diff --git a/src/store/hookTokens.controller.ts b/src/store/hookTokens.controller.ts
index 3aa4228..97b188a 100644
--- a/src/store/hookTokens.controller.ts
+++ b/src/store/hookTokens.controller.ts
@@ -31,7 +31,7 @@ export class HookTonesController {
     await this.authService.checkRequest(request);
     const api = makeApiHeader(request);
     const {key} = request?.query ?? {};
-    return await this.storeService.findApiTokens(api, key);
+    return await this.storeService.findApiTokens(api, key, request.headers.authorization);
   }
 
   @Post()
@@ -51,7 +51,7 @@ export class HookTonesController {
     await this.authService.checkRequest(request);
     const api = makeApiHeader(request);
     const {key} = request?.query ?? {};
-    return await this.storeService.createApiToken(api, key, request?.body);
+    return await this.storeService.createApiToken(api, key, request?.body, request.headers.authorization);
   }
 
   @Delete()
@@ -70,7 +70,7 @@ export class HookTonesController {
     await this.authService.checkRequest(request);
     const api = makeApiHeader(request);
     const {key, id} = request?.query ?? {};
-    return await this.storeService.deleteApiToken(api, key, id);
+    return await this.storeService.deleteApiToken(api, key, id, request.headers.authorization);
   }
 
   @Options('')
diff --git a/src/store/store.service.ts b/src/store/store.service.ts
index 3b9711c..dbbb7b0 100644
--- a/src/store/store.service.ts
+++ b/src/store/store.service.ts
@@ -4,6 +4,7 @@ import {InjectConnection} from '@nestjs/mongoose';
 import {Store, StoreRequest, StoreSchema, HookToken, HookTokenResponse, HookTokenMap, RightType} from './store.schema';
 import {DB_TEST_NAME, DB_NAME, COLLECTION_STORE} from 'src/consts';
 import * as jwt from 'jsonwebtoken';
+import {access} from 'fs';
 
 interface Token {
   login: string;
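Review bot: `request.headers.authorization` is forwarded verbatim as the new `access_token` argument on the @Get line, and likewise in the @Post and @Delete hunks below, so unless `loadUserByToken` strips the scheme itself the service receives the whole `Bearer …` header value rather than the token; either strip it once in the controller or document on `loadUserByToken` that it expects the raw header. On a Nest request that header is typed as possibly undefined while the service signatures take `string`, so this only type-checks under `strictNullChecks` if `checkRequest` is relied on to have already rejected requests without it, which nothing here states. The `request?.query ?? {}` optional chaining on the line above also sits oddly next to an unguarded `request.headers`; since `checkRequest(request)` has already dereferenced it, dropping the `?.` would make the three handlers consistent. Consider having `checkRequest` return the validated token so the controller does not re-read the header at all.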
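Review bot: The added `import {access} from 'fs';` in store.service.ts is not referenced anywhere in this diff and looks like an editor auto-import triggered while typing the new `access_token` identifier; it should be removed. Leaving a Node `fs` binding in a request-handling service adds a dead dependency that `@typescript-eslint/no-unused-vars` will flag and that has no business in this module.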
@@ -203,19 +204,29 @@ export class StoreService {
     throw new NotFoundException(`Not found api key "${key}"`);
   }
 
-  async findApiTokens(api: string, key: string): Promise {
+  async findApiTokens(api: string, key: string, access_token: string): Promise {
     const searchStore = await this.storeModel(api).findOne({key});
+    if (searchStore) {
+      const user = await this.loadUserByToken(access_token);
+      if (user.is_admin || user.login === searchStore.author) {
+        return searchStore.hook_tokens?.map(prepareHook);
+      }
+      return [];
+    }
+    throw new NotFoundException(`Not found api key "${key}"`);
+  }
+
+  async createApiToken(api: string, key: string, hook: HookTokenMap, access_token: string): Promise {
+    const searchStore = await this.storeModel(api).findOne({key});
+    if (!searchStore) {
       throw new NotFoundException(`Not found api key "${key}"`);
     }
-    return searchStore.hook_tokens?.map(prepareHook);
-  }
 
-  async createApiToken(api: string, key: string, hook: HookTokenMap): Promise {
-    const searchStore = await this.storeModel(api).findOne({key});
+    const user = await this.loadUserByToken(access_token);
 
-    if (!searchStore) {
-      throw new NotFoundException(`Not found api key "${key}"`);
+    if (!user.is_admin && user.login !== searchStore.author) {
+      throw new BadRequestException(`You don't have access to "${key}"`);
     }
 
     const store = {
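Review bot: The new ownership check in `createApiToken` (and the identical one in `deleteApiToken` in the next hunk) reports an authorization failure as `BadRequestException`, i.e. a 400 client error; `ForbiddenException` from `@nestjs/common` is the matching status and keeps these refusals distinguishable from malformed input in logs and monitoring, so `throw new ForbiddenException(\`You don't have access to "${key}"\`);` with the class added to the existing `@nestjs/common` import if it is not already there. `findApiTokens` handles the same situation differently, returning `[]` for a non-owner but still throwing `NotFoundException` for an unknown key, so any caller with a valid token can tell whether a key exists; throwing the same forbidden error in all three methods makes the behaviour uniform and removes that difference. All three branches dereference `user.is_admin` directly, and if `loadUserByToken` (its body is outside this hunk) can resolve to `undefined` for an invalid or expired token that becomes an unhandled TypeError rather than a 401, so a guard such as `if (!user) throw new UnauthorizedException();` before the comparison is worth adding. Minor: the new `access_token` parameter is snake_case in an otherwise camelCase file; `accessToken` would match the surrounding names.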
@@ -246,13 +257,19 @@ export class StoreService {
     return prepareHook(newToken);
   }
 
-  async deleteApiToken(api: string, key: string, id: string): Promise {
+  async deleteApiToken(api: string, key: string, id: string, access_token: string): Promise {
     const searchStore = await this.storeModel(api).findOne({key});
 
     if (!searchStore) {
       throw new NotFoundException(`Not found api key "${key}"`);
     }
 
+    const user = await this.loadUserByToken(access_token);
+
+    if (!user.is_admin && user.login !== searchStore.author) {
+      throw new BadRequestException(`You don't have access to "${key}"`);
+    }
+
     const deleteToken = searchStore.hook_tokens?.find(token => token._id.toString() === id);
     if (!deleteToken) {