
koa-accesscontrol

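"use strict";
// TypeScript-emitted helper that drives a generator as an async function.
// Left as generated; only reformatted.
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
    return new (P || (P = Promise))(function (resolve, reject) {
        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
        function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); }
        step((generator = generator.apply(thisArg, _arguments || [])).next());
    });
};
Object.defineProperty(exports, "__esModule", { value: true });
const utils_1 = require("./utils");
const accesscontrol_1 = require("accesscontrol");
const interfaces_1 = require("./interfaces");
const errors_1 = require("./errors");

// Module-level state populated by Authorization(): the AccessControl
// instance built from the grants, and the location in ctx where the
// caller's role is read from. One call to Authorization() per process is
// assumed; a second call replaces both for every middleware already created.
let accesscontrol;
let rolel;

/**
 * Builds the middleware factory.
 *
 * @param {object|Array} grants - grants definition handed to `new AccessControl(grants)`.
 * @param {*} roleLocation - where in `ctx` the caller's role lives; passed
 *   unchanged to `utils.valueAt(ctx, roleLocation)` (presumably a dotted
 *   path such as `state.user.role` — defined in ./utils, not shown here).
 * @returns {(options: object) => (ctx, next) => Promise<void>} a factory that,
 *   given `{ resource, operands? }`, returns a Koa middleware which checks and
 *   filters the request before `next()` and filters the response after it.
 */
function Authorization(grants, roleLocation) {
    accesscontrol = new accesscontrol_1.AccessControl(grants);
    rolel = roleLocation;
    return (options) => {
        return (ctx, next) => __awaiter(this, void 0, void 0, function* () {
            // Request phase: role/permission check plus request-body filtering.
            authorization(ctx, options, interfaces_1.Action.Request);
            yield next();
            // Response phase: same permission lookup, then response-body filtering.
            authorization(ctx, options, interfaces_1.Action.Response);
        });
    };
}
exports.Authorization = Authorization;

/**
 * Checks the caller's role against the grants for the current HTTP method
 * and resource, then filters the request or response body down to the
 * attributes the granted permission allows.
 *
 * @param {object} ctx - Koa context; `ctx.request.method`, `ctx.request.body`
 *   and `ctx.response.body` are read, the two bodies may be overwritten.
 * @param {{resource: string, operands?: Array}} options - `resource` is the
 *   grant resource name; `operands`, when present, must be exactly two
 *   locations in `ctx` whose values are compared with `utils.equal` to decide
 *   between the `*Own` and `*Any` action.
 * @param {*} action - `Action.Request` or `Action.Response` (from ./interfaces).
 * @throws {AuthorizationError} 'unauthorized_error' when the role is missing,
 *   unknown to the grants, or the permission is not granted.
 * @throws {Error} 'invalid_action' for HTTP methods other than
 *   POST/PUT/PATCH/GET/DELETE; 'operands_error' when `options.operands` does
 *   not have exactly two entries.
 */
function authorization(ctx, options, action) {
    const role = utils_1.valueAt(ctx, rolel);
    // Fail closed: no role, or a role the grants do not know, is rejected
    // before any permission lookup.
    if (!role || !accesscontrol.hasRole(role)) {
        throw new errors_1.AuthorizationError('unauthorized_error', 'Wrong role provided or undefined');
    }
    const actions = {};
    // Add an option to extend methods and actions used
    const query = accesscontrol.can(role);
    switch (ctx.request.method) {
        case 'POST':
            actions.any = 'createAny';
            actions.own = 'createOwn';
            break;
        // Fix: the original `case 'PUT' || 'PATCH':` evaluated to `case 'PUT':`
        // only, so PATCH requests always fell through to 'invalid_action'.
        case 'PUT':
        case 'PATCH':
            actions.any = 'updateAny';
            actions.own = 'updateOwn';
            break;
        case 'GET':
            actions.any = 'readAny';
            actions.own = 'readOwn';
            break;
        case 'DELETE':
            actions.any = 'deleteAny';
            actions.own = 'deleteOwn';
            break;
        default:
            // Unmapped methods (HEAD, OPTIONS, ...) are rejected rather than
            // granted by default. Note this is a plain Error, not AuthorizationError.
            throw new Error('invalid_action');
    }
    let permission;
    if (options.operands) {
        if (options.operands.length !== 2) {
            throw new Error('operands_error');
        }
        // Resolve both operand locations in ctx; equal values mean the caller
        // is acting on its own record, so the narrower `*Own` grant applies.
        const values = [];
        for (const operand of options.operands) {
            values.push(utils_1.valueAt(ctx, operand));
        }
        if (utils_1.equal(values)) {
            permission = query[actions.own](options.resource);
        } else {
            permission = query[actions.any](options.resource);
        }
    } else {
        permission = query[actions.any](options.resource);
    }
    if (!permission.granted) {
        throw new errors_1.AuthorizationError('unauthorized_error', 'Unauthorized Error');
    }
    if (action === interfaces_1.Action.Request && ctx.request.body) {
        // Filter request body (only when a body is present)
        ctx.request.body = permission.filter(ctx.request.body);
    } else if (action === interfaces_1.Action.Response) {
        // Filter response body. NOTE(review): unlike the request branch this
        // is not guarded on the body being set — confirm permission.filter
        // tolerates an undefined/null response body.
        ctx.response.body = permission.filter(ctx.response.body);
    }
}
//# sourceMappingURL=authorization.js.map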