✨ Add authorization helpers

Author: AnandChowdhary

src/crud/user.ts

@@ -90,16 +90,21 @@ export const addApprovedLocation = async (
     subnet,
     createdAt: new Date()
   };
+  deleteItemFromCache(CacheCategories.APPROVE_LOCATIONS, userId);
+  deleteItemFromCache(CacheCategories.APPROVE_LOCATION, subnet);
   return await query(
     `INSERT INTO \`approved-locations\` ${tableValues(subnetLocation)}`,
     Object.values(subnetLocation)
   );
 };
 
 export const getUserApprovedLocations = async (userId: number) => {
-  return await query("SELECT * FROM `approved-locations` WHERE userId = ?", [
-    userId
-  ]);
+  return await cachedQuery(
+    CacheCategories.APPROVE_LOCATIONS,
+    userId,
+    "SELECT * FROM `approved-locations` WHERE userId = ?",
+    [userId]
+  );
 };
 
 export const checkApprovedLocation = async (
@@ -108,7 +113,9 @@ export const checkApprovedLocation = async (
 ) => {
   const subnet = anonymizeIpAddress(ipAddress);
   const approvedLocations = <ApprovedLocation[]>(
-    await query(
+    await cachedQuery(
+      CacheCategories.APPROVE_LOCATION,
+      subnet,
       "SELECT * FROM `approved-locations` WHERE userId = ? AND subnet = ? LIMIT 1",
       [userId, subnet]
     )

src/helpers/authorization.ts

@@ -0,0 +1,149 @@
+import { User } from "../interfaces/tables/user";
+import { Organization } from "../interfaces/tables/organization";
+import {
+  ErrorCode,
+  Authorizations,
+  UserRole,
+  MembershipRole
+} from "../interfaces/enum";
+import { getUser } from "../crud/user";
+import { getUserMembershipObject, getMembership } from "../crud/membership";
+import { getOrganization } from "../crud/organization";
+import { Membership } from "../interfaces/tables/memberships";
+
+const canUserUser = async (
+  user: User,
+  action: Authorizations,
+  target: User
+) => {
+  // A super user can do anything
+  if (user.role == UserRole.ADMIN) return true;
+
+  // A user can do anything to herself
+  if (user.id === target.id) return true;
+
+  const userMembership = await getUserMembershipObject(user);
+  const userOrganizationId = userMembership.organizationId;
+  const targetMembership = await getUserMembershipObject(target);
+  const targetOrganizationId = targetMembership.organizationId;
+
+  // A reseller can view/edit/delete users in her organization
+  if (
+    userOrganizationId === targetOrganizationId &&
+    user.role == UserRole.RESELLER &&
+    action != Authorizations.IMPERSONATE
+  )
+    return true;
+
+  if (action == Authorizations.READ) {
+    // A user can read another user in the same organization, as long as they're not a basic member
+    if (
+      userOrganizationId === targetOrganizationId &&
+      userMembership.role != MembershipRole.BASIC
+    )
+      return true;
+  }
+
+  return false;
+};
+
+const canUserOrganization = async (
+  user: User,
+  action: Authorizations,
+  target: Organization
+) => {
+  // A super user can do anything
+  if (user.role == UserRole.ADMIN) return true;
+
+  const membership = await getUserMembershipObject(user);
+
+  // A non-member cannot do anything
+  if (membership.organizationId != target.id) return false;
+
+  // An organization owner can do anything
+  if (membership.role == MembershipRole.OWNER) return true;
+
+  // An organization admin can do anything too
+  if (membership.role == MembershipRole.ADMIN) return true;
+
+  // An organization manager can do anything but delete
+  if (
+    membership.role == MembershipRole.MANAGER &&
+    action != Authorizations.DELETE
+  )
+    return true;
+
+  // An organization member can read, not edit/delete/invite
+  if (membership.role == MembershipRole.MEMBER && action == Authorizations.READ)
+    return true;
+
+  return false;
+};
+
+const canUserMembership = async (
+  user: User,
+  action: Authorizations,
+  target: Membership
+) => {
+  // A super user can do anything
+  if (user.role == UserRole.ADMIN) return true;
+
+  // A member can do anything to herself
+  if (user.id == target.userId) return true;
+
+  const membership = await getUserMembershipObject(user);
+
+  // A different organization member cannot edit a membership
+  if (membership.organizationId != target.organizationId) return false;
+
+  // An admin, owner, or manager can edit
+  if (
+    [
+      MembershipRole.OWNER,
+      MembershipRole.ADMIN,
+      MembershipRole.MANAGER
+    ].includes(membership.role)
+  )
+    return true;
+
+  return false;
+};
+
+export const can = async (
+  user: User | number,
+  action: Authorizations,
+  targetType: "user" | "organization" | "membership",
+  target: User | Organization | Membership | number
+) => {
+  let userObject;
+  if (typeof user === "number") {
+    userObject = await getUser(user);
+  } else {
+    userObject = user;
+  }
+  let targetObject;
+  if (typeof target === "string") target = parseInt(target);
+  if (typeof target == "number") {
+    if (targetType === "user") {
+      targetObject = await getUser(target);
+    } else if (targetType === "organization") {
+      targetObject = await getOrganization(target);
+    } else {
+      targetObject = await getMembership(target);
+    }
+  } else {
+    targetObject = target;
+  }
+  if (!userObject.id) throw new Error(ErrorCode.USER_NOT_FOUND);
+  if (targetType === "user") {
+    return await canUserUser(userObject, action, <User>targetObject);
+  } else if (targetType === "organization") {
+    return await canUserOrganization(userObject, action, <Organization>(
+      targetObject
+    ));
+  } else {
+    return await canUserMembership(userObject, action, <Membership>(
+      targetObject
+    ));
+  }
+};

src/helpers/cache.ts

@@ -8,16 +8,19 @@ const cache = new NodeCache({
   checkperiod: CACHE_CHECK_PERIOD
 });
 
-const generateKey = (category: string, item: number | string) =>
+const generateKey = (category: CacheCategories, item: number | string) =>
   `${category}_${item}`;
 
-export const getItemFromCache = (category: string, item: number | string) => {
+export const getItemFromCache = (
+  category: CacheCategories,
+  item: number | string
+) => {
   const key = generateKey(category, item);
   return cache.get(key);
 };
 
 export const storeItemInCache = (
-  category: string,
+  category: CacheCategories,
   item: number | string,
   value: any
 ) => {
@@ -26,7 +29,7 @@ export const storeItemInCache = (
 };
 
 export const deleteItemFromCache = (
-  category: string,
+  category: CacheCategories,
   item: number | string
 ) => {
   const key = generateKey(category, item);

src/helpers/jwt.ts

@@ -64,28 +64,35 @@ export const refreshToken = (id: number) =>
 
 export const getLoginResponse = async (
   user: User,
-  type: EventType,
-  strategy: string,
-  locals: Locals
+  type?: EventType,
+  strategy?: string,
+  locals?: Locals
 ) => {
   if (!user.id) throw new Error(ErrorCode.USER_NOT_FOUND);
   const verifiedEmails = await getUserVerifiedEmails(user);
   if (!verifiedEmails.length) throw new Error(ErrorCode.UNVERIFIED_EMAIL);
-  if (!(await checkApprovedLocation(user.id, locals.ipAddress))) {
-    await mail(await getUserPrimaryEmail(user), Templates.UNAPPROVED_LOCATION, {
-      ...user,
-      token: await approveLocationToken(user.id)
-    });
-    throw new Error(ErrorCode.UNAPPROVED_LOCATION);
+  if (locals) {
+    if (!(await checkApprovedLocation(user.id, locals.ipAddress))) {
+      await mail(
+        await getUserPrimaryEmail(user),
+        Templates.UNAPPROVED_LOCATION,
+        {
+          ...user,
+          token: await approveLocationToken(user.id)
+        }
+      );
+      throw new Error(ErrorCode.UNAPPROVED_LOCATION);
+    }
   }
-  await createEvent(
-    {
-      userId: user.id,
-      type,
-      data: { strategy }
-    },
-    locals
-  );
+  if (type && strategy && locals)
+    await createEvent(
+      {
+        userId: user.id,
+        type,
+        data: { strategy }
+      },
+      locals
+    );
   try {
     return {
       token: await loginToken(deleteSensitiveInfoUser(user)),

src/interfaces/enum.ts

@@ -78,5 +78,16 @@ export enum CacheCategories {
   USER_EVENT = "user-event",
   ORGANIZATION_MEMBERSHIPS = "memberships",
   MEMBERSHIP = "membership",
-  ORGANIZATION = "organization"
+  ORGANIZATION = "organization",
+  APPROVE_LOCATIONS = "approved-locations",
+  APPROVE_LOCATION = "approved-location"
+}
+
+export enum Authorizations {
+  CREATE = "create",
+  READ = "read",
+  UPDATE = "update",
+  DELETE = "delete",
+  INVITE_MEMBER = "invite-member",
+  IMPERSONATE = "impersonate"
 }

src/rest/auth.ts

@@ -11,9 +11,7 @@ import { createEmail, updateEmail, getEmail } from "../crud/email";
 import { mail } from "../helpers/mail";
 import {
   verifyToken,
-  loginToken,
   passwordResetToken,
-  refreshToken,
   getLoginResponse
 } from "../helpers/jwt";
 import { KeyValue, Locals } from "../interfaces/general";
@@ -24,16 +22,16 @@ import {
   MembershipRole,
   Templates,
   Tokens,
-  UserRole
+  Authorizations
 } from "../interfaces/enum";
 import { compare, hash } from "bcrypt";
-import { deleteSensitiveInfoUser } from "../helpers/utils";
 import { createMembership } from "../crud/membership";
 import {
   googleGetConnectionUrl,
   googleGetTokensFromCode,
   googleGetEmailFromToken
 } from "../helpers/google";
+import { can } from "../helpers/authorization";
 
 export const validateRefreshToken = async (token: string, locals: Locals) => {
   const data = <User>await verifyToken(token, Tokens.REFRESH);
@@ -152,15 +150,16 @@ export const impersonate = async (
   tokenUserId: number,
   impersonateUserId: number
 ) => {
-  const tokenUser = await getUser(tokenUserId);
-  if (tokenUser.role != UserRole.ADMIN)
-    throw new Error(ErrorCode.INSUFFICIENT_PERMISSION);
-  const user = await getUser(impersonateUserId);
-  if (!user.id) throw new Error(ErrorCode.USER_NOT_FOUND);
-  return {
-    token: await loginToken(deleteSensitiveInfoUser(user)),
-    refresh: await refreshToken(user.id)
-  };
+  if (
+    await can(
+      tokenUserId,
+      Authorizations.IMPERSONATE,
+      "user",
+      impersonateUserId
+    )
+  )
+    return await getLoginResponse(await getUser(impersonateUserId));
+  throw new Error(ErrorCode.INSUFFICIENT_PERMISSION);
 };
 
 export const approveLocation = async (token: string, locals: Locals) => {