authorization/perms checking

master
Kit Kasune 2 years ago
parent 215c458b56
commit 6fe11be108
  1. 12
      api/ani/v1/routes/user.js
  2. 6
      api/index.js
  3. 0
      api/util/auth/authenticate.js
  4. 18
      api/util/auth/authorize.js

@ -22,8 +22,8 @@ module.exports = (app, router) => {
if (!req.body) {return res.status(400).send("Missing body!");} if (!req.body) {return res.status(400).send("Missing body!");}
if ( if (
!req.body.name || !req.body.discord || !req.body.permissions || !Array.isArray(req.body.permissions) !req.body.name || !req.body.discord || !req.body.permissions || !Array.isArray(req.body.permissions)
|| !req.body.name.match(/^[\w_ ]+$/gm) || req.body.name.length > 20 || !req.body.name.match(/^[\w_\- ]+$/gm) || req.body.name.length > 20
|| !req.params.id.match(/^[\w_]+$/gm) || req.params.id.length > 15 || !req.params.id.match(/^[\w_\-]+$/gm) || req.params.id.length > 15
|| !req.body.password || req.body.password.length > 30 || !req.body.password || req.body.password.length > 30
) {return res.status(400).send("Malformed body or missing body data. Make sure you have all the required parameters, and you don't have illegal characters present.");} ) {return res.status(400).send("Malformed body or missing body data. Make sure you have all the required parameters, and you don't have illegal characters present.");}
@ -80,7 +80,7 @@ module.exports = (app, router) => {
}); });
}); });
router.use('/user/:id/permissions', app.auth.tokenPass, async (req, res, next) => { router.use('/user/:id/permissions', app.auth.tokenPass, app.auth.permsPass('edit-users'), async (req, res, next) => {
if (!req.params.id) {return res.status(400).send("Missing ID!");} if (!req.params.id) {return res.status(400).send("Missing ID!");}
const user = await Users.findOne({id: req.params.id.toLowerCase()}); const user = await Users.findOne({id: req.params.id.toLowerCase()});
if (!user) {return res.status(404).send("That user doesn't exist!");} if (!user) {return res.status(404).send("That user doesn't exist!");}
@ -93,5 +93,9 @@ module.exports = (app, router) => {
req.user.permissions = permissions; req.user.permissions = permissions;
req.user.markModified('permissions'); req.user.markModified('permissions');
await req.user.save(); await req.user.save();
}, (req, res, next) => {if (!req.authenticatedUser) {return res.status(401).send("You must be authenticated before you do that!");} return next();})); }, (req, res, next) => {
if (!req.authenticatedUser) {return res.status(401).send("You must be authenticated before you do that!");}
if (req.unauthorized) {return res.status(401).send("You are not authorized to edit users!");}
return next();
}));
}; };
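Review bot: The trailing check added in the last hunk answers an authenticated caller who lacks the permission with 401, which is the status for missing credentials; the permission-denied branch should be `if (req.unauthorized) {return res.status(403).send("You are not authorized to edit users!");}`. Because the route uses the pass-through `app.auth.permsPass('edit-users')`, this trailing function is the only thing enforcing the denial, and the wrapper closed at `}));` hides whether it runs before or after the async handler; if the handler runs first, the `req.user.save()` earlier in the same hunk is executed before the refusal is sent, so the wrapper's order should be confirmed or the route switched to the strict `app.auth.perms('edit-users')`, which responds without calling `next()`. In the first hunk the name and id patterns keep the `m` flag, so `^` and `$` anchor at line boundaries and a value containing a newline followed by otherwise disallowed characters still satisfies `.match`; dropping the flags (`/^[\w_\- ]+$/` and `/^[\w_\-]+$/`) makes the anchors cover the whole string. The route handler and the enclosing `module.exports` start and end outside the hunks.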

@ -34,8 +34,10 @@ server = app.listen(4062, async () => {
require('../db/build')(app); //place all models in memory to prevent double-compiling require('../db/build')(app); //place all models in memory to prevent double-compiling
app.auth.token = require('./util/baseAuthorize')(app); //jwt token validation app.auth.token = require('./util/auth/authenticate')(app); //jwt token validation
app.auth.tokenPass = require('./util/baseAuthorize')(app, true); //"next()" will run even if auth is not passed app.auth.tokenPass = require('./util/auth/authenticate')(app, true); //"next()" will run even if auth is not passed
app.auth.perms = require('./util/auth/authorize')(app); //permissions checking
app.auth.permsPass = require('./util/auth/authorize')(app, true);
app.util = {}; app.util = {};
app.util.list = require('./util/list'); app.util.list = require('./util/list');
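Review bot: The new `app.auth.permsPass` line has no comment, while the neighbouring `tokenPass` line spells out its pass-through behaviour; the distinction matters because the pass variant lets the request continue and only flags it, leaving enforcement to the route. Suggest `app.auth.permsPass = require('./util/auth/authorize')(app, true); //"next()" will run even if permissions are missing; sets req.unauthorized for the route to check` (the flag name is taken from authorize.js in this commit). The `app.listen` callback starts and ends outside the hunk.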

@ -0,0 +1,18 @@
module.exports = (app, passAuth) => {
return requiredPermissions => {
if (!Array.isArray(requiredPermissions)) {requiredPermissions = [requiredPermissions];}
return (req, res, next) => {
if (!req.authenticatedUser) {return next();}
if (req.authenticatedUser.permissions.includes("admin")) {return next();}
else {
let hasAllPerms = true;
for (let permission of requiredPermissions) {
if (!req.authenticatedUser.permissions.includes(permission)) {hasAllPerms = false;}
}
if (!hasAllPerms) {req.unauthorized = true; return passAuth ? next() : res.status(401).send("You are not authorized to do that!");}
else {return next();}
}
};
};
};
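Review bot: The first guard in the returned middleware calls `next()` whenever `req.authenticatedUser` is absent, regardless of `passAuth`, so the strict `perms` variant never denies an unauthenticated request itself and depends entirely on `app.auth.token` having run earlier in the chain; in strict mode it should respond, `return passAuth ? next() : res.status(401).send(...)`. The denial for a missing permission also uses 401, which signals missing credentials, whereas an authenticated caller who lacks a permission should receive 403. `req.authenticatedUser.permissions.includes(...)` throws if a stored user has no `permissions` array, which would surface as a 500 instead of a denial, and the flag-and-loop check can be replaced by `Array.prototype.every`. The fence below shows the inner middleware with these changes; the outer `module.exports` and the `requiredPermissions` normalisation are unchanged.
```javascript
return (req, res, next) => {
  if (!req.authenticatedUser) {
    return passAuth ? next() : res.status(401).send("You must be authenticated before you do that!");
  }
  const perms = req.authenticatedUser.permissions || [];
  if (perms.includes("admin")) {return next();}
  const hasAllPerms = requiredPermissions.every(permission => perms.includes(permission));
  if (!hasAllPerms) {
    req.unauthorized = true;
    return passAuth ? next() : res.status(403).send("You are not authorized to do that!");
  }
  return next();
};
```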