mirror/fosrl.pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2025-07-24 20:55:04 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

add deleteClient endpoint

Browse source
This commit is contained in:
miloschwartz 2025-02-21 15:26:48 -05:00
parent 255e29d9c8
commit 11920ca997
No known key found for this signature in database
6 changed files with 161 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

3
server/auth/actions.ts
View file

@ -62,7 +62,8 @@ export enum ActionsEnum {
deleteResourceRule = "deleteResourceRule",
listResourceRules = "listResourceRules",
updateResourceRule = "updateResourceRule",
createClient = "createClient"
createClient = "createClient",
deleteClient = "deleteClient"
}
export async function checkUserActionPermission(

8
server/db/schema.ts
View file

@ -121,9 +121,11 @@ export const clients = sqliteTable("clients", {
siteId: integer("siteId").references(() => sites.siteId, {
onDelete: "cascade"
}),
orgId: text("orgId").references(() => orgs.orgId, {
onDelete: "cascade"
}),
orgId: text("orgId")
.references(() => orgs.orgId, {
onDelete: "cascade"
})
.notNull(),
name: text("name").notNull(),
pubKey: text("pubKey"),
subnet: text("subnet").notNull(),

1
server/middlewares/index.ts
View file

@ -14,3 +14,4 @@ export * from "./verifyAdmin";
export * from "./verifySetResourceUsers";
export * from "./verifyUserInRole";
export * from "./verifyAccessTokenAccess";
export * from "./verifyClientAccess";

131
server/middlewares/verifyClientAccess.ts Normal file
View file

@ -0,0 +1,131 @@
import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import { userOrgs, clients, roleClients, userClients } from "@server/db/schema";
import { and, eq } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
export async function verifyClientAccess(
req: Request,
res: Response,
next: NextFunction
) {
const userId = req.user!.userId; // Assuming you have user information in the request
const clientId = parseInt(
req.params.clientId || req.body.clientId || req.query.clientId
);
if (!userId) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
);
}
if (isNaN(clientId)) {
return next(createHttpError(HttpCode.BAD_REQUEST, "Invalid client ID"));
}
try {
// Get the client
const [client] = await db
.select()
.from(clients)
.where(eq(clients.clientId, clientId))
.limit(1);
if (!client) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`Client with ID ${clientId} not found`
)
);
}
if (!client.orgId) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
`Client with ID ${clientId} does not have an organization ID`
)
);
}
if (!req.userOrg) {
// Get user's role ID in the organization
const userOrgRole = await db
.select()
.from(userOrgs)
.where(
and(
eq(userOrgs.userId, userId),
eq(userOrgs.orgId, client.orgId)
)
)
.limit(1);
req.userOrg = userOrgRole[0];
}
if (!req.userOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have access to this organization"
)
);
}
const userOrgRoleId = req.userOrg.roleId;
req.userOrgRoleId = userOrgRoleId;
req.userOrgId = client.orgId;
// Check role-based site access first
const [roleClientAccess] = await db
.select()
.from(roleClients)
.where(
and(
eq(roleClients.clientId, clientId),
eq(roleClients.roleId, userOrgRoleId)
)
)
.limit(1);
if (roleClientAccess) {
// User has access to the site through their role
return next();
}
// If role doesn't have access, check user-specific site access
const [userClientAccess] = await db
.select()
.from(userClients)
.where(
and(
eq(userClients.userId, userId),
eq(userClients.clientId, clientId)
)
)
.limit(1);
if (userClientAccess) {
// User has direct access to the site
return next();
}
// If we reach here, the user doesn't have access to the site
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have access to this client"
)
);
} catch (error) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Error verifying site access"
)
);
}
}

50
server/routers/client/deleteClient.ts
View file

@ -1,23 +1,21 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db } from "@server/db";
import { newts, newtSessions, sites } from "@server/db/schema";
import { clients, sites } from "@server/db/schema";
import { eq } from "drizzle-orm";
import response from "@server/lib/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import logger from "@server/logger";
import { deletePeer } from "../gerbil/peers";
import { fromError } from "zod-validation-error";
import { sendToClient } from "../ws";
const deleteClientSchema = z
.object({
siteId: z.string().transform(Number).pipe(z.number().int().positive())
clientId: z.string().transform(Number).pipe(z.number().int().positive())
})
.strict();
export async function deleteSite(
export async function deleteClient(
req: Request,
res: Response,
next: NextFunction
@ -33,56 +31,30 @@ export async function deleteSite(
);
}
const { siteId } = parsedParams.data;
const { clientId } = parsedParams.data;
const [site] = await db
const [client] = await db
.select()
.from(sites)
.where(eq(sites.siteId, siteId))
.from(clients)
.where(eq(clients.clientId, clientId))
.limit(1);
if (!site) {
if (!client) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`Site with ID ${siteId} not found`
`Site with ID ${clientId} not found`
)
);
}
await db.transaction(async (trx) => {
if (site.pubKey) {
if (site.type == "wireguard") {
await deletePeer(site.exitNodeId!, site.pubKey);
} else if (site.type == "newt") {
// get the newt on the site by querying the newt table for siteId
const [deletedNewt] = await trx
.delete(newts)
.where(eq(newts.siteId, siteId))
.returning();
if (deletedNewt) {
const payload = {
type: `newt/terminate`,
data: {}
};
sendToClient(deletedNewt.newtId, payload);
// delete all of the sessions for the newt
await trx
.delete(newtSessions)
.where(eq(newtSessions.newtId, deletedNewt.newtId));
}
}
}
await trx.delete(sites).where(eq(sites.siteId, siteId));
});
await db.delete(sites).where(eq(sites.siteId, clientId));
return response(res, {
data: null,
success: true,
error: false,
message: "Site deleted successfully",
message: "Client deleted successfully",
status: HttpCode.OK
});
} catch (error) {

13
server/routers/external.ts
View file

@ -22,7 +22,8 @@ import {
verifyRoleAccess,
verifySetResourceUsers,
verifyUserAccess,
getUserOrgs
getUserOrgs,
verifyClientAccess
} from "@server/middlewares";
import { verifyUserHasAction } from "../middlewares/verifyUserHasAction";
import { ActionsEnum } from "@server/auth/actions";
@ -98,7 +99,7 @@ authenticated.get(
authenticated.get(
"/site/:siteId/pick-client-defaults",
verifyOrgAccess,
verifySiteAccess,
verifyUserHasAction(ActionsEnum.createClient),
client.pickClientDefaults
);
@ -110,6 +111,14 @@ authenticated.put(
client.createClient
);
authenticated.delete(
"/client/:clientId",
verifyClientAccess,
verifyUserHasAction(ActionsEnum.deleteClient),
client.deleteClient
);
// authenticated.get(
// "/site/:siteId/roles",
// verifySiteAccess,