Better role management

2021-01-12 09:47:09 -04:00 · 2021-01-12 09:47:09 -04:00 · 14115749a8
commit 14115749a8
parent 8522abdca0
4 changed files with 49 additions and 62 deletions
--- a/server/src/classes/User.js
+++ b/server/src/classes/User.js
@ -1,4 +1,4 @@
-import { addSeconds, differenceInSeconds } from 'date-fns'
+import { addSeconds, differenceInSeconds, addHours } from 'date-fns'
 import { ad } from '../lib/activeDirectory'
 import prisma from '../prisma'
 import { Change, createClient } from 'ldapjs'
@ -330,7 +330,6 @@ class User {

      const jwtSecret = process.env.JWT_SECRET || 'a good secret'

-      // TODO: Add date-fns to calculate expiration
      const options = { expiresIn: process.env.JWT_EXPIRATION || '72h' }

      const token = jwt.sign(payload, jwtSecret, options)
@ -338,7 +337,8 @@ class User {
      return {
        user,
        token,
-        expiresIn: options.expiresIn
+        expiresIn: options.expiresIn,
+        expiresOn: addHours
      }
    } catch (e) {
      throw new Error(
--- a/server/src/lib/activeDirectory/index.js
+++ b/server/src/lib/activeDirectory/index.js
@ -1,7 +1,6 @@
 import { promiseWrapper as AD } from 'activedirectory2'
 import config from './config'

-// TODO: Refactor to instantiate in context creation function
 const ad = new AD(config)

 ad.checkBinding = async () => {
--- a/web/src/plugins/vue-apollo.js
+++ b/web/src/plugins/vue-apollo.js
@ -138,7 +138,7 @@ export async function getLoggedUser() {
        })
        return result.data.me
      } catch (e) {
-        console.log('Erro ao recuperar informações do usuário: ', e)
+        console.error('Erro ao recuperar informações do usuário: ', e)
        return null
      }

--- a/web/src/router/index.js
+++ b/web/src/router/index.js
@ -6,17 +6,20 @@ import { getLoggedUser } from '../plugins/vue-apollo'

 Vue.use(VueRouter)

+/*
+  Roles matching:
+  If a route has no meta.roles property it's considered public
+  If a route has a empty meta.roles array, only auth is required
+  And if meta.roles has items, user.roles should satisfy it.
+*/
+
 const routes = [
  {
    path: '/',
    name: 'home',
    component: Home,
    meta: {
-      noAuth: false,
-      superAdmin: false,
-      tokenCreator: false,
-      servant: false,
-      student: false,
+      roles: [],
      title: null
    }
  },
@ -24,7 +27,6 @@ const routes = [
    path: '/about',
    name: 'about',
    meta: {
-      noAuth: true,
      title: 'Sobre'
    },
    // route level code-splitting
@ -37,7 +39,6 @@ const routes = [
    path: '/login',
    name: 'login',
    meta: {
-      noAuth: true,
      layout: 'Simple',
      title: 'Login'
    },
@ -48,7 +49,8 @@ const routes = [
    path: '/update-password',
    name: 'update-password',
    meta: {
-      title: 'Atualizar minha senha'
+      title: 'Atualizar minha senha',
+      roles: []
    },
    component: () =>
      import(
@ -60,7 +62,7 @@ const routes = [
    name: 'user-info',
    meta: {
      title: 'Inspecionar usuário',
-      superAdmin: true
+      roles: ['superAdmin']
    },
    component: () =>
      import(/* webpackChunkName: "user-info" */ '../views/UserInfo.vue')
@ -70,7 +72,8 @@ const routes = [
    name: 'replace-password',
    meta: {
      title: 'Redefinir uma senha',
-      superAdmin: true
+
+      roles: ['superAdmin']
    },
    component: () =>
      import(
@ -81,7 +84,8 @@ const routes = [
    path: '/my-devices',
    name: 'my-devices',
    meta: {
-      title: 'Meus dispositivos'
+      title: 'Meus dispositivos',
+      roles: []
    },
    component: () =>
      import(/* webpackChunkName: "my-devices" */ '../views/MyDevices.vue')
@ -90,8 +94,8 @@ const routes = [
    path: '/create-token',
    name: 'create-token',
    meta: {
-      tokenCreator: true,
-      title: 'Criar um token'
+      title: 'Criar um token',
+      roles: ['tokenCreator']
    },
    component: () =>
      import(/* webpackChunkName: "create-token" */ '../views/CreateToken.vue')
@ -100,7 +104,6 @@ const routes = [
    path: '/use-token',
    name: 'use-token',
    meta: {
-      noAuth: true,
      layout: 'Simple',
      title: 'Token'
    },
@ -114,7 +117,7 @@ const routes = [
    meta: {
      layout: 'Simple',
      title: 'Imprimir token',
-      tokenCreator: true
+      roles: ['tokenCreator']
    },
    component: () =>
      import(/* webpackChunkName: "print-token" */ '../views/PrintToken.vue')
@ -125,7 +128,7 @@ const routes = [
    name: 'user-id',
    meta: {
      title: 'Crachá',
-      servant: true
+      roles: ['servant']
    },
    component: () =>
      import(/* webpackChunkName: "user-id" */ '../views/UserId.vue')
@ -147,7 +150,7 @@ const routes = [
    name: 'user-presence',
    meta: {
      title: 'No campus agora',
-      watcher: true
+      roles: ['watcher']
    },
    component: () =>
      import(
@ -160,7 +163,7 @@ const routes = [
    name: 'wifi-devices',
    meta: {
      title: 'Dispositivos Wi-Fi',
-      superAdmin: true
+      roles: ['superAdmin']
    },
    component: () =>
      import(/* webpackChunkName: "wifi-devices" */ '../views/WifiDevices.vue')
@ -171,7 +174,7 @@ const routes = [
    name: 'wifi-users',
    meta: {
      title: 'Usuários Wi-Fi',
-      superAdmin: true
+      roles: ['superAdmin']
    },
    component: () =>
      import(/* webpackChunkName: "wifi-users" */ '../views/WifiUsers.vue')
@ -182,7 +185,7 @@ const routes = [
    name: 'system-administration',
    meta: {
      title: 'Administração do sistema',
-      superAdmin: true
+      roles: ['superAdmin']
    },
    component: () =>
      import(
@ -212,46 +215,31 @@ function updateTitle(title) {

 router.beforeEach(async (to, from, next) => {
  updateTitle(to.meta.title)
-  const loggedUser = await getLoggedUser()

-  if (loggedUser && to.matched.some(record => record.name === 'login'))
-    next({ name: 'home' })
-  else {
-    if (to.matched.some(record => record.meta.noAuth)) next()
-    else {
-      if (!loggedUser)
-        next({
-          name: 'login',
-          params: {
-            next: to.fullPath,
-            message: 'Você precisa fazer login para entrar nesta página.'
-          }
-        })
-      else {
-        //TODO: improve user authorization
-        const doNotHaveAuthorization =
-          (to.matched.some(record => record.meta.superAdmin) &&
-            !loggedUser.isSuperAdmin) ||
-          (to.matched.some(record => record.meta.tokenCreator) &&
-            !loggedUser.isTokenCreator) ||
-          (to.matched.some(record => record.meta.servant) &&
-            !loggedUser.isServant) ||
-          (to.matched.some(record => record.meta.student) &&
-            !loggedUser.isStudent) ||
-          (to.matched.some(record => record.meta.watcher) &&
-            !loggedUser.isWatcher)
+  const auth = await getLoggedUser()

-        if (doNotHaveAuthorization)
-          next({
-            name: 'home',
-            params: {
-              message: 'Você não tem permissão para entrar nessa página.'
-            }
-          })
-        else next()
+  if (auth && to.name === 'login') next({ name: 'home' })
+  else if (!('roles' in to.meta)) next()
+  else if (!auth)
+    next({
+      name: 'login',
+      params: {
+        next: to.fullPath,
+        message: 'Você precisa fazer login para entrar nesta página.'
      }
-    }
-  }
+    })
+  else if (
+    !to.meta.roles.length ||
+    to.meta.roles.some(role => auth.roles.includes(role))
+  )
+    next()
+  else
+    next({
+      name: 'home',
+      params: {
+        message: 'Você não tem permissão para entrar na página solicitada.'
+      }
+    })
 })

 export default router