diff --git a/src/storage/rules/index.js b/src/storage/rules/index.js
new file mode 100644
index 00000000..b0807b16
--- /dev/null
+++ b/src/storage/rules/index.js
@@ -0,0 +1,27 @@
+exports.storagePermission = (key, type, claims) => {
+ let res;
+
+ console.log('checking access permission 2');
+
+ // console.log({key});
+ // console.log({type});
+ // console.log({claims});
+
+ res = key.match(/\/companies\/(?\w*)\/customers\/(\d*)\/.*/);
+ if (res) {
+ if (claims['x-hasura-company-id'] === res.groups.company_id) {
+ return true;
+ }
+ return false;
+ }
+
+ // accept read to public directory
+ res = key.match(/\/public\/.*/);
+ if (res) {
+ if (type === 'read') {
+ return true;
+ }
+ }
+
+ return false;
+};
diff --git a/src/storage/storage-rules.js b/src/storage/storage-rules.js
deleted file mode 100644
index a7d1d36f..00000000
--- a/src/storage/storage-rules.js
+++ /dev/null
@@ -1,32 +0,0 @@
-module.exports = {
-
- // key - file path
- // type - [ read, write ]
- // claims - claims in JWT
- // this is similar to Firebase Security Rules for files. but not as good looking
- validateInteraction: function(key, type, claims) {
- let res;
-
- // console.log({key});
- // console.log({type});
- // console.log({claims});
-
- res = key.match(/\/companies\/(?\w*)\/customers\/(\d*)\/.*/);
- if (res) {
- if (claims['x-hasura-company-id'] === res.groups.company_id) {
- return true;
- }
- return false;
- }
-
- // accept read to public directory
- res = key.match(/\/public\/.*/);
- if (res) {
- if (type === 'read') {
- return true;
- }
- }
-
- return false;
- },
-};
diff --git a/src/storage/storage.js b/src/storage/storage.js
index c35ec8de..2d6fe881 100644
--- a/src/storage/storage.js
+++ b/src/storage/storage.js
@@ -17,7 +17,7 @@ const {
 S3_BUCKET,
 } = require('../config');
-const storage_rules = require('./storage-rules');
+const { storagePermission } = require('./rules');
 const router = express.Router();
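Review bot: Both `key.match` calls in the new `storagePermission` use unanchored patterns, so a key only has to contain `/public/` or `/companies/<id>/customers/<n>/` somewhere to be matched — a read of `/companies/other/reports/public/x` misses the company rule (no `/customers/` segment) and is then granted by the public rule. Anchor both patterns to the start of the key: `res = key.match(/^\/companies\/(?<company_id>\w*)\/customers\/(\d*)\/.*/);` and `res = key.match(/^\/public\/.*/);`. The named group shows here as `(?\w*)`, which is not valid regex syntax; given the `res.groups.company_id` access below, the source presumably reads `(?<company_id>\w*)` and the angle brackets were lost in rendering — worth confirming, as is the fact that `\w*` and `\d*` accept empty segments. The `console.log('checking access permission 2')` line is leftover debug output emitted on every authorization decision and should be removed, and the function should keep the contract comment the deleted storage-rules.js carried, e.g. `// key: object path; type: 'read' | 'write'; claims: verified JWT claims. Returns true only when access is granted.`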
@@ -50,8 +50,8 @@ router.get('/file/*', (req, res, next) => {
 }
 // check access of key for jwt token claims
- if (!storage_rules.validateInteraction(key, 'read', claims)) {
- console.log('not allowed to read');
+ if (!storagePermission(key, 'read', claims)) {
+ console.error('not allowed to read');
 return next(Boom.unauthorized('You are not allowed to read this file'));
 }
@@ -152,7 +152,7 @@ const upload_auth = (req, res, next) => {
 // completed
 req.saved_files = [];
- if (!storage_rules.validateInteraction(req.s3_key_prefix, 'write', claims)) {
+ if (!storagePermission(req.s3_key_prefix, 'write', claims)) {
 return next(Boom.unauthorized('You are not allowed to write files here'));
 }
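Review bot: The new `console.error('not allowed to read')` records neither the key nor the caller, so a denied read leaves no usable audit trail for detection or incident review; log the inputs the decision was made on, e.g. `console.error('not allowed to read', { key, company: claims['x-hasura-company-id'] });`. Separately, the unchanged `return next(Boom.unauthorized(...))` answers a failed authorization check for an already-authenticated caller with 401, where 403 (`Boom.forbidden`) is the conventional status; this is pre-existing rather than introduced here. The enclosing `router.get('/file/*', …)` handler starts and ends outside the hunk, so how `key` and `claims` are derived is not visible from this change.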
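Review bot: The write check in `upload_auth` authorizes `req.s3_key_prefix`, not the final object keys; if the uploaded filename (presumably appended to that prefix outside this hunk) can carry `/` or `..` segments, the stored key can land outside the prefix that was authorized. Either reject filenames containing path separators or `..` before this point, or additionally call `storagePermission(finalKey, 'write', claims)` on each computed key; note the rule's `\/.*` tail matches an empty remainder, so a bare `/companies/X/customers/1/` prefix passes as intended. As in the read path, `Boom.unauthorized` returns 401 for an authorization denial where `Boom.forbidden` (403) would be conventional. `upload_auth` begins before this hunk and the construction of `req.s3_key_prefix` is not visible, so the path-escape concern is a question to confirm rather than a confirmed defect.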