pangolin_mirror/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-02-20 11:56:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

add org policy check to verify session

Browse Source
This commit is contained in:
miloschwartz
2025-10-25 17:15:37 -07:00
parent 9ce81b34c9
commit 8973726f63
4 changed files with 113 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
server/private/lib/checkOrgAccessPolicy.ts
View File

@@ -95,6 +95,13 @@ export async function checkOrgAccessPolicy(
}
}
if (props.session.userId !== props.user.userId) {
return {
allowed: false,
error: "Session does not belong to the user"
};
}
// now check the policies
const policies: CheckOrgAccessPolicyResult["policies"] = {};

92
server/private/routers/hybrid.ts
View File

@@ -73,6 +73,8 @@ import { validateResourceSessionToken } from "@server/auth/sessions/resource";
import { checkExitNodeOrg, resolveExitNodes } from "#private/lib/exitNodes";
import { maxmindLookup } from "@server/db/maxmind";
import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
import { CheckOrgAccessPolicyResult } from "@server/lib/checkOrgAccessPolicy";
// Zod schemas for request validation
const getResourceByDomainParamsSchema = z
@@ -300,7 +302,8 @@ function loadEncryptData() {
return; // already loaded
}
encryptionKeyPath = privateConfig.getRawPrivateConfig().server.encryption_key_path;
encryptionKeyPath =
privateConfig.getRawPrivateConfig().server.encryption_key_path;
if (!fs.existsSync(encryptionKeyPath)) {
throw new Error(
@@ -1582,3 +1585,90 @@ hybridRouter.post(
}
}
);
const getOrgAccessPolicyParamsSchema = z
.object({
orgId: z.string().min(1),
userId: z.string().min(1)
})
.strict();
const getOrgAccessPolicyBodySchema = z
.object({
sessionId: z.string().min(1)
})
.strict();
hybridRouter.get(
"/org/:orgId/user/:userId/access",
async (req: Request, res: Response, next: NextFunction) => {
try {
const parsedParams = getOrgAccessPolicyParamsSchema.safeParse(
req.params
);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const parsedBody = getOrgAccessPolicyBodySchema.safeParse(req.body);
if (!parsedBody.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedBody.error).toString()
)
);
}
const { orgId, userId } = parsedParams.data;
const { sessionId } = parsedBody.data;
const remoteExitNode = req.remoteExitNode;
if (!remoteExitNode?.exitNodeId) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Remote exit node not found"
)
);
}
if (await checkExitNodeOrg(remoteExitNode.exitNodeId, orgId)) {
// If the exit node is not allowed for the org, return an error
return next(
createHttpError(
HttpCode.FORBIDDEN,
"Exit node not allowed for this organization"
)
);
}
const accessPolicy = await checkOrgAccessPolicy({
orgId,
userId,
sessionId
});
return response<CheckOrgAccessPolicyResult>(res, {
data: accessPolicy,
success: true,
error: false,
message: "Org access policy retrieved successfully",
status: HttpCode.OK
});
} catch (error) {
logger.error(error);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to get org login page"
)
);
}
}
);