all repos — litestore @ 50acb806e40445b93f9778d6b9fdcf7477c65a09

A minimalist nosql document store.

Moved system examples to follder, added support for forbidding methods.
h3rald h3rald@h3rald.com
Fri, 06 Mar 2020 10:58:29 +0100
commit

50acb806e40445b93f9778d6b9fdcf7477c65a09

parent

f1832f40b40c48fbb17efe6d15a44c5cf03d6228

D src/litestorepkg/examples/config.json

@@ -1,28 +0,0 @@

-{ - "settings": { - "log": "debug", - "middleware": "litestorepkg/examples/middleware", - "port": 9100 - }, - "resources": { - "/info": { - "GET": { "auth": ["admin:server"] } - }, - "/docs/*": { - "GET": { - "middleware": ["validate", "log"] - }, - "POST": { "auth": ["admin:server"] }, - "PATCH": { "auth": ["admin:server"] }, - "PUT": { "auth": ["admin:server"] }, - "DELETE": { "auth": ["admin:server"] } - }, - "/docs/wiki/*": { - "POST": { "auth": ["admin:wiki"] }, - "PUT": { "auth": ["admin:wiki"] }, - "PATCH": { "auth": ["admin:wiki"] }, - "DELETE": { "auth": ["admin:wiki"] } - } - }, - "signature": "\n-----BEGIN CERTIFICATE-----\n<certificate text goes here>\n-----END CERTIFICATE-----\n" -}
M src/litestorepkg/examples/middleware/log.jssrc/litestorepkg/examples/system/middleware/log.js

@@ -4,6 +4,7 @@ sub: $req.jwt.claims && $req.jwt.claims.sub || null,

agent: $req.headers['user-agent'], language: $req.headers['accept-language'] && $req.headers['accept-language'].replace(/,.+$/, ''), path: $req.path, + method: $req.method, timestamp: Date.now() } $store.post('docs', 'logs', JSON.stringify(doc), 'application/json');
M src/litestorepkg/lib/server.nimsrc/litestorepkg/lib/server.nim

@@ -83,12 +83,38 @@ echo getCurrentExceptionMsg()

writeStackTrace() return resError(Http401, "Unauthorized - Invalid token") +proc isAllowed(resource, id, meth: string): bool = + if LS.config.kind != JObject or not LS.config.hasKey("resources"): + return true + var reqUri = "/" & resource & "/" & id + if reqUri[^1] == '/': + reqUri.removeSuffix({'/'}) + let parts = reqUri.split("/") + let ancestors = parts[1..parts.len-2] + var currentPath = "" + var currentPaths = "" + for p in ancestors: + currentPath &= "/" & p + currentPaths = currentPath & "/*" + echo currentPaths + if LS.config["resources"].hasKey(currentPaths) and LS.config["resources"][currentPaths].hasKey(meth) and LS.config["resources"][currentPaths][meth].hasKey("allowed"): + let allowed = LS.config["resources"][currentPaths][meth]["allowed"] + if (allowed == %false): + return false; + if LS.config["resources"].hasKey(reqUri) and LS.config["resources"][reqUri].hasKey(meth) and LS.config["resources"][reqUri][meth].hasKey("allowed"): + let allowed = LS.config["resources"][reqUri][meth]["allowed"] + if (allowed == %false): + return false + return true + proc processApiUrl(req: LSRequest, LS: LiteStore, info: ResourceInfo): LSResponse = var reqUri = "/" & info.resource & "/" & info.id if reqUri[^1] == '/': reqUri.removeSuffix({'/'}) let reqMethod = $req.reqMethod var jwt: JWT + if not isAllowed(info.resource, info.id, reqMethod): + return resError(Http405, "Method not allowed: $1" % reqMethod) # Authentication/Authorization if LS.auth != newJNull(): var uri = reqUri