Auth scopes

src/core/domains/console/commands/ListRoutesCommand.ts

@@ -9,12 +9,11 @@ export default class ListRoutesCommand extends BaseCommand {
 
     public keepProcessAlive = false;
 
-
     /**
      * Execute the command
      */
     async execute() {
-        const showDetails = (this.getArguementByKey('details')?.value ?? false) !== false;
+        const showDetails = this.parsedArgumenets.find(arg => ['--details', '--d', '--detailed'].includes(arg.value));
         const expressService = App.container('express')
 
         this.input.clearScreen();
@@ -27,8 +26,10 @@ export default class ListRoutesCommand extends BaseCommand {
                 this.input.writeLine(`  Name: ${route.name}`);
                 this.input.writeLine(`  Method: ${route.method}`);
                 this.input.writeLine(`  Action: ${route.action.name}`);
-                this.input.writeLine(`  Middleware: ${route.middlewares?.map(m => m.name).join(', ')}`);
-                this.input.writeLine(`  Validators: ${route.validator?.name ?? 'None'}`);
+                this.input.writeLine(`  Middleware: [${route.middlewares?.map(m => m.name).join(', ') ?? ''}]`);
+                this.input.writeLine(`  Validators: [${route.validator?.name ?? ''}]`);
+                this.input.writeLine(`  Scopes: [${route.scopes?.join(', ') ?? ''}]`);
+                this.input.writeLine(`  Security: [${route.security?.map(s => s.id).join(', ')}]`);
                 this.input.writeLine();
                 return;
             }

src/core/domains/express/actions/resourceCreate.ts

@@ -4,8 +4,9 @@ import { IRouteResourceOptions } from '@src/core/domains/express/interfaces/IRou
 import responseError from '@src/core/domains/express/requests/responseError';
 import { RouteResourceTypes } from '@src/core/domains/express/routing/RouteResource';
 import CurrentRequest from '@src/core/domains/express/services/CurrentRequest';
-import { ALWAYS, SecurityIdentifiers } from '@src/core/domains/express/services/Security';
+import { ALWAYS } from '@src/core/domains/express/services/Security';
 import SecurityReader from '@src/core/domains/express/services/SecurityReader';
+import { SecurityIdentifiers } from '@src/core/domains/express/services/SecurityRules';
 import { BaseRequest } from "@src/core/domains/express/types/BaseRequest.t";
 import { Response } from 'express';
 
@@ -21,7 +22,7 @@ import { Response } from 'express';
 export default async (req: BaseRequest, res: Response, options: IRouteResourceOptions): Promise<void> => {
     try {
         const resourceOwnerSecurity = SecurityReader.findFromRouteResourceOptions(options, SecurityIdentifiers.RESOURCE_OWNER, [RouteResourceTypes.CREATE]);
-        const authorizationSecurity = SecurityReader.findFromRouteResourceOptions(options, SecurityIdentifiers.AUTHORIZATION, [RouteResourceTypes.CREATE, ALWAYS]);
+        const authorizationSecurity = SecurityReader.findFromRouteResourceOptions(options, SecurityIdentifiers.AUTHORIZED, [RouteResourceTypes.CREATE, ALWAYS]);
 
         if(authorizationSecurity && !authorizationSecurity.callback(req)) {
             responseError(req, res, new UnauthorizedError(), 401)

src/core/domains/express/actions/resourceDelete.ts

@@ -4,8 +4,9 @@ import UnauthorizedError from '@src/core/domains/auth/exceptions/UnauthorizedErr
 import { IRouteResourceOptions } from '@src/core/domains/express/interfaces/IRouteResourceOptions';
 import responseError from '@src/core/domains/express/requests/responseError';
 import { RouteResourceTypes } from '@src/core/domains/express/routing/RouteResource';
-import { ALWAYS, SecurityIdentifiers } from '@src/core/domains/express/services/Security';
+import { ALWAYS } from '@src/core/domains/express/services/Security';
 import SecurityReader from '@src/core/domains/express/services/SecurityReader';
+import { SecurityIdentifiers } from '@src/core/domains/express/services/SecurityRules';
 import { BaseRequest } from "@src/core/domains/express/types/BaseRequest.t";
 import ModelNotFound from '@src/core/exceptions/ModelNotFound';
 import { Response } from 'express';
@@ -21,7 +22,7 @@ import { Response } from 'express';
 export default async (req: BaseRequest, res: Response, options: IRouteResourceOptions): Promise<void> => {
     try {
         const resourceOwnerSecurity = SecurityReader.findFromRouteResourceOptions(options, SecurityIdentifiers.RESOURCE_OWNER, [RouteResourceTypes.DESTROY]);
-        const authorizationSecurity = SecurityReader.findFromRouteResourceOptions(options, SecurityIdentifiers.AUTHORIZATION, [RouteResourceTypes.DESTROY, ALWAYS]);
+        const authorizationSecurity = SecurityReader.findFromRouteResourceOptions(options, SecurityIdentifiers.AUTHORIZED, [RouteResourceTypes.DESTROY, ALWAYS]);
 
         if(authorizationSecurity && !authorizationSecurity.callback(req)) {
             responseError(req, res, new UnauthorizedError(), 401)

src/core/domains/express/actions/resourceIndex.ts

@@ -4,8 +4,9 @@ import { IRouteResourceOptions } from '@src/core/domains/express/interfaces/IRou
 import responseError from '@src/core/domains/express/requests/responseError';
 import { RouteResourceTypes } from '@src/core/domains/express/routing/RouteResource';
 import CurrentRequest from '@src/core/domains/express/services/CurrentRequest';
-import { ALWAYS, SecurityIdentifiers } from '@src/core/domains/express/services/Security';
+import { ALWAYS } from '@src/core/domains/express/services/Security';
 import SecurityReader from '@src/core/domains/express/services/SecurityReader';
+import { SecurityIdentifiers } from '@src/core/domains/express/services/SecurityRules';
 import { BaseRequest } from "@src/core/domains/express/types/BaseRequest.t";
 import { IModel } from '@src/core/interfaces/IModel';
 import IModelData from '@src/core/interfaces/IModelData';
@@ -30,7 +31,7 @@ const formatResults = (results: IModel<IModelData>[]) => results.map(result => r
 export default async (req: BaseRequest, res: Response, options: IRouteResourceOptions): Promise<void> => {
     try {
         const resourceOwnerSecurity = SecurityReader.findFromRouteResourceOptions(options, SecurityIdentifiers.RESOURCE_OWNER, [RouteResourceTypes.ALL])
-        const authorizationSecurity = SecurityReader.findFromRouteResourceOptions(options, SecurityIdentifiers.AUTHORIZATION, [RouteResourceTypes.ALL, ALWAYS]);
+        const authorizationSecurity = SecurityReader.findFromRouteResourceOptions(options, SecurityIdentifiers.AUTHORIZED, [RouteResourceTypes.ALL, ALWAYS]);
 
         if(authorizationSecurity && !authorizationSecurity.callback(req)) {
             responseError(req, res, new UnauthorizedError(), 401)

src/core/domains/express/actions/resourceShow.ts

@@ -5,8 +5,9 @@ import { IRouteResourceOptions } from '@src/core/domains/express/interfaces/IRou
 import responseError from '@src/core/domains/express/requests/responseError';
 import { RouteResourceTypes } from '@src/core/domains/express/routing/RouteResource';
 import CurrentRequest from '@src/core/domains/express/services/CurrentRequest';
-import { ALWAYS, SecurityIdentifiers } from '@src/core/domains/express/services/Security';
+import { ALWAYS } from '@src/core/domains/express/services/Security';
 import SecurityReader from '@src/core/domains/express/services/SecurityReader';
+import { SecurityIdentifiers } from '@src/core/domains/express/services/SecurityRules';
 import { BaseRequest } from "@src/core/domains/express/types/BaseRequest.t";
 import ModelNotFound from '@src/core/exceptions/ModelNotFound';
 import { IModel } from '@src/core/interfaces/IModel';
@@ -23,7 +24,7 @@ import { Response } from 'express';
 export default async (req: BaseRequest, res: Response, options: IRouteResourceOptions): Promise<void> => {
     try {
         const resourceOwnerSecurity = SecurityReader.findFromRouteResourceOptions(options, SecurityIdentifiers.RESOURCE_OWNER, [RouteResourceTypes.SHOW]);
-        const authorizationSecurity = SecurityReader.findFromRouteResourceOptions(options, SecurityIdentifiers.AUTHORIZATION, [RouteResourceTypes.SHOW, ALWAYS]);
+        const authorizationSecurity = SecurityReader.findFromRouteResourceOptions(options, SecurityIdentifiers.AUTHORIZED, [RouteResourceTypes.SHOW, ALWAYS]);
 
         if(authorizationSecurity && !authorizationSecurity.callback(req)) {
             responseError(req, res, new UnauthorizedError(), 401)

src/core/domains/express/actions/resourceUpdate.ts

@@ -5,8 +5,9 @@ import MissingSecurityError from '@src/core/domains/express/exceptions/MissingSe
 import { IRouteResourceOptions } from '@src/core/domains/express/interfaces/IRouteResourceOptions';
 import responseError from '@src/core/domains/express/requests/responseError';
 import { RouteResourceTypes } from '@src/core/domains/express/routing/RouteResource';
-import { ALWAYS, SecurityIdentifiers } from '@src/core/domains/express/services/Security';
+import { ALWAYS } from '@src/core/domains/express/services/Security';
 import SecurityReader from '@src/core/domains/express/services/SecurityReader';
+import { SecurityIdentifiers } from '@src/core/domains/express/services/SecurityRules';
 import { BaseRequest } from "@src/core/domains/express/types/BaseRequest.t";
 import ModelNotFound from '@src/core/exceptions/ModelNotFound';
 import { IModel } from '@src/core/interfaces/IModel';
@@ -23,7 +24,7 @@ import { Response } from 'express';
 export default async (req: BaseRequest, res: Response, options: IRouteResourceOptions): Promise<void> => {
     try {
         const resourceOwnerSecurity = SecurityReader.findFromRouteResourceOptions(options, SecurityIdentifiers.RESOURCE_OWNER, [RouteResourceTypes.UPDATE]);
-        const authorizationSecurity = SecurityReader.findFromRouteResourceOptions(options, SecurityIdentifiers.AUTHORIZATION, [RouteResourceTypes.UPDATE, ALWAYS]);
+        const authorizationSecurity = SecurityReader.findFromRouteResourceOptions(options, SecurityIdentifiers.AUTHORIZED, [RouteResourceTypes.UPDATE, ALWAYS]);
 
         if(authorizationSecurity && !authorizationSecurity.callback(req)) {
             responseError(req, res, new UnauthorizedError(), 401)

src/core/domains/express/interfaces/IRoute.ts

@@ -5,10 +5,12 @@ import { Middleware } from '@src/core/interfaces/Middleware.t';
 
 export interface IRoute {
     name: string;
-    resourceType?: string;
     path: string;
     method: 'get' | 'post' | 'put' | 'patch' | 'delete';
     action: IRouteAction;
+    resourceType?: string;
+    scopes?: string[];
+    scopesSecurityEnabled?: boolean;
     middlewares?: Middleware[];
     validator?: ValidatorCtor;
     validateBeforeAction?: boolean;

src/core/domains/express/interfaces/IRouteResourceOptions.ts

@@ -1,16 +1,18 @@
-import { IdentifiableSecurityCallback } from "@src/core/domains/auth/services/Security";
 import { IRoute } from "@src/core/domains/express/interfaces/IRoute";
+import { IIdentifiableSecurityCallback } from "@src/core/domains/express/interfaces/ISecurity";
 import { ValidatorCtor } from "@src/core/domains/validator/types/ValidatorCtor";
 import { IModel, ModelConstructor } from "@src/core/interfaces/IModel";
 
 export type ResourceType = 'index' | 'create' | 'update' | 'show' | 'delete';
 
 export interface IRouteResourceOptions extends Pick<IRoute, 'middlewares'> {
+    name: string;
+    resource: ModelConstructor<IModel>;
     except?: ResourceType[];
     only?: ResourceType[];
-    resource: ModelConstructor<IModel>;
-    name: string;
     createValidator?: ValidatorCtor;
     updateValidator?: ValidatorCtor;
-    security?: IdentifiableSecurityCallback[];
+    security?: IIdentifiableSecurityCallback[];
+    scopes?: string[];
+    scopesSecurityEnabled?: boolean;
 }

src/core/domains/express/interfaces/ISecurity.ts

@@ -21,6 +21,9 @@ export type SecurityCallback = (req: BaseRequest, ...args: any[]) => boolean;
 export type IIdentifiableSecurityCallback = {
     // The identifier for the security callback.
     id: string;
+    // Include another security rule in the callback.
+    //  TODO: We could add another type here 'alsoArguments' if extra parameters are required
+    also?: string;
     // The condition for when the security check should be executed. Defaults to 'always'.
     when: string[] | null;
     // The condition for when the security check should never be executed.

src/core/domains/express/middleware/securityMiddleware.ts

@@ -4,8 +4,9 @@ import AuthRequest from '@src/core/domains/auth/services/AuthRequest';
 import { IRoute } from '@src/core/domains/express/interfaces/IRoute';
 import { ISecurityMiddleware } from '@src/core/domains/express/interfaces/ISecurity';
 import responseError from '@src/core/domains/express/requests/responseError';
-import { ALWAYS, SecurityIdentifiers } from '@src/core/domains/express/services/Security';
+import { ALWAYS } from '@src/core/domains/express/services/Security';
 import SecurityReader from '@src/core/domains/express/services/SecurityReader';
+import { SecurityIdentifiers } from '@src/core/domains/express/services/SecurityRules';
 import { BaseRequest } from '@src/core/domains/express/types/BaseRequest.t';
 import { NextFunction, Response } from 'express';
 
@@ -17,23 +18,23 @@ const bindSecurityToRequest = (route: IRoute, req: BaseRequest) => {
 /**
  * Applies the authorization security check on the request.
  */
-const applyAuthorizeSecurity = async (route: IRoute, req: BaseRequest, res: Response): Promise<void> => {
+const applyAuthorizeSecurity = async (route: IRoute, req: BaseRequest, res: Response): Promise<void | null> => {
 
     const conditions = [ALWAYS]
 
     if(route.resourceType) {
         conditions.push(route.resourceType)
     }
 
-    const authorizeSecurity = SecurityReader.findFromRequest(req, SecurityIdentifiers.AUTHORIZATION, conditions);
+    const authorizeSecurity = SecurityReader.findFromRequest(req, SecurityIdentifiers.AUTHORIZED, conditions);
 
     if (authorizeSecurity) {
         try {
             req = await AuthRequest.attemptAuthorizeRequest(req);
 
             if(!authorizeSecurity.callback(req)) {
                 responseError(req, res, new UnauthorizedError(), 401);
-                return;
+                return null;
             }
         }
         catch (err) {
@@ -61,6 +62,23 @@ const applyHasRoleSecurity = (req: BaseRequest, res: Response): void | null => {
 
 }
 
+/**
+ * Checks if the hasRole security has been defined and validates it.
+ * If the hasRole security is defined and the validation fails, it will send a 403 response with a ForbiddenResourceError.
+ */
+const applyHasScopeSecurity = (req: BaseRequest, res: Response): void | null => {
+
+    // Check if the hasRole security has been defined and validate
+    const securityHasScope = SecurityReader.findFromRequest(req, SecurityIdentifiers.HAS_SCOPE);
+
+    if (securityHasScope && !securityHasScope.callback(req)) {
+        responseError(req, res, new ForbiddenResourceError(), 403)
+        return null;
+    }
+
+}
+
+
 /**
  * This middleware will check the security definition of the route and validate it.
  * If the security definition is not valid, it will throw an UnauthorizedError.
@@ -80,7 +98,9 @@ export const securityMiddleware: ISecurityMiddleware = ({ route }) => async (req
          * Authorizes the user
          * Depending on option 'throwExceptionOnUnauthorized', can allow continue processing on failed auth
          */
-        await applyAuthorizeSecurity(route, req, res)
+        if(await applyAuthorizeSecurity(route, req, res) === null) {
+            return;
+        }
 
         /**
          * Check if the authorized user passes the has role security
@@ -89,6 +109,13 @@ export const securityMiddleware: ISecurityMiddleware = ({ route }) => async (req
             return;
         }
 
+        /**
+         * Check if the authorized user passes the has scope security
+         */
+        if(applyHasScopeSecurity(req, res) === null) {
+            return;
+        }
+
         /**
          * Security is OK, continue
          */

src/core/domains/express/routing/RouteResource.ts

@@ -8,6 +8,7 @@ import { IRoute } from "@src/core/domains/express/interfaces/IRoute";
 import { IRouteResourceOptions } from "@src/core/domains/express/interfaces/IRouteResourceOptions";
 import Route from "@src/core/domains/express/routing/Route";
 import RouteGroup from "@src/core/domains/express/routing/RouteGroup";
+import RouteResourceScope from "@src/core/domains/express/routing/RouteResourceScope";
 import routeGroupUtil from "@src/core/domains/express/utils/routeGroupUtil";
 
 /**
@@ -40,11 +41,22 @@ export const RouteResourceTypes = {
 const RouteResource = (options: IRouteResourceOptions): IRoute[] => {
     const name = options.name.startsWith('/') ? options.name.slice(1) : options.name
 
+    const {
+        scopes = [],
+        scopesSecurityEnabled = false
+    } = options;
+
     const routes = RouteGroup([
-    // Get all resources
+        // Get all resources
         Route({
             name: `${name}.index`,
             resourceType: RouteResourceTypes.ALL,
+            scopes: RouteResourceScope.getScopes({
+                name,
+                types: 'read',
+                additionalScopes: scopes
+            }),
+            scopesSecurityEnabled,
             method: 'get',
             path: `/${name}`,
             action: resourceAction(options, resourceIndex),
@@ -55,6 +67,12 @@ const RouteResource = (options: IRouteResourceOptions): IRoute[] => {
         Route({
             name: `${name}.show`,
             resourceType: RouteResourceTypes.SHOW,
+            scopes: RouteResourceScope.getScopes({
+                name,
+                types: 'read',
+                additionalScopes: scopes
+            }),
+            scopesSecurityEnabled,
             method: 'get',
             path: `/${name}/:id`,
             action: resourceAction(options, resourceShow),
@@ -65,6 +83,12 @@ const RouteResource = (options: IRouteResourceOptions): IRoute[] => {
         Route({
             name: `${name}.update`,
             resourceType: RouteResourceTypes.UPDATE,
+            scopes: RouteResourceScope.getScopes({
+                name,
+                types: 'write',
+                additionalScopes: scopes
+            }),
+            scopesSecurityEnabled,
             method: 'put',
             path: `/${name}/:id`,
             action: resourceAction(options, resourceUpdate),
@@ -76,6 +100,12 @@ const RouteResource = (options: IRouteResourceOptions): IRoute[] => {
         Route({
             name: `${name}.destroy`,
             resourceType: RouteResourceTypes.DESTROY,
+            scopes: RouteResourceScope.getScopes({
+                name,
+                types: 'delete',
+                additionalScopes: scopes
+            }),
+            scopesSecurityEnabled,
             method: 'delete',
             path: `/${name}/:id`,
             action: resourceAction(options, resourceDelete),
@@ -86,6 +116,12 @@ const RouteResource = (options: IRouteResourceOptions): IRoute[] => {
         Route({
             name: `${name}.create`,
             resourceType: RouteResourceTypes.CREATE,
+            scopes: RouteResourceScope.getScopes({
+                name,
+                types: 'read',
+                additionalScopes: scopes
+            }),
+            scopesSecurityEnabled,
             method: 'post',
             path: `/${name}`,
             action: resourceAction(options, resourceCreate),