diff --git a/src/routes/accesscontrol.js b/src/routes/accesscontrol.js index 6fa98addc..3a174da32 100644 --- a/src/routes/accesscontrol.js +++ b/src/routes/accesscontrol.js @@ -6,7 +6,6 @@ exports = module.exports = { authorize, authorizeOperator, - websocketAuth }; const accesscontrol = require('../accesscontrol.js'), @@ -92,22 +91,6 @@ function authorize(requiredRole) { }; } -async function websocketAuth(requiredRole, req, res, next) { - assert.strictEqual(typeof requiredRole, 'string'); - - if (typeof req.query.access_token !== 'string') return next(new HttpError(401, 'access_token must be a string')); - - const [error, user] = await safe(accesscontrol.verifyToken(req.query.access_token)); - if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, error.message)); - if (error) return next(new HttpError(500, error.message)); - - req.user = user; - - if (users.compareRoles(req.user.role, requiredRole) < 0) return next(new HttpError(403, `role '${requiredRole}' is required but user has only '${user.role}'`)); - - next(); -} - async function authorizeOperator(req, res, next) { assert.strictEqual(typeof req.params.id, 'string'); assert.strictEqual(typeof req.user, 'object'); diff --git a/src/server.js b/src/server.js index 18c1df117..bc3c5b082 100644 --- a/src/server.js +++ b/src/server.js @@ -239,7 +239,7 @@ function initializeExpressSync() { router.get ('/api/v1/apps/:id/exec', token, routes.apps.load, authorizeOperator, routes.apps.exec); // websocket cannot do bearer authentication - router.get ('/api/v1/apps/:id/execws', routes.accesscontrol.websocketAuth.bind(null, users.ROLE_ADMIN), routes.apps.load, routes.apps.execWebSocket); + router.get ('/api/v1/apps/:id/execws', token, routes.apps.load, routes.accesscontrol.authorizeOperator, routes.apps.execWebSocket); // branding routes router.get ('/api/v1/branding/:setting', token, authorizeOwner, routes.branding.get);
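Review bot: The comment `// websocket cannot do bearer authentication` left directly above the changed `execws` route in server.js now contradicts the code, which puts the same `token` middleware in front of the websocket that the `/exec` route on the previous line uses. Either drop the comment or say how the credential actually reaches this handler, e.g. `// browser WebSocket clients cannot set an Authorization header; token middleware must accept the token another way (confirm)`, because if `token` reads only the bearer header, browser clients can no longer authenticate here, and if it also accepts a query-string token, the exposure of tokens in request logs that the removed `websocketAuth` had is still present. The authorization also moves from a fixed `users.ROLE_ADMIN` check to `authorizeOperator`, whose body begins in the accesscontrol.js hunk but continues outside it, so whether this widens or narrows who may open an exec websocket is not visible from the diff and deserves a sentence in the commit message. Minor: the `/exec` line above references the same middleware as a bare `authorizeOperator`, so `routes.accesscontrol.authorizeOperator` on the new line should be written the same way for consistency.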