-
Notifications
You must be signed in to change notification settings - Fork 1.1k
/
Copy pathauthorize-interceptor.ts
164 lines (151 loc) · 4.75 KB
/
authorize-interceptor.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
// Copyright IBM Corp. 2019. All Rights Reserved.
// Node module: @loopback/authorization
// This file is licensed under the MIT License.
// License text available at https://opensource.org/licenses/MIT
import {
asGlobalInterceptor,
bind,
BindingAddress,
// eslint-disable-next-line @typescript-eslint/no-unused-vars
config,
Context,
filterByTag,
inject,
Interceptor,
InvocationContext,
Next,
Provider,
} from '@loopback/context';
import {
Principal,
SecurityBindings,
securityId,
UserProfile,
} from '@loopback/security';
import * as debugFactory from 'debug';
import {getAuthorizationMetadata} from './decorators/authorize';
import {AuthorizationBindings, AuthorizationTags} from './keys';
import {
AuthorizationContext,
AuthorizationDecision,
AuthorizationError,
AuthorizationOptions,
Authorizer,
} from './types';
const debug = debugFactory('loopback:authorization:interceptor');
@bind(asGlobalInterceptor('authorization'))
export class AuthorizationInterceptor implements Provider<Interceptor> {
private options: AuthorizationOptions;
constructor(
@inject(filterByTag(AuthorizationTags.AUTHORIZER))
private authorizers: Authorizer[],
@config({fromBinding: AuthorizationBindings.COMPONENT})
options: AuthorizationOptions = {},
) {
this.options = {
defaultDecision: AuthorizationDecision.DENY,
precedence: AuthorizationDecision.DENY,
...options,
};
debug('Authorization options', this.options);
}
value(): Interceptor {
return this.intercept.bind(this);
}
async intercept(invocationCtx: InvocationContext, next: Next) {
const description = debug.enabled ? invocationCtx.description : '';
let metadata = getAuthorizationMetadata(
invocationCtx.target,
invocationCtx.methodName,
);
if (!metadata) {
debug('No authorization metadata is found for %s', description);
}
metadata = metadata || this.options.defaultMetadata;
if (!metadata) {
debug('Authorization is skipped for %s', description);
const result = await next();
return result;
}
debug('Authorization metadata for %s', description, metadata);
// retrieve it from authentication module
const user = await invocationCtx.get<UserProfile>(SecurityBindings.USER, {
optional: true,
});
debug('Current user', user);
const authorizationCtx: AuthorizationContext = {
principals: user ? [userToPrinciple(user)] : [],
roles: [],
scopes: [],
resource: invocationCtx.targetName,
invocationContext: invocationCtx,
};
debug('Security context for %s', description, authorizationCtx);
let authorizers = await loadAuthorizers(
invocationCtx,
metadata.voters || [],
);
let finalDecision = this.options.defaultDecision;
authorizers = authorizers.concat(this.authorizers);
for (const fn of authorizers) {
const decision = await fn(authorizationCtx, metadata);
debug('Decision', decision);
// Reset the final decision if an explicit Deny or Allow is voted
if (decision && decision !== AuthorizationDecision.ABSTAIN) {
finalDecision = decision;
}
// we can add another interceptor to process the error
if (
decision === AuthorizationDecision.DENY &&
this.options.precedence === AuthorizationDecision.DENY
) {
debug('Access denied');
const error = new AuthorizationError('Access denied');
error.statusCode = 401;
throw error;
}
if (
decision === AuthorizationDecision.ALLOW &&
this.options.precedence === AuthorizationDecision.ALLOW
) {
debug('Access allowed');
break;
}
}
debug('Final decision', finalDecision);
// Handle the final decision
if (finalDecision === AuthorizationDecision.DENY) {
const error = new AuthorizationError('Access denied');
error.statusCode = 401;
throw error;
}
return next();
}
}
async function loadAuthorizers(
ctx: Context,
authorizers: (Authorizer | BindingAddress<Authorizer>)[],
) {
const authorizerFunctions: Authorizer[] = [];
const bindings = ctx.findByTag<Authorizer>(AuthorizationTags.AUTHORIZER);
authorizers = authorizers.concat(bindings.map(b => b.key));
for (const keyOrFn of authorizers) {
if (typeof keyOrFn === 'function') {
authorizerFunctions.push(keyOrFn);
} else {
const fn = await ctx.get(keyOrFn);
authorizerFunctions.push(fn);
}
}
return authorizerFunctions;
}
// This is a workaround before we extract a common layer
// for authentication and authorization.
function userToPrinciple(user: UserProfile): Principal {
return {
name: user.name || user[securityId],
[securityId]: user.id,
email: user.email,
type: 'USER',
};
}