loopback/server/middleware/token.js

/*!
 * Module dependencies.
 */

var loopback = require('../../lib/loopback');
var assert = require('assert');
var debug = require('debug')('loopback:middleware:token');

/*!
 * Export the middleware.
 */

module.exports = token;

/*
 * Rewrite the url to replace current user literal with the logged in user id
 */
function rewriteUserLiteral(req, currentUserLiteral) {
  if (req.accessToken && req.accessToken.userId && currentUserLiteral) {
    // Replace /me/ with /current-user-id/
    var urlBeforeRewrite = req.url;
    req.url = req.url.replace(
      new RegExp('/' + currentUserLiteral + '(/|$|\\?)', 'g'),
        '/' + req.accessToken.userId + '$1');
    if (req.url !== urlBeforeRewrite) {
      debug('req.url has been rewritten from %s to %s', urlBeforeRewrite,
        req.url);
    }
  }
}

function escapeRegExp(str) {
  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

/**
 * Check for an access token in cookies, headers, and query string parameters.
 * This function always checks for the following:
 *
 * - `access_token` (params only)
 * - `X-Access-Token` (headers only)
 * - `authorization` (headers and cookies)
 *
 * It checks for these values in cookies, headers, and query string parameters _in addition_ to the items
 * specified in the options parameter.
 *
 * **NOTE:** This function only checks for [signed cookies](http://expressjs.com/api.html#req.signedCookies).
 *
 * The following example illustrates how to check for an `accessToken` in a custom cookie, query string parameter
 * and header called `foo-auth`.
 *
 * ```js
 * app.use(loopback.token({
 *   cookies: ['foo-auth'],
 *   headers: ['foo-auth', 'X-Foo-Auth'],
 *   params: ['foo-auth', 'foo_auth']
 * }));
 * ```
 *
 * @options {Object} [options] Each option array is used to add additional keys to find an `accessToken` for a `request`.
 * @property {Array} [cookies] Array of cookie names.
 * @property {Array} [headers] Array of header names.
 * @property {Array} [params] Array of param names.
 * @property {Function|String} [model] AccessToken model name or class to use.
 * @property {String} [currentUserLiteral] String literal for the current user.
 * @header loopback.token([options])
 */

function token(options) {
  options = options || {};
  var TokenModel = options.model || loopback.AccessToken;
  if (typeof TokenModel === 'string') {
    // Make it possible to configure the model in middleware.json
    TokenModel = loopback.getModel(TokenModel);
  }
  var currentUserLiteral = options.currentUserLiteral;
  if (currentUserLiteral && (typeof currentUserLiteral !== 'string')) {
    debug('Set currentUserLiteral to \'me\' as the value is not a string.');
    currentUserLiteral = 'me';
  }
  if (typeof currentUserLiteral === 'string') {
    currentUserLiteral = escapeRegExp(currentUserLiteral);
  }
  assert(typeof TokenModel === 'function',
    'loopback.token() middleware requires a AccessToken model');

  return function(req, res, next) {
    if (req.accessToken !== undefined) {
      rewriteUserLiteral(req, currentUserLiteral);
      return next();
    }
    TokenModel.findForRequest(req, options, function(err, token) {
      req.accessToken = token || null;
      rewriteUserLiteral(req, currentUserLiteral);
      var ctx = loopback.getCurrentContext();
      if (ctx) ctx.set('accessToken', token);
      next(err);
    });
  };
}
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`/*!`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`* Module dependencies.`
			`*/`

Move middleware sources to `server/middleware` The new location allows developer to use the following identifiers when loading the middleware using the new declarative style: app.middlewareFromConfig( require('loopback/server/middleware/rest'), { phase: 'routes' }); app.middlewareFromConfig( require('loopback/server/middleware/url-not-found'), { phase: 'final' }); 2014-11-12 11:36:16 +00:00			`var loopback = require('../../lib/loopback');`
Fix missing assert 2013-12-03 00:37:42 +00:00			`var assert = require('assert');`
Enhance the token middleware to support current user literal 2015-03-12 15:28:15 +00:00			`var debug = require('debug')('loopback:middleware:token');`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`/*!`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`* Export the middleware.`
			`*/`

			`module.exports = token;`

Enhance the token middleware to support current user literal 2015-03-12 15:28:15 +00:00			`/*`
			`* Rewrite the url to replace current user literal with the logged in user id`
			`*/`
			`function rewriteUserLiteral(req, currentUserLiteral) {`
			`if (req.accessToken && req.accessToken.userId && currentUserLiteral) {`
			`// Replace /me/ with /current-user-id/`
			`var urlBeforeRewrite = req.url;`
			`req.url = req.url.replace(`
			`new RegExp('/' + currentUserLiteral + '(/\|$\|\\?)', 'g'),`
			`'/' + req.accessToken.userId + '$1');`
			`if (req.url !== urlBeforeRewrite) {`
			`debug('req.url has been rewritten from %s to %s', urlBeforeRewrite,`
			`req.url);`
			`}`
			`}`
			`}`

			`function escapeRegExp(str) {`
			`return str.replace(/[.*+?^${}()\|[\]\\]/g, '\\$&');`
			`}`

add missing semicolons 2014-10-16 22:54:40 +00:00			`/**`
Update JSDoc 2014-06-05 00:42:18 +00:00			`* Check for an access token in cookies, headers, and query string parameters.`
			`* This function always checks for the following:`
add missing semicolons 2014-10-16 22:54:40 +00:00			`*`
Fix misleading token middleware documentation Signed-off-by: Aleksandr Tsertkov <tsertkov@gmail.com> 2014-07-01 14:59:49 +00:00			* - `access_token` (params only)
			* - `X-Access-Token` (headers only)
			* - `authorization` (headers and cookies)
Update JSDoc 2014-06-05 00:42:18 +00:00			`*`
			`* It checks for these values in cookies, headers, and query string parameters _in addition_ to the items`
			`* specified in the options parameter.`
add missing semicolons 2014-10-16 22:54:40 +00:00			`*`
Update JSDoc 2014-06-05 00:42:18 +00:00			`* NOTE: This function only checks for [signed cookies](http://expressjs.com/api.html#req.signedCookies).`
add missing semicolons 2014-10-16 22:54:40 +00:00			`*`
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			* The following example illustrates how to check for an `accessToken` in a custom cookie, query string parameter
			* and header called `foo-auth`.
add missing semicolons 2014-10-16 22:54:40 +00:00			`*`
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			* ```js
			`* app.use(loopback.token({`
			`* cookies: ['foo-auth'],`
			`* headers: ['foo-auth', 'X-Foo-Auth'],`
Update JSDoc 2014-06-05 00:42:18 +00:00			`* params: ['foo-auth', 'foo_auth']`
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`* }));`
			* ```
			`*`
Update JSDoc 2014-06-05 00:42:18 +00:00			* @options {Object} [options] Each option array is used to add additional keys to find an `accessToken` for a `request`.
			`* @property {Array} [cookies] Array of cookie names.`
			`* @property {Array} [headers] Array of header names.`
			`* @property {Array} [params] Array of param names.`
Enhance the token middleware to support current user literal 2015-03-12 15:28:15 +00:00			`* @property {Function\|String} [model] AccessToken model name or class to use.`
			`* @property {String} [currentUserLiteral] String literal for the current user.`
Update JSDoc 2014-06-05 00:42:18 +00:00			`* @header loopback.token([options])`
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`*/`

Update session / token documentation 2013-11-14 23:27:36 +00:00			`function token(options) {`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`options = options \|\| {};`
Use loopback.AccessToken as default 2013-12-03 01:16:43 +00:00			`var TokenModel = options.model \|\| loopback.AccessToken;`
Enhance the token middleware to support current user literal 2015-03-12 15:28:15 +00:00			`if (typeof TokenModel === 'string') {`
			`// Make it possible to configure the model in middleware.json`
			`TokenModel = loopback.getModel(TokenModel);`
			`}`
			`var currentUserLiteral = options.currentUserLiteral;`
			`if (currentUserLiteral && (typeof currentUserLiteral !== 'string')) {`
			`debug('Set currentUserLiteral to \'me\' as the value is not a string.');`
			`currentUserLiteral = 'me';`
			`}`
			`if (typeof currentUserLiteral === 'string') {`
			`currentUserLiteral = escapeRegExp(currentUserLiteral);`
			`}`
			`assert(typeof TokenModel === 'function',`
			`'loopback.token() middleware requires a AccessToken model');`
add missing semicolons 2014-10-16 22:54:40 +00:00
Enable jscs for `lib`, fix style violations 2014-10-30 20:49:47 +00:00			`return function(req, res, next) {`
Enhance the token middleware to support current user literal 2015-03-12 15:28:15 +00:00			`if (req.accessToken !== undefined) {`
			`rewriteUserLiteral(req, currentUserLiteral);`
			`return next();`
			`}`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`TokenModel.findForRequest(req, options, function(err, token) {`
Invalid Access Token return 401 Clean up logic to be easier to read. Signed-off-by: Karl Mikkelsen <karl@karlmikko.com> 2014-06-17 06:27:41 +00:00			`req.accessToken = token \|\| null;`
Enhance the token middleware to support current user literal 2015-03-12 15:28:15 +00:00			`rewriteUserLiteral(req, currentUserLiteral);`
middleware/token: store the token in current ctx 2014-11-10 17:37:35 +00:00			`var ctx = loopback.getCurrentContext();`
			`if (ctx) ctx.set('accessToken', token);`
Invalid Access Token return 401 Clean up logic to be easier to read. Signed-off-by: Karl Mikkelsen <karl@karlmikko.com> 2014-06-17 06:27:41 +00:00			`next(err);`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`});`
add missing semicolons 2014-10-16 22:54:40 +00:00			`};`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`}`