Added auth middleware. Added access control to apps

lamelas · Nov 11, 2021 · e3f1679 · e3f1679
1 parent d1c61bb
commit e3f1679
Show file tree

Hide file tree

Showing 16 changed files with 92 additions and 9 deletions.
diff --git a/api.js b/api.js
@@ -21,6 +21,7 @@ api.use('/api/weather', require('./routes/weather'));
 api.use('/api/categories', require('./routes/category'));
 api.use('/api/bookmarks', require('./routes/bookmark'));
 api.use('/api/queries', require('./routes/queries'));
+api.use('/api/auth', require('./routes/auth'));
 
 // Custom error handler
 api.use(errorHandler);

diff --git a/controllers/apps/createApp.js b/controllers/apps/createApp.js
@@ -1,11 +1,16 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const App = require('../../models/App');
 const loadConfig = require('../../utils/loadConfig');
+const ErrorResponse = require('../../utils/ErrorResponse');
 
 // @desc      Create new app
 // @route     POST /api/apps
 // @access    Public
 const createApp = asyncWrapper(async (req, res, next) => {
+  if (!req.isAuthenticated) {
+    return next(new ErrorResponse('Unauthorized', 401));
+  }
+
   const { pinAppsByDefault } = await loadConfig();
 
   let app;

diff --git a/controllers/apps/deleteApp.js b/controllers/apps/deleteApp.js
@@ -1,10 +1,15 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const App = require('../../models/App');
+const ErrorResponse = require('../../utils/ErrorResponse');
 
 // @desc      Delete app
 // @route     DELETE /api/apps/:id
 // @access    Public
 const deleteApp = asyncWrapper(async (req, res, next) => {
+  if (!req.isAuthenticated) {
+    return next(new ErrorResponse('Unauthorized', 401));
+  }
+
   await App.destroy({
     where: { id: req.params.id },
   });

diff --git a/controllers/apps/getAllApps.js b/controllers/apps/getAllApps.js
@@ -25,13 +25,18 @@ const getAllApps = asyncWrapper(async (req, res, next) => {
     await useKubernetes(apps);
   }
 
+  // apps visibility
+  const where = req.isAuthenticated ? {} : { isPublic: true };
+
   if (orderType == 'name') {
     apps = await App.findAll({
       order: [[Sequelize.fn('lower', Sequelize.col('name')), 'ASC']],
+      where,
     });
   } else {
     apps = await App.findAll({
       order: [[orderType, 'ASC']],
+      where,
     });
   }
 

diff --git a/controllers/apps/getSingleApp.js b/controllers/apps/getSingleApp.js
@@ -1,12 +1,15 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const App = require('../../models/App');
+const ErrorResponse = require('../../utils/ErrorResponse');
 
 // @desc      Get single app
 // @route     GET /api/apps/:id
 // @access    Public
 const getSingleApp = asyncWrapper(async (req, res, next) => {
+  const visibility = req.isAuthenticated ? {} : { isPublic: true };
+
   const app = await App.findOne({
-    where: { id: req.params.id },
+    where: { id: req.params.id, ...visibility },
   });
 
   if (!app) {

diff --git a/controllers/apps/reorderApps.js b/controllers/apps/reorderApps.js
@@ -1,10 +1,15 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const App = require('../../models/App');
+const ErrorResponse = require('../../utils/ErrorResponse');
 
 // @desc      Reorder apps
 // @route     PUT /api/apps/0/reorder
 // @access    Public
 const reorderApps = asyncWrapper(async (req, res, next) => {
+  if (!req.isAuthenticated) {
+    return next(new ErrorResponse('Unauthorized', 401));
+  }
+
   req.body.apps.forEach(async ({ id, orderId }) => {
     await App.update(
       { orderId },

diff --git a/controllers/apps/updateApp.js b/controllers/apps/updateApp.js
@@ -1,10 +1,15 @@
 const asyncWrapper = require('../../middleware/asyncWrapper');
 const App = require('../../models/App');
+const ErrorResponse = require('../../utils/ErrorResponse');
 
 // @desc      Update app
 // @route     PUT /api/apps/:id
 // @access    Public
 const updateApp = asyncWrapper(async (req, res, next) => {
+  if (!req.isAuthenticated) {
+    return next(new ErrorResponse('Unauthorized', 401));
+  }
+
   let app = await App.findOne({
     where: { id: req.params.id },
   });

diff --git a/controllers/auth/index.js b/controllers/auth/index.js
@@ -1,3 +1,4 @@
 module.exports = {
   login: require('./login'),
+  validate: require('./validate'),
 };
diff --git a/controllers/auth/validate.js b/controllers/auth/validate.js
@@ -0,0 +1,21 @@
+const asyncWrapper = require('../../middleware/asyncWrapper');
+const ErrorResponse = require('../../utils/ErrorResponse');
+const jwt = require('jsonwebtoken');
+
+// @desc      Verify token
+// @route     POST /api/auth/verify
+// @access    Public
+const validate = asyncWrapper(async (req, res, next) => {
+  try {
+    jwt.verify(req.body.token, process.env.SECRET);
+
+    res.status(200).json({
+      success: true,
+      data: { token: { isValid: true } },
+    });
+  } catch (err) {
+    return next(new ErrorResponse('Token expired', 401));
+  }
+});
+
+module.exports = validate;
diff --git a/db/migrations/02_resource-access.js b/db/migrations/02_resource-access.js
@@ -7,7 +7,7 @@ const up = async (query) => {
   const template = {
     type: INTEGER,
     allowNull: true,
-    defaultValue: 0,
+    defaultValue: 1,
   };
 
   for await (let table of tables) {

diff --git a/middleware/auth.js b/middleware/auth.js
@@ -0,0 +1,25 @@
+const jwt = require('jsonwebtoken');
+
+const auth = (req, res, next) => {
+  const authHeader = req.header('Authorization');
+  let token;
+  let tokenIsValid = false;
+
+  if (authHeader && authHeader.startsWith('Bearer ')) {
+    token = authHeader.split(' ')[1];
+  }
+
+  if (token) {
+    try {
+      jwt.verify(token, process.env.SECRET);
+    } finally {
+      tokenIsValid = true;
+    }
+  }
+
+  req.isAuthenticated = tokenIsValid;
+
+  next();
+};
+
+module.exports = auth;
diff --git a/models/App.js b/models/App.js
@@ -29,7 +29,7 @@ const App = sequelize.define(
     isPublic: {
       type: DataTypes.INTEGER,
       allowNull: true,
-      defaultValue: 0,
+      defaultValue: 1,
     },
   },
   {

diff --git a/models/Bookmark.js b/models/Bookmark.js
@@ -23,7 +23,7 @@ const Bookmark = sequelize.define(
     isPublic: {
       type: DataTypes.INTEGER,
       allowNull: true,
-      defaultValue: 0,
+      defaultValue: 1,
     },
   },
   {

diff --git a/models/Category.js b/models/Category.js
@@ -20,7 +20,7 @@ const Category = sequelize.define(
     isPublic: {
       type: DataTypes.INTEGER,
       allowNull: true,
-      defaultValue: 0,
+      defaultValue: 1,
     },
   },
   {

diff --git a/routes/apps.js b/routes/apps.js
@@ -1,6 +1,7 @@
 const express = require('express');
 const router = express.Router();
 const upload = require('../middleware/multer');
+const auth = require('../middleware/auth');
 
 const {
   createApp,
@@ -11,10 +12,14 @@ const {
   reorderApps,
 } = require('../controllers/apps');
 
-router.route('/').post(upload, createApp).get(getAllApps);
+router.route('/').post(auth, upload, createApp).get(auth, getAllApps);
 
-router.route('/:id').get(getSingleApp).put(upload, updateApp).delete(deleteApp);
+router
+  .route('/:id')
+  .get(auth, getSingleApp)
+  .put(auth, upload, updateApp)
+  .delete(auth, deleteApp);
 
-router.route('/0/reorder').put(reorderApps);
+router.route('/0/reorder').put(auth, reorderApps);
 
 module.exports = router;
diff --git a/routes/auth.js b/routes/auth.js
@@ -1,9 +1,11 @@
 const express = require('express');
 const router = express.Router();
 
-const { login } = require('../controllers/auth');
+const { login, validate } = require('../controllers/auth');
 const requireBody = require('../middleware/requireBody');
 
 router.route('/').post(requireBody(['password', 'duration']), login);
 
+router.route('/validate').post(requireBody(['token']), validate);
+
 module.exports = router;