mirror of
https://github.com/fosrl/pangolin.git
synced 2025-08-04 18:14:53 +02:00
add logging for verifySession
This commit is contained in:
parent
a82a7ed18d
commit
4e7fa0f2d9
3 changed files with 49 additions and 28 deletions
12
package.json
12
package.json
|
@ -32,8 +32,8 @@
|
|||
"@radix-ui/react-switch": "1.1.1",
|
||||
"@radix-ui/react-tabs": "1.1.1",
|
||||
"@radix-ui/react-toast": "1.2.2",
|
||||
"@react-email/components": "0.0.25",
|
||||
"@react-email/tailwind": "0.1.0",
|
||||
"@react-email/components": "0.0.28",
|
||||
"@react-email/tailwind": "1.0.2",
|
||||
"@tanstack/react-table": "8.20.5",
|
||||
"axios": "1.7.7",
|
||||
"better-sqlite3": "11.3.0",
|
||||
|
@ -60,8 +60,8 @@
|
|||
"node-fetch": "3.3.2",
|
||||
"nodemailer": "6.9.15",
|
||||
"oslo": "1.2.1",
|
||||
"react": "19.0.0-rc-69d4b800-20241021",
|
||||
"react-dom": "19.0.0-rc-69d4b800-20241021",
|
||||
"react": "19.0.0-rc.1",
|
||||
"react-dom": "19.0.0-rc.1",
|
||||
"react-hook-form": "7.53.0",
|
||||
"rebuild": "0.1.2",
|
||||
"tailwind-merge": "2.5.3",
|
||||
|
@ -71,10 +71,10 @@
|
|||
"winston-daily-rotate-file": "5.0.0",
|
||||
"ws": "8.18.0",
|
||||
"zod": "3.23.8",
|
||||
"zod-validation-error": "3.4.0",
|
||||
"react-email": "3.0.1"
|
||||
"zod-validation-error": "3.4.0"
|
||||
},
|
||||
"devDependencies": {
|
||||
"react-email": "3.0.2",
|
||||
"@dotenvx/dotenvx": "1.14.2",
|
||||
"@esbuild-plugins/tsconfig-paths": "0.1.2",
|
||||
"@types/better-sqlite3": "7.6.11",
|
||||
|
|
|
@ -5,7 +5,7 @@ import { users, emailVerificationCodes } from "@server/db/schema";
|
|||
import { eq } from "drizzle-orm";
|
||||
import { sendEmail } from "@server/emails";
|
||||
import config from "@server/config";
|
||||
import VerifyEmail from "@server/emails/templates/verifyEmailCode";
|
||||
import VerifyEmail from "@server/emails/templates/VerifyEmailCode";
|
||||
|
||||
export async function sendEmailVerificationCode(
|
||||
email: string,
|
||||
|
|
|
@ -43,7 +43,7 @@ export type VerifyUserResponse = {
|
|||
export async function verifyResourceSession(
|
||||
req: Request,
|
||||
res: Response,
|
||||
next: NextFunction
|
||||
next: NextFunction,
|
||||
): Promise<any> {
|
||||
logger.debug("Badger sent", req.body); // remove when done testing
|
||||
|
||||
|
@ -53,8 +53,8 @@ export async function verifyResourceSession(
|
|||
return next(
|
||||
createHttpError(
|
||||
HttpCode.BAD_REQUEST,
|
||||
fromError(parsedBody.error).toString()
|
||||
)
|
||||
fromError(parsedBody.error).toString(),
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
|
@ -66,11 +66,11 @@ export async function verifyResourceSession(
|
|||
.from(resources)
|
||||
.leftJoin(
|
||||
resourcePincode,
|
||||
eq(resourcePincode.resourceId, resources.resourceId)
|
||||
eq(resourcePincode.resourceId, resources.resourceId),
|
||||
)
|
||||
.leftJoin(
|
||||
resourcePassword,
|
||||
eq(resourcePassword.resourceId, resources.resourceId)
|
||||
eq(resourcePassword.resourceId, resources.resourceId),
|
||||
)
|
||||
.where(eq(resources.fullDomain, host))
|
||||
.limit(1);
|
||||
|
@ -80,32 +80,38 @@ export async function verifyResourceSession(
|
|||
const password = result?.resourcePassword;
|
||||
|
||||
if (!resource) {
|
||||
logger.debug("Resource not found", host);
|
||||
return notAllowed(res);
|
||||
}
|
||||
|
||||
const { sso, blockAccess } = resource;
|
||||
|
||||
if (blockAccess) {
|
||||
logger.debug("Resource blocked", host);
|
||||
return notAllowed(res);
|
||||
}
|
||||
|
||||
if (!resource.sso && !pincode && !password) {
|
||||
logger.debug("Resource allowed because no auth");
|
||||
return allowed(res);
|
||||
}
|
||||
|
||||
const redirectUrl = `${config.app.base_url}/auth/resource/${resource.resourceId}?redirect=${originalRequestURL}`;
|
||||
const redirectUrl = `${config.app.base_url}/auth/resource/${encodeURIComponent(resource.resourceId)}?redirect=${encodeURIComponent(originalRequestURL)}`;
|
||||
|
||||
if (sso && sessions.session) {
|
||||
const { session, user } = await validateSessionToken(
|
||||
sessions.session
|
||||
sessions.session,
|
||||
);
|
||||
if (session && user) {
|
||||
const isAllowed = await isUserAllowedToAccessResource(
|
||||
user.userId,
|
||||
resource
|
||||
resource,
|
||||
);
|
||||
|
||||
if (isAllowed) {
|
||||
logger.debug(
|
||||
"Resource allowed because user session is valid",
|
||||
);
|
||||
return allowed(res);
|
||||
}
|
||||
}
|
||||
|
@ -114,13 +120,16 @@ export async function verifyResourceSession(
|
|||
if (password && sessions.resource_session) {
|
||||
const { resourceSession } = await validateResourceSessionToken(
|
||||
sessions.resource_session,
|
||||
resource.resourceId
|
||||
resource.resourceId,
|
||||
);
|
||||
if (resourceSession) {
|
||||
if (
|
||||
pincode &&
|
||||
resourceSession.pincodeId === pincode.pincodeId
|
||||
) {
|
||||
logger.debug(
|
||||
"Resource allowed because pincode session is valid",
|
||||
);
|
||||
return allowed(res);
|
||||
}
|
||||
|
||||
|
@ -128,51 +137,63 @@ export async function verifyResourceSession(
|
|||
password &&
|
||||
resourceSession.passwordId === password.passwordId
|
||||
) {
|
||||
logger.debug(
|
||||
"Resource allowed because password session is valid",
|
||||
);
|
||||
return allowed(res);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
logger.debug("No more auth to check, resource not allowed");
|
||||
return notAllowed(res, redirectUrl);
|
||||
} catch (e) {
|
||||
console.error(e);
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.INTERNAL_SERVER_ERROR,
|
||||
"Failed to verify session"
|
||||
)
|
||||
"Failed to verify session",
|
||||
),
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
function notAllowed(res: Response, redirectUrl?: string) {
|
||||
return response<VerifyUserResponse>(res, {
|
||||
const data = {
|
||||
data: { valid: false, redirectUrl },
|
||||
success: true,
|
||||
error: false,
|
||||
message: "Access denied",
|
||||
status: HttpCode.OK,
|
||||
});
|
||||
}
|
||||
logger.debug(JSON.stringify(data));
|
||||
return response<VerifyUserResponse>(res, data);
|
||||
}
|
||||
|
||||
function allowed(res: Response) {
|
||||
return response<VerifyUserResponse>(res, {
|
||||
const data = {
|
||||
data: { valid: true },
|
||||
success: true,
|
||||
error: false,
|
||||
message: "Access allowed",
|
||||
status: HttpCode.OK,
|
||||
});
|
||||
}
|
||||
logger.debug(JSON.stringify(data));
|
||||
return response<VerifyUserResponse>(res, data);
|
||||
}
|
||||
|
||||
async function isUserAllowedToAccessResource(
|
||||
userId: string,
|
||||
resource: Resource
|
||||
resource: Resource,
|
||||
) {
|
||||
const userOrgRole = await db
|
||||
.select()
|
||||
.from(userOrgs)
|
||||
.where(
|
||||
and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, resource.orgId))
|
||||
and(
|
||||
eq(userOrgs.userId, userId),
|
||||
eq(userOrgs.orgId, resource.orgId),
|
||||
),
|
||||
)
|
||||
.limit(1);
|
||||
|
||||
|
@ -186,8 +207,8 @@ async function isUserAllowedToAccessResource(
|
|||
.where(
|
||||
and(
|
||||
eq(roleResources.resourceId, resource.resourceId),
|
||||
eq(roleResources.roleId, userOrgRole[0].roleId)
|
||||
)
|
||||
eq(roleResources.roleId, userOrgRole[0].roleId),
|
||||
),
|
||||
)
|
||||
.limit(1);
|
||||
|
||||
|
@ -201,8 +222,8 @@ async function isUserAllowedToAccessResource(
|
|||
.where(
|
||||
and(
|
||||
eq(userResources.userId, userId),
|
||||
eq(userResources.resourceId, resource.resourceId)
|
||||
)
|
||||
eq(userResources.resourceId, resource.resourceId),
|
||||
),
|
||||
)
|
||||
.limit(1);
|
||||
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue