mirror of
https://github.com/jambonz/jambonz-api-server.git
synced 2025-12-19 05:47:46 +00:00
4c935c7fda
* https://github.com/jambonz/jambonz-api-server/issues/371 Implemented view_only permission feature * calling prepare-permissions in create-test-db.js * check if there is only 1 permission and if it is VIEW_ONLY then consider user as read-only user * setting is_view_only flag for view user by userid
50 lines
1.3 KiB
JavaScript
50 lines
1.3 KiB
JavaScript
const logger = require('./logger');
|
|
const {UserPermissionError} = require('./utils/errors');
|
|
|
|
function delayLoginMiddleware(req, res, next) {
|
|
if (req.path.includes('/login') || req.path.includes('/signin')) {
|
|
const min = 200;
|
|
const max = 1000;
|
|
/* Random delay between 200 - 1000ms */
|
|
const sendStatusDelay = Math.floor(Math.random() * (max - min + 1)) + min;
|
|
|
|
/* the res.json take longer, we decrease the max delay slightly to 0-800ms */
|
|
const jsonDelay = Math.floor(Math.random() * 800);
|
|
logger.debug(`delayLoginMiddleware: sendStatus ${sendStatusDelay} - json ${jsonDelay}`);
|
|
const sendStatus = res.sendStatus;
|
|
const json = res.json;
|
|
|
|
res.sendStatus = function(status) {
|
|
setTimeout(() => {
|
|
sendStatus.call(res, status);
|
|
}, sendStatusDelay);
|
|
};
|
|
res.json = function(body) {
|
|
setTimeout(() => {
|
|
json.call(res, body);
|
|
}, jsonDelay);
|
|
};
|
|
}
|
|
next();
|
|
}
|
|
|
|
function verifyViewOnlyUser(req, res, next) {
|
|
// Skip check for GET requests
|
|
if (req.method === 'GET') {
|
|
return next();
|
|
}
|
|
// Check if user is read-only
|
|
if (req.user && !!req.user.is_view_only) {
|
|
const upError = new UserPermissionError('User has view-only access');
|
|
upError.status = 403;
|
|
throw upError;
|
|
}
|
|
|
|
next();
|
|
}
|
|
|
|
module.exports = {
|
|
delayLoginMiddleware,
|
|
verifyViewOnlyUser
|
|
};
|