@terreno/api 0.0.1

package/src/permissions.test.ts

@@ -0,0 +1,219 @@
+import {beforeEach, describe, expect, it} from "bun:test";
+import type express from "express";
+import supertest from "supertest";
+import type TestAgent from "supertest/lib/agent";
+
+import {modelRouter} from "./api";
+import {addAuthRoutes, setupAuth} from "./auth";
+import {Permissions} from "./permissions";
+import {
+  authAsUser,
+  type Food,
+  FoodModel,
+  getBaseServer,
+  RequiredModel,
+  setupDb,
+  UserModel,
+} from "./tests";
+
+describe("permissions", () => {
+  let server: TestAgent;
+  let app: express.Application;
+
+  beforeEach(async () => {
+    process.env.REFRESH_TOKEN_SECRET = "testsecret1234";
+
+    const [admin, notAdmin] = await setupDb();
+
+    await Promise.all([
+      FoodModel.create({
+        calories: 1,
+        created: new Date(),
+        name: "Spinach",
+        ownerId: notAdmin._id,
+      }),
+      FoodModel.create({
+        calories: 100,
+        created: Date.now() - 10,
+        name: "Apple",
+        ownerId: admin._id,
+      }),
+    ]);
+    app = getBaseServer();
+    setupAuth(app, UserModel as any);
+    addAuthRoutes(app, UserModel as any);
+    app.use(
+      "/food",
+      modelRouter(FoodModel, {
+        allowAnonymous: true,
+        permissions: {
+          create: [Permissions.IsAuthenticated],
+          delete: [Permissions.IsAdmin],
+          list: [Permissions.IsAny],
+          read: [Permissions.IsAny],
+          update: [Permissions.IsOwner],
+        },
+      })
+    );
+    app.use(
+      "/required",
+      modelRouter(RequiredModel, {
+        permissions: {
+          create: [Permissions.IsAuthenticated],
+          delete: [Permissions.IsAdmin],
+          list: [Permissions.IsAny],
+          read: [Permissions.IsAny],
+          update: [Permissions.IsOwner],
+        },
+      })
+    );
+    server = supertest(app);
+  });
+
+  describe("anonymous food", () => {
+    it("list", async () => {
+      const res = await server.get("/food").expect(200);
+      expect(res.body.data).toHaveLength(2);
+    });
+
+    it("get", async () => {
+      const res = await server.get("/food").expect(200);
+      expect(res.body.data).toHaveLength(2);
+      const res2 = await server.get(`/food/${res.body.data[0]._id}`).expect(200);
+      expect(res.body.data[0]._id).toBe(res2.body.data._id);
+    });
+
+    it("post", async () => {
+      const res = await server.post("/food").send({
+        calories: 15,
+        name: "Broccoli",
+      });
+      expect(res.status).toBe(405);
+    });
+
+    it("patch", async () => {
+      const res = await server.get("/food");
+      const res2 = await server.patch(`/food/${res.body.data[0]._id}`).send({
+        name: "Broccoli",
+      });
+      expect(res2.status).toBe(403);
+    });
+
+    it("delete", async () => {
+      const res = await server.get("/food");
+      const res2 = await server.delete(`/food/${res.body.data[0]._id}`);
+      expect(res2.status).toBe(405);
+    });
+  });
+
+  describe("non admin food", () => {
+    let agent: TestAgent;
+
+    beforeEach(async () => {
+      agent = await authAsUser(app, "notAdmin");
+    });
+
+    it("list", async () => {
+      const res = await agent.get("/food").expect(200);
+      expect(res.body.data).toHaveLength(2);
+    });
+
+    it("get", async () => {
+      const res = await agent.get("/food").expect(200);
+      expect(res.body.data).toHaveLength(2);
+      const res2 = await server.get(`/food/${res.body.data[0]._id}`).expect(200);
+      expect(res.body.data[0]._id).toBe(res2.body.data._id);
+    });
+
+    it("post", async () => {
+      await agent
+        .post("/food")
+        .send({
+          calories: 15,
+          name: "Broccoli",
+        })
+        .expect(201);
+    });
+
+    it("patch own item", async () => {
+      const res = await agent.get("/food");
+      const spinach = res.body.data.find((food: Food) => food.name === "Spinach");
+      const res2 = await agent
+        .patch(`/food/${spinach._id}`)
+        .send({
+          name: "Broccoli",
+        })
+        .expect(200);
+      expect(res2.body.data.name).toBe("Broccoli");
+    });
+
+    it("patch other item", async () => {
+      const res = await agent.get("/food");
+      const spinach = res.body.data.find((food: Food) => food.name === "Apple");
+      await agent
+        .patch(`/food/${spinach._id}`)
+        .send({
+          name: "Broccoli",
+        })
+        .expect(403);
+    });
+
+    it("delete", async () => {
+      const res = await agent.get("/food");
+      const res2 = await agent.delete(`/food/${res.body.data[0]._id}`);
+      expect(res2.status).toBe(405);
+    });
+  });
+
+  describe("admin food", () => {
+    let agent: TestAgent;
+
+    beforeEach(async () => {
+      agent = await authAsUser(app, "admin");
+    });
+
+    it("list", async () => {
+      const res = await agent.get("/food");
+      expect(res.body.data).toHaveLength(2);
+    });
+
+    it("get", async () => {
+      const res = await agent.get("/food");
+      expect(res.body.data).toHaveLength(2);
+      const res2 = await agent.get(`/food/${res.body.data[0]._id}`);
+      expect(res.body.data[0]._id).toBe(res2.body.data._id);
+    });
+
+    it("post", async () => {
+      const res = await agent.post("/food").send({
+        calories: 15,
+        name: "Broccoli",
+      });
+      expect(res.status).toBe(201);
+    });
+
+    it("patch", async () => {
+      const res = await agent.get("/food");
+      await agent
+        .patch(`/food/${res.body.data[0]._id}`)
+        .send({
+          name: "Broccoli",
+        })
+        .expect(200);
+    });
+
+    it("delete", async () => {
+      const res = await agent.get("/food");
+      await agent.delete(`/food/${res.body.data[0]._id}`).expect(204);
+    });
+
+    it("handles validation errors", async () => {
+      await agent
+        .post("/required")
+        .send({
+          about: "Whoops forgot required",
+        })
+        .expect(400);
+    });
+  });
+});

package/src/permissions.ts

@@ -0,0 +1,228 @@
+// Defaults closed
+import * as Sentry from "@sentry/node";
+import type express from "express";
+import type {NextFunction} from "express";
+import mongoose, {type Model} from "mongoose";
+
+import {addPopulateToQuery, getModel, type modelRouterOptions, type RESTMethod} from "./api";
+import type {User} from "./auth";
+import {APIError} from "./errors";
+import {logger} from "./logger";
+
+export type PermissionMethod<T> = (
+  method: RESTMethod,
+  user?: User,
+  obj?: T
+) => boolean | Promise<boolean>;
+
+export interface RESTPermissions<T> {
+  create: PermissionMethod<T>[];
+  list: PermissionMethod<T>[];
+  read: PermissionMethod<T>[];
+  update: PermissionMethod<T>[];
+  delete: PermissionMethod<T>[];
+}
+
+export const OwnerQueryFilter = (user?: User) => {
+  if (user) {
+    return {ownerId: user?.id};
+  }
+  // Return a null, so we know to return no results.
+  return null;
+};
+
+export const Permissions = {
+  IsAdmin: (_method: RESTMethod, user?: User) => {
+    return Boolean(user?.admin);
+  },
+  IsAny: () => {
+    return true;
+  },
+  IsAuthenticated: (_method: RESTMethod, user?: User) => {
+    if (!user) {
+      return false;
+    }
+    return Boolean(user.id);
+  },
+  IsAuthenticatedOrReadOnly: (method: RESTMethod, user?: User) => {
+    if (user?.id && !user?.isAnonymous) {
+      return true;
+    }
+    return method === "list" || method === "read";
+  },
+  IsOwner: (_method: RESTMethod, user?: User, obj?: any) => {
+    // When checking if we can possibly perform the action, return true.
+    if (!obj) {
+      return true;
+    }
+    if (!user) {
+      return false;
+    }
+    if (user?.admin) {
+      return true;
+    }
+    const ownerId = obj?.ownerId?._id || obj?.ownerId;
+    return user?.id && ownerId && String(ownerId) === String(user?.id);
+  },
+  IsOwnerOrReadOnly: (method: RESTMethod, user?: User, obj?: any) => {
+    // When checking if we can possibly perform the action, return true.
+    if (!obj) {
+      return true;
+    }
+    if (user?.admin) {
+      return true;
+    }
+
+    if (user?.id && obj?.ownerId && String(obj?.ownerId) === String(user?.id)) {
+      return true;
+    }
+    return method === "list" || method === "read";
+  },
+};
+
+export async function checkPermissions<T>(
+  method: RESTMethod,
+  permissions: PermissionMethod<T>[],
+  user?: User,
+  obj?: T
+): Promise<boolean> {
+  let anyTrue = false;
+  for (const perm of permissions) {
+    // May or may not be a promise.
+    if (!(await perm(method, user, obj))) {
+      return false;
+    }
+    anyTrue = true;
+  }
+  return anyTrue;
+}
+
+// Check the permissions for a given model and method. If the method is a read, update, or delete,
+// finds the relevant object, checks the permissions, and attaches the object to the request as
+// req.obj.
+export function permissionMiddleware<T>(
+  baseModel: Model<T>,
+  options: Pick<modelRouterOptions<T>, "permissions" | "populatePaths" | "discriminatorKey">
+) {
+  return async (req: express.Request, _res: express.Response, next: NextFunction) => {
+    if (req.method === "OPTIONS") {
+      return next();
+    }
+    try {
+      let method: "list" | "create" | "read" | "update" | "delete";
+
+      const reqMethod = req.method.toLowerCase();
+      if (reqMethod === "post") {
+        method = "create";
+      } else if (reqMethod === "get") {
+        if (req.params.id) {
+          method = "read";
+        } else {
+          method = "list";
+        }
+      } else if (reqMethod === "patch") {
+        method = "update";
+      } else if (reqMethod === "delete") {
+        method = "delete";
+      } else {
+        throw new APIError({
+          status: 405,
+          title: `Method ${req.method} not allowed`,
+        });
+      }
+
+      const model = getModel(baseModel, req.body, options);
+
+      // All methods check for permissions.
+      if (!(await checkPermissions(method, options.permissions[method], req.user))) {
+        throw new APIError({
+          status: 405,
+          title:
+            `Access to ${method.toUpperCase()} on ${model.modelName} ` +
+            `denied for ${req.user?.id}`,
+        });
+      }
+
+      if (method === "create" || method === "list") {
+        return next();
+      }
+
+      const builtQuery = model.findById(req.params.id);
+      const populatedQuery = addPopulateToQuery(builtQuery as any, options.populatePaths);
+      let data;
+      try {
+        data = await populatedQuery.exec();
+      } catch (error: any) {
+        throw new APIError({
+          error,
+          status: 500,
+          title: `GET failed on ${req.params.id}`,
+        });
+      }
+      if (!data || (["update", "delete"].includes(method) && data?.__t && !req.body?.__t)) {
+        // For discriminated models, return 404 without checking hidden state
+        if (["update", "delete"].includes(method) && data?.__t && !req.body?.__t) {
+          throw new APIError({
+            status: 404,
+            title: `Document ${req.params.id} not found for model ${model.modelName}`,
+          });
+        }
+
+        // Check if document exists but is hidden. Completely skip plugins.
+        const hiddenDoc = await model.collection.findOne({
+          _id: new mongoose.Types.ObjectId(req.params.id),
+        });
+
+        if (!hiddenDoc) {
+          Sentry.captureMessage(`Document ${req.params.id} not found for model ${model.modelName}`);
+          const error = new APIError({
+            status: 404,
+            title: `Document ${req.params.id} not found for model ${model.modelName}`,
+          });
+          error.meta = undefined;
+          throw error;
+        }
+
+        // Document exists but is hidden
+        const reason: {[key: string]: string} | null = hiddenDoc.deleted
+          ? {deleted: "true"}
+          : hiddenDoc.disabled
+            ? {disabled: "true"}
+            : hiddenDoc.archived
+              ? {archived: "true"}
+              : null;
+
+        // If no reason found, treat as not found
+        if (!reason) {
+          const error = new APIError({
+            status: 404,
+            title: `Document ${req.params.id} not found for model ${model.modelName}`,
+          });
+          error.meta = undefined;
+          throw error;
+        }
+        throw new APIError({
+          // We don't want to send this to Sentry because it's expected behavior.
+          disableExternalErrorTracking: true,
+          meta: reason,
+          status: 404,
+          title: `Document ${req.params.id} not found for model ${model.modelName}`,
+        });
+      }
+
+      if (!(await checkPermissions(method, options.permissions[method], req.user, data))) {
+        throw new APIError({
+          status: 403,
+          title: `Access to GET on ${model.modelName}:${req.params.id} denied for ${req.user?.id}`,
+        });
+      }
+
+      (req as any).obj = data;
+
+      return next();
+    } catch (error) {
+      logger.error(`Permissions error: ${error instanceof Error ? error.message : error}`);
+      return next(error);
+    }
+  };
+}