verdnatura-mirror
/
loopback
mirror of https://github.com/strongloop/loopback.git
0
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
loopback/test/authorization-scopes.test.js

135 lines
3.9 KiB
JavaScript
Raw Normal View History

Add support for scoped access tokens Define a new property `AccessToken.scopes` to contain the list of scopes granted to this access token. Define a new remote method metadata `accessScopes` to contain a list of scope name required by this method. Define a special built-in scope name "DEFAULT" that's used when a method/token does not provide any scopes. This allows access tokens to grant access to both the default scope and any additional custom scopes at the same time. Modify the authorization algorithm to ensure that at least one of the scopes required by a remote method is allowed by the scopes granted to the requesting access token. The "DEFAULT" scope preserve backwards compatibility because existing remote methods with no `accessScopes` can be accessed by (existing) access tokens with no `scopes` defined. Impact on existing applications: - Database schema must be updated after upgrading the loopback version - If the application was already using a custom `AccessToken.scopes` property with a type different from an array, then the relevant code must be updated to work with the new type "array of strings".
2017-03-27 12:58:01 +00:00
'use strict';
const loopback = require('../');
const supertest = require('supertest');
const strongErrorHandler = require('strong-error-handler');
describe('Authorization scopes', () => {
const CUSTOM_SCOPE = 'read:custom';
let app, request, User, testUser, regularToken, scopedToken;
beforeEach(givenAppAndRequest);
beforeEach(givenRemoteMethodWithCustomScope);
beforeEach(givenUser);
beforeEach(givenDefaultToken);
beforeEach(givenScopedToken);
it('denies regular token to invoke custom-scoped method', () => {
logServerErrorsOtherThan(401);
return request.get('/users/scoped')
.set('Authorization', regularToken.id)
.expect(401);
});
it('allows regular tokens to invoke default-scoped method', () => {
logAllServerErrors();
return request.get('/users/' + testUser.id)
.set('Authorization', regularToken.id)
.expect(200);
});
it('allows scoped token to invoke custom-scoped method', () => {
logAllServerErrors();
return request.get('/users/scoped')
.set('Authorization', scopedToken.id)
.expect(204);
});
it('denies scoped token to invoke default-scoped method', () => {
logServerErrorsOtherThan(401);
return request.get('/users/' + testUser.id)
.set('Authorization', scopedToken.id)
.expect(401);
});
describe('token granted both default and custom scope', () => {
beforeEach('given token with default and custom scope',
() => givenScopedToken(['DEFAULT', CUSTOM_SCOPE]));
beforeEach(logAllServerErrors);
it('allows invocation of default-scoped method', () => {
return request.get('/users/' + testUser.id)
.set('Authorization', scopedToken.id)
.expect(200);
});
it('allows invocation of custom-scoped method', () => {
return request.get('/users/scoped')
.set('Authorization', scopedToken.id)
.expect(204);
});
});
it('allows invocation when at least one method scope is matched', () => {
givenRemoteMethodWithCustomScope(['read', 'write']);
return givenScopedToken(['read', 'execute']).then(() => {
return request.get('/users/scoped')
.set('Authorization', scopedToken.id)
.expect(204);
});
});
function givenAppAndRequest() {
app = loopback({localRegistry: true, loadBuiltinModels: true});
app.set('remoting', {rest: {handleErrors: false}});
app.dataSource('db', {connector: 'memory'});
app.enableAuth({dataSource: 'db'});
request = supertest(app);
app.use(loopback.rest());
User = app.models.User;
}
function givenRemoteMethodWithCustomScope() {
Implement more secure password flow Improve the flow for setting/changing/resetting User password to make it more secure. 1. Modify `User.resetPassword` to create a token scoped to allow invocation of a single remote method: `User.setPassword`. 2. Scope the method `User.setPassword` so that regular tokens created by `User.login` are not allowed to execute it. For backwards compatibility, this new mode (flow) is enabled only when User model setting `restrictResetPasswordTokenScope` is set to `true`. 3. Changing the password via `User.prototype.patchAttributes` (and similar DAO methods) is no longer allowed. Applications must call `User.changePassword` and ask the user to provide the current (old) password. For backwards compatibility, this new mode (flow) is enabled only when User model setting `rejectPasswordChangesViaPatchOrReplace` is set to `true`.
2017-04-10 12:07:41 +00:00
// Delete any previously registered instance of the method "scoped"
Fix method setup in authorization-scopes.test Fix the code builing a scoped method to correctly handle the case when the setup method is called twice and the previously defined method has to be overriden with new remoting metadata.
2017-04-10 10:19:20 +00:00
User.sharedClass._methods = User.sharedClass._methods
.filter(m => m.name !== 'scoped');
Add support for scoped access tokens Define a new property `AccessToken.scopes` to contain the list of scopes granted to this access token. Define a new remote method metadata `accessScopes` to contain a list of scope name required by this method. Define a special built-in scope name "DEFAULT" that's used when a method/token does not provide any scopes. This allows access tokens to grant access to both the default scope and any additional custom scopes at the same time. Modify the authorization algorithm to ensure that at least one of the scopes required by a remote method is allowed by the scopes granted to the requesting access token. The "DEFAULT" scope preserve backwards compatibility because existing remote methods with no `accessScopes` can be accessed by (existing) access tokens with no `scopes` defined. Impact on existing applications: - Database schema must be updated after upgrading the loopback version - If the application was already using a custom `AccessToken.scopes` property with a type different from an array, then the relevant code must be updated to work with the new type "array of strings".
2017-03-27 12:58:01 +00:00
const accessScopes = arguments[0] || [CUSTOM_SCOPE];
User.scoped = function(cb) { cb(); };
User.remoteMethod('scoped', {
accessScopes,
http: {verb: 'GET', path: '/scoped'},
});
User.settings.acls.push({
principalType: 'ROLE',
principalId: '$authenticated',
permission: 'ALLOW',
property: 'scoped',
accessType: 'EXECUTE',
});
}
function givenUser() {
return User.create({email: 'test@example.com', password: 'pass'})
.then(u => testUser = u);
}
function givenDefaultToken() {
return testUser.createAccessToken(60)
.then(t => regularToken = t);
}
function givenScopedToken() {
const scopes = arguments[0] || [CUSTOM_SCOPE];
return testUser.accessTokens.create({ttl: 60, scopes})
.then(t => scopedToken = t);
}
function logAllServerErrors() {
logServerErrorsOtherThan(-1);
}
function logServerErrorsOtherThan(statusCode) {
app.use((err, req, res, next) => {
if ((err.statusCode || 500) !== statusCode) {
console.log('Unhandled error for request %s %s: %s',
req.method, req.url, err.stack || err);
}
res.statusCode = err.statusCode || 500;
res.json(err);
});
}
});