fix: add permission authorization middleware to only specific routes

api/src/middlewares/authenticateToken.ts

@@ -3,7 +3,6 @@ import jwt from 'jsonwebtoken'
 import { csrfProtection } from '../app'
 import { fetchLatestAutoExec, ModeType, verifyTokenInDB } from '../utils'
 import { desktopUser } from './desktop'
-import { authorize } from './authorize'
 
 export const authenticateAccessToken: RequestHandler = async (
   req,
@@ -25,7 +24,7 @@ export const authenticateAccessToken: RequestHandler = async (
       if (user) {
         if (user.isActive) {
           req.user = user
-          return csrfProtection(req, res, () => authorize(req, res, next))
+          return csrfProtection(req, res, next)
         } else return res.sendStatus(401)
       }
     }
@@ -35,7 +34,7 @@ export const authenticateAccessToken: RequestHandler = async (
   authenticateToken(
     req,
     res,
-    () => authorize(req, res, next),
+    next,
     process.env.ACCESS_TOKEN_SECRET as string,
     'accessToken'
   )

api/src/middlewares/authorize.ts

@@ -13,13 +13,15 @@ export const authorize: RequestHandler = async (req, res, next) => {
     const dbUser = await User.findOne({ id: user.userId })
     if (!dbUser) return res.sendStatus(401)
 
-    const uri = req.baseUrl + req.path
+    const uri = req.baseUrl + req.route.path
 
     // find permission w.r.t user
     permission = await Permission.findOne({ uri, user: dbUser._id })
 
-    if (permission && permission.setting === PermissionSetting.grant)
-      return next()
+    if (permission) {
+      if (permission.setting === PermissionSetting.grant) return next()
+      else res.sendStatus(401)
+    }
 
     // find permission w.r.t user's groups
     for (const group of dbUser.groups) {