Merge pull request #6 from oas-tools/develop

Release 1.1.0

README.md

@@ -87,6 +87,7 @@ The configuration object can be provided through the `use` function like shown i
 |`roleBinding`			 | `String`            | Binds `role` to another attribute of the JWT		 |
 | `acl`      			 | `Object`            | Access control configuration      	        		 |
 | `acl.[schemeName]` 	 | `Object` or `String`| Permission declaration. Can be object or a file path|
+| `checkOwnership`    | `Function`           | Function that checks wether some resource is owned or not by the client |
 
 
 #### setting permission
@@ -148,6 +149,17 @@ parameters:
 
 Finally, in case no `role` is specified in the JWT payload, the middleware will assume an `anonymous` role that only has read access to those operations that doesn't include parameters of any type. This role can be overriden by configuration.
 
+#### Checking ownership
+The middleware can be configured to check wether a resource is owned by the client or not. This is done by providing a function that receives the JWT payload and the parameters name and value, to retur a boolean value. The function must be provided through `config.checkOwnership`
+
+```javascript
+    authCfg.checkOwnership = async (decoded, paramName, paramValue) => {
+      return await Actor.findOne({ [paramName]: paramValue }).then(actor => actor?.email === decoded?.email);
+    }
+```
+
+> **NOTE**: Bear in mind that the function MUST return a boolean value. Promises are suported, but you will need to wait for them to resolve by using `await` or `.then()`. If you don't return a boolean value, the middleware will assume that the resource is not owned by the client and will return `403 Forbidden`.
+
 ## Compatibility chart
 The following chart shows which versions of NodeJS are compatible with each of the contents inside this package.
 

middleware/bearerjwt.js

@@ -89,17 +89,30 @@ export class OASBearerJWT extends OASBase {
 
                 /* Check permissions for each param in request */
                 if(res.locals.oas.params && Object.keys(res.locals.oas.params).length > 0) {
-                  allowed = Object.entries(res.locals.oas.params).every(([paramName, paramValue]) => {
+                  allowed = await Promise.all(Object.entries(res.locals.oas.params).map(async ([paramName, paramValue]) => {
                     const paramDef = oasRequest.parameters.find((p) => p.name === paramName);
-                    const tokenParam = decoded[paramDef['x-acl-binding'] ?? paramName];
-                    const ownership = Array.isArray(tokenParam) && tokenParam.includes(paramValue) || tokenParam === paramValue; 
                     let permission = ac.can(role)[`${action}Any`](req.route.path);
 
-                    if (!permission.granted && !tokenParam) logger.warn(`Missing atribute ${paramDef['x-acl-binding'] ?? paramName} in JWT.`);
+                    let ownership = false;
+
+                    if (config.checkOwnership) { /* Checks ownership from external function */
+                      ownership = await config.checkOwnership(decoded, paramDef['x-acl-binding'] ?? paramName, paramValue);
+                    } else { /* Checks ownership from attributes in token */
+                      const tokenParam = decoded[paramDef['x-acl-binding'] ?? paramName];
+                      ownership = Array.isArray(tokenParam) && tokenParam.includes(paramValue) || tokenParam === paramValue; 
+                      if (!permission.granted && !tokenParam) logger.warn(`Missing atribute ${paramDef['x-acl-binding'] ?? paramName} in JWT.`);
+                    }
+
                     if (!permission.granted && ownership) permission = ac.can(role)[`${action}Own`](req.route.path);
 
                     return permission.granted;
+                  }))
+                  .then((results) => results.every((r) => r === true))
+                  .catch((err) => {
+                    logger.error("Unknown error while checking permissions", err); 
+                    return false; 
                   });
+
                 } else {
                   allowed = ac.can(role)[`${action}Any`](req.route.path).granted;
                 }

package.json

@@ -33,7 +33,7 @@
   "dependencies": {
     "@oas-tools/commons": "^1.0.0",
     "accesscontrol": "^2.2.1",
-    "jsonwebtoken": "^8.5.1",
+    "jsonwebtoken": "^9.0.0",
     "lodash": "^4.17.21"
   },
   "devDependencies": {
@@ -46,4 +46,4 @@
     "sinon": "^14.0.0"
   },
   "version": "1.0.1"
-}
+}