zeppelin/backend/src/api/guilds.ts

import { ApiPermissions } from "@shared/apiPermissions";
import express, { Request, Response } from "express";
import { YAMLException } from "js-yaml";
import { validateGuildConfig } from "../configValidator";
import { AllowedGuilds } from "../data/AllowedGuilds";
import { ApiPermissionAssignments, ApiPermissionTypes } from "../data/ApiPermissionAssignments";
import { Configs } from "../data/Configs";
import { apiTokenAuthHandlers } from "./auth";
import { hasGuildPermission, requireGuildPermission } from "./permissions";
import { clientError, ok, serverError, unauthorized } from "./responses";
import { loadYamlSafely } from "../utils/loadYamlSafely";
import { ObjectAliasError } from "../utils/validateNoObjectAliases";
import { isSnowflake } from "../utils";
import moment from "moment-timezone";
import { ApiAuditLog } from "../data/ApiAuditLog";
import { AuditLogEventTypes } from "../data/apiAuditLogTypes";
import { Queue } from "../Queue";

const apiPermissionAssignments = new ApiPermissionAssignments();
const auditLog = new ApiAuditLog();

export function initGuildsAPI(app: express.Express) {
  const allowedGuilds = new AllowedGuilds();
  const configs = new Configs();

  const guildRouter = express.Router();
  guildRouter.use(...apiTokenAuthHandlers());

  guildRouter.get("/available", async (req: Request, res: Response) => {
    const guilds = await allowedGuilds.getForApiUser(req.user!.userId);
    res.json(guilds);
  });

  guildRouter.get(
    "/my-permissions", // a
    async (req: Request, res: Response) => {
      const permissions = await apiPermissionAssignments.getByUserId(req.user!.userId);
      res.json(permissions);
    },
  );

  guildRouter.get("/:guildId", async (req: Request, res: Response) => {
    if (!(await hasGuildPermission(req.user!.userId, req.params.guildId, ApiPermissions.ViewGuild))) {
      return unauthorized(res);
    }

    const guild = await allowedGuilds.find(req.params.guildId);
    res.json(guild);
  });

  guildRouter.post("/:guildId/check-permission", async (req: Request, res: Response) => {
    const permission = req.body.permission;
    const hasPermission = await hasGuildPermission(req.user!.userId, req.params.guildId, permission);
    res.json({ result: hasPermission });
  });

  guildRouter.get(
    "/:guildId/config",
    requireGuildPermission(ApiPermissions.ReadConfig),
    async (req: Request, res: Response) => {
      const config = await configs.getActiveByKey(`guild-${req.params.guildId}`);
      res.json({ config: config ? config.config : "" });
    },
  );

  guildRouter.post("/:guildId/config", requireGuildPermission(ApiPermissions.EditConfig), async (req, res) => {
    let config = req.body.config;
    if (config == null) return clientError(res, "No config supplied");

    config = config.trim() + "\n"; // Normalize start/end whitespace in the config

    const currentConfig = await configs.getActiveByKey(`guild-${req.params.guildId}`);
    if (currentConfig && config === currentConfig.config) {
      return ok(res);
    }

    // Validate config
    let parsedConfig;
    try {
      parsedConfig = loadYamlSafely(config);
    } catch (e) {
      if (e instanceof YAMLException) {
        return res.status(400).json({ errors: [e.message] });
      }

      if (e instanceof ObjectAliasError) {
        return res.status(400).json({ errors: [e.message] });
      }

      // tslint:disable-next-line:no-console
      console.error("Error when loading YAML: " + e.message);
      return serverError(res, "Server error");
    }

    if (parsedConfig == null) {
      parsedConfig = {};
    }

    const error = await validateGuildConfig(parsedConfig);
    if (error) {
      return res.status(422).json({ errors: [error] });
    }

    await configs.saveNewRevision(`guild-${req.params.guildId}`, config, req.user!.userId);

    ok(res);
  });

  guildRouter.get(
    "/:guildId/permissions",
    requireGuildPermission(ApiPermissions.ManageAccess),
    async (req: Request, res: Response) => {
      const permissions = await apiPermissionAssignments.getByGuildId(req.params.guildId);
      res.json(permissions);
    },
  );

  const permissionManagementQueue = new Queue();
  guildRouter.post(
    "/:guildId/set-target-permissions",
    requireGuildPermission(ApiPermissions.ManageAccess),
    async (req: Request, res: Response) => {
      await permissionManagementQueue.add(async () => {
        const { type, targetId, permissions, expiresAt } = req.body;

        if (type !== ApiPermissionTypes.User) {
          return clientError(res, "Invalid type");
        }
        if (!isSnowflake(targetId)) {
          return clientError(res, "Invalid targetId");
        }
        const validPermissions = new Set(Object.values(ApiPermissions));
        validPermissions.delete(ApiPermissions.Owner);
        if (!Array.isArray(permissions) || permissions.some((p) => !validPermissions.has(p))) {
          return clientError(res, "Invalid permissions");
        }
        if (expiresAt != null && !moment.utc(expiresAt).isValid()) {
          return clientError(res, "Invalid expiresAt");
        }

        const existingAssignment = await apiPermissionAssignments.getByGuildAndUserId(req.params.guildId, targetId);
        if (existingAssignment && existingAssignment.permissions.includes(ApiPermissions.Owner)) {
          return clientError(res, "Can't change owner permissions");
        }

        if (permissions.length === 0) {
          await apiPermissionAssignments.removeUser(req.params.guildId, targetId);
          await auditLog.addEntry(req.params.guildId, req.user!.userId, AuditLogEventTypes.REMOVE_API_PERMISSION, {
            type: ApiPermissionTypes.User,
            target_id: targetId,
          });
        } else {
          const existing = await apiPermissionAssignments.getByGuildAndUserId(req.params.guildId, targetId);
          if (existing) {
            await apiPermissionAssignments.updateUserPermissions(req.params.guildId, targetId, permissions);
            await auditLog.addEntry(req.params.guildId, req.user!.userId, AuditLogEventTypes.EDIT_API_PERMISSION, {
              type: ApiPermissionTypes.User,
              target_id: targetId,
              permissions,
              expires_at: existing.expires_at,
            });
          } else {
            await apiPermissionAssignments.addUser(req.params.guildId, targetId, permissions, expiresAt);
            await auditLog.addEntry(req.params.guildId, req.user!.userId, AuditLogEventTypes.ADD_API_PERMISSION, {
              type: ApiPermissionTypes.User,
              target_id: targetId,
              permissions,
              expires_at: expiresAt,
            });
          }
        }

        ok(res);
      });
    },
  );

  app.use("/guilds", guildRouter);
}
Organise all imports, make Mutes depend on Logs 2021-06-06 23:51:32 +02:00			`import { ApiPermissions } from "@shared/apiPermissions";`
More work on API permissions 2019-11-08 00:04:24 +02:00			`import express, { Request, Response } from "express";`
Disallow anchors/aliases to objects when loading config YAML 2021-08-14 18:22:29 +03:00			`import { YAMLException } from "js-yaml";`
Organise all imports, make Mutes depend on Logs 2021-06-06 23:51:32 +02:00			`import { validateGuildConfig } from "../configValidator";`
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`import { AllowedGuilds } from "../data/AllowedGuilds";`
Add rudimentary user management to dashboard 2021-09-05 16:42:35 +03:00			`import { ApiPermissionAssignments, ApiPermissionTypes } from "../data/ApiPermissionAssignments";`
dashboard: auth fixes, guild listing, config editing 2019-06-23 03:40:53 +03:00			`import { Configs } from "../data/Configs";`
Fix overzealous auth requirement in API 2019-07-22 00:49:05 +03:00			`import { apiTokenAuthHandlers } from "./auth";`
dashboard/api: add support for Zeppelin staff members; add ViewGuild permission; code cleanup 2020-05-23 16:22:03 +03:00			`import { hasGuildPermission, requireGuildPermission } from "./permissions";`
Organise all imports, make Mutes depend on Logs 2021-06-06 23:51:32 +02:00			`import { clientError, ok, serverError, unauthorized } from "./responses";`
Disallow anchors/aliases to objects when loading config YAML 2021-08-14 18:22:29 +03:00			`import { loadYamlSafely } from "../utils/loadYamlSafely";`
			`import { ObjectAliasError } from "../utils/validateNoObjectAliases";`
Add rudimentary user management to dashboard 2021-09-05 16:42:35 +03:00			`import { isSnowflake } from "../utils";`
			`import moment from "moment-timezone";`
			`import { ApiAuditLog } from "../data/ApiAuditLog";`
			`import { AuditLogEventTypes } from "../data/apiAuditLogTypes";`
			`import { Queue } from "../Queue";`
dashboard: work on guild access page 2020-05-23 17:30:52 +03:00
			`const apiPermissionAssignments = new ApiPermissionAssignments();`
Add rudimentary user management to dashboard 2021-09-05 16:42:35 +03:00			`const auditLog = new ApiAuditLog();`
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00
			`export function initGuildsAPI(app: express.Express) {`
			`const allowedGuilds = new AllowedGuilds();`
dashboard: auth fixes, guild listing, config editing 2019-06-23 03:40:53 +03:00			`const configs = new Configs();`
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00
dashboard/api: add support for Zeppelin staff members; add ViewGuild permission; code cleanup 2020-05-23 16:22:03 +03:00			`const guildRouter = express.Router();`
			`guildRouter.use(...apiTokenAuthHandlers());`

			`guildRouter.get("/available", async (req: Request, res: Response) => {`
Turn on strict TS compilation. Fix up and tweak types accordingly. 2020-11-09 20:03:57 +02:00			`const guilds = await allowedGuilds.getForApiUser(req.user!.userId);`
dashboard: auth fixes, guild listing, config editing 2019-06-23 03:40:53 +03:00			`res.json(guilds);`
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`});`
dashboard: auth fixes, guild listing, config editing 2019-06-23 03:40:53 +03:00
Add rudimentary user management to dashboard 2021-09-05 16:42:35 +03:00			`guildRouter.get(`
			`"/my-permissions", // a`
			`async (req: Request, res: Response) => {`
			`const permissions = await apiPermissionAssignments.getByUserId(req.user!.userId);`
			`res.json(permissions);`
			`},`
			`);`

dashboard/api: add support for Zeppelin staff members; add ViewGuild permission; code cleanup 2020-05-23 16:22:03 +03:00			`guildRouter.get("/:guildId", async (req: Request, res: Response) => {`
Turn on strict TS compilation. Fix up and tweak types accordingly. 2020-11-09 20:03:57 +02:00			`if (!(await hasGuildPermission(req.user!.userId, req.params.guildId, ApiPermissions.ViewGuild))) {`
More work on API permissions 2019-11-08 00:04:24 +02:00			`return unauthorized(res);`
			`}`
dashboard: auth fixes, guild listing, config editing 2019-06-23 03:40:53 +03:00
dashboard/api: add support for Zeppelin staff members; add ViewGuild permission; code cleanup 2020-05-23 16:22:03 +03:00			`const guild = await allowedGuilds.find(req.params.guildId);`
			`res.json(guild);`
dashboard: auth fixes, guild listing, config editing 2019-06-23 03:40:53 +03:00			`});`

dashboard/api: add support for Zeppelin staff members; add ViewGuild permission; code cleanup 2020-05-23 16:22:03 +03:00			`guildRouter.post("/:guildId/check-permission", async (req: Request, res: Response) => {`
			`const permission = req.body.permission;`
Turn on strict TS compilation. Fix up and tweak types accordingly. 2020-11-09 20:03:57 +02:00			`const hasPermission = await hasGuildPermission(req.user!.userId, req.params.guildId, permission);`
dashboard/api: add support for Zeppelin staff members; add ViewGuild permission; code cleanup 2020-05-23 16:22:03 +03:00			`res.json({ result: hasPermission });`
			`});`

			`guildRouter.get(`
			`"/:guildId/config",`
			`requireGuildPermission(ApiPermissions.ReadConfig),`
			`async (req: Request, res: Response) => {`
			const config = await configs.getActiveByKey(`guild-${req.params.guildId}`);
			`res.json({ config: config ? config.config : "" });`
			`},`
			`);`
dashboard: auth fixes, guild listing, config editing 2019-06-23 03:40:53 +03:00
dashboard/api: add support for Zeppelin staff members; add ViewGuild permission; code cleanup 2020-05-23 16:22:03 +03:00			`guildRouter.post("/:guildId/config", requireGuildPermission(ApiPermissions.EditConfig), async (req, res) => {`
Don't save identical configs as new revisions 2019-07-22 00:14:24 +03:00			`let config = req.body.config;`
dashboard: auth fixes, guild listing, config editing 2019-06-23 03:40:53 +03:00			`if (config == null) return clientError(res, "No config supplied");`

Don't save identical configs as new revisions 2019-07-22 00:14:24 +03:00			`config = config.trim() + "\n"; // Normalize start/end whitespace in the config`

			const currentConfig = await configs.getActiveByKey(`guild-${req.params.guildId}`);
Turn on strict TS compilation. Fix up and tweak types accordingly. 2020-11-09 20:03:57 +02:00			`if (currentConfig && config === currentConfig.config) {`
Don't save identical configs as new revisions 2019-07-22 00:14:24 +03:00			`return ok(res);`
			`}`

Switch from ajv to io-ts for config validation; validate configs on save in the API/dashboard; start work on creating io-ts schemas for all plugins 2019-07-11 12:23:57 +03:00			`// Validate config`
			`let parsedConfig;`
			`try {`
Disallow anchors/aliases to objects when loading config YAML 2021-08-14 18:22:29 +03:00			`parsedConfig = loadYamlSafely(config);`
Switch from ajv to io-ts for config validation; validate configs on save in the API/dashboard; start work on creating io-ts schemas for all plugins 2019-07-11 12:23:57 +03:00			`} catch (e) {`
			`if (e instanceof YAMLException) {`
Fix YAML errors not showing the proper error message in config editor 2019-07-22 02:00:04 +03:00			`return res.status(400).json({ errors: [e.message] });`
Switch from ajv to io-ts for config validation; validate configs on save in the API/dashboard; start work on creating io-ts schemas for all plugins 2019-07-11 12:23:57 +03:00			`}`

Disallow anchors/aliases to objects when loading config YAML 2021-08-14 18:22:29 +03:00			`if (e instanceof ObjectAliasError) {`
			`return res.status(400).json({ errors: [e.message] });`
			`}`

Disable unneeded tslint warning 2019-11-27 20:30:36 +02:00			`// tslint:disable-next-line:no-console`
Switch from ajv to io-ts for config validation; validate configs on save in the API/dashboard; start work on creating io-ts schemas for all plugins 2019-07-11 12:23:57 +03:00			`console.error("Error when loading YAML: " + e.message);`
			`return serverError(res, "Server error");`
			`}`

			`if (parsedConfig == null) {`
			`parsedConfig = {};`
			`}`

Handle plugin load errors gracefully 2020-07-30 20:40:00 +03:00			`const error = await validateGuildConfig(parsedConfig);`
			`if (error) {`
			`return res.status(422).json({ errors: [error] });`
Switch from ajv to io-ts for config validation; validate configs on save in the API/dashboard; start work on creating io-ts schemas for all plugins 2019-07-11 12:23:57 +03:00			`}`

Turn on strict TS compilation. Fix up and tweak types accordingly. 2020-11-09 20:03:57 +02:00			await configs.saveNewRevision(`guild-${req.params.guildId}`, config, req.user!.userId);
Fix API config validation not taking default options into account 2020-07-28 23:28:26 +03:00
dashboard: auth fixes, guild listing, config editing 2019-06-23 03:40:53 +03:00			`ok(res);`
			`});`
dashboard/api: add support for Zeppelin staff members; add ViewGuild permission; code cleanup 2020-05-23 16:22:03 +03:00
dashboard: work on guild access page 2020-05-23 17:30:52 +03:00			`guildRouter.get(`
			`"/:guildId/permissions",`
			`requireGuildPermission(ApiPermissions.ManageAccess),`
			`async (req: Request, res: Response) => {`
			`const permissions = await apiPermissionAssignments.getByGuildId(req.params.guildId);`
			`res.json(permissions);`
			`},`
			`);`

Add rudimentary user management to dashboard 2021-09-05 16:42:35 +03:00			`const permissionManagementQueue = new Queue();`
			`guildRouter.post(`
			`"/:guildId/set-target-permissions",`
			`requireGuildPermission(ApiPermissions.ManageAccess),`
			`async (req: Request, res: Response) => {`
			`await permissionManagementQueue.add(async () => {`
			`const { type, targetId, permissions, expiresAt } = req.body;`

			`if (type !== ApiPermissionTypes.User) {`
			`return clientError(res, "Invalid type");`
			`}`
			`if (!isSnowflake(targetId)) {`
			`return clientError(res, "Invalid targetId");`
			`}`
			`const validPermissions = new Set(Object.values(ApiPermissions));`
			`validPermissions.delete(ApiPermissions.Owner);`
Reformat all files with Prettier 2021-09-11 19:06:51 +03:00			`if (!Array.isArray(permissions) \|\| permissions.some((p) => !validPermissions.has(p))) {`
Add rudimentary user management to dashboard 2021-09-05 16:42:35 +03:00			`return clientError(res, "Invalid permissions");`
			`}`
			`if (expiresAt != null && !moment.utc(expiresAt).isValid()) {`
			`return clientError(res, "Invalid expiresAt");`
			`}`

			`const existingAssignment = await apiPermissionAssignments.getByGuildAndUserId(req.params.guildId, targetId);`
			`if (existingAssignment && existingAssignment.permissions.includes(ApiPermissions.Owner)) {`
			`return clientError(res, "Can't change owner permissions");`
			`}`

			`if (permissions.length === 0) {`
			`await apiPermissionAssignments.removeUser(req.params.guildId, targetId);`
			`await auditLog.addEntry(req.params.guildId, req.user!.userId, AuditLogEventTypes.REMOVE_API_PERMISSION, {`
			`type: ApiPermissionTypes.User,`
			`target_id: targetId,`
			`});`
			`} else {`
			`const existing = await apiPermissionAssignments.getByGuildAndUserId(req.params.guildId, targetId);`
			`if (existing) {`
			`await apiPermissionAssignments.updateUserPermissions(req.params.guildId, targetId, permissions);`
			`await auditLog.addEntry(req.params.guildId, req.user!.userId, AuditLogEventTypes.EDIT_API_PERMISSION, {`
			`type: ApiPermissionTypes.User,`
			`target_id: targetId,`
			`permissions,`
			`expires_at: existing.expires_at,`
			`});`
			`} else {`
			`await apiPermissionAssignments.addUser(req.params.guildId, targetId, permissions, expiresAt);`
			`await auditLog.addEntry(req.params.guildId, req.user!.userId, AuditLogEventTypes.ADD_API_PERMISSION, {`
			`type: ApiPermissionTypes.User,`
			`target_id: targetId,`
			`permissions,`
			`expires_at: expiresAt,`
			`});`
			`}`
			`}`

			`ok(res);`
			`});`
			`},`
			`);`

dashboard/api: add support for Zeppelin staff members; add ViewGuild permission; code cleanup 2020-05-23 16:22:03 +03:00			`app.use("/guilds", guildRouter);`
Dashboard work. Move configs to DB. Some script reorganization. Add nodemon configs. 2019-06-22 18:52:24 +03:00			`}`