Merge pull request #1844 from rocket-admin/backend_public_permissions

feat: implement public access permissions for unauthenticated users

Author: Artuomka

backend/src/authorization/public-or-auth.middleware.ts

@@ -0,0 +1,129 @@
+import {
+	HttpException,
+	Injectable,
+	InternalServerErrorException,
+	NestMiddleware,
+	NotFoundException,
+	UnauthorizedException,
+} from '@nestjs/common';
+import { InjectRepository } from '@nestjs/typeorm';
+import Sentry from '@sentry/minimal';
+import { NextFunction, Response } from 'express';
+import jwt from 'jsonwebtoken';
+import { Repository } from 'typeorm';
+import { JwtScopesEnum } from '../entities/user/enums/jwt-scopes.enum.js';
+import { UserEntity } from '../entities/user/user.entity.js';
+import { EncryptionAlgorithmEnum } from '../enums/encryption-algorithm.enum.js';
+import { TwoFaRequiredException } from '../exceptions/custom-exceptions/two-fa-required-exception.js';
+import { Messages } from '../exceptions/text/messages.js';
+import { Constants } from '../helpers/constants/constants.js';
+import { Encryptor } from '../helpers/encryption/encryptor.js';
+import { isObjectEmpty } from '../helpers/is-object-empty.js';
+import { appConfig } from '../shared/config/app-config.js';
+import { IRequestWithCognitoInfo } from './cognito-decoded.interface.js';
+
+/**
+ * Authentication middleware that ALSO allows anonymous ("public") requests through.
+ *
+ * - A JWT cookie or an `x-api-key` header is authenticated exactly like AuthWithApiMiddleware and
+ *   populates `req.decoded`.
+ * - When neither is present, the request is treated as public: `req.decoded` is left empty and the
+ *   request continues. Downstream guards then decide whether the connection's public policy grants
+ *   access. An invalid/expired credential still fails fast.
+ *
+ * This is applied only to read-capable pure CRUD routes; write routes keep AuthWithApiMiddleware.
+ */
+@Injectable()
+export class PublicOrAuthMiddleware implements NestMiddleware {
+	public constructor(
+		@InjectRepository(UserEntity)
+		private readonly userRepository: Repository<UserEntity>,
+	) {}
+
+	async use(req: IRequestWithCognitoInfo, _res: Response, next: NextFunction): Promise<void> {
+		try {
+			const tokenFromCookie = req.cookies?.[Constants.JWT_COOKIE_KEY_NAME];
+			let apiKey = req.headers?.['x-api-key'];
+			if (Array.isArray(apiKey)) {
+				apiKey = apiKey[0];
+			}
+
+			if (tokenFromCookie) {
+				await this.authenticateWithToken(tokenFromCookie, req);
+			} else if (apiKey) {
+				await this.authenticateWithApiKey(apiKey, req);
+			} else {
+				req.decoded = {};
+			}
+			next();
+		} catch (error) {
+			Sentry.captureException(error);
+			if (error instanceof HttpException || error instanceof UnauthorizedException) {
+				throw error;
+			}
+			throw new InternalServerErrorException(Messages.AUTHORIZATION_REJECTED);
+		}
+	}
+
+	private async authenticateWithToken(tokenFromCookie: string, req: IRequestWithCognitoInfo): Promise<void> {
+		const jwtSecret = appConfig.auth.jwtSecret;
+		if (!jwtSecret) {
+			throw new UnauthorizedException('JWT verification failed');
+		}
+		const data = jwt.verify(tokenFromCookie, jwtSecret) as jwt.JwtPayload;
+		const userId = data.id;
+
+		if (!userId) {
+			throw new UnauthorizedException('JWT verification failed');
+		}
+
+		const userExists = await this.userRepository.findOne({ where: { id: userId } });
+		if (!userExists) {
+			throw new UnauthorizedException('JWT verification failed');
+		}
+
+		if (userExists.suspended) {
+			throw new UnauthorizedException(Messages.ACCOUNT_SUSPENDED);
+		}
+
+		const addedScope: Array<JwtScopesEnum> = data.scope;
+		if (addedScope && addedScope.length > 0) {
+			if (addedScope.includes(JwtScopesEnum.TWO_FA_ENABLE)) {
+				throw new TwoFaRequiredException();
+			}
+		}
+
+		const payload = {
+			sub: userId,
+			email: data.email,
+			exp: data.exp,
+			iat: data.iat,
+		};
+		if (!payload || isObjectEmpty(payload)) {
+			throw new UnauthorizedException('JWT verification failed');
+		}
+		req.decoded = payload;
+	}
+
+	private async authenticateWithApiKey(apiKey: string, req: IRequestWithCognitoInfo): Promise<void> {
+		const apiKeyHash = await Encryptor.processDataWithAlgorithm(apiKey, EncryptionAlgorithmEnum.sha256);
+		const foundUserByApiKey = await this.userRepository
+			.createQueryBuilder('user')
+			.innerJoinAndSelect('user.api_keys', 'api_key')
+			.where('api_key.hash = :hash', { hash: apiKeyHash })
+			.getOne();
+
+		if (!foundUserByApiKey) {
+			throw new NotFoundException(Messages.NO_AUTH_KEYS_FOUND);
+		}
+
+		if (foundUserByApiKey.suspended) {
+			throw new UnauthorizedException(Messages.API_KEY_SUSPENDED);
+		}
+
+		req.decoded = {
+			sub: foundUserByApiKey.id,
+			email: foundUserByApiKey.email,
+		};
+	}
+}

backend/src/decorators/optional-user-id.decorator.ts

@@ -0,0 +1,22 @@
+import { BadRequestException, createParamDecorator, ExecutionContext } from '@nestjs/common';
+import { IRequestWithCognitoInfo } from '../authorization/cognito-decoded.interface.js';
+import { Messages } from '../exceptions/text/messages.js';
+import { ValidationHelper } from '../helpers/validators/validation-helper.js';
+
+/**
+ * Like @UserId(), but tolerates an unauthenticated ("public") request: when no user is present it
+ * returns undefined instead of throwing. Use on endpoints that may be reached by public users
+ * (the guard decides whether public access is allowed); the handler then treats a missing userId
+ * as a public request.
+ */
+export const OptionalUserId = createParamDecorator((_data: unknown, ctx: ExecutionContext): string | undefined => {
+	const request: IRequestWithCognitoInfo = ctx.switchToHttp().getRequest();
+	const userId = request.decoded?.sub;
+	if (!userId) {
+		return undefined;
+	}
+	if (ValidationHelper.isValidUUID(userId)) {
+		return userId;
+	}
+	throw new BadRequestException(Messages.UUID_INVALID);
+});

backend/src/entities/cedar-authorization/cedar-action-map.ts

@@ -40,6 +40,8 @@ export const ACTION_EVENT_PROBE_ID = '__probe__';
 
 export const COLUMN_PROBE_ID = '__probe__';
 
+export const PUBLIC_USER_ID = '__public__';
+
 export interface CedarValidationRequest {
 	userId: string;
 	action: CedarAction;
@@ -50,4 +52,5 @@ export interface CedarValidationRequest {
 	actionEventId?: string;
 	dashboardId?: string;
 	panelId?: string;
+	publicAccess?: boolean;
 }

backend/src/entities/cedar-authorization/cedar-authorization.controller.ts

@@ -6,6 +6,7 @@ import {
 	HttpStatus,
 	Injectable,
 	Post,
+	Put,
 	UseGuards,
 	UseInterceptors,
 } from '@nestjs/common';
@@ -18,6 +19,7 @@ import { ConnectionReadGuard } from '../../guards/connection-read.guard.js';
 import { SentryInterceptor } from '../../interceptors/sentry.interceptor.js';
 import { IComplexPermission } from '../permission/permission.interface.js';
 import { CedarAuthorizationService } from './cedar-authorization.service.js';
+import { PublicPermissionsResponseDto, SetPublicPermissionsDto } from './dto/public-permissions.dto.js';
 import { SaveCedarPolicyDto } from './dto/save-cedar-policy.dto.js';
 import { ValidateCedarSchemaDto } from './dto/validate-cedar-schema.dto.js';
 
@@ -87,4 +89,40 @@ export class CedarAuthorizationController {
 		}
 		return this.cedarAuthService.saveCedarPolicy(connectionId, dto.groupId, dto.cedarPolicy);
 	}
+
+	@ApiOperation({
+		summary: 'Get the public (unauthenticated) read permissions configured for a connection',
+	})
+	@ApiResponse({ status: 200, description: 'Public permissions returned.', type: PublicPermissionsResponseDto })
+	@ApiParam({ name: 'connectionId', required: true })
+	@UseGuards(ConnectionEditGuard)
+	@Get('/connection/public-permissions/:connectionId')
+	async getPublicPermissions(@SlugUuid('connectionId') connectionId: string): Promise<PublicPermissionsResponseDto> {
+		if (!connectionId) {
+			throw new HttpException({ message: Messages.CONNECTION_ID_MISSING }, HttpStatus.BAD_REQUEST);
+		}
+		return this.cedarAuthService.getPublicPermissions(connectionId);
+	}
+
+	@ApiOperation({
+		summary: 'Set the public (unauthenticated) read permissions for a connection',
+		description:
+			'Generates and stores a Cedar policy granting public users QueryTable + ColumnRead on the listed tables. ' +
+			'Pass an empty "tables" array to disable public access.',
+	})
+	@ApiResponse({ status: 200, description: 'Public permissions saved.', type: PublicPermissionsResponseDto })
+	@ApiBody({ type: SetPublicPermissionsDto })
+	@ApiParam({ name: 'connectionId', required: true })
+	@UseGuards(ConnectionEditGuard)
+	@Put('/connection/public-permissions/:connectionId')
+	async setPublicPermissions(
+		@SlugUuid('connectionId') connectionId: string,
+		@Body() dto: SetPublicPermissionsDto,
+	): Promise<PublicPermissionsResponseDto> {
+		if (!connectionId) {
+			throw new HttpException({ message: Messages.CONNECTION_ID_MISSING }, HttpStatus.BAD_REQUEST);
+		}
+		const { enabled, tables } = await this.cedarAuthService.savePublicPermissions(connectionId, dto.tables ?? []);
+		return { enabled, tables };
+	}
 }

backend/src/entities/cedar-authorization/cedar-authorization.module.ts

@@ -31,6 +31,8 @@ export class CedarAuthorizationModule implements NestModule {
 				{ path: '/connection/cedar-schema/:connectionId', method: RequestMethod.GET },
 				{ path: '/connection/cedar-schema/validate/:connectionId', method: RequestMethod.POST },
 				{ path: '/connection/cedar-policy/:connectionId', method: RequestMethod.POST },
+				{ path: '/connection/public-permissions/:connectionId', method: RequestMethod.GET },
+				{ path: '/connection/public-permissions/:connectionId', method: RequestMethod.PUT },
 			);
 	}
 }