coop-cloud-chaos-patchs/outline
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixes #593

Browse Source
This commit is contained in:
Tom Moor
2018-02-24 20:44:13 -08:00
parent fb19075d0e
commit f3c7fb8bc6
6 changed files with 52 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
server/api/__snapshots__/documents.test.js.snap
View File

@ -1,11 +1,10 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP // Jest Snapshot v1, https://goo.gl/fbAQLP
exports[`#documents.create should create as a child 1`] = ` exports[`#documents.create should error with invalid parentDocument 1`] = `
Object { Object {
"error": "invalid_parent_document", "error": "authorization_error",
"message": "Invalid parentDocument", "message": "Authorization error",
"ok": false, "ok": false,
"status": 400,
} }
`; `;
@ -56,7 +55,7 @@ Object {
exports[`#documents.update should fail if document lastRevision does not match 1`] = ` exports[`#documents.update should fail if document lastRevision does not match 1`] = `
Object { Object {
"error": "document_has_changed_since_last_revision", "error": "invalid_request",
"message": "Document has changed since last revision", "message": "Document has changed since last revision",
"ok": false, "ok": false,
"status": 400, "status": 400,

39
server/api/documents.js
View File

@ -1,11 +1,11 @@
// @flow // @flow
import Router from 'koa-router'; import Router from 'koa-router';
import httpErrors from 'http-errors';
import auth from './middlewares/authentication'; import auth from './middlewares/authentication';
import pagination from './middlewares/pagination'; import pagination from './middlewares/pagination';
import { presentDocument, presentRevision } from '../presenters'; import { presentDocument, presentRevision } from '../presenters';
import { Document, Collection, Star, View, Revision } from '../models'; import { Document, Collection, Star, View, Revision } from '../models';
import { ValidationError, InvalidRequestError } from '../errors';
import policy from '../policies'; import policy from '../policies';
const { authorize } = policy; const { authorize } = policy;
@ -208,8 +208,6 @@ router.post('documents.create', auth(), async ctx => {
}); });
authorize(user, 'publish', ownerCollection); authorize(user, 'publish', ownerCollection);
if (!ownerCollection) throw httpErrors.BadRequest();
let parentDocumentObj = {}; let parentDocumentObj = {};
if (parentDocument && ownerCollection.type === 'atlas') { if (parentDocument && ownerCollection.type === 'atlas') {
parentDocumentObj = await Document.findOne({ parentDocumentObj = await Document.findOne({
@ -218,8 +216,7 @@ router.post('documents.create', auth(), async ctx => {
atlasId: ownerCollection.id, atlasId: ownerCollection.id,
}, },
}); });
if (!parentDocumentObj) authorize(user, 'read', parentDocumentObj);
throw httpErrors.BadRequest('Invalid parentDocument');
} }
const newDocument = await Document.create({ const newDocument = await Document.create({
@ -258,7 +255,7 @@ router.post('documents.update', auth(), async ctx => {
authorize(ctx.state.user, 'update', document); authorize(ctx.state.user, 'update', document);
if (lastRevision && lastRevision !== document.revisionCount) { if (lastRevision && lastRevision !== document.revisionCount) {
throw httpErrors.BadRequest('Document has changed since last revision'); throw new InvalidRequestError('Document has changed since last revision');
} }
// Update document // Update document
@ -283,27 +280,25 @@ router.post('documents.move', auth(), async ctx => {
const { id, parentDocument, index } = ctx.body; const { id, parentDocument, index } = ctx.body;
ctx.assertPresent(id, 'id is required'); ctx.assertPresent(id, 'id is required');
if (parentDocument) if (parentDocument)
ctx.assertUuid(parentDocument, 'parentDocument must be an uuid'); ctx.assertUuid(parentDocument, 'parentDocument must be a uuid');
if (index) ctx.assertPositiveInteger(index, 'index must be an integer (>=0)'); if (index) ctx.assertPositiveInteger(index, 'index must be an integer (>=0)');
const user = ctx.state.user;
const document = await Document.findById(id); const document = await Document.findById(id);
authorize(ctx.state.user, 'update', document); authorize(user, 'update', document);
const collection = document.collection; const collection = document.collection;
if (collection.type !== 'atlas') if (collection.type !== 'atlas')
throw httpErrors.BadRequest("This document can't be moved"); throw new InvalidRequestError('This document cant be moved');
// Set parent document // Set parent document
if (parentDocument) { if (parentDocument) {
const parent = await Document.findById(parentDocument); const parent = await Document.findById(parentDocument);
if (!parent || parent.atlasId !== document.atlasId) authorize(user, 'update', parent);
throw httpErrors.BadRequest(
'Invalid parentDocument (must be same collection)'
);
} }
if (parentDocument === id) if (parentDocument === id)
throw httpErrors.BadRequest('Infinite loop detected and prevented!'); throw new InvalidRequestError('Infinite loop detected and prevented!');
// If no parent document is provided, set it as null (move to root level) // If no parent document is provided, set it as null (move to root level)
document.parentDocumentId = parentDocument; document.parentDocumentId = parentDocument;
@ -327,27 +322,11 @@ router.post('documents.delete', auth(), async ctx => {
const collection = document.collection; const collection = document.collection;
if (collection.type === 'atlas') { if (collection.type === 'atlas') {
// Don't allow deletion of root docs
if (collection.documentStructure.length === 1) {
throw httpErrors.BadRequest(
"Unable to delete collection's only document"
);
}
// Delete document and all of its children // Delete document and all of its children
try {
await collection.removeDocument(document); await collection.removeDocument(document);
} catch (e) {
throw httpErrors.BadRequest('Error while deleting');
}
} }
// Delete the actual document
try {
await document.destroy(); await document.destroy();
} catch (e) {
throw httpErrors.BadRequest('Error while deleting document');
}
ctx.body = { ctx.body = {
success: true, success: true,

4
server/api/documents.test.js
View File

@ -312,7 +312,7 @@ describe('#documents.create', async () => {
expect(body.data.collection.documents[0].children[0].id).toBe(body.data.id); expect(body.data.collection.documents[0].children[0].id).toBe(body.data.id);
}); });
it('should create as a child', async () => { it('should error with invalid parentDocument', async () => {
const { user, collection } = await seed(); const { user, collection } = await seed();
const res = await server.post('/api/documents.create', { const res = await server.post('/api/documents.create', {
body: { body: {
@ -325,7 +325,7 @@ describe('#documents.create', async () => {
}); });
const body = await res.json(); const body = await res.json();
expect(res.status).toEqual(400); expect(res.status).toEqual(403);
expect(body).toMatchSnapshot(); expect(body).toMatchSnapshot();
}); });
}); });

8
server/api/hooks.js
View File

@ -1,6 +1,6 @@
// @flow // @flow
import Router from 'koa-router'; import Router from 'koa-router';
import httpErrors from 'http-errors'; import { AuthenticationError, InvalidRequestError } from '../errors';
import { Authentication, Document, User } from '../models'; import { Authentication, Document, User } from '../models';
import * as Slack from '../slack'; import * as Slack from '../slack';
const router = new Router(); const router = new Router();
@ -10,7 +10,7 @@ router.post('hooks.unfurl', async ctx => {
if (challenge) return (ctx.body = ctx.body.challenge); if (challenge) return (ctx.body = ctx.body.challenge);
if (token !== process.env.SLACK_VERIFICATION_TOKEN) if (token !== process.env.SLACK_VERIFICATION_TOKEN)
throw httpErrors.BadRequest('Invalid token'); throw new AuthenticationError('Invalid token');
// TODO: Everything from here onwards will get moved to an async job // TODO: Everything from here onwards will get moved to an async job
const user = await User.find({ where: { slackId: event.user } }); const user = await User.find({ where: { slackId: event.user } });
@ -50,7 +50,7 @@ router.post('hooks.slack', async ctx => {
ctx.assertPresent(text, 'text is required'); ctx.assertPresent(text, 'text is required');
if (token !== process.env.SLACK_VERIFICATION_TOKEN) if (token !== process.env.SLACK_VERIFICATION_TOKEN)
throw httpErrors.Unauthorized('Invalid token'); throw new AuthenticationError('Invalid token');
const user = await User.find({ const user = await User.find({
where: { where: {
@ -58,7 +58,7 @@ router.post('hooks.slack', async ctx => {
}, },
}); });
if (!user) throw httpErrors.BadRequest('Invalid user'); if (!user) throw new InvalidRequestError('Invalid user');
const documents = await Document.searchForUser(user, text, { const documents = await Document.searchForUser(user, text, {
limit: 5, limit: 5,

43
server/api/middlewares/authentication.js
View File

@ -1,20 +1,10 @@
// @flow // @flow
import httpErrors from 'http-errors';
import JWT from 'jsonwebtoken'; import JWT from 'jsonwebtoken';
import { type Context } from 'koa'; import { type Context } from 'koa';
import { User, ApiKey } from '../../models'; import { User, ApiKey } from '../../models';
import { AuthenticationError } from '../../errors';
type AuthOptions = { export default function auth() {
require?: boolean,
};
export default function auth(options: AuthOptions = {}) {
options = {
require: true,
...options,
};
return async function authMiddleware( return async function authMiddleware(
ctx: Context, ctx: Context,
next: () => Promise<void> next: () => Promise<void>
@ -32,12 +22,10 @@ export default function auth(options: AuthOptions = {}) {
token = credentials; token = credentials;
} }
} else { } else {
if (require) { throw new AuthenticationError(
throw httpErrors.Unauthorized(
`Bad Authorization header format. Format is "Authorization: Bearer <token>"` `Bad Authorization header format. Format is "Authorization: Bearer <token>"`
); );
} }
}
// $FlowFixMe // $FlowFixMe
} else if (ctx.body.token) { } else if (ctx.body.token) {
token = ctx.body.token; token = ctx.body.token;
@ -45,9 +33,7 @@ export default function auth(options: AuthOptions = {}) {
token = ctx.request.query.token; token = ctx.request.query.token;
} }
if (!token && require) { if (!token) throw new AuthenticationError('Authentication required');
throw httpErrors.Unauthorized('Authentication required');
}
if (token) { if (token) {
let user; let user;
@ -62,16 +48,13 @@ export default function auth(options: AuthOptions = {}) {
}, },
}); });
} catch (e) { } catch (e) {
throw httpErrors.Unauthorized('Invalid API key'); throw new AuthenticationError('Invalid API key');
} }
if (!apiKey) throw httpErrors.Unauthorized('Invalid API key'); if (!apiKey) throw new AuthenticationError('Invalid API key');
user = await User.findOne({ user = await User.findById(apiKey.userId);
where: { id: apiKey.userId }, if (!user) throw new AuthenticationError('Invalid API key');
});
if (!user) throw httpErrors.Unauthorized('Invalid API key');
} else { } else {
// JWT // JWT
// Get user without verifying payload signature // Get user without verifying payload signature
@ -79,19 +62,17 @@ export default function auth(options: AuthOptions = {}) {
try { try {
payload = JWT.decode(token); payload = JWT.decode(token);
} catch (e) { } catch (e) {
throw httpErrors.Unauthorized('Unable to decode JWT token'); throw new AuthenticationError('Unable to decode JWT token');
} }
if (!payload) throw httpErrors.Unauthorized('Invalid token'); if (!payload) throw new AuthenticationError('Invalid token');
user = await User.findOne({ user = await User.findById(payload.id);
where: { id: payload.id },
});
try { try {
JWT.verify(token, user.jwtSecret); JWT.verify(token, user.jwtSecret);
} catch (e) { } catch (e) {
throw httpErrors.Unauthorized('Invalid token'); throw new AuthenticationError('Invalid token');
} }
} }

24
server/errors.js
View File

@ -1,14 +1,10 @@
// @flow // @flow
import httpErrors from 'http-errors'; import httpErrors from 'http-errors';
export function ValidationError(message: string = 'Validation failed') { export function AuthenticationError(
return httpErrors(400, message, { id: 'validation_error' }); message: string = 'Invalid authentication'
}
export function ParamRequiredError(
message: string = 'Required parameter missing'
) { ) {
return httpErrors(400, message, { id: 'param_required' }); return httpErrors(401, message, { id: 'authentication_required' });
} }
export function AuthorizationError( export function AuthorizationError(
@ -23,6 +19,20 @@ export function AdminRequiredError(
return httpErrors(403, message, { id: 'admin_required' }); return httpErrors(403, message, { id: 'admin_required' });
} }
export function InvalidRequestError(message: string = 'Request invalid') {
return httpErrors(400, message, { id: 'invalid_request' });
}
export function NotFoundError(message: string = 'Resource not found') { export function NotFoundError(message: string = 'Resource not found') {
return httpErrors(404, message, { id: 'not_found' }); return httpErrors(404, message, { id: 'not_found' });
} }
export function ParamRequiredError(
message: string = 'Required parameter missing'
) {
return httpErrors(400, message, { id: 'param_required' });
}
export function ValidationError(message: string = 'Validation failed') {
return httpErrors(400, message, { id: 'validation_error' });
}