Allow oauth2 clients to exercise permissions independent to the user

Permission middleware log oauth client UUID
Use req.user to check auth instead of req.is_auth
2020-10-18 20:22:10 -05:00 · 2020-10-18 18:55:21 -05:00 · 2020-10-18 18:35:55 -05:00 · 2020-10-18 17:19:26 -05:00
2 changed files with 11 additions and 4 deletions
--- a/app/routing/middleware/api/Permission.middleware.js
+++ b/app/routing/middleware/api/Permission.middleware.js
@@ -17,13 +17,18 @@ class PermissionMiddleware extends Middleware {
                    req,
                    reason,
                    check,
-                    oauth_client_id: req.oauth.client.id,
+                    oauth_client_id: req.oauth.client.uuid,
                })

                return res.status(401)
                    .message('Insufficient permissions (OAuth2 Client).')
                    .api()
            }
+
+            // If the oauth2 client has this permission, then allow the request to continue,
+            // even if the user does not.
+            // OAuth2Clients need to be able to query users via the API.
+            return next()
        }

        const policy_denied = await Policy.check_user_denied(req.user, check)
--- a/app/routing/middleware/auth/APIRoute.middleware.js
+++ b/app/routing/middleware/auth/APIRoute.middleware.js
@@ -7,9 +7,11 @@ class APIRouteMiddleware extends Middleware {

    async test(req, res, next, { allow_token = true, allow_user = true }) {
        // First, check if there is a user in the session.
-        if ( allow_user && req.is_auth ) {
+        if ( allow_user && req.user ) {
            return next()
        } else if ( allow_token ) {
+            if ( !req.oauth ) req.oauth = {}
+
            return req.app.oauth2.authorise()(req, res, async e => {
                if ( e ) return next(e)
                // Look up the OAuth2 client an inject it into the route
@@ -51,9 +53,9 @@ class APIRouteMiddleware extends Middleware {

                next()
            })
+        } else {
+            return res.status(401).api()
        }
-
-        return res.status(401).api()
    }
 }
Author	SHA1	Message	Date
garrettmills	5eb0487c77	Allow oauth2 clients to exercise permissions independent to the user All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 20:22:10 -05:00
garrettmills	3f2680671b	Permission middleware log oauth client UUID All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 18:55:21 -05:00
garrettmills	fd06e17d7d	Use req.user to check auth instead of req.is_auth All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 18:35:55 -05:00
garrettmills	efdea10b14	Guarantee req.oauth in APIRoute middleware All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 17:19:26 -05:00