fix(core): Skip auth for controllers/routes that don't use the Authorized decorator, or use Authorized('none') (#6106)

This commit is contained in:
कारतोफ्फेलस्क्रिप्ट™ 2023-04-27 10:51:55 +00:00 committed by GitHub
parent 3e9ecd9397
commit 59aee2270b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 5 deletions


@ -32,6 +32,11 @@ export const createAuthMiddleware =
res.status(403).json({ status: 'error', message: 'Unauthorized' });
};
const authFreeRoutes: string[] = [];
export const canSkipAuth = (method: string, path: string): boolean =>
authFreeRoutes.includes(`${method.toLowerCase()} ${path}`);
export const registerController = (app: Application, config: Config, controller: object) => {
const controllerClass = controller.constructor;
const controllerBasePath = Reflect.getMetadata(CONTROLLER_BASE_PATH, controllerClass) as
@ -69,6 +74,7 @@ export const registerController = (app: Application, config: Config, controller:
(controller as Controller)[handlerName](req, res),
),
);
if (!authRole || authRole === 'none') authFreeRoutes.push(`${method} ${prefix}${path}`);
});
app.use(prefix, router);
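Review bot: `canSkipAuth` compares the concrete `req.path` against the literal string stored at the `authFreeRoutes.push` line, so if `path` here is the Express route pattern from the decorator, any public route containing a parameter segment (e.g. `/:id`), or a request arriving with a trailing slash or different letter case, never matches and stays behind authentication — that fails closed, which is the safe direction, but it silently breaks routes the commit presumably means to open up. The push also stores `method` as-is while the lookup lowercases `req.method`, so unless the decorator metadata is already lowercase (not visible in this hunk) nothing will match; normalizing at registration, `authFreeRoutes.push(`${method.toLowerCase()} ${prefix}${path}`);`, removes that hidden dependency. Separately, `!authRole` makes a missing `@Authorized` decorator equivalent to `Authorized('none')`, i.e. forgetting the decorator yields an unauthenticated route; if that default is deliberate per the commit title, a comment such as `// NOTE: handlers without @Authorized are public by design; prefer an explicit @Authorized('none')` next to the push would stop the next maintainer from reading it as an oversight. The enclosing `registerController` body, including where `authRole`, `method` and `path` are derived, continues outside this hunk.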


@ -12,6 +12,7 @@ import { AUTH_COOKIE_NAME, EDITOR_UI_DIST_DIR } from '@/constants';
import { issueCookie, resolveJwtContent } from '@/auth/jwt';
import { isUserManagementEnabled } from '@/UserManagement/UserManagementHelper';
import type { UserRepository } from '@db/repositories';
import { canSkipAuth } from '@/decorators/registerController';
const jwtFromRequest = (req: Request) => {
// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
@ -90,14 +91,10 @@ export const setupAuthMiddlewares = (
// skip authentication for preflight requests
req.method === 'OPTIONS' ||
staticAssets.includes(req.url.slice(1)) ||
canSkipAuth(req.method, req.path) ||
isAuthExcluded(req.url, ignoredEndpoints) ||
req.url.startsWith(`/${restEndpoint}/settings`) ||
req.url.startsWith(`/${restEndpoint}/login`) ||
req.url.startsWith(`/${restEndpoint}/resolve-signup-token`) ||
isPostUsersId(req, restEndpoint) ||
req.url.startsWith(`/${restEndpoint}/forgot-password`) ||
req.url.startsWith(`/${restEndpoint}/resolve-password-token`) ||
req.url.startsWith(`/${restEndpoint}/change-password`) ||
req.url.startsWith(`/${restEndpoint}/oauth2-credential/callback`) ||
req.url.startsWith(`/${restEndpoint}/oauth1-credential/callback`)
) {
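Review bot: The new `canSkipAuth(req.method, req.path)` line is an exact-match check, whereas every surviving `req.url.startsWith(...)` entry below it is a prefix match (`/${restEndpoint}/settings` also admits `/rest/settings-anything`), so the skip list now mixes two semantics and anyone migrating the remaining hard-coded prefixes to `@Authorized('none')` will narrow them without noticing; a one-line comment above the new check, `// exact method+path match against routes registered without @Authorized or with Authorized('none')`, would make that visible. Note also that `req.path` is relative to the middleware's mount point, so this only lines up with the `${prefix}${path}` strings registered in `registerController` if `setupAuthMiddlewares` is attached at the application root — which cannot be confirmed from this hunk. The `if (` this condition belongs to opens before the hunk and the handler body continues after it.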