chore(api): update auth guards

3 years ago · 1aa237f255
5 changed files with 49 additions and 7 deletions
--- a/api/src/auth/auth.controller.ts
+++ b/api/src/auth/auth.controller.ts
@ -12,8 +12,9 @@ import {
 } from '@nestjs/common'
 import { ApiBearerAuth, ApiOperation, ApiQuery, ApiTags } from '@nestjs/swagger'
 import { LoginInputDTO, RegisterInputDTO } from './auth.dto'
-import { AuthGuard } from './auth.guard'
+import { AuthGuard } from './guards/auth.guard'
 import { AuthService } from './auth.service'
+import { CanModifyApiKey } from './guards/can-modify-api-key.guard'

@ApiTags('auth')
@Controller('auth')
@ -69,8 +70,7 @@ export class AuthController {
    return { data }
  }

-  // TODO: Add a guard to check if the user is the owner of the api key
-  @UseGuards(AuthGuard)
+  @UseGuards(AuthGuard, CanModifyApiKey)
  @ApiOperation({ summary: 'Generate Api Key' })
  @ApiBearerAuth()
  @HttpCode(HttpStatus.OK)
--- a/api/src/auth/auth.service.ts
+++ b/api/src/auth/auth.service.ts
@ -115,10 +115,14 @@ export class AuthService {
    return this.apiKeyModel.find({ user: currentUser._id })
  }

-  async findApiKeys(params) {
+  async findApiKey(params) {
    return this.apiKeyModel.findOne(params)
  }

+  async findApiKeyById(apiKeyId: string) {
+    return this.apiKeyModel.findById(apiKeyId)
+  }
+
  async deleteApiKey(apiKeyId: string) {
    const apiKey = await this.apiKeyModel.findOne({ _id: apiKeyId })
    if (!apiKey) {
--- a/api/src/auth/guards/auth.guard.ts
+++ b/api/src/auth/guards/auth.guard.ts
@ -7,7 +7,7 @@ import {
 } from '@nestjs/common'
 import { JwtService } from '@nestjs/jwt'
 import { UsersService } from 'src/users/users.service'
-import { AuthService } from './auth.service'
+import { AuthService } from '../auth.service'
 import * as bcrypt from 'bcryptjs'

@Injectable()
@ -34,7 +34,7 @@ export class AuthGuard implements CanActivate {
      const apiKeyStr = request.query.apiKey
      if (apiKeyStr) {
        var regex = new RegExp(`^${apiKeyStr.substr(0, 17)}`, 'g')
-        const apiKey = await this.authService.findApiKeys({
+        const apiKey = await this.authService.findApiKey({
          apiKey: { $regex: regex },
        })

--- a/api/src/auth/guards/can-modify-api-key.guard.ts
+++ b/api/src/auth/guards/can-modify-api-key.guard.ts
@ -0,0 +1,38 @@
+import {
+  CanActivate,
+  ExecutionContext,
+  HttpException,
+  HttpStatus,
+  Injectable,
+} from '@nestjs/common'
+import mongoose from 'mongoose'
+import { UserRole } from 'src/users/user-roles.enum'
+import { AuthService } from '../auth.service'
+
+@Injectable()
+export class CanModifyApiKey implements CanActivate {
+  constructor(private authService: AuthService) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request = context.switchToHttp().getRequest()
+
+    const apiKeyId = request.params.id
+    const userId = request.user?.id
+
+    const isValidId = mongoose.Types.ObjectId.isValid(apiKeyId)
+    if (!isValidId) {
+      throw new HttpException({ error: 'Invalid id' }, HttpStatus.BAD_REQUEST)
+    }
+
+    const apiKey = await this.authService.findApiKeyById(apiKeyId)
+    if (
+      !!userId &&
+      (apiKey?.user == userId.toString() ||
+        request.user?.role == UserRole.ADMIN)
+    ) {
+      return true
+    }
+
+    throw new HttpException({ error: 'Unauthorized' }, HttpStatus.UNAUTHORIZED)
+  }
+}
--- a/api/src/gateway/gateway.controller.ts
+++ b/api/src/gateway/gateway.controller.ts
@ -9,7 +9,7 @@ import {
  Get,
 } from '@nestjs/common'
 import { ApiBearerAuth, ApiOperation, ApiQuery, ApiTags } from '@nestjs/swagger'
-import { AuthGuard } from 'src/auth/auth.guard'
+import { AuthGuard } from 'src/auth/guards/auth.guard'
 import { RegisterDeviceInputDTO, SendSMSInputDTO } from './gateway.dto'
 import { GatewayService } from './gateway.service'
 import { CanModifyDevice } from './guards/can-modify-device.guard'