feat(AccessToken&ACL): refs #7547 upgrade security

2024-06-21 14:28:55 +02:00 · 2024-06-21 14:28:55 +02:00 · 7f278269a5
parent 6874474207
commit 7f278269a5
7 changed files with 76 additions and 4 deletions
--- a/back/methods/vn-token/killSession.js
+++ b/back/methods/vn-token/killSession.js
@ -0,0 +1,29 @@
+module.exports = Self => {
+    Self.remoteMethodCtx('killSession', {
+        description: 'Kill session',
+        accepts: [{
+            arg: 'userId',
+            type: 'integer',
+            description: 'The user id',
+            required: true,
+        }, {
+            arg: 'created',
+            type: 'date',
+            description: 'The created time',
+            required: true,
+        }],
+        accessType: 'WRITE',
+        http: {
+            path: `/killSession`,
+            verb: 'POST'
+        }
+    });
+
+    Self.killSession = async function(ctx, userId, created) {
+        await Self.app.models.VnUser.userSecurity(ctx, ctx.req.accessToken.userId);
+        const tokens = await Self.app.models.AccessToken.find({where: {userId, created}});
+        if (!tokens?.length) return;
+        for (const token of tokens)
+            await Self.app.models.AccessToken.deleteById(token.id);
+    };
+};
--- a/back/model-config.json
+++ b/back/model-config.json
@ -166,6 +166,9 @@
    "ViaexpressConfig": {
        "dataSource": "vn"
    },
+    "VnToken": {
+        "dataSource": "vn"
+    },
    "VnUser": {
        "dataSource": "vn"
    },
--- a/back/models/vn-token.js
+++ b/back/models/vn-token.js
@ -0,0 +1,5 @@
+const vnModel = require('vn-loopback/common/models/vn-model');
+module.exports = function(Self) {
+    vnModel(Self);
+    require('../methods/vn-token/killSession')(Self);
+};
--- a/back/models/vn-token.json
+++ b/back/models/vn-token.json
@ -0,0 +1,22 @@
+{
+    "name": "VnToken",
+    "base": "AccessToken",
+    "options": {
+        "mysql": {
+            "table": "salix.AccessToken"
+        }
+    },
+    "properties": {
+        "created": {
+            "type": "date"
+        }
+    },
+    "relations": {
+        "user": {
+            "type": "belongsTo",
+            "model": "VnUser",
+            "foreignKey": "userId"
+        }
+    },
+    "hidden": ["id"]
+}
--- a/db/versions/11112-blackRose/00-firstScript.sql
+++ b/db/versions/11112-blackRose/00-firstScript.sql
@ -0,0 +1,13 @@
+UPDATE `salix`.`ACL`
+	SET accessType='READ'
+	WHERE model = 'ACL';
+
+UPDATE `salix`.`ACL`
+	SET principalId='developerBoss'
+	WHERE model = 'AccessToken';
+
+INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
+	VALUES
+		('VnToken', '*', 'READ', 'ALLOW', 'ROLE', 'developer'),
+		('VnToken', 'killSession', '*', 'ALLOW', 'ROLE', 'developer'),
+		('ACL', '*', 'WRITE', 'ALLOW', 'ROLE', 'developerBoss');
--- a/modules/account/front/connections/index.html
+++ b/modules/account/front/connections/index.html
@ -1,6 +1,6 @@
 <vn-crud-model
    vn-id="model"
-    url="AccessTokens"
+    url="VnTokens"
    filter="::$ctrl.filter"
    limit="20"
    auto-load="true">
@ -42,4 +42,4 @@
    ng-click="model.refresh()"
    vn-bind="r"
    fixed-bottom-right>
-</vn-float-button>
+</vn-float-button>
--- a/modules/account/front/connections/index.js
+++ b/modules/account/front/connections/index.js
@ -16,8 +16,8 @@ export default class Controller extends Section {
        };
    }

-    onDisconnect(row) {
-        return this.$http.delete(`AccessTokens/${row.id}`)
+    onDisconnect({created, userId}) {
+        return this.$http.post(`VnTokens/killSession`, {created, userId})
            .then(() => this.$.model.refresh())
            .then(() => this.vnApp.showSuccess(this.$t('Session killed')));
    }