pangolin_mirror/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-02-08 05:56:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

use niceId for client routes

Browse Source
This commit is contained in:
miloschwartz
2025-12-06 20:31:09 -05:00
parent 8a8c0edad3
commit d7e06161a8
22 changed files with 375 additions and 222 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
server/middlewares/verifyClientAccess.ts
View File

@@ -1,10 +1,11 @@
import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import { Client, db } from "@server/db";
import { userOrgs, clients, roleClients, userClients } from "@server/db";
import { and, eq } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
import logger from "@server/logger";
export async function verifyClientAccess(
req: Request,
@@ -12,33 +13,51 @@ export async function verifyClientAccess(
next: NextFunction
) {
const userId = req.user!.userId; // Assuming you have user information in the request
const clientId = parseInt(
req.params.clientId || req.body.clientId || req.query.clientId
);
if (!userId) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
);
}
if (isNaN(clientId)) {
return next(createHttpError(HttpCode.BAD_REQUEST, "Invalid client ID"));
}
const clientIdStr =
req.params?.clientId || req.body?.clientId || req.query?.clientId;
const niceId = req.params?.niceId || req.body?.niceId || req.query?.niceId;
const orgId = req.params?.orgId || req.body?.orgId || req.query?.orgId;
try {
// Get the client
const [client] = await db
.select()
.from(clients)
.where(eq(clients.clientId, clientId))
.limit(1);
if (!userId) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
);
}
let client: Client | null = null;
if (niceId && orgId) {
const [clientRes] = await db
.select()
.from(clients)
.where(
and(eq(clients.niceId, niceId), eq(clients.orgId, orgId))
)
.limit(1);
client = clientRes;
} else {
const clientId = parseInt(clientIdStr);
if (isNaN(clientId)) {
return next(
createHttpError(HttpCode.BAD_REQUEST, "Invalid client ID")
);
}
// Get the client
const [clientRes] = await db
.select()
.from(clients)
.where(eq(clients.clientId, clientId))
.limit(1);
client = clientRes;
}
if (!client) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`Client with ID ${clientId} not found`
`Client with ID ${niceId || clientIdStr} not found`
)
);
}
@@ -47,12 +66,12 @@ export async function verifyClientAccess(
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
`Client with ID ${clientId} does not have an organization ID`
`Client with ID ${niceId || clientIdStr} does not have an organization ID`
)
);
}
if (!req.userOrg) {
if (!req.userOrg || req.userOrg?.orgId !== client.orgId) {
// Get user's role ID in the organization
const userOrgRole = await db
.select()
@@ -104,7 +123,7 @@ export async function verifyClientAccess(
.from(roleClients)
.where(
and(
eq(roleClients.clientId, clientId),
eq(roleClients.clientId, client.clientId),
eq(roleClients.roleId, userOrgRoleId)
)
)
@@ -122,7 +141,7 @@ export async function verifyClientAccess(
.where(
and(
eq(userClients.userId, userId),
eq(userClients.clientId, clientId)
eq(userClients.clientId, client.clientId)
)
)
.limit(1);
@@ -140,6 +159,7 @@ export async function verifyClientAccess(
)
);
} catch (error) {
logger.error("Error verifying client access", error);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,

6
server/middlewares/verifyOrgAccess.ts
View File

@@ -27,6 +27,8 @@ export async function verifyOrgAccess(
);
}
logger.debug(`Verifying access for user ${userId} to organization ${orgId}`);
try {
if (!req.userOrg) {
const userOrgRes = await db
@@ -68,6 +70,10 @@ export async function verifyOrgAccess(
// User has access, attach the user's role to the request for potential future use
req.userOrgRoleId = req.userOrg.roleId;
req.userOrgId = orgId;
logger.debug(
`User ${userId} has access to organization ${orgId} with role ${req.userOrg.roleId}`
);
return next();
} catch (e) {
return next(

66
server/middlewares/verifyResourceAccess.ts
View File

@@ -1,5 +1,5 @@
import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import { db, Resource } from "@server/db";
import { resources, userOrgs, userResources, roleResources } from "@server/db";
import { and, eq } from "drizzle-orm";
import createHttpError from "http-errors";
@@ -12,36 +12,56 @@ export async function verifyResourceAccess(
next: NextFunction
) {
const userId = req.user!.userId;
const resourceId =
req.params.resourceId || req.body.resourceId || req.query.resourceId;
if (!userId) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
);
}
const resourceIdStr =
req.params?.resourceId || req.body?.resourceId || req.query?.resourceId;
const niceId = req.params?.niceId || req.body?.niceId || req.query?.niceId;
const orgId = req.params?.orgId || req.body?.orgId || req.query?.orgId;
try {
const resource = await db
.select()
.from(resources)
.where(eq(resources.resourceId, resourceId))
.limit(1);
if (!userId) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
);
}
if (resource.length === 0) {
let resource: Resource | null = null;
if (orgId && niceId) {
const [resourceRes] = await db
.select()
.from(resources)
.where(
and(
eq(resources.niceId, niceId),
eq(resources.orgId, orgId)
)
)
.limit(1);
resource = resourceRes;
} else {
const resourceId = parseInt(resourceIdStr);
const [resourceRes] = await db
.select()
.from(resources)
.where(eq(resources.resourceId, resourceId))
.limit(1);
resource = resourceRes;
}
if (!resource) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`Resource with ID ${resourceId} not found`
`Resource with ID ${resourceIdStr || niceId} not found`
)
);
}
if (!resource[0].orgId) {
if (!resource.orgId) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
`Resource with ID ${resourceId} does not have an organization ID`
`Resource with ID ${resourceIdStr || niceId} does not have an organization ID`
)
);
}
@@ -53,14 +73,14 @@ export async function verifyResourceAccess(
.where(
and(
eq(userOrgs.userId, userId),
eq(userOrgs.orgId, resource[0].orgId)
eq(userOrgs.orgId, resource.orgId)
)
)
.limit(1);
req.userOrg = userOrgRole[0];
}
if (!req.userOrg) {
if (!req.userOrg || req.userOrg?.orgId !== resource.orgId) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
@@ -89,14 +109,14 @@ export async function verifyResourceAccess(
const userOrgRoleId = req.userOrg.roleId;
req.userOrgRoleId = userOrgRoleId;
req.userOrgId = resource[0].orgId;
req.userOrgId = resource.orgId;
const roleResourceAccess = await db
.select()
.from(roleResources)
.where(
and(
eq(roleResources.resourceId, resourceId),
eq(roleResources.resourceId, resource.resourceId),
eq(roleResources.roleId, userOrgRoleId)
)
)
@@ -112,7 +132,7 @@ export async function verifyResourceAccess(
.where(
and(
eq(userResources.userId, userId),
eq(userResources.resourceId, resourceId)
eq(userResources.resourceId, resource.resourceId)
)
)
.limit(1);

71
server/middlewares/verifySiteAccess.ts
View File

@@ -1,10 +1,9 @@
import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import { sites, userOrgs, userSites, roleSites, roles } from "@server/db";
import { sites, Site, userOrgs, userSites, roleSites, roles } from "@server/db";
import { and, eq, or } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
import logger from "@server/logger";
import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
export async function verifySiteAccess(
@@ -13,9 +12,10 @@ export async function verifySiteAccess(
next: NextFunction
) {
const userId = req.user!.userId; // Assuming you have user information in the request
const siteId = parseInt(
req.params.siteId || req.body.siteId || req.query.siteId
);
const siteIdStr =
req.params?.siteId || req.body?.siteId || req.query?.siteId;
const niceId = req.params?.niceId || req.body?.niceId || req.query?.niceId;
const orgId = req.params?.orgId || req.body?.orgId || req.query?.orgId;
if (!userId) {
return next(
@@ -23,32 +23,49 @@ export async function verifySiteAccess(
);
}
if (isNaN(siteId)) {
return next(createHttpError(HttpCode.BAD_REQUEST, "Invalid site ID"));
}
try {
// Get the site
const site = await db
.select()
.from(sites)
.where(eq(sites.siteId, siteId))
.limit(1);
let site: Site | null = null;
if (site.length === 0) {
if (niceId && orgId) {
const [siteRes] = await db
.select()
.from(sites)
.where(and(eq(sites.niceId, niceId), eq(sites.orgId, orgId)))
.limit(1);
site = siteRes;
} else {
const siteId = parseInt(siteIdStr);
if (isNaN(siteId)) {
return next(
createHttpError(HttpCode.BAD_REQUEST, "Invalid site ID")
);
}
// Get the site
const [siteRes] = await db
.select()
.from(sites)
.where(eq(sites.siteId, siteId))
.limit(1);
site = siteRes;
}
if (!site) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`Site with ID ${siteId} not found`
`Site with ID ${siteIdStr || niceId} not found`
)
);
}
if (!site[0].orgId) {
if (!site.orgId) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
`Site with ID ${siteId} does not have an organization ID`
`Site with ID ${siteIdStr} does not have an organization ID`
)
);
}
@@ -59,16 +76,13 @@ export async function verifySiteAccess(
.select()
.from(userOrgs)
.where(
and(
eq(userOrgs.userId, userId),
eq(userOrgs.orgId, site[0].orgId)
)
and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId))
)
.limit(1);
req.userOrg = userOrgRole[0];
}
if (!req.userOrg) {
if (!req.userOrg || req.userOrg?.orgId !== site.orgId) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
@@ -97,7 +111,7 @@ export async function verifySiteAccess(
const userOrgRoleId = req.userOrg.roleId;
req.userOrgRoleId = userOrgRoleId;
req.userOrgId = site[0].orgId;
req.userOrgId = site.orgId;
// Check role-based site access first
const roleSiteAccess = await db
@@ -105,7 +119,7 @@ export async function verifySiteAccess(
.from(roleSites)
.where(
and(
eq(roleSites.siteId, siteId),
eq(roleSites.siteId, site.siteId),
eq(roleSites.roleId, userOrgRoleId)
)
)
@@ -121,7 +135,10 @@ export async function verifySiteAccess(
.select()
.from(userSites)
.where(
and(eq(userSites.userId, userId), eq(userSites.siteId, siteId))
and(
eq(userSites.userId, userId),
eq(userSites.siteId, site.siteId)
)
)
.limit(1);