feat(apis): review route and security ✨

close #5

modules/apis/controllers/apis.controller.js

@@ -15,7 +15,7 @@ const ApisService = require('../services/apis.service');
  */
 exports.list = async (req, res) => {
   try {
-    const apis = await ApisService.list();
+    const apis = await ApisService.list(req.user);
     responses.success(res, 'api list')(apis);
   } catch (err) {
     responses.error(res, 422, 'Unprocessable Entity', errors.getMessage(err))(err);
@@ -151,6 +151,7 @@ exports.apiByID = async (req, res, next, id) => {
     if (!api) responses.error(res, 404, 'Not Found', 'No Api with that identifier has been found')();
     else {
       req.api = api;
+      req.isOwner = api.user;
       next();
     }
   } catch (err) {

modules/apis/policies/apis.policy.js

@@ -13,19 +13,19 @@ exports.invokeRolesPolicies = () => {
     roles: ['user'],
     allows: [{
       resources: '/api/apis',
-      permissions: '*',
+      permissions: ['get', 'post'],
     }, {
       resources: '/api/apis/:apiId',
-      permissions: '*',
+      permissions: ['get', 'put', 'delete'],
     }, {
       resources: '/api/apis/load/:apiId',
-      permissions: '*',
+      permissions: ['get'],
     }, {
       resources: '/api/apis/data/:apiId',
-      permissions: '*',
+      permissions: ['get', 'post'],
     }, {
       resources: '/api/apis/aggregate/:apiId',
-      permissions: '*',
+      permissions: ['post'],
     }],
   }]);
 };

modules/apis/repositories/apis.repository.js

@@ -17,7 +17,7 @@ const defaultPopulate = [{
  * @desc Function to get all api in db
  * @return {Array} All apis
  */
-exports.list = () => Api.find().select('-history').sort('-createdAt').exec();
+exports.list = (user) => Api.find({ user: user._id }).select('-history').sort('-createdAt').exec();
 
 /**
  * @desc Function to create a api in db

modules/apis/routes/apis.routes.js

@@ -14,24 +14,24 @@ const apisSchema = require('../models/apis.schema');
  */
 module.exports = (app) => {
   // list & post
-  app.route('/api/apis')
+  app.route('/api/apis').all(passport.authenticate('jwt'), policy.isAllowed)
     .get(apis.list) // list
-    .post(passport.authenticate('jwt'), policy.isAllowed, model.isValid(apisSchema.Api), apis.create); // create
+    .post(model.isValid(apisSchema.Api), apis.create); // create
 
   // classic crud
-  app.route('/api/apis/:apiId').all(passport.authenticate('jwt'), policy.isAllowed)
+  app.route('/api/apis/:apiId').all(passport.authenticate('jwt'), policy.isOwner, policy.isAllowed)
     .get(apis.get) // get
     .put(model.isValid(apisSchema.Api), apis.update) // update
     .delete(model.isValid(apisSchema.Api), apis.delete); // delete
 
-  app.route('/api/apis/load/:apiId')
+  app.route('/api/apis/load/:apiId').all(passport.authenticate('jwt'), policy.isOwner, policy.isAllowed)
     .get(apis.load);
 
-  app.route('/api/apis/data/:apiId')
+  app.route('/api/apis/data/:apiId').all(passport.authenticate('jwt'), policy.isOwner, policy.isAllowed)
     .get(apis.listApi)
     .post(apis.getApi);
 
-  app.route('/api/apis/aggregate/:apiId')
+  app.route('/api/apis/aggregate/:apiId').all(passport.authenticate('jwt'), policy.isOwner, policy.isAllowed)
     .post(apis.getAggregateApi);
 
   // Finish by binding the api middleware

modules/apis/services/apis.service.js

@@ -19,8 +19,8 @@ const HistoryRepository = require('../repositories/history.repository');
  * @desc Function to get all api in db
  * @return {Promise} All apis
  */
-exports.list = async () => {
-  const result = await ApisRepository.list();
+exports.list = async (user) => {
+  const result = await ApisRepository.list(user);
   return Promise.resolve(result);
 };