loopback/server/middleware/token.js

// Copyright IBM Corp. 2014,2016. All Rights Reserved.
// Node module: loopback
// This file is licensed under the MIT License.
// License text available at https://opensource.org/licenses/MIT

/*!
 * Module dependencies.
 */

'use strict';
var loopback = require('../../lib/loopback');
var assert = require('assert');
var debug = require('debug')('loopback:middleware:token');

/*!
 * Export the middleware.
 */

module.exports = token;

/*
 * Rewrite the url to replace current user literal with the logged in user id
 */
function rewriteUserLiteral(req, currentUserLiteral) {
  if (req.accessToken && req.accessToken.userId && currentUserLiteral) {
    // Replace /me/ with /current-user-id/
    var urlBeforeRewrite = req.url;
    req.url = req.url.replace(
      new RegExp('/' + currentUserLiteral + '(/|$|\\?)', 'g'),
        '/' + req.accessToken.userId + '$1');
    if (req.url !== urlBeforeRewrite) {
      debug('req.url has been rewritten from %s to %s', urlBeforeRewrite,
        req.url);
    }
  }
}

function escapeRegExp(str) {
  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

/**
 * Check for an access token in cookies, headers, and query string parameters.
 * This function always checks for the following:
 *
 * - `access_token` (params only)
 * - `X-Access-Token` (headers only)
 * - `authorization` (headers and cookies)
 *
 * It checks for these values in cookies, headers, and query string parameters _in addition_ to the items
 * specified in the options parameter.
 *
 * **NOTE:** This function only checks for [signed cookies](http://expressjs.com/api.html#req.signedCookies).
 *
 * The following example illustrates how to check for an `accessToken` in a custom cookie, query string parameter
 * and header called `foo-auth`.
 *
 * ```js
 * app.use(loopback.token({
 *   cookies: ['foo-auth'],
 *   headers: ['foo-auth', 'X-Foo-Auth'],
 *   params: ['foo-auth', 'foo_auth']
 * }));
 * ```
 *
 * @options {Object} [options] Each option array is used to add additional keys to find an `accessToken` for a `request`.
 * @property {Array} [cookies] Array of cookie names.
 * @property {Array} [headers] Array of header names.
 * @property {Array} [params] Array of param names.
 * @property {Boolean} [searchDefaultTokenKeys] Use the default search locations for Token in request
 * @property {Boolean} [enableDoublecheck] Execute middleware although an instance mounted earlier in the chain didn't find a token
 * @property {Boolean} [overwriteExistingToken] only has effect in combination with `enableDoublecheck`. If truthy, will allow to overwrite an existing accessToken.
 * @property {Function|String} [model] AccessToken model name or class to use.
 * @property {String} [currentUserLiteral] String literal for the current user.
 * @header loopback.token([options])
 */

function token(options) {
  options = options || {};
  var TokenModel;

  var currentUserLiteral = options.currentUserLiteral;
  if (currentUserLiteral && (typeof currentUserLiteral !== 'string')) {
    debug('Set currentUserLiteral to \'me\' as the value is not a string.');
    currentUserLiteral = 'me';
  }
  if (typeof currentUserLiteral === 'string') {
    currentUserLiteral = escapeRegExp(currentUserLiteral);
  }

  var enableDoublecheck = !!options.enableDoublecheck;
  var overwriteExistingToken = !!options.overwriteExistingToken;

  return function(req, res, next) {
    var app = req.app;
    var registry = app.registry;
    if (!TokenModel) {
      if (registry === loopback.registry) {
        TokenModel = options.model || loopback.AccessToken;
      } else if (options.model) {
        TokenModel = registry.getModel(options.model);
      } else {
        TokenModel = registry.getModel('AccessToken');
      }
    }

    assert(typeof TokenModel === 'function',
      'loopback.token() middleware requires a AccessToken model');

    if (req.accessToken !== undefined) {
      if (!enableDoublecheck) {
        // req.accessToken is defined already (might also be "null" or "false") and enableDoublecheck
        // has not been set --> skip searching for credentials
        rewriteUserLiteral(req, currentUserLiteral);
        return next();
      }
      if (req.accessToken && req.accessToken.id && !overwriteExistingToken) {
        // req.accessToken.id is defined, which means that some other middleware has identified a valid user.
        // when overwriteExistingToken is not set to a truthy value, skip searching for credentials.
        rewriteUserLiteral(req, currentUserLiteral);
        return next();
      }
      // continue normal operation (as if req.accessToken was undefined)
    }
    TokenModel.findForRequest(req, options, function(err, token) {
      req.accessToken = token || null;
      rewriteUserLiteral(req, currentUserLiteral);
      var ctx = req.loopbackContext;
      if (ctx && ctx.active) ctx.set('accessToken', token);
      next(err);
    });
  };
}
update copyright statements 2016-05-03 22:50:21 +00:00			`// Copyright IBM Corp. 2014,2016. All Rights Reserved.`
			`// Node module: loopback`
			`// This file is licensed under the MIT License.`
			`// License text available at https://opensource.org/licenses/MIT`

Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`/*!`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`* Module dependencies.`
			`*/`

Update eslint to loopback config v5 Notable side-effects: - loopback no longer exports "caller" and "arguments" properties - kv-memory connector is now properly added to the connector registry - the file "test/support.js" was finally removed 2016-11-15 21:46:23 +00:00			`'use strict';`
Move middleware sources to `server/middleware` The new location allows developer to use the following identifiers when loading the middleware using the new declarative style: app.middlewareFromConfig( require('loopback/server/middleware/rest'), { phase: 'routes' }); app.middlewareFromConfig( require('loopback/server/middleware/url-not-found'), { phase: 'final' }); 2014-11-12 11:36:16 +00:00			`var loopback = require('../../lib/loopback');`
Fix missing assert 2013-12-03 00:37:42 +00:00			`var assert = require('assert');`
Enhance the token middleware to support current user literal 2015-03-12 15:28:15 +00:00			`var debug = require('debug')('loopback:middleware:token');`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`/*!`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`* Export the middleware.`
			`*/`

			`module.exports = token;`

Enhance the token middleware to support current user literal 2015-03-12 15:28:15 +00:00			`/*`
			`* Rewrite the url to replace current user literal with the logged in user id`
			`*/`
			`function rewriteUserLiteral(req, currentUserLiteral) {`
			`if (req.accessToken && req.accessToken.userId && currentUserLiteral) {`
			`// Replace /me/ with /current-user-id/`
			`var urlBeforeRewrite = req.url;`
			`req.url = req.url.replace(`
			`new RegExp('/' + currentUserLiteral + '(/\|$\|\\?)', 'g'),`
			`'/' + req.accessToken.userId + '$1');`
			`if (req.url !== urlBeforeRewrite) {`
			`debug('req.url has been rewritten from %s to %s', urlBeforeRewrite,`
			`req.url);`
			`}`
			`}`
			`}`

			`function escapeRegExp(str) {`
			`return str.replace(/[.*+?^${}()\|[\]\\]/g, '\\$&');`
			`}`

add missing semicolons 2014-10-16 22:54:40 +00:00			`/**`
Update JSDoc 2014-06-05 00:42:18 +00:00			`* Check for an access token in cookies, headers, and query string parameters.`
			`* This function always checks for the following:`
add missing semicolons 2014-10-16 22:54:40 +00:00			`*`
Fix misleading token middleware documentation Signed-off-by: Aleksandr Tsertkov <tsertkov@gmail.com> 2014-07-01 14:59:49 +00:00			* - `access_token` (params only)
			* - `X-Access-Token` (headers only)
			* - `authorization` (headers and cookies)
Update JSDoc 2014-06-05 00:42:18 +00:00			`*`
			`* It checks for these values in cookies, headers, and query string parameters _in addition_ to the items`
			`* specified in the options parameter.`
add missing semicolons 2014-10-16 22:54:40 +00:00			`*`
Update JSDoc 2014-06-05 00:42:18 +00:00			`* NOTE: This function only checks for [signed cookies](http://expressjs.com/api.html#req.signedCookies).`
add missing semicolons 2014-10-16 22:54:40 +00:00			`*`
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			* The following example illustrates how to check for an `accessToken` in a custom cookie, query string parameter
			* and header called `foo-auth`.
add missing semicolons 2014-10-16 22:54:40 +00:00			`*`
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			* ```js
			`* app.use(loopback.token({`
			`* cookies: ['foo-auth'],`
			`* headers: ['foo-auth', 'X-Foo-Auth'],`
Update JSDoc 2014-06-05 00:42:18 +00:00			`* params: ['foo-auth', 'foo_auth']`
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`* }));`
			* ```
			`*`
Update JSDoc 2014-06-05 00:42:18 +00:00			* @options {Object} [options] Each option array is used to add additional keys to find an `accessToken` for a `request`.
			`* @property {Array} [cookies] Array of cookie names.`
			`* @property {Array} [headers] Array of header names.`
			`* @property {Array} [params] Array of param names.`
access-token: add option "searchDefaultTokenKeys" Set this option to false to prevent AccessToken from checking default places like "access_token" in query. 2015-04-29 11:45:22 +00:00			`* @property {Boolean} [searchDefaultTokenKeys] Use the default search locations for Token in request`
Allow built-in token middleware to run repeatedly Add two new options: - When `enableDoublecheck` is true, the middleware will run even if a previous middleware has already set `req.accessToken` (possibly to `null` for anonymous requests) - When `overwriteExistingToken` is true (and `enableDoublecheck` too), the middleware will overwrite `req.accessToken` set by a previous middleware instances. 2016-02-29 15:49:41 +00:00			`* @property {Boolean} [enableDoublecheck] Execute middleware although an instance mounted earlier in the chain didn't find a token`
			* @property {Boolean} [overwriteExistingToken] only has effect in combination with `enableDoublecheck`. If truthy, will allow to overwrite an existing accessToken.
Enhance the token middleware to support current user literal 2015-03-12 15:28:15 +00:00			`* @property {Function\|String} [model] AccessToken model name or class to use.`
			`* @property {String} [currentUserLiteral] String literal for the current user.`
Update JSDoc 2014-06-05 00:42:18 +00:00			`* @header loopback.token([options])`
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`*/`

Update session / token documentation 2013-11-14 23:27:36 +00:00			`function token(options) {`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`options = options \|\| {};`
Add support for app level Model isolation - `loopback.registry` is now a true global registry - `app.registry` is unique per app object - `Model.registry` is set when a Model is created using any registry method - `loopback.localRegistry` and `loopback({localRegistry: true})` when set to `true` this will create a `Registry` per `Application`. It defaults to `false`. 2015-04-01 21:50:36 +00:00			`var TokenModel;`

Enhance the token middleware to support current user literal 2015-03-12 15:28:15 +00:00			`var currentUserLiteral = options.currentUserLiteral;`
			`if (currentUserLiteral && (typeof currentUserLiteral !== 'string')) {`
			`debug('Set currentUserLiteral to \'me\' as the value is not a string.');`
			`currentUserLiteral = 'me';`
			`}`
			`if (typeof currentUserLiteral === 'string') {`
			`currentUserLiteral = escapeRegExp(currentUserLiteral);`
			`}`
add missing semicolons 2014-10-16 22:54:40 +00:00
Allow built-in token middleware to run repeatedly Add two new options: - When `enableDoublecheck` is true, the middleware will run even if a previous middleware has already set `req.accessToken` (possibly to `null` for anonymous requests) - When `overwriteExistingToken` is true (and `enableDoublecheck` too), the middleware will overwrite `req.accessToken` set by a previous middleware instances. 2016-02-29 15:49:41 +00:00			`var enableDoublecheck = !!options.enableDoublecheck;`
			`var overwriteExistingToken = !!options.overwriteExistingToken;`

Enable jscs for `lib`, fix style violations 2014-10-30 20:49:47 +00:00			`return function(req, res, next) {`
Add support for app level Model isolation - `loopback.registry` is now a true global registry - `app.registry` is unique per app object - `Model.registry` is set when a Model is created using any registry method - `loopback.localRegistry` and `loopback({localRegistry: true})` when set to `true` this will create a `Registry` per `Application`. It defaults to `false`. 2015-04-01 21:50:36 +00:00			`var app = req.app;`
			`var registry = app.registry;`
			`if (!TokenModel) {`
			`if (registry === loopback.registry) {`
			`TokenModel = options.model \|\| loopback.AccessToken;`
			`} else if (options.model) {`
			`TokenModel = registry.getModel(options.model);`
			`} else {`
			`TokenModel = registry.getModel('AccessToken');`
			`}`
			`}`

			`assert(typeof TokenModel === 'function',`
			`'loopback.token() middleware requires a AccessToken model');`

Enhance the token middleware to support current user literal 2015-03-12 15:28:15 +00:00			`if (req.accessToken !== undefined) {`
Allow built-in token middleware to run repeatedly Add two new options: - When `enableDoublecheck` is true, the middleware will run even if a previous middleware has already set `req.accessToken` (possibly to `null` for anonymous requests) - When `overwriteExistingToken` is true (and `enableDoublecheck` too), the middleware will overwrite `req.accessToken` set by a previous middleware instances. 2016-02-29 15:49:41 +00:00			`if (!enableDoublecheck) {`
			`// req.accessToken is defined already (might also be "null" or "false") and enableDoublecheck`
			`// has not been set --> skip searching for credentials`
			`rewriteUserLiteral(req, currentUserLiteral);`
			`return next();`
			`}`
			`if (req.accessToken && req.accessToken.id && !overwriteExistingToken) {`
			`// req.accessToken.id is defined, which means that some other middleware has identified a valid user.`
			`// when overwriteExistingToken is not set to a truthy value, skip searching for credentials.`
			`rewriteUserLiteral(req, currentUserLiteral);`
			`return next();`
			`}`
			`// continue normal operation (as if req.accessToken was undefined)`
Enhance the token middleware to support current user literal 2015-03-12 15:28:15 +00:00			`}`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`TokenModel.findForRequest(req, options, function(err, token) {`
Invalid Access Token return 401 Clean up logic to be easier to read. Signed-off-by: Karl Mikkelsen <karl@karlmikko.com> 2014-06-17 06:27:41 +00:00			`req.accessToken = token \|\| null;`
Enhance the token middleware to support current user literal 2015-03-12 15:28:15 +00:00			`rewriteUserLiteral(req, currentUserLiteral);`
Remove current-context API Change all current-context APIs to throw a helpful error. 2016-07-28 14:36:23 +00:00			`var ctx = req.loopbackContext;`
Fix token middleware crash Fix token middleware to check if `req.loopbackContext` is active. The context is not active for example when express-session calls setImmediate which breaks CLS. 2016-08-16 11:51:42 +00:00			`if (ctx && ctx.active) ctx.set('accessToken', token);`
Invalid Access Token return 401 Clean up logic to be easier to read. Signed-off-by: Karl Mikkelsen <karl@karlmikko.com> 2014-06-17 06:27:41 +00:00			`next(err);`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`});`
add missing semicolons 2014-10-16 22:54:40 +00:00			`};`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`}`