NORY-59: add protection to identity actions

dashboard/src/lib/action/identity.ts

@@ -12,6 +12,8 @@ import {
 import { getDB } from '@/db';
 import { identities, identity_recovery_addresses, identity_verifiable_addresses } from '@/db/schema';
 import { eq, ilike, or, sql } from 'drizzle-orm';
+import { checkPermission, requireSession } from '@/lib/action/authentication';
+import { permission, relation } from '@/lib/permission';
 
 interface QueryIdentitiesProps {
     page: number,
@@ -21,6 +23,12 @@ interface QueryIdentitiesProps {
 
 export async function queryIdentities({ page, pageSize, query }: QueryIdentitiesProps) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.it, relation.access, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     if (page < 1 || pageSize < 1) {
         return {
             data: [],
@@ -81,6 +89,12 @@ interface UpdatedIdentityProps {
 
 export async function updateIdentity({ id, body }: UpdatedIdentityProps) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.it, relation.edit, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.updateIdentity({
         id: id,
@@ -101,6 +115,12 @@ interface DeleteIdentityCredentialProps {
 
 export async function deleteIdentityCredential({ id, type }: DeleteIdentityCredentialProps) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.credential, relation.delete, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.deleteIdentityCredentials({ id, type });
 
@@ -113,6 +133,12 @@ export async function deleteIdentityCredential({ id, type }: DeleteIdentityCrede
 
 export async function deleteIdentitySessions(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.session, relation.delete, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.deleteIdentitySessions({ id });
 
@@ -125,6 +151,12 @@ export async function deleteIdentitySessions(id: string) {
 
 export async function createRecoveryCode(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.code, relation.create, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.createRecoveryCodeForIdentity({
         createRecoveryCodeForIdentityBody: {
@@ -139,6 +171,12 @@ export async function createRecoveryCode(id: string) {
 
 export async function createRecoveryLink(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.link, relation.create, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.createRecoveryLinkForIdentity({
         createRecoveryLinkForIdentityBody: {
@@ -153,6 +191,12 @@ export async function createRecoveryLink(id: string) {
 
 export async function blockIdentity(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.state, relation.edit, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.patchIdentity({
         id,
@@ -172,6 +216,12 @@ export async function blockIdentity(id: string) {
 
 export async function unblockIdentity(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.state, relation.edit, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.patchIdentity({
         id,
@@ -191,6 +241,12 @@ export async function unblockIdentity(id: string) {
 
 export async function deleteIdentity(id: string) {
 
+    const session = await requireSession();
+    const allowed = await checkPermission(permission.user.credential, relation.delete, session.identity!.id);
+    if (!allowed) {
+        throw Error('Unauthorised');
+    }
+
     const identityApi = await getIdentityApi();
     const { data } = await identityApi.deleteIdentity({ id });
 

dashboard/src/lib/permission.ts

@@ -5,6 +5,9 @@ export const permission = {
     },
     user: {
         it: 'admin.user',
+        code: 'admin.user.code',
+        credential: 'admin.user.credential',
+        link: 'admin.user.link',
         session: 'admin.user.session',
         state: 'admin.user.state',
     },
@@ -12,6 +15,7 @@ export const permission = {
 
 export const relation = {
     access: 'access',
+    create: 'create',
     edit: 'edit',
     delete: 'delete',
 };