feat: Adds route-level role filtering. #3734

tommoor · 2022-07-05T07:14:05Z

Another layer in the onion of security and performance.

…security and performance

tommoor · 2022-07-05T07:14:23Z

app/components/Sidebar/App.tsx

-    documents.fetchDrafts();
-    documents.fetchTemplates();
-  }, [documents]);
+    if (!user.isViewer) {


Viewers do not need to load this data

tommoor · 2022-07-05T07:14:33Z

app/routes/authenticated.tsx

@@ -71,14 +77,24 @@ export default function AuthenticatedRoutes() {
          }
        >
          <Switch>
+            {can.createDocument && (


Viewers don't need these routes mounted

tommoor · 2022-07-05T07:14:56Z

server/middlewares/authentication.ts

      // not awaiting the promise here so that the request is not blocked
-      user.updateActiveAt(ctx.request.ip);
+      user.updateActiveAt(ctx.request.ip).catch((err) => {


I hanve't seen any issues here, but good practice to catch all non-awaited promises

tommoor · 2022-07-05T07:16:26Z

server/routes/auth/providers/slack.ts

          return ctx.redirect(
-            `${team!.url}/auth${ctx.request.path}?${ctx.request.querystring}`


Removing ! where possible

tommoor · 2022-07-05T07:16:40Z

server/routes/auth/providers/slack.ts

            return ctx.redirect(
-              `${team!.url}/auth${ctx.request.path}?${ctx.request.querystring}`


Removing ! where possible

tommoor · 2022-07-05T07:17:42Z

server/routes/api/fileOperations.ts

@@ -13,7 +13,7 @@ import pagination from "./middlewares/pagination";

 const router = new Router();

-router.post("fileOperations.info", auth(), async (ctx) => {
+router.post("fileOperations.info", auth({ admin: true }), async (ctx) => {


Note: These routes are already authorized via policies, but this is another "layer" of security by restricting the role so early on.

tommoor · 2022-07-05T07:18:06Z

server/routes/api/documents.test.ts

@@ -1432,12 +1433,76 @@ describe("#documents.archived", () => {
    expect(body.data.length).toEqual(0);
  });

+  it("should require member", async () => {


Fixes a bug where viewers could load archived docs via API but not see them in the UI

tommoor · 2022-07-05T07:18:12Z

server/routes/api/documents.test.ts

+    expect(body.data.length).toEqual(0);
+  });
+
+  it("should require member", async () => {


Fixes a bug where viewers could load trashed docs via API but not see them in the UI

feat: Adds route-level role filtering. Another layer in the onion of …

9dc10b8

…security and performance

tommoor commented Jul 5, 2022

View reviewed changes

tommoor marked this pull request as ready for review July 5, 2022 07:18

fix: Regression in authentication middleware

1649257

tommoor merged commit 831df67 into main Jul 5, 2022

delete-merged-branch bot deleted the tom/feat-route-role-filtering branch July 5, 2022 19:26

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Adds route-level role filtering. #3734

feat: Adds route-level role filtering. #3734

tommoor commented Jul 5, 2022

tommoor Jul 5, 2022

tommoor Jul 5, 2022

tommoor Jul 5, 2022 •

edited

tommoor Jul 5, 2022

tommoor Jul 5, 2022

tommoor Jul 5, 2022

tommoor Jul 5, 2022

tommoor Jul 5, 2022

		return ctx.redirect(
		`${team!.url}/auth${ctx.request.path}?${ctx.request.querystring}`

feat: Adds route-level role filtering. #3734

feat: Adds route-level role filtering. #3734

Conversation

tommoor commented Jul 5, 2022

tommoor Jul 5, 2022

Choose a reason for hiding this comment

tommoor Jul 5, 2022

Choose a reason for hiding this comment

tommoor Jul 5, 2022 • edited

Choose a reason for hiding this comment

tommoor Jul 5, 2022

Choose a reason for hiding this comment

tommoor Jul 5, 2022

Choose a reason for hiding this comment

tommoor Jul 5, 2022

Choose a reason for hiding this comment

tommoor Jul 5, 2022

Choose a reason for hiding this comment

tommoor Jul 5, 2022

Choose a reason for hiding this comment

tommoor Jul 5, 2022 •

edited