ambiser
/
umami
9
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Auth checkpoint.

pull/1683/head
Brian Cao 2022-11-30 18:40:44 -08:00
parent 0bcfc6654d
commit 3085bdd713
6 changed files with 51 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
db/postgresql/migrations/01_init/migration.sql
View File

@ -287,10 +287,10 @@ INSERT INTO "user" (user_id, username, password) VALUES ('41e2b680-648e-4b09-bcd
-- Add Roles -- Add Roles
INSERT INTO "role" ("role_id", "name", "description") VALUES (gen_random_uuid(), 'Admin', 'System Admin.'); INSERT INTO "role" ("role_id", "name", "description") VALUES (gen_random_uuid(), 'Admin', 'System Admin.');
INSERT INTO "role" ("role_id", "name", "description") (gen_random_uuid(), 'Member', 'Create and maintain websites.'); INSERT INTO "role" ("role_id", "name", "description") VALUES (gen_random_uuid(), 'Member', 'Create and maintain websites.');
INSERT INTO "role" ("role_id", "name", "description") (gen_random_uuid(), 'Team Owner', 'Create and maintain the team, memberships, websites, and responsible for billing.'); INSERT INTO "role" ("role_id", "name", "description") VALUES (gen_random_uuid(), 'Team Owner', 'Create and maintain the team, memberships, websites, and responsible for billing.');
INSERT INTO "role" ("role_id", "name", "description") (gen_random_uuid(), 'Team Member', 'Create and maintain websites.'); INSERT INTO "role" ("role_id", "name", "description") VALUES (gen_random_uuid(), 'Team Member', 'Create and maintain websites.');
INSERT INTO "role" ("role_id", "name", "description") (gen_random_uuid(), 'Team Guest', 'View Websites.'); INSERT INTO "role" ("role_id", "name", "description") VALUES (gen_random_uuid(), 'Team Guest', 'View Websites.');
-- Add Permissions -- Add Permissions
INSERT INTO "permission" ("permission_id", "name", "description") VALUES (gen_random_uuid(), 'admin', 'System Admin'); INSERT INTO "permission" ("permission_id", "name", "description") VALUES (gen_random_uuid(), 'admin', 'System Admin');

86
lib/auth.ts
View File

@ -1,10 +1,9 @@
import debug from 'debug'; import debug from 'debug';
import { NextApiRequestAuth } from 'interface/api/nextApi';
import cache from 'lib/cache'; import cache from 'lib/cache';
import { SHARE_TOKEN_HEADER, UmamiApi } from 'lib/constants'; import { SHARE_TOKEN_HEADER, UmamiApi } from 'lib/constants';
import { secret } from 'lib/crypto'; import { secret } from 'lib/crypto';
import { parseSecureToken, parseToken } from 'next-basics'; import { parseSecureToken, parseToken } from 'next-basics';
import { getPermissionsByUserId, getTeamUser, getUser } from 'queries'; import { getPermissionsByUserId, getTeamPermissionsByUserId } from 'queries';
const log = debug('umami:auth'); const log = debug('umami:auth');
@ -34,13 +33,6 @@ export function parseShareToken(req) {
} }
} }
export function hasPermission(
value: UmamiApi.Role | UmamiApi.Permission,
permissions: UmamiApi.Role[] | UmamiApi.Permission[],
) {
return permissions.some(a => a === value);
}
export function isValidToken(token, validation) { export function isValidToken(token, validation) {
try { try {
if (typeof validation === 'object') { if (typeof validation === 'object') {
@ -57,66 +49,44 @@ export function isValidToken(token, validation) {
} }
export async function allowQuery( export async function allowQuery(
req: NextApiRequestAuth, requestUserId: string,
type: UmamiApi.AuthType, type: UmamiApi.AuthType,
typeId?: string, typeId?: string,
permission?: UmamiApi.Permission,
) { ) {
const { id } = req.query as { id: string }; if (type === UmamiApi.AuthType.Website) {
const website = await cache.fetchWebsite(typeId);
const { user, shareToken } = req.auth; if (website && website.userId === requestUserId) {
return true;
if (shareToken) {
return isValidToken(shareToken, { id });
}
if (user?.id) {
if (type === UmamiApi.AuthType.Website) {
const website = await cache.fetchWebsite(typeId ?? id);
if (website && website.userId === user.id) {
return true;
}
if (website.teamId) {
const teamUser = getTeamUser({ userId: user.id, teamId: website.teamId, isDeleted: false });
return teamUser;
}
return false;
} else if (type === UmamiApi.AuthType.User) {
const user = await getUser({ id });
return user && user.id === id;
} else if (type === UmamiApi.AuthType.Team) {
const teamUser = await getTeamUser({
userId: user.id,
teamId: typeId ?? id,
});
return teamUser;
} else if (type === UmamiApi.AuthType.TeamOwner) {
const teamUser = await getTeamUser({
userId: user.id,
teamId: typeId ?? id,
});
return (
teamUser &&
(teamUser.roleId === UmamiApi.Role.TeamOwner || teamUser.roleId === UmamiApi.Role.Admin)
);
} }
if (website.teamId) {
return checkTeamPermission(requestUserId, typeId, permission);
}
return false;
} else if (type === UmamiApi.AuthType.User) {
if (requestUserId !== typeId) {
return checkUserPermission(requestUserId, permission || UmamiApi.Permission.Admin);
}
return requestUserId === typeId;
} else if (type === UmamiApi.AuthType.Team) {
return checkTeamPermission(requestUserId, typeId, permission);
} }
return false; return false;
} }
export async function checkPermission(req: NextApiRequestAuth, type: UmamiApi.Permission) { export async function checkUserPermission(userId: string, type: UmamiApi.Permission) {
const {
user: { id: userId },
} = req.auth;
const userRole = await getPermissionsByUserId(userId, type); const userRole = await getPermissionsByUserId(userId, type);
return userRole.length > 0; return userRole.length > 0;
} }
export async function checkTeamPermission(userId, teamId: string, type: UmamiApi.Permission) {
const userRole = await getTeamPermissionsByUserId(userId, teamId, type);
return userRole.length > 0;
}

3
lib/constants.ts
View File

@ -9,11 +9,10 @@ export namespace UmamiApi {
Website, Website,
User, User,
Team, Team,
TeamOwner,
} }
export enum Permission { export enum Permission {
Admin = 'Admin', Admin = 'admin',
WebsiteCreate = 'website:create', WebsiteCreate = 'website:create',
WebsiteRead = 'website:read', WebsiteRead = 'website:read',
WebsiteUpdate = 'website:update', WebsiteUpdate = 'website:update',

14
pages/api/teams/[id]/index.ts
View File

@ -21,12 +21,16 @@ export default async (
) => { ) => {
await useAuth(req, res); await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: teamId } = req.query; const { id: teamId } = req.query;
if (req.method === 'GET') { if (req.method === 'GET') {
if (!(await allowQuery(req, UmamiApi.AuthType.Team))) { if (!(await allowQuery(userId, UmamiApi.AuthType.Team, teamId))) {
return unauthorized(res); return unauthorized(res);
} }
const user = await getTeam({ id: teamId }); const user = await getTeam({ id: teamId });
return ok(res, user); return ok(res, user);
@ -35,7 +39,9 @@ export default async (
if (req.method === 'POST') { if (req.method === 'POST') {
const { name } = req.body; const { name } = req.body;
if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) { if (
!(await allowQuery(userId, UmamiApi.AuthType.Team, teamId, UmamiApi.Permission.TeamUpdate))
) {
return unauthorized(res, 'You must be the owner of this team.'); return unauthorized(res, 'You must be the owner of this team.');
} }
@ -45,7 +51,9 @@ export default async (
} }
if (req.method === 'DELETE') { if (req.method === 'DELETE') {
if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) { if (
!(await allowQuery(userId, UmamiApi.AuthType.Team, teamId, UmamiApi.Permission.TeamDelete))
) {
return unauthorized(res, 'You must be the owner of this team.'); return unauthorized(res, 'You must be the owner of this team.');
} }

20
queries/admin/permission.ts
View File

@ -19,7 +19,7 @@ export async function getPermissions(where: Prisma.PermissionWhereInput): Promis
}); });
} }
export async function getPermissionsByUserId(userId, name?: string): Promise<Permission[]> { export async function getPermissionsByUserId(userId: string, name?: string): Promise<Permission[]> {
return prisma.client.permission.findMany({ return prisma.client.permission.findMany({
where: { where: {
...(name ? { name } : {}), ...(name ? { name } : {}),
@ -40,7 +40,11 @@ export async function getPermissionsByUserId(userId, name?: string): Promise<Per
}); });
} }
export async function getPermissionsByTeamId(teamId, name?: string): Promise<Permission[]> { export async function getTeamPermissionsByUserId(
userId: string,
teamId: string,
name?: string,
): Promise<Permission[]> {
return prisma.client.permission.findMany({ return prisma.client.permission.findMany({
where: { where: {
...(name ? { name } : {}), ...(name ? { name } : {}),
@ -50,6 +54,7 @@ export async function getPermissionsByTeamId(teamId, name?: string): Promise<Per
is: { is: {
TeamUser: { TeamUser: {
every: { every: {
userId,
teamId, teamId,
}, },
}, },
@ -70,14 +75,3 @@ export async function updatePermission(
where, where,
}); });
} }
export async function deletePermission(permissionId: string): Promise<Permission> {
return prisma.client.permission.update({
data: {
isDeleted: true,
},
where: {
id: permissionId,
},
});
}

11
queries/admin/role.ts
View File

@ -44,14 +44,3 @@ export async function updateRole(
where, where,
}); });
} }
export async function deleteRole(roleId: string): Promise<Role> {
return prisma.client.role.update({
data: {
isDeleted: true,
},
where: {
id: roleId,
},
});
}