authz: don't treat unauthenticated routes any different

srenatus · srenatus · commit addc6cd6f805 · 2024-07-03T09:51:42.000+02:00
Signed-off-by: Stephan Renatus &lt;stephan@styra.com&gt;
diff --git a/policies/cats.rego b/policies/cats.rego
@@ -1,13 +1,15 @@
 package cats
+
 import rego.v1
 
-roles := {
-  "maria": "admin",
-}
+roles := {"maria": "admin"}
 
 default allow := false
-allow := allowed(input.user, input.action, input.resource)
 
-allowed(user, _, _) if user, "admin" in roles
-allowed(_, "get", _)
-allowed(_, "list", _)
+allow := allowed(input.user, input.action, input.resource, roles)
+
+allowed(user, _, _, roles) if user, "admin" in roles
+
+allowed(_, "get", _, _)
+
+allowed(_, "list", _, _)
diff --git a/policies/hello.rego b/policies/hello.rego
@@ -0,0 +1,5 @@
+package hello
+
+import rego.v1
+
+default allow := true
diff --git a/policies/login.rego b/policies/login.rego
@@ -0,0 +1,5 @@
+package login
+
+import rego.v1
+
+default allow := true
diff --git a/policies/profile.rego b/policies/profile.rego
@@ -1,4 +1,5 @@
 package profile
+
 import rego.v1
 
 default allow := true
diff --git a/src/app.controller.ts b/src/app.controller.ts
@@ -11,6 +11,7 @@ export class AppController {
   @UseGuards(LocalAuthGuard)
   @Unauthenticated() // So global JWT guard doesn't prohibit logins
   @Post('auth/login')
+  @AuthzQuery('login/allow')
   async login(@Request() req) {
     return this.authService.login(req.user);
   }
@@ -24,6 +25,7 @@ export class AppController {
 
   @Get('hello')
   @Unauthenticated()
+  @AuthzQuery('hello/allow')
   getInfo() {
     return { hello: 'world' };
   }
diff --git a/src/authz/authz.guard.ts b/src/authz/authz.guard.ts
@@ -2,7 +2,6 @@ import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 import { Reflector } from '@nestjs/core';
 
-import { IS_UNAUTHENTICATED_KEY } from '../authn/decorators/public';
 import { AuthzService } from './authz.service';
 import {
   AUTHZ_EXTRA,
@@ -17,7 +16,7 @@ class InputPayload implements ToInput {
   constructor(extra: ((_: Request) => Record<string, any>)[], req: Request) {
     this.input = extra.reduce(
       (acc, add) => (add ? { ...acc, ...add(req) } : acc),
-      { user: req.user.username },
+      { user: req.user?.username },
     );
   }
 
@@ -35,14 +34,6 @@ export class AuthzGuard implements CanActivate {
   ) {}
 
   async canActivate(context: ExecutionContext) {
-    const isUnauthenticated = this.reflector.getAllAndOverride<boolean>(
-      IS_UNAUTHENTICATED_KEY,
-      [context.getHandler(), context.getClass()],
-    );
-    if (isUnauthenticated) {
-      return true;
-    }
-
     const request = context.switchToHttp().getRequest();
     const inp = new InputPayload(
       this.reflector.getAll<((_: Request) => Record<string, any>)[]>(

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ export class AppController {`
`11`	`11`	`@UseGuards(LocalAuthGuard)`
`12`	`12`	`@Unauthenticated() // So global JWT guard doesn't prohibit logins`
`13`	`13`	`@Post('auth/login')`
	`14`	`+ @AuthzQuery('login/allow')`
`14`	`15`	`async login(@Request() req) {`
`15`	`16`	`return this.authService.login(req.user);`
`16`	`17`	`}`
`@@ -24,6 +25,7 @@ export class AppController {`
`24`	`25`
`25`	`26`	`@Get('hello')`
`26`	`27`	`@Unauthenticated()`
	`28`	`+ @AuthzQuery('hello/allow')`
`27`	`29`	`getInfo() {`
`28`	`30`	`return { hello: 'world' };`
`29`	`31`	`}`