Merge branch 'main' into search-applications-by-instances-and-devices

forge/lib/permissions.js

@@ -109,10 +109,7 @@ const Permissions = {
     'platform:debug': { description: 'View platform debug information', role: Roles.Admin },
     'platform:stats': { description: 'View platform stats information', role: Roles.Admin },
     'platform:stats:token': { description: 'Create/Delete platform stats token', role: Roles.Admin },
-    'platform:audit-log': { description: 'View platform audit log', role: Roles.Admin },
-
-    // assistant
-    'assistant:method': { description: 'Access the assistant method endpoint', role: Roles.Member }
+    'platform:audit-log': { description: 'View platform audit log', role: Roles.Admin }
 }
 
 module.exports = {

forge/routes/api/assistant.js

@@ -10,6 +10,16 @@ const { default: axios } = require('axios')
  */
 module.exports = async function (app) {
     app.addHook('preHandler', app.verifySession)
+    app.addHook('preHandler', (request, reply, done) => {
+        // Only permit requests made by a valid device or instance token
+        if (!request.session || request.session.provisioning) {
+            reply.code(401).send({ code: 'unauthorized', error: 'unauthorized' })
+        } else if (request.session.ownerType !== 'device' && request.session.ownerType !== 'project') {
+            reply.code(401).send({ code: 'unauthorized', error: 'unauthorized' })
+        } else {
+            done()
+        }
+    })
 
     /**
      * Endpoint for assistant methods
@@ -18,7 +28,6 @@ module.exports = async function (app) {
      * use an alternative means of accessing it.
     */
     app.post('/:method', {
-        preHandler: app.needsPermission('assistant:method'),
         schema: {
             hide: true, // dont show in swagger
             body: {

forge/routes/auth/permissions.js

@@ -9,17 +9,15 @@ const IMPLICIT_TOKEN_SCOPES = {
     device: [
         'team:projects:list', // permit a device being edited via a tunnel in developer mode to list projects
         'library:entry:create', // permit a device being edited via a tunnel in developer mode to create library entries
-        'library:entry:list', // permit a device being edited via a tunnel in developer mode to list library entries
-        'assistant:method' // permit calls to the assistant endpoint for method node/code/json/etc creation
+        'library:entry:list' // permit a device being edited via a tunnel in developer mode to list library entries
     ],
     project: [
         'user:read',
         'project:flows:view',
         'project:flows:edit',
         'team:projects:list',
         'library:entry:create',
-        'library:entry:list',
-        'assistant:method'
+        'library:entry:list'
     ]
 }
 

test/unit/forge/routes/api/assistant_spec.js

@@ -140,8 +140,18 @@ describe('Assistant API', async function () {
                 })
                 response.statusCode.should.equal(401)
             })
+            it('user token can not access', async function () {
+                sinon.stub(axios, 'post').resolves({ data: { status: 'ok' } })
+                const response = await app.inject({
+                    method: 'POST',
+                    url: `/api/v1/assistant/${serviceName}`,
+                    cookies: { sid: TestObjects.tokens.alice },
+                    payload: { prompt: 'multiply by 5', transactionId: '1234' }
+                })
+                response.statusCode.should.equal(401)
+                axios.post.calledOnce.should.be.false()
+            })
             it('device token can access', async function () {
-                // const device = await createDevice({ name: 'Ad1', type: 'Ad1_type', team: TestObjects.ATeam.hashid, as: TestObjects.tokens.alice })
                 const deviceCreateResponse = await app.inject({
                     method: 'POST',
                     url: '/api/v1/devices',