2020-05-27 18:23:01 +02:00
|
|
|
const {
|
|
|
|
|
adminPermissions,
|
|
|
|
|
ADMIN_LEVEL_ID,
|
|
|
|
|
POWERUSER_LEVEL_ID,
|
2020-06-18 17:59:31 +02:00
|
|
|
BUILDER_LEVEL_ID,
|
2020-05-27 18:23:01 +02:00
|
|
|
BUILDER,
|
|
|
|
|
} = require("../utilities/accessLevels")
|
2020-10-28 21:35:06 +01:00
|
|
|
const env = require("../environment")
|
2020-10-12 12:57:37 +02:00
|
|
|
const { apiKeyTable } = require("../db/dynamoClient")
|
2020-10-13 22:33:56 +02:00
|
|
|
const { AuthTypes } = require("../constants")
|
2020-05-27 18:23:01 +02:00
|
|
|
|
2020-10-22 18:48:32 +02:00
|
|
|
const LOCAL_PASS = new RegExp(["webhooks/trigger", "webhooks/schema"].join("|"))
|
|
|
|
|
|
2020-05-27 18:23:01 +02:00
|
|
|
module.exports = (permName, getItemId) => async (ctx, next) => {
|
2020-10-22 18:48:32 +02:00
|
|
|
// webhooks can pass locally
|
2020-10-28 21:35:06 +01:00
|
|
|
if (!env.CLOUD && LOCAL_PASS.test(ctx.request.url)) {
|
2020-10-22 18:48:32 +02:00
|
|
|
return next()
|
|
|
|
|
}
|
2020-10-28 21:35:06 +01:00
|
|
|
if (env.CLOUD && ctx.headers["x-api-key"] && ctx.headers["x-instanceid"]) {
|
2020-10-12 12:57:37 +02:00
|
|
|
// api key header passed by external webhook
|
|
|
|
|
const apiKeyInfo = await apiKeyTable.get({
|
|
|
|
|
primary: ctx.headers["x-api-key"],
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
if (apiKeyInfo) {
|
2020-10-12 14:32:52 +02:00
|
|
|
ctx.auth = {
|
2020-10-13 22:33:56 +02:00
|
|
|
authenticated: AuthTypes.EXTERNAL,
|
2020-10-12 14:32:52 +02:00
|
|
|
apiKey: ctx.headers["x-api-key"],
|
|
|
|
|
}
|
2020-10-12 12:57:37 +02:00
|
|
|
ctx.user = {
|
2020-10-29 11:28:27 +01:00
|
|
|
appId: ctx.headers["x-instanceid"],
|
2020-10-12 12:57:37 +02:00
|
|
|
}
|
|
|
|
|
return next()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ctx.throw(403, "API key invalid")
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-14 17:47:53 +02:00
|
|
|
// don't expose builder endpoints in the cloud
|
2020-10-28 21:35:06 +01:00
|
|
|
if (env.CLOUD && permName === BUILDER) return
|
2020-10-14 17:47:53 +02:00
|
|
|
|
2020-10-12 14:32:52 +02:00
|
|
|
if (!ctx.auth.authenticated) {
|
2020-05-27 18:23:01 +02:00
|
|
|
ctx.throw(403, "Session not authenticated")
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-18 17:59:31 +02:00
|
|
|
if (!ctx.user) {
|
|
|
|
|
ctx.throw(403, "User not found")
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-13 22:33:56 +02:00
|
|
|
if (ctx.user.accessLevel._id === ADMIN_LEVEL_ID) {
|
|
|
|
|
return next()
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-18 17:59:31 +02:00
|
|
|
if (ctx.user.accessLevel._id === BUILDER_LEVEL_ID) {
|
2020-10-08 18:34:41 +02:00
|
|
|
return next()
|
2020-05-27 18:23:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (permName === BUILDER) {
|
|
|
|
|
ctx.throw(403, "Not Authorized")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const permissionId = ({ name, itemId }) => name + (itemId ? `-${itemId}` : "")
|
|
|
|
|
|
|
|
|
|
const thisPermissionId = permissionId({
|
|
|
|
|
name: permName,
|
|
|
|
|
itemId: getItemId && getItemId(ctx),
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// power user has everything, except the admin specific perms
|
|
|
|
|
if (
|
|
|
|
|
ctx.user.accessLevel._id === POWERUSER_LEVEL_ID &&
|
|
|
|
|
!adminPermissions.map(permissionId).includes(thisPermissionId)
|
|
|
|
|
) {
|
2020-10-08 18:34:41 +02:00
|
|
|
return next()
|
2020-05-27 18:23:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (
|
|
|
|
|
ctx.user.accessLevel.permissions
|
|
|
|
|
.map(permissionId)
|
|
|
|
|
.includes(thisPermissionId)
|
|
|
|
|
) {
|
2020-10-08 18:34:41 +02:00
|
|
|
return next()
|
2020-05-27 18:23:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ctx.throw(403, "Not Authorized")
|
|
|
|
|
}
|
