@hitchy/plugin-auth 0.4.1 → 0.4.3

package/api/service/authorization/policy-generator.js

@@ -1,6 +1,10 @@
 "use strict";
 
 module.exports = function() {
+	const api = this;
+
+	const logError = api.log( "hitchy:plugin:auth:error" );
+
 	/**
 	 * Implements factory functions for policy handlers checking a requesting
 	 * user's authorization.
@@ -68,23 +72,14 @@ module.exports = function() {
 
 			const resources = Array.isArray( resource ) ? resource : [resource];
 
-			return function( req, res, next ) {
-				const user = req.user || undefined;
-				const roleNames = Array.isArray( user?.roles ) ? user.roles.map( role => role.name ) : [];
-
-				if ( roleNames.indexOf( this.services.AuthManager.adminRole ) > -1 ) {
-					next();
-					return;
-				}
-
-				const { current } = this.services.AuthorizationTree;
-				const numResources = resources.length;
-
-				for ( let i = 0; i < numResources; i++ ) {
-					if ( current.isAuthorized( resources[i], user, roleNames.length > 0 ? roleNames : undefined ) ) {
+			return async function( req, res, next ) {
+				try {
+					if ( await this.service.Authorization.mayAccess( req.user, resources ) ) {
 						next();
 						return;
 					}
+				} catch ( cause ) {
+					logError( "checking user's authorization has thrown -> rejecting access", cause );
 				}
 
 				res

package/api/service/authorization.js

@@ -0,0 +1,58 @@
+"use strict";
+
+module.exports = function() {
+	const api = this;
+	const { service } = api;
+
+	/**
+	 * Implements convenient helpers for inspecting a user's authorization based
+	 * on configured hierarchy of authorization rules.
+	 *
+	 * @alias Authorization
+	 */
+	class AuthorizationService {
+		/**
+		 * Checks if given user may access named resource(s).
+		 *
+		 * @param {string|User} user user to be tested
+		 * @param {string|string[]} resource name(s) of resource(s)
+		 * @param {boolean} checkAll if true, user has to be granted access on all named resources
+		 * @returns {Promise<boolean>} promise resolved with true if selected user may access (some or all of the) named resource(s)
+		 */
+		static async mayAccess( user, resource, checkAll = false ) {
+			if ( !resource ) {
+				throw new Error( "missing resources to test" );
+			}
+
+			if ( !user ) {
+				return false;
+			}
+
+			const userInfo = await service.AuthManager.asUser( user );
+
+			const resources = Array.isArray( resource ) ? resource : [resource];
+
+			const roleNames = Array.isArray( userInfo?.roles ) ? userInfo.roles.map( role => role.name ) : [];
+
+			if ( roleNames.indexOf( service.AuthManager.adminRole ) > -1 ) {
+				return true;
+			}
+
+			const { current: tree } = service.AuthorizationTree;
+
+			for ( const current of resources ) {
+				const isAuthorized = tree.isAuthorized( current, userInfo, roleNames.length > 0 ? roleNames : undefined );
+
+				if ( Boolean( isAuthorized ) !== Boolean( checkAll ) ) {
+					// either: may access current one + does not require access on all => return true
+					//     or: must not access current one + requires access on all => return false
+					return !checkAll;
+				}
+			}
+
+			return Boolean( checkAll );
+		}
+	}
+
+	return AuthorizationService;
+};

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@hitchy/plugin-auth",
-	"version": "0.4.1",
+	"version": "0.4.3",
 	"description": "user authentication and authorization for Hitchy",
 	"main": "index.js",
 	"types": "index.d.ts",
@@ -22,7 +22,10 @@
 	},
 	"homepage": "https://auth.hitchy.org",
 	"peerDependencies": {
-		"@hitchy/core": "0.8.x"
+		"@hitchy/core": "0.8.x",
+		"@hitchy/plugin-odem": "0.8.x",
+		"@hitchy/plugin-cookies": "0.1.x",
+		"@hitchy/plugin-session": "0.4.x"
 	},
 	"devDependencies": {
 		"@hitchy/server-dev-tools": "^0.4.9",
@@ -39,9 +42,6 @@
 		"vitepress": "^1.3.1"
 	},
 	"dependencies": {
-		"@hitchy/plugin-cookies": "^0.1.8",
-		"@hitchy/plugin-odem": "^0.7.8",
-		"@hitchy/plugin-session": "^0.4.1",
 		"passport": "^0.7.0",
 		"passport-local": "^1.0.0"
 	},