import { Router } from "express" ;
import config from "@server/lib/config" ;
import * as site from "./site" ;
import * as org from "./org" ;
import * as resource from "./resource" ;
import * as domain from "./domain" ;
import * as target from "./target" ;
import * as user from "./user" ;
import * as auth from "./auth" ;
import * as role from "./role" ;
import * as supporterKey from "./supporterKey" ;
import * as accessToken from "./accessToken" ;
import * as idp from "./idp" ;
import * as license from "./license" ;
import * as apiKeys from "./apiKeys" ;
import HttpCode from "@server/types/HttpCode" ;
import {
verifyAccessTokenAccess ,
verifySessionMiddleware ,
verifySessionUserMiddleware ,
verifyOrgAccess ,
verifySiteAccess ,
verifyResourceAccess ,
verifyTargetAccess ,
verifyRoleAccess ,
verifySetResourceUsers ,
verifyUserAccess ,
getUserOrgs ,
verifyUserIsServerAdmin ,
verifyIsLoggedInUser ,
verifyApiKeyAccess
} from "@server/middlewares" ;
import { verifyUserHasAction } from "../middlewares/verifyUserHasAction" ;
import { ActionsEnum } from "@server/auth/actions" ;
import { verifyUserIsOrgOwner } from "../middlewares/verifyUserIsOrgOwner" ;
import { createNewt , getToken } from "./newt" ;
import rateLimit from "express-rate-limit" ;
import createHttpError from "http-errors" ;
// Root routes
export const unauthenticated = Router();

// Liveness probe. No auth and no state on purpose: the body is a fixed literal,
// so nothing about the deployment is disclosed to anonymous callers.
const HEALTH_BODY = { message: "Healthy" } as const;
unauthenticated.get("/", (_, res) => {
    res.status(HttpCode.OK).json(HEALTH_BODY);
});
// Authenticated Root routes
export const authenticated = Router();
// Everything registered on this router runs behind the session + user check;
// the per-route middleware below only adds object-level and role-action gates.
authenticated.use(verifySessionUserMiddleware);

// NOTE(review): checkId has no per-org gate, so any signed-in account can test
// which org ids exist. Harmless if ids are not sensitive; confirm that is intended.
authenticated.get("/org/checkId", org.checkId);
authenticated.put("/org", getUserOrgs, org.createOrg);

// Listing every org is server-admin only; a user may list orgs for a :userId
// only when verifyIsLoggedInUser accepts that id (presumably their own).
authenticated.get("/orgs", verifyUserIsServerAdmin, org.listOrgs);
authenticated.get("/user/:userId/orgs", verifyIsLoggedInUser, org.listUserOrgs);
// Org read/update are gated by role actions; delete is gated by org ownership
// (verifyUserIsOrgOwner) rather than by a role action.
authenticated
    .route("/org/:orgId")
    .get(verifyOrgAccess, verifyUserHasAction(ActionsEnum.getOrg), org.getOrg)
    .post(verifyOrgAccess, verifyUserHasAction(ActionsEnum.updateOrg), org.updateOrg)
    .delete(verifyOrgAccess, verifyUserIsOrgOwner, org.deleteOrg);
// --- Sites ------------------------------------------------------------------
// Org-addressed routes: verifyOrgAccess runs before the role-action gate.
authenticated.put(
    "/org/:orgId/site",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.createSite),
    site.createSite
);
authenticated.get(
    "/org/:orgId/sites",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.listSites),
    site.listSites
);
authenticated.get(
    "/org/:orgId/site/:niceId",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.getSite),
    site.getSite
);
// Gated by createSite rather than getSite: the caller is about to create a site.
authenticated.get(
    "/org/:orgId/pick-site-defaults",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.createSite),
    site.pickSiteDefaults
);

// Id-addressed routes: verifySiteAccess scopes :siteId to the caller first.
authenticated
    .route("/site/:siteId")
    .get(verifySiteAccess, verifyUserHasAction(ActionsEnum.getSite), site.getSite)
    .post(verifySiteAccess, verifyUserHasAction(ActionsEnum.updateSite), site.updateSite)
    .delete(verifySiteAccess, verifyUserHasAction(ActionsEnum.deleteSite), site.deleteSite);
// GET /site/:siteId/roles (site.listSiteRoles, ActionsEnum.listSiteRoles) is not
// registered; it was left commented out in the original.

// Docker integration. All five routes, including the two POSTs whose names
// (checkDockerSocket, triggerFetchContainers) suggest they cause work on the
// site, are gated by the *read* action getSite.
// NOTE(review): consider updateSite or a dedicated action for the POSTs so a
// read-only role cannot trigger activity on the site.
authenticated.get(
    "/site/:siteId/docker/status",
    verifySiteAccess,
    verifyUserHasAction(ActionsEnum.getSite),
    site.dockerStatus
);
authenticated.get(
    "/site/:siteId/docker/online",
    verifySiteAccess,
    verifyUserHasAction(ActionsEnum.getSite),
    site.dockerOnline
);
authenticated.post(
    "/site/:siteId/docker/check",
    verifySiteAccess,
    verifyUserHasAction(ActionsEnum.getSite),
    site.checkDockerSocket
);
authenticated.post(
    "/site/:siteId/docker/trigger",
    verifySiteAccess,
    verifyUserHasAction(ActionsEnum.getSite),
    site.triggerFetchContainers
);
authenticated.get(
    "/site/:siteId/docker/containers",
    verifySiteAccess,
    verifyUserHasAction(ActionsEnum.getSite),
    site.listContainers
);
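// --- Resources ----------------------------------------------------------------
// Creation is org-addressed. NOTE(review): only :orgId is verified at this layer;
// nothing here ties :siteId to that org, so resource.createResource must do so
// (not visible from this file).
authenticated.put(
    "/org/:orgId/site/:siteId/resource",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.createResource),
    resource.createResource
);

// Listing by site. verifySiteAccess scopes :siteId to the caller, exactly as
// every other /site/:siteId route in this file does. Previously this route ran
// only the role-action check, so nothing on it related :siteId to the caller's
// org (whether verifyUserHasAction covers that on its own is not visible here).
authenticated.get(
    "/site/:siteId/resources",
    verifySiteAccess,
    verifyUserHasAction(ActionsEnum.listResources),
    resource.listResources
);

// Listing by org.
authenticated.get(
    "/org/:orgId/resources",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.listResources),
    resource.listResources
);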
// Domains available to an org (read-only here).
authenticated.get(
    "/org/:orgId/domains",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.listOrgDomains),
    domain.listDomains
);

// Invitations. NOTE(review): :inviteId is not separately verified against
// :orgId at this layer; user.removeInvitation must scope its lookup by org.
authenticated.get(
    "/org/:orgId/invitations",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.listInvitations),
    user.listInvitations
);
authenticated.delete(
    "/org/:orgId/invitations/:inviteId",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.removeInvitation),
    user.removeInvitation
);
// TODO: maybe make this /invite/create instead
authenticated.post(
    "/org/:orgId/create-invite",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.inviteUser),
    user.inviteUser
);
// Intentionally unauthenticated (per the original comment): whatever proves the
// request legitimate, presumably the invite token, is checked inside
// user.acceptInvite, which is not visible here.
unauthenticated.post("/invite/accept", user.acceptInvite);
// Resource membership views and CRUD; verifyResourceAccess scopes :resourceId
// to the caller before each role-action gate.
authenticated.get(
    "/resource/:resourceId/roles",
    verifyResourceAccess,
    verifyUserHasAction(ActionsEnum.listResourceRoles),
    resource.listResourceRoles
);
authenticated.get(
    "/resource/:resourceId/users",
    verifyResourceAccess,
    verifyUserHasAction(ActionsEnum.listResourceUsers),
    resource.listResourceUsers
);
authenticated
    .route("/resource/:resourceId")
    .get(verifyResourceAccess, verifyUserHasAction(ActionsEnum.getResource), resource.getResource)
    .post(verifyResourceAccess, verifyUserHasAction(ActionsEnum.updateResource), resource.updateResource)
    .delete(verifyResourceAccess, verifyUserHasAction(ActionsEnum.deleteResource), resource.deleteResource);
// Targets hang off a resource; the resource check scopes both routes.
authenticated.put(
    "/resource/:resourceId/target",
    verifyResourceAccess,
    verifyUserHasAction(ActionsEnum.createTarget),
    target.createTarget
);
authenticated.get(
    "/resource/:resourceId/targets",
    verifyResourceAccess,
    verifyUserHasAction(ActionsEnum.listTargets),
    target.listTargets
);
// Access rules on a resource.
authenticated.put(
    "/resource/:resourceId/rule",
    verifyResourceAccess,
    verifyUserHasAction(ActionsEnum.createResourceRule),
    resource.createResourceRule
);
authenticated.get(
    "/resource/:resourceId/rules",
    verifyResourceAccess,
    verifyUserHasAction(ActionsEnum.listResourceRules),
    resource.listResourceRules
);
// NOTE(review): no middleware here checks :ruleId against :resourceId; the
// update/delete handlers must scope the rule lookup by resourceId themselves
// (not visible from this file) or a rule of another resource could be addressed.
authenticated
    .route("/resource/:resourceId/rule/:ruleId")
    .post(verifyResourceAccess, verifyUserHasAction(ActionsEnum.updateResourceRule), resource.updateResourceRule)
    .delete(verifyResourceAccess, verifyUserHasAction(ActionsEnum.deleteResourceRule), resource.deleteResourceRule);
// Targets by id; verifyTargetAccess scopes :targetId to the caller.
authenticated
    .route("/target/:targetId")
    .get(verifyTargetAccess, verifyUserHasAction(ActionsEnum.getTarget), target.getTarget)
    .post(verifyTargetAccess, verifyUserHasAction(ActionsEnum.updateTarget), target.updateTarget)
    .delete(verifyTargetAccess, verifyUserHasAction(ActionsEnum.deleteTarget), target.deleteTarget);
// Roles are org-scoped.
authenticated.put(
    "/org/:orgId/role",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.createRole),
    role.createRole
);
authenticated.get(
    "/org/:orgId/roles",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.listRoles),
    role.listRoles
);
// GET and POST /role/:roleId (role.getRole / role.updateRole) are not
// registered; they were left commented out in the original.
authenticated.delete(
    "/role/:roleId",
    verifyRoleAccess,
    verifyUserHasAction(ActionsEnum.deleteRole),
    role.deleteRole
);
// Both the role and the target user are scoped to the caller ahead of the
// action gate.
authenticated.post(
    "/role/:roleId/add/:userId",
    verifyRoleAccess,
    verifyUserAccess,
    verifyUserHasAction(ActionsEnum.addUserRole),
    user.addUserRole
);
// PUT/DELETE /role/:roleId/site and GET /role/:roleId/sites (role.addRoleSite /
// removeRoleSite / listRoleSites) are not registered; left commented out in
// the original.

// Bulk assignment of roles / users to a resource. The ids being assigned get
// their own verifier (verifyRoleAccess / verifySetResourceUsers) ahead of the
// role-action gate, since :resourceId alone does not cover them.
authenticated.post(
    "/resource/:resourceId/roles",
    verifyResourceAccess,
    verifyRoleAccess,
    verifyUserHasAction(ActionsEnum.setResourceRoles),
    resource.setResourceRoles
);
authenticated.post(
    "/resource/:resourceId/users",
    verifyResourceAccess,
    verifySetResourceUsers,
    verifyUserHasAction(ActionsEnum.setResourceUsers),
    resource.setResourceUsers
);
// Resource-level authentication settings (password / PIN / email whitelist).
authenticated.post(
    "/resource/:resourceId/password",
    verifyResourceAccess,
    verifyUserHasAction(ActionsEnum.setResourcePassword),
    resource.setResourcePassword
);
authenticated.post(
    "/resource/:resourceId/pincode",
    verifyResourceAccess,
    verifyUserHasAction(ActionsEnum.setResourcePincode),
    resource.setResourcePincode
);
authenticated
    .route("/resource/:resourceId/whitelist")
    .post(verifyResourceAccess, verifyUserHasAction(ActionsEnum.setResourceWhitelist), resource.setResourceWhitelist)
    .get(verifyResourceAccess, verifyUserHasAction(ActionsEnum.getResourceWhitelist), resource.getResourceWhitelist);
// Moving a resource is treated as an update of that resource.
// NOTE(review): verifyResourceAccess covers the *source* only; if the
// destination site may belong to another org, resource.transferResource has to
// check it (not visible here).
authenticated.post(
    "/resource/:resourceId/transfer",
    verifyResourceAccess,
    verifyUserHasAction(ActionsEnum.updateResource),
    resource.transferResource
);

// Access tokens. (The enum member really is spelled deleteAcessToken.)
authenticated.post(
    "/resource/:resourceId/access-token",
    verifyResourceAccess,
    verifyUserHasAction(ActionsEnum.generateAccessToken),
    accessToken.generateAccessToken
);
authenticated.delete(
    "/access-token/:accessTokenId",
    verifyAccessTokenAccess,
    verifyUserHasAction(ActionsEnum.deleteAcessToken),
    accessToken.deleteAccessToken
);
authenticated.get(
    "/org/:orgId/access-tokens",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.listAccessTokens),
    accessToken.listAccessTokens
);
authenticated.get(
    "/resource/:resourceId/access-tokens",
    verifyResourceAccess,
    verifyUserHasAction(ActionsEnum.listAccessTokens),
    accessToken.listAccessTokens
);

// Org overview: any org member, no role-action gate.
authenticated.get("/org/:orgId/overview", verifyOrgAccess, org.getOrgOverview);

// Supporter key: only a valid session is required.
// NOTE(review): if validating/hiding the key changes server-wide state, these
// belong behind verifyUserIsServerAdmin like the license routes.
authenticated.post("/supporter-key/validate", supporterKey.validateSupporterKey);
authenticated.post("/supporter-key/hide", supporterKey.hideSupporterKey);

// Anonymous: a resource's auth requirements, readable before logging in to it.
// NOTE(review): resource.getResourceAuthInfo decides what is exposed here; keep
// it to what an anonymous visitor needs.
unauthenticated.get("/resource/:resourceId/auth", resource.getResourceAuthInfo);
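// Unregistered role sub-routes (left commented out in the original):
// GET /role/:roleId/resources, PUT|DELETE /role/:roleId/action,
// GET /role/:roleId/actions (role.listRoleResources / addRoleAction /
// removeRoleAction / listRoleActions).

// Current user. Registered on the unauthenticated router behind
// verifySessionMiddleware only, not the verifySessionUserMiddleware that the
// `authenticated` router applies; what separates the two is not visible here.
unauthenticated.get("/user", verifySessionMiddleware, user.getUser);

// Server-wide user administration: server admin only.
authenticated.get("/users", verifyUserIsServerAdmin, user.adminListUsers);
authenticated
    .route("/user/:userId")
    .get(verifyUserIsServerAdmin, user.adminGetUser)
    .delete(verifyUserIsServerAdmin, user.adminRemoveUser);
authenticated.post("/user/:userId/2fa", verifyUserIsServerAdmin, user.updateUser2FA);

// Org-scoped user management.
authenticated.put(
    "/org/:orgId/user",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.createOrgUser),
    user.createOrgUser
);
// verifyUserAccess is the same check the DELETE below already runs on this
// :orgId/:userId pair. Previously this GET ran verifyOrgAccess alone, which
// verifies the caller's own membership but leaves :userId unchecked at the
// routing layer.
// NOTE(review): unlike listUsers there is still no role-action gate here, so any
// org member can read any member's record; add one if the enum grows such an action.
authenticated.get(
    "/org/:orgId/user/:userId",
    verifyOrgAccess,
    verifyUserAccess,
    user.getOrgUser
);
authenticated.get(
    "/org/:orgId/users",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.listUsers),
    user.listUsers
);
authenticated.delete(
    "/org/:orgId/user/:userId",
    verifyOrgAccess,
    verifyUserAccess,
    verifyUserHasAction(ActionsEnum.removeUser),
    user.removeUserOrg
);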
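// Unregistered routes (left commented out in the original):
// PUT|DELETE /user/:userId/site and PUT|DELETE /org/:orgId/user/:userId/action
// (role.addRoleSite / removeRoleSite / addRoleAction / removeRoleAction), and
// PUT /newt (createNewt, ActionsEnum.createNewt).

// --- Identity providers -------------------------------------------------------
// IdPs are server-wide configuration, so every route is gated by
// verifyUserIsServerAdmin. A role-action gate (ActionsEnum.createIdp) was
// sketched for PUT /idp/oidc but never enabled; admin status is the only check.
authenticated.put("/idp/oidc", verifyUserIsServerAdmin, idp.createOidcIdp);
authenticated.post("/idp/:idpId/oidc", verifyUserIsServerAdmin, idp.updateOidcIdp);
authenticated.delete("/idp/:idpId", verifyUserIsServerAdmin, idp.deleteIdp);
authenticated.get("/idp", verifyUserIsServerAdmin, idp.listIdps);
authenticated.get("/idp/:idpId", verifyUserIsServerAdmin, idp.getIdp);
authenticated
    .route("/idp/:idpId/org/:orgId")
    .put(verifyUserIsServerAdmin, idp.createIdpOrgPolicy)
    .post(verifyUserIsServerAdmin, idp.updateIdpOrgPolicy)
    .delete(verifyUserIsServerAdmin, idp.deleteIdpOrgPolicy);
authenticated.get("/idp/:idpId/org", verifyUserIsServerAdmin, idp.listIdpOrgPolicies);
// Two further registrations used to follow here: a second GET /idp/:idpId
// identical to the one above, and a GET /idp *without* the admin gate,
// commented "anyone can see this; it's just a list of idp names and ids".
// Express dispatches to the first route that matches, so the admin-gated
// GET /idp above always won and the open one was unreachable (a non-admin is
// stopped by verifyUserIsServerAdmin, assuming it responds or errors rather
// than calling plain next()). Both are dropped rather than silently promoted;
// if every signed-in user really should be able to list IdPs, remove
// verifyUserIsServerAdmin from the GET /idp registration above.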
// Licensing is server-wide: every route is server-admin only.
authenticated.post("/license/activate", verifyUserIsServerAdmin, license.activateLicense);
authenticated.get("/license/keys", verifyUserIsServerAdmin, license.listLicenseKeys);
// NOTE(review): the license key travels as a path segment here, so it will show
// up in access logs and proxy logs; consider moving it to the request body.
authenticated.delete("/license/:licenseKey", verifyUserIsServerAdmin, license.deleteLicenseKey);
authenticated.post("/license/recheck", verifyUserIsServerAdmin, license.recheckStatus);
// --- API keys -----------------------------------------------------------------
// Root (server-wide) keys: server admin only.
authenticated.put("/api-key", verifyUserIsServerAdmin, apiKeys.createRootApiKey);
authenticated.get("/api-keys", verifyUserIsServerAdmin, apiKeys.listRootApiKeys);
authenticated
    .route("/api-key/:apiKeyId")
    .get(verifyUserIsServerAdmin, apiKeys.getApiKey)
    .delete(verifyUserIsServerAdmin, apiKeys.deleteApiKey);
authenticated
    .route("/api-key/:apiKeyId/actions")
    .get(verifyUserIsServerAdmin, apiKeys.listApiKeyActions)
    .post(verifyUserIsServerAdmin, apiKeys.setApiKeyActions);

// Org keys: org membership, then verifyApiKeyAccess (presumably tying :apiKeyId
// to that org), then the role-action gate.
authenticated.get(
    "/org/:orgId/api-keys",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.listApiKeys),
    apiKeys.listOrgApiKeys
);
authenticated.put(
    "/org/:orgId/api-key",
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.createApiKey),
    apiKeys.createOrgApiKey
);
authenticated
    .route("/org/:orgId/api-key/:apiKeyId")
    .get(verifyOrgAccess, verifyApiKeyAccess, verifyUserHasAction(ActionsEnum.getApiKey), apiKeys.getApiKey)
    .delete(verifyOrgAccess, verifyApiKeyAccess, verifyUserHasAction(ActionsEnum.deleteApiKey), apiKeys.deleteOrgApiKey);
// NOTE(review): setApiKeyActions is shared with the admin-only root route above.
// Nothing at this layer stops an org member from granting a key actions their
// own role lacks; the handler has to enforce that (not visible here).
authenticated
    .route("/org/:orgId/api-key/:apiKeyId/actions")
    .get(verifyOrgAccess, verifyApiKeyAccess, verifyUserHasAction(ActionsEnum.listApiKeyActions), apiKeys.listApiKeyActions)
    .post(verifyOrgAccess, verifyApiKeyAccess, verifyUserHasAction(ActionsEnum.setApiKeyActions), apiKeys.setApiKeyActions);
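// Auth routes
export const authRouter = Router();
unauthenticated.use("/auth", authRouter);

// Global per-IP, per-path limiter over everything under /auth. The per-route
// limiters registered later add a second, principal-keyed bucket on top.
const authLimits = config.getRawConfig().rate_limits.auth;
// The config field is in minutes (it is named `window_minutes` and the 429
// message reports it as "minute(s)"), while express-rate-limit's windowMs is in
// milliseconds. The raw value was previously passed through unconverted, which
// made the window `window_minutes` *milliseconds* long, i.e. the limiter could
// only ever trip on a burst inside a few milliseconds. If the config loader
// already converts this field to milliseconds, drop the multiplication here —
// but then the message below would need fixing instead.
const authWindowMs = authLimits.window_minutes * 60 * 1000;
// Built once from the same snapshot the limiter was configured with, so the
// message cannot disagree with the enforced numbers.
const authLimitMessage = `Rate limit exceeded. You can make ${authLimits.max_requests} requests every ${authLimits.window_minutes} minute(s).`;
authRouter.use(
    rateLimit({
        windowMs: authWindowMs,
        max: authLimits.max_requests,
        // req.ip is only the client address if Express `trust proxy` matches the
        // deployment; behind a proxy with it unset, every client shares one
        // bucket. NOTE(review): confirm in the app setup (not visible here).
        keyGenerator: (req) => `authRouterGlobal:${req.ip}:${req.path}`,
        handler: (req, res, next) => {
            return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, authLimitMessage));
        }
    })
);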
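// ---- Per-route limiters --------------------------------------------------------
// These sit on top of the global per-IP/per-path limiter installed on authRouter
// above. Each bucket is keyed by the principal under attack (account email,
// user id, resource id) rather than only by source address, so spreading
// attempts over many IPs does not buy fresh budget. The flip side is that
// spamming one key locks out only that key for the window.

/** Window shared by every per-route limiter below, in minutes. */
const PER_ROUTE_WINDOW_MINUTES = 15;

type LimiterKeyFn = NonNullable<
    NonNullable<Parameters<typeof rateLimit>[0]>["keyGenerator"]
>;
type LimiterRequest = Parameters<LimiterKeyFn>[0];

/** Trimmed string field from the request body, or "" when absent / not a string. */
function bodyString(req: LimiterRequest, field: string): string {
    const value = req.body?.[field];
    return typeof value === "string" ? value.trim() : "";
}

/**
 * Account email as a limiter key. Case is folded so `Alice@x` and `alice@x`
 * share one bucket; a missing or non-string field yields "" instead of the
 * literal "undefined" / "[object Object]" keys the old inline templates produced
 * (or a TypeError when no body was parsed at all).
 */
function emailKey(req: LimiterRequest): string {
    return bodyString(req, "email").toLowerCase();
}

/** Key on the body email when given, else the session user, else the source address. */
function accountKey(prefix: string): LimiterKeyFn {
    return (req) => {
        const email = emailKey(req);
        if (email !== "") {
            return `${prefix}:email:${email}`;
        }
        // Several of these routes serve both logged-in users and the login flow,
        // so req.user may be absent. Fall back to the address instead of
        // dereferencing it, which previously turned a malformed request into a
        // 500 raised inside the limiter.
        return req.user ? `${prefix}:user:${req.user.userId}` : `${prefix}:ip:${req.ip}`;
    };
}

/** Key on the session user; routes using this run verifySessionUserMiddleware first. */
function userKey(prefix: string): LimiterKeyFn {
    return (req) => (req.user ? `${prefix}:user:${req.user.userId}` : `${prefix}:ip:${req.ip}`);
}

/** Key on source address + the resource being authenticated against. */
function resourceKey(prefix: string): LimiterKeyFn {
    return (req) => `${prefix}:${req.ip}:${req.params.resourceId}`;
}

/**
 * Build a per-route limiter.
 * @param max    attempts allowed per window
 * @param action phrase for the 429 message, e.g. "log in"
 * @param key    bucket selector; must be stable for one principal
 * The message is generated from the same `max` and window that are enforced,
 * so it cannot drift from them (several hand-written messages had: verify-email
 * said "sign up", reset-password said "request a password reset", and
 * security-key delete said 10 while allowing 20).
 */
function authLimiter(max: number, action: string, key: LimiterKeyFn) {
    const message = `You can only ${action} ${max} times every ${PER_ROUTE_WINDOW_MINUTES} minutes. Please try again later.`;
    return rateLimit({
        windowMs: PER_ROUTE_WINDOW_MINUTES * 60 * 1000,
        max,
        keyGenerator: key,
        handler: (req, res, next) =>
            next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message))
    });
}

// Sign-up is keyed by address + email so one client cannot mint accounts in a loop.
authRouter.put(
    "/signup",
    authLimiter(15, "sign up", (req) => `signup:${req.ip}:${emailKey(req)}`),
    auth.signup
);

// Login is keyed by the *target* account only: 15 failures from anywhere lock
// that email for the window, which defeats distributed password guessing at the
// cost of a targeted lock-out (the global per-IP limiter still bounds any single
// attacker). Revisit if lock-out abuse becomes a problem.
authRouter.post(
    "/login",
    authLimiter(15, "log in", (req) => `login:${emailKey(req)}`),
    auth.login
);

authRouter.post("/logout", auth.logout);

// Budget is far larger than the user-facing routes (presumably automated Newt
// clients); keyed by the client's own id so one noisy client cannot starve others.
authRouter.post(
    "/newt/get-token",
    authLimiter(900, "request a Newt token", (req) => `newtGetToken:${bodyString(req, "newtId")}`),
    getToken
);

// TOTP routes. Per the original comments these are reached both with a session
// and without one (email supplied instead), so the key prefers the email and
// falls back to the session user, then the address.
authRouter.post(
    "/2fa/enable",
    authLimiter(15, "enable 2FA", accountKey("twoFaEnable")),
    auth.verifyTotp
);
authRouter.post(
    "/2fa/request",
    authLimiter(15, "request a 2FA code", accountKey("twoFaRequest")),
    auth.requestTotpSecret
);
authRouter.post(
    "/2fa/disable",
    verifySessionUserMiddleware,
    authLimiter(15, "disable 2FA", userKey("twoFaDisable")),
    auth.disable2fa
);

// Email verification. The limiter deliberately runs before the session check
// (as before), so unauthenticated spam is counted and rejected first.
authRouter.post(
    "/verify-email",
    authLimiter(15, "verify your email", accountKey("verifyEmail")),
    verifySessionMiddleware,
    auth.verifyEmail
);
authRouter.post(
    "/verify-email/request",
    verifySessionMiddleware,
    authLimiter(15, "request an email verification code", accountKey("requestEmailVerificationCode")),
    auth.requestEmailVerificationCode
);

// A commented-out POST /change-password (verifySessionUserMiddleware,
// auth.changePassword) was here in the original; it is not registered.

// Password reset, both steps keyed by the account email. The submit step is
// unauthenticated by nature; whatever proves it (presumably a reset token) is
// checked in auth.resetPassword, and the limiter only slows guessing of it.
authRouter.post(
    "/reset-password/request",
    authLimiter(15, "request a password reset", accountKey("requestPasswordReset")),
    auth.requestPasswordReset
);
authRouter.post(
    "/reset-password/",
    authLimiter(15, "reset your password", accountKey("resetPassword")),
    auth.resetPassword
);

// Resource-level auth (password / PIN / email OTP). Keyed by address + resource:
// the credential is per-resource, so one client hammering resource A does not
// lock anyone out of resource B.
authRouter.post(
    "/resource/:resourceId/password",
    authLimiter(15, "authenticate with password", resourceKey("authWithPassword")),
    resource.authWithPassword
);
authRouter.post(
    "/resource/:resourceId/pincode",
    authLimiter(15, "authenticate with pincode", resourceKey("authWithPincode")),
    resource.authWithPincode
);
authRouter.post(
    "/resource/:resourceId/whitelist",
    authLimiter(
        15,
        "request an email OTP",
        (req) => `authWithWhitelist:${req.ip}:${emailKey(req)}:${req.params.resourceId}`
    ),
    resource.authWithWhitelist
);

// Access-token auth has no per-route limiter; only the global per-IP/path one
// applies. NOTE(review): if tokens can be short or guessable, add a
// resourceKey-style limiter here as well.
authRouter.post("/resource/:resourceId/access-token", resource.authWithAccessToken);
authRouter.post("/access-token", resource.authWithAccessToken);

// OIDC hand-off. Unauthenticated by nature; the callback's protection (binding
// the response to the state issued by generate-url) has to live in
// idp.validateOidcCallback, not here.
authRouter.post("/idp/:idpId/oidc/generate-url", idp.generateOidcUrl);
authRouter.post("/idp/:idpId/oidc/validate-callback", idp.validateOidcCallback);

// First-run bootstrap. Both are unauthenticated; set-server-admin is only safe
// if auth.setServerAdmin refuses once an admin exists. NOTE(review): confirm
// that (not visible here), and consider a per-IP limiter on it.
authRouter.put("/set-server-admin", auth.setServerAdmin);
authRouter.get("/initial-setup-complete", auth.initialSetupComplete);

// Security Key routes
authRouter.post(
    "/security-key/register/start",
    verifySessionUserMiddleware,
    authLimiter(5, "register a security key", userKey("securityKeyRegister")),
    auth.startRegistration
);
authRouter.post(
    "/security-key/register/verify",
    verifySessionUserMiddleware,
    auth.verifyRegistration
);

// Unauthenticated: this *is* the login. Keyed by the claimed email when given,
// otherwise by source address (the old comment said "per IP", which was only the
// fallback).
authRouter.post(
    "/security-key/authenticate/start",
    authLimiter(10, "attempt security key authentication", accountKey("securityKeyAuth")),
    auth.startAuthentication
);
// NOTE(review): the verify step has no per-route limiter; it relies on the
// challenge issued by /start (presumably single-use) plus the global limiter.
authRouter.post("/security-key/authenticate/verify", auth.verifyAuthentication);

authRouter.get(
    "/security-key/list",
    verifySessionUserMiddleware,
    auth.listSecurityKeys
);
authRouter.delete(
    "/security-key/:credentialId",
    verifySessionUserMiddleware,
    // 20 per window is what was enforced; the old hand-written message said 10.
    authLimiter(20, "delete a security key", userKey("securityKeyDelete")),
    auth.deleteSecurityKey
);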