StyAndCo/zeppelin
3
0
Fork 0
mirror of https://github.com/ZeppelinBot/Zeppelin.git synced 2025-03-15 05:41:51 +00:00
Code Releases Activity

Fix overzealous auth requirement in API

Browse source
This commit is contained in:
Dragory 2019-07-22 00:49:05 +03:00
parent b24dd6a938
commit 1c7508ffc5
2 changed files with 6 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/api/auth.ts
View file

@ -134,13 +134,13 @@ export function initAuth(app: express.Express) {
res.json({ valid: true });
});
app.post("/auth/logout", ...getRequireAPITokenHandlers(), async (req: Request, res: Response) => {
app.post("/auth/logout", ...apiTokenAuthHandlers(), async (req: Request, res: Response) => {
await apiLogins.expireApiKey(req.user.apiKey);
return ok(res);
});
}
function getRequireAPITokenHandlers() {
export function apiTokenAuthHandlers() {
return [
passport.authenticate("api-token", { failWithError: true }),
(err, req, res, next) => {
@ -148,7 +148,3 @@ function getRequireAPITokenHandlers() {
},
];
}
export function requireAPIToken(router: express.Router) {
router.use(...getRequireAPITokenHandlers());
}

13
src/api/guilds.ts
View file

@ -1,28 +1,25 @@
import express from "express";
import passport from "passport";
import { AllowedGuilds } from "../data/AllowedGuilds";
import { requireAPIToken } from "./auth";
import { ApiPermissions } from "../data/ApiPermissions";
import { clientError, error, ok, serverError, unauthorized } from "./responses";
import { Configs } from "../data/Configs";
import { ApiRoles } from "../data/ApiRoles";
import { validateGuildConfig } from "../configValidator";
import yaml, { YAMLException } from "js-yaml";
import { apiTokenAuthHandlers } from "./auth";
export function initGuildsAPI(app: express.Express) {
const guildAPIRouter = express.Router();
requireAPIToken(guildAPIRouter);
const allowedGuilds = new AllowedGuilds();
const apiPermissions = new ApiPermissions();
const configs = new Configs();
guildAPIRouter.get("/guilds/available", async (req, res) => {
app.get("/guilds/available", ...apiTokenAuthHandlers(), async (req, res) => {
const guilds = await allowedGuilds.getForApiUser(req.user.userId);
res.json(guilds);
});
guildAPIRouter.get("/guilds/:guildId/config", async (req, res) => {
app.get("/guilds/:guildId/config", ...apiTokenAuthHandlers(), async (req, res) => {
const permissions = await apiPermissions.getByGuildAndUserId(req.params.guildId, req.user.userId);
if (!permissions) return unauthorized(res);
@ -30,7 +27,7 @@ export function initGuildsAPI(app: express.Express) {
res.json({ config: config ? config.config : "" });
});
guildAPIRouter.post("/guilds/:guildId/config", async (req, res) => {
app.post("/guilds/:guildId/config", ...apiTokenAuthHandlers(), async (req, res) => {
const permissions = await apiPermissions.getByGuildAndUserId(req.params.guildId, req.user.userId);
if (!permissions || ApiRoles[permissions.role] < ApiRoles.Editor) return unauthorized(res);
@ -69,6 +66,4 @@ export function initGuildsAPI(app: express.Express) {
await configs.saveNewRevision(`guild-${req.params.guildId}`, config, req.user.userId);
ok(res);
});
app.use(guildAPIRouter);
}