2013-12-20 01:49:47 +00:00
|
|
|
/*!
|
2013-07-02 23:51:38 +00:00
|
|
|
* Module Dependencies.
|
|
|
|
*/
|
|
|
|
|
2013-07-16 17:49:25 +00:00
|
|
|
var Model = require('../loopback').Model
|
|
|
|
, loopback = require('../loopback')
|
2013-11-15 02:34:51 +00:00
|
|
|
, assert = require('assert')
|
2013-11-14 21:01:47 +00:00
|
|
|
, crypto = require('crypto')
|
2013-11-14 23:27:36 +00:00
|
|
|
, uid = require('uid2')
|
2013-11-15 02:34:51 +00:00
|
|
|
, DEFAULT_TTL = 1209600 // 2 weeks in seconds
|
2013-11-15 04:19:46 +00:00
|
|
|
, DEFAULT_TOKEN_LEN = 64
|
2013-12-10 23:57:55 +00:00
|
|
|
, Role = require('./role').Role
|
2013-11-15 04:19:46 +00:00
|
|
|
, ACL = require('./acl').ACL;
|
2013-07-02 23:51:38 +00:00
|
|
|
|
2014-01-06 23:52:08 +00:00
|
|
|
/*!
|
2013-11-13 19:49:08 +00:00
|
|
|
* Default AccessToken properties.
|
2013-07-02 23:51:38 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
var properties = {
|
2014-01-30 17:02:12 +00:00
|
|
|
id: {type: String, id: true},
|
2013-11-15 02:34:51 +00:00
|
|
|
ttl: {type: Number, ttl: true, default: DEFAULT_TTL}, // time to live in seconds
|
|
|
|
created: {type: Date, default: function() {
|
|
|
|
return new Date();
|
|
|
|
}}
|
2013-07-02 23:51:38 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
2013-12-20 01:49:47 +00:00
|
|
|
* Token based authentication and access control.
|
2014-01-06 23:52:08 +00:00
|
|
|
*
|
|
|
|
* @property id {String} Generated token ID
|
|
|
|
* @property ttl {Number} Time to live
|
|
|
|
* @property created {Date} When the token was created
|
2013-12-20 01:49:47 +00:00
|
|
|
*
|
|
|
|
* **Default ACLs**
|
|
|
|
*
|
|
|
|
* - DENY EVERYONE `*`
|
|
|
|
* - ALLOW EVERYONE create
|
|
|
|
*
|
|
|
|
* @class
|
|
|
|
* @inherits {Model}
|
2013-07-02 23:51:38 +00:00
|
|
|
*/
|
|
|
|
|
2013-12-10 23:57:55 +00:00
|
|
|
var AccessToken = module.exports = Model.extend('AccessToken', properties, {
|
|
|
|
acls: [
|
|
|
|
{
|
|
|
|
principalType: ACL.ROLE,
|
|
|
|
principalId: Role.EVERYONE,
|
|
|
|
permission: 'DENY'
|
|
|
|
},
|
|
|
|
{
|
|
|
|
principalType: ACL.ROLE,
|
|
|
|
principalId: Role.EVERYONE,
|
|
|
|
property: 'create',
|
|
|
|
permission: 'ALLOW'
|
|
|
|
}
|
2014-02-14 18:31:30 +00:00
|
|
|
],
|
|
|
|
relations: {
|
|
|
|
user: {
|
|
|
|
type: 'belongsTo',
|
|
|
|
model: 'User',
|
|
|
|
foreignKey: 'userId'
|
|
|
|
}
|
|
|
|
}
|
2013-12-10 23:57:55 +00:00
|
|
|
});
|
|
|
|
|
2013-12-20 01:49:47 +00:00
|
|
|
/**
|
|
|
|
* Anonymous Token
|
|
|
|
*
|
|
|
|
* ```js
|
|
|
|
* assert(AccessToken.ANONYMOUS.id === '$anonymous');
|
|
|
|
* ```
|
|
|
|
*/
|
|
|
|
|
2013-12-10 23:57:55 +00:00
|
|
|
AccessToken.ANONYMOUS = new AccessToken({id: '$anonymous'});
|
2013-07-12 22:47:58 +00:00
|
|
|
|
|
|
|
/**
|
2013-11-13 19:49:08 +00:00
|
|
|
* Create a cryptographically random access token id.
|
2013-07-12 22:47:58 +00:00
|
|
|
*
|
2013-12-20 01:49:47 +00:00
|
|
|
* @callback {Function} callback
|
|
|
|
* @param {Error} err
|
|
|
|
* @param {String} token
|
2013-07-12 22:47:58 +00:00
|
|
|
*/
|
|
|
|
|
2013-11-13 19:49:08 +00:00
|
|
|
AccessToken.createAccessTokenId = function (fn) {
|
2013-11-14 23:27:36 +00:00
|
|
|
uid(this.settings.accessTokenIdLength || DEFAULT_TOKEN_LEN, function(err, guid) {
|
2013-07-12 22:47:58 +00:00
|
|
|
if(err) {
|
|
|
|
fn(err);
|
|
|
|
} else {
|
2013-11-14 23:27:36 +00:00
|
|
|
fn(null, guid);
|
2013-07-12 22:47:58 +00:00
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
/*!
|
2013-11-13 19:49:08 +00:00
|
|
|
* Hook to create accessToken id.
|
2013-07-12 22:47:58 +00:00
|
|
|
*/
|
|
|
|
|
2013-11-13 19:49:08 +00:00
|
|
|
AccessToken.beforeCreate = function (next, data) {
|
2013-07-12 22:47:58 +00:00
|
|
|
data = data || {};
|
|
|
|
|
2013-11-13 19:49:08 +00:00
|
|
|
AccessToken.createAccessTokenId(function (err, id) {
|
2013-07-12 22:47:58 +00:00
|
|
|
if(err) {
|
|
|
|
next(err);
|
|
|
|
} else {
|
|
|
|
data.id = id;
|
2013-11-15 00:47:24 +00:00
|
|
|
|
2013-07-12 22:47:58 +00:00
|
|
|
next();
|
|
|
|
}
|
|
|
|
});
|
2013-11-11 21:35:54 +00:00
|
|
|
}
|
2013-11-14 21:01:47 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Find a token for the given `ServerRequest`.
|
|
|
|
*
|
|
|
|
* @param {ServerRequest} req
|
|
|
|
* @param {Object} [options] Options for finding the token
|
2013-12-20 01:49:47 +00:00
|
|
|
* @callback {Function} callback
|
|
|
|
* @param {Error} err
|
|
|
|
* @param {AccessToken} token
|
2013-11-14 21:01:47 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
AccessToken.findForRequest = function(req, options, cb) {
|
|
|
|
var id = tokenIdForRequest(req, options);
|
|
|
|
|
|
|
|
if(id) {
|
2013-11-15 02:34:51 +00:00
|
|
|
this.findById(id, function(err, token) {
|
|
|
|
if(err) {
|
|
|
|
cb(err);
|
2013-12-11 05:49:18 +00:00
|
|
|
} else if(token) {
|
2013-11-15 02:34:51 +00:00
|
|
|
token.validate(function(err, isValid) {
|
|
|
|
if(err) {
|
|
|
|
cb(err);
|
|
|
|
} else if(isValid) {
|
|
|
|
cb(null, token);
|
|
|
|
} else {
|
2014-06-17 06:27:41 +00:00
|
|
|
var e = new Error('Invalid Access Token');
|
|
|
|
e.status = e.statusCode = 401;
|
|
|
|
cb(e);
|
2013-11-15 02:34:51 +00:00
|
|
|
}
|
|
|
|
});
|
2013-12-11 05:49:18 +00:00
|
|
|
} else {
|
|
|
|
cb();
|
2013-11-15 02:34:51 +00:00
|
|
|
}
|
|
|
|
});
|
2013-11-14 21:01:47 +00:00
|
|
|
} else {
|
|
|
|
process.nextTick(function() {
|
|
|
|
cb();
|
|
|
|
});
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-12-20 01:49:47 +00:00
|
|
|
/**
|
|
|
|
* Validate the token.
|
|
|
|
*
|
|
|
|
* @callback {Function} callback
|
|
|
|
* @param {Error} err
|
|
|
|
* @param {Boolean} isValid
|
|
|
|
*/
|
|
|
|
|
2013-11-15 02:34:51 +00:00
|
|
|
AccessToken.prototype.validate = function(cb) {
|
|
|
|
try {
|
|
|
|
assert(
|
|
|
|
this.created && typeof this.created.getTime === 'function',
|
|
|
|
'token.created must be a valid Date'
|
|
|
|
);
|
|
|
|
assert(this.ttl !== 0, 'token.ttl must be not be 0');
|
|
|
|
assert(this.ttl, 'token.ttl must exist');
|
|
|
|
assert(this.ttl >= -1, 'token.ttl must be >= -1');
|
|
|
|
|
|
|
|
var now = Date.now();
|
|
|
|
var created = this.created.getTime();
|
|
|
|
var elapsedSeconds = (now - created) / 1000;
|
|
|
|
var secondsToLive = this.ttl;
|
|
|
|
var isValid = elapsedSeconds < secondsToLive;
|
|
|
|
|
|
|
|
if(isValid) {
|
|
|
|
cb(null, isValid);
|
|
|
|
} else {
|
|
|
|
this.destroy(function(err) {
|
|
|
|
cb(err, isValid);
|
|
|
|
});
|
|
|
|
}
|
|
|
|
} catch(e) {
|
|
|
|
cb(e);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-11-14 21:01:47 +00:00
|
|
|
function tokenIdForRequest(req, options) {
|
|
|
|
var params = options.params || [];
|
|
|
|
var headers = options.headers || [];
|
|
|
|
var cookies = options.cookies || [];
|
|
|
|
var i = 0;
|
|
|
|
var length;
|
|
|
|
var id;
|
|
|
|
|
2014-06-20 21:39:28 +00:00
|
|
|
params = params.concat(['access_token']);
|
|
|
|
headers = headers.concat(['X-Access-Token', 'authorization']);
|
|
|
|
cookies = cookies.concat(['access_token', 'authorization']);
|
2013-11-14 21:01:47 +00:00
|
|
|
|
|
|
|
for(length = params.length; i < length; i++) {
|
|
|
|
id = req.param(params[i]);
|
|
|
|
|
|
|
|
if(typeof id === 'string') {
|
|
|
|
return id;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-11-14 23:27:36 +00:00
|
|
|
for(i = 0, length = headers.length; i < length; i++) {
|
|
|
|
id = req.header(headers[i]);
|
2013-11-14 21:01:47 +00:00
|
|
|
|
|
|
|
if(typeof id === 'string') {
|
|
|
|
return id;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-12-12 00:42:47 +00:00
|
|
|
if(req.signedCookies) {
|
|
|
|
for(i = 0, length = headers.length; i < length; i++) {
|
|
|
|
id = req.signedCookies[cookies[i]];
|
2013-11-14 21:01:47 +00:00
|
|
|
|
2013-12-12 00:42:47 +00:00
|
|
|
if(typeof id === 'string') {
|
|
|
|
return id;
|
|
|
|
}
|
2013-11-14 21:01:47 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return null;
|
|
|
|
}
|