diff --git a/backend/src/auth/ROLES.ts b/backend/src/auth/ROLES.ts
index 3650ca7da..ef6746059 100644
--- a/backend/src/auth/ROLES.ts
+++ b/backend/src/auth/ROLES.ts
@@ -2,23 +2,23 @@ import { INALIENABLE_RIGHTS } from './INALIENABLE_RIGHTS'
 import { RIGHTS } from './RIGHTS'
 import { Role } from './Role'
+export const ROLE_UNAUTHORIZED = new Role('unauthorized', INALIENABLE_RIGHTS)
+export const ROLE_USER = new Role('user', [
+ ...INALIENABLE_RIGHTS,
+ RIGHTS.BALANCE,
+ RIGHTS.LIST_GDT_ENTRIES,
+ RIGHTS.EXIST_PID,
+ RIGHTS.GET_KLICKTIPP_USER,
+ RIGHTS.GET_KLICKTIPP_TAG_MAP,
+ RIGHTS.UNSUBSCRIBE_NEWSLETTER,
+ RIGHTS.SUBSCRIBE_NEWSLETTER,
+ RIGHTS.TRANSACTION_LIST,
+ RIGHTS.SEND_COINS,
+ RIGHTS.LOGOUT,
+ RIGHTS.UPDATE_USER_INFOS,
+ RIGHTS.HAS_ELOPAGE,
+])
+export const ROLE_ADMIN = new Role('admin', Object.values(RIGHTS)) // all rights
+
 // TODO from database
-export const ROLES = [
- new Role('unauthorized', INALIENABLE_RIGHTS), // inalienable rights
- new Role('user', [
- ...INALIENABLE_RIGHTS,
- RIGHTS.BALANCE,
- RIGHTS.LIST_GDT_ENTRIES,
- RIGHTS.EXIST_PID,
- RIGHTS.GET_KLICKTIPP_USER,
- RIGHTS.GET_KLICKTIPP_TAG_MAP,
- RIGHTS.UNSUBSCRIBE_NEWSLETTER,
- RIGHTS.SUBSCRIBE_NEWSLETTER,
- RIGHTS.TRANSACTION_LIST,
- RIGHTS.SEND_COINS,
- RIGHTS.LOGOUT,
- RIGHTS.UPDATE_USER_INFOS,
- RIGHTS.HAS_ELOPAGE,
- ]),
- new Role('admin', Object.values(RIGHTS)), // all rights
-]
+export const ROLES = [ROLE_UNAUTHORIZED, ROLE_USER, ROLE_ADMIN]
diff --git a/backend/src/auth/Role.ts b/backend/src/auth/Role.ts
index 8e2cc7deb..a2f13ec20 100644
--- a/backend/src/auth/Role.ts
+++ b/backend/src/auth/Role.ts
@@ -8,4 +8,8 @@ export class Role {
 this.id = id
 this.rights = rights
 }
+
+ hasRight = (right: RIGHTS): boolean => {
+ return this.rights.includes(right)
+ }
 }
diff --git a/backend/src/auth/hasRight.ts b/backend/src/auth/hasRight.ts
deleted file mode 100644
index 3f736fb6f..000000000
--- a/backend/src/auth/hasRight.ts
+++ /dev/null
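Review bot: The three new role constants and the `ROLES` array are module-level singletons that every request shares (the `isAuthorized` hunks assign them directly to `context.role`), yet nothing in this hunk stops a caller from mutating them — a stray `context.role.rights.push(...)` in any resolver would grant that right to every later request in the process. Consider `export const ROLES: readonly Role[] = [ROLE_UNAUTHORIZED, ROLE_USER, ROLE_ADMIN]` here and declaring `rights` as `readonly RIGHTS[]` on `Role` (its field declaration is outside the `Role.ts` hunk), or `Object.freeze` on the arrays if a runtime guarantee is wanted. `Object.values(RIGHTS)` for `ROLE_ADMIN` is only the full set of rights if `RIGHTS` is a string enum or a const object; with a numeric enum it would also include the reverse-mapped names, which `includes` would merely ignore — worth a one-line comment stating which it is, since the admin role is defined by it.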
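Review bot: `hasRight` is declared as an arrow-function class field, so every `Role` instance carries its own closure and the method does not live on the prototype; the conventional form is a plain method, `hasRight(right: RIGHTS): boolean { return this.rights.includes(right) }`, which behaves the same for the call sites this commit introduces. It also lacks documentation; a TSDoc such as `/** True when this role carries `right`. Rights not in the list are absent, so unknown or misspelled rights are denied. */` records the fail-closed contract that `isAuthorized` depends on. The `class Role` header, the `rights` field declaration and the `RIGHTS` import are all outside the hunk, so I am assuming `rights` is typed `RIGHTS[]` and `RIGHTS` is already imported in this file.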
@@ -1,6 +0,0 @@
-import { RIGHTS } from './RIGHTS'
-import { Role } from './Role'
-
-export const hasRight = (right: RIGHTS, role: Role): boolean => {
- return role.rights.includes(right)
-}
diff --git a/backend/src/graphql/directive/isAuthorized.ts b/backend/src/graphql/directive/isAuthorized.ts
index 5303600bc..9313c9b5a 100644
--- a/backend/src/graphql/directive/isAuthorized.ts
+++ b/backend/src/graphql/directive/isAuthorized.ts
@@ -3,12 +3,11 @@ import { AuthChecker } from 'type-graphql'
 import { decode, encode } from '../../auth/JWT'
-import { ROLES } from '../../auth/ROLES'
-import { hasRight } from '../../auth/hasRight'
+import { ROLE_USER, ROLE_UNAUTHORIZED } from '../../auth/ROLES'
 import { RIGHTS } from '../../auth/RIGHTS'
 const isAuthorized: AuthChecker = async ({ context }, rights) => {
- context.role = ROLES[0] // unauthorized user
+ context.role = ROLE_UNAUTHORIZED // unauthorized user
 // Do we have a token?
 if (context.token) {
@@ -22,11 +21,11 @@ const isAuthorized: AuthChecker = async ({ context }, rights) => {
 // set new header token
 context.setHeaders.push({ key: 'token', value: encode(decoded.pubKey) })
 // TODO - load from database dynamically & admin - maybe encode this in the token to prevent many database requests
- context.role = ROLES[1] // logged in user
+ context.role = ROLE_USER // logged in user
 }
 // check for correct rights
- const missingRights = (rights).filter((right) => !hasRight(right, context.role))
+ const missingRights = (rights).filter((right) => !context.role.hasRight(right))
 if (missingRights.length !== 0) {
 throw new Error('401 Unauthorized')
 }
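Review bot: The new `context.role.hasRight(right)` call in the `missingRights` filter is not type-checked by this file: the signature in the hunk header, `const isAuthorized: AuthChecker = async ({ context }, rights) => {`, passes no type parameters, so `rights` falls back to the library's default element type and `context.role` is untyped unless a default elsewhere supplies it — a misspelled right in an `@Authorized(...)` decorator or a later rename of `hasRight` would only show up at runtime as a denied request. Parameterizing the checker, e.g. `const isAuthorized: AuthChecker<ContextType, RIGHTS> = async ({ context }, rights) => {` with the project's context type in place of the `ContextType` placeholder, makes both the `rights` values and the `role` field checked; that same signature line is also the context of this file's first hunk. On the `// TODO` above the `ROLE_USER` assignment: encoding the role in the token would fix a user's rights until the token expires, so whatever loads roles from the database should stay authoritative for any right that can be revoked. `isAuthorized` begins before this hunk and its closing lines lie beyond it.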