middleware hasPermissions.ts

100% Statements 16/16
100% Branches 18/18
100% Functions 4/4
100% Lines 14/14
Press n or j to go to the next uncovered block, b, p or k for the previous block.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56  
 
 
 
 
 
 
 
 
 
12x
 
 
7x
7x
 
7x
2x
 
 
5x
 
 
 
2x
 
 
 
 
 
 
 
 
12x
 
 
23x
23x
 
 
23x
2x
 
 
 
 
21x
 
 
 
 
3x
 
 
 
  import { MiddlewareObj, Request } from "@middy/core";
import { createError } from "@middy/util";
import { isCmsUser, isUserManagerUser } from "shared-utils";
 
import { getAuthUserFromRequest, getPackageFromRequest } from "./utils";
 
/**
 * Checks the user's permissions to determine if they can access the package.
 * @returns {MiddlewareObj} middleware the validate permission for a user to view a package before the handler runs
 */
export const canViewPackage = (): MiddlewareObj => ({
  before: async (request: Request) => {
    // Get the user to check if they are authorized to see the package
    const user = await getAuthUserFromRequest(request);
    const packageResult = await getPackageFromRequest(request);
 
    if (!user || !packageResult) {
      throw new Error("User or package were not stored on the request");
    }
 
    if (
      !isCmsUser(user) &&
      (!user.states || !user.states.includes(packageResult?._source?.state.toUpperCase()))
    ) {
      throw createError(403, JSON.stringify({ message: "Not authorized to view this resource" }));
    }
  },
});
 
/**
 * Checks the user's permissions to determine if they can view the user.
 * @returns {MiddlewareObj} middleware the validate permission for a user to view a user before the handler runs
 */
export const canViewUser = (): MiddlewareObj => ({
  before: async (request: Request) => {
    // Get the user to check if they are authorized to see the user
    const authenticatedUser = await getAuthUserFromRequest(request);
    const { userEmail } = request.event.body;
 
    // if the user wasn't set in context throw an error
    if (!authenticatedUser || !authenticatedUser?.email) {
      throw new Error("User was not stored on the request");
    }
 
    // if the userEmail was set but the authenticated user does not have
    // authorization to view another user's details, throw an error
    if (
      userEmail &&
      authenticatedUser.email !== userEmail &&
      !isUserManagerUser(authenticatedUser)
    ) {
      throw createError(403, JSON.stringify({ message: "Not authorized to view this resource" }));
    }
  },
});