neoris/openvidu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

backend: Add configureRoomAuthorization middleware for get room endpoint

Browse Source
This commit is contained in:
juancarmore 2025-03-25 16:38:32 +01:00
parent 147a334868
commit 93048f236a
2 changed files with 68 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
backend/src/middlewares/room.middleware.ts
View File

@ -3,9 +3,9 @@ import { NextFunction, Request, Response } from 'express';
import { LoggerService } from '../services/logger.service.js'; import { LoggerService } from '../services/logger.service.js';
import { GlobalPreferencesService } from '../services/index.js'; import { GlobalPreferencesService } from '../services/index.js';
import { allowAnonymous, apiKeyValidator, tokenAndRoleValidator, withAuth } from './auth.middleware.js'; import { allowAnonymous, apiKeyValidator, tokenAndRoleValidator, withAuth } from './auth.middleware.js';
import { UserRole } from '@typings-ce'; import { AuthMode, ParticipantRole, UserRole } from '@typings-ce';
export const configureRoomAuth = async (req: Request, res: Response, next: NextFunction) => { export const configureCreateRoomAuth = async (req: Request, res: Response, next: NextFunction) => {
const logger = container.get(LoggerService); const logger = container.get(LoggerService);
const globalPrefService = container.get(GlobalPreferencesService); const globalPrefService = container.get(GlobalPreferencesService);
let allowRoomCreation: boolean; let allowRoomCreation: boolean;
@ -31,3 +31,59 @@ export const configureRoomAuth = async (req: Request, res: Response, next: NextF
return withAuth(...authValidators)(req, res, next); return withAuth(...authValidators)(req, res, next);
}; };
/**
* Middleware that configures authorization for accessing a specific room.
*
* This middleware runs after authentication and applies additional authorization rules
* based on the user's role and global authentication settings.
*
* - If there is no token in the session, the user is granted access (admin or API key).
* - If the user does not belong to the requested room, access is denied.
* - If the user is a moderator and global authentication requires it,
* an extra validation step is added with `withAuth(tokenAndRoleValidator(UserRole.USER))`.
* - If the user is not a moderator, access is denied.
*/
export const configureRoomAuthorization = async (req: Request, res: Response, next: NextFunction) => {
const roomName = req.params.roomName as string;
const payload = req.session?.tokenClaims;
// If there is no token, the user is admin or it is invoked using the API key
// In this case, the user is allowed to access the resource
if (!payload) {
return next();
}
const sameRoom = payload.video?.room === roomName;
const metadata = JSON.parse(payload.metadata || '{}');
const role = metadata.role as ParticipantRole;
if (!sameRoom) {
return res.status(403).json({ message: 'Insufficient permissions to access this resource' });
}
const logger = container.get(LoggerService);
const globalPrefService = container.get(GlobalPreferencesService);
let authMode: AuthMode;
try {
const { securityPreferences } = await globalPrefService.getGlobalPreferences();
authMode = securityPreferences.authentication.authMode;
} catch (error) {
logger.error('Error checking authentication preferences', error);
return res.status(500).json({ message: 'Internal server error' });
}
// If the user is a moderator, it is necessary to add the user role validator
// in case the room requires some authentication
if (role === ParticipantRole.MODERATOR) {
if (authMode !== AuthMode.NONE) {
return withAuth(tokenAndRoleValidator(UserRole.USER))(req, res, next);
}
return next();
}
// If the user is not a moderator, it is not allowed to access the resource
return res.status(403).json({ message: 'Insufficient permissions to access this resource' });
};

14
backend/src/routes/room.routes.ts
View File

@ -1,13 +1,18 @@
import { Router } from 'express'; import { Router } from 'express';
import bodyParser from 'body-parser'; import bodyParser from 'body-parser';
import * as roomCtrl from '../controllers/room.controller.js'; import * as roomCtrl from '../controllers/room.controller.js';
import { withAuth, tokenAndRoleValidator, apiKeyValidator } from '../middlewares/auth.middleware.js'; import {
withAuth,
tokenAndRoleValidator,
apiKeyValidator,
participantTokenValidator
} from '../middlewares/auth.middleware.js';
import { import {
validateGetRoomQueryParams, validateGetRoomQueryParams,
validateRoomRequest validateRoomRequest
} from '../middlewares/request-validators/room-validator.middleware.js'; } from '../middlewares/request-validators/room-validator.middleware.js';
import { UserRole } from '@typings-ce'; import { UserRole } from '@typings-ce';
import { configureRoomAuth } from '../middlewares/room.middleware.js'; import { configureCreateRoomAuth, configureRoomAuthorization } from '../middlewares/room.middleware.js';
export const roomRouter = Router(); export const roomRouter = Router();
@ -15,7 +20,7 @@ roomRouter.use(bodyParser.urlencoded({ extended: true }));
roomRouter.use(bodyParser.json()); roomRouter.use(bodyParser.json());
// Room Routes // Room Routes
roomRouter.post('/', configureRoomAuth, validateRoomRequest, roomCtrl.createRoom); roomRouter.post('/', configureCreateRoomAuth, validateRoomRequest, roomCtrl.createRoom);
roomRouter.get( roomRouter.get(
'/', '/',
withAuth(apiKeyValidator, tokenAndRoleValidator(UserRole.ADMIN)), withAuth(apiKeyValidator, tokenAndRoleValidator(UserRole.ADMIN)),
@ -24,7 +29,8 @@ roomRouter.get(
); );
roomRouter.get( roomRouter.get(
'/:roomName', '/:roomName',
withAuth(apiKeyValidator, tokenAndRoleValidator(UserRole.ADMIN), tokenAndRoleValidator(UserRole.USER)), withAuth(apiKeyValidator, tokenAndRoleValidator(UserRole.ADMIN), participantTokenValidator),
configureRoomAuthorization,
validateGetRoomQueryParams, validateGetRoomQueryParams,
roomCtrl.getRoom roomCtrl.getRoom
); );