Decouple local access manager from proxy 🚧

Author: MiroDojkic

server/app.js

@@ -8,7 +8,7 @@ const helmet = require('helmet');
 const origin = require('./shared/origin');
 const path = require('path');
 const storage = require('./repository/storage');
-const storageProxy = require('./repository/proxy');
+const storageProxy = require('./shared/storage/proxy');
 // eslint-disable-next-line require-sort/require-sort
 require('express-async-errors');
 

server/repository/index.js

@@ -8,11 +8,11 @@ const feed = require('./feed');
 const multer = require('multer');
 const path = require('path');
 const processQuery = require('../shared/util/processListQuery');
-const proxy = require('./proxy');
+const proxyAccessManager = require('./proxy');
 const { Repository } = require('../shared/database');
 const router = require('express').Router();
 const storage = require('./storage');
-const { setSignedCookies } = require('../shared/storage/proxy/mw')(storage, proxy);
+const { setSignedCookies } = require('../shared/storage/proxy/mw')(storage, proxyAccessManager);
 
 /* eslint-disable require-sort/require-sort */
 const activity = require('../activity');

server/repository/proxy.js

@@ -1,14 +1,13 @@
 'use strict';
 
-const BaseProxy = require('../shared/storage/proxy');
-const { proxy: config } = require('../../config/server').storage;
 const path = require('path');
+const proxy = require('../shared/storage/proxy');
 
 const storageCookies = {
   REPOSITORY: 'Storage-Repository'
 };
 
-class Proxy extends BaseProxy {
+class RepositoryProxyAccessManager extends proxy.AccessManager {
   getSignedCookies(repositoryId, maxAge) {
     const resource = path.join('repository', `${repositoryId}`);
     return {
@@ -31,4 +30,4 @@ class Proxy extends BaseProxy {
   }
 }
 
-module.exports = new Proxy(config);
+module.exports = new RepositoryProxyAccessManager(proxy.config);

server/shared/content-plugins/elementRegistry.js

@@ -8,7 +8,7 @@ const elementsList = require('../../../config/shared/core-elements');
 const hooks = require('./elementHooks');
 const pick = require('lodash/pick');
 const storage = require('../../repository/storage');
-const storageProxy = require('../../repository/proxy');
+const storageProxy = require('../../shared/storage/proxy');
 const toCase = require('to-case');
 
 const EXTENSIONS_LIST = '../../../extensions/content-elements/index';

server/shared/storage/proxy/index.js

@@ -2,6 +2,7 @@
 
 const autobind = require('auto-bind');
 const path = require('path');
+const { proxy: config } = require('../../../../config/server').storage;
 
 class Proxy {
   constructor(config) {
@@ -22,32 +23,40 @@ class Proxy {
     return this.provider.isSelfHosted;
   }
 
+  get config() {
+    return this.provider.config;
+  }
+
   get path() {
     return this.isSelfHosted && this.provider.path;
   }
 
-  getSignedCookies(resource, maxAge) {
-    return this.provider.getSignedCookies(resource, maxAge);
+  get AccessManager() {
+    return this.provider.AccessManager;
+  }
+
+  getSignedCookies(resource, maxAge, accessManager) {
+    return this.provider.getSignedCookies(resource, maxAge, accessManager);
   }
 
-  verifyCookies(cookies, resource) {
-    return this.provider.verifyCookies(cookies, resource);
+  verifyCookies(cookies, resource, accessManager) {
+    return this.provider.verifyCookies(cookies, resource, accessManager);
   }
 
-  hasCookies(cookies) {
-    return this.provider.hasCookies(cookies);
+  hasCookies(cookies, ...params) {
+    return this.provider.hasCookies(cookies, ...params);
   }
 
   getFileUrl(key) {
     return this.provider.getFileUrl(key);
   }
 
-  getCookieNames() {
-    return this.provider.getCookieNames();
+  getCookieNames(accessManager) {
+    return this.provider.getCookieNames(accessManager);
   }
 }
 
-module.exports = Proxy;
+module.exports = new Proxy(config);
 
 function loadProvider(name) {
   try {

server/shared/storage/proxy/mw.js

@@ -3,12 +3,13 @@
 const { FORBIDDEN } = require('http-status-codes');
 const miss = require('mississippi');
 const path = require('path');
+const proxy = require('.');
 const router = require('express').Router();
 
-module.exports = (storage, proxy) => {
+module.exports = (storage, proxyAccessManager) => {
   function getFile(req, res, next) {
     const key = req.params[0];
-    const hasValidCookies = proxy.verifyCookies(req.cookies, key);
+    const hasValidCookies = proxy.verifyCookies(req.cookies, key, proxyAccessManager);
     if (!hasValidCookies) return res.status(FORBIDDEN).end();
     res.type(path.extname(key));
     miss.pipe(storage.createReadStream(key), res, err => {
@@ -19,9 +20,9 @@ module.exports = (storage, proxy) => {
 
   function setSignedCookies(req, res, next) {
     const repositoryId = req.repository.id;
-    if (proxy.hasCookies(req.cookies, repositoryId)) return next();
+    if (proxy.hasCookies(req.cookies, repositoryId, proxyAccessManager)) return next();
     const maxAge = 1000 * 60 * 60; // 1 hour in ms
-    const cookies = proxy.getSignedCookies(repositoryId, maxAge);
+    const cookies = proxy.getSignedCookies(repositoryId, maxAge, proxyAccessManager);
     Object.entries(cookies).forEach(([cookie, value]) => {
       res.cookie(cookie, value, { maxAge, httpOnly: true });
     });

server/shared/storage/proxy/providers/cloudfront/access-manager.js

@@ -2,36 +2,18 @@
 
 const every = require('lodash/every');
 const NodeRSA = require('node-rsa');
-const { origin } = require('../../../../../config/server');
-const urlJoin = require('url-join');
-const { validateConfig } = require('../../validation');
-const yup = require('yup');
 
-const PROXY_PATH = '/proxy';
 const storageCookies = {
   SIGNATURE: 'Storage-Signature',
   EXPIRES: 'Storage-Expires'
 };
 
-const schema = yup.object().shape({
-  privateKey: yup.string().pkcs1().required()
-});
-
-class Local {
+class LocalAccessManager {
   constructor(config) {
-    config = validateConfig(config, schema);
-
     this.signer = new NodeRSA(config.privateKey, 'private');
-    this.isSelfHosted = true;
-    this.path = PROXY_PATH;
-  }
-
-  static create(config) {
-    return new this(config);
   }
 
-  getSignedCookies(resource, maxAge) {
-    const expires = getExpirationTime(maxAge);
+  getSignedCookies(resource, expires) {
     const signature = this.signer.encrypt({ resource, expires }, 'base64');
     return {
       [storageCookies.SIGNATURE]: signature,
@@ -52,18 +34,9 @@ class Local {
     return every(storageCookies, cookie => cookies[cookie]);
   }
 
-  getFileUrl(key) {
-    return urlJoin(origin, this.path, key);
-  }
-
   getCookieNames() {
     return Object.values(storageCookies);
   }
 }
 
-module.exports = { create: Local.create.bind(Local) };
-
-function getExpirationTime(maxAge) {
-  // Expiration unix timestamp in ms
-  return new Date().getTime() + maxAge;
-}
+module.exports = LocalAccessManager;

server/shared/storage/proxy/providers/cloudfront.js renamed to server/shared/storage/proxy/providers/cloudfront/index.js

@@ -0,0 +1,60 @@
+'use strict';
+
+const AccessManager = require('./access-manager');
+const last = require('lodash/last');
+const { origin } = require('../../../../../../config/server');
+const urlJoin = require('url-join');
+const { validateConfig } = require('../../../validation');
+const yup = require('yup');
+
+const PROXY_PATH = '/proxy';
+
+const schema = yup.object().shape({
+  privateKey: yup.string().pkcs1().required()
+});
+
+class Local {
+  constructor(config) {
+    this.config = validateConfig(config, schema);
+    this.accessManager = new AccessManager(this.config);
+    this.isSelfHosted = true;
+    this.path = PROXY_PATH;
+  }
+
+  static create(config) {
+    return new this(config);
+  }
+
+  get AccessManager() {
+    return AccessManager;
+  }
+
+  getSignedCookies(resource, maxAge, accessManager = this.accessManager) {
+    const expires = getExpirationTime(maxAge);
+    return accessManager.getSignedCookies(resource, expires);
+  }
+
+  verifyCookies(cookies, key, accessManager = this.accessManager) {
+    return accessManager.verifyCookies(cookies, key);
+  }
+
+  hasCookies(cookies, ...params) {
+    const accessManager = last(params) || this.accessManager;
+    return accessManager.hasCookies(cookies, ...params);
+  }
+
+  getCookieNames(accessManager = this.accessManager) {
+    return accessManager.getCookieNames();
+  }
+
+  getFileUrl(key) {
+    return urlJoin(origin, this.path, key);
+  }
+}
+
+module.exports = { create: Local.create.bind(Local) };
+
+function getExpirationTime(maxAge) {
+  // Expiration unix timestamp in ms
+  return new Date().getTime() + maxAge;
+}