Add hardcoded list of allowed users

gbv · Nov 19, 2024 · 6cc5d00 · 6cc5d00
1 parent 6ae791a
commit 6cc5d00
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 7 deletions.
diff --git a/.docker/README.md b/.docker/README.md
@@ -26,6 +26,7 @@ services:
       - PORT=3454
       # When used in Docker, this needs to be a publicly available URL
       - VITE_LOGIN_SERVER=http://localhost:3004
+      - VITE_ALLOWED_USERS=uri1,uri2
     ports:
       - 3454:3454
     restart: unless-stopped

diff --git a/.docker/docker-compose.yml b/.docker/docker-compose.yml
@@ -10,6 +10,7 @@ services:
       - BASE=/
       - PORT=3454
       - VITE_LOGIN_SERVER=http://localhost:3004
+      - VITE_ALLOWED_USERS=uri1,uri2
     ports:
       - 3454:3454
     restart: unless-stopped
diff --git a/README.md b/README.md
@@ -53,10 +53,13 @@ There is an input form to give a PPN from K10plus catalogue.
 Configuration can be adjusted via a `.env` file. Variables prefixed with `VITE_` can be used in the client as well.
 
 ```env
+PORT=3454
 # Base path on which your app will be hosted
 BASE=/
 # Login Server instance base URL
 VITE_LOGIN_SERVER=http://localhost:3004
+# Hardcoded list of allow user URIs that can perform enrichments in the backend
+VITE_ALLOWED_USERS=uri1,uri2
 ```
 
 ## To-Dos

diff --git a/src/client/App.vue b/src/client/App.vue
@@ -1,5 +1,5 @@
 <script setup>
-import { ref, watch, computed } from "vue"
+import { ref, watch, computed, inject } from "vue"
 import { getSubjects, getTitleName, sortSuggestionMappings, suggestionsToPica, getMappingsForSubjects, getConceptData } from "@/utils.js"
 
 import * as jskos from "jskos-tools"
@@ -13,8 +13,11 @@ const initPromise = useInit()
 
 import { useLogin } from "@/composables/login.js"
 const { loginConfigured } = useLogin()
+const { loggedIn, user } = inject("login-refs")
 
-import { version, name, showWhenExistsKey, examples } from "@/config.js"
+import { version, name, showWhenExistsKey, examples, allowedUsers } from "@/config.js"
+
+const hasBackendAccess = computed(() => allowedUsers.includes(user.value?.uri))
 
 const ppninput = ref("")
 
@@ -239,8 +242,31 @@ function submitEnrichments() {
             ⬅ zurück zur coli-conc Webseite
           </a>
         </li>
-        <li v-if="loginConfigured">
-          <user-status />
+        <li 
+          v-if="loginConfigured"
+          style="position: relative;">
+          <user-status>
+            <template
+              v-if="loggedIn"
+              #after>
+              <hr>
+              <p 
+                v-if="hasBackendAccess"
+                style="color: green;">
+                Schreibberechtigung ist vorhanden.
+              </p>
+              <p
+                v-else
+                style="color: red;">
+                Keine Schreibberechtigung.
+              </p>
+            </template>
+          </user-status>
+          <div 
+            v-if="!hasBackendAccess"
+            style="position: absolute; top: 0; right: 5px; z-index: 10000; color: red;">
+            ●
+          </div>
         </li>
       </ul>
       <div style="clear:both" />
@@ -426,13 +452,16 @@ function submitEnrichments() {
         <template v-if="state.ppn && state.loadingPhase > 4 && selectedSuggestionsPica">
           <h2>Ausgewählte Anreicherungen in PICA</h2>
           <pre style="font-weight: 400; font-size: 14px; overflow-x: scroll;"><code>{{ selectedSuggestionsPica }}</code></pre>
-          <p>
+          <p v-if="hasBackendAccess">
             <button 
               class="button"
               @click="submitEnrichments">
               Auswahl in Datenbank eintragen
             </button>
           </p>
+          <p v-else>
+            Keine Berechtigung zur Eintragung vorhanden.
+          </p>
         </template>
       </div>
     </main>

diff --git a/src/client/config.js b/src/client/config.js
@@ -37,3 +37,5 @@ export const concordanceRegistry = cdk.initializeRegistry({
 const loginServer = import.meta.env.VITE_LOGIN_SERVER || null
 export const loginServerUrl = loginServer && loginServer.replace(/https?:\/\//, "")
 export const loginServerSsl = loginServer && loginServer.startsWith("https://")
+
+export const allowedUsers = (import.meta.env.VITE_ALLOWED_USERS || "").split(",").filter(Boolean).map(uri => uri.trim())
diff --git a/src/config.js b/src/config.js
@@ -21,6 +21,7 @@ export default {
   base: env.BASE || "/",
   port: parseInt(env.PORT) || 3454,
   login,
+  allowedUsers: (env.VITE_ALLOWED_USERS || "").split(",").filter(Boolean).map(uri => uri.trim()),
   // methods
   log,
   warn: logger("warn"),

diff --git a/src/server/auth.js b/src/server/auth.js
@@ -82,8 +82,12 @@ const auth = [
   }, 
   authPreparation, 
   (req, res, next) => {
-    // TODO: Check if user is authorized (by URI or provider)
-    next()
+    // TODO: Add provider check as alternative as soon as CBS login provider is configured in Login Server.
+    if (!config.allowedUsers.includes(req.user?.uri)) {
+      next(new ForbiddenAccessError("Access forbidden. User is not on the allowed list."))
+    } else {
+      next()
+    }
   },
 ]