feat(ops-auth): add scoped API token auth across ops endpoints
This commit is contained in:
@@ -1,6 +1,7 @@
|
||||
import * as plugins from '../../plugins.js';
|
||||
import type { OpsServer } from '../classes.opsserver.js';
|
||||
import * as interfaces from '../../../ts_interfaces/index.js';
|
||||
import { requireOpsAuth } from '../helpers/auth.js';
|
||||
|
||||
type TAuthContext = {
|
||||
userId: string;
|
||||
@@ -20,39 +21,23 @@ export class WorkHosterHandler {
|
||||
request: { identity?: interfaces.data.IIdentity; apiToken?: string },
|
||||
requiredScope?: interfaces.data.TApiTokenScope,
|
||||
): Promise<TAuthContext> {
|
||||
if (request.identity?.jwt) {
|
||||
try {
|
||||
const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
|
||||
identity: request.identity,
|
||||
});
|
||||
if (isAdmin) return { userId: request.identity.userId, isAdmin: true };
|
||||
} catch { /* fall through */ }
|
||||
}
|
||||
|
||||
if (request.apiToken) {
|
||||
const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
|
||||
if (tokenManager) {
|
||||
const token = await tokenManager.validateToken(request.apiToken);
|
||||
if (token) {
|
||||
if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
|
||||
return { userId: token.createdBy, isAdmin: token.policy?.role === 'admin', token };
|
||||
}
|
||||
throw new plugins.typedrequest.TypedResponseError('insufficient scope');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
throw new plugins.typedrequest.TypedResponseError('unauthorized');
|
||||
const auth = await requireOpsAuth(this.opsServerRef, request, {
|
||||
scope: requiredScope,
|
||||
requireAdminIdentity: requiredScope?.endsWith(':write'),
|
||||
});
|
||||
return { userId: auth.userId, isAdmin: auth.isAdmin, token: auth.token };
|
||||
}
|
||||
|
||||
private async requireAdmin(request: { identity?: interfaces.data.IIdentity }): Promise<string> {
|
||||
if (request.identity?.jwt) {
|
||||
const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
|
||||
identity: request.identity,
|
||||
});
|
||||
if (isAdmin) return request.identity.userId;
|
||||
}
|
||||
throw new plugins.typedrequest.TypedResponseError('admin identity required');
|
||||
private async requireAdmin(
|
||||
request: { identity?: interfaces.data.IIdentity; apiToken?: string },
|
||||
scope: interfaces.data.TApiTokenScope = 'gateway-clients:write',
|
||||
): Promise<string> {
|
||||
const auth = await requireOpsAuth(this.opsServerRef, request, {
|
||||
scope,
|
||||
requireAdminIdentity: true,
|
||||
requireAdminToken: true,
|
||||
});
|
||||
return auth.userId;
|
||||
}
|
||||
|
||||
private registerHandlers(): void {
|
||||
@@ -83,7 +68,7 @@ export class WorkHosterHandler {
|
||||
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListGatewayClients>(
|
||||
'listGatewayClients',
|
||||
async (dataArg) => {
|
||||
await this.requireAdmin(dataArg);
|
||||
await this.requireAdmin(dataArg, 'gateway-clients:read');
|
||||
return { gatewayClients: await this.listManagedGatewayClients() };
|
||||
},
|
||||
),
|
||||
@@ -154,7 +139,7 @@ export class WorkHosterHandler {
|
||||
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateGatewayClientToken>(
|
||||
'createGatewayClientToken',
|
||||
async (dataArg) => {
|
||||
const userId = await this.requireAdmin(dataArg);
|
||||
const userId = await this.requireAdmin(dataArg, 'tokens:manage');
|
||||
const gatewayClient = await this.opsServerRef.dcRouterRef.gatewayClientManager?.getClient(dataArg.gatewayClientId);
|
||||
const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
|
||||
if (!gatewayClient || !gatewayClient.enabled) {
|
||||
|
||||
Reference in New Issue
Block a user