Added auth middleware. Added access control to apps

2021-11-11 16:01:56 +01:00 · 2021-11-11 16:01:56 +01:00 · e3f167921c
commit e3f167921c
parent d1c61bb393
16 changed files with 92 additions and 9 deletions
--- a/api.js
+++ b/api.js
@ -21,6 +21,7 @@ api.use('/api/weather', require('./routes/weather'));
 api.use('/api/categories', require('./routes/category'));
 api.use('/api/bookmarks', require('./routes/bookmark'));
 api.use('/api/queries', require('./routes/queries'));
 api.use('/api/auth', require('./routes/auth'));
 // Custom error handler
 api.use(errorHandler);
--- a/controllers/apps/createApp.js
+++ b/controllers/apps/createApp.js
@ -1,11 +1,16 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const App = require('../../models/App');
 const loadConfig = require('../../utils/loadConfig');
 const ErrorResponse = require('../../utils/ErrorResponse');
 // @desc      Create new app
 // @route     POST /api/apps
 // @access    Public
 const createApp = asyncWrapper(async (req, res, next) => {
  if (!req.isAuthenticated) {
    return next(new ErrorResponse('Unauthorized', 401));
  }
  const { pinAppsByDefault } = await loadConfig();
  let app;
--- a/controllers/apps/deleteApp.js
+++ b/controllers/apps/deleteApp.js
@ -1,10 +1,15 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const App = require('../../models/App');
 const ErrorResponse = require('../../utils/ErrorResponse');
 // @desc      Delete app
 // @route     DELETE /api/apps/:id
 // @access    Public
 const deleteApp = asyncWrapper(async (req, res, next) => {
  if (!req.isAuthenticated) {
    return next(new ErrorResponse('Unauthorized', 401));
  }
  await App.destroy({
    where: { id: req.params.id },
  });
--- a/controllers/apps/getAllApps.js
+++ b/controllers/apps/getAllApps.js
@ -25,13 +25,18 @@ const getAllApps = asyncWrapper(async (req, res, next) => {
    await useKubernetes(apps);
  }
  // apps visibility
  const where = req.isAuthenticated ? {} : { isPublic: true };
  if (orderType == 'name') {
    apps = await App.findAll({
      order: [[Sequelize.fn('lower', Sequelize.col('name')), 'ASC']],
      where,
    });
  } else {
    apps = await App.findAll({
      order: [[orderType, 'ASC']],
      where,
    });
  }
--- a/controllers/apps/getSingleApp.js
+++ b/controllers/apps/getSingleApp.js
@ -1,12 +1,15 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const App = require('../../models/App');
 const ErrorResponse = require('../../utils/ErrorResponse');
 // @desc      Get single app
 // @route     GET /api/apps/:id
 // @access    Public
 const getSingleApp = asyncWrapper(async (req, res, next) => {
  const visibility = req.isAuthenticated ? {} : { isPublic: true };
  const app = await App.findOne({
-    where: { id: req.params.id },
+    where: { id: req.params.id, ...visibility },
  });
  if (!app) {
--- a/controllers/apps/reorderApps.js
+++ b/controllers/apps/reorderApps.js
@ -1,10 +1,15 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const App = require('../../models/App');
 const ErrorResponse = require('../../utils/ErrorResponse');
 // @desc      Reorder apps
 // @route     PUT /api/apps/0/reorder
 // @access    Public
 const reorderApps = asyncWrapper(async (req, res, next) => {
  if (!req.isAuthenticated) {
    return next(new ErrorResponse('Unauthorized', 401));
  }
  req.body.apps.forEach(async ({ id, orderId }) => {
    await App.update(
      { orderId },
--- a/controllers/apps/updateApp.js
+++ b/controllers/apps/updateApp.js
@ -1,10 +1,15 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const App = require('../../models/App');
 const ErrorResponse = require('../../utils/ErrorResponse');
 // @desc      Update app
 // @route     PUT /api/apps/:id
 // @access    Public
 const updateApp = asyncWrapper(async (req, res, next) => {
  if (!req.isAuthenticated) {
    return next(new ErrorResponse('Unauthorized', 401));
  }
  let app = await App.findOne({
    where: { id: req.params.id },
  });
--- a/controllers/auth/index.js
+++ b/controllers/auth/index.js
@ -1,3 +1,4 @@
 module.exports = {
  login: require('./login'),
  validate: require('./validate'),
 };
--- a/controllers/auth/validate.js
+++ b/controllers/auth/validate.js
@ -0,0 +1,21 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const ErrorResponse = require('../../utils/ErrorResponse');
 const jwt = require('jsonwebtoken');
 // @desc      Verify token
 // @route     POST /api/auth/verify
 // @access    Public
 const validate = asyncWrapper(async (req, res, next) => {
  try {
    jwt.verify(req.body.token, process.env.SECRET);
    res.status(200).json({
      success: true,
      data: { token: { isValid: true } },
    });
  } catch (err) {
    return next(new ErrorResponse('Token expired', 401));
  }
 });
 module.exports = validate;
--- a/db/migrations/02_resource-access.js
+++ b/db/migrations/02_resource-access.js
@ -7,7 +7,7 @@ const up = async (query) => {
  const template = {
    type: INTEGER,
    allowNull: true,
-    defaultValue: 0,
+    defaultValue: 1,
  };
  for await (let table of tables) {
--- a/middleware/auth.js
+++ b/middleware/auth.js
@ -0,0 +1,25 @@
 const jwt = require('jsonwebtoken');
 const auth = (req, res, next) => {
  const authHeader = req.header('Authorization');
  let token;
  let tokenIsValid = false;
  if (authHeader && authHeader.startsWith('Bearer ')) {
    token = authHeader.split(' ')[1];
  }
  if (token) {
    try {
      jwt.verify(token, process.env.SECRET);
    } finally {
      tokenIsValid = true;
    }
  }
  req.isAuthenticated = tokenIsValid;
  next();
 };
 module.exports = auth;
--- a/models/App.js
+++ b/models/App.js
@ -29,7 +29,7 @@ const App = sequelize.define(
    isPublic: {
      type: DataTypes.INTEGER,
      allowNull: true,
-      defaultValue: 0,
+      defaultValue: 1,
    },
  },
  {
--- a/models/Bookmark.js
+++ b/models/Bookmark.js
@ -23,7 +23,7 @@ const Bookmark = sequelize.define(
    isPublic: {
      type: DataTypes.INTEGER,
      allowNull: true,
-      defaultValue: 0,
+      defaultValue: 1,
    },
  },
  {
--- a/models/Category.js
+++ b/models/Category.js
@ -20,7 +20,7 @@ const Category = sequelize.define(
    isPublic: {
      type: DataTypes.INTEGER,
      allowNull: true,
-      defaultValue: 0,
+      defaultValue: 1,
    },
  },
  {
--- a/routes/apps.js
+++ b/routes/apps.js
@ -1,6 +1,7 @@
 const express = require('express');
 const router = express.Router();
 const upload = require('../middleware/multer');
 const auth = require('../middleware/auth');
 const {
  createApp,
@ -11,10 +12,14 @@ const {
  reorderApps,
 } = require('../controllers/apps');
-router.route('/').post(upload, createApp).get(getAllApps);
+router.route('/').post(auth, upload, createApp).get(auth, getAllApps);
-router.route('/:id').get(getSingleApp).put(upload, updateApp).delete(deleteApp);
+router
  .route('/:id')
  .get(auth, getSingleApp)
  .put(auth, upload, updateApp)
  .delete(auth, deleteApp);
-router.route('/0/reorder').put(reorderApps);
+router.route('/0/reorder').put(auth, reorderApps);
 module.exports = router;
--- a/routes/auth.js
+++ b/routes/auth.js
@ -1,9 +1,11 @@
 const express = require('express');
 const router = express.Router();
-const { login } = require('../controllers/auth');
+const { login, validate } = require('../controllers/auth');
 const requireBody = require('../middleware/requireBody');
 router.route('/').post(requireBody(['password', 'duration']), login);
 router.route('/validate').post(requireBody(['token']), validate);
 module.exports = router;