🐛 Remove user check from API key

package.json

@@ -1,6 +1,6 @@
 {
   "name": "staart",
-  "version": "1.0.20",
+  "version": "1.0.21",
   "main": "index.js",
   "repository": "[email protected]:AnandChowdhary/staart.git",
   "author": "Anand Chowdhary <[email protected]>",

src/helpers/authorization.ts

@@ -6,7 +6,7 @@ import {
   UserRole,
   MembershipRole
 } from "../interfaces/enum";
-import { getUser, getApiKey } from "../crud/user";
+import { getUser } from "../crud/user";
 import { getUserMemberships, getMembership } from "../crud/membership";
 import { getOrganization } from "../crud/organization";
 import { Membership } from "../interfaces/tables/memberships";
@@ -148,36 +148,15 @@ const canUserGeneral = async (user: User, action: Authorizations) => {
   return false;
 };
 
-const canUserApiKey = async (
-  user: User,
-  action: Authorizations,
-  target: ApiKey
-) => {
-  // A user can do anything to her API key
-  if (target.userId == user.id) return true;
-
-  let secureAction = action;
-  if (action === Authorizations.CREATE)
-    secureAction = Authorizations.CREATE_SECURE;
-  if (action === Authorizations.READ) secureAction = Authorizations.READ_SECURE;
-  if (action === Authorizations.UPDATE)
-    secureAction = Authorizations.UPDATE_SECURE;
-  if (action === Authorizations.DELETE)
-    secureAction = Authorizations.DELETE_SECURE;
-
-  const owner = await getUser(target.userId);
-  return await canUserUser(user, secureAction, owner);
-};
-
 /**
  * Whether a user has authorization to perform an action
  * @param ipAddress  IP address for the new location
  */
 export const can = async (
   user: User | number,
   action: Authorizations,
-  targetType: "user" | "organization" | "membership" | "api-key" | "general",
-  target?: User | Organization | Membership | ApiKey | number
+  targetType: "user" | "organization" | "membership" | "general",
+  target?: User | Organization | Membership | number
 ) => {
   let userObject: User;
   if (typeof target === "object") {
@@ -211,11 +190,6 @@ export const can = async (
       action,
       targetObject as Membership
     );
-  } else if (targetType === "api-key") {
-    if (typeof target === "string" || typeof target === "number")
-      targetObject = await getApiKey(target.toString());
-    else targetObject = target as ApiKey;
-    return await canUserApiKey(userObject, action, targetObject as ApiKey);
   }
 
   return await canUserGeneral(userObject, action);

src/rest/organization.ts

@@ -475,8 +475,14 @@ export const updateApiKeyForUser = async (
   data: KeyValue,
   locals: Locals
 ) => {
-  const apiKeyDetails = await getApiKey(organizationId, apiKey);
-  if (await can(userId, Authorizations.UPDATE, "api-key", apiKeyDetails)) {
+  if (
+    await can(
+      userId,
+      Authorizations.UPDATE_SECURE,
+      "organization",
+      organizationId
+    )
+  ) {
     await updateApiKey(organizationId, apiKey, data);
     await createEvent(
       {
@@ -517,8 +523,14 @@ export const deleteApiKeyForUser = async (
   apiKey: string,
   locals: Locals
 ) => {
-  const apiKeyDetails = await getApiKey(organizationId, apiKey);
-  if (await can(userId, Authorizations.DELETE, "api-key", apiKeyDetails)) {
+  if (
+    await can(
+      userId,
+      Authorizations.DELETE_SECURE,
+      "organization",
+      organizationId
+    )
+  ) {
     await deleteApiKey(organizationId, apiKey);
     await createEvent(
       {