const jwt = require("jsonwebtoken")
const STATUS_CODES = require("../utilities/statusCodes")
const accessLevelController = require("../api/controllers/accesslevel")
const { BUILTIN_LEVEL_ID_ARRAY } = require("../utilities/security/accessLevels")
const env = require("../environment")
const { AuthTypes } = require("../constants")
const { getAppId, getCookieName, setCookie } = require("../utilities")
/**
 * Authentication middleware (ctx/next style).
 *
 * Resolves the current app ID (request first, then the "currentapp" cookie),
 * selects the app or builder JWT cookie, verifies it and populates ctx.appId,
 * ctx.auth and ctx.user before handing off to next(). Requests that carry no
 * token are NOT rejected here: they continue with ctx.auth.authenticated set
 * to false, so handlers further down the chain must enforce authorisation
 * themselves.
 *
 * @param {*} ctx - request context; reads ctx.path, ctx.cookies, ctx.config.jwtSecret
 *   and writes ctx.appId, ctx.auth.*, ctx.user. Presumably ctx.auth and
 *   ctx.config are populated by earlier middleware — TODO confirm.
 * @param {*} next - the next middleware in the chain
 * @throws 403 (or the error's own `status`, when set) if the token fails
 *   verification or the access level lookup fails
 */
module.exports = async (ctx, next) => {
  // The builder entry point is served without any authentication.
  if (ctx.path === "/_builder") {
    await next()
    return
  }

  // Do everything we can to make sure the appId is held correctly: prefer the
  // appId carried by the request and keep the "currentapp" cookie in sync with
  // it, so that later requests which carry no appId can fall back on the cookie.
  let appId = getAppId(ctx)
  const cookieAppId = ctx.cookies.get(getCookieName("currentapp"))
  if (appId && cookieAppId !== appId) {
    setCookie(ctx, "currentapp", appId)
  } else if (cookieAppId) {
    // No appId on the request (or it already matches the cookie): use the cookie.
    appId = cookieAppId
  }

  // The app token lives in a cookie whose name is derived from the appId; the
  // builder token is the cookie getCookieName() yields with no argument.
  // NOTE(review): if appId is still undefined here, getCookieName(undefined)
  // may resolve to the same name as the builder cookie — confirm against
  // getCookieName in ../utilities.
  const appToken = ctx.cookies.get(getCookieName(appId))
  const builderToken = ctx.cookies.get(getCookieName())

  let token
  // If running locally (non-cloud) in the builder itself and no app token is
  // present, accept the builder token and flag the request as BUILDER auth.
  // In cloud mode the builder cookie is never used on this path.
  if (!env.CLOUD && !appToken) {
    token = builderToken
    ctx.auth.authenticated = AuthTypes.BUILDER
  } else {
    token = appToken
    ctx.auth.authenticated = AuthTypes.APP
  }

  // No token at all: continue as an unauthenticated request. ctx.user still
  // carries the appId so downstream code can scope by app; it is up to that
  // code to reject the request where authentication is required.
  if (!token) {
    ctx.auth.authenticated = false
    ctx.appId = appId
    ctx.user = {
      appId,
    }
    await next()
    return
  }

  try {
    // NOTE(review): no `algorithms` option is passed, so the accepted signing
    // algorithms are whatever jsonwebtoken infers from the secret's type.
    // Pinning the expected algorithm explicitly is the usual hardening —
    // confirm which algorithm issues these tokens before adding it.
    const jwtPayload = jwt.verify(token, ctx.config.jwtSecret)
    ctx.appId = appId
    ctx.auth.apiKey = jwtPayload.apiKey
    // The whole verified payload is exposed on ctx.user; appId is taken from
    // the request/cookie resolution above rather than from the token.
    // getAccessLevel is awaited inside this try, so a failed level lookup is
    // also reported through the catch below.
    ctx.user = {
      ...jwtPayload,
      appId: appId,
      accessLevel: await getAccessLevel(appId, jwtPayload.accessLevelId),
    }
  } catch (err) {
    // Verification failures surface as 403 unless the error carries its own status.
    // NOTE(review): jsonwebtoken errors expose `message`, not `text`, so the
    // second argument is most likely undefined and the client receives the
    // default status text — verify this is the intended (non-revealing) response.
    ctx.throw(err.status || STATUS_CODES.FORBIDDEN, err.text)
  }

  await next()
}
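/**
 * Return the full access level object either from constants
 * or the database based on the access level ID passed.
 *
 * Built-in levels (those listed in BUILTIN_LEVEL_ID_ARRAY) are synthesised in
 * memory with an empty permissions list; any other ID is fetched through the
 * access level controller, scoped to the given app.
 *
 * @param {*} appId - appId of the user; used to scope the controller lookup
 * @param {*} accessLevelId - the id of the users access level
 * @returns {Promise<*>} `{ _id, name, permissions: [] }` for a built-in level,
 *   otherwise whatever accessLevelController.find placed on its context `body`
 * @throws whatever accessLevelController.find throws; nothing is caught here
 */
const getAccessLevel = async (appId, accessLevelId) => {
  if (BUILTIN_LEVEL_ID_ARRAY.includes(accessLevelId)) {
    return {
      _id: accessLevelId,
      name: accessLevelId,
      permissions: [],
    }
  }

  // The controller is written as a request handler, so hand it a minimal
  // context-shaped object and read the result back from the `body` it sets.
  const findAccessContext = {
    params: {
      levelId: accessLevelId,
    },
    user: {
      appId,
    },
  }
  await accessLevelController.find(findAccessContext)
  return findAccessContext.body
}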