mirror/fosrl.pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2025-08-31 23:10:00 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

add logging for verifySession

Browse source
This commit is contained in:
Milo Schwartz 2024-11-24 14:28:23 -05:00
parent a82a7ed18d
commit 4e7fa0f2d9
No known key found for this signature in database
3 changed files with 49 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

12
package.json
View file

@ -32,8 +32,8 @@
"@radix-ui/react-switch": "1.1.1", "@radix-ui/react-switch": "1.1.1",
"@radix-ui/react-tabs": "1.1.1", "@radix-ui/react-tabs": "1.1.1",
"@radix-ui/react-toast": "1.2.2", "@radix-ui/react-toast": "1.2.2",
"@react-email/components": "0.0.25", "@react-email/components": "0.0.28",
"@react-email/tailwind": "0.1.0", "@react-email/tailwind": "1.0.2",
"@tanstack/react-table": "8.20.5", "@tanstack/react-table": "8.20.5",
"axios": "1.7.7", "axios": "1.7.7",
"better-sqlite3": "11.3.0", "better-sqlite3": "11.3.0",
@ -60,8 +60,8 @@
"node-fetch": "3.3.2", "node-fetch": "3.3.2",
"nodemailer": "6.9.15", "nodemailer": "6.9.15",
"oslo": "1.2.1", "oslo": "1.2.1",
"react": "19.0.0-rc-69d4b800-20241021", "react": "19.0.0-rc.1",
"react-dom": "19.0.0-rc-69d4b800-20241021", "react-dom": "19.0.0-rc.1",
"react-hook-form": "7.53.0", "react-hook-form": "7.53.0",
"rebuild": "0.1.2", "rebuild": "0.1.2",
"tailwind-merge": "2.5.3", "tailwind-merge": "2.5.3",
@ -71,10 +71,10 @@
"winston-daily-rotate-file": "5.0.0", "winston-daily-rotate-file": "5.0.0",
"ws": "8.18.0", "ws": "8.18.0",
"zod": "3.23.8", "zod": "3.23.8",
"zod-validation-error": "3.4.0", "zod-validation-error": "3.4.0"
"react-email": "3.0.1"
}, },
"devDependencies": { "devDependencies": {
"react-email": "3.0.2",
"@dotenvx/dotenvx": "1.14.2", "@dotenvx/dotenvx": "1.14.2",
"@esbuild-plugins/tsconfig-paths": "0.1.2", "@esbuild-plugins/tsconfig-paths": "0.1.2",
"@types/better-sqlite3": "7.6.11", "@types/better-sqlite3": "7.6.11",

2
server/routers/auth/sendEmailVerificationCode.ts
View file

@ -5,7 +5,7 @@ import { users, emailVerificationCodes } from "@server/db/schema";
import { eq } from "drizzle-orm"; import { eq } from "drizzle-orm";
import { sendEmail } from "@server/emails"; import { sendEmail } from "@server/emails";
import config from "@server/config"; import config from "@server/config";
import VerifyEmail from "@server/emails/templates/verifyEmailCode"; import VerifyEmail from "@server/emails/templates/VerifyEmailCode";
export async function sendEmailVerificationCode( export async function sendEmailVerificationCode(
email: string, email: string,

63
server/routers/badger/verifySession.ts
View file

@ -43,7 +43,7 @@ export type VerifyUserResponse = {
export async function verifyResourceSession( export async function verifyResourceSession(
req: Request, req: Request,
res: Response, res: Response,
next: NextFunction next: NextFunction,
): Promise<any> { ): Promise<any> {
logger.debug("Badger sent", req.body); // remove when done testing logger.debug("Badger sent", req.body); // remove when done testing
@ -53,8 +53,8 @@ export async function verifyResourceSession(
return next( return next(
createHttpError( createHttpError(
HttpCode.BAD_REQUEST, HttpCode.BAD_REQUEST,
fromError(parsedBody.error).toString() fromError(parsedBody.error).toString(),
) ),
); );
} }
@ -66,11 +66,11 @@ export async function verifyResourceSession(
.from(resources) .from(resources)
.leftJoin( .leftJoin(
resourcePincode, resourcePincode,
eq(resourcePincode.resourceId, resources.resourceId) eq(resourcePincode.resourceId, resources.resourceId),
) )
.leftJoin( .leftJoin(
resourcePassword, resourcePassword,
eq(resourcePassword.resourceId, resources.resourceId) eq(resourcePassword.resourceId, resources.resourceId),
) )
.where(eq(resources.fullDomain, host)) .where(eq(resources.fullDomain, host))
.limit(1); .limit(1);
@ -80,32 +80,38 @@ export async function verifyResourceSession(
const password = result?.resourcePassword; const password = result?.resourcePassword;
if (!resource) { if (!resource) {
logger.debug("Resource not found", host);
return notAllowed(res); return notAllowed(res);
} }
const { sso, blockAccess } = resource; const { sso, blockAccess } = resource;
if (blockAccess) { if (blockAccess) {
logger.debug("Resource blocked", host);
return notAllowed(res); return notAllowed(res);
} }
if (!resource.sso && !pincode && !password) { if (!resource.sso && !pincode && !password) {
logger.debug("Resource allowed because no auth");
return allowed(res); return allowed(res);
} }
const redirectUrl = `${config.app.base_url}/auth/resource/${resource.resourceId}?redirect=${originalRequestURL}`; const redirectUrl = `${config.app.base_url}/auth/resource/${encodeURIComponent(resource.resourceId)}?redirect=${encodeURIComponent(originalRequestURL)}`;
if (sso && sessions.session) { if (sso && sessions.session) {
const { session, user } = await validateSessionToken( const { session, user } = await validateSessionToken(
sessions.session sessions.session,
); );
if (session && user) { if (session && user) {
const isAllowed = await isUserAllowedToAccessResource( const isAllowed = await isUserAllowedToAccessResource(
user.userId, user.userId,
resource resource,
); );
if (isAllowed) { if (isAllowed) {
logger.debug(
"Resource allowed because user session is valid",
);
return allowed(res); return allowed(res);
} }
} }
@ -114,13 +120,16 @@ export async function verifyResourceSession(
if (password && sessions.resource_session) { if (password && sessions.resource_session) {
const { resourceSession } = await validateResourceSessionToken( const { resourceSession } = await validateResourceSessionToken(
sessions.resource_session, sessions.resource_session,
resource.resourceId resource.resourceId,
); );
if (resourceSession) { if (resourceSession) {
if ( if (
pincode && pincode &&
resourceSession.pincodeId === pincode.pincodeId resourceSession.pincodeId === pincode.pincodeId
) { ) {
logger.debug(
"Resource allowed because pincode session is valid",
);
return allowed(res); return allowed(res);
} }
@ -128,51 +137,63 @@ export async function verifyResourceSession(
password && password &&
resourceSession.passwordId === password.passwordId resourceSession.passwordId === password.passwordId
) { ) {
logger.debug(
"Resource allowed because password session is valid",
);
return allowed(res); return allowed(res);
} }
} }
} }
logger.debug("No more auth to check, resource not allowed");
return notAllowed(res, redirectUrl); return notAllowed(res, redirectUrl);
} catch (e) { } catch (e) {
console.error(e);
return next( return next(
createHttpError( createHttpError(
HttpCode.INTERNAL_SERVER_ERROR, HttpCode.INTERNAL_SERVER_ERROR,
"Failed to verify session" "Failed to verify session",
) ),
); );
} }
} }
function notAllowed(res: Response, redirectUrl?: string) { function notAllowed(res: Response, redirectUrl?: string) {
return response<VerifyUserResponse>(res, { const data = {
data: { valid: false, redirectUrl }, data: { valid: false, redirectUrl },
success: true, success: true,
error: false, error: false,
message: "Access denied", message: "Access denied",
status: HttpCode.OK, status: HttpCode.OK,
}); }
logger.debug(JSON.stringify(data));
return response<VerifyUserResponse>(res, data);
} }
function allowed(res: Response) { function allowed(res: Response) {
return response<VerifyUserResponse>(res, { const data = {
data: { valid: true }, data: { valid: true },
success: true, success: true,
error: false, error: false,
message: "Access allowed", message: "Access allowed",
status: HttpCode.OK, status: HttpCode.OK,
}); }
logger.debug(JSON.stringify(data));
return response<VerifyUserResponse>(res, data);
} }
async function isUserAllowedToAccessResource( async function isUserAllowedToAccessResource(
userId: string, userId: string,
resource: Resource resource: Resource,
) { ) {
const userOrgRole = await db const userOrgRole = await db
.select() .select()
.from(userOrgs) .from(userOrgs)
.where( .where(
and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, resource.orgId)) and(
eq(userOrgs.userId, userId),
eq(userOrgs.orgId, resource.orgId),
),
) )
.limit(1); .limit(1);
@ -186,8 +207,8 @@ async function isUserAllowedToAccessResource(
.where( .where(
and( and(
eq(roleResources.resourceId, resource.resourceId), eq(roleResources.resourceId, resource.resourceId),
eq(roleResources.roleId, userOrgRole[0].roleId) eq(roleResources.roleId, userOrgRole[0].roleId),
) ),
) )
.limit(1); .limit(1);
@ -201,8 +222,8 @@ async function isUserAllowedToAccessResource(
.where( .where(
and( and(
eq(userResources.userId, userId), eq(userResources.userId, userId),
eq(userResources.resourceId, resource.resourceId) eq(userResources.resourceId, resource.resourceId),
) ),
) )
.limit(1); .limit(1);