Moved system examples to follder, added support for forbidding methods.
h3rald h3rald@h3rald.com
Fri, 06 Mar 2020 10:58:29 +0100
5 files changed,
27 insertions(+),
28 deletions(-)
D
src/litestorepkg/examples/config.json
@@ -1,28 +0,0 @@
-{
- "settings": {
- "log": "debug",
- "middleware": "litestorepkg/examples/middleware",
- "port": 9100
- },
- "resources": {
- "/info": {
- "GET": { "auth": ["admin:server"] }
- },
- "/docs/*": {
- "GET": {
- "middleware": ["validate", "log"]
- },
- "POST": { "auth": ["admin:server"] },
- "PATCH": { "auth": ["admin:server"] },
- "PUT": { "auth": ["admin:server"] },
- "DELETE": { "auth": ["admin:server"] }
- },
- "/docs/wiki/*": {
- "POST": { "auth": ["admin:wiki"] },
- "PUT": { "auth": ["admin:wiki"] },
- "PATCH": { "auth": ["admin:wiki"] },
- "DELETE": { "auth": ["admin:wiki"] }
- }
- },
- "signature": "\n-----BEGIN CERTIFICATE-----\n<certificate text goes here>\n-----END CERTIFICATE-----\n"
-}
M
src/litestorepkg/examples/middleware/log.js
→
src/litestorepkg/examples/system/middleware/log.js
@@ -4,6 +4,7 @@ sub: $req.jwt.claims && $req.jwt.claims.sub || null,
agent: $req.headers['user-agent'],
 language: $req.headers['accept-language'] && $req.headers['accept-language'].replace(/,.+$/, ''),
 path: $req.path,
+ method: $req.method,
 timestamp: Date.now()
 }
 $store.post('docs', 'logs', JSON.stringify(doc), 'application/json');
M
src/litestorepkg/lib/server.nim
→
src/litestorepkg/lib/server.nim
@@ -83,12 +83,38 @@ echo getCurrentExceptionMsg()
writeStackTrace()
 return resError(Http401, "Unauthorized - Invalid token")
+proc isAllowed(resource, id, meth: string): bool =
+ if LS.config.kind != JObject or not LS.config.hasKey("resources"):
+ return true
+ var reqUri = "/" & resource & "/" & id
+ if reqUri[^1] == '/':
+ reqUri.removeSuffix({'/'})
+ let parts = reqUri.split("/")
+ let ancestors = parts[1..parts.len-2]
+ var currentPath = ""
+ var currentPaths = ""
+ for p in ancestors:
+ currentPath &= "/" & p
+ currentPaths = currentPath & "/*"
+ echo currentPaths
+ if LS.config["resources"].hasKey(currentPaths) and LS.config["resources"][currentPaths].hasKey(meth) and LS.config["resources"][currentPaths][meth].hasKey("allowed"):
+ let allowed = LS.config["resources"][currentPaths][meth]["allowed"]
+ if (allowed == %false):
+ return false;
+ if LS.config["resources"].hasKey(reqUri) and LS.config["resources"][reqUri].hasKey(meth) and LS.config["resources"][reqUri][meth].hasKey("allowed"):
+ let allowed = LS.config["resources"][reqUri][meth]["allowed"]
+ if (allowed == %false):
+ return false
+ return true
+
 proc processApiUrl(req: LSRequest, LS: LiteStore, info: ResourceInfo): LSResponse =
 var reqUri = "/" & info.resource & "/" & info.id
 if reqUri[^1] == '/':
 reqUri.removeSuffix({'/'})
 let reqMethod = $req.reqMethod
 var jwt: JWT
+ if not isAllowed(info.resource, info.id, reqMethod):
+ return resError(Http405, "Method not allowed: $1" % reqMethod)
 # Authentication/Authorization
 if LS.auth != newJNull():
 var uri = reqUri
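Review bot: `echo currentPaths` inside the `for p in ancestors` loop of the new `isAllowed` is leftover debug output that prints a prefix of every request path to stdout on each request; drop it or route it through the server's logger before this ships. The two `hasKey`/`== %false` blocks that follow are the same lookup applied first to `currentPaths` and then to `reqUri` (the first ends in a stray `return false;`), and because only the JSON literal `false` forbids, a mistyped value such as the string `"false"` silently permits the method — a helper that owns this check, as sketched below, removes the duplication and gives that rule one place to live. `isAllowed` also reads `LS` without taking it as a parameter, whereas `processApiUrl` receives `LS` explicitly; presumably a module-level `LS` exists, but the two could refer to different instances. The body of `processApiUrl` continues past the end of the hunk.
```nim
proc isForbidden(resources: JsonNode, path, meth: string): bool =
  ## True only when resources[path][meth]["allowed"] is the JSON literal false.
  resources.hasKey(path) and resources[path].hasKey(meth) and
    resources[path][meth].hasKey("allowed") and
    resources[path][meth]["allowed"] == %false

proc isAllowed(resource, id, meth: string): bool =
  if LS.config.kind != JObject or not LS.config.hasKey("resources"):
    return true
  # … unchanged: reqUri normalisation, parts and ancestors …
  let resources = LS.config["resources"]
  var currentPath = ""
  for p in ancestors:
    currentPath &= "/" & p
    if resources.isForbidden(currentPath & "/*", meth):
      return false
  not resources.isForbidden(reqUri, meth)
```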