Merge pull request #5921 from FlowFuse/device-access-to-ff-tables

Allow Devices to get FF Tables creds

Author: Steve-Mcl

forge/ee/routes/tables/index.js

@@ -41,6 +41,11 @@ module.exports = async function (app) {
                 if (project.Team.hashid !== request.team.hashid) {
                     return reply.status(401).send({ code: 'unauthorized', error: 'unauthorized' })
                 }
+            } else if (request.session.ownerType === 'device') {
+                const device = await app.db.models.Device.byId(parseInt(request.session.ownerId))
+                if (!device || device.Team.hashid !== request.team.hashid) {
+                    return reply.status(401).send({ code: 'unauthorized', error: 'unauthorized' })
+                }
             } else {
                 await app.needsPermission('team:database:list')(request, reply, done)
             }

test/unit/forge/ee/routes/tables/index_spec.js

@@ -32,6 +32,10 @@ describe('Tables API', function () {
         TestObjects.team = app.team
         TestObjects.application = app.application
         TestObjects.instance = app.instance
+        TestObjects.device = await app.factory.createDevice({
+            name: 'device1',
+            mode: 'developer'
+        }, app.team, app.instance)
 
         TestObjects.alice = await app.db.models.User.byUsername('alice')
         await login('alice', 'aaPassword')
@@ -121,6 +125,38 @@ describe('Tables API', function () {
         dbs[0].should.have.property('name', TestObjects.team.hashid)
     })
 
+    it('Get Team database list as Instance', async function () {
+        const projectTokens = await app.instance.refreshAuthTokens()
+        const response = await app.inject({
+            method: 'GET',
+            url: `/api/v1/teams/${TestObjects.team.hashid}/databases`,
+            headers: {
+                Authorization: `Bearer ${projectTokens.token}`
+            }
+        })
+        response.statusCode.should.equal(200)
+        const dbs = response.json()
+        dbs.should.be.an.Array().and.have.length(1)
+        dbs[0].should.have.property('id')
+        dbs[0].should.have.property('name', TestObjects.team.hashid)
+    })
+
+    it('Get Team database list as Device', async function () {
+        const deviceToken = await app.db.controllers.AccessToken.createTokenForDevice(TestObjects.device)
+        const response = await app.inject({
+            method: 'GET',
+            url: `/api/v1/teams/${TestObjects.team.hashid}/databases`,
+            headers: {
+                Authorization: `Bearer ${deviceToken.token}`
+            }
+        })
+        response.statusCode.should.equal(200)
+        const dbs = response.json()
+        dbs.should.be.an.Array().and.have.length(1)
+        dbs[0].should.have.property('id')
+        dbs[0].should.have.property('name', TestObjects.team.hashid)
+    })
+
     it('Get Team database by ID', async function () {
         const db = (await app.db.models.Table.byTeamId(TestObjects.team.id))[0]
         const response = await app.inject({