feat(api): relocate authorizations outside of JWT (#3079)

* feat(api): relocate authorizations outside of JWT * fix(api): update user authorization after enabling the RBAC extension * feat(api): add PortainerEndpointList operation in the default portainer authorizations * feat(auth): retrieve authorization from API instead of JWT * refactor(auth): move permissions retrieval to function * refactor(api): document authorizations methods
2025-08-08 07:15:23 +02:00 · 2019-09-10 10:58:26 +12:00 · 2019-09-10 10:58:26 +12:00 · 7d76bc89e7
commit 7d76bc89e7
parent 7ebb3e62dd
29 changed files with 472 additions and 303 deletions
--- a/app/portainer/models/user.js
+++ b/app/portainer/models/user.js
@ -2,6 +2,8 @@ export function UserViewModel(data) {
  this.Id = data.Id;
  this.Username = data.Username;
  this.Role = data.Role;
+  this.EndpointAuthorizations = data.EndpointAuthorizations;
+  this.PortainerAuthorizations = data.PortainerAuthorizations;
  if (data.Role === 1) {
    this.RoleName = 'administrator';
  } else {
--- a/app/portainer/services/authentication.js
+++ b/app/portainer/services/authentication.js
@ -1,7 +1,7 @@
 angular.module('portainer.app')
 .factory('Authentication', [
-'Auth', 'OAuth', 'jwtHelper', 'LocalStorage', 'StateManager', 'EndpointProvider',
-function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
+'Auth', 'OAuth', 'jwtHelper', 'LocalStorage', 'StateManager', 'EndpointProvider', 'UserService',
+function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider, UserService) {
  'use strict';

  var service = {};
@ -15,6 +15,7 @@ function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManage
  service.getUserDetails = getUserDetails;
  service.isAdmin = isAdmin;
  service.hasAuthorizations = hasAuthorizations;
+  service.retrievePermissions = retrievePermissions;

  function init() {
    var jwt = LocalStorage.getJWT();
@ -53,14 +54,20 @@ function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManage
    return user;
  }

+  function retrievePermissions() {
+    return UserService.user(user.ID)
+    .then((data) => {
+      user.endpointAuthorizations = data.EndpointAuthorizations;
+      user.portainerAuthorizations = data.PortainerAuthorizations;
+    });
+  }
+
  function setUser(jwt) {
    LocalStorage.storeJWT(jwt);
    var tokenPayload = jwtHelper.decodeToken(jwt);
    user.username = tokenPayload.username;
    user.ID = tokenPayload.id;
    user.role = tokenPayload.role;
-    user.endpointAuthorizations = tokenPayload.endpointAuthorizations;
-    user.portainerAuthorizations = tokenPayload.portainerAuthorizations;
  }

  function isAdmin() {
--- a/app/portainer/views/auth/authController.js
+++ b/app/portainer/views/auth/authController.js
@ -29,12 +29,21 @@ function($async, $q, $scope, $state, $stateParams, $sanitize, Authentication, Us
    }
  }

+  function permissionsError() {
+    $scope.state.permissionsError = true;
+    Authentication.logout();
+    $scope.state.AuthenticationError = 'Unable to retrieve permissions.'
+    $scope.state.loginInProgress = false;
+    return Promise.reject();
+  }
+
  $scope.authenticateUser = function() {
    var username = $scope.formValues.Username;
    var password = $scope.formValues.Password;
    $scope.state.loginInProgress = true;

    Authentication.login(username, password)
+    .then(() => Authentication.retrievePermissions().catch(permissionsError))
    .then(function success() {
      return retrieveAndSaveEnabledExtensions();
    })
@ -42,6 +51,9 @@ function($async, $q, $scope, $state, $stateParams, $sanitize, Authentication, Us
      checkForEndpoints();
    })
    .catch(function error() {
+      if ($scope.state.permissionsError) {
+        return;
+      }
      SettingsService.publicSettings()
      .then(function success(settings) {
        if (settings.AuthenticationMethod === 1) {
@ -166,6 +178,7 @@ function($async, $q, $scope, $state, $stateParams, $sanitize, Authentication, Us

  function oAuthLogin(code) {
    return Authentication.OAuthLogin(code)
+    .then(() => Authentication.retrievePermissions().catch(permissionsError))
    .then(function success() {
      return retrieveAndSaveEnabledExtensions();
    })
@ -173,6 +186,9 @@ function($async, $q, $scope, $state, $stateParams, $sanitize, Authentication, Us
      URLHelper.cleanParameters();
    })
    .catch(function error() {
+      if ($scope.state.permissionsError) {
+        return;
+      }
      $scope.state.AuthenticationError = 'Unable to login via OAuth';
      $scope.state.isInOAuthProcess = false;
    });