Permissions authorization middleware.

2026-02-18 13:50:31 +00:00 · 2019-09-16 01:08:19 +02:00
parent ed4d37c8fb
commit de905d7e7c
23 changed files with 318 additions and 51 deletions
--- a/server/src/http/controllers/AccountOpeningBalance.js
+++ b/server/src/http/controllers/AccountOpeningBalance.js
@@ -1,9 +1,10 @@
 import express from 'express';
 import { check, validationResult, oneOf } from 'express-validator';
 import { difference } from 'lodash';
+import knex from 'knex';
 import asyncMiddleware from '../middleware/asyncMiddleware';
 import Account from '@/models/Account';
-// import AccountBalance from '@/models/AccountBalance';
+import '@/models/AccountBalance';

 export default {
  /**
@@ -35,6 +36,7 @@ export default {
    ],
    async handler(req, res) {
      const validationErrors = validationResult(req);
+      // const defaultCurrency = 'USD';

      if (!validationErrors.isEmpty()) {
        return res.boom.badData(null, {
@@ -48,11 +50,12 @@ export default {
      const accountsCollection = await Account.query((query) => {
        query.select(['id']);
        query.whereIn('id', accountsIds);
-      }).fetchAll();
+      }).fetchAll({
+        withRelated: ['balances'],
+      });

      const accountsStoredIds = accountsCollection.map((account) => account.attributes.id);
      const notFoundAccountsIds = difference(accountsIds, accountsStoredIds);
-
      const errorReasons = [];

      if (notFoundAccountsIds.length > 0) {
@@ -64,6 +67,29 @@ export default {
        return res.boom.badData(null, { errors: errorReasons });
      }

+      const storedAccountsBalances = accountsCollection.related('balances');
+
+      const submitBalancesMap = new Map(accounts.map((account) => [account, account.id]));
+      const storedBalancesMap = new Map(storedAccountsBalances.map((balance) => [
+        balance.attributes, balance.attributes.id,
+      ]));
+
+      // const updatedStoredBalanced = [];
+      const notStoredBalances = [];
+
+      accountsIds.forEach((id) => {
+        if (!storedBalancesMap.get(id)) {
+          notStoredBalances.push(id);
+        }
+      });
+
+      await knex('accounts_balances').insert([
+        ...notStoredBalances.map((id) => {
+          const account = submitBalancesMap.get(id);
+          return { ...account };
+        }),
+      ]);
+
      return res.status(200).send();
    },
  },
--- a/server/src/http/controllers/Accounts.js
+++ b/server/src/http/controllers/Accounts.js
@@ -152,7 +152,6 @@ export default {
      if (!account) {
        return res.boom.notFound();
      }
-
      return res.status(200).send({ item: { ...account.attributes } });
    },
  },
--- a/server/src/http/controllers/Authentication.js
+++ b/server/src/http/controllers/Authentication.js
@@ -4,6 +4,7 @@ import { check, validationResult } from 'express-validator';
 import path from 'path';
 import fs from 'fs';
 import Mustache from 'mustache';
+import jwt from 'jsonwebtoken';
 import User from '@/models/User';
 import asyncMiddleware from '../middleware/asyncMiddleware';
 import PasswordReset from '@/models/PasswordReset';
@@ -49,6 +50,7 @@ export default {
        });
      }
      const { crediential, password } = req.body;
+      const { JWT_SECRET_KEY } = process.env;

      const user = await User.query({
        where: { email: crediential },
@@ -70,8 +72,15 @@ export default {
          errors: [{ type: 'USER_INACTIVE', code: 120 }],
        });
      }
-      user.save({ alst_login_at: new Date() });
-      return res.status(200).send({});
+      user.save({ last_login_at: new Date() });
+
+      const token = jwt.sign({
+        email: user.attributes.email,
+        _id: user.id,
+      }, JWT_SECRET_KEY, {
+        expiresIn: '1d',
+      });
+      return res.status(200).send({ token });
    },
  },

--- a/server/src/http/controllers/ItemCategories.js
+++ b/server/src/http/controllers/ItemCategories.js
@@ -2,7 +2,8 @@ import express from 'express';
 import { check, param, validationResult } from 'express-validator';
 import asyncMiddleware from '../middleware/asyncMiddleware';
 import ItemCategory from '@/models/ItemCategory';
-// import JWTAuth from '@/http/middleware/jwtAuth';
+import Authorization from '@/http/middleware/authorization';
+import JWTAuth from '@/http/middleware/jwtAuth';

 export default {
  /**
@@ -10,24 +11,32 @@ export default {
   */
  router() {
    const router = express.Router();
+    const permit = Authorization('items_categories');
+
+    router.use(JWTAuth);

    router.post('/:id',
+      permit('create', 'edit'),
      this.editCategory.validation,
      asyncMiddleware(this.editCategory.handler));

    router.post('/',
+      permit('create'),
      this.newCategory.validation,
      asyncMiddleware(this.newCategory.handler));

    router.delete('/:id',
+      permit('create', 'edit', 'delete'),
      this.deleteItem.validation,
      asyncMiddleware(this.deleteItem.handler));

-    // router.get('/:id',
-    //   this.getCategory.validation,
-    //   asyncMiddleware(this.getCategory.handler));
+    router.get('/:id',
+      permit('view'),
+      this.getCategory.validation,
+      asyncMiddleware(this.getCategory.handler));

    router.get('/',
+      permit('view'),
      this.getList.validation,
      asyncMiddleware(this.getList.validation));

@@ -152,6 +161,9 @@ export default {
    },
  },

+  /**
+   * Retrieve details of the given category.
+   */
  getCategory: {
    validation: [
      param('category_id').toInt(),
--- a/server/src/http/controllers/Items.js
+++ b/server/src/http/controllers/Items.js
@@ -1,21 +1,30 @@
 import express from 'express';
 import { check, validationResult } from 'express-validator';
 import moment from 'moment';
-import asyncMiddleware from '../middleware/asyncMiddleware';
+import { difference } from 'lodash';
+import asyncMiddleware from '@/http/middleware/asyncMiddleware';
+import jwtAuth from '@/http/middleware/jwtAuth';
 import Item from '@/models/Item';
 import Account from '@/models/Account';
 import ItemCategory from '@/models/ItemCategory';
+import Resource from '@/models/Resource';
+import ResourceField from '@/models/ResourceField';
+import Authorization from '@/http/middleware/authorization';

 export default {

  router() {
    const router = express.Router();
+    const permit = Authorization('items');
+
+    router.use(jwtAuth);

    // router.post('/:id',
    //   this.editItem.validation,
    //   asyncMiddleware(this.editCategory.handler));

    router.post('/',
+      permit('create'),
      this.newItem.validation,
      asyncMiddleware(this.newItem.handler));

@@ -46,6 +55,11 @@ export default {
      check('cost_account_id').exists().isInt(),
      check('sell_account_id').exists().isInt(),
      check('category_id').optional().isInt(),
+
+      check('custom_fields').isArray({ min: 1 }),
+      check('custom_fields.*.key').exists().isNumeric().toInt(),
+      check('custom_fields.*.value').exists(),
+
      check('note').optional(),
    ],
    async handler(req, res) {
@@ -58,19 +72,38 @@ export default {
      }

      const { sell_account_id: sellAccountId, cost_account_id: costAccountId } = req.body;
-      const { category_id: categoryId } = req.body;
+      const { category_id: categoryId, custom_fields: customFields } = req.body;
+      const errorReasons = [];

      const costAccountPromise = Account.where('id', costAccountId).fetch();
      const sellAccountPromise = Account.where('id', sellAccountId).fetch();
      const itemCategoryPromise = (categoryId)
        ? ItemCategory.where('id', categoryId).fetch() : null;

+      // Validate the custom fields key and value type.
+      if (customFields.length > 0) {
+        const customFieldsKeys = customFields.map((field) => field.key);
+
+        // Get resource id than get all resource fields.
+        const resource = await Resource.where('name', 'items').fetch();
+        const fields = await ResourceField.query((query) => {
+          query.where('resource_id', resource.id);
+          query.whereIn('key', customFieldsKeys);
+        }).fetchAll();
+
+        const storedFieldsKey = fields.map((f) => f.attributes.key);
+
+        // Get all not defined resource fields.
+        const notFoundFields = difference(customFieldsKeys, storedFieldsKey);
+
+        if (notFoundFields.length > 0) {
+          errorReasons.push({ type: 'FIELD_KEY_NOT_FOUND', code: 150, fields: notFoundFields });
+        }
+      }
+
      const [costAccount, sellAccount, itemCategory] = await Promise.all([
        costAccountPromise, sellAccountPromise, itemCategoryPromise,
      ]);
-
-      const errorReasons = [];
-
      if (!costAccount) {
        errorReasons.push({ type: 'COST_ACCOUNT_NOT_FOUND', code: 100 });
      }
@@ -92,7 +125,6 @@ export default {
        currency_code: req.body.currency_code,
        note: req.body.note,
      });
-
      await item.save();

      return res.status(200).send();
--- a/server/src/http/controllers/Users.js
+++ b/server/src/http/controllers/Users.js
@@ -2,6 +2,8 @@ import express from 'express';
 import { check, validationResult } from 'express-validator';
 import User from '@/models/User';
 import asyncMiddleware from '@/http/middleware/asyncMiddleware';
+import jwtAuth from '@/http/middleware/jwtAuth';
+import Authorization from '@/http/middleware/authorization';

 export default {

@@ -10,24 +12,32 @@ export default {
   */
  router() {
    const router = express.Router();
+    const permit = Authorization('users');
+
+    router.use(jwtAuth);

    router.post('/',
+      permit('create'),
      this.newUser.validation,
      asyncMiddleware(this.newUser.handler));

    router.post('/:id',
+      permit('create', 'edit'),
      this.editUser.validation,
      asyncMiddleware(this.editUser.handler));

-    // router.get('/',
-    //   this.listUsers.validation,
-    //   asyncMiddleware(this.listUsers.handler));
+    router.get('/',
+      permit('view'),
+      this.listUsers.validation,
+      asyncMiddleware(this.listUsers.handler));

-    // router.get('/:id',
-    //   this.getUser.validation,
-    //   asyncMiddleware(this.getUser.handler));
+    router.get('/:id',
+      permit('view'),
+      this.getUser.validation,
+      asyncMiddleware(this.getUser.handler));

    router.delete('/:id',
+      permit('create', 'edit', 'delete'),
      this.deleteUser.validation,
      asyncMiddleware(this.deleteUser.handler));

--- a/server/src/http/middleware/authorization.js
+++ b/server/src/http/middleware/authorization.js
@@ -1,4 +1,16 @@
-
-const authorization = (req, res, next) => {
+/* eslint-disable consistent-return */
+const authorization = (resourceName) => (...permissions) => (req, res, next) => {
  const { user } = req;
-};
+  const onError = () => {
+    res.boom.unauthorized();
+  };
+  user.hasPermissions(resourceName, permissions)
+    .then((authorized) => {
+      if (!authorized) {
+        return onError();
+      }
+      next();
+    }).catch(onError);
+};
+
+export default authorization;
--- a/server/src/http/middleware/jwtAuth.js
+++ b/server/src/http/middleware/jwtAuth.js
@@ -1,23 +1,23 @@
 /* eslint-disable consistent-return */
 import jwt from 'jsonwebtoken';
 import User from '@/models/User';
-import Auth from '@/models/Auth';
+// import Auth from '@/models/Auth';

 const authMiddleware = (req, res, next) => {
+  const { JWT_SECRET_KEY } = process.env;
  const token = req.headers['x-access-token'] || req.query.token;

  const onError = () => {
-    Auth.loggedOut();
+    // Auth.loggedOut();
    res.status(401).send({
      success: false,
      message: 'unauthorized',
    });
-  }
+  };

  if (!token) {
    return onError();
  }
-  const { JWT_SECRET_KEY } = process.env;

  const verify = new Promise((resolve, reject) => {
    jwt.verify(token, JWT_SECRET_KEY, async (error, decoded) => {
@@ -26,7 +26,7 @@ const authMiddleware = (req, res, next) => {
      } else {
        // eslint-disable-next-line no-underscore-dangle
        req.user = await User.where('id', decoded._id).fetch();
-        Auth.setAuthenticatedUser(req.user);
+        // Auth.setAuthenticatedUser(req.user);

        if (!req.user) {
          return onError();