mirror of
https://github.com/mollersuite/monofile.git
synced 2024-11-25 07:06:25 -08:00
token-permissions: update middleware
This commit is contained in:
parent
b3efd8ca29
commit
a04cc9a376
|
@ -37,7 +37,7 @@ export function create(
|
||||||
expire:Date.now()+expire,
|
expire:Date.now()+expire,
|
||||||
|
|
||||||
type,
|
type,
|
||||||
tokenPermissions
|
tokenPermissions: type == "App" ? tokenPermissions || ["user"] : undefined
|
||||||
}
|
}
|
||||||
|
|
||||||
AuthTokens.push(token)
|
AuthTokens.push(token)
|
||||||
|
@ -52,6 +52,14 @@ export function validate(token:string) {
|
||||||
return AuthTokens.find(e => e.token == token && Date.now() < e.expire)?.account
|
return AuthTokens.find(e => e.token == token && Date.now() < e.expire)?.account
|
||||||
}
|
}
|
||||||
|
|
||||||
|
export function getType(token:string): TokenType | undefined {
|
||||||
|
return AuthTokens.find(e => e.token == token && Date.now() < e.expire)?.type
|
||||||
|
}
|
||||||
|
|
||||||
|
export function getPermissions(token:string): TokenPermission[] | undefined {
|
||||||
|
return AuthTokens.find(e => e.token == token && Date.now() < e.expire)?.tokenPermissions
|
||||||
|
}
|
||||||
|
|
||||||
export function tokenTimer(token:AuthToken) {
|
export function tokenTimer(token:AuthToken) {
|
||||||
if (Date.now() >= token.expire) {
|
if (Date.now() >= token.expire) {
|
||||||
invalidate(token.token)
|
invalidate(token.token)
|
||||||
|
|
|
@ -1,17 +1,22 @@
|
||||||
import * as Accounts from "./accounts";
|
import * as Accounts from "./accounts";
|
||||||
import express, { type RequestHandler } from "express"
|
import express, { type RequestHandler } from "express"
|
||||||
import ServeError from "../lib/errors";
|
import ServeError from "../lib/errors";
|
||||||
|
import * as auth from "./auth";
|
||||||
|
|
||||||
export let getAccount: RequestHandler = function(req, res, next) {
|
function tokenFor(req: express.Request) {
|
||||||
res.locals.acc = Accounts.getFromToken(req.cookies.auth || (
|
return req.cookies.auth || (
|
||||||
req.header("authorization")?.startsWith("Bearer ")
|
req.header("authorization")?.startsWith("Bearer ")
|
||||||
? req.header("authorization")?.split(" ")[1]
|
? req.header("authorization")?.split(" ")[1]
|
||||||
: undefined
|
: undefined
|
||||||
))
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
export const getAccount: RequestHandler = function(req, res, next) {
|
||||||
|
res.locals.acc = Accounts.getFromToken(tokenFor(req))
|
||||||
next()
|
next()
|
||||||
}
|
}
|
||||||
|
|
||||||
export let requiresAccount: RequestHandler = function(_req, res, next) {
|
export const requiresAccount: RequestHandler = function(_req, res, next) {
|
||||||
if (!res.locals.acc) {
|
if (!res.locals.acc) {
|
||||||
ServeError(res, 401, "not logged in")
|
ServeError(res, 401, "not logged in")
|
||||||
return
|
return
|
||||||
|
@ -19,10 +24,53 @@ export let requiresAccount: RequestHandler = function(_req, res, next) {
|
||||||
next()
|
next()
|
||||||
}
|
}
|
||||||
|
|
||||||
export let requiresAdmin: RequestHandler = function(_req, res, next) {
|
export const requiresAdmin: RequestHandler = function(_req, res, next) {
|
||||||
if (!res.locals.acc.admin) {
|
if (!res.locals.acc.admin) {
|
||||||
ServeError(res, 403, "you are not an administrator")
|
ServeError(res, 403, "you are not an administrator")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
next()
|
next()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
export namespace apiBlockers {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @description Blocks requests based on the permissions which a token has. Does not apply to routes being accessed with a token of type `User`
|
||||||
|
* @param tokenPermissions Permissions which your route requires.
|
||||||
|
* @returns Express middleware
|
||||||
|
*/
|
||||||
|
|
||||||
|
export const requiresPermissions = function(...tokenPermissions: auth.TokenPermission[]): RequestHandler {
|
||||||
|
return function(req, res, next) {
|
||||||
|
let token = tokenFor(req)
|
||||||
|
let type = auth.getType(token)
|
||||||
|
|
||||||
|
if (type == "App") {
|
||||||
|
let permissions = auth.getPermissions(token)
|
||||||
|
|
||||||
|
if (!permissions) ServeError(res, 403, "insufficient permissions")
|
||||||
|
else {
|
||||||
|
|
||||||
|
for (let v in tokenPermissions)
|
||||||
|
if (!permissions.includes(v as auth.TokenPermission)) {
|
||||||
|
ServeError(res,403,"insufficient permissions")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
next()
|
||||||
|
|
||||||
|
}
|
||||||
|
} else next()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @description Blocks requests based on whether or not the token being used to access the route is of type `User`.
|
||||||
|
*/
|
||||||
|
|
||||||
|
export const noAPIAccess: RequestHandler = function(req, res, next) {
|
||||||
|
if (auth.getType(tokenFor(req)) == "App") ServeError(res, 403, "apps are not allowed to access this endpoint")
|
||||||
|
else next()
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in a new issue