Hexabot/api/src/authorization/authorization.service.ts at fb9c01e0d3b82db34a19a316c74f8c66314d60c7 · Hexastack/Hexabot · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
/*
 * Copyright © 2025 Hexastack. All rights reserved.
 *
 * Licensed under the GNU Affero General Public License v3.0 (AGPLv3) with the following additional terms:
 * 1. The name "Hexabot" is a trademark of Hexastack. You may not use this name in derivative works without express written permission.
 * 2. All derivative works must include clear attribution to the original creator and software, Hexastack and Hexabot, in a prominent location (e.g., in the software's "About" section, documentation, and README file).
 */

import { Injectable } from '@nestjs/common';

import { LoggerService } from '@/logger/logger.service';
import { PermissionService } from '@/user/services/permission.service';
import { UserService } from '@/user/services/user.service';
import { MethodToAction } from '@/user/types/action.type';
import { TModel } from '@/user/types/model.type';

@Injectable()
export class AuthorizationService {
  constructor(
    private readonly logger: LoggerService,
    private readonly userService: UserService,
    private readonly permissionService: PermissionService,
  ) {}

  /**
   * Checks if a request (REST/WebSocket) is authorized to get access
   *
   * @param method - The Request Method
   * @param userRoles - An array of ID's user Roles or empty
   * @param targetModel - The target model that we want access
   * @returns
   */
  async canAccess(
    method: string,
    userId: string,
    targetModel?: TModel,
  ): Promise<boolean> {
    try {
      if (!targetModel) {
        return false;
      }
      const user = await this.userService.findOne(userId);
      const permissions = await this.permissionService.getPermissions();

      if (permissions && user?.roles?.length) {
        const permissionsFromRoles = Object.entries(permissions)
          .filter(([key, _]) => user.roles.includes(key))
          .map(([_, value]) => value);

        if (
          permissionsFromRoles.some((permission) =>
            permission[targetModel]?.includes(MethodToAction[method]),
          )
        ) {
          return true;
        }
      }
    } catch (err) {
      this.logger.error('Request has no ability to get access', err);
      return false;
    }

    return false;
  }
}