fix: Routes protection

JonaszJestem · JonaszJestem · commit f103f9cfb077 · 2021-04-09T08:46:47.000+02:00
diff --git a/src/authentication/protected-routes.handler.ts b/src/authentication/protected-routes.handler.ts
@@ -43,10 +43,11 @@ export const isAdminRoute = (url: string, adminRootUrl: string): boolean => {
     .map((route) => convertToExpressRoute(route.path))
     .filter((route) => route !== "");
   const isAdminRootUrl = url === adminRootUrl;
+  const urlWithoutRoot = url.substring(adminRootUrl?.length ?? 0, url.length);
 
   return (
     isAdminRootUrl ||
-    !!adminRoutes.find((route) => pathToRegexp(route).test(url))
+    adminRoutes.some((route) => pathToRegexp(route).test(urlWithoutRoot))
   );
 };
 
diff --git a/src/buildAuthenticatedRouter.ts b/src/buildAuthenticatedRouter.ts
@@ -55,6 +55,7 @@ export const buildAuthenticatedRouter = (
   const router = predefinedRouter || express.Router();
 
   router.use((req, _, next) => {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     if ((req as any)._body) {
       next(new OldBodyParserUsedError());
     }
diff --git a/test/protected-routes.test.ts b/test/protected-routes.test.ts
@@ -32,5 +32,11 @@ describe("Protected routes", () => {
     it("should detect non-admin routes", () => {
       expect(isAdminRoute("/api/my-endpoint", "/")).toBeFalsy();
     });
+
+    it("should detect admin routes with base url", () => {
+      expect(
+        isAdminRoute("/admin/resources/someResource/actions/new", "/admin")
+      ).toBeTruthy();
+    });
   });
 });

Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,7 @@ export const buildAuthenticatedRouter = (`
`55`	`55`	`const router = predefinedRouter \|\| express.Router();`
`56`	`56`
`57`	`57`	`router.use((req, _, next) => {`
	`58`	`+ // eslint-disable-next-line @typescript-eslint/no-explicit-any`
`58`	`59`	`if ((req as any)._body) {`
`59`	`60`	`next(new OldBodyParserUsedError());`
`60`	`61`	`}`