From af7263a0b1a001bd1c366426b281314eae2362fa Mon Sep 17 00:00:00 2001
From: Owen
Date: Tue, 10 Feb 2026 10:52:40 -0800
Subject: [PATCH] Finish adding limits checks to all put and post
---
 server/middlewares/verifyLimits.ts | 2 +-
 server/private/routers/external.ts | 18 +++++++--
 server/private/routers/integration.ts | 5 ++-
 server/routers/external.ts | 15 +++++++
 server/routers/integration.ts | 57 ++++++++++++++++++++++++++-
 5 files changed, 91 insertions(+), 6 deletions(-)
diff --git a/server/middlewares/verifyLimits.ts b/server/middlewares/verifyLimits.ts
index 99330c33..49c5f38a 100644
--- a/server/middlewares/verifyLimits.ts
+++ b/server/middlewares/verifyLimits.ts
@@ -17,7 +17,7 @@ export async function verifyLimits(
 return next();
 }
- const orgId = req.userOrgId || req.params.orgId;
+ const orgId = req.userOrgId || req.apiKeyOrg?.orgId || req.params.orgId;
 if (!orgId) {
 return next(); // its fine if we silently fail here because this is not critical to operation or security and its better user experience if we dont fail
diff --git a/server/private/routers/external.ts b/server/private/routers/external.ts
index 74ca7872..dae10a95 100644
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -31,7 +31,8 @@ import {
 verifyUserHasAction,
 verifyUserIsServerAdmin,
 verifySiteAccess,
- verifyClientAccess
+ verifyClientAccess,
+ verifyLimits
 } from "@server/middlewares";
 import { ActionsEnum } from "@server/auth/actions";
 import {
@@ -79,6 +80,7 @@ authenticated.put(
 verifyValidLicense,
 verifyValidSubscription(tierMatrix.orgOidc),
 verifyOrgAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.createIdp),
 logActionAudit(ActionsEnum.createIdp),
 orgIdp.createOrgOidcIdp
@@ -90,6 +92,7 @@ authenticated.post(
 verifyValidSubscription(tierMatrix.orgOidc),
 verifyOrgAccess,
 verifyIdpAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.updateIdp),
 logActionAudit(ActionsEnum.updateIdp),
 orgIdp.updateOrgOidcIdp
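Review bot: The new fallback chain `req.userOrgId || req.apiKeyOrg?.orgId || req.params.orgId` still reaches the silent `return next()` below it whenever no org context exists, so the limits check is a no-op on routes guarded only by `verifyApiKeyIsRoot` with no `:orgId` in the path (`/idp/oidc`, `/idp/:idpId/oidc`, `/user/:userId/2fa` in the later `server/routers/integration.ts` hunks), unless `verifyApiKeyIsRoot` populates `req.apiKeyOrg`, which this diff does not show. That undercuts the subject's "all put and post"; if skipping is intended for root-key routes, it should be stated, otherwise an org must be resolved before `verifyLimits` runs there. The ordering dependency also deserves a comment on this line, e.g. `// org context is set by the access middleware that ran before us (verifyOrgAccess / verifyApiKey*Access); params.orgId is only a last resort`. The verifyLimits function starts and ends outside this hunk.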
@@ -138,6 +141,7 @@ authenticated.post(
 verifyValidLicense,
 verifyOrgAccess,
 verifyCertificateAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.restartCertificate),
 logActionAudit(ActionsEnum.restartCertificate),
 certificates.restartCertificate
@@ -237,6 +241,7 @@ authenticated.put(
 "/org/:orgId/remote-exit-node",
 verifyValidLicense,
 verifyOrgAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.createRemoteExitNode),
 logActionAudit(ActionsEnum.createRemoteExitNode),
 remoteExitNode.createRemoteExitNode
@@ -282,6 +287,7 @@ authenticated.put(
 verifyValidLicense,
 verifyValidSubscription(tierMatrix.loginPageDomain),
 verifyOrgAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.createLoginPage),
 logActionAudit(ActionsEnum.createLoginPage),
 loginPage.createLoginPage
@@ -293,6 +299,7 @@ authenticated.post(
 verifyValidSubscription(tierMatrix.loginPageDomain),
 verifyOrgAccess,
 verifyLoginPageAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.updateLoginPage),
 logActionAudit(ActionsEnum.updateLoginPage),
 loginPage.updateLoginPage
@@ -338,6 +345,7 @@ authenticated.put(
 verifyValidLicense,
 verifyValidSubscription(tierMatrix.deviceApprovals),
 verifyOrgAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.updateApprovals),
 logActionAudit(ActionsEnum.updateApprovals),
 approval.processPendingApproval
@@ -358,6 +366,7 @@ authenticated.put(
 verifyValidLicense,
 verifyValidSubscription(tierMatrix.loginPageBranding),
 verifyOrgAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.updateLoginPage),
 logActionAudit(ActionsEnum.updateLoginPage),
 loginPage.upsertLoginPageBranding
@@ -470,18 +479,20 @@ authenticated.get(
 authenticated.post(
 "/re-key/:clientId/regenerate-client-secret",
- verifyClientAccess, // this is first to set the org id
 verifyValidLicense,
 verifyValidSubscription(tierMatrix.rotateCredentials),
+ verifyClientAccess, // this is first to set the org id
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.reGenerateSecret),
 reKey.reGenerateClientSecret
 );
 authenticated.post(
 "/re-key/:siteId/regenerate-site-secret",
- verifySiteAccess, // this is first to set the org id
 verifyValidLicense,
 verifyValidSubscription(tierMatrix.rotateCredentials),
+ verifySiteAccess, // this is first to set the org id
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.reGenerateSecret),
 reKey.reGenerateSiteSecret
 );
@@ -491,6 +502,7 @@ authenticated.put(
 verifyValidLicense,
 verifyValidSubscription(tierMatrix.rotateCredentials),
 verifyOrgAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.reGenerateSecret),
 reKey.reGenerateExitNodeSecret
 );
diff --git a/server/private/routers/integration.ts b/server/private/routers/integration.ts
index 8109bd35..97b1adad 100644
--- a/server/private/routers/integration.ts
+++ b/server/private/routers/integration.ts
@@ -19,7 +19,8 @@ import {
 verifyApiKeyHasAction,
 verifyApiKeyIsRoot,
 verifyApiKeyOrgAccess,
- verifyApiKeyIdpAccess
+ verifyApiKeyIdpAccess,
+ verifyLimits
 } from "@server/middlewares";
 import {
 verifyValidSubscription,
@@ -95,6 +96,7 @@ authenticated.put(
 verifyValidLicense,
 verifyValidSubscription(tierMatrix.orgOidc),
 verifyApiKeyOrgAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.createIdp),
 logActionAudit(ActionsEnum.createIdp),
 orgIdp.createOrgOidcIdp
@@ -106,6 +108,7 @@ authenticated.post(
 verifyValidSubscription(tierMatrix.orgOidc),
 verifyApiKeyOrgAccess,
 verifyApiKeyIdpAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.updateIdp),
 logActionAudit(ActionsEnum.updateIdp),
 orgIdp.updateOrgOidcIdp
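Review bot: The comment `// this is first to set the org id` on the re-added `verifyClientAccess` and `verifySiteAccess` lines is now false, because the commit moves both behind `verifyValidLicense` and `verifyValidSubscription(tierMatrix.rotateCredentials)`. If the original position existed so that the subscription check could read the org id those access middlewares set, `verifyValidSubscription` now runs on both re-key routes without that context; its implementation is not in this diff, so this needs confirming before merge. Either restore the access middleware to the first slot and put `verifyLimits` directly after it, or, if the subscription check does not need the org id, replace the stale comment with `// sets the org id that verifyLimits reads next`.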
diff --git a/server/routers/external.ts b/server/routers/external.ts
index 48768598..1a04b55e 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -561,6 +561,7 @@ authenticated.get(
 authenticated.post(
 "/resource/:resourceId/rule/:ruleId",
 verifyResourceAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.updateResourceRule),
 logActionAudit(ActionsEnum.updateResourceRule),
 resource.updateResourceRule
@@ -582,6 +583,7 @@ authenticated.get(
 authenticated.post(
 "/target/:targetId",
 verifyTargetAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.updateTarget),
 logActionAudit(ActionsEnum.updateTarget),
 target.updateTarget
@@ -612,6 +614,7 @@ authenticated.get(
 authenticated.post(
 "/role/:roleId",
 verifyRoleAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.updateRole),
 logActionAudit(ActionsEnum.updateRole),
 role.updateRole
@@ -640,6 +643,7 @@ authenticated.post(
 "/role/:roleId/add/:userId",
 verifyRoleAccess,
 verifyUserAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.addUserRole),
 logActionAudit(ActionsEnum.addUserRole),
 user.addUserRole
@@ -649,6 +653,7 @@ authenticated.post(
 "/resource/:resourceId/roles",
 verifyResourceAccess,
 verifyRoleAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.setResourceRoles),
 logActionAudit(ActionsEnum.setResourceRoles),
 resource.setResourceRoles
@@ -658,6 +663,7 @@ authenticated.post(
 "/resource/:resourceId/users",
 verifyResourceAccess,
 verifySetResourceUsers,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.setResourceUsers),
 logActionAudit(ActionsEnum.setResourceUsers),
 resource.setResourceUsers
@@ -666,6 +672,7 @@ authenticated.post(
 authenticated.post(
 `/resource/:resourceId/password`,
 verifyResourceAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.setResourcePassword),
 logActionAudit(ActionsEnum.setResourcePassword),
 resource.setResourcePassword
@@ -674,6 +681,7 @@ authenticated.post(
 authenticated.post(
 `/resource/:resourceId/pincode`,
 verifyResourceAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.setResourcePincode),
 logActionAudit(ActionsEnum.setResourcePincode),
 resource.setResourcePincode
@@ -682,6 +690,7 @@ authenticated.post(
 authenticated.post(
 `/resource/:resourceId/header-auth`,
 verifyResourceAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.setResourceHeaderAuth),
 logActionAudit(ActionsEnum.setResourceHeaderAuth),
 resource.setResourceHeaderAuth
@@ -690,6 +699,7 @@ authenticated.post(
 authenticated.post(
 `/resource/:resourceId/whitelist`,
 verifyResourceAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.setResourceWhitelist),
 logActionAudit(ActionsEnum.setResourceWhitelist),
 resource.setResourceWhitelist
@@ -705,6 +715,7 @@ authenticated.get(
 authenticated.post(
 `/resource/:resourceId/access-token`,
 verifyResourceAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.generateAccessToken),
 logActionAudit(ActionsEnum.generateAccessToken),
 accessToken.generateAccessToken
@@ -805,6 +816,7 @@ authenticated.post(
 "/org/:orgId/user/:userId",
 verifyOrgAccess,
 verifyUserAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.updateOrgUser),
 logActionAudit(ActionsEnum.updateOrgUser),
 user.updateOrgUser
@@ -877,6 +889,7 @@ authenticated.post(
 "/user/:userId/olm/:olmId/archive",
 verifyIsLoggedInUser,
 verifyOlmAccess,
+ verifyLimits,
 olm.archiveUserOlm
 );
@@ -991,6 +1004,7 @@ authenticated.post(
 `/org/:orgId/api-key/:apiKeyId/actions`,
 verifyOrgAccess,
 verifyApiKeyAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.setApiKeyActions),
 logActionAudit(ActionsEnum.setApiKeyActions),
 apiKeys.setApiKeyActions
@@ -1043,6 +1057,7 @@ authenticated.post(
 `/org/:orgId/domain/:domainId/restart`,
 verifyOrgAccess,
 verifyDomainAccess,
+ verifyLimits,
 verifyUserHasAction(ActionsEnum.restartOrgDomain),
 logActionAudit(ActionsEnum.restartOrgDomain),
 domain.restartOrgDomain
diff --git a/server/routers/integration.ts b/server/routers/integration.ts
index 59ed253f..9ece5ddd 100644
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -26,7 +26,8 @@ import {
 verifyApiKeyIsRoot,
 verifyApiKeyClientAccess,
 verifyApiKeySiteResourceAccess,
- verifyApiKeySetResourceClients
+ verifyApiKeySetResourceClients,
+ verifyLimits
 } from "@server/middlewares";
 import HttpCode from "@server/types/HttpCode";
 import { Router } from "express";
@@ -74,6 +75,7 @@ authenticated.get(
 authenticated.post(
 "/org/:orgId",
 verifyApiKeyOrgAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.updateOrg),
 logActionAudit(ActionsEnum.updateOrg),
 org.updateOrg
@@ -90,6 +92,7 @@ authenticated.delete(
 authenticated.put(
 "/org/:orgId/site",
 verifyApiKeyOrgAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.createSite),
 logActionAudit(ActionsEnum.createSite),
 site.createSite
@@ -126,6 +129,7 @@ authenticated.get(
 authenticated.post(
 "/site/:siteId",
 verifyApiKeySiteAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.updateSite),
 logActionAudit(ActionsEnum.updateSite),
 site.updateSite
@@ -148,6 +152,7 @@ authenticated.get(
 authenticated.put(
 "/org/:orgId/site-resource",
 verifyApiKeyOrgAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.createSiteResource),
 logActionAudit(ActionsEnum.createSiteResource),
 siteResource.createSiteResource
@@ -178,6 +183,7 @@ authenticated.get(
 authenticated.post(
 "/site-resource/:siteResourceId",
 verifyApiKeySiteResourceAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.updateSiteResource),
 logActionAudit(ActionsEnum.updateSiteResource),
 siteResource.updateSiteResource
@@ -216,6 +222,7 @@ authenticated.post(
 "/site-resource/:siteResourceId/roles",
 verifyApiKeySiteResourceAccess,
 verifyApiKeyRoleAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceRoles),
 logActionAudit(ActionsEnum.setResourceRoles),
 siteResource.setSiteResourceRoles
@@ -225,6 +232,7 @@ authenticated.post(
 "/site-resource/:siteResourceId/users",
 verifyApiKeySiteResourceAccess,
 verifyApiKeySetResourceUsers,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
 logActionAudit(ActionsEnum.setResourceUsers),
 siteResource.setSiteResourceUsers
@@ -234,6 +242,7 @@ authenticated.post(
 "/site-resource/:siteResourceId/roles/add",
 verifyApiKeySiteResourceAccess,
 verifyApiKeyRoleAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceRoles),
 logActionAudit(ActionsEnum.setResourceRoles),
 siteResource.addRoleToSiteResource
@@ -243,6 +252,7 @@ authenticated.post(
 "/site-resource/:siteResourceId/roles/remove",
 verifyApiKeySiteResourceAccess,
 verifyApiKeyRoleAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceRoles),
 logActionAudit(ActionsEnum.setResourceRoles),
 siteResource.removeRoleFromSiteResource
@@ -252,6 +262,7 @@ authenticated.post(
 "/site-resource/:siteResourceId/users/add",
 verifyApiKeySiteResourceAccess,
 verifyApiKeySetResourceUsers,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
 logActionAudit(ActionsEnum.setResourceUsers),
 siteResource.addUserToSiteResource
@@ -261,6 +272,7 @@ authenticated.post(
 "/site-resource/:siteResourceId/users/remove",
 verifyApiKeySiteResourceAccess,
 verifyApiKeySetResourceUsers,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
 logActionAudit(ActionsEnum.setResourceUsers),
 siteResource.removeUserFromSiteResource
@@ -270,6 +282,7 @@ authenticated.post(
 "/site-resource/:siteResourceId/clients",
 verifyApiKeySiteResourceAccess,
 verifyApiKeySetResourceClients,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
 logActionAudit(ActionsEnum.setResourceUsers),
 siteResource.setSiteResourceClients
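Review bot: The `/site-resource/:siteResourceId/clients` route (last hunk here) and the `/clients/add` and `/clients/remove` routes in the next two hunks gate on and audit `ActionsEnum.setResourceUsers` while the handler changes clients, so the audit trail records a user-membership change for a client-membership change. The diff does not show whether a client-specific action exists in `ActionsEnum`; if one does, these three chains should use it for both `verifyApiKeyHasAction` and `logActionAudit`, and if not, a comment such as `// no dedicated client action yet; reuses setResourceUsers for authz and audit` on each would stop the next reader from treating it as a mistake.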
@@ -279,6 +292,7 @@ authenticated.post(
 "/site-resource/:siteResourceId/clients/add",
 verifyApiKeySiteResourceAccess,
 verifyApiKeySetResourceClients,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
 logActionAudit(ActionsEnum.setResourceUsers),
 siteResource.addClientToSiteResource
@@ -288,6 +302,7 @@ authenticated.post(
 "/site-resource/:siteResourceId/clients/remove",
 verifyApiKeySiteResourceAccess,
 verifyApiKeySetResourceClients,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
 logActionAudit(ActionsEnum.setResourceUsers),
 siteResource.removeClientFromSiteResource
@@ -296,6 +311,7 @@ authenticated.post(
 authenticated.put(
 "/org/:orgId/resource",
 verifyApiKeyOrgAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.createResource),
 logActionAudit(ActionsEnum.createResource),
 resource.createResource
@@ -304,6 +320,7 @@ authenticated.put(
 authenticated.put(
 "/org/:orgId/site/:siteId/resource",
 verifyApiKeyOrgAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.createResource),
 logActionAudit(ActionsEnum.createResource),
 resource.createResource
@@ -340,6 +357,7 @@ authenticated.get(
 authenticated.post(
 "/org/:orgId/create-invite",
 verifyApiKeyOrgAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.inviteUser),
 logActionAudit(ActionsEnum.inviteUser),
 user.inviteUser
@@ -377,6 +395,7 @@ authenticated.get(
 authenticated.post(
 "/resource/:resourceId",
 verifyApiKeyResourceAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.updateResource),
 logActionAudit(ActionsEnum.updateResource),
 resource.updateResource
@@ -393,6 +412,7 @@ authenticated.delete(
 authenticated.put(
 "/resource/:resourceId/target",
 verifyApiKeyResourceAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.createTarget),
 logActionAudit(ActionsEnum.createTarget),
 target.createTarget
@@ -408,6 +428,7 @@ authenticated.get(
 authenticated.put(
 "/resource/:resourceId/rule",
 verifyApiKeyResourceAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.createResourceRule),
 logActionAudit(ActionsEnum.createResourceRule),
 resource.createResourceRule
@@ -423,6 +444,7 @@ authenticated.get(
 authenticated.post(
 "/resource/:resourceId/rule/:ruleId",
 verifyApiKeyResourceAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.updateResourceRule),
 logActionAudit(ActionsEnum.updateResourceRule),
 resource.updateResourceRule
@@ -446,6 +468,7 @@ authenticated.get(
 authenticated.post(
 "/target/:targetId",
 verifyApiKeyTargetAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.updateTarget),
 logActionAudit(ActionsEnum.updateTarget),
 target.updateTarget
@@ -462,6 +485,7 @@ authenticated.delete(
 authenticated.put(
 "/org/:orgId/role",
 verifyApiKeyOrgAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.createRole),
 logActionAudit(ActionsEnum.createRole),
 role.createRole
@@ -470,6 +494,7 @@ authenticated.put(
 authenticated.post(
 "/role/:roleId",
 verifyApiKeyRoleAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.updateRole),
 logActionAudit(ActionsEnum.updateRole),
 role.updateRole
@@ -501,6 +526,7 @@ authenticated.post(
 "/role/:roleId/add/:userId",
 verifyApiKeyRoleAccess,
 verifyApiKeyUserAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.addUserRole),
 logActionAudit(ActionsEnum.addUserRole),
 user.addUserRole
@@ -510,6 +536,7 @@ authenticated.post(
 "/resource/:resourceId/roles",
 verifyApiKeyResourceAccess,
 verifyApiKeyRoleAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceRoles),
 logActionAudit(ActionsEnum.setResourceRoles),
 resource.setResourceRoles
@@ -519,6 +546,7 @@ authenticated.post(
 "/resource/:resourceId/users",
 verifyApiKeyResourceAccess,
 verifyApiKeySetResourceUsers,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
 logActionAudit(ActionsEnum.setResourceUsers),
 resource.setResourceUsers
@@ -528,6 +556,7 @@ authenticated.post(
 "/resource/:resourceId/roles/add",
 verifyApiKeyResourceAccess,
 verifyApiKeyRoleAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceRoles),
 logActionAudit(ActionsEnum.setResourceRoles),
 resource.addRoleToResource
@@ -537,6 +566,7 @@ authenticated.post(
 "/resource/:resourceId/roles/remove",
 verifyApiKeyResourceAccess,
 verifyApiKeyRoleAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceRoles),
 logActionAudit(ActionsEnum.setResourceRoles),
 resource.removeRoleFromResource
@@ -546,6 +576,7 @@ authenticated.post(
 "/resource/:resourceId/users/add",
 verifyApiKeyResourceAccess,
 verifyApiKeySetResourceUsers,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
 logActionAudit(ActionsEnum.setResourceUsers),
 resource.addUserToResource
@@ -555,6 +586,7 @@ authenticated.post(
 "/resource/:resourceId/users/remove",
 verifyApiKeyResourceAccess,
 verifyApiKeySetResourceUsers,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
 logActionAudit(ActionsEnum.setResourceUsers),
 resource.removeUserFromResource
@@ -563,6 +595,7 @@ authenticated.post(
 authenticated.post(
 `/resource/:resourceId/password`,
 verifyApiKeyResourceAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourcePassword),
 logActionAudit(ActionsEnum.setResourcePassword),
 resource.setResourcePassword
@@ -571,6 +604,7 @@ authenticated.post(
 authenticated.post(
 `/resource/:resourceId/pincode`,
 verifyApiKeyResourceAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourcePincode),
 logActionAudit(ActionsEnum.setResourcePincode),
 resource.setResourcePincode
@@ -579,6 +613,7 @@ authenticated.post(
 authenticated.post(
 `/resource/:resourceId/header-auth`,
 verifyApiKeyResourceAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceHeaderAuth),
 logActionAudit(ActionsEnum.setResourceHeaderAuth),
 resource.setResourceHeaderAuth
@@ -587,6 +622,7 @@ authenticated.post(
 authenticated.post(
 `/resource/:resourceId/whitelist`,
 verifyApiKeyResourceAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceWhitelist),
 logActionAudit(ActionsEnum.setResourceWhitelist),
 resource.setResourceWhitelist
@@ -595,6 +631,7 @@ authenticated.post(
 authenticated.post(
 `/resource/:resourceId/whitelist/add`,
 verifyApiKeyResourceAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceWhitelist),
 resource.addEmailToResourceWhitelist
 );
@@ -602,6 +639,7 @@ authenticated.post(
 authenticated.post(
 `/resource/:resourceId/whitelist/remove`,
 verifyApiKeyResourceAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setResourceWhitelist),
 resource.removeEmailFromResourceWhitelist
 );
@@ -616,6 +654,7 @@ authenticated.get(
 authenticated.post(
 `/resource/:resourceId/access-token`,
 verifyApiKeyResourceAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.generateAccessToken),
 logActionAudit(ActionsEnum.generateAccessToken),
 accessToken.generateAccessToken
@@ -653,6 +692,7 @@ authenticated.get(
 authenticated.post(
 "/user/:userId/2fa",
 verifyApiKeyIsRoot,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.updateUser),
 logActionAudit(ActionsEnum.updateUser),
 user.updateUser2FA
@@ -675,6 +715,7 @@ authenticated.get(
 authenticated.put(
 "/org/:orgId/user",
 verifyApiKeyOrgAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.createOrgUser),
 logActionAudit(ActionsEnum.createOrgUser),
 user.createOrgUser
@@ -684,6 +725,7 @@ authenticated.post(
 "/org/:orgId/user/:userId",
 verifyApiKeyOrgAccess,
 verifyApiKeyUserAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.updateOrgUser),
 logActionAudit(ActionsEnum.updateOrgUser),
 user.updateOrgUser
@@ -714,6 +756,7 @@ authenticated.get(
 authenticated.post(
 `/org/:orgId/api-key/:apiKeyId/actions`,
 verifyApiKeyIsRoot,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.setApiKeyActions),
 logActionAudit(ActionsEnum.setApiKeyActions),
 apiKeys.setApiKeyActions
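Review bot: The `/resource/:resourceId/whitelist/add` and `/resource/:resourceId/whitelist/remove` chains (second and third hunks here) still carry no `logActionAudit` call, while the sibling `/resource/:resourceId/whitelist` route in the first hunk audits `ActionsEnum.setResourceWhitelist`; all three mutate the same allow-list, so add/remove changes currently leave no audit record. Since this commit is already editing both chains, inserting `logActionAudit(ActionsEnum.setResourceWhitelist),` directly after the `verifyApiKeyHasAction(ActionsEnum.setResourceWhitelist),` line in each would bring them in line with every other mutating route in this file. If the omission is deliberate, a one-line comment on each route saying why would prevent it being read as a gap.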
@@ -729,6 +772,7 @@ authenticated.get(
 authenticated.put(
 `/org/:orgId/api-key`,
 verifyApiKeyIsRoot,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.createApiKey),
 logActionAudit(ActionsEnum.createApiKey),
 apiKeys.createOrgApiKey
@@ -745,6 +789,7 @@ authenticated.delete(
 authenticated.put(
 "/idp/oidc",
 verifyApiKeyIsRoot,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.createIdp),
 logActionAudit(ActionsEnum.createIdp),
 idp.createOidcIdp
@@ -753,6 +798,7 @@ authenticated.put(
 authenticated.post(
 "/idp/:idpId/oidc",
 verifyApiKeyIsRoot,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.updateIdp),
 logActionAudit(ActionsEnum.updateIdp),
 idp.updateOidcIdp
@@ -776,6 +822,7 @@ authenticated.get(
 authenticated.put(
 "/idp/:idpId/org/:orgId",
 verifyApiKeyIsRoot,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.createIdpOrg),
 logActionAudit(ActionsEnum.createIdpOrg),
 idp.createIdpOrgPolicy
@@ -784,6 +831,7 @@ authenticated.put(
 authenticated.post(
 "/idp/:idpId/org/:orgId",
 verifyApiKeyIsRoot,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.updateIdpOrg),
 logActionAudit(ActionsEnum.updateIdpOrg),
 idp.updateIdpOrgPolicy
@@ -828,6 +876,7 @@ authenticated.get(
 authenticated.put(
 "/org/:orgId/client",
 verifyApiKeyOrgAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.createClient),
 logActionAudit(ActionsEnum.createClient),
 client.createClient
@@ -854,6 +903,7 @@ authenticated.delete(
 authenticated.post(
 "/client/:clientId/archive",
 verifyApiKeyClientAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.archiveClient),
 logActionAudit(ActionsEnum.archiveClient),
 client.archiveClient
@@ -862,6 +912,7 @@ authenticated.post(
 authenticated.post(
 "/client/:clientId/unarchive",
 verifyApiKeyClientAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.unarchiveClient),
 logActionAudit(ActionsEnum.unarchiveClient),
 client.unarchiveClient
@@ -870,6 +921,7 @@ authenticated.post(
 authenticated.post(
 "/client/:clientId/block",
 verifyApiKeyClientAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.blockClient),
 logActionAudit(ActionsEnum.blockClient),
 client.blockClient
@@ -878,6 +930,7 @@ authenticated.post(
 authenticated.post(
 "/client/:clientId/unblock",
 verifyApiKeyClientAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.unblockClient),
 logActionAudit(ActionsEnum.unblockClient),
 client.unblockClient
@@ -886,6 +939,7 @@ authenticated.post(
 authenticated.post(
 "/client/:clientId",
 verifyApiKeyClientAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.updateClient),
 logActionAudit(ActionsEnum.updateClient),
 client.updateClient
@@ -894,6 +948,7 @@ authenticated.put(
 authenticated.put(
 "/org/:orgId/blueprint",
 verifyApiKeyOrgAccess,
+ verifyLimits,
 verifyApiKeyHasAction(ActionsEnum.applyBlueprint),
 logActionAudit(ActionsEnum.applyBlueprint),
 blueprints.applyJSONBlueprint