Starship/CoreID
1
0
Fork 0
Code Issues 8 Pull Requests Releases 34 Wiki Activity

Add api authorization logging
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details

Browse Source
This commit is contained in:
Garrett Mills
2020-10-18 21:07:42 -05:00
parent 7c8a05aa4f
commit fac3431375
3 changed files with 25 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
app/routing/middleware/api/Permission.middleware.js
View File

@@ -8,23 +8,30 @@ class PermissionMiddleware extends Middleware {
async test(req, res, next, { check }) {
const Policy = this.models.get('iam:Policy')
req.additional_api_log_data.permission_check = check
// If the request was authorized using an OAuth2 bearer token,
// make sure the associated client has permission to access this endpoint.
if ( req?.oauth?.client ) {
if ( !req.oauth.client.can(check) ) {
const reason = 'oauth-permission-fail'
await this.activity.api_access_denial({
const fail_activity = await this.activity.api_access_denial({
req,
reason,
check,
oauth_client_id: req.oauth.client.uuid,
})
req.additional_api_log_data.permission_check_succeeded = false
req.additional_api_log_data.permission_check_activity_id = fail_activity.id
return res.status(401)
.message('Insufficient permissions (OAuth2 Client).')
.api()
}
req.additional_api_log_data.permission_check_succeeded = true
// If the oauth2 client has this permission, then allow the request to continue,
// even if the user does not.
// OAuth2Clients need to be able to query users via the API.
@@ -38,13 +45,18 @@ class PermissionMiddleware extends Middleware {
if ( policy_denied || (!req.user.can(check) && !policy_access) ) {
// Record the failed API access
const reason = policy_denied ? 'iam-denial' : (!req.user.can(check) ? 'user-permission-fail' : 'iam-not-granted')
await this.activity.api_access_denial({ req, reason, check })
const fail_activity = await this.activity.api_access_denial({ req, reason, check })
req.additional_api_log_data.permission_check_succeeded = false
req.additional_api_log_data.permission_check_reason = reason
req.additional_api_log_data.permission_check_activity_id = fail_activity.id
return res.status(401)
.message('Insufficient permissions.')
.api()
}
req.additional_api_log_data.permission_check_succeeded = true
return next()
}
}