Update libflitter and add config to log API responses

Allow oauth2 clients to exercise permissions independent to the user
Permission middleware log oauth client UUID
2020-10-18 20:49:19 -05:00 · 2020-10-18 20:22:10 -05:00 · 2020-10-18 18:55:21 -05:00
5 changed files with 16 additions and 8 deletions
--- a/app/routing/middleware/api/Permission.middleware.js
+++ b/app/routing/middleware/api/Permission.middleware.js
@@ -17,13 +17,18 @@ class PermissionMiddleware extends Middleware {
                    req,
                    reason,
                    check,
-                    oauth_client_id: req.oauth.client.id,
+                    oauth_client_id: req.oauth.client.uuid,
                })

                return res.status(401)
                    .message('Insufficient permissions (OAuth2 Client).')
                    .api()
            }
+
+            // If the oauth2 client has this permission, then allow the request to continue,
+            // even if the user does not.
+            // OAuth2Clients need to be able to query users via the API.
+            return next()
        }

        const policy_denied = await Policy.check_user_denied(req.user, check)
--- a/app/routing/middleware/auth/APIRoute.middleware.js
+++ b/app/routing/middleware/auth/APIRoute.middleware.js
@@ -11,6 +11,7 @@ class APIRouteMiddleware extends Middleware {
            return next()
        } else if ( allow_token ) {
            if ( !req.oauth ) req.oauth = {}
+
            return req.app.oauth2.authorise()(req, res, async e => {
                if ( e ) return next(e)
                // Look up the OAuth2 client an inject it into the route
@@ -52,10 +53,10 @@ class APIRouteMiddleware extends Middleware {

                next()
            })
-        }
-
+        } else {
            return res.status(401).api()
        }
+    }
 }

 module.exports = exports = APIRouteMiddleware
--- a/config/server.config.js
+++ b/config/server.config.js
@@ -23,6 +23,8 @@ const server_config = {
        level: env("LOGGING_LEVEL", 2),

        include_timestamp: env("LOGGING_TIMESTAMP", false),
+
+        api_logging: env('LOG_API_RESPONSES', false),
    },

    session: {
--- a/package.json
+++ b/package.json
@@ -33,7 +33,7 @@
    "ioredis": "^4.17.1",
    "is-absolute-url": "^3.0.3",
    "ldapjs": "^1.0.2",
-    "libflitter": "^0.53.1",
+    "libflitter": "^0.55.0",
    "moment": "^2.24.0",
    "mongodb": "^3.5.9",
    "nodemailer": "^6.4.6",
--- a/yarn.lock
+++ b/yarn.lock
@@ -3235,10 +3235,10 @@ leven@^1.0.2:
  resolved "https://registry.yarnpkg.com/leven/-/leven-1.0.2.tgz#9144b6eebca5f1d0680169f1a6770dcea60b75c3"
  integrity sha1-kUS27ryl8dBoAWnxpncNzqYLdcM=

-libflitter@^0.53.1:
-  version "0.53.1"
-  resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.53.1.tgz#30b1838763a228fba8b9c820d2cad501c3aa0117"
-  integrity sha512-EK3okZyt0pmnpsZNx2lYOIcwgtmSOEPh4a5xE3pXM9RVc3dtXXscgJ5h9OvLTIN9WfRc7T5VTdpOjeAK6Xmysg==
+libflitter@^0.55.0:
+  version "0.55.0"
+  resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.55.0.tgz#9392f163950ceeda57a2a7c9cc7871672268b2f5"
+  integrity sha512-EM4wJbdS/5KCEPU+ylw/Z8GxseK8+HrbQNu8ooSNsDsEsmCzva8K0StK8NR50eJQQkqs6XwcuMm96Y5+X9CNTA==
  dependencies:
    colors "^1.3.3"
    connect-mongodb-session "^2.2.0"
Author	SHA1	Message	Date
garrettmills	1cd306157a	Update libflitter and add config to log API responses All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 20:49:19 -05:00
garrettmills	5eb0487c77	Allow oauth2 clients to exercise permissions independent to the user All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 20:22:10 -05:00
garrettmills	3f2680671b	Permission middleware log oauth client UUID All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 18:55:21 -05:00