npm - @serve.zone/dcrouter - Versions diffs - 13.31.0 → 13.32.1 - Mend

@serve.zone/dcrouter 13.31.0 → 13.32.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (80) hide show

package/dist_serve/bundle.js +721 -721
package/dist_ts/00_commitinfo_data.js +1 -1
package/dist_ts/config/classes.route-config-manager.d.ts +1 -0
package/dist_ts/config/classes.route-config-manager.js +28 -3
package/dist_ts/config/classes.target-profile-manager.d.ts +1 -0
package/dist_ts/config/classes.target-profile-manager.js +11 -8
package/dist_ts/opsserver/classes.opsserver.d.ts +4 -2
package/dist_ts/opsserver/classes.opsserver.js +2 -11
package/dist_ts/opsserver/handlers/acme-config.handler.js +7 -24
package/dist_ts/opsserver/handlers/admin.handler.d.ts +3 -1
package/dist_ts/opsserver/handlers/admin.handler.js +95 -110
package/dist_ts/opsserver/handlers/api-token.handler.js +28 -2
package/dist_ts/opsserver/handlers/certificate.handler.js +7 -24
package/dist_ts/opsserver/handlers/config.handler.js +3 -1
package/dist_ts/opsserver/handlers/dns-provider.handler.js +7 -24
package/dist_ts/opsserver/handlers/dns-record.handler.js +7 -24
package/dist_ts/opsserver/handlers/domain.handler.js +7 -24
package/dist_ts/opsserver/handlers/email-domain.handler.js +7 -24
package/dist_ts/opsserver/handlers/email-ops.handler.js +8 -1
package/dist_ts/opsserver/handlers/logs.handler.js +4 -1
package/dist_ts/opsserver/handlers/network-target.handler.js +7 -24
package/dist_ts/opsserver/handlers/radius.handler.js +32 -1
package/dist_ts/opsserver/handlers/remoteingress.handler.js +24 -1
package/dist_ts/opsserver/handlers/route-management.handler.js +7 -26
package/dist_ts/opsserver/handlers/security.handler.js +32 -7
package/dist_ts/opsserver/handlers/source-profile.handler.js +7 -24
package/dist_ts/opsserver/handlers/stats.handler.js +8 -1
package/dist_ts/opsserver/handlers/target-profile.handler.js +7 -24
package/dist_ts/opsserver/handlers/users.handler.js +33 -13
package/dist_ts/opsserver/handlers/vpn.handler.js +34 -1
package/dist_ts/opsserver/handlers/workhoster.handler.js +16 -35
package/dist_ts/opsserver/helpers/auth.d.ts +21 -0
package/dist_ts/opsserver/helpers/auth.js +63 -0
package/dist_ts_interfaces/data/route-management.d.ts +2 -1
package/dist_ts_interfaces/data/route-management.js +48 -2
package/dist_ts_interfaces/requests/api-tokens.d.ts +10 -5
package/dist_ts_interfaces/requests/combined.stats.d.ts +2 -1
package/dist_ts_interfaces/requests/config.d.ts +2 -1
package/dist_ts_interfaces/requests/email-ops.d.ts +6 -3
package/dist_ts_interfaces/requests/logs.d.ts +4 -2
package/dist_ts_interfaces/requests/radius.d.ts +24 -12
package/dist_ts_interfaces/requests/remoteingress.d.ts +14 -7
package/dist_ts_interfaces/requests/security-policy.d.ts +16 -8
package/dist_ts_interfaces/requests/stats.d.ts +18 -9
package/dist_ts_interfaces/requests/users.d.ts +6 -3
package/dist_ts_interfaces/requests/vpn.d.ts +22 -11
package/dist_ts_interfaces/requests/workhoster.d.ts +10 -5
package/dist_ts_migrations/index.js +3 -1
package/dist_ts_web/00_commitinfo_data.js +1 -1
package/dist_ts_web/elements/access/ops-view-apitokens.js +2 -21
package/package.json +4 -4
package/ts/00_commitinfo_data.ts +1 -1
package/ts/config/classes.route-config-manager.ts +35 -2
package/ts/config/classes.target-profile-manager.ts +10 -7
package/ts/opsserver/classes.opsserver.ts +3 -14
package/ts/opsserver/handlers/acme-config.handler.ts +6 -23
package/ts/opsserver/handlers/admin.handler.ts +109 -123
package/ts/opsserver/handlers/api-token.handler.ts +27 -1
package/ts/opsserver/handlers/certificate.handler.ts +6 -23
package/ts/opsserver/handlers/config.handler.ts +2 -0
package/ts/opsserver/handlers/dns-provider.handler.ts +6 -23
package/ts/opsserver/handlers/dns-record.handler.ts +6 -23
package/ts/opsserver/handlers/domain.handler.ts +6 -23
package/ts/opsserver/handlers/email-domain.handler.ts +6 -23
package/ts/opsserver/handlers/email-ops.handler.ts +7 -0
package/ts/opsserver/handlers/logs.handler.ts +3 -0
package/ts/opsserver/handlers/network-target.handler.ts +6 -23
package/ts/opsserver/handlers/radius.handler.ts +31 -0
package/ts/opsserver/handlers/remoteingress.handler.ts +23 -0
package/ts/opsserver/handlers/route-management.handler.ts +6 -25
package/ts/opsserver/handlers/security.handler.ts +31 -6
package/ts/opsserver/handlers/source-profile.handler.ts +6 -23
package/ts/opsserver/handlers/stats.handler.ts +7 -0
package/ts/opsserver/handlers/target-profile.handler.ts +6 -23
package/ts/opsserver/handlers/users.handler.ts +32 -12
package/ts/opsserver/handlers/vpn.handler.ts +33 -0
package/ts/opsserver/handlers/workhoster.handler.ts +18 -33
package/ts/opsserver/helpers/auth.ts +91 -0
package/ts_web/00_commitinfo_data.ts +1 -1
package/ts_web/elements/access/ops-view-apitokens.ts +1 -20

package/ts/opsserver/handlers/stats.handler.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import * as interfaces from '../../../ts_interfaces/index.js';
 import { MetricsManager } from '../../monitoring/index.js';
 import { SecurityLogger } from '../../security/classes.securitylogger.js';
 import { commitinfo } from '../../00_commitinfo_data.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 export class StatsHandler {
   constructor(private opsServerRef: OpsServer) {
@@ -19,6 +20,7 @@ export class StatsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServerStatistics>(
         'getServerStatistics',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'stats:read' });
           const stats = await this.collectServerStats();
           return {
             stats: {
@@ -42,6 +44,7 @@ export class StatsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetEmailStatistics>(
         'getEmailStatistics',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'stats:read' });
           const emailServer = this.opsServerRef.dcRouterRef.emailServer;
           if (!emailServer) {
             return {
@@ -81,6 +84,7 @@ export class StatsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDnsStatistics>(
         'getDnsStatistics',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'stats:read' });
           const dnsServer = this.opsServerRef.dcRouterRef.dnsServer;
           if (!dnsServer) {
             return {
@@ -118,6 +122,7 @@ export class StatsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetQueueStatus>(
         'getQueueStatus',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'stats:read' });
           const emailServer = this.opsServerRef.dcRouterRef.emailServer;
           const queues: interfaces.data.IQueueStatus[] = [];
@@ -146,6 +151,7 @@ export class StatsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetHealthStatus>(
         'getHealthStatus',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'stats:read' });
           const health = await this.checkHealthStatus();
           return {
             health: {
@@ -171,6 +177,7 @@ export class StatsHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetCombinedMetrics>(
         'getCombinedMetrics',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'stats:read' });
           const sections = dataArg.sections || {
             server: true,
             email: true,

package/ts/opsserver/handlers/target-profile.handler.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 export class TargetProfileHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -14,29 +15,11 @@ export class TargetProfileHandler {
     request: { identity?: interfaces.data.IIdentity; apiToken?: string },
     requiredScope?: interfaces.data.TApiTokenScope,
   ): Promise<string> {
-    if (request.identity?.jwt) {
-      try {
-        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
-          identity: request.identity,
-        });
-        if (isAdmin) return request.identity.userId;
-      } catch { /* fall through */ }
-    }
-    if (request.apiToken) {
-      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
-      if (tokenManager) {
-        const token = await tokenManager.validateToken(request.apiToken);
-        if (token) {
-          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
-            return token.createdBy;
-          }
-          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
-        }
-      }
-    }
-    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+    const auth = await requireOpsAuth(this.opsServerRef, request, {
+      scope: requiredScope,
+      requireAdminIdentity: requiredScope?.endsWith(':write'),
+    });
+    return auth.userId;
   }
   private registerHandlers(): void {

package/ts/opsserver/handlers/users.handler.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 /**
  * Handler for OpsServer user accounts. Registers on adminRouter,
@@ -20,7 +21,12 @@ export class UsersHandler {
     router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListUsers>(
         'listUsers',
-        async (_dataArg) => {
+        async (dataArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'users:read',
+            requireAdminIdentity: true,
+            requireAdminToken: true,
+          });
           const users = await this.opsServerRef.adminHandler.listUsers();
           return { users };
         },
@@ -30,23 +36,37 @@ export class UsersHandler {
     router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateUser>(
         'createUser',
-        async (dataArg) => this.opsServerRef.adminHandler.createUser({
-          email: dataArg.email,
-          name: dataArg.name,
-          role: dataArg.role,
-          password: dataArg.password,
-          enableIdpGlobalAuth: dataArg.enableIdpGlobalAuth,
-        }),
+        async (dataArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'users:manage',
+            requireAdminIdentity: true,
+            requireAdminToken: true,
+          });
+          return this.opsServerRef.adminHandler.createUser({
+            email: dataArg.email,
+            name: dataArg.name,
+            role: dataArg.role,
+            password: dataArg.password,
+            enableIdpGlobalAuth: dataArg.enableIdpGlobalAuth,
+          });
+        },
       ),
     );
     router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteUser>(
         'deleteUser',
-        async (dataArg) => this.opsServerRef.adminHandler.deleteUser({
-          id: dataArg.id,
-          requestingUserId: dataArg.identity.userId,
-        }),
+        async (dataArg) => {
+          const auth = await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'users:manage',
+            requireAdminIdentity: true,
+            requireAdminToken: true,
+          });
+          return this.opsServerRef.adminHandler.deleteUser({
+            id: dataArg.id,
+            requestingUserId: auth.userId,
+          });
+        },
       ),
     );
   }

package/ts/opsserver/handlers/vpn.handler.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 export class VpnHandler {
   constructor(private opsServerRef: OpsServer) {
@@ -18,6 +19,7 @@ export class VpnHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetVpnClients>(
         'getVpnClients',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'vpn:read' });
           const manager = this.opsServerRef.dcRouterRef.vpnManager;
           if (!manager) {
             return { clients: [] };
@@ -49,6 +51,7 @@ export class VpnHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetVpnStatus>(
         'getVpnStatus',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'vpn:read' });
           const manager = this.opsServerRef.dcRouterRef.vpnManager;
           const vpnConfig = this.opsServerRef.dcRouterRef.options.vpnConfig;
           if (!manager) {
@@ -84,6 +87,7 @@ export class VpnHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetVpnConnectedClients>(
         'getVpnConnectedClients',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'vpn:read' });
           const manager = this.opsServerRef.dcRouterRef.vpnManager;
           if (!manager) {
             return { connectedClients: [] };
@@ -111,6 +115,10 @@ export class VpnHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateVpnClient>(
         'createVpnClient',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'vpn:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.vpnManager;
           if (!manager) {
             return { success: false, message: 'VPN not configured' };
@@ -168,6 +176,10 @@ export class VpnHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateVpnClient>(
         'updateVpnClient',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'vpn:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.vpnManager;
           if (!manager) {
             return { success: false, message: 'VPN not configured' };
@@ -198,6 +210,10 @@ export class VpnHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteVpnClient>(
         'deleteVpnClient',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'vpn:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.vpnManager;
           if (!manager) {
             return { success: false, message: 'VPN not configured' };
@@ -218,6 +234,10 @@ export class VpnHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_EnableVpnClient>(
         'enableVpnClient',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'vpn:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.vpnManager;
           if (!manager) {
             return { success: false, message: 'VPN not configured' };
@@ -238,6 +258,10 @@ export class VpnHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DisableVpnClient>(
         'disableVpnClient',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'vpn:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.vpnManager;
           if (!manager) {
             return { success: false, message: 'VPN not configured' };
@@ -258,6 +282,10 @@ export class VpnHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RotateVpnClientKey>(
         'rotateVpnClientKey',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'vpn:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.vpnManager;
           if (!manager) {
             return { success: false, message: 'VPN not configured' };
@@ -281,6 +309,10 @@ export class VpnHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ExportVpnClientConfig>(
         'exportVpnClientConfig',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'vpn:write',
+            requireAdminIdentity: true,
+          });
           const manager = this.opsServerRef.dcRouterRef.vpnManager;
           if (!manager) {
             return { success: false, message: 'VPN not configured' };
@@ -301,6 +333,7 @@ export class VpnHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetVpnClientTelemetry>(
         'getVpnClientTelemetry',
         async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'vpn:read' });
           const manager = this.opsServerRef.dcRouterRef.vpnManager;
           if (!manager) {
             return { success: false, message: 'VPN not configured' };

package/ts/opsserver/handlers/workhoster.handler.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireOpsAuth } from '../helpers/auth.js';
 type TAuthContext = {
   userId: string;
@@ -20,39 +21,23 @@ export class WorkHosterHandler {
     request: { identity?: interfaces.data.IIdentity; apiToken?: string },
     requiredScope?: interfaces.data.TApiTokenScope,
   ): Promise<TAuthContext> {
-    if (request.identity?.jwt) {
-      try {
-        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
-          identity: request.identity,
-        });
-        if (isAdmin) return { userId: request.identity.userId, isAdmin: true };
-      } catch { /* fall through */ }
-    }
-    if (request.apiToken) {
-      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
-      if (tokenManager) {
-        const token = await tokenManager.validateToken(request.apiToken);
-        if (token) {
-          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
-            return { userId: token.createdBy, isAdmin: token.policy?.role === 'admin', token };
-          }
-          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
-        }
-      }
-    }
-    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+    const auth = await requireOpsAuth(this.opsServerRef, request, {
+      scope: requiredScope,
+      requireAdminIdentity: requiredScope?.endsWith(':write'),
+    });
+    return { userId: auth.userId, isAdmin: auth.isAdmin, token: auth.token };
   }
-  private async requireAdmin(request: { identity?: interfaces.data.IIdentity }): Promise<string> {
-    if (request.identity?.jwt) {
-      const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
-        identity: request.identity,
-      });
-      if (isAdmin) return request.identity.userId;
-    }
-    throw new plugins.typedrequest.TypedResponseError('admin identity required');
+  private async requireAdmin(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    scope: interfaces.data.TApiTokenScope = 'gateway-clients:write',
+  ): Promise<string> {
+    const auth = await requireOpsAuth(this.opsServerRef, request, {
+      scope,
+      requireAdminIdentity: true,
+      requireAdminToken: true,
+    });
+    return auth.userId;
   }
   private registerHandlers(): void {
@@ -83,7 +68,7 @@ export class WorkHosterHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListGatewayClients>(
         'listGatewayClients',
         async (dataArg) => {
-          await this.requireAdmin(dataArg);
+          await this.requireAdmin(dataArg, 'gateway-clients:read');
           return { gatewayClients: await this.listManagedGatewayClients() };
         },
       ),
@@ -154,7 +139,7 @@ export class WorkHosterHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateGatewayClientToken>(
         'createGatewayClientToken',
         async (dataArg) => {
-          const userId = await this.requireAdmin(dataArg);
+          const userId = await this.requireAdmin(dataArg, 'tokens:manage');
           const gatewayClient = await this.opsServerRef.dcRouterRef.gatewayClientManager?.getClient(dataArg.gatewayClientId);
           const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
           if (!gatewayClient || !gatewayClient.enabled) {

package/ts/opsserver/helpers/auth.ts ADDED Viewed

@@ -0,0 +1,91 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+export interface IAuthRequest {
+  identity?: interfaces.data.IIdentity;
+  apiToken?: string;
+}
+export interface IAuthRequirement {
+  scope?: interfaces.data.TApiTokenScope;
+  requireAdminIdentity?: boolean;
+  requireAdminToken?: boolean;
+}
+export interface IAuthContext {
+  type: 'identity' | 'apiToken';
+  userId: string;
+  role?: string;
+  isAdmin: boolean;
+  scopes: interfaces.data.TApiTokenScope[];
+  identity?: interfaces.data.IIdentity;
+  token?: interfaces.data.IStoredApiToken;
+}
+const typedAuthError = (messageArg: string) => {
+  return new plugins.typedrequest.TypedResponseError(messageArg);
+};
+export async function requireOpsAuth(
+  opsServerRefArg: OpsServer,
+  requestArg: IAuthRequest,
+  requirementArg: IAuthRequirement = {},
+): Promise<IAuthContext> {
+  let identityNeedsAdmin = false;
+  let tokenNeedsAdmin = false;
+  let tokenNeedsScope = false;
+  if (requestArg.identity?.jwt) {
+    const identity = await opsServerRefArg.adminHandler.validateIdentity(requestArg.identity);
+    if (identity) {
+      const isAdmin = identity.role === 'admin';
+      if (!requirementArg.requireAdminIdentity || isAdmin) {
+        return {
+          type: 'identity',
+          userId: identity.userId,
+          role: identity.role,
+          isAdmin,
+          scopes: [],
+          identity,
+        };
+      }
+      identityNeedsAdmin = true;
+    }
+  }
+  if (requestArg.apiToken) {
+    const tokenManager = opsServerRefArg.dcRouterRef.apiTokenManager;
+    const token = tokenManager ? await tokenManager.validateToken(requestArg.apiToken) : null;
+    if (token) {
+      if (requirementArg.requireAdminToken && token.policy?.role !== 'admin') {
+        tokenNeedsAdmin = true;
+      } else if (requirementArg.scope && !tokenManager!.hasScope(token, requirementArg.scope)) {
+        tokenNeedsScope = true;
+      } else {
+        const scopes = token.policy?.role === 'admin'
+          ? ['*' as interfaces.data.TApiTokenScope]
+          : Array.from(new Set([...(token.scopes || []), ...(token.policy?.scopes || [])]));
+        return {
+          type: 'apiToken',
+          userId: token.createdBy,
+          role: token.policy?.role || 'operator',
+          isAdmin: token.policy?.role === 'admin',
+          scopes,
+          token,
+        };
+      }
+    }
+  }
+  if (tokenNeedsScope) {
+    throw typedAuthError('insufficient scope');
+  }
+  if (tokenNeedsAdmin) {
+    throw typedAuthError('admin API token required');
+  }
+  if (identityNeedsAdmin) {
+    throw typedAuthError('admin identity required');
+  }
+  throw typedAuthError('unauthorized');
+}

package/ts_web/00_commitinfo_data.ts CHANGED Viewed

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.31.0',
+  version: '13.32.1',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

package/ts_web/elements/access/ops-view-apitokens.ts CHANGED Viewed

@@ -200,26 +200,7 @@ export class OpsViewApiTokens extends DeesElement {
   private async showCreateTokenDialog() {
     const { DeesModal } = await import('@design.estate/dees-catalog');
-    const allScopes = [
-      '*',
-      'routes:read',
-      'routes:write',
-      'config:read',
-      'certificates:read',
-      'certificates:write',
-      'tokens:read',
-      'tokens:manage',
-      'domains:read',
-      'domains:write',
-      'dns-records:read',
-      'dns-records:write',
-      'email-domains:read',
-      'email-domains:write',
-      'gateway-clients:read',
-      'gateway-clients:write',
-      'workhosters:read',
-      'workhosters:write',
-    ];
+    const allScopes = [...interfaces.data.apiTokenScopes];
     await DeesModal.createAndShow({
       heading: 'Create API Token',