UNPKG

@topgroup/diginext

Version:

A BUILD SERVER & CLI to deploy apps to any Kubernetes clusters.

149 lines (148 loc) 6.08 kB
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.authorize = void 0; const response_1 = require("diginext-utils/dist/response"); const lodash_1 = require("lodash"); const mongodb_1 = require("../plugins/mongodb"); const user_utils_1 = require("../plugins/user-utils"); async function authorize(req, res, next) { var _a; try { let { user } = req; const { baseUrl, method, url, path } = req; const routePath = (0, lodash_1.trimEnd)(`${baseUrl}${path}`, "/"); // console.log("authorize > route :>> ", route); // filter roles const wsId = ((_a = user.activeWorkspace) === null || _a === void 0 ? void 0 : _a._id) ? mongodb_1.MongoDB.toString(user.activeWorkspace._id) : mongodb_1.MongoDB.toString(user.activeWorkspace); [user] = await (0, user_utils_1.filterUsersByWorkspaceRole)(wsId, [user]); // console.log("authorize > user :>> ", user); // request permission: let requestPermission; switch (method.toLowerCase()) { case "post": requestPermission = "create"; break; case "patch": requestPermission = "update"; break; case "delete": requestPermission = "delete"; break; default: requestPermission = "read"; break; } // if the user doesn't have roles, reject the request! if (!user || !user.activeRole) return response_1.Response.rejected(res); let isAllowed = false; /** * authorization logic here! */ // const { activeRole } = user; const activeRole = user.activeRole; // console.log("activeRole :>> ", activeRole); const userId = mongodb_1.MongoDB.toString(user._id); // If wildcard "*" route is specified: let routeRole = activeRole.routes.find((routeInfo) => routeInfo.path === "*"); if (routeRole) { if (!routeRole.permissions) routeRole.permissions = []; if (routeRole.permissions.includes(requestPermission)) { isAllowed = true; } else { // if permisions have "own" -> only have access to items which "owner" is "userID": if (routeRole.permissions.includes("full")) { // YOU ARE THE KING! isAllowed = true; } else if (routeRole.permissions.includes("public") && routeRole.permissions.includes("own")) { req.query.$or = [{ public: "true" }, { owner: userId }]; delete req.query.owner; isAllowed = true; } else if (routeRole.permissions.includes("public")) { req.query.public = "true"; isAllowed = true; } else if (routeRole.permissions.includes("own")) { req.query.owner = userId; isAllowed = true; } else { isAllowed = false; } } } // Check again if a specific route is specified: routeRole = activeRole.routes.find((routeInfo) => routeInfo.path === routePath); // console.log("authorize() > routeRole :>> ", routeRole); if (routeRole) { if (!routeRole.permissions) routeRole.permissions = []; if (routeRole.permissions.includes(requestPermission)) { delete req.query.owner; isAllowed = true; } else { // if permisions have "own" -> only have access to items which "owner" is "userID": if (routeRole.permissions.includes("full")) { delete req.query.owner; isAllowed = true; } else if (routeRole.permissions.includes("public") && routeRole.permissions.includes("own")) { req.query.$or = [{ public: true }, { owner: userId }]; delete req.query.owner; isAllowed = true; } else if (routeRole.permissions.includes("public")) { req.query.public = true; isAllowed = true; } else if (routeRole.permissions.includes("own")) { req.query.owner = mongodb_1.MongoDB.toString(user._id); isAllowed = true; } else if (routeRole.permissions.includes("read")) { delete req.query.owner; } else { isAllowed = false; } } } // print the debug info // console.log( // chalk.cyan(`=====> AUTHORIZING : Request for permission > [${requestPermission}]`), // `\n> API URL: ${routePath}`, // `\n> URL Query:`, // req.query, // `\n> ROLE :>> [WS: ${activeRole.workspace}] ${activeRole.name}:`, // `\n> routeRole:`, // routeRole, // `\n> Allowed permissions & routes: \n${activeRole.routes.map((r) => ` · ${r.path} - ${r.permissions.join(",") || "none"}`).join("\n")}`, // `\n>>> ALLOW:`, // isAllowed // ); if (!isAllowed) return response_1.Response.rejected(res); // always lock query filter to workspace scope if (req.baseUrl === "/api/v1/user" || req.baseUrl === "/api/v1/service_account" || req.baseUrl === "/api/v1/api_key") { req.query.workspaces = wsId; } else { req.query.workspace = wsId; } // re-assign user to express.Request req.user = user; req.role = activeRole; next(); } catch (e) { next(e); } } exports.authorize = authorize;