Module: BetterAuth::APIKey::OrgAuthorization

Defined in:
lib/better_auth/api_key/org_authorization.rb

Constant Summary

# Actions an API-key holder may be granted on the +apiKey+ resource.
# The outer hash is frozen; the inner array is not (same as the original
# definition). NOTE(review): the methods on this page build the permission
# request with a string key ("apiKey") rather than this symbol key — confirm
# which form the organization plugin's permission check expects.
PERMISSIONS = {apiKey: %w[create read update delete]}.freeze

Class Method Summary

Class Method Details

.authorize_reference!(ctx, config, user_id, reference_id, action) ⇒ Object



# File 'lib/better_auth/api_key/org_authorization.rb', line 43

# Authorizes +user_id+ to perform +action+ on the API key whose owner is
# +reference_id+.
#
# With +config[:references]+ set to +"organization"+ the reference is an
# organization id and the decision is delegated to {check_permission!}.
# In every other configuration the reference is a user id and only that
# user may act on the key; anyone else receives NOT_FOUND (not FORBIDDEN),
# which also avoids confirming that another user's key exists.
#
# @param ctx [Object] request context handed through to {check_permission!}
# @param config [Hash] plugin configuration; only +:references+ is read here
# @param user_id [String] id of the acting user
# @param reference_id [String] owner of the key (user id or organization id)
# @param action [String] requested operation, e.g. one of PERMISSIONS[:apiKey]
# @return [Object, nil] whatever {check_permission!} returns in the
#   organization case; +nil+ when the acting user owns the key
# @raise [BetterAuth::APIError] NOT_FOUND when the key belongs to another user
def authorize_reference!(ctx, config, user_id, reference_id, action)
  organization_scoped = config[:references].to_s == "organization"
  return check_permission!(ctx, user_id, reference_id, action) if organization_scoped
  return if reference_id == user_id

  raise BetterAuth::APIError.new("NOT_FOUND", message: BetterAuth::Plugins::API_KEY_ERROR_CODES["KEY_NOT_FOUND"])
end

.check_permission!(ctx, user_id, organization_id, action) ⇒ Object

Raises:

  • (BetterAuth::APIError)


# File 'lib/better_auth/api_key/org_authorization.rb', line 12

# Verifies that +user_id+ may perform +action+ on API keys belonging to
# +organization_id+, and returns the membership record on success.
#
# Checks, in order:
# 1. the organization plugin is installed (otherwise INTERNAL_SERVER_ERROR);
# 2. the user is a member of the organization (otherwise FORBIDDEN);
# 3. the member holds the organization's creator role (+creator_role+ option,
#    default +"owner"+), which short-circuits the permission check entirely;
# 4. otherwise the organization plugin's permission check must grant
#    +apiKey: [action]+ for the member's role.
#
# NOTE(review): +action+ is passed through unvalidated; callers are expected
# to supply one of PERMISSIONS[:apiKey]. The creator-role comparison is an
# exact string match on +member["role"]+ — if roles can be stored as a
# multi-valued string, a creator holding additional roles would fall
# through to step 4; confirm the role format with the organization plugin.
#
# @param ctx [Object] request context exposing +context.options.plugins+ and
#   +context.adapter+
# @param user_id [String] acting user
# @param organization_id [String] organization that owns the key(s)
# @param action [String] requested operation on the +apiKey+ resource
# @return [Hash] the member record found by the adapter
# @raise [BetterAuth::APIError] INTERNAL_SERVER_ERROR, or FORBIDDEN when the
#   user is not a member or lacks the permission
def check_permission!(ctx, user_id, organization_id, action)
  # Error construction is deferred into a lambda so the error-code lookup
  # only happens on the failing path.
  fail_with = lambda do |status, code|
    raise BetterAuth::APIError.new(
      status,
      message: BetterAuth::Plugins::API_KEY_ERROR_CODES[code],
      code: code
    )
  end

  installed = ctx.context.options.plugins
  org_plugin = installed.find { |candidate| candidate.id == "organization" }
  fail_with.call("INTERNAL_SERVER_ERROR", "ORGANIZATION_PLUGIN_REQUIRED") unless org_plugin

  membership_filter = [
    {field: "userId", value: user_id},
    {field: "organizationId", value: organization_id}
  ]
  member = ctx.context.adapter.find_one(model: "member", where: membership_filter)
  fail_with.call("FORBIDDEN", "USER_NOT_MEMBER_OF_ORGANIZATION") unless member

  # The organization's creator role is trusted unconditionally.
  creator_role = (org_plugin.options[:creator_role] || "owner").to_s
  return member if member["role"].to_s == creator_role

  requested = {"apiKey" => [action]}
  granted = BetterAuth::Plugins.organization_permission?(ctx, org_plugin.options, member["role"], requested, organization_id)
  return member if granted

  fail_with.call("FORBIDDEN", "INSUFFICIENT_API_KEY_PERMISSIONS")
end

.create_reference_id!(ctx, body, session, config) ⇒ Object



# File 'lib/better_auth/api_key/org_authorization.rb', line 51

# Resolves the reference id a new API key will be bound to.
#
# Organization-scoped configuration (+config[:references] == "organization"+):
# the id comes from +body[:organization_id]+ (BAD_REQUEST if blank), the acting
# user is the session user or, lacking a session, +body[:user_id]+
# (UNAUTHORIZED if blank), and {check_permission!} must grant +"create"+.
#
# User-scoped configuration: with a session the key is bound to the session
# user, and a +body[:user_id]+ that names a different user is rejected with
# UNAUTHORIZED; without a session the id is taken from +body[:user_id]+
# (UNAUTHORIZED if blank).
#
# NOTE(review): on the sessionless paths the user id is accepted from the
# request body without further checks; this assumes those paths are reachable
# only by trusted server-side callers — confirm at the endpoint that a
# browser client cannot supply +user_id+ without a session.
#
# @param ctx [Object] request context forwarded to {check_permission!}
# @param body [Hash] request body; reads +:organization_id+ and +:user_id+
# @param session [Hash, nil] current session with +[:user]["id"]+, or +nil+
# @param config [Hash] plugin configuration; only +:references+ is read here
# @return [String] the organization id or user id to store on the key
# @raise [BetterAuth::APIError] BAD_REQUEST, UNAUTHORIZED, or whatever
#   {check_permission!} raises
def create_reference_id!(ctx, body, session, config)
  unauthorized = lambda do
    BetterAuth::APIError.new("UNAUTHORIZED", message: BetterAuth::Plugins::API_KEY_ERROR_CODES["UNAUTHORIZED_SESSION"])
  end

  unless config[:references].to_s == "organization"
    requested_user_id = body[:user_id]

    if session
      session_user_id = session[:user]["id"]
      # A body user id is only tolerated when it matches the session user.
      raise unauthorized.call if requested_user_id && requested_user_id != session_user_id

      return session_user_id
    end

    raise unauthorized.call if requested_user_id.to_s.empty?

    return requested_user_id
  end

  organization_id = body[:organization_id]
  if organization_id.to_s.empty?
    raise BetterAuth::APIError.new(
      "BAD_REQUEST",
      message: BetterAuth::Plugins::API_KEY_ERROR_CODES["ORGANIZATION_ID_REQUIRED"],
      code: "ORGANIZATION_ID_REQUIRED"
    )
  end

  # Session user wins; the body user id is only a fallback when no session exists.
  acting_user_id = session&.dig(:user, "id") || body[:user_id]
  raise unauthorized.call if acting_user_id.to_s.empty?

  check_permission!(ctx, acting_user_id, organization_id, "create")
  organization_id
end