tdpeuter/2025SELab2-project-Dwengo
tdpeuter/2025SELab2-project-Dwengo
1
Fork 0
Code Issues Releases 4 Packages 2 Wiki Activity

feat(backend): Bescherming van leerobject-manipulatie endpoints.

Browse source 
Ook delete route voor leerobjecten toegevoegd.
This commit is contained in:
Gerald Schmittinger 2025-05-12 14:57:54 +02:00
parent a7f90aace3
commit 20c04370b5
4 changed files with 50 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

13
backend/src/middleware/auth/auth.ts
View file

@ -8,6 +8,7 @@ import { AuthenticatedRequest } from './authenticated-request.js';
import { AuthenticationInfo } from './authentication-info.js';
import { UnauthorizedException } from '../../exceptions/unauthorized-exception.js';
import { ForbiddenException } from '../../exceptions/forbidden-exception.js';
import { RequestHandler } from 'express';
const JWKS_CACHE = true;
const JWKS_RATE_LIMIT = true;
@ -115,11 +116,17 @@ export const authenticateUser = [verifyJwtToken, addAuthenticationInfo];
* @param accessCondition Predicate over the current AuthenticationInfo. Access is only granted when this evaluates
* to true.
*/
export function authorize(accessCondition: (auth: AuthenticationInfo) => boolean) {
return (req: AuthenticatedRequest, _res: express.Response, next: express.NextFunction): void => {
export function authorize(
accessCondition: (auth: AuthenticationInfo, req: AuthenticatedRequest) => boolean | Promise<boolean>
): RequestHandler {
return async (
req: AuthenticatedRequest,
_res: express.Response,
next: express.NextFunction
): Promise<void> => {
if (!req.auth) {
throw new UnauthorizedException();
} else if (!accessCondition(req.auth)) {
} else if (!(await accessCondition(req.auth, req))) {
throw new ForbiddenException();
} else {
next();

16
backend/src/middleware/auth/checks/learning-object-auth-checks.ts Normal file
View file

@ -0,0 +1,16 @@
import { Language } from "@dwengo-1/common/util/language";
import learningObjectService from "../../../services/learning-objects/learning-object-service";
import { authorize } from "../auth";
import { AuthenticatedRequest } from "../authenticated-request";
import { AuthenticationInfo } from "../authentication-info";
export const onlyAdminsForLearningObject = authorize(async (auth: AuthenticationInfo, req: AuthenticatedRequest) => {
const { hruid } = req.params;
const { version, language } = req.query;
const admins = await learningObjectService.getAdmins({
hruid,
language: language as Language,
version: parseInt(version as string)
});
return auth.username in admins;
});