fosrl.pangolin/server/middlewares/verifyTargetAccess.ts

import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import { resources, targets, userOrgs } from "@server/db/schema";
import { and, eq } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
import { canUserAccessResource } from "../auth/canUserAccessResource";

export async function verifyTargetAccess(
    req: Request,
    res: Response,
    next: NextFunction
) {
    const userId = req.user!.userId;
    const targetId = parseInt(req.params.targetId);

    if (!userId) {
        return next(
            createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
        );
    }

    if (isNaN(targetId)) {
        return next(
            createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
        );
    }

    const target = await db
        .select()
        .from(targets)
        .where(eq(targets.targetId, targetId))
        .limit(1);

    if (target.length === 0) {
        return next(
            createHttpError(
                HttpCode.NOT_FOUND,
                `Target with ID ${targetId} not found`
            )
        );
    }

    const resourceId = target[0].resourceId;

    if (!resourceId) {
        return next(
            createHttpError(
                HttpCode.INTERNAL_SERVER_ERROR,
                `Target with ID ${targetId} does not have a resource ID`
            )
        );
    }

    try {
        const resource = await db
            .select()
            .from(resources)
            .where(eq(resources.resourceId, resourceId!))
            .limit(1);

        if (resource.length === 0) {
            return next(
                createHttpError(
                    HttpCode.NOT_FOUND,
                    `Resource with ID ${resourceId} not found`
                )
            );
        }

        if (!resource[0].orgId) {
            return next(
                createHttpError(
                    HttpCode.INTERNAL_SERVER_ERROR,
                    `resource with ID ${resourceId} does not have an organization ID`
                )
            );
        }

        if (!req.userOrg) {
            const res = await db
                .select()
                .from(userOrgs)
                .where(
                    and(
                        eq(userOrgs.userId, userId),
                        eq(userOrgs.orgId, resource[0].orgId)
                    )
                );
            req.userOrg = res[0];
        }

        if (!req.userOrg) {
            next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "User does not have access to this organization"
                )
            );
        } else {
            req.userOrgRoleId = req.userOrg.roleId;
            req.userOrgId = resource[0].orgId!;
        }

        const resourceAllowed = await canUserAccessResource({
            userId,
            resourceId,
            roleId: req.userOrgRoleId!
        });

        if (!resourceAllowed) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "User does not have access to this resource"
                )
            );
        }

        next();
    } catch (e) {
        return next(
            createHttpError(
                HttpCode.INTERNAL_SERVER_ERROR,
                "Error verifying organization access"
            )
        );
    }
}
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`import { Request, Response, NextFunction } from "express";`
			`import { db } from "@server/db";`
			`import { resources, targets, userOrgs } from "@server/db/schema";`
			`import { and, eq } from "drizzle-orm";`
			`import createHttpError from "http-errors";`
			`import HttpCode from "@server/types/HttpCode";`
allow access token in resource url 2025-01-11 19:47:07 -05:00			`import { canUserAccessResource } from "../auth/canUserAccessResource";`
Add verify middleware 2024-10-03 22:31:20 -04:00
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`export async function verifyTargetAccess(`
			`req: Request,`
			`res: Response,`
			`next: NextFunction`
			`) {`
			`const userId = req.user!.userId;`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`const targetId = parseInt(req.params.targetId);`
Add verify middleware 2024-10-03 22:31:20 -04:00
Format files and fix http response 2024-10-06 18:05:20 -04:00			`if (!userId) {`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`return next(`
			`createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")`
			`);`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`}`
Add verify middleware 2024-10-03 22:31:20 -04:00
Format files and fix http response 2024-10-06 18:05:20 -04:00			`if (isNaN(targetId)) {`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`return next(`
			`createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")`
			`);`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`}`
Add verify middleware 2024-10-03 22:31:20 -04:00
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`const target = await db`
			`.select()`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`.from(targets)`
			`.where(eq(targets.targetId, targetId))`
			`.limit(1);`
Add verify middleware 2024-10-03 22:31:20 -04:00
Format files and fix http response 2024-10-06 18:05:20 -04:00			`if (target.length === 0) {`
			`return next(`
			`createHttpError(`
			`HttpCode.NOT_FOUND,`
more user role stuff 2024-11-09 23:59:19 -05:00			`Target with ID ${targetId} not found`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`)`
			`);`
			`}`
Add verify middleware 2024-10-03 22:31:20 -04:00
Format files and fix http response 2024-10-06 18:05:20 -04:00			`const resourceId = target[0].resourceId;`
Add verify middleware 2024-10-03 22:31:20 -04:00
Targets working? 2024-10-19 20:47:05 -04:00			`if (!resourceId) {`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`return next(`
			`createHttpError(`
			`HttpCode.INTERNAL_SERVER_ERROR,`
more user role stuff 2024-11-09 23:59:19 -05:00			`Target with ID ${targetId} does not have a resource ID`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`)`
			`);`
			`}`
Add verify middleware 2024-10-03 22:31:20 -04:00
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`try {`
			`const resource = await db`
			`.select()`
			`.from(resources)`
			`.where(eq(resources.resourceId, resourceId!))`
			`.limit(1);`
Add verify middleware 2024-10-03 22:31:20 -04:00
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`if (resource.length === 0) {`
			`return next(`
			`createHttpError(`
			`HttpCode.NOT_FOUND,`
			`Resource with ID ${resourceId} not found`
			`)`
			`);`
			`}`
Add verify middleware 2024-10-03 22:31:20 -04:00
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`if (!resource[0].orgId) {`
			`return next(`
			`createHttpError(`
			`HttpCode.INTERNAL_SERVER_ERROR,`
			`resource with ID ${resourceId} does not have an organization ID`
			`)`
			`);`
			`}`

more user role stuff 2024-11-09 23:59:19 -05:00			`if (!req.userOrg) {`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`const res = await db`
			`.select()`
			`.from(userOrgs)`
			`.where(`
			`and(`
			`eq(userOrgs.userId, userId),`
			`eq(userOrgs.orgId, resource[0].orgId)`
			`)`
			`);`
more user role stuff 2024-11-09 23:59:19 -05:00			`req.userOrg = res[0];`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`}`

more user role stuff 2024-11-09 23:59:19 -05:00			`if (!req.userOrg) {`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`next(`
			`createHttpError(`
			`HttpCode.FORBIDDEN,`
			`"User does not have access to this organization"`
			`)`
			`);`
			`} else {`
more user role stuff 2024-11-09 23:59:19 -05:00			`req.userOrgRoleId = req.userOrg.roleId;`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`req.userOrgId = resource[0].orgId!;`
			`}`
access token endpoints and other backend support 2024-12-18 23:14:26 -05:00
			`const resourceAllowed = await canUserAccessResource({`
			`userId,`
			`resourceId,`
			`roleId: req.userOrgRoleId!`
			`});`

			`if (!resourceAllowed) {`
			`return next(`
			`createHttpError(`
			`HttpCode.FORBIDDEN,`
			`"User does not have access to this resource"`
			`)`
			`);`
			`}`

			`next();`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`} catch (e) {`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`return next(`
			`createHttpError(`
			`HttpCode.INTERNAL_SERVER_ERROR,`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`"Error verifying organization access"`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`)`
			`);`
			`}`
remove lucia 2024-10-13 17:13:47 -04:00			`}`