { if (user) {
if (user.isActive) { if (user.isActive) {
req.user = user req.user = user
return csrfProtection(req, res, next) return csrfProtection(req, res, () => authorize(req, res, next))
} else return res.sendStatus(401) } else return res.sendStatus(401)
} }
} }
@@ -34,7 +35,7 @@ export const authenticateAccessToken: RequestHandler = async (
authenticateToken( authenticateToken(
req, req,
res, res,
next, () => authorize(req, res, next),
process.env.ACCESS_TOKEN_SECRET as string, process.env.ACCESS_TOKEN_SECRET as string,
'accessToken' 'accessToken'
) )

34
api/src/middlewares/authorize.ts Normal file
View File

@@ -0,0 +1,34 @@
import { RequestHandler } from 'express'
import User from '../model/User'
import Permission from '../model/Permission'
import { PermissionSetting } from '../controllers/permission'
export const authorize: RequestHandler = async (req, res, next) => {
let permission
const user = req.user
if (user) {
// no need to check for permissions when user is admin
if (user.isAdmin) return next()
const dbUser = await User.findOne({ id: user.userId })
if (!dbUser) return res.sendStatus(401)
const uri = req.baseUrl + req.path
// find permission w.r.t user
permission = await Permission.findOne({ uri, user: dbUser._id })
if (permission && permission.setting === PermissionSetting.grant)
return next()
// find permission w.r.t user's groups
for (const group of dbUser.groups) {
permission = await Permission.findOne({ uri, group })
if (permission && permission.setting === PermissionSetting.grant)
return next()
}
return res.sendStatus(401)
}
return res.sendStatus(401)
}

1
api/src/middlewares/index.ts
View File

@@ -2,3 +2,4 @@ export * from './authenticateToken'
export * from './desktop' export * from './desktop'
export * from './verifyAdmin' export * from './verifyAdmin'
export * from './verifyAdminIfNeeded' export * from './verifyAdminIfNeeded'
export * from './authorize'