pangolin_mirror/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-02-24 13:56:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

added initial schema for resource sessions and auth types

Browse Source
This commit is contained in:
Milo Schwartz
2024-11-16 22:41:43 -05:00
parent b4442a3bf7
commit cc674c2b9c
8 changed files with 381 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
server/routers/badger/index.ts
View File

@@ -1 +1 @@
export * from "./verifyUser";
export * from "./verifySession";

153
server/routers/badger/verifySession.ts Normal file
View File

@@ -0,0 +1,153 @@
import HttpCode from "@server/types/HttpCode";
import { NextFunction, Request, Response } from "express";
import createHttpError from "http-errors";
import { z } from "zod";
import { fromError } from "zod-validation-error";
import { response } from "@server/utils/response";
import { validateSessionToken } from "@server/auth";
import db from "@server/db";
import {
resourcePassword,
resourcePincode,
resources,
} from "@server/db/schema";
import { eq } from "drizzle-orm";
import config from "@server/config";
import { validateResourceSessionToken } from "@server/auth/resource";
const verifyResourceSessionSchema = z.object({
cookies: z.object({
session: z.string().nullable(),
resource_session: z.string().nullable(),
}),
originalRequestURL: z.string().url(),
scheme: z.string(),
host: z.string(),
path: z.string(),
method: z.string(),
tls: z.boolean(),
});
export type VerifyResourceSessionSchema = z.infer<
typeof verifyResourceSessionSchema
>;
export type VerifyUserResponse = {
valid: boolean;
redirectUrl?: string;
};
export async function verifyResourceSession(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
const parsedBody = verifyResourceSessionSchema.safeParse(req.query);
if (!parsedBody.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedBody.error).toString()
)
);
}
try {
const { cookies, host, originalRequestURL } = parsedBody.data;
const [result] = await db
.select()
.from(resources)
.leftJoin(
resourcePincode,
eq(resourcePincode.resourceId, resources.resourceId)
)
.leftJoin(
resourcePassword,
eq(resourcePassword.resourceId, resources.resourceId)
)
.where(eq(resources.fullDomain, host))
.limit(1);
const resource = result?.resources;
const pincode = result?.resourcePincode;
const password = result?.resourcePassword;
// resource doesn't exist for some reason
if (!resource) {
return notAllowed(res); // no resource to redirect to
}
// no auth is configured; auth check is disabled
if (!resource.appSSOEnabled && !pincode && !password) {
return allowed(res);
}
const redirectUrl = `${config.app.base_url}/auth/resource/${resource.resourceId}/login?redirect=${originalRequestURL}`;
// we need to check all session to find at least one valid session
// if we find one, we allow access
// if we don't find any, we deny access and redirect to the login page
// we found a session token, and app sso is enabled, so we need to check if it's a valid session
if (cookies.session && resource.appSSOEnabled) {
const { user, session } = await validateSessionToken(
cookies.session
);
if (user && session) {
return allowed(res);
}
}
// we found a resource session token, and either pincode or password is enabled for the resource
// so we need to check if it's a valid session
if (cookies.resource_session && (pincode || password)) {
const { session, user } = await validateResourceSessionToken(
cookies.resource_session
);
if (session && user) {
if (pincode && session.method === "pincode") {
return allowed(res);
}
if (password && session.method === "password") {
return allowed(res);
}
}
}
// a valid session was not found for an enabled auth method so we deny access
// the user is redirected to the login page
// the login page with render which auth methods are enabled and show the user the correct login form
return notAllowed(res, redirectUrl);
} catch (e) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to verify session"
)
);
}
}
function notAllowed(res: Response, redirectUrl?: string) {
return response<VerifyUserResponse>(res, {
data: { valid: false, redirectUrl },
success: true,
error: false,
message: "Access denied",
status: HttpCode.OK,
});
}
function allowed(res: Response) {
return response<VerifyUserResponse>(res, {
data: { valid: true },
success: true,
error: false,
message: "Access allowed",
status: HttpCode.OK,
});
}

61
server/routers/badger/verifyUser.ts
View File

@@ -1,61 +0,0 @@
import HttpCode from "@server/types/HttpCode";
import { NextFunction, Request, Response } from "express";
import createHttpError from "http-errors";
import { z } from "zod";
import { fromError } from "zod-validation-error";
import { response } from "@server/utils/response";
import { validateSessionToken } from "@server/auth";
export const verifyUserBody = z.object({
sessionId: z.string(),
});
export type VerifyUserBody = z.infer<typeof verifyUserBody>;
export type VerifyUserResponse = {
valid: boolean;
};
export async function verifyUser(
req: Request,
res: Response,
next: NextFunction,
): Promise<any> {
const parsedBody = verifyUserBody.safeParse(req.query);
if (!parsedBody.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedBody.error).toString(),
),
);
}
const { sessionId } = parsedBody.data;
try {
const { session, user } = await validateSessionToken(sessionId);
if (!session || !user) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "Invalid session"),
);
}
return response<VerifyUserResponse>(res, {
data: { valid: true },
success: true,
error: false,
message: "Access allowed",
status: HttpCode.OK,
});
} catch (e) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to check user",
),
);
}
}

2
server/routers/internal.ts
View File

@@ -24,6 +24,6 @@ gerbilRouter.post("/receive-bandwidth", gerbil.receiveBandwidth);
const badgerRouter = Router();
internalRouter.use("/badger", badgerRouter);
badgerRouter.get("/verify-user", badger.verifyUser)
badgerRouter.get("/verify-session", badger.verifyResourceSession);
export default internalRouter;

9
server/routers/resource/createResource.ts
View File

@@ -18,11 +18,7 @@ import { fromError } from "zod-validation-error";
import { subdomainSchema } from "@server/schemas/subdomainSchema";
const createResourceParamsSchema = z.object({
siteId: z
.string()
.optional()
.transform(stoi)
.pipe(z.number().int().positive().optional()),
siteId: z.string().transform(stoi).pipe(z.number().int().positive()),
orgId: z.string(),
});
@@ -88,10 +84,13 @@ export async function createResource(
);
}
const fullDomain = `${subdomain}.${org[0].domain}`;
const newResource = await db
.insert(resources)
.values({
siteId,
fullDomain,
orgId,
name,
subdomain,

32
server/routers/resource/updateResource.ts
View File

@@ -1,8 +1,8 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db } from "@server/db";
import { resources, sites } from "@server/db/schema";
import { eq } from "drizzle-orm";
import { orgs, resources, sites } from "@server/db/schema";
import { eq, or } from "drizzle-orm";
import response from "@server/utils/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
@@ -55,9 +55,35 @@ export async function updateResource(
const { resourceId } = parsedParams.data;
const updateData = parsedBody.data;
const resource = await db
.select()
.from(resources)
.where(eq(resources.resourceId, resourceId))
.leftJoin(orgs, eq(resources.orgId, orgs.orgId));
if (resource.length === 0) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`Resource with ID ${resourceId} not found`
)
);
}
if (!resource[0].orgs?.domain) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Resource does not have a domain"
)
);
}
const fullDomain = `${updateData.subdomain}.${resource[0].orgs.domain}`;
const updatedResource = await db
.update(resources)
.set(updateData)
.set({ ...updateData, fullDomain })
.where(eq(resources.resourceId, resourceId))
.returning();