fix(rest): fix permissions being registered on user custom routes

When a route is registered by a user, that route should not be automatically authorized
tenseijs · Nov 20, 2020 · 034f575 · 034f575
1 parent 029e724
commit 034f575
Show file tree

Hide file tree

Showing 20 changed files with 237 additions and 77 deletions.
diff --git a/examples/blog/app.js b/examples/blog/app.js
@@ -2,7 +2,7 @@ require('dotenv').config()
 const { auth } = require('@tensei/auth')
 const { rest } = require('@tensei/rest')
 const { graphql } = require('@tensei/graphql')
-const { tensei, plugin } = require('@tensei/core')
+const { tensei, plugin, route } = require('@tensei/core')
 
 const Tag = require('./resources/Tag')
 const Post = require('./resources/Post')
@@ -14,6 +14,16 @@ module.exports = tensei()
     .resources([Tag, Post, User, Comment])
     .clientUrl('https://google.com')
     .defaultStorageDriver('local')
+    .routes([
+        route('Get products')
+            .get()
+            .path('/products')
+            .handle((req, res) =>
+                res.formatter.ok({
+                    name: 'Product 1',
+                })
+            ),
+    ])
     .plugins([
         auth()
             .user('Customer')
@@ -61,14 +71,14 @@ module.exports = tensei()
         }),
     ])
     .databaseConfig({
-        // type: 'mysql',
-        // dbName: 'mikrotensei',
+        type: 'mysql',
+        dbName: 'mikrotensei',
         // debug: true,
         // user: 'mikrotensei',
         // password: 'password',
 
-        type: 'sqlite',
-        dbName: 'mikrotensei',
+        // type: 'sqlite',
+        // dbName: 'mikrotensei',
 
         // type: 'postgresql',
         // // debug: true,

diff --git a/packages/auth/src/index.ts b/packages/auth/src/index.ts
@@ -570,13 +570,17 @@ class Auth {
                 async ({ graphQlQueries, routes, apiPath }) => {
                     graphQlQueries.forEach(query => {
                         if (query.config.resource) {
-                            const { path } = query.config
+                            const { path, internal } = query.config
                             const {
                                 snakeCaseNamePlural: plural,
                                 snakeCaseName: singular,
                                 slug
                             } = query.config.resource.data
 
+                            if (!internal) {
+                                return
+                            }
+
                             if (
                                 [
                                     `insert_${plural}`,
@@ -626,13 +630,19 @@ class Auth {
 
                     routes.forEach(route => {
                         if (route.config.resource) {
-                            const { resource, path, type } = route.config
+                            const {
+                                resource,
+                                path,
+                                type,
+                                internal
+                            } = route.config
 
                             const { slugSingular, slugPlural } = resource.data
 
                             if (
                                 path === `/${apiPath}/${slugPlural}` &&
-                                type === 'POST'
+                                type === 'POST' &&
+                                internal
                             ) {
                                 return route.authorize(({ user }) =>
                                     user.permissions!.includes(
@@ -643,7 +653,8 @@ class Auth {
 
                             if (
                                 path === `/${apiPath}/${slugPlural}` &&
-                                type === 'GET'
+                                type === 'GET' &&
+                                internal
                             ) {
                                 return route.authorize(({ user }) =>
                                     user.permissions!.includes(
@@ -654,7 +665,8 @@ class Auth {
 
                             if (
                                 path === `/${apiPath}/${slugPlural}/:id` &&
-                                type === 'GET'
+                                type === 'GET' &&
+                                internal
                             ) {
                                 return route.authorize(({ user }) =>
                                     user.permissions!.includes(
@@ -668,7 +680,8 @@ class Auth {
                                     `/${apiPath}/${slugPlural}/:id`,
                                     `/${apiPath}/${slugPlural}`
                                 ].includes(path) &&
-                                ['PUT', 'PATCH'].includes(type)
+                                ['PUT', 'PATCH'].includes(type) &&
+                                internal
                             ) {
                                 return route.authorize(({ user }) =>
                                     user.permissions!.includes(
@@ -682,7 +695,8 @@ class Auth {
                                     `/${apiPath}/${slugPlural}/:id`,
                                     `/${apiPath}/${slugPlural}`
                                 ].includes(path) &&
-                                type === 'DELETE'
+                                type === 'DELETE' &&
+                                internal
                             ) {
                                 return route.authorize(({ user }) =>
                                     user.permissions!.includes(
@@ -694,9 +708,6 @@ class Auth {
 
                         route.middleware([
                             async (request, response, next) => {
-                                // @ts-ignore
-                                request.req = request
-
                                 await this.getAuthUserFromContext(
                                     request as any
                                 )
@@ -730,8 +741,6 @@ class Auth {
                                 next()
                             }
                         ])
-
-                        route.authorize(() => false)
                     })
                 }
             )

diff --git a/packages/common/src/api/GraphQlQuery.ts b/packages/common/src/api/GraphQlQuery.ts
@@ -10,6 +10,7 @@ export class GraphQlQuery implements GraphQlQueryContract {
     public config: GraphQlQueryConfig = {
         path: '',
         name: '',
+        internal: false,
         type: 'QUERY',
         snakeCaseName: '',
         paramCaseName: '',
@@ -62,6 +63,12 @@ export class GraphQlQuery implements GraphQlQueryContract {
 
         return this
     }
+
+    internal() {
+        this.config.internal = true
+
+        return this
+    }
 }
 
 export const graphQlQuery = (name?: string) => new GraphQlQuery(name)
diff --git a/packages/common/src/api/Route.ts b/packages/common/src/api/Route.ts
@@ -12,6 +12,7 @@ export class Route implements RouteContract {
         path: '',
         name: '',
         type: 'GET',
+        internal: false,
         middleware: [],
         snakeCaseName: '',
         paramCaseName: '',
@@ -88,6 +89,12 @@ export class Route implements RouteContract {
 
         return this
     }
+
+    internal() {
+        this.config.internal = true
+
+        return this
+    }
 }
 
 export const route = (name?: string) => new Route(name)
diff --git a/packages/common/typings/config.d.ts b/packages/common/typings/config.d.ts
@@ -32,6 +32,7 @@ declare module '@tensei/common/config' {
         put(): this
         patch(): this
         delete(): this
+        internal(): this
         resource(resource: ResourceContract): this
         middleware(middleware: RequestHandler[]): this
         resource(resource: ResourceContract): this
@@ -44,6 +45,7 @@ declare module '@tensei/common/config' {
         path(path: string): this
         query(): this
         mutation(): this
+        internal(): this
         resource(resource: ResourceContract): this
         authorize(authorize: AuthorizeFunction): this
         handle(handler: GraphQlQueryConfig['handler']): this
@@ -52,6 +54,7 @@ declare module '@tensei/common/config' {
     interface RouteConfig {
         path: string
         name: string
+        internal: boolean
         type: EndpointTypes
         snakeCaseName: string
         paramCaseName: string
@@ -68,6 +71,7 @@ declare module '@tensei/common/config' {
     > {
         path: string
         name: string
+        internal: boolean
         snakeCaseName: string
         paramCaseName: string
         resource?: ResourceContract

diff --git a/packages/core/Tensei.ts b/packages/core/Tensei.ts
@@ -212,8 +212,9 @@ export class Tensei implements TenseiContract {
 
         this.app.listen(port, () => {
             this.ctx.logger.success(
-                `🚀 Access your server on ${this.ctx.serverUrl ||
-                    `http://127.0.0.1:${port}`}`
+                `🚀 Access your server on ${
+                    this.ctx.serverUrl || `http://127.0.0.1:${port}`
+                }`
             )
         })
     }
@@ -587,9 +588,7 @@ export class Tensei implements TenseiContract {
     }
 
     public mail(driverName: SupportedDrivers, mailConfig = {}) {
-        this.ctx.mailer = mail()
-            .connection(driverName)
-            .config(mailConfig)
+        this.ctx.mailer = mail().connection(driverName).config(mailConfig)
 
         return this
     }

diff --git a/packages/core/database/index.ts b/packages/core/database/index.ts
@@ -126,7 +126,7 @@ class Database {
     }
 
     private generateEntityClass(resource: ResourceContract) {
-        const entityClass = function() {}
+        const entityClass = function () {}
 
         Object.defineProperty(entityClass, 'name', {
             value: resource.data.pascalCaseName,

diff --git a/packages/express-session-mikro-orm/src/index.ts b/packages/express-session-mikro-orm/src/index.ts
@@ -49,10 +49,7 @@ const StoreFactory = (Store: any) => {
                     this.options.tableName,
                     (table: any) => {
                         table.string('session_id').primary()
-                        table
-                            .datetime('expires')
-                            .nullable()
-                            .index()
+                        table.datetime('expires').nullable().index()
                         table.text('data').notNullable()
                     }
                 )

diff --git a/packages/graphql/src/index.ts b/packages/graphql/src/index.ts
@@ -818,6 +818,7 @@ input id_where_query {
                 graphQlQuery(`Fetch ${resource.data.snakeCaseNamePlural}`)
                     .path(resource.data.snakeCaseNamePlural)
                     .query()
+                    .internal()
                     .resource(resource)
                     .handle(async (_, args, ctx, info) => {
                         const data: any[] = await ctx.manager.find(
@@ -841,6 +842,7 @@ input id_where_query {
                 graphQlQuery(`Fetch single ${resource.data.snakeCaseName}`)
                     .path(resource.data.snakeCaseName)
                     .query()
+                    .internal()
                     .resource(resource)
                     .handle(async (_, args, ctx, info) => {
                         const data: any = await ctx.manager.findOneOrFail(
@@ -865,6 +867,7 @@ input id_where_query {
                 graphQlQuery(`Insert single ${resource.data.snakeCaseName}`)
                     .path(`insert_${resource.data.snakeCaseName}`)
                     .mutation()
+                    .internal()
                     .resource(resource)
                     .handle(async (_, args, ctx, info) => {
                         const data = ctx.manager.create(
@@ -891,6 +894,7 @@ input id_where_query {
                 )
                     .path(`insert_${resource.data.snakeCaseNamePlural}`)
                     .mutation()
+                    .internal()
                     .resource(resource)
                     .handle(async (_, args, ctx, info) => {
                         const data: any[] = args.objects.map((object: any) =>
@@ -919,6 +923,7 @@ input id_where_query {
                 graphQlQuery(`Update single ${resource.data.snakeCaseName}`)
                     .path(`update_${resource.data.snakeCaseName}`)
                     .mutation()
+                    .internal()
                     .resource(resource)
                     .handle(async (_, args, ctx, info) => {
                         const data: any = await ctx.manager
@@ -946,6 +951,7 @@ input id_where_query {
                 )
                     .path(`update_${resource.data.snakeCaseNamePlural}`)
                     .mutation()
+                    .internal()
                     .resource(resource)
                     .handle(async (_, args, ctx, info) => {
                         const data = await ctx.manager.find(
@@ -972,6 +978,7 @@ input id_where_query {
                 graphQlQuery(`Delete single ${resource.data.snakeCaseName}`)
                     .path(`delete_${resource.data.snakeCaseName}`)
                     .mutation()
+                    .internal()
                     .resource(resource)
                     .handle(async (_, args, ctx, info) => {
                         const data: any = await ctx.manager
@@ -997,6 +1004,7 @@ input id_where_query {
                 )
                     .path(`delete_${resource.data.snakeCaseNamePlural}`)
                     .mutation()
+                    .internal()
                     .resource(resource)
                     .handle(async (_, args, ctx, info) => {
                         const data = await ctx.manager.find(

diff --git a/packages/rest/package.json b/packages/rest/package.json
@@ -21,7 +21,8 @@
     },
     "dependencies": {
         "@tensei/common": "^0.2.3",
-        "express-response-formatter": "^2.0.2"
+        "express-response-formatter": "^2.0.2",
+        "qs": "^6.9.4"
     },
     "publishConfig": {
         "access": "public"