Merge pull request #1164 from Infisical/depr-middleware
Remove unused authorization middleware
pull/498/merge
commit
131d5d7207
@ -1,5 +0,0 @@
|
||||
import requireSecretSnapshotAuth from "./requireSecretSnapshotAuth";
|
||||
|
||||
export {
|
||||
requireSecretSnapshotAuth,
|
||||
}
|
@ -1,43 +0,0 @@
|
||||
import { NextFunction, Request, Response } from "express";
|
||||
import { SecretSnapshotNotFoundError } from "../../utils/errors";
|
||||
import { SecretSnapshot } from "../models";
|
||||
import {
|
||||
validateMembership,
|
||||
} from "../../helpers/membership";
|
||||
|
||||
/**
|
||||
* Validate if user on request has proper membership for secret snapshot
|
||||
* @param {Object} obj
|
||||
* @param {String[]} obj.acceptedRoles - accepted workspace roles
|
||||
* @param {String[]} obj.acceptedStatuses - accepted workspace statuses
|
||||
* @param {String[]} obj.location - location of [workspaceId] on request (e.g. params, body) for parsing
|
||||
*/
|
||||
const requireSecretSnapshotAuth = ({
|
||||
acceptedRoles,
|
||||
}: {
|
||||
acceptedRoles: Array<"admin" | "member">;
|
||||
}) => {
|
||||
return async (req: Request, res: Response, next: NextFunction) => {
|
||||
const { secretSnapshotId } = req.params;
|
||||
|
||||
const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId);
|
||||
|
||||
if (!secretSnapshot) {
|
||||
return next(SecretSnapshotNotFoundError({
|
||||
message: "Failed to find secret snapshot",
|
||||
}));
|
||||
}
|
||||
|
||||
await validateMembership({
|
||||
userId: req.user._id,
|
||||
workspaceId: secretSnapshot.workspace,
|
||||
acceptedRoles,
|
||||
});
|
||||
|
||||
req.secretSnapshot = secretSnapshot as any;
|
||||
|
||||
next();
|
||||
}
|
||||
}
|
||||
|
||||
export default requireSecretSnapshotAuth;
|
@ -1,39 +1,23 @@
|
||||
import requireAuth from "./requireAuth";
|
||||
import requireMfaAuth from "./requireMfaAuth";
|
||||
import requireBotAuth from "./requireBotAuth";
|
||||
import requireSignupAuth from "./requireSignupAuth";
|
||||
import requireWorkspaceAuth from "./requireWorkspaceAuth";
|
||||
import requireMembershipAuth from "./requireMembershipAuth";
|
||||
import requireMembershipOrgAuth from "./requireMembershipOrgAuth";
|
||||
import requireOrganizationAuth from "./requireOrganizationAuth";
|
||||
import requireIntegrationAuth from "./requireIntegrationAuth";
|
||||
import requireIntegrationAuthorizationAuth from "./requireIntegrationAuthorizationAuth";
|
||||
import requireServiceTokenAuth from "./requireServiceTokenAuth";
|
||||
import requireServiceTokenDataAuth from "./requireServiceTokenDataAuth";
|
||||
import requireSecretAuth from "./requireSecretAuth";
|
||||
import requireSecretsAuth from "./requireSecretsAuth";
|
||||
import requireBlindIndicesEnabled from "./requireBlindIndicesEnabled";
|
||||
import requireE2EEOff from "./requireE2EEOff";
|
||||
import requireIPAllowlistCheck from "./requireIPAllowlistCheck";
|
||||
import validateRequest from "./validateRequest";
|
||||
|
||||
export {
|
||||
requireAuth,
|
||||
requireMfaAuth,
|
||||
requireBotAuth,
|
||||
requireSignupAuth,
|
||||
requireWorkspaceAuth,
|
||||
requireMembershipAuth,
|
||||
requireMembershipOrgAuth,
|
||||
requireOrganizationAuth,
|
||||
requireIntegrationAuth,
|
||||
requireIntegrationAuthorizationAuth,
|
||||
requireServiceTokenAuth,
|
||||
requireServiceTokenDataAuth,
|
||||
requireSecretAuth,
|
||||
requireSecretsAuth,
|
||||
requireBlindIndicesEnabled,
|
||||
requireE2EEOff,
|
||||
requireIPAllowlistCheck,
|
||||
validateRequest,
|
||||
};
|
||||
|
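Review bot: Dropping requireIPAllowlistCheck from this barrel (its file is deleted in the `@ -1,55 +0,0 @` hunk further down) removes the only code visible on this page that enforces a workspace's TrustedIP entries for ActorType.SERVICE callers, and the PR description only asserts the middleware is "unused" without saying where that check lives now. Before merging, confirm the trusted-IP comparison still runs on the service-token path — presumably inside a validateClient* helper reached from requireWorkspaceAuth, which this page does not show — because if it was simply unwired, workspace IP allowlists stop being enforced for service tokens with no compile error or failing route to reveal it. The same applies, with lower stakes, to the other removed authorization middleware (requireBotAuth, requireMembershipAuth, requireMembershipOrgAuth, requireOrganizationAuth, requireIntegrationAuth, requireIntegrationAuthorizationAuth, requireServiceTokenDataAuth): a stale import would fail under tsc, but a route that previously chained one of them and now chains nothing would not. A short note in the description such as `// IP allowlist for service tokens is now enforced in validateClientForWorkspace` (or wherever it actually is) would let a later reader verify this without a repo-wide search.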
@ -1,27 +0,0 @@
|
||||
import { NextFunction, Request, Response } from "express";
|
||||
import { Types } from "mongoose";
|
||||
import { validateClientForBot } from "../validation";
|
||||
|
||||
type req = "params" | "body" | "query";
|
||||
|
||||
const requireBotAuth = ({
|
||||
acceptedRoles,
|
||||
locationBotId = "params",
|
||||
}: {
|
||||
acceptedRoles: Array<"admin" | "member">;
|
||||
locationBotId?: req;
|
||||
}) => {
|
||||
return async (req: Request, res: Response, next: NextFunction) => {
|
||||
const { botId } = req[locationBotId];
|
||||
|
||||
req.bot = await validateClientForBot({
|
||||
authData: req.authData,
|
||||
botId: new Types.ObjectId(botId),
|
||||
acceptedRoles,
|
||||
});
|
||||
|
||||
next();
|
||||
}
|
||||
}
|
||||
|
||||
export default requireBotAuth;
|
@ -1,55 +0,0 @@
|
||||
import net from "net";
|
||||
import { NextFunction, Request, Response } from "express";
|
||||
import { UnauthorizedRequestError } from "../utils/errors";
|
||||
import { extractIPDetails } from "../utils/ip";
|
||||
import { ActorType, TrustedIP } from "../ee/models";
|
||||
|
||||
type req = "params" | "body" | "query";
|
||||
|
||||
/**
|
||||
* Validate if workspace with [workspaceId] has E2EE off/disabled
|
||||
* @param {Object} obj
|
||||
* @param {String} obj.locationWorkspaceId - location of [workspaceId] on request (e.g. params, body) for parsing
|
||||
* @returns
|
||||
*/
|
||||
const requireIPAllowlistCheck = ({
|
||||
locationWorkspaceId
|
||||
}: {
|
||||
locationWorkspaceId: req;
|
||||
}) => {
|
||||
return async (req: Request, _: Response, next: NextFunction) => {
|
||||
const workspaceId = req[locationWorkspaceId]?.workspaceId;
|
||||
|
||||
if (req.authData.actor.type === ActorType.SERVICE) {
|
||||
const trustedIps = await TrustedIP.find({
|
||||
workspace: workspaceId
|
||||
});
|
||||
|
||||
if (trustedIps.length > 0) {
|
||||
// case: check the IP address of the inbound request against trusted IPs
|
||||
|
||||
const blockList = new net.BlockList();
|
||||
|
||||
for (const trustedIp of trustedIps) {
|
||||
if (trustedIp.prefix !== undefined) {
|
||||
blockList.addSubnet(trustedIp.ipAddress, trustedIp.prefix, trustedIp.type);
|
||||
} else {
|
||||
blockList.addAddress(trustedIp.ipAddress, trustedIp.type);
|
||||
}
|
||||
}
|
||||
|
||||
const { type } = extractIPDetails(req.authData.ipAddress);
|
||||
const check = blockList.check(req.authData.ipAddress, type);
|
||||
|
||||
if (!check)
|
||||
throw UnauthorizedRequestError({
|
||||
message: "Failed workspace authorization"
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
return next();
|
||||
}
|
||||
}
|
||||
|
||||
export default requireIPAllowlistCheck;
|
@ -1,37 +0,0 @@
|
||||
import { NextFunction, Request, Response } from "express";
|
||||
import { Types } from "mongoose";
|
||||
import { validateClientForIntegration } from "../validation";
|
||||
|
||||
/**
|
||||
* Validate if user on request is a member of workspace with proper roles associated
|
||||
* with the integration on request params.
|
||||
* @param {Object} obj
|
||||
* @param {String[]} obj.acceptedRoles - accepted workspace roles
|
||||
*/
|
||||
const requireIntegrationAuth = ({
|
||||
acceptedRoles,
|
||||
}: {
|
||||
acceptedRoles: Array<"admin" | "member">;
|
||||
}) => {
|
||||
return async (req: Request, res: Response, next: NextFunction) => {
|
||||
const { integrationId } = req.params;
|
||||
|
||||
const { integration, accessToken } = await validateClientForIntegration({
|
||||
authData: req.authData,
|
||||
integrationId: new Types.ObjectId(integrationId),
|
||||
acceptedRoles,
|
||||
});
|
||||
|
||||
if (integration) {
|
||||
req.integration = integration;
|
||||
}
|
||||
|
||||
if (accessToken) {
|
||||
req.accessToken = accessToken;
|
||||
}
|
||||
|
||||
return next();
|
||||
};
|
||||
};
|
||||
|
||||
export default requireIntegrationAuth;
|
@ -1,49 +0,0 @@
|
||||
import { Types } from "mongoose";
|
||||
import { NextFunction, Request, Response } from "express";
|
||||
import { validateClientForIntegrationAuth } from "../validation";
|
||||
|
||||
type req = "params" | "body" | "query";
|
||||
|
||||
/**
|
||||
* Validate if user on request is a member of workspace with proper roles associated
|
||||
* with the integration authorization on request params.
|
||||
* @param {Object} obj
|
||||
* @param {String[]} obj.acceptedRoles - accepted workspace roles
|
||||
* @param {Boolean} obj.attachAccessToken - whether or not to decrypt and attach integration authorization access token onto request
|
||||
*/
|
||||
const requireIntegrationAuthorizationAuth = ({
|
||||
acceptedRoles,
|
||||
attachAccessToken = true,
|
||||
location = "params",
|
||||
}: {
|
||||
acceptedRoles: Array<"admin" | "member">;
|
||||
attachAccessToken?: boolean;
|
||||
location?: req;
|
||||
}) => {
|
||||
return async (req: Request, res: Response, next: NextFunction) => {
|
||||
const { integrationAuthId } = req[location];
|
||||
|
||||
const { integrationAuth, accessToken, accessId } = await validateClientForIntegrationAuth({
|
||||
authData: req.authData,
|
||||
integrationAuthId: new Types.ObjectId(integrationAuthId),
|
||||
acceptedRoles,
|
||||
attachAccessToken,
|
||||
});
|
||||
|
||||
if (integrationAuth) {
|
||||
req.integrationAuth = integrationAuth;
|
||||
}
|
||||
|
||||
if (accessToken) {
|
||||
req.accessToken = accessToken;
|
||||
}
|
||||
|
||||
if (accessId) {
|
||||
req.accessId = accessId;
|
||||
}
|
||||
|
||||
return next();
|
||||
};
|
||||
};
|
||||
|
||||
export default requireIntegrationAuthorizationAuth;
|
@ -1,38 +0,0 @@
|
||||
import { Types } from "mongoose";
|
||||
import { NextFunction, Request, Response } from "express";
|
||||
import { validateClientForMembership } from "../validation";
|
||||
|
||||
type req = "params" | "body" | "query";
|
||||
|
||||
/**
|
||||
* Validate membership with id [membershipId] and that user with id
|
||||
* [req.user._id] can modify that membership.
|
||||
* @param {Object} obj
|
||||
* @param {String[]} obj.acceptedRoles - accepted workspace roles
|
||||
* @param {String[]} obj.location - location of [workspaceId] on request (e.g. params, body) for parsing
|
||||
*/
|
||||
const requireMembershipAuth = ({
|
||||
acceptedRoles,
|
||||
locationMembershipId = "params",
|
||||
}: {
|
||||
acceptedRoles: Array<"admin" | "member">;
|
||||
locationMembershipId: req
|
||||
}) => {
|
||||
return async (
|
||||
req: Request,
|
||||
res: Response,
|
||||
next: NextFunction
|
||||
) => {
|
||||
const { membershipId } = req[locationMembershipId];
|
||||
|
||||
req.targetMembership = await validateClientForMembership({
|
||||
authData: req.authData,
|
||||
membershipId: new Types.ObjectId(membershipId),
|
||||
acceptedRoles,
|
||||
});
|
||||
|
||||
return next();
|
||||
}
|
||||
}
|
||||
|
||||
export default requireMembershipAuth;
|
@ -1,37 +0,0 @@
|
||||
import { Types } from "mongoose";
|
||||
import { NextFunction, Request, Response } from "express";
|
||||
import { validateClientForMembershipOrg } from "../validation";
|
||||
|
||||
type req = "params" | "body" | "query";
|
||||
|
||||
/**
|
||||
* Validate (organization) membership id [membershipId] and that user with id
|
||||
* [req.user._id] can modify that membership.
|
||||
* @param {Object} obj
|
||||
* @param {String[]} obj.acceptedRoles - accepted organization roles
|
||||
* @param {String[]} obj.location - location of [membershipId] on request (e.g. params, body) for parsing
|
||||
*/
|
||||
const requireMembershipOrgAuth = ({
|
||||
acceptedRoles,
|
||||
acceptedStatuses,
|
||||
locationMembershipOrgId = "params",
|
||||
}: {
|
||||
acceptedRoles: Array<"owner" | "admin" | "member">;
|
||||
acceptedStatuses: Array<"invited" | "accepted">;
|
||||
locationMembershipOrgId?: req;
|
||||
}) => {
|
||||
return async (req: Request, res: Response, next: NextFunction) => {
|
||||
const { membershipId } = req[locationMembershipOrgId];
|
||||
|
||||
req.membershipOrg = await validateClientForMembershipOrg({
|
||||
authData: req.authData,
|
||||
membershipOrgId: new Types.ObjectId(membershipId),
|
||||
acceptedRoles,
|
||||
acceptedStatuses,
|
||||
});
|
||||
|
||||
return next();
|
||||
}
|
||||
}
|
||||
|
||||
export default requireMembershipOrgAuth;
|
@ -1,45 +0,0 @@
|
||||
import { NextFunction, Request, Response } from "express";
|
||||
import { Types } from "mongoose";
|
||||
import { validateClientForOrganization } from "../validation";
|
||||
|
||||
type req = "params" | "body" | "query";
|
||||
|
||||
/**
|
||||
* Validate if user on request is a member with proper roles for organization
|
||||
* on request params.
|
||||
* @param {Object} obj
|
||||
* @param {String[]} obj.acceptedRoles - accepted organization roles
|
||||
* @param {String[]} obj.accepteStatuses - accepted organization statuses
|
||||
*/
|
||||
const requireOrganizationAuth = ({
|
||||
acceptedRoles,
|
||||
acceptedStatuses,
|
||||
locationOrganizationId = "params",
|
||||
}: {
|
||||
acceptedRoles: Array<"owner" | "admin" | "member">;
|
||||
acceptedStatuses: Array<"invited" | "accepted">;
|
||||
locationOrganizationId?: req;
|
||||
}) => {
|
||||
return async (req: Request, res: Response, next: NextFunction) => {
|
||||
const { organizationId } = req[locationOrganizationId];
|
||||
|
||||
const { organization, membershipOrg } = await validateClientForOrganization({
|
||||
authData: req.authData,
|
||||
organizationId: new Types.ObjectId(organizationId),
|
||||
acceptedRoles,
|
||||
acceptedStatuses,
|
||||
});
|
||||
|
||||
if (organization) {
|
||||
req.organization = organization;
|
||||
}
|
||||
|
||||
if (membershipOrg) {
|
||||
req.membershipOrg = membershipOrg;
|
||||
}
|
||||
|
||||
return next();
|
||||
};
|
||||
};
|
||||
|
||||
export default requireOrganizationAuth;
|
@ -1,27 +0,0 @@
|
||||
import { NextFunction, Request, Response } from "express";
|
||||
import { Types } from "mongoose";
|
||||
import { validateClientForServiceTokenData } from "../validation";
|
||||
|
||||
type req = "params" | "body" | "query";
|
||||
|
||||
const requireServiceTokenDataAuth = ({
|
||||
acceptedRoles,
|
||||
location = "params",
|
||||
}: {
|
||||
acceptedRoles: Array<"admin" | "member">;
|
||||
location?: req;
|
||||
}) => {
|
||||
return async (req: Request, res: Response, next: NextFunction) => {
|
||||
const { serviceTokenDataId } = req[location];
|
||||
|
||||
req.serviceTokenData = await validateClientForServiceTokenData({
|
||||
authData: req.authData,
|
||||
serviceTokenDataId: new Types.ObjectId(serviceTokenDataId),
|
||||
acceptedRoles,
|
||||
});
|
||||
|
||||
next();
|
||||
}
|
||||
}
|
||||
|
||||
export default requireServiceTokenDataAuth;
|