add logging for verifySession

This commit is contained in:
Milo Schwartz 2024-11-24 14:28:23 -05:00
parent a82a7ed18d
commit 4e7fa0f2d9
No known key found for this signature in database
3 changed files with 49 additions and 28 deletions

View file

@ -32,8 +32,8 @@
"@radix-ui/react-switch": "1.1.1",
"@radix-ui/react-tabs": "1.1.1",
"@radix-ui/react-toast": "1.2.2",
"@react-email/components": "0.0.25",
"@react-email/tailwind": "0.1.0",
"@react-email/components": "0.0.28",
"@react-email/tailwind": "1.0.2",
"@tanstack/react-table": "8.20.5",
"axios": "1.7.7",
"better-sqlite3": "11.3.0",
@ -60,8 +60,8 @@
"node-fetch": "3.3.2",
"nodemailer": "6.9.15",
"oslo": "1.2.1",
"react": "19.0.0-rc-69d4b800-20241021",
"react-dom": "19.0.0-rc-69d4b800-20241021",
"react": "19.0.0-rc.1",
"react-dom": "19.0.0-rc.1",
"react-hook-form": "7.53.0",
"rebuild": "0.1.2",
"tailwind-merge": "2.5.3",
@ -71,10 +71,10 @@
"winston-daily-rotate-file": "5.0.0",
"ws": "8.18.0",
"zod": "3.23.8",
"zod-validation-error": "3.4.0",
"react-email": "3.0.1"
"zod-validation-error": "3.4.0"
},
"devDependencies": {
"react-email": "3.0.2",
"@dotenvx/dotenvx": "1.14.2",
"@esbuild-plugins/tsconfig-paths": "0.1.2",
"@types/better-sqlite3": "7.6.11",

View file

@ -5,7 +5,7 @@ import { users, emailVerificationCodes } from "@server/db/schema";
import { eq } from "drizzle-orm";
import { sendEmail } from "@server/emails";
import config from "@server/config";
import VerifyEmail from "@server/emails/templates/verifyEmailCode";
import VerifyEmail from "@server/emails/templates/VerifyEmailCode";
export async function sendEmailVerificationCode(
email: string,

View file

@ -43,7 +43,7 @@ export type VerifyUserResponse = {
export async function verifyResourceSession(
req: Request,
res: Response,
next: NextFunction
next: NextFunction,
): Promise<any> {
logger.debug("Badger sent", req.body); // remove when done testing
@ -53,8 +53,8 @@ export async function verifyResourceSession(
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedBody.error).toString()
)
fromError(parsedBody.error).toString(),
),
);
}
@ -66,11 +66,11 @@ export async function verifyResourceSession(
.from(resources)
.leftJoin(
resourcePincode,
eq(resourcePincode.resourceId, resources.resourceId)
eq(resourcePincode.resourceId, resources.resourceId),
)
.leftJoin(
resourcePassword,
eq(resourcePassword.resourceId, resources.resourceId)
eq(resourcePassword.resourceId, resources.resourceId),
)
.where(eq(resources.fullDomain, host))
.limit(1);
@ -80,32 +80,38 @@ export async function verifyResourceSession(
const password = result?.resourcePassword;
if (!resource) {
logger.debug("Resource not found", host);
return notAllowed(res);
}
const { sso, blockAccess } = resource;
if (blockAccess) {
logger.debug("Resource blocked", host);
return notAllowed(res);
}
if (!resource.sso && !pincode && !password) {
logger.debug("Resource allowed because no auth");
return allowed(res);
}
const redirectUrl = `${config.app.base_url}/auth/resource/${resource.resourceId}?redirect=${originalRequestURL}`;
const redirectUrl = `${config.app.base_url}/auth/resource/${encodeURIComponent(resource.resourceId)}?redirect=${encodeURIComponent(originalRequestURL)}`;
if (sso && sessions.session) {
const { session, user } = await validateSessionToken(
sessions.session
sessions.session,
);
if (session && user) {
const isAllowed = await isUserAllowedToAccessResource(
user.userId,
resource
resource,
);
if (isAllowed) {
logger.debug(
"Resource allowed because user session is valid",
);
return allowed(res);
}
}
@ -114,13 +120,16 @@ export async function verifyResourceSession(
if (password && sessions.resource_session) {
const { resourceSession } = await validateResourceSessionToken(
sessions.resource_session,
resource.resourceId
resource.resourceId,
);
if (resourceSession) {
if (
pincode &&
resourceSession.pincodeId === pincode.pincodeId
) {
logger.debug(
"Resource allowed because pincode session is valid",
);
return allowed(res);
}
@ -128,51 +137,63 @@ export async function verifyResourceSession(
password &&
resourceSession.passwordId === password.passwordId
) {
logger.debug(
"Resource allowed because password session is valid",
);
return allowed(res);
}
}
}
logger.debug("No more auth to check, resource not allowed");
return notAllowed(res, redirectUrl);
} catch (e) {
console.error(e);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to verify session"
)
"Failed to verify session",
),
);
}
}
function notAllowed(res: Response, redirectUrl?: string) {
return response<VerifyUserResponse>(res, {
const data = {
data: { valid: false, redirectUrl },
success: true,
error: false,
message: "Access denied",
status: HttpCode.OK,
});
}
logger.debug(JSON.stringify(data));
return response<VerifyUserResponse>(res, data);
}
function allowed(res: Response) {
return response<VerifyUserResponse>(res, {
const data = {
data: { valid: true },
success: true,
error: false,
message: "Access allowed",
status: HttpCode.OK,
});
}
logger.debug(JSON.stringify(data));
return response<VerifyUserResponse>(res, data);
}
async function isUserAllowedToAccessResource(
userId: string,
resource: Resource
resource: Resource,
) {
const userOrgRole = await db
.select()
.from(userOrgs)
.where(
and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, resource.orgId))
and(
eq(userOrgs.userId, userId),
eq(userOrgs.orgId, resource.orgId),
),
)
.limit(1);
@ -186,8 +207,8 @@ async function isUserAllowedToAccessResource(
.where(
and(
eq(roleResources.resourceId, resource.resourceId),
eq(roleResources.roleId, userOrgRole[0].roleId)
)
eq(roleResources.roleId, userOrgRole[0].roleId),
),
)
.limit(1);
@ -201,8 +222,8 @@ async function isUserAllowedToAccessResource(
.where(
and(
eq(userResources.userId, userId),
eq(userResources.resourceId, resource.resourceId)
)
eq(userResources.resourceId, resource.resourceId),
),
)
.limit(1);