Fix overzealous auth requirement in API
This commit is contained in:
parent
b24dd6a938
commit
1c7508ffc5
2 changed files with 6 additions and 15 deletions
@ -134,13 +134,13 @@ export function initAuth(app: express.Express) {
|
||||||
|
|
||||||
res.json({ valid: true });
|
res.json({ valid: true });
|
||||||
});
|
});
|
||||||
app.post("/auth/logout", ...getRequireAPITokenHandlers(), async (req: Request, res: Response) => {
|
app.post("/auth/logout", ...apiTokenAuthHandlers(), async (req: Request, res: Response) => {
|
||||||
await apiLogins.expireApiKey(req.user.apiKey);
|
await apiLogins.expireApiKey(req.user.apiKey);
|
||||||
return ok(res);
|
return ok(res);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
function getRequireAPITokenHandlers() {
|
export function apiTokenAuthHandlers() {
|
||||||
return [
|
return [
|
||||||
passport.authenticate("api-token", { failWithError: true }),
|
passport.authenticate("api-token", { failWithError: true }),
|
||||||
(err, req, res, next) => {
|
(err, req, res, next) => {
|
||||||
|
@ -148,7 +148,3 @@ function getRequireAPITokenHandlers() {
|
||||||
},
|
},
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
export function requireAPIToken(router: express.Router) {
|
|
||||||
router.use(...getRequireAPITokenHandlers());
|
|
||||||
}
|
|
||||||
|
|
|
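Review bot: The error-handling middleware returned by apiTokenAuthHandlers() still takes its four parameters untyped, `(err, req, res, next) => {`, and because the array literal it sits in has no contextual type each parameter is an implicit any, which a `noImplicitAny` build rejects; now that the function is exported and spread into routes in other files, typing it as `(err: unknown, req: Request, res: Response, next: NextFunction) => {` (NextFunction from express, keeping the four-argument arity Express uses to recognise error middleware) would keep callers honest. The handler body and the rest of the returned array lie outside the hunk. The new export also has no TSDoc; a header comment stating that the returned handlers must be spread into every route that reads req.user, because a route registered without them performs no token check, would document the contract the removed requireAPIToken() used to enforce router-wide.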
@ -1,28 +1,25 @@
|
||||||
import express from "express";
|
import express from "express";
|
||||||
import passport from "passport";
|
import passport from "passport";
|
||||||
import { AllowedGuilds } from "../data/AllowedGuilds";
|
import { AllowedGuilds } from "../data/AllowedGuilds";
|
||||||
import { requireAPIToken } from "./auth";
|
|
||||||
import { ApiPermissions } from "../data/ApiPermissions";
|
import { ApiPermissions } from "../data/ApiPermissions";
|
||||||
import { clientError, error, ok, serverError, unauthorized } from "./responses";
|
import { clientError, error, ok, serverError, unauthorized } from "./responses";
|
||||||
import { Configs } from "../data/Configs";
|
import { Configs } from "../data/Configs";
|
||||||
import { ApiRoles } from "../data/ApiRoles";
|
import { ApiRoles } from "../data/ApiRoles";
|
||||||
import { validateGuildConfig } from "../configValidator";
|
import { validateGuildConfig } from "../configValidator";
|
||||||
import yaml, { YAMLException } from "js-yaml";
|
import yaml, { YAMLException } from "js-yaml";
|
||||||
|
import { apiTokenAuthHandlers } from "./auth";
|
||||||
|
|
||||||
export function initGuildsAPI(app: express.Express) {
|
export function initGuildsAPI(app: express.Express) {
|
||||||
const guildAPIRouter = express.Router();
|
|
||||||
requireAPIToken(guildAPIRouter);
|
|
||||||
|
|
||||||
const allowedGuilds = new AllowedGuilds();
|
const allowedGuilds = new AllowedGuilds();
|
||||||
const apiPermissions = new ApiPermissions();
|
const apiPermissions = new ApiPermissions();
|
||||||
const configs = new Configs();
|
const configs = new Configs();
|
||||||
|
|
||||||
guildAPIRouter.get("/guilds/available", async (req, res) => {
|
app.get("/guilds/available", ...apiTokenAuthHandlers(), async (req, res) => {
|
||||||
const guilds = await allowedGuilds.getForApiUser(req.user.userId);
|
const guilds = await allowedGuilds.getForApiUser(req.user.userId);
|
||||||
res.json(guilds);
|
res.json(guilds);
|
||||||
});
|
});
|
||||||
|
|
||||||
guildAPIRouter.get("/guilds/:guildId/config", async (req, res) => {
|
app.get("/guilds/:guildId/config", ...apiTokenAuthHandlers(), async (req, res) => {
|
||||||
const permissions = await apiPermissions.getByGuildAndUserId(req.params.guildId, req.user.userId);
|
const permissions = await apiPermissions.getByGuildAndUserId(req.params.guildId, req.user.userId);
|
||||||
if (!permissions) return unauthorized(res);
|
if (!permissions) return unauthorized(res);
|
||||||
|
|
||||||
|
@ -30,7 +27,7 @@ export function initGuildsAPI(app: express.Express) {
|
||||||
res.json({ config: config ? config.config : "" });
|
res.json({ config: config ? config.config : "" });
|
||||||
});
|
});
|
||||||
|
|
||||||
guildAPIRouter.post("/guilds/:guildId/config", async (req, res) => {
|
app.post("/guilds/:guildId/config", ...apiTokenAuthHandlers(), async (req, res) => {
|
||||||
const permissions = await apiPermissions.getByGuildAndUserId(req.params.guildId, req.user.userId);
|
const permissions = await apiPermissions.getByGuildAndUserId(req.params.guildId, req.user.userId);
|
||||||
if (!permissions || ApiRoles[permissions.role] < ApiRoles.Editor) return unauthorized(res);
|
if (!permissions || ApiRoles[permissions.role] < ApiRoles.Editor) return unauthorized(res);
|
||||||
|
|
||||||
|
@ -69,6 +66,4 @@ export function initGuildsAPI(app: express.Express) {
|
||||||
await configs.saveNewRevision(`guild-${req.params.guildId}`, config, req.user.userId);
|
await configs.saveNewRevision(`guild-${req.params.guildId}`, config, req.user.userId);
|
||||||
ok(res);
|
ok(res);
|
||||||
});
|
});
|
||||||
|
|
||||||
app.use(guildAPIRouter);
|
|
||||||
}
|
}
|
||||||
|
|
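Review bot: Authentication is now opt-in per route on `app`, so any later `app.get`/`app.post` under `/guilds` that omits `...apiTokenAuthHandlers()` is served without a token check; the three routes in these hunks (`/guilds/available`, and GET and POST `/guilds/:guildId/config`) all include it, but nothing enforces that for the next one. A comment above initGuildsAPI such as `// Auth is per-route: every handler that reads req.user must spread apiTokenAuthHandlers().` would make the contract visible; presumably the old `app.use(guildAPIRouter)` with no mount path applied the router-level guard to every route registered after it, which is what the title calls overzealous, and mounting the router under a prefix (`app.use("/guilds", guildAPIRouter)`) would have kept a single fail-closed guard — worth confirming before settling on the per-route form. Separately, the new `import { apiTokenAuthHandlers } from "./auth";` sits after the `js-yaml` import, apart from the other `./` and `../` imports whose place the removed line occupied; moving it back up keeps the grouping.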