feat: allow guests in SessionGuard

Signed-off-by: Philip Molares <philip.molares@udo.edu>
This commit is contained in:
Philip Molares 2022-10-02 20:33:59 +02:00
parent b384c795d0
commit 6b62688824

View file

@ -1,33 +1,54 @@
/*
* SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
* SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
*
* SPDX-License-Identifier: AGPL-3.0-only
*/
import {
CanActivate,
ExecutionContext,
Inject,
Injectable,
UnauthorizedException,
} from '@nestjs/common';
import { GuestAccess } from '../config/guest_access.enum';
import noteConfiguration, { NoteConfig } from '../config/note.config';
import { NotInDBError } from '../errors/errors';
import { ConsoleLoggerService } from '../logger/console-logger.service';
import { User } from '../users/user.entity';
import { UsersService } from '../users/users.service';
/**
* This guard checks if a session is present.
*
* If there is a username in `request.session.user` it will try to get this user from the database and put it into `request.user`. See {@link RequestUser}.
* If there is no `request.session.user`, but any GuestAccess is configured, `request.session.authProvider` is set to `guest` to indicate a guest user.
*
* @throws UnauthorizedException
*/
@Injectable()
export class SessionGuard implements CanActivate {
constructor(
private readonly logger: ConsoleLoggerService,
private userService: UsersService,
@Inject(noteConfiguration.KEY)
private noteConfig: NoteConfig,
) {
this.logger.setContext(SessionGuard.name);
}
async canActivate(context: ExecutionContext): Promise<boolean> {
const request: Request & { session?: { user: string }; user?: User } =
context.switchToHttp().getRequest();
const request: Request & {
session?: { user: string; authProvider: string };
user?: User;
} = context.switchToHttp().getRequest();
if (!request.session?.user) {
if (this.noteConfig.guestAccess !== GuestAccess.DENY) {
if (request.session) {
request.session.authProvider = 'guest';
return true;
}
}
this.logger.debug('The user has no session.');
throw new UnauthorizedException("You're not logged in");
}