-
Notifications
You must be signed in to change notification settings - Fork 1
/
app.cerbos.js
122 lines (104 loc) · 2.99 KB
/
app.cerbos.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
const express = require("express");
const { users, expenses } = require("./db");
const { GRPC } = require("@cerbos/grpc");
// Playground Demo PDP
const cerbos = new GRPC("demo-pdp.cerbos.cloud", {
tls: true,
playgroundInstance: "XhkOi82fFKk3YW60e2c806Yvm0trKEje",
});
// Local PDP
// const cerbos = new GRPC("localhost:3593", {
// tls: false,
// });
const app = express();
app.use(express.json());
app.use((req, res, next) => {
const user = users.find((u) => u.id === req.headers["authorization"]);
if (!user) {
res.status(401).send("Unauthorized");
} else {
req.user = user;
next();
}
});
app.get("/", (req, res) => {
res.json({
message: "CerbFinance is running",
});
});
app.get("/expenses/:id", async (req, res) => {
const expense = expenses.find((expense) => expense.id === req.params.id);
if (!expense) return res.status(404).json({ error: "Expense not found" });
const decision = await cerbos.checkResource({
principal: req.user,
resource: {
kind: "expense",
...expense,
},
actions: ["view", "view:approver"],
});
if (decision.isAllowed("view")) {
if (!decision.isAllowed("view:approver")) {
delete expense.attributes.approvedBy;
}
return res.json(expense);
}
return res.status(401).json({ error: "Unauthorized" });
});
app.patch("/expenses/:id", async (req, res) => {
const expense = expenses.find((expense) => expense.id === req.params.id);
if (!expense) return res.status(404).json({ error: "Expense not found" });
const decision = await cerbos.checkResource({
principal: req.user,
resource: {
kind: "expense",
...expense,
},
actions: ["update"],
});
if (decision.isAllowed("update")) {
// do the patch here
return res.json(expense);
} else {
return res.status(401).json({ error: "Unauthorized" });
}
});
app.post("/expenses/:id/approve", async (req, res) => {
const expense = expenses.find((expense) => expense.id === req.params.id);
if (!expense) return res.status(404).json({ error: "Expense not found" });
const decision = await cerbos.checkResource({
principal: req.user,
resource: {
kind: "expense",
...expense,
},
actions: ["approve"],
});
if (decision.isAllowed("approve")) {
// do the approve here
return res.json(expense);
}
return res.status(401).json({ error: "Unauthorized" });
});
app.delete("/expenses/:id", async (req, res) => {
const expense = expenses.find((expense) => expense.id === req.params.id);
if (!expense) return res.status(404).json({ error: "Expense not found" });
const decision = await cerbos.checkResource({
principal: req.user,
resource: {
kind: "expense",
...expense,
},
actions: ["delete"],
});
if (decision.isAllowed("delete")) {
// do the deletion here
return res.json({
message: "expense deleted",
});
}
return res.status(401).json({ error: "Unauthorized" });
});
app.listen(8000, () => {
console.log("Server is running on port 8000");
});