feat: Add INTERNAL_ACCESS_TOKEN to support internal user configuration

docker-compose-dev.yml

@@ -38,6 +38,7 @@ services:
       # - DEFAULT_ADMIN_NAME=Demo Demo
       # - DEFAULT_ADMIN_USERNAME=demo
 
+      # - INTERNAL_ACCESS_TOKEN=
       # - ACTIVE_USERS_LIMIT=
 
       # Set to true to show more detailed authentication error messages.

docker-compose.yml

@@ -52,6 +52,7 @@ services:
       # - DEFAULT_ADMIN_NAME=Demo Demo
       # - DEFAULT_ADMIN_USERNAME=demo
 
+      # - INTERNAL_ACCESS_TOKEN=
       # - ACTIVE_USERS_LIMIT=
 
       # Set to true to show more detailed authentication error messages.

server/.env.sample

@@ -29,6 +29,7 @@ SECRET_KEY=notsecretkey
 # DEFAULT_ADMIN_NAME=Demo Demo
 # DEFAULT_ADMIN_USERNAME=demo
 
+# INTERNAL_ACCESS_TOKEN=
 # ACTIVE_USERS_LIMIT=
 
 # Set to true to show more detailed authentication error messages.

server/api/hooks/current-user/index.js

@@ -67,8 +67,12 @@ module.exports = function defineCurrentUserHook(sails) {
 
             if (authorizationHeader && TOKEN_PATTERN.test(authorizationHeader)) {
               const accessToken = authorizationHeader.replace(TOKEN_PATTERN, '');
-              const { httpOnlyToken } = req.cookies;
+              const { internalAccessToken } = sails.config.custom;
 
+              if (internalAccessToken && accessToken === internalAccessToken) {
+                req.currentUser = User.INTERNAL;
+              } else {
+                const { httpOnlyToken } = req.cookies;
                 const sessionAndUser = await getSessionAndUser(accessToken, httpOnlyToken);
 
                 if (sessionAndUser) {
@@ -89,6 +93,7 @@ module.exports = function defineCurrentUserHook(sails) {
                   }
                 }
               }
+            }
 
             return next();
           },

server/api/models/User.js

@@ -81,8 +81,14 @@ const PERSONAL_FIELD_NAMES = [
   'defaultProjectsOrder',
 ];
 
+const INTERNAL = {
+  id: '_internal',
+  role: Roles.ADMIN,
+};
+
 const OIDC = {
   id: '_oidc',
+  role: Roles.ADMIN,
 };
 
 module.exports = {
@@ -93,6 +99,7 @@ module.exports = {
   LANGUAGES,
   PRIVATE_FIELD_NAMES,
   PERSONAL_FIELD_NAMES,
+  INTERNAL,
   OIDC,
 
   attributes: {

server/api/policies/is-external.js

@@ -0,0 +1,12 @@
+/*!
+ * Copyright (c) 2024 PLANKA Software GmbH
+ * Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md
+ */
+
+module.exports = async function isExternal(req, res, proceed) {
+  if (req.currentUser.id === User.INTERNAL.id) {
+    return res.notFound(); // Forbidden
+  }
+
+  return proceed();
+};

server/config/custom.js

@@ -50,6 +50,7 @@ module.exports.custom = {
   defaultAdminEmail:
     process.env.DEFAULT_ADMIN_EMAIL && process.env.DEFAULT_ADMIN_EMAIL.toLowerCase(),
 
+  internalAccessToken: process.env.INTERNAL_ACCESS_TOKEN,
   activeUsersLimit: envToNumber(process.env.ACTIVE_USERS_LIMIT),
   showDetailedAuthErrors: process.env.SHOW_DETAILED_AUTH_ERRORS === 'true',
 

server/config/policies.js

@@ -16,17 +16,24 @@ module.exports.policies = {
    *
    */
 
-  '*': 'is-authenticated',
+  '*': ['is-authenticated', 'is-external'],
 
-  'webhooks/index': ['is-admin'],
-  'webhooks/create': ['is-admin'],
-  'webhooks/update': ['is-admin'],
-  'webhooks/delete': ['is-admin'],
+  'webhooks/index': ['is-authenticated', 'is-external', 'is-admin'],
+  'webhooks/create': ['is-authenticated', 'is-external', 'is-admin'],
+  'webhooks/update': ['is-authenticated', 'is-external', 'is-admin'],
+  'webhooks/delete': ['is-authenticated', 'is-external', 'is-admin'],
 
+  'users/index': 'is-authenticated',
   'users/create': ['is-authenticated', 'is-admin'],
+  'users/show': 'is-authenticated',
+  'users/update': 'is-authenticated',
+  'users/update-email': 'is-authenticated',
+  'users/update-password': 'is-authenticated',
+  'users/update-username': 'is-authenticated',
+  'users/update-avatar': 'is-authenticated',
   'users/delete': ['is-authenticated', 'is-admin'],
 
-  'projects/create': ['is-authenticated', 'is-admin-or-project-owner'],
+  'projects/create': ['is-authenticated', 'is-external', 'is-admin-or-project-owner'],
 
   'config/show': true,
   'access-tokens/create': true,