const { Helper, newEnforcer, newModel } = require('casbin');
const jwt = require('jsonwebtoken');
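/**
 * Casbin adapter that reads its policy from the `policy` claim of a decoded
 * JWT. The adapter is transient: the policy exists only inside the token, so
 * every mutating operation (save/add/remove) throws. The payload is expected
 * to come from a successful `jwt.verify`, which is what makes trusting the
 * `policy` claim acceptable.
 *
 * @param {object} decodedToken - Decoded JWT payload. `policy` should hold
 *   newline-separated Casbin policy lines (constructed example:
 *   `p, alice, /data, GET`).
 */
const CasbinJWTAdapter = function(decodedToken) {
  this.decodedToken = decodedToken;

  /**
   * Feeds every non-blank line of the token's `policy` claim into `model`.
   *
   * @param {object} model - Casbin model that receives the policy lines.
   * @throws {Error} when no token was given, or when the token carries no
   *   string `policy` claim (previously a bare TypeError from `.split`).
   */
  this.loadPolicy = function(model) {
    if (!this.decodedToken) {
      throw new Error('invalid Token. Token must be provided');
    }
    // Read through `this` so the guard above and the data below refer to the
    // same token; the original read the constructor argument directly.
    const { policy } = this.decodedToken;
    if (typeof policy !== 'string') {
      throw new Error('invalid Token. Token must carry a string `policy` claim');
    }
    for (const rawLine of policy.split('\n')) {
      const line = rawLine.trim();
      if (line) {
        // Helper.loadPolicyLine is casbin's own parser for one policy line.
        Helper.loadPolicyLine(line, model);
      }
    }
  };

  /** @throws {Error} always; the policy cannot be written back into a token. */
  this.savePolicy = function() {
    throw new Error("Transient adapter; cannot save");
  };

  /** @throws {Error} always; see savePolicy. */
  this.addPolicy = function() {
    throw new Error("Transient adapter; cannot add");
  };

  /** @throws {Error} always; see savePolicy. */
  this.removePolicy = function() {
    throw new Error("Transient adapter; cannot remove");
  };

  /** @throws {Error} always; see savePolicy. */
  this.removeFilteredPolicy = function() {
    throw new Error("Transient adapter; cannot remove");
  };
};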
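/**
 * Builds an Express middleware that authenticates the request with a JWT and
 * then authorizes it with a Casbin enforcer whose policy is carried in the
 * token's `policy` claim (see CasbinJWTAdapter).
 *
 * @param {string|{fromText: string}} modelSource - Casbin model, either a
 *   file path or an object whose `fromText` holds the model definition.
 * @param {string} jwtSecret - Key passed to `jwt.verify`.
 * @param {string|RegExp} [ignoredPathsRegex] - Requests whose `originalUrl`
 *   matches are passed through without authentication or authorization.
 * @returns {Function} `(req, res, next)` Express middleware.
 */
module.exports = function(modelSource, jwtSecret, ignoredPathsRegex) {
  return async (req, res, next) => {
    // Bypass for ignored paths. The pattern is tested against the full
    // originalUrl (path plus query string) and nothing here anchors it, so
    // callers should anchor their pattern (e.g. `^/public/`) to keep the
    // bypass narrow.
    if (ignoredPathsRegex) {
      const pattern = typeof ignoredPathsRegex === 'string'
        ? new RegExp(ignoredPathsRegex, 'g')
        : ignoredPathsRegex;
      if (req.originalUrl.match(pattern)) {
        return next();
      }
    }

    // Token extraction. Control flow is kept exactly as before: a missing
    // Authorization header is rejected outright, so the `token` query
    // parameter is only consulted when a non-Bearer Authorization header is
    // present. Widening that fallback would put bearer tokens into URLs and
    // access logs, so it is deliberately left as-is.
    let token = null;
    const { authorization } = req.headers;
    if (!authorization) {
      console.error("No HTTP Authorization Header found. To be handled by the casbin-jwt-express middleware, the request must have a Authorization HTTP Header with the format `Bearer <JWT_TOKEN>`. This request didn't have it.");
      return res.status(400).send({ auth: false, message: 'Unauthorized access.' });
    } else if (authorization.split(' ')[0] === 'Bearer') {
      token = authorization.split(' ')[1];
    } else if (req.query && req.query.token) {
      token = req.query.token;
    } else {
      console.error("No JWT Token Found. To be handled by the casbin-jwt-express middleware, the request must have a Authorization HTTP Header with the format `Bearer <JWT_TOKEN>` or have a TOKEN provided as a query param in the URL. This request didn't have either of it.");
      return res.status(400).send({ auth: false, message: 'Unauthorized access.' });
    }

    // A string is a model file path; otherwise the model text is inline.
    const model = typeof modelSource === 'string'
      ? newModel(modelSource, '')
      : newModel(modelSource.fromText);

    // NOTE(review): verify() is called without an `algorithms` option, so the
    // accepted algorithm set is whatever jsonwebtoken derives from the key
    // type; pinning `{ algorithms: [...] }` to the algorithm actually used to
    // sign these tokens is the usual hardening and is worth confirming.
    jwt.verify(token, jwtSecret, async (err, decoded) => {
      if (err) {
        console.error(err);
        return res.status(401).send({ auth: false, message: 'Unauthorized access.' });
      }

      const { originalUrl: path, method } = req;
      const username = token ? decoded.sub : 'anonymous';

      let allowed;
      try {
        const enforcer = await newEnforcer(model, new CasbinJWTAdapter(decoded));
        // enforce() returns a Promise in newer node-casbin releases. A bare
        // Promise is always truthy, so it must be awaited; otherwise the check
        // would fail open and allow every request. Awaiting a plain boolean
        // (older releases) is harmless.
        allowed = await enforcer.enforce(username, path, method);
      } catch (e) {
        // A token without a usable policy claim, a bad model, etc. used to
        // surface as an unhandled rejection; hand them to Express instead.
        return next(e);
      }

      if (allowed) {
        next();
      } else {
        return res.status(403).send({ auth: false, message: 'Unauthorized access.' });
      }
    });
  };
};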