Added auth middleware. Added access control to apps

2021-11-11 16:01:56 +01:00 · 2021-11-11 16:01:56 +01:00 · e3f167921c
commit e3f167921c
parent d1c61bb393
16 changed files with 92 additions and 9 deletions
--- a/api.js
+++ b/api.js
@ -21,6 +21,7 @@ api.use('/api/weather', require('./routes/weather'));
 api.use('/api/categories', require('./routes/category'));
 api.use('/api/bookmarks', require('./routes/bookmark'));
 api.use('/api/queries', require('./routes/queries'));
+api.use('/api/auth', require('./routes/auth'));

 // Custom error handler
 api.use(errorHandler);
--- a/controllers/apps/createApp.js
+++ b/controllers/apps/createApp.js
@ -1,11 +1,16 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const App = require('../../models/App');
 const loadConfig = require('../../utils/loadConfig');
+const ErrorResponse = require('../../utils/ErrorResponse');

 // @desc      Create new app
 // @route     POST /api/apps
 // @access    Public
 const createApp = asyncWrapper(async (req, res, next) => {
+  if (!req.isAuthenticated) {
+    return next(new ErrorResponse('Unauthorized', 401));
+  }
+
  const { pinAppsByDefault } = await loadConfig();

  let app;
--- a/controllers/apps/deleteApp.js
+++ b/controllers/apps/deleteApp.js
@ -1,10 +1,15 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const App = require('../../models/App');
+const ErrorResponse = require('../../utils/ErrorResponse');

 // @desc      Delete app
 // @route     DELETE /api/apps/:id
 // @access    Public
 const deleteApp = asyncWrapper(async (req, res, next) => {
+  if (!req.isAuthenticated) {
+    return next(new ErrorResponse('Unauthorized', 401));
+  }
+
  await App.destroy({
    where: { id: req.params.id },
  });
--- a/controllers/apps/getAllApps.js
+++ b/controllers/apps/getAllApps.js
@ -25,13 +25,18 @@ const getAllApps = asyncWrapper(async (req, res, next) => {
    await useKubernetes(apps);
  }

+  // apps visibility
+  const where = req.isAuthenticated ? {} : { isPublic: true };
+
  if (orderType == 'name') {
    apps = await App.findAll({
      order: [[Sequelize.fn('lower', Sequelize.col('name')), 'ASC']],
+      where,
    });
  } else {
    apps = await App.findAll({
      order: [[orderType, 'ASC']],
+      where,
    });
  }

--- a/controllers/apps/getSingleApp.js
+++ b/controllers/apps/getSingleApp.js
@ -1,12 +1,15 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const App = require('../../models/App');
+const ErrorResponse = require('../../utils/ErrorResponse');

 // @desc      Get single app
 // @route     GET /api/apps/:id
 // @access    Public
 const getSingleApp = asyncWrapper(async (req, res, next) => {
+  const visibility = req.isAuthenticated ? {} : { isPublic: true };
+
  const app = await App.findOne({
-    where: { id: req.params.id },
+    where: { id: req.params.id, ...visibility },
  });

  if (!app) {
--- a/controllers/apps/reorderApps.js
+++ b/controllers/apps/reorderApps.js
@ -1,10 +1,15 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const App = require('../../models/App');
+const ErrorResponse = require('../../utils/ErrorResponse');

 // @desc      Reorder apps
 // @route     PUT /api/apps/0/reorder
 // @access    Public
 const reorderApps = asyncWrapper(async (req, res, next) => {
+  if (!req.isAuthenticated) {
+    return next(new ErrorResponse('Unauthorized', 401));
+  }
+
  req.body.apps.forEach(async ({ id, orderId }) => {
    await App.update(
      { orderId },
--- a/controllers/apps/updateApp.js
+++ b/controllers/apps/updateApp.js
@ -1,10 +1,15 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const App = require('../../models/App');
+const ErrorResponse = require('../../utils/ErrorResponse');

 // @desc      Update app
 // @route     PUT /api/apps/:id
 // @access    Public
 const updateApp = asyncWrapper(async (req, res, next) => {
+  if (!req.isAuthenticated) {
+    return next(new ErrorResponse('Unauthorized', 401));
+  }
+
  let app = await App.findOne({
    where: { id: req.params.id },
  });
--- a/controllers/auth/index.js
+++ b/controllers/auth/index.js
@ -1,3 +1,4 @@
 module.exports = {
  login: require('./login'),
+  validate: require('./validate'),
 };
--- a/controllers/auth/validate.js
+++ b/controllers/auth/validate.js
@ -0,0 +1,21 @@
+const asyncWrapper = require('../../middleware/asyncWrapper');
+const ErrorResponse = require('../../utils/ErrorResponse');
+const jwt = require('jsonwebtoken');
+
+// @desc      Verify token
+// @route     POST /api/auth/verify
+// @access    Public
+const validate = asyncWrapper(async (req, res, next) => {
+  try {
+    jwt.verify(req.body.token, process.env.SECRET);
+
+    res.status(200).json({
+      success: true,
+      data: { token: { isValid: true } },
+    });
+  } catch (err) {
+    return next(new ErrorResponse('Token expired', 401));
+  }
+});
+
+module.exports = validate;
--- a/db/migrations/02_resource-access.js
+++ b/db/migrations/02_resource-access.js
@ -7,7 +7,7 @@ const up = async (query) => {
  const template = {
    type: INTEGER,
    allowNull: true,
-    defaultValue: 0,
+    defaultValue: 1,
  };

  for await (let table of tables) {
--- a/middleware/auth.js
+++ b/middleware/auth.js
@ -0,0 +1,25 @@
+const jwt = require('jsonwebtoken');
+
+const auth = (req, res, next) => {
+  const authHeader = req.header('Authorization');
+  let token;
+  let tokenIsValid = false;
+
+  if (authHeader && authHeader.startsWith('Bearer ')) {
+    token = authHeader.split(' ')[1];
+  }
+
+  if (token) {
+    try {
+      jwt.verify(token, process.env.SECRET);
+    } finally {
+      tokenIsValid = true;
+    }
+  }
+
+  req.isAuthenticated = tokenIsValid;
+
+  next();
+};
+
+module.exports = auth;
--- a/models/App.js
+++ b/models/App.js
@ -29,7 +29,7 @@ const App = sequelize.define(
    isPublic: {
      type: DataTypes.INTEGER,
      allowNull: true,
-      defaultValue: 0,
+      defaultValue: 1,
    },
  },
  {
--- a/models/Bookmark.js
+++ b/models/Bookmark.js
@ -23,7 +23,7 @@ const Bookmark = sequelize.define(
    isPublic: {
      type: DataTypes.INTEGER,
      allowNull: true,
-      defaultValue: 0,
+      defaultValue: 1,
    },
  },
  {
--- a/models/Category.js
+++ b/models/Category.js
@ -20,7 +20,7 @@ const Category = sequelize.define(
    isPublic: {
      type: DataTypes.INTEGER,
      allowNull: true,
-      defaultValue: 0,
+      defaultValue: 1,
    },
  },
  {
--- a/routes/apps.js
+++ b/routes/apps.js
@ -1,6 +1,7 @@
 const express = require('express');
 const router = express.Router();
 const upload = require('../middleware/multer');
+const auth = require('../middleware/auth');

 const {
  createApp,
@ -11,10 +12,14 @@ const {
  reorderApps,
 } = require('../controllers/apps');

-router.route('/').post(upload, createApp).get(getAllApps);
+router.route('/').post(auth, upload, createApp).get(auth, getAllApps);

-router.route('/:id').get(getSingleApp).put(upload, updateApp).delete(deleteApp);
+router
+  .route('/:id')
+  .get(auth, getSingleApp)
+  .put(auth, upload, updateApp)
+  .delete(auth, deleteApp);

-router.route('/0/reorder').put(reorderApps);
+router.route('/0/reorder').put(auth, reorderApps);

 module.exports = router;
--- a/routes/auth.js
+++ b/routes/auth.js
@ -1,9 +1,11 @@
 const express = require('express');
 const router = express.Router();

-const { login } = require('../controllers/auth');
+const { login, validate } = require('../controllers/auth');
 const requireBody = require('../middleware/requireBody');

 router.route('/').post(requireBody(['password', 'duration']), login);

+router.route('/validate').post(requireBody(['token']), validate);
+
 module.exports = router;