From 6b626888247ca34765157b9a84abcbd17b0244e3 Mon Sep 17 00:00:00 2001 From: Philip Molares Date: Sun, 2 Oct 2022 20:33:59 +0200 Subject: [PATCH] feat: allow guests in SessionGuard Signed-off-by: Philip Molares --- src/identity/session.guard.ts | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/src/identity/session.guard.ts b/src/identity/session.guard.ts index 5dd653250..a0b6b2ff5 100644 --- a/src/identity/session.guard.ts +++ b/src/identity/session.guard.ts @@ -1,33 +1,54 @@ /* - * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file) + * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file) * * SPDX-License-Identifier: AGPL-3.0-only */ import { CanActivate, ExecutionContext, + Inject, Injectable, UnauthorizedException, } from '@nestjs/common'; +import { GuestAccess } from '../config/guest_access.enum'; +import noteConfiguration, { NoteConfig } from '../config/note.config'; import { NotInDBError } from '../errors/errors'; import { ConsoleLoggerService } from '../logger/console-logger.service'; import { User } from '../users/user.entity'; import { UsersService } from '../users/users.service'; +/** + * This guard checks if a session is present. + * + * If there is a username in `request.session.user` it will try to get this user from the database and put it into `request.user`. See {@link RequestUser}. + * If there is no `request.session.user`, but any GuestAccess is configured, `request.session.authProvider` is set to `guest` to indicate a guest user. + * + * @throws UnauthorizedException + */ @Injectable() export class SessionGuard implements CanActivate { constructor( private readonly logger: ConsoleLoggerService, private userService: UsersService, + @Inject(noteConfiguration.KEY) + private noteConfig: NoteConfig, ) { this.logger.setContext(SessionGuard.name); } async canActivate(context: ExecutionContext): Promise { - const request: Request & { session?: { user: string }; user?: User } = - context.switchToHttp().getRequest(); + const request: Request & { + session?: { user: string; authProvider: string }; + user?: User; + } = context.switchToHttp().getRequest(); if (!request.session?.user) { + if (this.noteConfig.guestAccess !== GuestAccess.DENY) { + if (request.session) { + request.session.authProvider = 'guest'; + return true; + } + } this.logger.debug('The user has no session.'); throw new UnauthorizedException("You're not logged in"); }