Fix overzealous auth requirement in API

This commit is contained in:
Dragory 2019-07-22 00:49:05 +03:00
parent b24dd6a938
commit 1c7508ffc5
2 changed files with 6 additions and 15 deletions


@ -134,13 +134,13 @@ export function initAuth(app: express.Express) {
res.json({ valid: true }); res.json({ valid: true });
}); });
app.post("/auth/logout", ...getRequireAPITokenHandlers(), async (req: Request, res: Response) => { app.post("/auth/logout", ...apiTokenAuthHandlers(), async (req: Request, res: Response) => {
await apiLogins.expireApiKey(req.user.apiKey); await apiLogins.expireApiKey(req.user.apiKey);
return ok(res); return ok(res);
}); });
} }
function getRequireAPITokenHandlers() { export function apiTokenAuthHandlers() {
return [ return [
passport.authenticate("api-token", { failWithError: true }), passport.authenticate("api-token", { failWithError: true }),
(err, req, res, next) => { (err, req, res, next) => {
@ -148,7 +148,3 @@ function getRequireAPITokenHandlers() {
}, },
]; ];
} }
export function requireAPIToken(router: express.Router) {
router.use(...getRequireAPITokenHandlers());
}
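Review bot: `apiTokenAuthHandlers` becomes the exported, per-route replacement for the router-level `requireAPIToken` deleted at the end of the section, yet it carries no documentation saying that callers must spread it ahead of any handler that reads `req.user` (as `/auth/logout` does on the line below it); a route registered without the spread is served unauthenticated and dereferences an undefined `req.user` instead of getting the 401 the error handler produces. Suggest a TSDoc on the export: `/** Passport "api-token" authentication plus its failure handler; spread before any handler that reads req.user — nothing applies it router-wide any more. */`. The error handler `(err, req, res, next) =>` is also untyped, which only compiles with `noImplicitAny` off; annotating it `(err: Error, req: Request, res: Response, next: NextFunction) =>` would match the `/auth/logout` handler, provided `NextFunction` is imported from express (the file's import block is outside this hunk). The same per-route expectation applies to the three `/guilds/...` routes rewritten in the second file of this commit. `initAuth` starts before the first hunk and the error handler's body spans the gap between the two hunks.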


@ -1,28 +1,25 @@
import express from "express"; import express from "express";
import passport from "passport"; import passport from "passport";
import { AllowedGuilds } from "../data/AllowedGuilds"; import { AllowedGuilds } from "../data/AllowedGuilds";
import { requireAPIToken } from "./auth";
import { ApiPermissions } from "../data/ApiPermissions"; import { ApiPermissions } from "../data/ApiPermissions";
import { clientError, error, ok, serverError, unauthorized } from "./responses"; import { clientError, error, ok, serverError, unauthorized } from "./responses";
import { Configs } from "../data/Configs"; import { Configs } from "../data/Configs";
import { ApiRoles } from "../data/ApiRoles"; import { ApiRoles } from "../data/ApiRoles";
import { validateGuildConfig } from "../configValidator"; import { validateGuildConfig } from "../configValidator";
import yaml, { YAMLException } from "js-yaml"; import yaml, { YAMLException } from "js-yaml";
import { apiTokenAuthHandlers } from "./auth";
export function initGuildsAPI(app: express.Express) { export function initGuildsAPI(app: express.Express) {
const guildAPIRouter = express.Router();
requireAPIToken(guildAPIRouter);
const allowedGuilds = new AllowedGuilds(); const allowedGuilds = new AllowedGuilds();
const apiPermissions = new ApiPermissions(); const apiPermissions = new ApiPermissions();
const configs = new Configs(); const configs = new Configs();
guildAPIRouter.get("/guilds/available", async (req, res) => { app.get("/guilds/available", ...apiTokenAuthHandlers(), async (req, res) => {
const guilds = await allowedGuilds.getForApiUser(req.user.userId); const guilds = await allowedGuilds.getForApiUser(req.user.userId);
res.json(guilds); res.json(guilds);
}); });
guildAPIRouter.get("/guilds/:guildId/config", async (req, res) => { app.get("/guilds/:guildId/config", ...apiTokenAuthHandlers(), async (req, res) => {
const permissions = await apiPermissions.getByGuildAndUserId(req.params.guildId, req.user.userId); const permissions = await apiPermissions.getByGuildAndUserId(req.params.guildId, req.user.userId);
if (!permissions) return unauthorized(res); if (!permissions) return unauthorized(res);
@ -30,7 +27,7 @@ export function initGuildsAPI(app: express.Express) {
res.json({ config: config ? config.config : "" }); res.json({ config: config ? config.config : "" });
}); });
guildAPIRouter.post("/guilds/:guildId/config", async (req, res) => { app.post("/guilds/:guildId/config", ...apiTokenAuthHandlers(), async (req, res) => {
const permissions = await apiPermissions.getByGuildAndUserId(req.params.guildId, req.user.userId); const permissions = await apiPermissions.getByGuildAndUserId(req.params.guildId, req.user.userId);
if (!permissions || ApiRoles[permissions.role] < ApiRoles.Editor) return unauthorized(res); if (!permissions || ApiRoles[permissions.role] < ApiRoles.Editor) return unauthorized(res);
@ -69,6 +66,4 @@ export function initGuildsAPI(app: express.Express) {
await configs.saveNewRevision(`guild-${req.params.guildId}`, config, req.user.userId); await configs.saveNewRevision(`guild-${req.params.guildId}`, config, req.user.userId);
ok(res); ok(res);
}); });
app.use(guildAPIRouter);
} }
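Review bot: The rewritten route handlers at `/guilds/available`, `/guilds/:guildId/config` (GET) and `/guilds/:guildId/config` (POST) leave `req` and `res` unannotated (`async (req, res) =>`), whereas the equivalent `/auth/logout` handler in auth.ts writes `(req: Request, res: Response)`; with the spread `...apiTokenAuthHandlers()` in the argument list, the types Express infers for `req.user.userId` and `req.params.guildId` are, as far as can be seen here, whatever its generic overload yields. For consistency and so the `req.user` reads are checked against a declared type, annotate them, e.g. `app.get("/guilds/available", ...apiTokenAuthHandlers(), async (req: express.Request, res: express.Response) => {`, using the `express` default import already on the first line of the file. `initGuildsAPI` spans all three hunks, so each handler body continues past the hunk it starts in.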