CoreID/app/routing/middleware/api/Permission.middleware.js

const { Middleware } = require('libflitter')

class PermissionMiddleware extends Middleware {
    static get services() {
        return [...super.services, 'models', 'activity']
    }

    async test(req, res, next, { check }) {
        const Policy = this.models.get('iam:Policy')

        // If the request was authorized using an OAuth2 bearer token,
        // make sure the associated client has permission to access this endpoint.
        if ( req?.oauth?.client ) {
            if ( !req.oauth.client.can(check) ) {
                const reason = 'oauth-permission-fail'
                await this.activity.api_access_denial({
                    req,
                    reason,
                    check,
                    oauth_client_id: req.oauth.client.id,
                })

                return res.status(401)
                    .message('Insufficient permissions (OAuth2 Client).')
                    .api()
            }
        }

        const policy_denied = await Policy.check_user_denied(req.user, check)
        const policy_access = await Policy.check_user_access(req.user, check)

        // Make sure the user has permission
        if ( policy_denied || (!req.user.can(check) && !policy_access) ) {
            // Record the failed API access
            const reason = policy_denied ? 'iam-denial' : (!req.user.can(check) ? 'user-permission-fail' : 'iam-not-granted')
            await this.activity.api_access_denial({ req, reason, check })

            return res.status(401)
                .message('Insufficient permissions.')
                .api()
        }

        return next()
    }
}

module.exports = exports = PermissionMiddleware
Flesh out Cobalt, LDAP groups, &c. 2020-05-12 01:26:09 +00:00			`const { Middleware } = require('libflitter')`

			`class PermissionMiddleware extends Middleware {`
Add api_scope target for IAM policy 2020-05-21 02:17:07 +00:00			`static get services() {`
Expand activity tracking and add PasswordResetAlert job 2020-07-13 14:35:11 +00:00			`return [...super.services, 'models', 'activity']`
Add api_scope target for IAM policy 2020-05-21 02:17:07 +00:00			`}`

Flesh out Cobalt, LDAP groups, &c. 2020-05-12 01:26:09 +00:00			`async test(req, res, next, { check }) {`
Add api_scope target for IAM policy 2020-05-21 02:17:07 +00:00			`const Policy = this.models.get('iam:Policy')`

Implement OAuth2 server, link oauth:Client and auth::Oauth2Client, implement permission checks 2020-05-17 04:55:08 +00:00			`// If the request was authorized using an OAuth2 bearer token,`
			`// make sure the associated client has permission to access this endpoint.`
			`if ( req?.oauth?.client ) {`
Expand activity tracking and add PasswordResetAlert job 2020-07-13 14:35:11 +00:00			`if ( !req.oauth.client.can(check) ) {`
			`const reason = 'oauth-permission-fail'`
			`await this.activity.api_access_denial({`
			`req,`
			`reason,`
			`check,`
			`oauth_client_id: req.oauth.client.id,`
			`})`

Implement OAuth2 server, link oauth:Client and auth::Oauth2Client, implement permission checks 2020-05-17 04:55:08 +00:00			`return res.status(401)`
			`.message('Insufficient permissions (OAuth2 Client).')`
			`.api()`
Expand activity tracking and add PasswordResetAlert job 2020-07-13 14:35:11 +00:00			`}`
Implement OAuth2 server, link oauth:Client and auth::Oauth2Client, implement permission checks 2020-05-17 04:55:08 +00:00			`}`

Add api_scope target for IAM policy 2020-05-21 02:17:07 +00:00			`const policy_denied = await Policy.check_user_denied(req.user, check)`
			`const policy_access = await Policy.check_user_access(req.user, check)`

Implement OAuth2 server, link oauth:Client and auth::Oauth2Client, implement permission checks 2020-05-17 04:55:08 +00:00			`// Make sure the user has permission`
Expand activity tracking and add PasswordResetAlert job 2020-07-13 14:35:11 +00:00			`if ( policy_denied \|\| (!req.user.can(check) && !policy_access) ) {`
			`// Record the failed API access`
			`const reason = policy_denied ? 'iam-denial' : (!req.user.can(check) ? 'user-permission-fail' : 'iam-not-granted')`
			`await this.activity.api_access_denial({ req, reason, check })`

Flesh out Cobalt, LDAP groups, &c. 2020-05-12 01:26:09 +00:00			`return res.status(401)`
			`.message('Insufficient permissions.')`
			`.api()`
Expand activity tracking and add PasswordResetAlert job 2020-07-13 14:35:11 +00:00			`}`
Flesh out Cobalt, LDAP groups, &c. 2020-05-12 01:26:09 +00:00
			`return next()`
			`}`
			`}`

			`module.exports = exports = PermissionMiddleware`