This repository has been archived by the owner on Apr 19, 2023. It is now read-only.

🐛 Remove unauthorized scopes from API keys
AnandChowdhary committed Nov 17, 2020
1 parent 885ce27 commit d1e7c65
Showing 3 changed files with 45 additions and 4 deletions.
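--- a/src/modules/api-keys/api-keys.service.ts
+++ b/src/modules/api-keys/api-keys.service.ts
@@ -279,6 +279,31 @@ export class ApiKeysService {
 return this.getApiLogsFromKey(testApiKey.apiKey, params);
 }
 
+/**
+* Remove any unauthorized scopes in an API key for a user
+* This should run when a user's permissions have changed, for example
+* if they are removed from a group; this will remove any API scopes
+* they don't have access to anymore from that API key
+*/
+async removeUnauthorizedScopesForUser(userId: number): Promise<void> {
+const userApiKeys = await this.prisma.apiKeys.findMany({
+where: { user: { id: userId } },
+});
+if (!userApiKeys.length) return;
+const scopesAllowed = await this.getApiKeyScopesForUser(userId);
+for await (const apiKey of userApiKeys) {
+const currentScopes = (apiKey.scopes ?? []) as string[];
+const newScopes = currentScopes.filter((i) =>
+Object.keys(scopesAllowed).includes(i),
+);
+if (currentScopes.length !== newScopes.length)
+this.prisma.apiKeys.update({
+where: { id: apiKey.id },
+data: { scopes: newScopes },
+});
+}
+}
+
 private async getApiLogsFromKey(
 apiKey: string,
 params: {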
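Review bot: The `this.prisma.apiKeys.update({ ... })` call inside the loop of `removeUnauthorizedScopesForUser` is neither awaited nor returned, and Prisma client queries are lazy thenables that are only sent once awaited or chained, so as written the scope removal most likely never reaches the database and revoked scopes stay on the key. Change it to `await this.prisma.apiKeys.update({` so the method resolves only after every key is rewritten and a failed write rejects to the caller. `for await` over the already-resolved `userApiKeys` array can be a plain `for...of`, and `Object.keys(scopesAllowed)` can be computed once before the loop. A test that removes a membership and asserts the stored `scopes` shrink would catch this.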
14 changes: 11 additions & 3 deletions src/modules/memberships/memberships.module.ts
@@ -1,15 +1,23 @@
import { Module } from '@nestjs/common';
import { ConfigModule } from '@nestjs/config';
import { AuthModule } from '../auth/auth.module';
import { MailModule } from '../../providers/mail/mail.module';
import { PrismaModule } from '../../providers/prisma/prisma.module';
import { ApiKeysModule } from '../api-keys/api-keys.module';
import { AuthModule } from '../auth/auth.module';
import { GroupsModule } from '../groups/groups.module';
import { GroupMembershipController } from './memberships-group.controller';
import { UserMembershipController } from './memberships-user.controller';
import { MembershipsService } from './memberships.service';
import { GroupsModule } from '../groups/groups.module';

@Module({
imports: [PrismaModule, MailModule, ConfigModule, AuthModule, GroupsModule],
imports: [
PrismaModule,
MailModule,
ConfigModule,
AuthModule,
GroupsModule,
ApiKeysModule,
],
controllers: [UserMembershipController, GroupMembershipController],
providers: [MembershipsService],
})
10 changes: 9 additions & 1 deletion src/modules/memberships/memberships.service.ts
Expand Up @@ -25,6 +25,7 @@ import { safeEmail } from '../../helpers/safe-email';
import { MailService } from '../../providers/mail/mail.service';
import { Expose } from '../../providers/prisma/prisma.interface';
import { PrismaService } from '../../providers/prisma/prisma.service';
import { ApiKeysService } from '../api-keys/api-keys.service';
import { AuthService } from '../auth/auth.service';
import { GroupsService } from '../groups/groups.service';
import { CreateMembershipInput } from './memberships.interface';
Expand All @@ -37,6 +38,7 @@ export class MembershipsService {
private email: MailService,
private configService: ConfigService,
private groupsService: GroupsService,
private apiKeyService: ApiKeysService,
) {}

async getMemberships(params: {
Expand Down Expand Up @@ -100,6 +102,7 @@ export class MembershipsService {
const membership = await this.prisma.memberships.delete({
where: { id },
});
await this.apiKeyService.removeUnauthorizedScopesForUser(userId);
return this.prisma.expose<memberships>(membership);
}

Expand Down Expand Up @@ -128,6 +131,9 @@ export class MembershipsService {
data,
include: { user: true },
});
await this.apiKeyService.removeUnauthorizedScopesForUser(
testMembership.userId,
);
return this.prisma.expose<memberships>(membership);
}

Expand All @@ -146,9 +152,11 @@ export class MembershipsService {
where: { id },
include: { user: true },
});
await this.apiKeyService.removeUnauthorizedScopesForUser(
testMembership.userId,
);
return this.prisma.expose<memberships>(membership);
}

async createUserMembership(userId: number, data: groupsCreateInput) {
const created = await this.groupsService.createGroup(userId, data);
return created.memberships[0];
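Review bot: In the last hunk the scope cleanup runs only after `this.prisma.memberships.delete` has already completed and nothing shown ties the two together in a transaction, so if `removeUnauthorizedScopesForUser` rejects, the membership is gone, the caller receives an error, and the user's API keys keep the old scopes with no retry visible here; the same ordering applies to the `-100,6` and `-128,6` hunks. Consider catching and logging the cleanup failure separately or moving it into a retryable job, and document the dependency with a comment such as `// Re-derive API key scopes after every membership change; a failure here leaves stale scopes on the user's keys`. The enclosing methods start outside the hunks, so whether `userId` and `testMembership.userId` always identify the owner of the affected membership cannot be confirmed from this page.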
