feat(backend): Endpoints voor studenten beschermd

backend/src/middleware/auth/auth.ts

@@ -1,13 +1,11 @@
-import { envVars, getEnvVar } from '../../util/envVars.js';
-import { expressjwt } from 'express-jwt';
+import {envVars, getEnvVar} from '../../util/envVars.js';
+import {expressjwt} from 'express-jwt';
 import * as jwt from 'jsonwebtoken';
-import { JwtPayload } from 'jsonwebtoken';
+import {JwtPayload} from 'jsonwebtoken';
 import jwksClient from 'jwks-rsa';
 import * as express from 'express';
-import { AuthenticatedRequest } from './authenticated-request.js';
-import { AuthenticationInfo } from './authentication-info.js';
-import { UnauthorizedException } from '../../exceptions/unauthorized-exception.js';
-import { ForbiddenException } from '../../exceptions/forbidden-exception.js';
+import {AuthenticatedRequest} from './authenticated-request.js';
+import {AuthenticationInfo} from './authentication-info.js';
 
 const JWKS_CACHE = true;
 const JWKS_RATE_LIMIT = true;
@@ -108,36 +106,3 @@ function addAuthenticationInfo(req: AuthenticatedRequest, _res: express.Response
 }
 
 export const authenticateUser = [verifyJwtToken, addAuthenticationInfo];
-
-/**
- * Middleware which rejects unauthenticated users (with HTTP 401) and authenticated users which do not fulfill
- * the given access condition.
- * @param accessCondition Predicate over the current AuthenticationInfo. Access is only granted when this evaluates
- *                        to true.
- */
-export function authorize(accessCondition: (auth: AuthenticationInfo) => boolean) {
-    return (req: AuthenticatedRequest, _res: express.Response, next: express.NextFunction): void => {
-        if (!req.auth) {
-            throw new UnauthorizedException();
-        } else if (!accessCondition(req.auth)) {
-            throw new ForbiddenException();
-        } else {
-            next();
-        }
-    };
-}
-
-/**
- * Middleware which rejects all unauthenticated users, but accepts all authenticated users.
- */
-export const authenticatedOnly = authorize((_) => true);
-
-/**
- * Middleware which rejects requests from unauthenticated users or users that aren't students.
- */
-export const studentsOnly = authorize((auth) => auth.accountType === 'student');
-
-/**
- * Middleware which rejects requests from unauthenticated users or users that aren't teachers.
- */
-export const teachersOnly = authorize((auth) => auth.accountType === 'teacher');

backend/src/middleware/auth/checks/auth-checks.ts

@@ -0,0 +1,38 @@
+import {AuthenticationInfo} from "../authentication-info";
+import {AuthenticatedRequest} from "../authenticated-request";
+import * as express from "express";
+import {UnauthorizedException} from "../../../exceptions/unauthorized-exception";
+import {ForbiddenException} from "../../../exceptions/forbidden-exception";
+
+/**
+ * Middleware which rejects unauthenticated users (with HTTP 401) and authenticated users which do not fulfill
+ * the given access condition.
+ * @param accessCondition Predicate over the current AuthenticationInfo. Access is only granted when this evaluates
+ *                        to true.
+ */
+export function authorize(
+    accessCondition: (auth: AuthenticationInfo, req: AuthenticatedRequest) => boolean | Promise<boolean>
+) {
+    return async (req: AuthenticatedRequest, _res: express.Response, next: express.NextFunction): Promise<void> => {
+        if (!req.auth) {
+            throw new UnauthorizedException();
+        } else if (!await accessCondition(req.auth, req)) {
+            throw new ForbiddenException();
+        } else {
+            next();
+        }
+    };
+}
+
+/**
+ * Middleware which rejects all unauthenticated users, but accepts all authenticated users.
+ */
+export const authenticatedOnly = authorize((_) => true);
+/**
+ * Middleware which rejects requests from unauthenticated users or users that aren't students.
+ */
+export const studentsOnly = authorize((auth) => auth.accountType === 'student');
+/**
+ * Middleware which rejects requests from unauthenticated users or users that aren't teachers.
+ */
+export const teachersOnly = authorize((auth) => auth.accountType === 'teacher');

backend/src/middleware/auth/checks/class-auth-checks.ts

@@ -0,0 +1,22 @@
+import {authorize} from "./auth-checks";
+import {AuthenticationInfo} from "../authentication-info";
+import {AuthenticatedRequest} from "../authenticated-request";
+import {getClassesByTeacher} from "../../../services/teachers";
+
+/**
+ * To be used on a request with path parameters username and classId.
+ * Only allows requests whose username parameter is equal to the username of the user who is logged in and requests
+ * whose classId parameter references a class the logged-in user is a teacher of.
+ */
+export const onlyAllowStudentHimselfAndTeachersOfClass = authorize(
+    async (auth: AuthenticationInfo, req: AuthenticatedRequest) => {
+        if (req.params.username === auth.username) {
+            return true;
+        } else if (auth.accountType === "teacher") {
+            const classes: string[] = (await getClassesByTeacher(auth.username, false)) as string[];
+            return req.params.classId in classes;
+        } else {
+            return false;
+        }
+    }
+);

backend/src/middleware/auth/checks/user-auth-checks.ts

@@ -0,0 +1,10 @@
+import {authorize} from "./auth-checks";
+import {AuthenticationInfo} from "../authentication-info";
+import {AuthenticatedRequest} from "../authenticated-request";
+
+/**
+ * Only allow the user whose username is in the path parameter "username" to access the endpoint.
+ */
+export const onlyAllowUserHimself = authorize(
+    (auth: AuthenticationInfo, req: AuthenticatedRequest) => req.params.username === auth.username
+);