From 5eb0487c77e66c4f83738b2849ba75249e898ea3 Mon Sep 17 00:00:00 2001
From: garrettmills
Date: Sun, 18 Oct 2020 20:22:10 -0500
Subject: [PATCH] Allow oauth2 clients to exercise permissions independent to the user
---
 app/routing/middleware/api/Permission.middleware.js | 5 +++++
 app/routing/middleware/auth/APIRoute.middleware.js | 5 +++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/app/routing/middleware/api/Permission.middleware.js b/app/routing/middleware/api/Permission.middleware.js
index 545a786..5e74b39 100644
--- a/app/routing/middleware/api/Permission.middleware.js
+++ b/app/routing/middleware/api/Permission.middleware.js
@@ -24,6 +24,11 @@ class PermissionMiddleware extends Middleware {
 .message('Insufficient permissions (OAuth2 Client).')
 .api()
 }
+
+ // If the oauth2 client has this permission, then allow the request to continue,
+ // even if the user does not.
+ // OAuth2Clients need to be able to query users via the API.
+ return next()
 }
 const policy_denied = await Policy.check_user_denied(req.user, check)
diff --git a/app/routing/middleware/auth/APIRoute.middleware.js b/app/routing/middleware/auth/APIRoute.middleware.js
index 5edee17..8da4f35 100644
--- a/app/routing/middleware/auth/APIRoute.middleware.js
+++ b/app/routing/middleware/auth/APIRoute.middleware.js
@@ -11,6 +11,7 @@ class APIRouteMiddleware extends Middleware {
 return next()
 } else if ( allow_token ) {
 if ( !req.oauth ) req.oauth = {}
+
 return req.app.oauth2.authorise()(req, res, async e => {
 if ( e ) return next(e)
 // Look up the OAuth2 client an inject it into the route
@@ -52,9 +53,9 @@ class APIRouteMiddleware extends Middleware {
 next()
 })
+ } else {
+ return res.status(401).api()
 }
-
- return res.status(401).api()
 }
 }
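Review bot: The added `return next()` makes the OAuth2 client's grant sufficient on its own, so the user-level `Policy.check_user_denied(req.user, check)` a few lines below is never evaluated on this path: a request carrying a token for a permitted client now passes even when the user it acts for is explicitly denied. If the intent is only to let clients reach user-lookup endpoints without a user context, limit the early return to that case, e.g. `if ( !req.user ) return next()`, so the user denial check still applies whenever a user is attached; whether `req.user` is populated on the client-token path cannot be seen from this hunk, so confirm against APIRoute.middleware.js. If the client grant really is meant to override a user denial, the comment should state that directly rather than only that clients need to query users. The enclosing `if` that performs the client permission check starts before this hunk.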
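Review bot: The new `else` branch answers requests matched by neither earlier branch with `res.status(401).api()`, which makes the reject path explicit, but a failed token check on the `allow_token` path still exits via `next(e)` rather than a 401 API response, so the two authentication failure modes surface differently to API clients. A short comment on the new branch, `// No accepted authentication for this route: reject`, would make the intent readable, and it is worth confirming that the error handler reached through `next(e)` also yields a 401 rather than a generic error. The condition of the first `if` branch and the rest of the class body lie outside the hunk.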