CoreID/app/routing/middleware/api/Permission.middleware.js

48 lines
1.6 KiB
JavaScript
Raw Permalink Normal View History

2020-05-12 01:26:09 +00:00
const { Middleware } = require('libflitter')
class PermissionMiddleware extends Middleware {
2020-05-21 02:17:07 +00:00
static get services() {
return [...super.services, 'models', 'activity']
2020-05-21 02:17:07 +00:00
}
2020-05-12 01:26:09 +00:00
async test(req, res, next, { check }) {
2020-05-21 02:17:07 +00:00
const Policy = this.models.get('iam:Policy')
// If the request was authorized using an OAuth2 bearer token,
// make sure the associated client has permission to access this endpoint.
if ( req?.oauth?.client ) {
if ( !req.oauth.client.can(check) ) {
const reason = 'oauth-permission-fail'
await this.activity.api_access_denial({
req,
reason,
check,
oauth_client_id: req.oauth.client.id,
})
return res.status(401)
.message('Insufficient permissions (OAuth2 Client).')
.api()
}
}
2020-05-21 02:17:07 +00:00
const policy_denied = await Policy.check_user_denied(req.user, check)
const policy_access = await Policy.check_user_access(req.user, check)
// Make sure the user has permission
if ( policy_denied || (!req.user.can(check) && !policy_access) ) {
// Record the failed API access
const reason = policy_denied ? 'iam-denial' : (!req.user.can(check) ? 'user-permission-fail' : 'iam-not-granted')
await this.activity.api_access_denial({ req, reason, check })
2020-05-12 01:26:09 +00:00
return res.status(401)
.message('Insufficient permissions.')
.api()
}
2020-05-12 01:26:09 +00:00
return next()
}
}
module.exports = exports = PermissionMiddleware