Adding roles to user updates; adding auth restrictions to pw updates; moving limiting to middleware decl

stoopidJSON · stoopidJSON · commit 5c633011f932 · 2020-04-30T20:55:04.000-04:00
diff --git a/src/index.js b/src/index.js
@@ -32,6 +32,7 @@ app.use(cors());
 app.use(helmet());
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
+app.use(apiLimiter);
 
 // Custom middleware
 app.use(async (req, res, next) => {
@@ -43,14 +44,14 @@ app.use(async (req, res, next) => {
 });
 
 // Helper endpoints
-app.get('/', apiLimiter, (req, res) => {
+app.get('/', (req, res) => {
 	res.redirect('/api-docs/');
 });
-app.get('/help', apiLimiter, (req, res) => {
+app.get('/help', (req, res) => {
 	res.redirect('/api-docs/');
 })
 app.use('/api-docs', apiLimiter, swaggerUi.serve, swaggerUi.setup(swaggerDocument, swaggerOptions));
-app.use('/health', apiLimiter, (req, res) => {
+app.use('/health', (req, res) => {
 	res.status(200).json({
 		uptime: utils.formatTime(process.uptime()),
 		environment: process.env.NODE_ENV || 'n/a',
@@ -61,16 +62,16 @@ app.use('/health', apiLimiter, (req, res) => {
 
 // Routes
 Object.entries(routes).forEach(([key, value]) => {
-	app.use(`/${key}`, apiLimiter, value);
+	app.use(`/${key}`, value);
 });
 
 // Handle 404
-app.use(apiLimiter, (req, res) => {
+app.use((req, res) => {
 	return res.status(404).send("404: Not Found.");
 });
 
 // Handle 503
-app.use(apiLimiter, (error, req, res, next) => {
+app.use((error, req, res, next) => {
 	console.error(error);
 	return res.status(503).send("503: Service Unavailable");
 });
diff --git a/src/routes/user.js b/src/routes/user.js
@@ -183,9 +183,25 @@ router.put('/', utils.authMiddleware, async (req, res) => {
 				}
 			});
 			/** @todo add ability to change email */
+			
 
 			/** @todo when roles are added make sure only admin or relevant user can change password */
-			user.password = password;
+			const e = await utils.loadCasbin();
+			const roles = await e.getRolesForUser(req.context.me.email);
+
+			if (password) {
+				if (req.context.me.email === email || roles.includes('admin')) {
+					user.password = password;
+				}
+			}
+
+			/** @todo this is half-baked. Once updating users is available through the front-end this should be revisited. */
+			if (roles !== undefined) {
+				const e = await utils.loadCasbin();
+				for (const role of roles) {
+					await e.addRoleForUser(email.toLowerCase(), role);
+				}
+			}
 
 			user.displayName = (displayName) ? displayName : user.displayName;
 			user.phone = (phone) ? phone : user.phone;
diff --git a/src/utils/index.js b/src/utils/index.js
@@ -70,7 +70,7 @@ const validateToken = async (req) => {
  * @return {Boolean}
  */
 const validateRoles = async (req) => {
-	const e = await req.context.casbinEnforcer;
+	const e = await loadCasbin();
 	const { originalUrl: path, method } = req;
 
 	const isAllowed = await e.enforce(req.context.me.email, path, method);
@@ -84,15 +84,17 @@ const validateRoles = async (req) => {
  * @param {*} res the response object
  * @param {*} next the next handler in the chain
  */
-const authMiddleware = async (req, res, next) => {
+const authMiddleware = async (req, res, next) => { 
 	let authed = false;
 	
 	if (process.env.BYPASS_LOGIN) {
 		authed = process.env.BYPASS_LOGIN;
 	} else {
 		authed = await validateToken(req);
-		authed = await validateRoles(req);
-	}
+		if (authed) {
+			authed = await validateRoles(req);
+		}
+	} 
 
 	if (authed) {
 		next();
