hrms-bangkok/hrms-edm
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

chore: prevent accident auth bypass in production

Browse source
This commit is contained in:
Methapon2001 2023-12-11 20:34:41 +07:00
parent e0c60eb241
commit a401428fa3
No known key found for this signature in database
GPG key ID: 849924FEF46BD132
1 changed files with 8 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

15
Services/server/src/utils/auth.ts
View file

@ -28,7 +28,9 @@ export async function expressAuthentication(
securityName: string,
scopes?: string[],
) {
if (process.env.AUTH_BYPASS) return { preferred_username: "bypassed" };
if (process.env.NODE_ENV !== "production" && process.env.AUTH_BYPASS) {
return { preferred_username: "bypassed" };
}
if (securityName !== "bearerAuth") throw new Error("Unknown authentication method.");
@ -36,7 +38,7 @@ export async function expressAuthentication(
? request.headers["authorization"].split(" ")[1]
: null;
if (!token) throw new HttpError(HttpStatusCode.UNAUTHORIZED, "No token provided.");
if (!token) throw new HttpError(HttpStatusCode.UNAUTHORIZED, "ไม่พบข้อมูลสำหัรบบืนบันตัวตน");
let payload: JwtPayload = {};
@ -55,12 +57,11 @@ export async function expressAuthentication(
if (
scopes &&
scopes.length > 0 &&
scopes
.map((v) => (v === "management-role" ? process.env.MANAGEMENT_ROLE : v))
.every((v) => !payload.resource_access[payload.azp].roles.includes(v))
) {
throw new HttpError(HttpStatusCode.FORBIDDEN, "You are not allowed to perform this action.");
throw new HttpError(HttpStatusCode.FORBIDDEN, "คุณไม่มีสิทธิในเข้าถึงข้อมูลนี้");
}
return payload;
@ -68,7 +69,7 @@ export async function expressAuthentication(
async function verifyOffline(token: string) {
const payload = await jwtVerify(token).catch((_) => null);
if (!payload) throw new HttpError(HttpStatusCode.UNAUTHORIZED, "Invalid token provided.");
if (!payload) throw new HttpError(HttpStatusCode.UNAUTHORIZED, "ไม่สามารถยืนยันตัวตนได้");
return payload;
}
@ -77,8 +78,8 @@ async function verifyOnline(token: string) {
headers: { authorization: `Bearer ${token}` },
}).catch((e) => console.error(e));
if (!res) throw new Error("Cannot connect to auth service.");
if (!res.ok) throw new HttpError(HttpStatusCode.UNAUTHORIZED, "Invalid token provided.");
if (!res) throw new Error("ไม่สามารถเข้าถึงระบบยืนยันตัวตน");
if (!res.ok) throw new HttpError(HttpStatusCode.UNAUTHORIZED, "ไม่สามารถยืนยันตัวตนได้");
return await jwtDecode(token);
}