feat(api tokens): check permissions when saving

pkg/routes/api_routes.go

@@ -1,170 +0,0 @@
-// Vikunja is a to-do list application to facilitate your life.
-// Copyright 2018-present Vikunja and contributors. All rights reserved.
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public Licensee as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU Affero General Public Licensee for more details.
-//
-// You should have received a copy of the GNU Affero General Public Licensee
-// along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-package routes
-
-import (
-	"net/http"
-	"strings"
-
-	"code.vikunja.io/api/pkg/models"
-
-	"github.com/labstack/echo/v4"
-)
-
-var apiTokenRoutes = map[string]*APITokenRoute{}
-
-func init() {
-	apiTokenRoutes = make(map[string]*APITokenRoute)
-}
-
-type APITokenRoute struct {
-	Create  *RouteDetail `json:"create,omitempty"`
-	ReadOne *RouteDetail `json:"read_one,omitempty"`
-	ReadAll *RouteDetail `json:"read_all,omitempty"`
-	Update  *RouteDetail `json:"update,omitempty"`
-	Delete  *RouteDetail `json:"delete,omitempty"`
-}
-
-type RouteDetail struct {
-	Path   string `json:"path"`
-	Method string `json:"method"`
-}
-
-func getRouteGroupName(path string) string {
-	parts := strings.Split(strings.TrimPrefix(path, "/api/v1/"), "/")
-	filteredParts := []string{}
-	for _, part := range parts {
-		if strings.HasPrefix(part, ":") {
-			continue
-		}
-
-		filteredParts = append(filteredParts, part)
-	}
-
-	finalName := strings.Join(filteredParts, "_")
-	switch finalName {
-	case "tasks_all":
-		return "tasks"
-	default:
-		return finalName
-	}
-}
-
-// collectRoutesForAPITokenUsage gets called for every added APITokenRoute and builds a list of all routes we can use for the api tokens.
-func collectRoutesForAPITokenUsage(route echo.Route) {
-
-	if !strings.Contains(route.Name, "(*WebHandler)") {
-		return
-	}
-
-	routeGroupName := getRouteGroupName(route.Path)
-
-	if routeGroupName == "subscriptions" ||
-		routeGroupName == "notifications" ||
-		routeGroupName == "tokens" ||
-		strings.HasSuffix(routeGroupName, "_bulk") {
-		return
-	}
-
-	_, has := apiTokenRoutes[routeGroupName]
-	if !has {
-		apiTokenRoutes[routeGroupName] = &APITokenRoute{}
-	}
-
-	if strings.Contains(route.Name, "CreateWeb") {
-		apiTokenRoutes[routeGroupName].Create = &RouteDetail{
-			Path:   route.Path,
-			Method: route.Method,
-		}
-	}
-	if strings.Contains(route.Name, "ReadWeb") {
-		apiTokenRoutes[routeGroupName].ReadOne = &RouteDetail{
-			Path:   route.Path,
-			Method: route.Method,
-		}
-	}
-	if strings.Contains(route.Name, "ReadAllWeb") {
-		apiTokenRoutes[routeGroupName].ReadAll = &RouteDetail{
-			Path:   route.Path,
-			Method: route.Method,
-		}
-	}
-	if strings.Contains(route.Name, "UpdateWeb") {
-		apiTokenRoutes[routeGroupName].Update = &RouteDetail{
-			Path:   route.Path,
-			Method: route.Method,
-		}
-	}
-	if strings.Contains(route.Name, "DeleteWeb") {
-		apiTokenRoutes[routeGroupName].Delete = &RouteDetail{
-			Path:   route.Path,
-			Method: route.Method,
-		}
-	}
-}
-
-// GetAvailableAPIRoutesForToken returns a list of all API routes which are available for token usage.
-// @Summary Get a list of all token api routes
-// @Description Returns a list of all API routes which are available to use with an api token, not a user login.
-// @tags api
-// @Produce json
-// @Security JWTKeyAuth
-// @Success 200 {array} routes.APITokenRoute "The list of all routes."
-// @Router /routes [get]
-func GetAvailableAPIRoutesForToken(c echo.Context) error {
-	return c.JSON(http.StatusOK, apiTokenRoutes)
-}
-
-// CanDoAPIRoute checks if a token is allowed to use the current api route
-func CanDoAPIRoute(c echo.Context, token *models.APIToken) (can bool) {
-	routeGroupName := getRouteGroupName(c.Path())
-
-	group, hasGroup := token.Permissions[routeGroupName]
-	if !hasGroup {
-		return false
-	}
-
-	var route string
-	routes, has := apiTokenRoutes[routeGroupName]
-	if !has {
-		return false
-	}
-
-	if routes.Create != nil && routes.Create.Path == c.Path() && routes.Create.Method == c.Request().Method {
-		route = "create"
-	}
-	if routes.ReadOne != nil && routes.ReadOne.Path == c.Path() && routes.ReadOne.Method == c.Request().Method {
-		route = "read_one"
-	}
-	if routes.ReadAll != nil && routes.ReadAll.Path == c.Path() && routes.ReadAll.Method == c.Request().Method {
-		route = "read_all"
-	}
-	if routes.Update != nil && routes.Update.Path == c.Path() && routes.Update.Method == c.Request().Method {
-		route = "update"
-	}
-	if routes.Delete != nil && routes.Delete.Path == c.Path() && routes.Delete.Method == c.Request().Method {
-		route = "delete"
-	}
-
-	for _, p := range group {
-		if p == route {
-			return true
-		}
-	}
-
-	return false
-}

pkg/routes/routes.go

@@ -204,7 +204,7 @@ func RegisterRoutes(e *echo.Echo) {
 	// API Routes
 	a := e.Group("/api/v1")
 	e.OnAddRouteHandler = func(host string, route echo.Route, handler echo.HandlerFunc, middleware []echo.MiddlewareFunc) {
-		collectRoutesForAPITokenUsage(route)
+		models.CollectRoutesForAPITokenUsage(route)
 	}
 	registerAPIRoutes(a)
 }
@@ -316,7 +316,7 @@ func registerAPIRoutes(a *echo.Group) {
 				return echo.NewHTTPError(http.StatusUnauthorized)
 			}
 
-			if !CanDoAPIRoute(c, token) {
+			if !models.CanDoAPIRoute(c, token) {
 				return echo.NewHTTPError(http.StatusUnauthorized)
 			}
 
@@ -333,7 +333,7 @@ func registerAPIRoutes(a *echo.Group) {
 	setupMetricsMiddleware(a)
 
 	a.POST("/tokenTest", apiv1.CheckToken)
-	a.GET("/routes", GetAvailableAPIRoutesForToken)
+	a.GET("/routes", models.GetAvailableAPIRoutesForToken)
 
 	// User stuff
 	u := a.Group("/user")