Add verify middleware

2026-02-25 22:36:38 +00:00 · 2024-10-03 22:31:20 -04:00
parent e89ee4042a
commit a8f944fc78
17 changed files with 1230 additions and 40 deletions
--- a/server/routers/auth/getUserOrgs.ts
+++ b/server/routers/auth/getUserOrgs.ts
@@ -0,0 +1,33 @@
+import { Request, Response, NextFunction } from 'express';
+import { db } from '@server/db';
+import { userOrgs, orgs } from '@server/db/schema';
+import { eq } from 'drizzle-orm';
+import createHttpError from 'http-errors';
+import HttpCode from '@server/types/HttpCode';
+
+export async function getUserOrgs(req: Request, res: Response, next: NextFunction) {
+  const userId = req.user?.id; // Assuming you have user information in the request
+
+  if (!userId) {
+    return next(createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated'));
+  }
+
+  try {
+    const userOrganizations = await db.select({
+      orgId: userOrgs.orgId,
+      role: userOrgs.role,
+    })
+      .from(userOrgs)
+      .where(eq(userOrgs.userId, userId));
+
+    req.userOrgs = userOrganizations.map(org => org.orgId);
+    // req.userOrgRoles = userOrganizations.reduce((acc, org) => {
+    //   acc[org.orgId] = org.role;
+    //   return acc;
+    // }, {} as Record<number, string>);
+
+    next();
+  } catch (error) {
+    next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error retrieving user organizations'));
+  }
+}
--- a/server/routers/auth/index.ts
+++ b/server/routers/auth/index.ts
@@ -4,3 +4,8 @@ export * from "./logout";
 export * from "./verifyTotp";
 export * from "./requestTotpSecret";
 export * from "./disable2fa";
+export * from "./verifyOrgAccess";
+export * from "./getUserOrgs";
+export * from "./verifySiteAccess";
+export * from "./verifyResourceAccess";
+export * from "./verifyTargetAccess";
--- a/server/routers/auth/verifyOrgAccess.ts
+++ b/server/routers/auth/verifyOrgAccess.ts
@@ -0,0 +1,36 @@
+import { Request, Response, NextFunction } from 'express';
+import { db } from '@server/db';
+import { userOrgs } from '@server/db/schema';
+import { and, eq } from 'drizzle-orm';
+import createHttpError from 'http-errors';
+import HttpCode from '@server/types/HttpCode';
+import { AuthenticatedRequest } from '@server/types/Auth';
+
+export function verifyOrgAccess(req: Request, res: Response, next: NextFunction) {
+  const userId = req.user.id; // Assuming you have user information in the request
+  const orgId = parseInt(req.params.orgId);
+
+  if (!userId) {
+    return next(createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated'));
+  }
+
+  if (isNaN(orgId)) {
+    return next(createHttpError(HttpCode.BAD_REQUEST, 'Invalid organization ID'));
+  }
+
+  db.select()
+    .from(userOrgs)
+    .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
+    .then((result) => {
+      if (result.length === 0) {
+        next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
+      } else {
+        // User has access, attach the user's role to the request for potential future use
+        req.userOrgRole = result[0].role;
+        next();
+      }
+    })
+    .catch((error) => {
+      next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error verifying organization access'));
+    });
+}
--- a/server/routers/auth/verifyResourceAccess.ts
+++ b/server/routers/auth/verifyResourceAccess.ts
@@ -0,0 +1,54 @@
+import { Request, Response, NextFunction } from 'express';
+import { db } from '@server/db';
+import { resources, userOrgs } from '@server/db/schema';
+import { and, eq } from 'drizzle-orm';
+import createHttpError from 'http-errors';
+import HttpCode from '@server/types/HttpCode';
+
+export async function verifyResourceAccess(req: Request, res: Response, next: NextFunction) {
+  const userId = req.user!.id; // Assuming you have user information in the request
+  const resourceId = req.params.resourceId;
+
+  if (!userId) {
+    return next(createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated'));
+  }
+
+  const resource = await db.select()
+    .from(resources)
+    .where(eq(resources.resourceId, resourceId))
+    .limit(1);
+
+  if (resource.length === 0) {
+    return next(
+      createHttpError(
+        HttpCode.NOT_FOUND,
+        `resource with ID ${resourceId} not found`
+      )
+    );
+  }
+
+  if (!resource[0].orgId) {
+    return next(
+      createHttpError(
+        HttpCode.INTERNAL_SERVER_ERROR,
+        `resource with ID ${resourceId} does not have an organization ID`
+      )
+    );
+  }
+
+  db.select()
+    .from(userOrgs)
+    .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, resource[0].orgId)))
+    .then((result) => {
+      if (result.length === 0) {
+        next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
+      } else {
+        // User has access, attach the user's role to the request for potential future use
+        req.userOrgRole = result[0].role;
+        next();
+      }
+    })
+    .catch((error) => {
+      next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error verifying organization access'));
+    });
+}
--- a/server/routers/auth/verifySiteAccess.ts
+++ b/server/routers/auth/verifySiteAccess.ts
@@ -0,0 +1,58 @@
+import { Request, Response, NextFunction } from 'express';
+import { db } from '@server/db';
+import { sites, userOrgs } from '@server/db/schema';
+import { and, eq } from 'drizzle-orm';
+import createHttpError from 'http-errors';
+import HttpCode from '@server/types/HttpCode';
+
+export async function verifySiteAccess(req: Request, res: Response, next: NextFunction) {
+  const userId = req.user!.id; // Assuming you have user information in the request
+  const siteId = parseInt(req.params.siteId);
+
+  if (!userId) {
+    return next(createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated'));
+  }
+
+  if (isNaN(siteId)) {
+    return next(createHttpError(HttpCode.BAD_REQUEST, 'Invalid organization ID'));
+  }
+
+  const site = await db.select()
+    .from(sites)
+    .where(eq(sites.siteId, siteId))
+    .limit(1);
+
+  if (site.length === 0) {
+    return next(
+      createHttpError(
+        HttpCode.NOT_FOUND,
+        `Site with ID ${siteId} not found`
+      )
+    );
+  }
+
+  if (!site[0].orgId) {
+    return next(
+      createHttpError(
+        HttpCode.INTERNAL_SERVER_ERROR,
+        `Site with ID ${siteId} does not have an organization ID`
+      )
+    );
+  }
+
+  db.select()
+    .from(userOrgs)
+    .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, site[0].orgId)))
+    .then((result) => {
+      if (result.length === 0) {
+        next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
+      } else {
+        // User has access, attach the user's role to the request for potential future use
+        req.userOrgRole = result[0].role;
+        next();
+      }
+    })
+    .catch((error) => {
+      next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error verifying organization access'));
+    });
+}
--- a/server/routers/auth/verifyTargetAccess.ts
+++ b/server/routers/auth/verifyTargetAccess.ts
@@ -0,0 +1,83 @@
+import { Request, Response, NextFunction } from 'express';
+import { db } from '@server/db';
+import { resources, targets, userOrgs } from '@server/db/schema';
+import { and, eq } from 'drizzle-orm';
+import createHttpError from 'http-errors';
+import HttpCode from '@server/types/HttpCode';
+
+export async function verifyTargetAccess(req: Request, res: Response, next: NextFunction) {
+  const userId = req.user!.id; // Assuming you have user information in the request
+  const targetId = parseInt(req.params.targetId);
+
+  if (!userId) {
+    return next(createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated'));
+  }
+
+  if (isNaN(targetId)) {
+    return next(createHttpError(HttpCode.BAD_REQUEST, 'Invalid organization ID'));
+  }
+
+  const target = await db.select()
+    .from(targets)
+    .where(eq(targets.targetId, targetId))
+    .limit(1);
+
+  if (target.length === 0) {
+    return next(
+      createHttpError(
+        HttpCode.NOT_FOUND,
+        `target with ID ${targetId} not found`
+      )
+    );
+  }
+
+  const resourceId = target[0].resourceId;
+
+  if (resourceId) {
+    return next(
+      createHttpError(
+        HttpCode.INTERNAL_SERVER_ERROR,
+        `target with ID ${targetId} does not have a resource ID`
+      )
+    );
+  }
+
+  const resource = await db.select()
+    .from(resources)
+    .where(eq(resources.resourceId, resourceId!))
+    .limit(1);
+
+  if (resource.length === 0) {
+    return next(
+      createHttpError(
+        HttpCode.NOT_FOUND,
+        `resource with ID ${resourceId} not found`
+      )
+    );
+  }
+
+  if (!resource[0].orgId) {
+    return next(
+      createHttpError(
+        HttpCode.INTERNAL_SERVER_ERROR,
+        `resource with ID ${resourceId} does not have an organization ID`
+      )
+    );
+  }
+
+  db.select()
+    .from(userOrgs)
+    .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, resource[0].orgId)))
+    .then((result) => {
+      if (result.length === 0) {
+        next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
+      } else {
+        // User has access, attach the user's role to the request for potential future use
+        req.userOrgRole = result[0].role;
+        next();
+      }
+    })
+    .catch((error) => {
+      next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error verifying organization access'));
+    });
+}