address comments

packages/api/src/controllers/session.ts

@@ -1,7 +1,7 @@
 import { Router, Request } from "express";
 import sql from "sql-template-strings";
 
-import { authorizer } from "../middleware";
+import { authorizer, hasAccessToResource } from "../middleware";
 import { User, Project } from "../schema/types";
 import { db } from "../store";
 import { DBSession } from "../store/session-table";
@@ -151,9 +151,7 @@ app.get("/:id", authorizer({}), async (req, res) => {
   let session = await db.session.get(req.params.id);
   if (
     !session ||
-    ((session.userId !== req.user.id ||
-      (session.projectId ?? "") !== (req.project?.id ?? "") ||
-      session.deleted) &&
+    (hasAccessToResource(req, session) &&
       !req.user.admin &&
       !LVPR_SDK_EMAILS.includes(req.user.email))
   ) {

packages/api/src/controllers/signing-key.test.ts

@@ -99,9 +99,7 @@ describe("controllers/signing-key", () => {
     });
 
     it("should list all user signing keys", async () => {
-      const res = await client.get(
-        `/access-control/signing-key?projectId=${projectId}`
-      );
+      const res = await client.get(`/access-control/signing-key`);
       expect(res.status).toBe(200);
     });
 

packages/api/src/controllers/stream.ts

@@ -187,7 +187,7 @@ async function validateMultistreamOpts(
 
 async function validateStreamPlaybackPolicy(
   playbackPolicy: DBStream["playbackPolicy"],
-  userId: string
+  req: Request
 ) {
   if (
     playbackPolicy?.type === "lit_signing_condition" ||
@@ -205,7 +205,7 @@ async function validateStreamPlaybackPolicy(
         `webhook ${playbackPolicy.webhookId} not found`
       );
     }
-    if (webhook.userId !== userId) {
+    if (!hasAccessToResource(req, webhook)) {
       throw new BadRequestError(
         `webhook ${playbackPolicy.webhookId} not found`
       );
@@ -698,6 +698,8 @@ app.get("/user/:userId", authorizer({}), async (req, res) => {
   const { userId } = req.params;
   let { limit, cursor, streamsonly, sessionsonly } = toStringValues(req.query);
 
+  let projectId = req.token?.projectId;
+
   if (req.user.admin !== true && req.user.id !== req.params.userId) {
     res.status(403);
     return res.json({
@@ -707,6 +709,7 @@ app.get("/user/:userId", authorizer({}), async (req, res) => {
   const query = [
     sql`data->>'deleted' IS NULL`,
     sql`data->>'userId' = ${userId}`,
+    sql`coalesce(data->>'projectId', '') = ${projectId || ""}`,
   ];
   if (streamsonly) {
     query.push(sql`data->>'parentId' IS NULL`);
@@ -1331,7 +1334,7 @@ async function handleCreateStream(req: Request) {
   };
   doc = wowzaHydrate(doc);
 
-  await validateStreamPlaybackPolicy(doc.playbackPolicy, req.user.id);
+  await validateStreamPlaybackPolicy(doc.playbackPolicy, req);
 
   doc.profiles = hackMistSettings(req, doc.profiles);
   doc.multistream = await validateMultistreamOpts(
@@ -1687,13 +1690,7 @@ app.post(
       return res.json({ errors: ["stream not found"] });
     }
 
-    if (
-      stream.userId !== req.user.id ||
-      (stream.projectId ?? "") !== (req.project?.id ?? "")
-    ) {
-      res.status(404);
-      return res.json({ errors: ["stream not found"] });
-    }
+    req.checkResourceAccess(stream);
 
     const newTarget = await validateMultistreamTarget(
       req.user.id,
@@ -1729,18 +1726,7 @@ app.delete("/:id/multistream/:targetId", authorizer({}), async (req, res) => {
 
   const stream = await db.stream.get(id);
 
-  if (!stream || stream.deleted) {
-    res.status(404);
-    return res.json({ errors: ["stream not found"] });
-  }
-
-  if (
-    stream.userId !== req.user.id ||
-    (stream.projectId ?? "") !== (req.project?.id ?? "")
-  ) {
-    res.status(404);
-    return res.json({ errors: ["stream not found"] });
-  }
+  req.checkResourceAccess(stream);
 
   let multistream: DBStream["multistream"] = stream.multistream ?? {
     targets: [],
@@ -1776,7 +1762,7 @@ app.patch(
     const stream = await db.stream.get(id);
 
     const exists = stream && !stream.deleted;
-    const hasAccess = hasAccessToResource(req, stream, true);
+    const hasAccess = hasAccessToResource(req, stream);
     if (!exists || !hasAccess) {
       res.status(404);
       return res.json({ errors: ["not found"] });
@@ -1825,7 +1811,7 @@ app.patch(
     }
 
     if (playbackPolicy) {
-      await validateStreamPlaybackPolicy(playbackPolicy, req.user.id);
+      await validateStreamPlaybackPolicy(playbackPolicy, req);
 
       patch = { ...patch, playbackPolicy };
     }
@@ -1856,14 +1842,7 @@ app.patch(
 app.patch("/:id/record", authorizer({}), async (req, res) => {
   const { id } = req.params;
   const stream = await db.stream.get(id);
-  if (
-    !stream ||
-    stream.deleted ||
-    (stream.projectId ?? "") !== (req.project?.id ?? "")
-  ) {
-    res.status(404);
-    return res.json({ errors: ["not found"] });
-  }
+  req.checkResourceAccess(stream);
   if (stream.parentId) {
     res.status(400);
     return res.json({ errors: ["can't set for session"] });
@@ -1916,8 +1895,7 @@ app.delete("/", authorizer({}), async (req, res) => {
     const streams = await db.stream.getMany(ids);
     if (
       streams.length !== ids.length ||
-      streams.some((s) => s.userId !== req.user.id) ||
-      streams.some((s) => s.projectId !== req.project.id)
+      streams.some((s) => !hasAccessToResource(req, s))
     ) {
       res.status(404);
       return res.json({ errors: ["not found"] });

packages/api/src/controllers/webhook.ts

@@ -1,5 +1,5 @@
 import { URL } from "url";
-import { authorizer } from "../middleware";
+import { authorizer, hasAccessToResource } from "../middleware";
 import { validatePost } from "../middleware";
 import Router from "express/lib/router";
 import logger from "../logger";
@@ -267,8 +267,7 @@ app.delete("/", authorizer({}), async (req, res) => {
     const webhooks = await db.webhook.getMany(ids);
     if (
       webhooks.length !== ids.length ||
-      webhooks.some((s) => s.deleted || s.userId !== req.user.id) ||
-      webhooks.some((s) => (s.projectId ?? "") !== (req.project?.id ?? ""))
+      webhooks.some((s) => !hasAccessToResource(req, s))
     ) {
       res.status(404);
       return res.json({ errors: ["not found"] });