feat: token permissions

feat: handle sensitive data feat: handle read-only data
2024-07-02 12:15:58 +02:00
parent 1249b1ece9
commit c39d6dd407
28 changed files with 328 additions and 201 deletions
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -21,6 +21,27 @@ use Visus\Cuid2\Cuid2;

 class ApplicationsController extends Controller
 {
+    private function removeSensitiveData($application)
+    {
+        $token = auth()->user()->currentAccessToken();
+        if ($token->can('view:sensitive')) {
+            return serializeApiResponse($application);
+        }
+        $application->makeHidden([
+            'custom_labels',
+            'dockerfile',
+            'docker_compose',
+            'docker_compose_raw',
+            'manual_webhook_secret_bitbucket',
+            'manual_webhook_secret_gitea',
+            'manual_webhook_secret_github',
+            'manual_webhook_secret_gitlab',
+            'private_key_id',
+        ]);
+
+        return serializeApiResponse($application);
+    }
+
    public function applications(Request $request)
    {
        $teamId = getTeamIdFromToken();
@@ -32,7 +53,7 @@ class ApplicationsController extends Controller
        $applications->push($projects->pluck('applications')->flatten());
        $applications = $applications->flatten();
        $applications = $applications->map(function ($application) {
-            return serializeApiResponse($application);
+            return $this->removeSensitiveData($application);
        });

        return response()->json([
@@ -484,10 +505,6 @@ class ApplicationsController extends Controller
        if (! $uuid) {
            return response()->json(['success' => false, 'message' => 'UUID is required.'], 400);
        }
-        $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
-            return $return;
-        }
        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->uuid)->first();
        if (! $application) {
            return response()->json(['success' => false, 'message' => 'Application not found.'], 404);
@@ -495,7 +512,7 @@ class ApplicationsController extends Controller

        return response()->json([
            'success' => true,
-            'data' => serializeApiResponse($application),
+            'data' => $this->removeSensitiveData($application),
        ]);
    }

@@ -625,7 +642,7 @@ class ApplicationsController extends Controller

        return response()->json([
            'success' => true,
-            'data' => serializeApiResponse($application),
+            'data' => $this->removeSensitiveData($application),
        ]);
    }

@@ -635,10 +652,6 @@ class ApplicationsController extends Controller
        if (is_null($teamId)) {
            return invalidTokenResponse();
        }
-        $return = validateIncomingRequest($request);
-        if ($return instanceof \Illuminate\Http\JsonResponse) {
-            return $return;
-        }
        $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->uuid)->first();

        if (! $application) {
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -20,6 +20,27 @@ use Illuminate\Validation\Rule;

 class DatabasesController extends Controller
 {
+    private function removeSensitiveData($database)
+    {
+        $token = auth()->user()->currentAccessToken();
+        if ($token->can('view:sensitive')) {
+            return serializeApiResponse($database);
+        }
+
+        $database->makeHidden([
+            'internal_db_url',
+            'external_db_url',
+            'postgres_password',
+            'dragonfly_password',
+            'redis_password',
+            'mongo_initdb_root_password',
+            'keydb_password',
+            'clickhouse_admin_password',
+        ]);
+
+        return serializeApiResponse($database);
+    }
+
    public function databases(Request $request)
    {
        $teamId = getTeamIdFromToken();
@@ -32,7 +53,7 @@ class DatabasesController extends Controller
            $databases = $databases->merge($project->databases());
        }
        $databases = $databases->map(function ($database) {
-            return serializeApiResponse($database);
+            return $this->removeSensitiveData($database);
        });

        return response()->json([
@@ -57,7 +78,7 @@ class DatabasesController extends Controller

        return response()->json([
            'success' => true,
-            'data' => serializeApiResponse($database),
+            'data' => $this->removeSensitiveData($database),
        ]);
    }

--- a/app/Http/Controllers/Api/DeployController.php
+++ b/app/Http/Controllers/Api/DeployController.php
@@ -20,6 +20,20 @@ use Visus\Cuid2\Cuid2;

 class DeployController extends Controller
 {
+    private function removeSensitiveData($deployment)
+    {
+        $token = auth()->user()->currentAccessToken();
+        if ($token->can('view:sensitive')) {
+            return serializeApiResponse($deployment);
+        }
+
+        $deployment->makeHidden([
+            'logs',
+        ]);
+
+        return serializeApiResponse($deployment);
+    }
+
    public function deployments(Request $request)
    {
        $teamId = getTeamIdFromToken();
@@ -61,7 +75,7 @@ class DeployController extends Controller

        return response()->json([
            'success' => true,
-            'data' => serializeApiResponse($deployment->makeHidden('logs')),
+            'data' => $this->removeSensitiveData($deployment),
        ]);
    }

--- a/app/Http/Controllers/Api/TeamController.php
+++ b/app/Http/Controllers/Api/TeamController.php
@@ -7,17 +7,36 @@ use Illuminate\Http\Request;

 class TeamController extends Controller
 {
+    private function removeSensitiveData($team)
+    {
+        $token = auth()->user()->currentAccessToken();
+        if ($token->can('view:sensitive')) {
+            return serializeApiResponse($team);
+        }
+        $team->makeHidden([
+            'smtp_username',
+            'smtp_password',
+            'resend_api_key',
+            'telegram_token',
+        ]);
+
+        return serializeApiResponse($team);
+    }
+
    public function teams(Request $request)
    {
        $teamId = getTeamIdFromToken();
        if (is_null($teamId)) {
            return invalidTokenResponse();
        }
-        $teams = auth()->user()->teams;
+        $teams = auth()->user()->teams->sortBy('id');
+        $teams = $teams->map(function ($team) {
+            return $this->removeSensitiveData($team);
+        });

        return response()->json([
            'success' => true,
-            'data' => serializeApiResponse($teams),
+            'data' => $teams,
        ]);
    }

@@ -33,6 +52,7 @@ class TeamController extends Controller
        if (is_null($team)) {
            return response()->json(['success' => false, 'message' => 'Team not found.',  'docs' => 'https://coolify.io/docs/api-reference/get-team-by-teamid'], 404);
        }
+        $team = $this->removeSensitiveData($team);

        return response()->json([
            'success' => true,
@@ -52,10 +72,11 @@ class TeamController extends Controller
        if (is_null($team)) {
            return response()->json(['success' => false, 'message' => 'Team not found.', 'docs' => 'https://coolify.io/docs/api-reference/get-team-by-teamid-members'], 404);
        }
+        $members = $team->members;

        return response()->json([
            'success' => true,
-            'data' => serializeApiResponse($team->members),
+            'data' => serializeApiResponse($members),
        ]);
    }