ambiser
/
umami
9
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Auth checkpoint.

pull/1683/head
Brian Cao 2022-11-30 18:40:44 -08:00
parent 0bcfc6654d
commit 3085bdd713
6 changed files with 51 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
db/postgresql/migrations/01_init/migration.sql
View File

@ -287,10 +287,10 @@ INSERT INTO "user" (user_id, username, password) VALUES ('41e2b680-648e-4b09-bcd
-- Add Roles
INSERT INTO "role" ("role_id", "name", "description") VALUES (gen_random_uuid(), 'Admin', 'System Admin.');
INSERT INTO "role" ("role_id", "name", "description") (gen_random_uuid(), 'Member', 'Create and maintain websites.');
INSERT INTO "role" ("role_id", "name", "description") (gen_random_uuid(), 'Team Owner', 'Create and maintain the team, memberships, websites, and responsible for billing.');
INSERT INTO "role" ("role_id", "name", "description") (gen_random_uuid(), 'Team Member', 'Create and maintain websites.');
INSERT INTO "role" ("role_id", "name", "description") (gen_random_uuid(), 'Team Guest', 'View Websites.');
INSERT INTO "role" ("role_id", "name", "description") VALUES (gen_random_uuid(), 'Member', 'Create and maintain websites.');
INSERT INTO "role" ("role_id", "name", "description") VALUES (gen_random_uuid(), 'Team Owner', 'Create and maintain the team, memberships, websites, and responsible for billing.');
INSERT INTO "role" ("role_id", "name", "description") VALUES (gen_random_uuid(), 'Team Member', 'Create and maintain websites.');
INSERT INTO "role" ("role_id", "name", "description") VALUES (gen_random_uuid(), 'Team Guest', 'View Websites.');
-- Add Permissions
INSERT INTO "permission" ("permission_id", "name", "description") VALUES (gen_random_uuid(), 'admin', 'System Admin');

86
lib/auth.ts
View File

@ -1,10 +1,9 @@
import debug from 'debug';
import { NextApiRequestAuth } from 'interface/api/nextApi';
import cache from 'lib/cache';
import { SHARE_TOKEN_HEADER, UmamiApi } from 'lib/constants';
import { secret } from 'lib/crypto';
import { parseSecureToken, parseToken } from 'next-basics';
import { getPermissionsByUserId, getTeamUser, getUser } from 'queries';
import { getPermissionsByUserId, getTeamPermissionsByUserId } from 'queries';
const log = debug('umami:auth');
@ -34,13 +33,6 @@ export function parseShareToken(req) {
}
}
export function hasPermission(
value: UmamiApi.Role | UmamiApi.Permission,
permissions: UmamiApi.Role[] | UmamiApi.Permission[],
) {
return permissions.some(a => a === value);
}
export function isValidToken(token, validation) {
try {
if (typeof validation === 'object') {
@ -57,66 +49,44 @@ export function isValidToken(token, validation) {
}
export async function allowQuery(
req: NextApiRequestAuth,
requestUserId: string,
type: UmamiApi.AuthType,
typeId?: string,
permission?: UmamiApi.Permission,
) {
const { id } = req.query as { id: string };
if (type === UmamiApi.AuthType.Website) {
const website = await cache.fetchWebsite(typeId);
const { user, shareToken } = req.auth;
if (shareToken) {
return isValidToken(shareToken, { id });
}
if (user?.id) {
if (type === UmamiApi.AuthType.Website) {
const website = await cache.fetchWebsite(typeId ?? id);
if (website && website.userId === user.id) {
return true;
}
if (website.teamId) {
const teamUser = getTeamUser({ userId: user.id, teamId: website.teamId, isDeleted: false });
return teamUser;
}
return false;
} else if (type === UmamiApi.AuthType.User) {
const user = await getUser({ id });
return user && user.id === id;
} else if (type === UmamiApi.AuthType.Team) {
const teamUser = await getTeamUser({
userId: user.id,
teamId: typeId ?? id,
});
return teamUser;
} else if (type === UmamiApi.AuthType.TeamOwner) {
const teamUser = await getTeamUser({
userId: user.id,
teamId: typeId ?? id,
});
return (
teamUser &&
(teamUser.roleId === UmamiApi.Role.TeamOwner || teamUser.roleId === UmamiApi.Role.Admin)
);
if (website && website.userId === requestUserId) {
return true;
}
if (website.teamId) {
return checkTeamPermission(requestUserId, typeId, permission);
}
return false;
} else if (type === UmamiApi.AuthType.User) {
if (requestUserId !== typeId) {
return checkUserPermission(requestUserId, permission || UmamiApi.Permission.Admin);
}
return requestUserId === typeId;
} else if (type === UmamiApi.AuthType.Team) {
return checkTeamPermission(requestUserId, typeId, permission);
}
return false;
}
export async function checkPermission(req: NextApiRequestAuth, type: UmamiApi.Permission) {
const {
user: { id: userId },
} = req.auth;
export async function checkUserPermission(userId: string, type: UmamiApi.Permission) {
const userRole = await getPermissionsByUserId(userId, type);
return userRole.length > 0;
}
export async function checkTeamPermission(userId, teamId: string, type: UmamiApi.Permission) {
const userRole = await getTeamPermissionsByUserId(userId, teamId, type);
return userRole.length > 0;
}

3
lib/constants.ts
View File

@ -9,11 +9,10 @@ export namespace UmamiApi {
Website,
User,
Team,
TeamOwner,
}
export enum Permission {
Admin = 'Admin',
Admin = 'admin',
WebsiteCreate = 'website:create',
WebsiteRead = 'website:read',
WebsiteUpdate = 'website:update',

14
pages/api/teams/[id]/index.ts
View File

@ -21,12 +21,16 @@ export default async (
) => {
await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: teamId } = req.query;
if (req.method === 'GET') {
if (!(await allowQuery(req, UmamiApi.AuthType.Team))) {
if (!(await allowQuery(userId, UmamiApi.AuthType.Team, teamId))) {
return unauthorized(res);
}
const user = await getTeam({ id: teamId });
return ok(res, user);
@ -35,7 +39,9 @@ export default async (
if (req.method === 'POST') {
const { name } = req.body;
if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) {
if (
!(await allowQuery(userId, UmamiApi.AuthType.Team, teamId, UmamiApi.Permission.TeamUpdate))
) {
return unauthorized(res, 'You must be the owner of this team.');
}
@ -45,7 +51,9 @@ export default async (
}
if (req.method === 'DELETE') {
if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) {
if (
!(await allowQuery(userId, UmamiApi.AuthType.Team, teamId, UmamiApi.Permission.TeamDelete))
) {
return unauthorized(res, 'You must be the owner of this team.');
}

20
queries/admin/permission.ts
View File

@ -19,7 +19,7 @@ export async function getPermissions(where: Prisma.PermissionWhereInput): Promis
});
}
export async function getPermissionsByUserId(userId, name?: string): Promise<Permission[]> {
export async function getPermissionsByUserId(userId: string, name?: string): Promise<Permission[]> {
return prisma.client.permission.findMany({
where: {
...(name ? { name } : {}),
@ -40,7 +40,11 @@ export async function getPermissionsByUserId(userId, name?: string): Promise<Per
});
}
export async function getPermissionsByTeamId(teamId, name?: string): Promise<Permission[]> {
export async function getTeamPermissionsByUserId(
userId: string,
teamId: string,
name?: string,
): Promise<Permission[]> {
return prisma.client.permission.findMany({
where: {
...(name ? { name } : {}),
@ -50,6 +54,7 @@ export async function getPermissionsByTeamId(teamId, name?: string): Promise<Per
is: {
TeamUser: {
every: {
userId,
teamId,
},
},
@ -70,14 +75,3 @@ export async function updatePermission(
where,
});
}
export async function deletePermission(permissionId: string): Promise<Permission> {
return prisma.client.permission.update({
data: {
isDeleted: true,
},
where: {
id: permissionId,
},
});
}

11
queries/admin/role.ts
View File

@ -44,14 +44,3 @@ export async function updateRole(
where,
});
}
export async function deleteRole(roleId: string): Promise<Role> {
return prisma.client.role.update({
data: {
isDeleted: true,
},
where: {
id: roleId,
},
});
}