Merge pull request #339 from Cartmanishere/authorization

Add authorization middleware based on roles

Author: ankurnarkhede

controllers/users.js

@@ -1,6 +1,5 @@
 
 const userQuery = require('../models/users')
-const accountOwners = require('../mockdata/appOwners')
 const imageService = require('../services/imageService')
 /**
  * Fetches the data about our users
@@ -23,22 +22,6 @@ const getUsers = async (req, res) => {
   }
 }
 
-/**
- * Fetches the data about our account Owners
- *
- * @param req {Object} - Express request object
- * @param res {Object} - Express response object
- */
-
-const getAccountOwners = async (req, res) => {
-  try {
-    return accountOwners
-  } catch (error) {
-    logger.error(`Error while fetching application owners: ${error}`)
-    return res.boom.badImplementation('Something went wrong please contact admin')
-  }
-}
-
 /**
  * Fetches the data about user with given id
  *
@@ -166,6 +149,5 @@ module.exports = {
   getSelfDetails,
   getUser,
   getUsernameAvailabilty,
-  getAccountOwners,
   postUserPicture
 }

firebase.json

@@ -1,7 +1,7 @@
 {
   "emulators": {
     "firestore": {
-      "port": 8080
+      "port": 8081
     },
     "ui": {
       "enabled": true,

middlewares/authorization.js

@@ -1,13 +1,54 @@
-const { isSuperUser } = require('../models/members')
-module.exports = (req, res, next) => {
-  try {
-    const { username } = req.userData
-    if (!isSuperUser(username)) {
-      return res.boom.forbidden('You are not allowed to perform this action.')
+/**
+ * Describe the priority order of roles. Any route requiring `x` role is allowed
+ * for user having authority of role `x` or a higher authority.
+ * For e.g
+ * - Route requiring `superUser` role is only allowed for `super_user`.
+ * - Route requiring `appOwner` role is allowed for `superUser` and `app_owner`.
+ */
+const REQUIRED_ROLES_PRIORITY = {
+  superUser: ['super_user'],
+  appOwner: ['app_owner', 'super_user'],
+  default: ['default', 'super_user', 'app_owner']
+}
+
+/**
+ * Check if the user has enough authorization based on their role.
+ * User would have following roles schema -
+ * userRoles = {app_owner: true, super_user: true}
+ * @param {String} requiredRole - Required role level to authorize request.
+ * @param {Object} userRoles - Roles information of the current user.
+ * @returns {Boolean} - Whether the current user is authorized for required role level.
+ */
+const userHasPermission = (requiredRole, userRoles) => {
+  const allowedRoles = REQUIRED_ROLES_PRIORITY[`${requiredRole}`] || ['default']
+  return allowedRoles.some((role) => {
+    return Boolean(userRoles[`${role}`])
+  })
+}
+
+/**
+ * Create an authorization middleware for a route based on the required role needed
+ * for that route. Currently following roles are supported:
+ * - `authorizeUser('superUser')`
+ * - `authorizeUser('appOwner')`
+ * Note: This must be added on routes after the `authenticate` middleware.
+ * @param {String} requiredRole - The least role authority required for a route.
+ * @returns {Function} - A middleware function that authorizes given role.
+ */
+const authorizeUser = (requiredRole) => {
+  return (req, res, next) => {
+    const { roles = {} } = req.userData
+    // All users should have `default` role
+    roles.default = true
+
+    if (!userHasPermission(requiredRole, roles)) {
+      return res.boom.unauthorized('You are not authorized for this action.')
     }
     return next()
-  } catch (err) {
-    logger.error(err)
-    return res.boom.forbidden('You are not allowed to perform this action.')
   }
 }
+
+module.exports = {
+  authorizeUser,
+  userHasPermission
+}

models/members.js

@@ -37,16 +37,6 @@ const fetchMembers = async () => {
   }
 }
 
-/**
- * Checks whether the user is a superuser
- * @return {Boolean}
- */
-
-const isSuperUser = (username) => {
-  return username === 'ankush'
-}
-
 module.exports = {
-  fetchMembers,
-  isSuperUser
+  fetchMembers
 }

routes/stocks.js

@@ -1,8 +1,8 @@
 const express = require('express')
 const router = express.Router()
 const authenticate = require('../middlewares/authenticate')
-const authorization = require('../middlewares/authorization')
-const { addNewStock, fetchStocks, getSelfStocks } = require('../controllers/stocks')
+const { authorizeUser } = require('../middlewares/authorization')
+const { addNewStock, fetchStocks } = require('../controllers/stocks')
 const { createStock } = require('../middlewares/validators/stocks')
 
 /**
@@ -62,7 +62,7 @@ router.get('/', fetchStocks)
  *           schema:
  *             $ref: '#/components/schemas/errors/badImplementation'
  */
-router.post('/', authenticate, authorization, createStock, addNewStock)
+router.post('/', authenticate, authorizeUser('superUser'), createStock, addNewStock)
 
 /**
  * @swagger

routes/tasks.js

@@ -3,7 +3,7 @@ const router = express.Router()
 const authenticate = require('../middlewares/authenticate')
 const tasks = require('../controllers/tasks')
 const { createTask, updateTask } = require('../middlewares/validators/tasks')
-const authorizeOwner = require('../middlewares/authorizeOwner')
+const { authorizeUser } = require('../middlewares/authorization')
 
 /**
  * @swagger
@@ -93,7 +93,7 @@ router.get('/self', authenticate, tasks.getSelfTasks)
  *           schema:
  *             $ref: '#/components/schemas/errors/badImplementation'
  */
-router.post('/', authenticate, authorizeOwner, createTask, tasks.addNewTask)
+router.post('/', authenticate, authorizeUser('appOwner'), createTask, tasks.addNewTask)
 
 /**
  * @swagger
@@ -124,7 +124,7 @@ router.post('/', authenticate, authorizeOwner, createTask, tasks.addNewTask)
  *           schema:
  *             $ref: '#/components/schemas/errors/badImplementation'
  */
-router.patch('/:id', authenticate, authorizeOwner, updateTask, tasks.updateTask)
+router.patch('/:id', authenticate, authorizeUser('appOwner'), updateTask, tasks.updateTask)
 
 /**
  * @swagger

routes/wallets.js

@@ -2,7 +2,7 @@ const express = require('express')
 const router = express.Router()
 const wallet = require('../controllers/wallets')
 const authenticate = require('../middlewares/authenticate')
-const authorization = require('../middlewares/authorization')
+const { authorizeUser } = require('../middlewares/authorization')
 
 /**
  * @swagger
@@ -66,6 +66,6 @@ router.get('/', authenticate, wallet.getOwnWallet)
  *             schema:
  *               $ref: '#/components/schemas/errors/badImplementation'
  */
-router.get('/:username', authenticate, authorization, wallet.getUserWallet)
+router.get('/:username', authenticate, authorizeUser('superUser'), wallet.getUserWallet)
 
 module.exports = router

test/fixtures/user/user.js

@@ -52,6 +52,43 @@ module.exports = () => {
       roles: {
         restricted: true
       }
+    },
+    {
+      username: 'sagar',
+      first_name: 'Sagar',
+      last_name: 'Bajpai',
+      yoe: 3,
+      img: './img.png',
+      linkedin_id: 'sagarbajpai',
+      github_id: 'sagarbajpai',
+      github_display_name: 'Sagar Bajpai',
+      phone: '1234567890',
+      email: '[email protected]',
+      tokens: {
+        githubAccessToken: 'githubAccessToken'
+      },
+      roles: {
+        restricted: false,
+        app_owner: true
+      }
+    },
+    {
+      username: 'ankush',
+      first_name: 'Ankush',
+      last_name: 'Dharkar',
+      yoe: 10,
+      img: './img.png',
+      linkedin_id: 'ankushdharkar',
+      github_id: 'ankushdharkar',
+      github_display_name: 'Ankush Dharkar',
+      phone: '1234567890',
+      email: '[email protected]',
+      tokens: {
+        githubAccessToken: 'githubAccessToken'
+      },
+      roles: {
+        super_user: true
+      }
     }
   ]
 }

test/integration/authorization.test.js

@@ -0,0 +1,133 @@
+const chai = require('chai')
+const { expect } = chai
+
+const { authorizeUser } = require('../../middlewares/authorization')
+const authenticate = require('../../middlewares/authenticate')
+const authService = require('../../services/authService')
+const addUser = require('../utils/addUser')
+const cleanDb = require('../utils/cleanDb')
+const config = require('config')
+const cookieName = config.get('userToken.cookieName')
+const userData = require('../fixtures/user/user')()
+
+const defaultUser = userData[0] // user with no `roles` key
+const appOwner = userData[3]
+const superUser = userData[4]
+
+// Setup some routes with various permissions for testing
+const express = require('express')
+const router = express.Router()
+const AppMiddlewares = require('../../middlewares')
+
+const pongHandler = (_, res) => {
+  return res.json({ message: 'pong' })
+}
+
+router.get('/for-everyone', authenticate, pongHandler)
+router.get('/for-app-owner', authenticate, authorizeUser('appOwner'), pongHandler)
+router.get('/for-super-user', authenticate, authorizeUser('superUser'), pongHandler)
+
+const app = express()
+AppMiddlewares(app)
+app.use('/', router)
+
+describe('authorizeUser', function () {
+  let defaultJwt, appOwnerJwt, superUserJwt
+
+  before(async function () {
+    const defaultUserId = await addUser(defaultUser)
+    const appOwnerId = await addUser(appOwner)
+    const superUserId = await addUser(superUser)
+    defaultJwt = authService.generateAuthToken({ userId: defaultUserId })
+    appOwnerJwt = authService.generateAuthToken({ userId: appOwnerId })
+    superUserJwt = authService.generateAuthToken({ userId: superUserId })
+  })
+
+  after(async function () {
+    await cleanDb()
+  })
+
+  it('should authorize default user for route with no required role', function (done) {
+    chai
+      .request(app)
+      .get('/for-everyone')
+      .set('cookie', `${cookieName}=${defaultJwt}`)
+      .end((err, res) => {
+        if (err) { return done(err) }
+        expect(res).to.have.status(200)
+        return done()
+      })
+  })
+
+  it('should authorize user with role for route with no required role', function (done) {
+    chai
+      .request(app)
+      .get('/for-everyone')
+      .set('cookie', `${cookieName}=${appOwnerJwt}`)
+      .end((err, res) => {
+        if (err) { return done(err) }
+        expect(res).to.have.status(200)
+        return done()
+      })
+  })
+
+  it('should authorize appOwner for route with appOwner required role', function (done) {
+    chai
+      .request(app)
+      .get('/for-app-owner')
+      .set('cookie', `${cookieName}=${appOwnerJwt}`)
+      .end((err, res) => {
+        if (err) { return done(err) }
+        expect(res).to.have.status(200)
+        return done()
+      })
+  })
+
+  it('should not allow user not having role for route with appOwner required role', function (done) {
+    chai
+      .request(app)
+      .get('/for-app-owner')
+      .set('cookie', `${cookieName}=${defaultJwt}`)
+      .end((err, res) => {
+        if (err) { return done(err) }
+        expect(res).to.have.status(401)
+        return done()
+      })
+  })
+
+  it('should authorize superUser for route with appOwner required role', function (done) {
+    chai
+      .request(app)
+      .get('/for-app-owner')
+      .set('cookie', `${cookieName}=${superUserJwt}`)
+      .end((err, res) => {
+        if (err) { return done(err) }
+        expect(res).to.have.status(200)
+        return done()
+      })
+  })
+
+  it('should authorize superUser for route with superUser required role', function (done) {
+    chai
+      .request(app)
+      .get('/for-super-user')
+      .set('cookie', `${cookieName}=${superUserJwt}`)
+      .end((err, res) => {
+        if (err) { return done(err) }
+        expect(res).to.have.status(200)
+        return done()
+      })
+  })
+
+  it('should not allow appOwner for route with superUser required role', function (done) {
+    chai
+      .request(app)
+      .get('/for-super-user')
+      .set('cookie', `${cookieName}=${appOwnerJwt}`)
+      .end((err, res) => {
+        if (err) { return done(err) }
+        expect(res).to.have.status(401)
+        return done()
+      })
+  })
+})