feat(api): show tokens only belongs to the user for non-super admin user

Signed-off-by: Pranav C <pranavxc@gmail.com>
2 years ago · 77230b96c2
2 changed files with 27 additions and 4 deletions
--- a/packages/nocodb/src/lib/meta/api/orgTokenApis.ts
+++ b/packages/nocodb/src/lib/meta/api/orgTokenApis.ts
@ -3,14 +3,20 @@ import { OrgUserRoles } from '../../../enums/OrgUserRoles';
 import ApiToken from '../../models/ApiToken';
 import { Tele } from '../../utils/Tele';
 import { metaApiMetrics } from '../helpers/apiMetrics';
+import { NcError } from '../helpers/catchError';
 import ncMetaAclMw from '../helpers/ncMetaAclMw';
 import { PagedResponseImpl } from '../helpers/PagedResponse';

 async function apiTokenList(req, res) {
+  let fk_user_id = req.user.id;
+  if (req.user.roles.includes(OrgUserRoles.SUPER)) {
+    fk_user_id = undefined;
+  }
  res.json(
    new PagedResponseImpl(await ApiToken.listWithCreatedBy(req.query), {
      ...req.query,
      count: await ApiToken.count(),
+      fk_user_id,
    })
  );
 }
@ -21,6 +27,14 @@ export async function apiTokenCreate(req: Request, res: Response) {
 }

 export async function apiTokenDelete(req: Request, res: Response) {
+  const fk_user_id = req['user'].id;
+  const apiToken = await ApiToken.getByToken(req.params.apiTokenId);
+  if (
+    !req['user'].roles.includes(OrgUserRoles.SUPER) &&
+    apiToken.fk_user_id !== fk_user_id
+  ) {
+    NcError.notFound('Token not found');
+  }
  Tele.emit('evt', { evt_type: 'org:apiToken:deleted' });
  res.json(await ApiToken.delete(req.params.token));
 }
@ -31,7 +45,7 @@ router.get(
  '/api/v1/tokens',
  metaApiMetrics,
  ncMetaAclMw(apiTokenList, 'apiTokenList', {
-    allowedRoles: [OrgUserRoles.SUPER],
+    // allowedRoles: [OrgUserRoles.SUPER],
    blockApiTokenAccess: true,
  })
 );
@ -39,7 +53,7 @@ router.post(
  '/api/v1/tokens',
  metaApiMetrics,
  ncMetaAclMw(apiTokenCreate, 'apiTokenCreate', {
-    allowedRoles: [OrgUserRoles.SUPER],
+    // allowedRoles: [OrgUserRoles.SUPER],
    blockApiTokenAccess: true,
  })
 );
@ -47,7 +61,7 @@ router.delete(
  '/api/v1/tokens/:token',
  metaApiMetrics,
  ncMetaAclMw(apiTokenDelete, 'apiTokenDelete', {
-    allowedRoles: [OrgUserRoles.SUPER],
+    // allowedRoles: [OrgUserRoles.SUPER],
    blockApiTokenAccess: true,
  })
 );
--- a/packages/nocodb/src/lib/models/ApiToken.ts
+++ b/packages/nocodb/src/lib/models/ApiToken.ts
@ -78,7 +78,11 @@ export default class ApiToken {
  }

  public static async listWithCreatedBy(
-    { limit = 10, offset = 0 }: { limit: number; offset: number },
+    {
+      limit = 10,
+      offset = 0,
+      fk_user_id,
+    }: { limit: number; offset: number; fk_user_id?: string },
    ncMeta = Noco.ncMeta
  ) {
    const queryBuilder = ncMeta
@ -103,6 +107,11 @@ export default class ApiToken {
          )
          .as('created_by')
      );
+
+    if (fk_user_id) {
+      queryBuilder.where('fk_user_id', fk_user_id);
+    }
+
    return queryBuilder;
  }
 }