@topgroup/diginext
Version:
A BUILD SERVER & CLI to deploy apps to any Kubernetes clusters.
149 lines (148 loc) • 6.08 kB
JavaScript
;
Object.defineProperty(exports, "__esModule", { value: true });
exports.authorize = void 0;
const response_1 = require("diginext-utils/dist/response");
const lodash_1 = require("lodash");
const mongodb_1 = require("../plugins/mongodb");
const user_utils_1 = require("../plugins/user-utils");
async function authorize(req, res, next) {
var _a;
try {
let { user } = req;
const { baseUrl, method, url, path } = req;
const routePath = (0, lodash_1.trimEnd)(`${baseUrl}${path}`, "/");
// console.log("authorize > route :>> ", route);
// filter roles
const wsId = ((_a = user.activeWorkspace) === null || _a === void 0 ? void 0 : _a._id)
? mongodb_1.MongoDB.toString(user.activeWorkspace._id)
: mongodb_1.MongoDB.toString(user.activeWorkspace);
[user] = await (0, user_utils_1.filterUsersByWorkspaceRole)(wsId, [user]);
// console.log("authorize > user :>> ", user);
// request permission:
let requestPermission;
switch (method.toLowerCase()) {
case "post":
requestPermission = "create";
break;
case "patch":
requestPermission = "update";
break;
case "delete":
requestPermission = "delete";
break;
default:
requestPermission = "read";
break;
}
// if the user doesn't have roles, reject the request!
if (!user || !user.activeRole)
return response_1.Response.rejected(res);
let isAllowed = false;
/**
* authorization logic here!
*/
// const { activeRole } = user;
const activeRole = user.activeRole;
// console.log("activeRole :>> ", activeRole);
const userId = mongodb_1.MongoDB.toString(user._id);
// If wildcard "*" route is specified:
let routeRole = activeRole.routes.find((routeInfo) => routeInfo.path === "*");
if (routeRole) {
if (!routeRole.permissions)
routeRole.permissions = [];
if (routeRole.permissions.includes(requestPermission)) {
isAllowed = true;
}
else {
// if permisions have "own" -> only have access to items which "owner" is "userID":
if (routeRole.permissions.includes("full")) {
// YOU ARE THE KING!
isAllowed = true;
}
else if (routeRole.permissions.includes("public") && routeRole.permissions.includes("own")) {
req.query.$or = [{ public: "true" }, { owner: userId }];
delete req.query.owner;
isAllowed = true;
}
else if (routeRole.permissions.includes("public")) {
req.query.public = "true";
isAllowed = true;
}
else if (routeRole.permissions.includes("own")) {
req.query.owner = userId;
isAllowed = true;
}
else {
isAllowed = false;
}
}
}
// Check again if a specific route is specified:
routeRole = activeRole.routes.find((routeInfo) => routeInfo.path === routePath);
// console.log("authorize() > routeRole :>> ", routeRole);
if (routeRole) {
if (!routeRole.permissions)
routeRole.permissions = [];
if (routeRole.permissions.includes(requestPermission)) {
delete req.query.owner;
isAllowed = true;
}
else {
// if permisions have "own" -> only have access to items which "owner" is "userID":
if (routeRole.permissions.includes("full")) {
delete req.query.owner;
isAllowed = true;
}
else if (routeRole.permissions.includes("public") && routeRole.permissions.includes("own")) {
req.query.$or = [{ public: true }, { owner: userId }];
delete req.query.owner;
isAllowed = true;
}
else if (routeRole.permissions.includes("public")) {
req.query.public = true;
isAllowed = true;
}
else if (routeRole.permissions.includes("own")) {
req.query.owner = mongodb_1.MongoDB.toString(user._id);
isAllowed = true;
}
else if (routeRole.permissions.includes("read")) {
delete req.query.owner;
}
else {
isAllowed = false;
}
}
}
// print the debug info
// console.log(
// chalk.cyan(`=====> AUTHORIZING : Request for permission > [${requestPermission}]`),
// `\n> API URL: ${routePath}`,
// `\n> URL Query:`,
// req.query,
// `\n> ROLE :>> [WS: ${activeRole.workspace}] ${activeRole.name}:`,
// `\n> routeRole:`,
// routeRole,
// `\n> Allowed permissions & routes: \n${activeRole.routes.map((r) => ` · ${r.path} - ${r.permissions.join(",") || "none"}`).join("\n")}`,
// `\n>>> ALLOW:`,
// isAllowed
// );
if (!isAllowed)
return response_1.Response.rejected(res);
// always lock query filter to workspace scope
if (req.baseUrl === "/api/v1/user" || req.baseUrl === "/api/v1/service_account" || req.baseUrl === "/api/v1/api_key") {
req.query.workspaces = wsId;
}
else {
req.query.workspace = wsId;
}
// re-assign user to express.Request
req.user = user;
req.role = activeRole;
next();
}
catch (e) {
next(e);
}
}
exports.authorize = authorize;