
Commit 034f575

bobbylemmFrantz Kati
authored and
Frantz Kati
committed
fix(rest): fix permissions being registered on user custom routes
When a route is registered by a user, that route should not be automatically authorized
1 parent 029e724 commit 034f575


20 files changed

+237
-77
lines changed


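--- a/examples/blog/app.js
+++ b/examples/blog/app.js
@@ -2,7 +2,7 @@ require('dotenv').config()
 const { auth } = require('@tensei/auth')
 const { rest } = require('@tensei/rest')
 const { graphql } = require('@tensei/graphql')
-const { tensei, plugin } = require('@tensei/core')
+const { tensei, plugin, route } = require('@tensei/core')
 
 const Tag = require('./resources/Tag')
 const Post = require('./resources/Post')
@@ -14,6 +14,16 @@ module.exports = tensei()
 .resources([Tag, Post, User, Comment])
 .clientUrl('https://google.com')
 .defaultStorageDriver('local')
+.routes([
+route('Get products')
+.get()
+.path('/products')
+.handle((req, res) =>
+res.formatter.ok({
+name: 'Product 1',
+})
+),
+])
 .plugins([
 auth()
 .user('Customer')
@@ -61,14 +71,14 @@ module.exports = tensei()
 }),
 ])
 .databaseConfig({
-// type: 'mysql',
-// dbName: 'mikrotensei',
+type: 'mysql',
+dbName: 'mikrotensei',
 // debug: true,
 // user: 'mikrotensei',
 // password: 'password',
 
-type: 'sqlite',
-dbName: 'mikrotensei',
+// type: 'sqlite',
+// dbName: 'mikrotensei',
 
 // type: 'postgresql',
 // // debug: true,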
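Review bot: The new `/products` route at lines 17-26 is registered without `.authorize()` and without a resource, so nothing in the auth plugin touches it and it is served to any caller; that is the behaviour this commit intends for user routes, but since the example is what readers copy, a one-line comment such as `// custom routes are not permission-checked; add .authorize() to restrict them` above `.routes([` would make it explicit. The switch of `databaseConfig` from sqlite to mysql in the third hunk is unrelated to the permissions fix and would be easier to review in its own commit.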

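--- a/packages/auth/src/index.ts
+++ b/packages/auth/src/index.ts
@@ -570,13 +570,17 @@ class Auth {
 async ({ graphQlQueries, routes, apiPath }) => {
 graphQlQueries.forEach(query => {
 if (query.config.resource) {
-const { path } = query.config
+const { path, internal } = query.config
 const {
 snakeCaseNamePlural: plural,
 snakeCaseName: singular,
 slug
 } = query.config.resource.data
 
+if (!internal) {
+return
+}
+
 if (
 [
 `insert_${plural}`,
@@ -626,13 +630,19 @@ class Auth {
 
 routes.forEach(route => {
 if (route.config.resource) {
-const { resource, path, type } = route.config
+const {
+resource,
+path,
+type,
+internal
+} = route.config
 
 const { slugSingular, slugPlural } = resource.data
 
 if (
 path === `/${apiPath}/${slugPlural}` &&
-type === 'POST'
+type === 'POST' &&
+internal
 ) {
 return route.authorize(({ user }) =>
 user.permissions!.includes(
@@ -643,7 +653,8 @@ class Auth {
 
 if (
 path === `/${apiPath}/${slugPlural}` &&
-type === 'GET'
+type === 'GET' &&
+internal
 ) {
 return route.authorize(({ user }) =>
 user.permissions!.includes(
@@ -654,7 +665,8 @@ class Auth {
 
 if (
 path === `/${apiPath}/${slugPlural}/:id` &&
-type === 'GET'
+type === 'GET' &&
+internal
 ) {
 return route.authorize(({ user }) =>
 user.permissions!.includes(
@@ -668,7 +680,8 @@ class Auth {
 `/${apiPath}/${slugPlural}/:id`,
 `/${apiPath}/${slugPlural}`
 ].includes(path) &&
-['PUT', 'PATCH'].includes(type)
+['PUT', 'PATCH'].includes(type) &&
+internal
 ) {
 return route.authorize(({ user }) =>
 user.permissions!.includes(
@@ -682,7 +695,8 @@ class Auth {
 `/${apiPath}/${slugPlural}/:id`,
 `/${apiPath}/${slugPlural}`
 ].includes(path) &&
-type === 'DELETE'
+type === 'DELETE' &&
+internal
 ) {
 return route.authorize(({ user }) =>
 user.permissions!.includes(
@@ -694,9 +708,6 @@ class Auth {
 
 route.middleware([
 async (request, response, next) => {
-// @ts-ignore
-request.req = request
-
 await this.getAuthUserFromContext(
 request as any
 )
@@ -730,8 +741,6 @@ class Auth {
 next()
 }
 ])
-
-route.authorize(() => false)
 })
 }
 )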
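Review bot: Removing `route.authorize(() => false)` (old line 734, last hunk) drops the default-deny that previously applied to every resource-bound route matching none of the CRUD patterns above, so such routes now run with only the user-loading middleware and no authorization; for internal routes that is a fail-open change the commit message does not mention. The narrower fix keeps the fallback for framework routes only, `if (internal) { route.authorize(() => false) }`, which preserves the old behaviour for anything the framework generates while leaving user routes untouched as intended. The `routes.forEach` branch also has no `if (!internal) return` counterpart to the one added in the `graphQlQueries` loop, so user routes still receive the auth middleware, which may be intended but deserves a comment. The generated REST routes live in packages/rest, outside this view; if they do not call `.internal()`, every permission check in this file is skipped for them, so that should be confirmed in the same commit. The enclosing plugin callback starts and ends outside these hunks.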

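--- a/packages/common/src/api/GraphQlQuery.ts
+++ b/packages/common/src/api/GraphQlQuery.ts
@@ -10,6 +10,7 @@ export class GraphQlQuery implements GraphQlQueryContract {
 public config: GraphQlQueryConfig = {
 path: '',
 name: '',
+internal: false,
 type: 'QUERY',
 snakeCaseName: '',
 paramCaseName: '',
@@ -62,6 +63,12 @@ export class GraphQlQuery implements GraphQlQueryContract {
 
 return this
 }
+
+internal() {
+this.config.internal = true
+
+return this
+}
 }
 
 export const graphQlQuery = (name?: string) => new GraphQlQuery(name)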
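Review bot: The new `internal()` method carries no documentation, yet as the auth plugin hunks in this commit show it is the switch that decides whether resource permission checks apply to this query, and the same undocumented method is added to Route.ts and to both contracts in config.d.ts. A TSDoc comment on each would make the contract explicit, e.g. `/** Marks this endpoint as framework-generated so the auth plugin applies resource permission checks to it; user-defined endpoints leave this unset. */`. The flag is one-way (nothing clears it), which is fine for a marker but worth stating in that comment.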

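--- a/packages/common/src/api/Route.ts
+++ b/packages/common/src/api/Route.ts
@@ -12,6 +12,7 @@ export class Route implements RouteContract {
 path: '',
 name: '',
 type: 'GET',
+internal: false,
 middleware: [],
 snakeCaseName: '',
 paramCaseName: '',
@@ -88,6 +89,12 @@ export class Route implements RouteContract {
 
 return this
 }
+
+internal() {
+this.config.internal = true
+
+return this
+}
 }
 
 export const route = (name?: string) => new Route(name)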

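--- a/packages/common/typings/config.d.ts
+++ b/packages/common/typings/config.d.ts
@@ -32,6 +32,7 @@ declare module '@tensei/common/config' {
 put(): this
 patch(): this
 delete(): this
+internal(): this
 resource(resource: ResourceContract): this
 middleware(middleware: RequestHandler[]): this
 resource(resource: ResourceContract): this
@@ -44,6 +45,7 @@ declare module '@tensei/common/config' {
 path(path: string): this
 query(): this
 mutation(): this
+internal(): this
 resource(resource: ResourceContract): this
 authorize(authorize: AuthorizeFunction): this
 handle(handler: GraphQlQueryConfig['handler']): this
@@ -52,6 +54,7 @@ declare module '@tensei/common/config' {
 interface RouteConfig {
 path: string
 name: string
+internal: boolean
 type: EndpointTypes
 snakeCaseName: string
 paramCaseName: string
@@ -68,6 +71,7 @@ declare module '@tensei/common/config' {
 > {
 path: string
 name: string
+internal: boolean
 snakeCaseName: string
 paramCaseName: string
 resource?: ResourceContract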

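--- a/packages/core/Tensei.ts
+++ b/packages/core/Tensei.ts
@@ -212,8 +212,9 @@ export class Tensei implements TenseiContract {
 
 this.app.listen(port, () => {
 this.ctx.logger.success(
-`🚀 Access your server on ${this.ctx.serverUrl ||
-`http://127.0.0.1:${port}`}`
+`🚀 Access your server on ${
+this.ctx.serverUrl || `http://127.0.0.1:${port}`
+}`
 )
 })
 }
@@ -587,9 +588,7 @@ export class Tensei implements TenseiContract {
 }
 
 public mail(driverName: SupportedDrivers, mailConfig = {}) {
-this.ctx.mailer = mail()
-.connection(driverName)
-.config(mailConfig)
+this.ctx.mailer = mail().connection(driverName).config(mailConfig)
 
 return this
 }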

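--- a/packages/core/database/index.ts
+++ b/packages/core/database/index.ts
@@ -126,7 +126,7 @@ class Database {
 }
 
 private generateEntityClass(resource: ResourceContract) {
-const entityClass = function() {}
+const entityClass = function () {}
 
 Object.defineProperty(entityClass, 'name', {
 value: resource.data.pascalCaseName,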

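--- a/packages/express-session-mikro-orm/src/index.ts
+++ b/packages/express-session-mikro-orm/src/index.ts
@@ -49,10 +49,7 @@ const StoreFactory = (Store: any) => {
 this.options.tableName,
 (table: any) => {
 table.string('session_id').primary()
-table
-.datetime('expires')
-.nullable()
-.index()
+table.datetime('expires').nullable().index()
 table.text('data').notNullable()
 }
 )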

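--- a/packages/graphql/src/index.ts
+++ b/packages/graphql/src/index.ts
@@ -818,6 +818,7 @@ input id_where_query {
 graphQlQuery(`Fetch ${resource.data.snakeCaseNamePlural}`)
 .path(resource.data.snakeCaseNamePlural)
 .query()
+.internal()
 .resource(resource)
 .handle(async (_, args, ctx, info) => {
 const data: any[] = await ctx.manager.find(
@@ -841,6 +842,7 @@ input id_where_query {
 graphQlQuery(`Fetch single ${resource.data.snakeCaseName}`)
 .path(resource.data.snakeCaseName)
 .query()
+.internal()
 .resource(resource)
 .handle(async (_, args, ctx, info) => {
 const data: any = await ctx.manager.findOneOrFail(
@@ -865,6 +867,7 @@ input id_where_query {
 graphQlQuery(`Insert single ${resource.data.snakeCaseName}`)
 .path(`insert_${resource.data.snakeCaseName}`)
 .mutation()
+.internal()
 .resource(resource)
 .handle(async (_, args, ctx, info) => {
 const data = ctx.manager.create(
@@ -891,6 +894,7 @@ input id_where_query {
 )
 .path(`insert_${resource.data.snakeCaseNamePlural}`)
 .mutation()
+.internal()
 .resource(resource)
 .handle(async (_, args, ctx, info) => {
 const data: any[] = args.objects.map((object: any) =>
@@ -919,6 +923,7 @@ input id_where_query {
 graphQlQuery(`Update single ${resource.data.snakeCaseName}`)
 .path(`update_${resource.data.snakeCaseName}`)
 .mutation()
+.internal()
 .resource(resource)
 .handle(async (_, args, ctx, info) => {
 const data: any = await ctx.manager
@@ -946,6 +951,7 @@ input id_where_query {
 )
 .path(`update_${resource.data.snakeCaseNamePlural}`)
 .mutation()
+.internal()
 .resource(resource)
 .handle(async (_, args, ctx, info) => {
 const data = await ctx.manager.find(
@@ -972,6 +978,7 @@ input id_where_query {
 graphQlQuery(`Delete single ${resource.data.snakeCaseName}`)
 .path(`delete_${resource.data.snakeCaseName}`)
 .mutation()
+.internal()
 .resource(resource)
 .handle(async (_, args, ctx, info) => {
 const data: any = await ctx.manager
@@ -997,6 +1004,7 @@ input id_where_query {
 )
 .path(`delete_${resource.data.snakeCaseNamePlural}`)
 .mutation()
+.internal()
 .resource(resource)
 .handle(async (_, args, ctx, info) => {
 const data = await ctx.manager.find(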
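Review bot: Permission enforcement for each generated query now hinges on every builder chain remembering to call `.internal()`, and a future generated query that omits it is silently skipped by the auth plugin's new `if (!internal) return` rather than failing closed. A small local helper such as `const internalQuery = (name: string) => graphQlQuery(name).internal()` used in all eight chains would keep the marker in one place and make an omission visible in review. The enclosing function that builds these queries starts and ends outside the hunks.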

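--- a/packages/rest/package.json
+++ b/packages/rest/package.json
@@ -21,7 +21,8 @@
 },
 "dependencies": {
 "@tensei/common": "^0.2.3",
-"express-response-formatter": "^2.0.2"
+"express-response-formatter": "^2.0.2",
+"qs": "^6.9.4"
 },
 "publishConfig": {
 "access": "public"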
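Review bot: `qs` is added as a runtime dependency but the code that consumes it is not among the files in this view, so how it is configured cannot be checked here; if it parses query strings from incoming requests, the call site should pass explicit `depth` and `parameterLimit` bounds and leave `allowPrototypes` at its default of false rather than rely on implicit settings, since that input is caller-controlled. The caret range `^6.9.4` resolves to whatever 6.x the lockfile records, so the lockfile update belongs in the same commit.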
