loopback/lib/middleware/token.js

/*!
 * Module dependencies.
 */

var loopback = require('../loopback');
var assert = require('assert');

/*!
 * Export the middleware.
 */

module.exports = token;

/**    
 * Check for an access token in cookies, headers, and query string parameters.
 * This function always checks for the following:
 * 
 * - `access_token`
 * - `X-Access-Token`
 * - `authorization`
 *
 * It checks for these values in cookies, headers, and query string parameters _in addition_ to the items
 * specified in the options parameter.
 * 
 * **NOTE:** This function only checks for [signed cookies](http://expressjs.com/api.html#req.signedCookies).
 * 
 * The following example illustrates how to check for an `accessToken` in a custom cookie, query string parameter
 * and header called `foo-auth`.
 * 
 * ```js
 * app.use(loopback.token({
 *   cookies: ['foo-auth'],
 *   headers: ['foo-auth', 'X-Foo-Auth'],
 *   params: ['foo-auth', 'foo_auth']
 * }));
 * ```
 *
 * @options {Object} [options] Each option array is used to add additional keys to find an `accessToken` for a `request`.
 * @property {Array} [cookies] Array of cookie names.
 * @property {Array} [headers] Array of header names.
 * @property {Array} [params] Array of param names.
 * @property {Array} [model] An AccessToken object to use.
 * @header loopback.token([options])
 */

function token(options) {
  options = options || {};
  var TokenModel = options.model || loopback.AccessToken;
  assert(TokenModel, 'loopback.token() middleware requires a AccessToken model');
  
  return function (req, res, next) {
    if (req.accessToken !== undefined) return next();
    TokenModel.findForRequest(req, options, function(err, token) {
      req.accessToken = token || null;
      next(err);
    });
  }
}
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`/*!`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`* Module dependencies.`
			`*/`

			`var loopback = require('../loopback');`
Fix missing assert 2013-12-03 00:37:42 +00:00			`var assert = require('assert');`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`/*!`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`* Export the middleware.`
			`*/`

			`module.exports = token;`

Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`/**`
Update JSDoc 2014-06-05 00:42:18 +00:00			`* Check for an access token in cookies, headers, and query string parameters.`
			`* This function always checks for the following:`
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`*`
Update JSDoc 2014-06-05 00:42:18 +00:00			* - `access_token`
			* - `X-Access-Token`
			* - `authorization`
			`*`
			`* It checks for these values in cookies, headers, and query string parameters _in addition_ to the items`
			`* specified in the options parameter.`
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`*`
Update JSDoc 2014-06-05 00:42:18 +00:00			`* NOTE: This function only checks for [signed cookies](http://expressjs.com/api.html#req.signedCookies).`
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`*`
			* The following example illustrates how to check for an `accessToken` in a custom cookie, query string parameter
			* and header called `foo-auth`.
			`*`
			* ```js
			`* app.use(loopback.token({`
			`* cookies: ['foo-auth'],`
			`* headers: ['foo-auth', 'X-Foo-Auth'],`
Update JSDoc 2014-06-05 00:42:18 +00:00			`* params: ['foo-auth', 'foo_auth']`
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`* }));`
			* ```
			`*`
Update JSDoc 2014-06-05 00:42:18 +00:00			* @options {Object} [options] Each option array is used to add additional keys to find an `accessToken` for a `request`.
			`* @property {Array} [cookies] Array of cookie names.`
			`* @property {Array} [headers] Array of header names.`
			`* @property {Array} [params] Array of param names.`
			`* @property {Array} [model] An AccessToken object to use.`
			`* @header loopback.token([options])`
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`*/`

Update session / token documentation 2013-11-14 23:27:36 +00:00			`function token(options) {`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`options = options \|\| {};`
Use loopback.AccessToken as default 2013-12-03 01:16:43 +00:00			`var TokenModel = options.model \|\| loopback.AccessToken;`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`assert(TokenModel, 'loopback.token() middleware requires a AccessToken model');`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00
			`return function (req, res, next) {`
Modify `loopback.rest` to include `loopback.token` Make `loopback.rest` self-contained, so that authentication works out of the box. var app = loopback(); app.enableAuth(); app.use(loopback.rest()); Note that cookie parsing middleware is not added, users have to explicitly configure that if they want to store access tokens in cookies. Modify `loopback.token` to skip token lookup when the request already contains `accessToken` property. This is in line with other connect-based middleware like `cookieParser` or `json`. 2014-02-04 15:17:32 +00:00			`if (req.accessToken !== undefined) return next();`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`TokenModel.findForRequest(req, options, function(err, token) {`
Invalid Access Token return 401 Clean up logic to be easier to read. Signed-off-by: Karl Mikkelsen <karl@karlmikko.com> 2014-06-17 06:27:41 +00:00			`req.accessToken = token \|\| null;`
			`next(err);`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`});`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`}`
			`}`