Update keys.js route

2025-01-08 09:00:10 -05:00 · 2018-08-01 18:57:45 -04:00 · 2018-08-01 18:57:45 -04:00 · cc788d10e4
commit cc788d10e4
parent 0ab946031e
2 changed files with 66 additions and 72 deletions
--- a/app/routes/api/keys.js
+++ b/app/routes/api/keys.js
@ -1,87 +1,78 @@
-var express = require('express');
+const express = require('express');
-var router = express.Router();
+const router = express.Router();
-var crypto = require('crypto');
+const config = require('config');
 const crypto = require('crypto');
-var User = require('../../models/User.js');
+const ModelPath = '../../models/';
-var Key = require('../../models/Key.js');
+const Key = require(ModelPath + 'Key.js');
-var requireScope = function (perm) {
+const wrap = require('../../util/wrap');
-    return function(req, res, next) {
+const bodyVerifier = require('../../util/verifyBody').bodyVerifier;
-        User.findOne({username: req.session.passport.user}, function(err, user) {
+const verifyScope = require('../../util/verifyScope');
-            if (err) throw err;
+const requireAuth = require('../../util/auth').requireAuth;
            if (user.scope.indexOf(perm) === -1)
                res.status(400).json({'message': 'No permission.'});
            else
                next();
        });
    }
 };
-router.post('/create', requireScope('api.create'), function (req, res) {
+const createParams = [
-    if (!req.body.identifier || !req.body.scope) {
+    {name: 'identifier', type: 'string', sanitize: true},
-        res.status(400).json({'message': 'Bad request.'});
+    {name: 'scope', instance: Array}];
-        return;
+router.post('/create', requireAuth('key.create'), bodyVerifier(createParams), wrap(async (req, res) => {
-    }
+    const keyCount = await Key.countDocuments({username: req.username});
    if (keyCount >= config.get('Key.limit'))
        return res.status(403).json({message: 'Key limit reached.'});
-    Key.count({'username': req.session.passport.user}, function (err, count) {
+    const scope = req.body.scope;
-        if (count >= 10) {
+    if (!scope.every(scope => verifyScope(req.scope, scope)))
-            res.status(403).json({'message': 'Key limit reached.'});
+        return res.status(403).json({message: 'Requested scope exceeds own scope.'});
            return;
        }
-        var scope;
+    const key = {
-        try {
+        key: await crypto.randomBytes(32).toString('hex'),
-            scope = JSON.parse(req.body.scope);
+        identifier: req.body.identifier,
        } catch (e) {
            res.status(500).json({'message': e.name + ': ' + e.message});
            return;
        }
        var id = req.sanitize(req.body.identifier);
        if (id.length === 0) id = "err";
        var entry = {
            key: crypto.randomBytes(32).toString('hex'),
            identifier: id,
        scope: scope,
-            username: req.session.passport.user,
+        issuer: req.username,
        date: Date.now()
    };
-        Key.create(entry, function (err) {
+    await Key.create(key);
            if (err) {
                throw err;
            } else {
                res.status(200).json({
                    key: entry.key,
                    identifier: entry.identifier,
                    scope: entry.scope
                });
            }
        })
    })
 });
-router.get('/get', function (req, res, next) {
+    res.status(200).json({
-    var query = {username: req.session.passport.user};
+        message: 'Key created.',
        key: key.key
    });
 }));
 const getProps = [
    {name: 'identifier', type: 'string', optional: true},
    {name: 'issuer', type: 'string', optional: true}];
 router.get('/get', requireAuth('key.get'), bodyVerifier(getProps), wrap(async (req, res) => {
    let query = {};
    if (req.body.identifier)
        query.identifier = req.body.identifier;
-    Key.find(query, function (err, keys) {
+    if (!verifyScope(req.scope, 'key.get.others'))
-        if (err) {
+        query.issuer = req.username;
-            next(err);
+    else if (req.body.issuer)
-        } else {
+        query.issuer = req.body.issuer;
            res.status(200).json(keys);
        }
    })
 });
-router.post('/delete', requireScope('api.delete'), function(req, res, next) {
+    const keys = await Key.find(query);
-    Key.deleteOne({key: req.body.key}, function(err) {
+
-        if (err) next(err);
+    res.status(200).json(keys);
-        else res.status(200).json({'message': 'Successfully deleted.'});
+}));
-    });
+
-});
+const deleteProps = [{name: 'key', type: 'string'}, {name: 'issuer', type: 'string', optional: true}];
 router.post('/delete', requireAuth('key.delete'), bodyVerifier(deleteProps), wrap(async (req, res) => {
    let query = {key : req.body.key};
    if (!verifyScope(req.scope, 'key.delete.others'))
        query.issuer = req.username;
    else if (req.body.issuer)
        query.issuer = req.body.issuer;
    const key = await Key.findOne(query);
    if (!key)
        return res.status(422).json({message: 'Key not found.'});
    await Key.deleteOne({_id: key._id});
    res.status(200).json({message: 'Key deleted.'});
 }));
 module.exports = router;
--- a/config/default.json
+++ b/config/default.json
@ -28,6 +28,9 @@
      "hashIterations": 25000
    }
  },
  "Key": {
    "limit": 5
  },
  "Log": {
    "httpLevel": "combined"
  }