feat(plugins/auth): add assertAuthorization for simple authorizatio…

…n based on user, req, and ctx
netzo · May 21, 2024 · 0861d1a · 0861d1a
1 parent 7dcd8c3
commit 0861d1a
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 10 deletions.
diff --git a/lib/plugins/auth/middlewares/mod.ts b/lib/plugins/auth/middlewares/mod.ts
@@ -1,10 +1,11 @@
 import type { FreshContext } from "$fresh/server.ts";
-import { AuthState } from "netzo/plugins/auth/plugin.ts";
 import { getSessionId } from "../../../deps/deno_kv_oauth/mod.ts";
 import type { NetzoState } from "../../../mod.ts";
+import { AuthConfig, AuthState } from "../plugin.ts";
 import { createDatastoreAuth } from "../utils/adapters/datastore.ts";
+import { getFunctionsByProvider } from "../utils/providers/mod.ts";
 
-type NetzoStateWithAuth = NetzoState & {
+export type NetzoStateWithAuth = NetzoState & {
   auth: AuthState;
 };
 
@@ -54,7 +55,7 @@ export async function setSessionState(
   return await ctx.next(); // C) authenticated
 }
 
-export async function assertUserIsWorkspaceUserOfWorkspaceOfApiKeyIfProviderIsNetzo(
+export async function assertUserIsMemberOfWorkspaceOfApiKeyIfProviderIsNetzo(
   req: Request,
   ctx: FreshContext<NetzoStateWithAuth>,
 ) {
@@ -90,6 +91,33 @@ export async function assertUserIsWorkspaceUserOfWorkspaceOfApiKeyIfProviderIsNe
   return await ctx.next();
 }
 
+export function createAssertUserIsAuthorized(config: AuthConfig) {
+  return async (req: Request, ctx: FreshContext<NetzoStateWithAuth>) => {
+    if (skip(req, ctx)) return await ctx.next();
+
+    if (ctx.url.pathname.startsWith("/auth")) return await ctx.next(); // skip auth route
+
+    const { sessionUser } = ctx.state.auth ?? {};
+
+    if (sessionUser) {
+      try {
+        await config?.assertAuthorization?.(sessionUser, req, ctx);
+        ctx.url.searchParams.delete("error");
+      } catch (e: Error | unknown) {
+        const [_, __, signOut] = getFunctionsByProvider(sessionUser.provider);
+        await signOut(req);
+        const { message = "You are not authorized to sign in." } = e as Error;
+        return new Response("", {
+          status: 307,
+          headers: { Location: `/auth?error=${message}` },
+        }); // redirect to relative path
+      }
+    }
+
+    return await ctx.next();
+  };
+}
+
 export async function setRequestState(
   req: Request,
   ctx: FreshContext<NetzoStateWithAuth>,

diff --git a/lib/plugins/auth/plugin.ts b/lib/plugins/auth/plugin.ts
@@ -1,9 +1,11 @@
-import type { Plugin, PluginRoute } from "$fresh/server.ts";
+import type { FreshContext, Plugin, PluginRoute } from "$fresh/server.ts";
 import type { OAuth2ClientConfig } from "../../deps/oauth2_client/src/oauth2_client.ts";
 import type { NetzoState } from "../../mod.ts";
 import {
-  assertUserIsWorkspaceUserOfWorkspaceOfApiKeyIfProviderIsNetzo,
+  assertUserIsMemberOfWorkspaceOfApiKeyIfProviderIsNetzo,
+  createAssertUserIsAuthorized,
   ensureSignedIn,
+  NetzoStateWithAuth,
   setAuthState,
   setRequestState,
   setSessionState,
@@ -38,6 +40,15 @@ export type AuthConfig = {
     auth0?: OAuth2ClientConfig;
     okta?: OAuth2ClientConfig;
   };
+  /** A function to check if a user is authorized to sign in. The function should
+   * throw an Error with an optional error message if not authorized.
+   * @example throw new Error("User is not authorized to sign in.");
+   */
+  assertAuthorization?: (
+    user: AuthUser,
+    req: Request,
+    ctx: FreshContext<NetzoStateWithAuth>,
+  ) => Error | unknown;
 };
 
 export type AuthState = Auth & {
@@ -85,6 +96,7 @@ export const auth = (config: AuthConfig): Plugin<NetzoState> => {
   config.description ??= "Sign in to access the app";
   config.caption ??= ""; // e.g. 'By signing in you agree to the <a href="/" target="_blank">Terms of Service</a>';
   config.providers ??= {};
+  config.assertAuthorization ??= () => true;
 
   const authRoutes: PluginRoute[] = [
     { path: "/auth", component: createAuth(config) },
@@ -109,10 +121,13 @@ export const auth = (config: AuthConfig): Plugin<NetzoState> => {
       {
         path: "/",
         middleware: {
-          handler:
-            assertUserIsWorkspaceUserOfWorkspaceOfApiKeyIfProviderIsNetzo,
+          handler: assertUserIsMemberOfWorkspaceOfApiKeyIfProviderIsNetzo,
         },
       },
+      {
+        path: "/",
+        middleware: { handler: createAssertUserIsAuthorized(config) },
+      },
       {
         path: "/",
         middleware: { handler: setRequestState },

diff --git a/lib/plugins/auth/utils/providers/netzo.handle_callback.ts b/lib/plugins/auth/utils/providers/netzo.handle_callback.ts
@@ -2,11 +2,11 @@
 import { getCookies, setCookie } from "../../../../deps/deno_kv_oauth/deps.ts";
 import {
   COOKIE_BASE,
-  OAUTH_COOKIE_NAME,
-  SITE_COOKIE_NAME,
   getCookieName,
   isHttps,
+  OAUTH_COOKIE_NAME,
   redirect,
+  SITE_COOKIE_NAME,
 } from "../../../../deps/deno_kv_oauth/lib/_http.ts";
 import { getAndDeleteOAuthSession } from "../../../../deps/deno_kv_oauth/lib/_kv.ts";
 import { handleCallback } from "../../../../deps/deno_kv_oauth/mod.ts";

diff --git a/lib/plugins/auth/utils/providers/netzo.sign_in.ts b/lib/plugins/auth/utils/providers/netzo.sign_in.ts
@@ -6,10 +6,10 @@ import {
 } from "../../../../deps/deno_kv_oauth/deps.ts";
 import {
   COOKIE_BASE,
-  OAUTH_COOKIE_NAME,
   getCookieName,
   getSuccessUrl,
   isHttps,
+  OAUTH_COOKIE_NAME,
   redirect,
 } from "../../../../deps/deno_kv_oauth/lib/_http.ts";
 import { setOAuthSession } from "../../../../deps/deno_kv_oauth/lib/_kv.ts";