more auth tests
@@ -1,6 +1,7 @@
|
||||
const router = require('express').Router();
|
||||
const {DbErrorBadRequest} = require('../../utils/errors');
|
||||
const ApiKey = require('../../models/api-key');
|
||||
const Account = require('../../models/account');
|
||||
const decorate = require('./decorate');
|
||||
const uuidv4 = require('uuid/v4');
|
||||
const assert = require('assert');
|
||||
@@ -10,17 +11,32 @@ const preconditions = {
|
||||
'delete': validateDeleteToken
|
||||
};
|
||||
|
||||
function validateAddToken(req) {
|
||||
async function validateAddToken(req) {
|
||||
req.body.token = uuidv4();
|
||||
|
||||
if (req.user.hasAdminAuth) return;
|
||||
if (req.user.hasServiceProviderAuth) {
|
||||
if (!req.body.service_provider_sid && !req.body.account_sid) {
|
||||
throw new DbErrorBadRequest('service provider token may not be used to create admin token');
|
||||
}
|
||||
else if (req.body.service_provider_sid && req.body.service_provider_sid !== req.user.service_provider_sid) {
|
||||
throw new DbErrorBadRequest(
|
||||
'a service provider token can only be used to create tokens for the same service provider');
|
||||
}
|
||||
else if (req.body.account_sid) {
|
||||
const result = await Account.retrieve(req.body.account_sid);
|
||||
if (result.length === 1 && result[0].service_provider_sid != req.user.service_provider_sid) {
|
||||
throw new DbErrorBadRequest(
|
||||
'a service provider token can only be used to create tokens for the same service provider');
|
||||
}
|
||||
}
|
||||
if (req.body.account_sid) delete req.body.service_provider_sid;
|
||||
else req.body.service_provider_sid = req.user.service_provider_sid;
|
||||
}
|
||||
if (req.user.hasAccountAuth) {
|
||||
if (req.body.account_sid !== req.user.account_sid) {
|
||||
throw new DbErrorBadRequest('an account level token may not be used to create a token for a different account');
|
||||
throw new DbErrorBadRequest(
|
||||
'an account level token can only be used to create account level tokens for the same account');
|
||||
}
|
||||
delete req.body['service_provider_sid'];
|
||||
req.body['account_sid'] = req.user.account_sid;
|
||||
|
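Review bot: The new service-provider ownership check on `if (result.length === 1 && result[0].service_provider_sid != req.user.service_provider_sid)` fails open when the account lookup returns no row: an unknown or mistyped `account_sid` skips the throw, `service_provider_sid` is then deleted on the next branch, and the request proceeds as if the account belonged to the caller. An authorization check should fail closed, so the condition should read `if (result.length !== 1 || result[0].service_provider_sid !== req.user.service_provider_sid) {`, which also replaces the loose `!=` with the strict comparison the sibling branch on `req.body.service_provider_sid !== req.user.service_provider_sid` already uses. A database constraint may reject a non-existent account later, but that is inferred and not something the route should rely on. The body of `validateAddToken` continues past the end of this hunk, so its closing brace and any further checks are not visible here.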
||||