diff --git a/client/components/login.vue b/client/components/login.vue
index 692595f9..a65b63d7 100644
--- a/client/components/login.vue
+++ b/client/components/login.vue
@@ -11,7 +11,7 @@
 offset-xl4, xl4
 )
 transition(name='zoom')
- v-card.elevation-5.radius-7(v-show='isShown')
+ v-card.elevation-5.md2(v-show='isShown')
 v-toolbar(color='primary', flat, dense, dark)
 v-spacer
 .subheading(v-if='screen === "tfa"') {{ $t('auth:tfa.subtitle') }}
@@ -59,7 +59,7 @@
 )
 v-card-actions.pb-4
 v-spacer
- v-btn(
+ v-btn.md2(
 v-if='screen === "login"'
 block
 large
@@ -68,7 +68,7 @@
 round
 :loading='isLoading'
 ) {{ $t('auth:actions.login') }}
- v-btn(
+ v-btn.md2(
 v-if='screen === "tfa"'
 block
 large
diff --git a/client/scss/layout/_md2.scss b/client/scss/layout/_md2.scss
index b15c3aac..6e3a674b 100644
--- a/client/scss/layout/_md2.scss
+++ b/client/scss/layout/_md2.scss
@@ -1,7 +1,17 @@
 .md2 {
- &.v-text-field .v-input__slot {
- border-radius: 28px;
+ &.v-text-field {
+ .v-input__slot {
+ border-radius: 7px;
+ }
+ }
+
+ &.v-btn {
+ border-radius: 7px;
+ }
+
+ &.v-card {
+ border-radius: 7px;
 }
 }
diff --git a/server/graph/directives/auth.js b/server/graph/directives/auth.js
index 1c3b4f11..851f3039 100644
--- a/server/graph/directives/auth.js
+++ b/server/graph/directives/auth.js
@@ -1,5 +1,6 @@
 const { SchemaDirectiveVisitor } = require('graphql-tools')
 const { defaultFieldResolver } = require('graphql')
+const _ = require('lodash')
 class AuthDirective extends SchemaDirectiveVisitor {
 visitObject(type) {
@@ -39,11 +40,13 @@ class AuthDirective extends SchemaDirectiveVisitor { } const context = args[2] - console.info(context.req.user) - // const user = await getUser(context.headers.authToken) - // if (!user.hasRole(requiredScopes)) { - // throw new Error('not authorized') - // } + if (!context.req.user) { + throw new Error('Unauthorized') + } + + if (!_.some(context.req.user.permissions, pm => _.includes(requiredScopes, pm))) { + throw new Error('Forbidden') + } return resolve.apply(this, args) } diff --git a/server/helpers/security.js b/server/helpers/security.js index c0479b5c..4f0ef46f 100644 --- a/server/helpers/security.js +++ b/server/helpers/security.js @@ -24,16 +24,14 @@ module.exports = { }) }, - async extractJWT (req) { - return passportJWT.ExtractJwt.fromExtractors([ - passportJWT.ExtractJwt.fromAuthHeaderAsBearerToken(), - (req) => { - let token = null - if (req && req.cookies) { - token = req.cookies['jwt'] - } - return token + extractJWT: passportJWT.ExtractJwt.fromExtractors([ + passportJWT.ExtractJwt.fromAuthHeaderAsBearerToken(), + (req) => { + let token = null + if (req && req.cookies) { + token = req.cookies['jwt'] } - ])(req) - } + return token + } + ]) } diff --git a/server/middlewares/auth.js b/server/middlewares/auth.js index 50d80918..e9006a71 100644 --- a/server/middlewares/auth.js +++ b/server/middlewares/auth.js @@ -13,12 +13,9 @@ module.exports = { WIKI.auth.passport.authenticate('jwt', {session: false}, async (err, user, info) => { if (err) { return next() } - console.info(err, user, info) - // Expired but still valid within 7 days, just renew if (info instanceof jwt.TokenExpiredError && moment().subtract(7, 'days').isBefore(info.expiredAt)) { const jwtPayload = jwt.decode(securityHelper.extractJWT(req)) - console.info(jwtPayload) try { const newToken = await WIKI.models.users.refreshToken(jwtPayload.id) user = newToken.user diff --git a/server/models/users.js b/server/models/users.js index c50a9d62..053dcf18 100644 
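Review bot: The new scope check `_.some(context.req.user.permissions, pm => _.includes(requiredScopes, pm))` in server/graph/directives/auth.js is an exact match only while `requiredScopes` is an array; `_.includes` does substring matching when handed a string, so a scalar value would let a shorter permission string satisfy a longer required scope. `requiredScopes` is assigned outside this hunk, so its shape should be confirmed, or the check made to fail closed with `if (_.intersection(context.req.user.permissions, requiredScopes).length < 1) { throw new Error('Forbidden') }`, since `_.intersection` treats non-array arguments as empty. The guard above it dereferences `context.req` unconditionally; `if (!_.get(context, 'req.user'))` would turn a context without a request into `Unauthorized` rather than a TypeError. The enclosing resolver wrapper starts and ends outside the hunk.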
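Review bot: `extractJWT` in server/helpers/security.js is now the extractor function itself rather than an `async` wrapper, and nothing on it states that it returns the raw token string or `null` synchronously, or that the bearer header is tried before the `jwt` cookie. A short JSDoc comment above the property, e.g. `/** Returns the JWT from the Authorization bearer header, else from the 'jwt' cookie, else null. */`, would document that contract for callers such as the auth middleware. Because the cookie fallback authenticates requests that the browser sends automatically, it is worth confirming that the cookie is written with `SameSite` and `HttpOnly` where it is set, which is not visible in this diff.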
--- a/server/models/users.js
+++ b/server/models/users.js
@@ -252,9 +252,9 @@ module.exports = class User extends Model {
 timezone: user.timezone,
 localeCode: user.localeCode,
 defaultEditor: user.defaultEditor,
- permissions: []
+ permissions: ['manage:system']
 }, WIKI.config.sessionSecret, {
- expiresIn: '10s',
+ expiresIn: '30m',
 audience: 'urn:wiki.js', // TODO: use value from admin
 issuer: 'urn:wiki.js'
 }),
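Review bot: `permissions: ['manage:system']` is written into every token this code signs, independent of the `user` record, so any account that obtains a token carries the scope that the check added in server/graph/directives/auth.js compares against. If this is a placeholder until real grants are wired in, it should fail closed by keeping `permissions: []`, or be derived from the user's stored permissions, whose source is not visible in this hunk. With `expiresIn: '30m'` a permission embedded in the claim also stays effective until the token is re-issued, so a comment next to the claim such as `// permissions are a snapshot at signing time; revocation takes effect on the next refresh` would help. The enclosing function starts and ends outside the hunk.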