ami/tl-vikunja
1
0
Fork 0
Code

feat(api tokens): check for scopes

Browse Source
This commit is contained in:
kolaente 2023-08-31 21:59:20 +02:00
parent 677bd5cfc9
commit 5c6c6cd9f0
No known key found for this signature in database
GPG Key ID: F40E70337AB24C9B
2 changed files with 79 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
pkg/routes/api_routes_list.go → pkg/routes/api_routes.go
View File

@ -17,6 +17,7 @@
package routes package routes
import ( import (
"code.vikunja.io/api/pkg/models"
"net/http" "net/http"
"strings" "strings"
@ -30,15 +31,20 @@ func init() {
} }
type APITokenRoute struct { type APITokenRoute struct {
Create string `json:"create,omitempty"` Create *RouteDetail `json:"create,omitempty"`
ReadOne string `json:"read_one,omitempty"` ReadOne *RouteDetail `json:"read_one,omitempty"`
ReadAll string `json:"read_all,omitempty"` ReadAll *RouteDetail `json:"read_all,omitempty"`
Update string `json:"update,omitempty"` Update *RouteDetail `json:"update,omitempty"`
Delete string `json:"delete,omitempty"` Delete *RouteDetail `json:"delete,omitempty"`
} }
func getRouteGroupName(route echo.Route) string { type RouteDetail struct {
parts := strings.Split(strings.TrimPrefix(route.Path, "/api/v1/"), "/") Path string `json:"path"`
Method string `json:"method"`
}
func getRouteGroupName(path string) string {
parts := strings.Split(strings.TrimPrefix(path, "/api/v1/"), "/")
filteredParts := []string{} filteredParts := []string{}
for _, part := range parts { for _, part := range parts {
if strings.HasPrefix(part, ":") { if strings.HasPrefix(part, ":") {
@ -64,7 +70,7 @@ func collectRoutesForAPITokenUsage(route echo.Route) {
return return
} }
routeGroupName := getRouteGroupName(route) routeGroupName := getRouteGroupName(route.Path)
if routeGroupName == "subscriptions" || if routeGroupName == "subscriptions" ||
routeGroupName == "notifications" || routeGroupName == "notifications" ||
@ -79,19 +85,34 @@ func collectRoutesForAPITokenUsage(route echo.Route) {
} }
if strings.Contains(route.Name, "CreateWeb") { if strings.Contains(route.Name, "CreateWeb") {
apiTokenRoutes[routeGroupName].Create = route.Path apiTokenRoutes[routeGroupName].Create = &RouteDetail{
Path: route.Path,
Method: route.Method,
}
} }
if strings.Contains(route.Name, "ReadWeb") { if strings.Contains(route.Name, "ReadWeb") {
apiTokenRoutes[routeGroupName].ReadOne = route.Path apiTokenRoutes[routeGroupName].ReadOne = &RouteDetail{
Path: route.Path,
Method: route.Method,
}
} }
if strings.Contains(route.Name, "ReadAllWeb") { if strings.Contains(route.Name, "ReadAllWeb") {
apiTokenRoutes[routeGroupName].ReadAll = route.Path apiTokenRoutes[routeGroupName].ReadAll = &RouteDetail{
Path: route.Path,
Method: route.Method,
}
} }
if strings.Contains(route.Name, "UpdateWeb") { if strings.Contains(route.Name, "UpdateWeb") {
apiTokenRoutes[routeGroupName].Update = route.Path apiTokenRoutes[routeGroupName].Update = &RouteDetail{
Path: route.Path,
Method: route.Method,
}
} }
if strings.Contains(route.Name, "DeleteWeb") { if strings.Contains(route.Name, "DeleteWeb") {
apiTokenRoutes[routeGroupName].Delete = route.Path apiTokenRoutes[routeGroupName].Delete = &RouteDetail{
Path: route.Path,
Method: route.Method,
}
} }
} }
@ -106,3 +127,43 @@ func collectRoutesForAPITokenUsage(route echo.Route) {
func GetAvailableAPIRoutesForToken(c echo.Context) error { func GetAvailableAPIRoutesForToken(c echo.Context) error {
return c.JSON(http.StatusOK, apiTokenRoutes) return c.JSON(http.StatusOK, apiTokenRoutes)
} }
// CanDoAPIRoute checks if a token is allowed to use the current api route
func CanDoAPIRoute(c echo.Context, token *models.APIToken) (can bool) {
routeGroupName := getRouteGroupName(c.Path())
group, hasGroup := token.Permissions[routeGroupName]
if !hasGroup {
return false
}
var route string
routes, has := apiTokenRoutes[routeGroupName]
if !has {
return false
}
if routes.Create != nil && routes.Create.Path == c.Path() && routes.Create.Method == c.Request().Method {
route = "create"
}
if routes.ReadOne != nil && routes.ReadOne.Path == c.Path() && routes.ReadOne.Method == c.Request().Method {
route = "read_one"
}
if routes.ReadAll != nil && routes.ReadAll.Path == c.Path() && routes.ReadAll.Method == c.Request().Method {
route = "read_all"
}
if routes.Update != nil && routes.Update.Path == c.Path() && routes.Update.Method == c.Request().Method {
route = "update"
}
if routes.Delete != nil && routes.Delete.Path == c.Path() && routes.Delete.Method == c.Request().Method {
route = "delete"
}
for _, p := range group {
if p == route {
return true
}
}
return false
}

6
pkg/routes/routes.go
View File

@ -312,7 +312,11 @@ func registerAPIRoutes(a *echo.Group) {
return echo.NewHTTPError(http.StatusInternalServerError).SetInternal(err) return echo.NewHTTPError(http.StatusInternalServerError).SetInternal(err)
} }
if token.ExpiresAt.After(time.Now()) { if time.Now().After(token.ExpiresAt) {
return echo.NewHTTPError(http.StatusUnauthorized)
}
if !CanDoAPIRoute(c, token) {
return echo.NewHTTPError(http.StatusUnauthorized) return echo.NewHTTPError(http.StatusUnauthorized)
} }