Updating administration middleware so that internal requests allowed through automatically.

2024-07-03 05:20:32 +12:00 · 2021-05-21 16:43:01 +01:00 · 2021-05-21 16:43:01 +01:00 · c6a6d49cd7
parent 27fc3a3c5e
commit c6a6d49cd7
5 changed files with 16 additions and 10 deletions
--- a/packages/auth/src/middleware/authenticated.js
+++ b/packages/auth/src/middleware/authenticated.js
@ -43,6 +43,7 @@ module.exports = (noAuthPatterns = [], opts) => {
      // this is an internal request, no user made it
      if (apiKey && apiKey === env.INTERNAL_API_KEY) {
        ctx.isAuthenticated = true
+        ctx.internal = true
      } else if (authCookie) {
        try {
          const db = database.getDB(StaticDatabases.GLOBAL.name)
--- a/packages/builder/src/pages/builder/portal/manage/users/index.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/users/index.svelte
@ -22,6 +22,7 @@
  const schema = {
    email: {},
    developmentAccess: { displayName: "Development Access", type: "boolean" },
+    adminAccess: { displayName: "Admin Access", type: "boolean" },
    // role: { type: "options" },
    group: {},
    // access: {},
@ -36,6 +37,7 @@
      ...user,
      group: ["All users"],
      developmentAccess: user.builder.global,
+      adminAccess: user.admin.global,
    }))

  let createUserModal
--- a/packages/worker/src/api/routes/admin/email.js
+++ b/packages/worker/src/api/routes/admin/email.js
@ -2,6 +2,7 @@ const Router = require("@koa/router")
 const controller = require("../../controllers/admin/email")
 const { EmailTemplatePurpose } = require("../../../constants")
 const joiValidator = require("../../../middleware/joi-validator")
+const adminOnly = require("../../../middleware/adminOnly")
 const Joi = require("joi")

 const router = Router()
@ -21,6 +22,7 @@ function buildEmailSendValidation() {
 router.post(
  "/api/admin/email/send",
  buildEmailSendValidation(),
+  adminOnly,
  controller.sendEmail
 )

--- a/packages/worker/src/api/routes/admin/users.js
+++ b/packages/worker/src/api/routes/admin/users.js
@ -54,16 +54,9 @@ router
    buildUserSaveValidation(),
    controller.save
  )
-  .get("/api/admin/users", controller.fetch)
-  .post("/api/admin/users/init", controller.adminUser)
-  .get("/api/admin/users/self", controller.getSelf)
-  .post(
-    "/api/admin/users/self",
-    buildUserSaveValidation(true),
-    controller.updateSelf
-  )
+  .get("/api/admin/users", adminOnly, controller.fetch)
  .delete("/api/admin/users/:id", adminOnly, controller.destroy)
-  .get("/api/admin/users/:id", controller.find)
+  .get("/api/admin/users/:id", adminOnly, controller.find)
  .get("/api/admin/roles/:appId")
  .post(
    "/api/admin/users/invite",
@ -71,10 +64,18 @@ router
    buildInviteValidation(),
    controller.invite
  )
+  // non-admin endpoints
+  .post(
+    "/api/admin/users/self",
+    buildUserSaveValidation(true),
+    controller.updateSelf
+  )
  .post(
    "/api/admin/users/invite/accept",
    buildInviteAcceptValidation(),
    controller.inviteAccept
  )
+  .post("/api/admin/users/init", controller.adminUser)
+  .get("/api/admin/users/self", controller.getSelf)

 module.exports = router
--- a/packages/worker/src/middleware/adminOnly.js
+++ b/packages/worker/src/middleware/adminOnly.js
@ -1,5 +1,5 @@
 module.exports = async (ctx, next) => {
-  if (!ctx.user || !ctx.user.admin || !ctx.user.admin.global) {
+  if (!ctx.internal && (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)) {
    ctx.throw(403, "Admin user only endpoint.")
  }
  return next()