feat(AccessToken&ACL): refs #7547 upgrade security

back/methods/vn-token/killSession.js

@@ -0,0 +1,29 @@
+module.exports = Self => {
+    Self.remoteMethodCtx('killSession', {
+        description: 'Kill session',
+        accepts: [{
+            arg: 'userId',
+            type: 'integer',
+            description: 'The user id',
+            required: true,
+        }, {
+            arg: 'created',
+            type: 'date',
+            description: 'The created time',
+            required: true,
+        }],
+        accessType: 'WRITE',
+        http: {
+            path: `/killSession`,
+            verb: 'POST'
+        }
+    });
+
+    Self.killSession = async function(ctx, userId, created) {
+        await Self.app.models.VnUser.userSecurity(ctx, ctx.req.accessToken.userId);
+        const tokens = await Self.app.models.AccessToken.find({where: {userId, created}});
+        if (!tokens?.length) return;
+        for (const token of tokens)
+            await Self.app.models.AccessToken.deleteById(token.id);
+    };
+};

back/model-config.json

@@ -166,6 +166,9 @@
     "ViaexpressConfig": {
         "dataSource": "vn"
     },
+    "VnToken": {
+        "dataSource": "vn"
+    },
     "VnUser": {
         "dataSource": "vn"
     },

back/models/vn-token.js

@@ -0,0 +1,5 @@
+const vnModel = require('vn-loopback/common/models/vn-model');
+module.exports = function(Self) {
+    vnModel(Self);
+    require('../methods/vn-token/killSession')(Self);
+};

back/models/vn-token.json

@@ -0,0 +1,22 @@
+{
+    "name": "VnToken",
+    "base": "AccessToken",
+    "options": {
+        "mysql": {
+            "table": "salix.AccessToken"
+        }
+    },
+    "properties": {
+        "created": {
+            "type": "date"
+        }
+    },
+    "relations": {
+        "user": {
+            "type": "belongsTo",
+            "model": "VnUser",
+            "foreignKey": "userId"
+        }
+    },
+    "hidden": ["id"]
+}

db/versions/11112-blackRose/00-firstScript.sql

@@ -0,0 +1,13 @@
+UPDATE `salix`.`ACL`
+	SET accessType='READ'
+	WHERE model = 'ACL';
+
+UPDATE `salix`.`ACL`
+	SET principalId='developerBoss'
+	WHERE model = 'AccessToken';
+
+INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
+	VALUES
+		('VnToken', '*', 'READ', 'ALLOW', 'ROLE', 'developer'),
+		('VnToken', 'killSession', '*', 'ALLOW', 'ROLE', 'developer'),
+		('ACL', '*', 'WRITE', 'ALLOW', 'ROLE', 'developerBoss');

modules/account/front/connections/index.html

@@ -1,6 +1,6 @@
 <vn-crud-model
     vn-id="model"
-    url="AccessTokens"
+    url="VnTokens"
     filter="::$ctrl.filter"
     limit="20"
     auto-load="true">

modules/account/front/connections/index.js

@@ -16,8 +16,8 @@ export default class Controller extends Section {
         };
     }
 
-    onDisconnect(row) {
+    onDisconnect({created, userId}) {
-        return this.$http.delete(`AccessTokens/${row.id}`)
+        return this.$http.post(`VnTokens/killSession`, {created, userId})
             .then(() => this.$.model.refresh())
             .then(() => this.vnApp.showSuccess(this.$t('Session killed')));
     }