Impelemented stats api auth via token or the usual auth (jwt with get for runners, teams and orgs).

ref #56
2020-12-30 14:19:54 +01:00
parent b5f9cf201d
commit 43e256f38c
1 changed files with 34 additions and 10 deletions
--- a/src/middlewares/StatsAuth.ts
+++ b/src/middlewares/StatsAuth.ts
@@ -2,6 +2,7 @@ import * as argon2 from "argon2";
 import { Request, Response } from 'express';
 import { getConnectionManager } from 'typeorm';
 import { StatsClient } from '../models/entities/StatsClient';
+import authchecker from './authchecker';

 /**
 * This middleware handels the authentification of stats client api tokens.
@@ -17,25 +18,48 @@ const StatsAuth = async (req: Request, res: Response, next: () => void) => {
        return;
    }

-    let prefix = "";
    try {
        provided_token = provided_token.replace("Bearer ", "");
-        prefix = provided_token.split(".")[0];
    } catch (error) {
-        res.status(401).send("Api token non-existant or invalid syntax.");
+        res.status(401).send("No valid jwt or api token provided.");
        return;
    }

+    let prefix = "";
+    try {
+        prefix = provided_token.split(".")[0];
+    }
+    finally {
+        if (prefix == "" || prefix == undefined || prefix == null) {
+            res.status(401).send("Api token non-existant or invalid syntax.");
+            return;
+        }
+    }
+
    const client = await getConnectionManager().get().getRepository(StatsClient).findOne({ prefix: prefix });
    if (!client) {
-        res.status(401).send("Api token non-existant or invalid syntax.");
-        return;
-    }
-    if (!(await argon2.verify(client.key, provided_token))) {
-        res.status(401).send("Api token invalid.");
-        return;
+        let user_authorized = false;
+        try {
+            let action = { request: req, response: res, context: null, next: next }
+            user_authorized = await authchecker(action, ["RUNNER:GET", "TEAM:GET", "ORGANISATION:GET"]);
+        }
+        finally {
+            if (user_authorized == false) {
+                res.status(401).send("Api token non-existant or invalid syntax.");
+                return;
+            }
+            else {
+                next();
+            }
+        }
    }
+    else {
+        if (!(await argon2.verify(client.key, provided_token))) {
+            res.status(401).send("Api token invalid.");
+            return;
+        }

-    next();
+        next();
+    }
 }
 export default StatsAuth;