Add Rudimentary Stats Endpoint Protection

Author: consindo

.travis.yml

@@ -28,7 +28,7 @@ before_script:
   - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
   - chmod +x ./cc-test-reporter
   - './cc-test-reporter before-build'
-  - psql -c 'create database nitro_travis;' -U postgres
+  - psql -c 'create database nitrotest;' -U postgres
   - npm run migrate
 after_script:
   - './cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT'

config/config.js

@@ -6,26 +6,33 @@ const config = {
   // dist: path.resolve(__dirname, '../../nitro/dist'),
 
   development: {
-    url: process.env.DATABASE_URL || 'postgres://nitro:secret@localhost:5432/nitro',
+    url:
+      process.env.DATABASE_URL ||
+      'postgres://nitro:secret@localhost:5432/nitro',
     dialect: 'postgres'
   },
   production: {
-    url: process.env.DATABASE_URL || 'postgres://nitro:secret@localhost:5432/nitro',
+    url:
+      process.env.DATABASE_URL ||
+      'postgres://nitro:secret@localhost:5432/nitro',
     dialect: 'postgres'
   },
   test: {
-    url: process.env.DATABASE_URL_TEST || 'postgres://nitro:secret@localhost:5432/nitrotest',
+    url:
+      process.env.DATABASE_URL_TEST ||
+      'postgres://postgres:@127.0.0.1/nitrotest',
     dialect: 'postgres'
   },
   travis: {
-    url: 'postgres://postgres:@127.0.0.1/nitro_travis',
+    url: 'postgres://postgres:@127.0.0.1/nitrotest',
     dialect: 'postgres'
   },
 
   jwtstrategy: process.env.JWT_Strategy || 'bearer',
   jwtaudience: process.env.JWT_Audience || 'https://uat.nitrotasks.com/a/',
   jwtissuer: process.env.JWT_Issuer || 'https://dymajo.au.auth0.com/',
-  jwksuri: process.env.JWKS_Uri || 'https://dymajo.au.auth0.com/.well-known/jwks.json',
+  jwksuri:
+    process.env.JWKS_Uri || 'https://dymajo.au.auth0.com/.well-known/jwks.json',
   jwtsecret: process.env.JWT_Secret || 'secret'
 }
-module.exports = config
+module.exports = config

lib/controllers/stats.js

@@ -9,8 +9,20 @@ const ArchivedTask = require('../models/archivedtask')
 const Meta = require('../models/meta')
 const auth = passport.authenticate('bearer', { session: false })
 
-// TODO: need to lock this down to admin users only - verify scopes
 stats.get('/', auth, async (req, res) => {
+  // TODO: need to change to verify scopes
+  const user = await User.findOne({
+    where: {
+      id: req.user
+    }
+  })
+  if (
+    process.env.NODE_ENV !== 'test' &&
+    process.env.NODE_ENV !== 'travis' &&
+    user.loginType.indexOf('@clients') === -1
+  ) {
+    return res.status(401).send('Incorrect User Role')
+  }
   const userStats = User.findAll({
     attributes: [
       [sequelize.fn('COUNT', sequelize.col('username')), 'user_count']

package.json

@@ -7,7 +7,7 @@
     "start": "node app.js",
     "start-production": "if npm run check-postgres; then npm run start; fi",
     "check-postgres": "./wait-for-it.sh -h $DATABASE_HOST -p $DATABASE_PORT",
-    "test": "nyc mocha --exit",
+    "test": "nyc mocha --require test/mocha.env.js --exit",
     "sequelize": "sequelize",
     "migrate": "sequelize db:migrate",
     "migrate:test": "cross-env NODE_ENV=test sequelize db:migrate:undo:all && cross-env NODE_ENV=test sequelize db:migrate && npm run test",
@@ -26,11 +26,7 @@
     "node": "8.4.x"
   },
   "nyc": {
-    "reporter": [
-      "lcov",
-      "text",
-      "html"
-    ]
+    "reporter": ["lcov", "text", "html"]
   },
   "homepage": "http://nitrotasks.com",
   "dependencies": {

test/mocha.env.js

@@ -0,0 +1 @@
+process.env.NODE_ENV = 'test'