authorization/perms checking

api/ani/v1/routes/user.js

@@ -22,8 +22,8 @@ module.exports = (app, router) => {
                 if (!req.body) {return res.status(400).send("Missing body!");}
                 if (
                     !req.body.name || !req.body.discord || !req.body.permissions || !Array.isArray(req.body.permissions)
-                    || !req.body.name.match(/^[\w_ ]+$/gm) || req.body.name.length > 20
+                    || !req.body.name.match(/^[\w_\- ]+$/gm) || req.body.name.length > 20
-                    || !req.params.id.match(/^[\w_]+$/gm) || req.params.id.length > 15
+                    || !req.params.id.match(/^[\w_\-]+$/gm) || req.params.id.length > 15
                     || !req.body.password || req.body.password.length > 30
                 ) {return res.status(400).send("Malformed body or missing body data. Make sure you have all the required parameters, and you don't have illegal characters present.");}
                 
@@ -80,7 +80,7 @@ module.exports = (app, router) => {
             });
         });
 
-    router.use('/user/:id/permissions', app.auth.tokenPass, async (req, res, next) => {
+    router.use('/user/:id/permissions', app.auth.tokenPass, app.auth.permsPass('edit-users'), async (req, res, next) => {
         if (!req.params.id) {return res.status(400).send("Missing ID!");}
         const user = await Users.findOne({id: req.params.id.toLowerCase()});
         if (!user) {return res.status(404).send("That user doesn't exist!");}
@@ -93,5 +93,9 @@ module.exports = (app, router) => {
         req.user.permissions = permissions;
         req.user.markModified('permissions');
         await req.user.save();
-    }, (req, res, next) => {if (!req.authenticatedUser) {return res.status(401).send("You must be authenticated before you do that!");} return next();}));
+    }, (req, res, next) => {
+        if (!req.authenticatedUser) {return res.status(401).send("You must be authenticated before you do that!");}
+        if (req.unauthorized) {return res.status(401).send("You are not authorized to edit users!");}
+        return next();
+    }));
 };

api/index.js

@@ -34,8 +34,10 @@ server = app.listen(4062, async () => {
 
     require('../db/build')(app); //place all models in memory to prevent double-compiling
 
-    app.auth.token = require('./util/baseAuthorize')(app); //jwt token validation
+    app.auth.token = require('./util/auth/authenticate')(app); //jwt token validation
-    app.auth.tokenPass = require('./util/baseAuthorize')(app, true); //"next()" will run even if auth is not passed
+    app.auth.tokenPass = require('./util/auth/authenticate')(app, true); //"next()" will run even if auth is not passed
+    app.auth.perms = require('./util/auth/authorize')(app); //permissions checking
+    app.auth.permsPass = require('./util/auth/authorize')(app, true);
     
     app.util = {};
     app.util.list = require('./util/list');

api/util/auth/authorize.js

@@ -0,0 +1,18 @@
+module.exports = (app, passAuth) => {
+    return requiredPermissions => {
+        if (!Array.isArray(requiredPermissions)) {requiredPermissions = [requiredPermissions];}
+        return (req, res, next) => {
+            if (!req.authenticatedUser) {return next();}
+            if (req.authenticatedUser.permissions.includes("admin")) {return next();}
+            else {
+                let hasAllPerms = true;
+                for (let permission of requiredPermissions) {
+                    if (!req.authenticatedUser.permissions.includes(permission)) {hasAllPerms = false;}
+                }
+                
+                if (!hasAllPerms) {req.unauthorized = true; return passAuth ? next() : res.status(401).send("You are not authorized to do that!");}
+                else {return next();}
+            }
+        };
+    };
+};