@hitchy/plugin-auth 0.4.2 → 0.4.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -1,6 +1,10 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
|
|
3
3
|
module.exports = function() {
|
|
4
|
+
const api = this;
|
|
5
|
+
|
|
6
|
+
const logError = api.log( "hitchy:plugin:auth:error" );
|
|
7
|
+
|
|
4
8
|
/**
|
|
5
9
|
* Implements factory functions for policy handlers checking a requesting
|
|
6
10
|
* user's authorization.
|
|
@@ -68,23 +72,14 @@ module.exports = function() {
|
|
|
68
72
|
|
|
69
73
|
const resources = Array.isArray( resource ) ? resource : [resource];
|
|
70
74
|
|
|
71
|
-
return function( req, res, next ) {
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
if ( roleNames.indexOf( this.services.AuthManager.adminRole ) > -1 ) {
|
|
76
|
-
next();
|
|
77
|
-
return;
|
|
78
|
-
}
|
|
79
|
-
|
|
80
|
-
const { current } = this.services.AuthorizationTree;
|
|
81
|
-
const numResources = resources.length;
|
|
82
|
-
|
|
83
|
-
for ( let i = 0; i < numResources; i++ ) {
|
|
84
|
-
if ( current.isAuthorized( resources[i], user, roleNames.length > 0 ? roleNames : undefined ) ) {
|
|
75
|
+
return async function( req, res, next ) {
|
|
76
|
+
try {
|
|
77
|
+
if ( await this.service.Authorization.mayAccess( req.user, resources ) ) {
|
|
85
78
|
next();
|
|
86
79
|
return;
|
|
87
80
|
}
|
|
81
|
+
} catch ( cause ) {
|
|
82
|
+
logError( "checking user's authorization has thrown -> rejecting access", cause );
|
|
88
83
|
}
|
|
89
84
|
|
|
90
85
|
res
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
|
|
3
|
+
module.exports = function() {
|
|
4
|
+
const api = this;
|
|
5
|
+
const { service } = api;
|
|
6
|
+
|
|
7
|
+
/**
|
|
8
|
+
* Implements convenient helpers for inspecting a user's authorization based
|
|
9
|
+
* on configured hierarchy of authorization rules.
|
|
10
|
+
*
|
|
11
|
+
* @alias Authorization
|
|
12
|
+
*/
|
|
13
|
+
class AuthorizationService {
|
|
14
|
+
/**
|
|
15
|
+
* Checks if given user may access named resource(s).
|
|
16
|
+
*
|
|
17
|
+
* @param {string|User} user user to be tested
|
|
18
|
+
* @param {string|string[]} resource name(s) of resource(s)
|
|
19
|
+
* @param {boolean} checkAll if true, user has to be granted access on all named resources
|
|
20
|
+
* @returns {Promise<boolean>} promise resolved with true if selected user may access (some or all of the) named resource(s)
|
|
21
|
+
*/
|
|
22
|
+
static async mayAccess( user, resource, checkAll = false ) {
|
|
23
|
+
if ( !resource ) {
|
|
24
|
+
throw new Error( "missing resources to test" );
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
if ( !user ) {
|
|
28
|
+
return false;
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
const userInfo = await service.AuthManager.asUser( user );
|
|
32
|
+
|
|
33
|
+
const resources = Array.isArray( resource ) ? resource : [resource];
|
|
34
|
+
|
|
35
|
+
const roleNames = Array.isArray( userInfo?.roles ) ? userInfo.roles.map( role => role.name ) : [];
|
|
36
|
+
|
|
37
|
+
if ( roleNames.indexOf( service.AuthManager.adminRole ) > -1 ) {
|
|
38
|
+
return true;
|
|
39
|
+
}
|
|
40
|
+
|
|
41
|
+
const { current: tree } = service.AuthorizationTree;
|
|
42
|
+
|
|
43
|
+
for ( const current of resources ) {
|
|
44
|
+
const isAuthorized = tree.isAuthorized( current, userInfo, roleNames.length > 0 ? roleNames : undefined );
|
|
45
|
+
|
|
46
|
+
if ( Boolean( isAuthorized ) !== Boolean( checkAll ) ) {
|
|
47
|
+
// either: may access current one + does not require access on all => return true
|
|
48
|
+
// or: must not access current one + requires access on all => return false
|
|
49
|
+
return !checkAll;
|
|
50
|
+
}
|
|
51
|
+
}
|
|
52
|
+
|
|
53
|
+
return Boolean( checkAll );
|
|
54
|
+
}
|
|
55
|
+
}
|
|
56
|
+
|
|
57
|
+
return AuthorizationService;
|
|
58
|
+
};
|