Added auth middleware. Added access control to apps

This commit is contained in:
Paweł Malak 2021-11-11 16:01:56 +01:00
parent d1c61bb393
commit e3f167921c
16 changed files with 92 additions and 9 deletions

1
api.js
View File

@ -21,6 +21,7 @@ api.use('/api/weather', require('./routes/weather'));
api.use('/api/categories', require('./routes/category'));
api.use('/api/bookmarks', require('./routes/bookmark'));
api.use('/api/queries', require('./routes/queries'));
api.use('/api/auth', require('./routes/auth'));
// Custom error handler
api.use(errorHandler);

View File

@ -1,11 +1,16 @@
const asyncWrapper = require('../../middleware/asyncWrapper');
const App = require('../../models/App');
const loadConfig = require('../../utils/loadConfig');
const ErrorResponse = require('../../utils/ErrorResponse');
// @desc Create new app
// @route POST /api/apps
// @access Public
const createApp = asyncWrapper(async (req, res, next) => {
if (!req.isAuthenticated) {
return next(new ErrorResponse('Unauthorized', 401));
}
const { pinAppsByDefault } = await loadConfig();
let app;

View File

@ -1,10 +1,15 @@
const asyncWrapper = require('../../middleware/asyncWrapper');
const App = require('../../models/App');
const ErrorResponse = require('../../utils/ErrorResponse');
// @desc Delete app
// @route DELETE /api/apps/:id
// @access Public
const deleteApp = asyncWrapper(async (req, res, next) => {
if (!req.isAuthenticated) {
return next(new ErrorResponse('Unauthorized', 401));
}
await App.destroy({
where: { id: req.params.id },
});

View File

@ -25,13 +25,18 @@ const getAllApps = asyncWrapper(async (req, res, next) => {
await useKubernetes(apps);
}
// apps visibility
const where = req.isAuthenticated ? {} : { isPublic: true };
if (orderType == 'name') {
apps = await App.findAll({
order: [[Sequelize.fn('lower', Sequelize.col('name')), 'ASC']],
where,
});
} else {
apps = await App.findAll({
order: [[orderType, 'ASC']],
where,
});
}

View File

@ -1,12 +1,15 @@
const asyncWrapper = require('../../middleware/asyncWrapper');
const App = require('../../models/App');
const ErrorResponse = require('../../utils/ErrorResponse');
// @desc Get single app
// @route GET /api/apps/:id
// @access Public
const getSingleApp = asyncWrapper(async (req, res, next) => {
const visibility = req.isAuthenticated ? {} : { isPublic: true };
const app = await App.findOne({
where: { id: req.params.id },
where: { id: req.params.id, ...visibility },
});
if (!app) {

View File

@ -1,10 +1,15 @@
const asyncWrapper = require('../../middleware/asyncWrapper');
const App = require('../../models/App');
const ErrorResponse = require('../../utils/ErrorResponse');
// @desc Reorder apps
// @route PUT /api/apps/0/reorder
// @access Public
const reorderApps = asyncWrapper(async (req, res, next) => {
if (!req.isAuthenticated) {
return next(new ErrorResponse('Unauthorized', 401));
}
req.body.apps.forEach(async ({ id, orderId }) => {
await App.update(
{ orderId },

View File

@ -1,10 +1,15 @@
const asyncWrapper = require('../../middleware/asyncWrapper');
const App = require('../../models/App');
const ErrorResponse = require('../../utils/ErrorResponse');
// @desc Update app
// @route PUT /api/apps/:id
// @access Public
const updateApp = asyncWrapper(async (req, res, next) => {
if (!req.isAuthenticated) {
return next(new ErrorResponse('Unauthorized', 401));
}
let app = await App.findOne({
where: { id: req.params.id },
});

View File

@ -1,3 +1,4 @@
module.exports = {
login: require('./login'),
validate: require('./validate'),
};

View File

@ -0,0 +1,21 @@
const asyncWrapper = require('../../middleware/asyncWrapper');
const ErrorResponse = require('../../utils/ErrorResponse');
const jwt = require('jsonwebtoken');
// @desc Verify token
// @route POST /api/auth/verify
// @access Public
const validate = asyncWrapper(async (req, res, next) => {
try {
jwt.verify(req.body.token, process.env.SECRET);
res.status(200).json({
success: true,
data: { token: { isValid: true } },
});
} catch (err) {
return next(new ErrorResponse('Token expired', 401));
}
});
module.exports = validate;

View File

@ -7,7 +7,7 @@ const up = async (query) => {
const template = {
type: INTEGER,
allowNull: true,
defaultValue: 0,
defaultValue: 1,
};
for await (let table of tables) {

25
middleware/auth.js Normal file
View File

@ -0,0 +1,25 @@
const jwt = require('jsonwebtoken');
const auth = (req, res, next) => {
const authHeader = req.header('Authorization');
let token;
let tokenIsValid = false;
if (authHeader && authHeader.startsWith('Bearer ')) {
token = authHeader.split(' ')[1];
}
if (token) {
try {
jwt.verify(token, process.env.SECRET);
} finally {
tokenIsValid = true;
}
}
req.isAuthenticated = tokenIsValid;
next();
};
module.exports = auth;

View File

@ -29,7 +29,7 @@ const App = sequelize.define(
isPublic: {
type: DataTypes.INTEGER,
allowNull: true,
defaultValue: 0,
defaultValue: 1,
},
},
{

View File

@ -23,7 +23,7 @@ const Bookmark = sequelize.define(
isPublic: {
type: DataTypes.INTEGER,
allowNull: true,
defaultValue: 0,
defaultValue: 1,
},
},
{

View File

@ -20,7 +20,7 @@ const Category = sequelize.define(
isPublic: {
type: DataTypes.INTEGER,
allowNull: true,
defaultValue: 0,
defaultValue: 1,
},
},
{

View File

@ -1,6 +1,7 @@
const express = require('express');
const router = express.Router();
const upload = require('../middleware/multer');
const auth = require('../middleware/auth');
const {
createApp,
@ -11,10 +12,14 @@ const {
reorderApps,
} = require('../controllers/apps');
router.route('/').post(upload, createApp).get(getAllApps);
router.route('/').post(auth, upload, createApp).get(auth, getAllApps);
router.route('/:id').get(getSingleApp).put(upload, updateApp).delete(deleteApp);
router
.route('/:id')
.get(auth, getSingleApp)
.put(auth, upload, updateApp)
.delete(auth, deleteApp);
router.route('/0/reorder').put(reorderApps);
router.route('/0/reorder').put(auth, reorderApps);
module.exports = router;

View File

@ -1,9 +1,11 @@
const express = require('express');
const router = express.Router();
const { login } = require('../controllers/auth');
const { login, validate } = require('../controllers/auth');
const requireBody = require('../middleware/requireBody');
router.route('/').post(requireBody(['password', 'duration']), login);
router.route('/validate').post(requireBody(['token']), validate);
module.exports = router;