loopback/common/models/access-token.js

// Copyright IBM Corp. 2014,2016. All Rights Reserved.
// Node module: loopback
// This file is licensed under the MIT License.
// License text available at https://opensource.org/licenses/MIT

/*!
 * Module Dependencies.
 */

'use strict';
var g = require('../../lib/globalize');
var loopback = require('../../lib/loopback');
var assert = require('assert');
var uid = require('uid2');
var DEFAULT_TOKEN_LEN = 64;

/**
 * Token based authentication and access control.
 *
 * **Default ACLs**
 *
 *  - DENY EVERYONE `*`
 *  - ALLOW EVERYONE create
 *
 * @property {String} id Generated token ID.
 * @property {Number} ttl Time to live in seconds, 2 weeks by default.
 * @property {Date} created When the token was created.
 * @property {Object} settings Extends the `Model.settings` object.
 * @property {Number} settings.accessTokenIdLength Length of the base64-encoded string access token. Default value is 64.
 * Increase the length for a more secure access token.
 *
 * @class AccessToken
 * @inherits {PersistedModel}
 */

module.exports = function(AccessToken) {
  /**
   * Anonymous Token
   *
   * ```js
   * assert(AccessToken.ANONYMOUS.id === '$anonymous');
   * ```
   */

  AccessToken.ANONYMOUS = new AccessToken({id: '$anonymous'});

  /**
   * Create a cryptographically random access token id.
   *
   * @callback {Function} callback
   * @param {Error} err
   * @param {String} token
   */

  AccessToken.createAccessTokenId = function(fn) {
    uid(this.settings.accessTokenIdLength || DEFAULT_TOKEN_LEN, function(err, guid) {
      if (err) {
        fn(err);
      } else {
        fn(null, guid);
      }
    });
  };

  /*!
   * Hook to create accessToken id.
   */
  AccessToken.observe('before save', function(ctx, next) {
    if (!ctx.instance || ctx.instance.id) {
      // We are running a partial update or the instance already has an id
      return next();
    }

    AccessToken.createAccessTokenId(function(err, id) {
      if (err) return next(err);
      ctx.instance.id = id;
      next();
    });
  });

  /**
   * Find a token for the given `ServerRequest`.
   *
   * @param {ServerRequest} req
   * @param {Object} [options] Options for finding the token
   * @callback {Function} callback
   * @param {Error} err
   * @param {AccessToken} token
   */

  AccessToken.findForRequest = function(req, options, cb) {
    if (cb === undefined && typeof options === 'function') {
      cb = options;
      options = {};
    }

    var id = tokenIdForRequest(req, options);

    if (id) {
      this.findById(id, function(err, token) {
        if (err) {
          cb(err);
        } else if (token) {
          token.validate(function(err, isValid) {
            if (err) {
              cb(err);
            } else if (isValid) {
              cb(null, token);
            } else {
              var e = new Error(g.f('Invalid Access Token'));
              e.status = e.statusCode = 401;
              e.code = 'INVALID_TOKEN';
              cb(e);
            }
          });
        } else {
          cb();
        }
      });
    } else {
      process.nextTick(function() {
        cb();
      });
    }
  };

  /**
   * Validate the token.
   *
   * @callback {Function} callback
   * @param {Error} err
   * @param {Boolean} isValid
   */

  AccessToken.prototype.validate = function(cb) {
    try {
      assert(
          this.created && typeof this.created.getTime === 'function',
        'token.created must be a valid Date'
      );
      assert(this.ttl !== 0, 'token.ttl must be not be 0');
      assert(this.ttl, 'token.ttl must exist');
      assert(this.ttl >= -1, 'token.ttl must be >= -1');

      var AccessToken = this.constructor;
      var userRelation = AccessToken.relations.user; // may not be set up
      var User = userRelation && userRelation.modelTo;

      // redefine user model if accessToken's principalType is available
      if (this.principalType) {
        User = AccessToken.registry.findModel(this.principalType);
        if (!User) {
          process.nextTick(function() {
            return cb(null, false);
          });
        }
      }

      var now = Date.now();
      var created = this.created.getTime();
      var elapsedSeconds = (now - created) / 1000;
      var secondsToLive = this.ttl;
      var eternalTokensAllowed = !!(User && User.settings.allowEternalTokens);
      var isEternalToken = secondsToLive === -1;
      var isValid = isEternalToken ?
        eternalTokensAllowed :
        elapsedSeconds < secondsToLive;

      if (isValid) {
        process.nextTick(function() {
          cb(null, isValid);
        });
      } else {
        this.destroy(function(err) {
          cb(err, isValid);
        });
      }
    } catch (e) {
      process.nextTick(function() {
        cb(e);
      });
    }
  };

  function tokenIdForRequest(req, options) {
    var params = options.params || [];
    var headers = options.headers || [];
    var cookies = options.cookies || [];
    var i = 0;
    var length, id;

    // https://github.com/strongloop/loopback/issues/1326
    if (options.searchDefaultTokenKeys !== false) {
      params = params.concat(['access_token']);
      headers = headers.concat(['X-Access-Token', 'authorization']);
      cookies = cookies.concat(['access_token', 'authorization']);
    }

    for (length = params.length; i < length; i++) {
      var param = params[i];
      // replacement for deprecated req.param()
      id = req.params && req.params[param] !== undefined ? req.params[param] :
        req.body && req.body[param] !== undefined ? req.body[param] :
        req.query && req.query[param] !== undefined ? req.query[param] :
        undefined;

      if (typeof id === 'string') {
        return id;
      }
    }

    for (i = 0, length = headers.length; i < length; i++) {
      id = req.header(headers[i]);

      if (typeof id === 'string') {
        // Add support for oAuth 2.0 bearer token
        // http://tools.ietf.org/html/rfc6750
        if (id.indexOf('Bearer ') === 0) {
          id = id.substring(7);
          // Decode from base64
          var buf = new Buffer(id, 'base64');
          id = buf.toString('utf8');
        } else if (/^Basic /i.test(id)) {
          id = id.substring(6);
          id = (new Buffer(id, 'base64')).toString('utf8');
          // The spec says the string is user:pass, so if we see both parts
          // we will assume the longer of the two is the token, so we will
          // extract "a2b2c3" from:
          //   "a2b2c3"
          //   "a2b2c3:"   (curl http://a2b2c3@localhost:3000/)
          //   "token:a2b2c3" (curl http://token:a2b2c3@localhost:3000/)
          //   ":a2b2c3"
          var parts = /^([^:]*):(.*)$/.exec(id);
          if (parts) {
            id = parts[2].length > parts[1].length ? parts[2] : parts[1];
          }
        }
        return id;
      }
    }

    if (req.signedCookies) {
      for (i = 0, length = cookies.length; i < length; i++) {
        id = req.signedCookies[cookies[i]];

        if (typeof id === 'string') {
          return id;
        }
      }
    }
    return null;
  }
};
update copyright statements 2016-05-03 22:50:21 +00:00			`// Copyright IBM Corp. 2014,2016. All Rights Reserved.`
			`// Node module: loopback`
			`// This file is licensed under the MIT License.`
			`// License text available at https://opensource.org/licenses/MIT`

Add reference documentation using sdocs 2013-12-20 01:49:47 +00:00			`/*!`
Initial users 2013-07-02 23:51:38 +00:00			`* Module Dependencies.`
			`*/`

Update eslint to loopback config v5 Notable side-effects: - loopback no longer exports "caller" and "arguments" properties - kv-memory connector is now properly added to the connector registry - the file "test/support.js" was finally removed 2016-11-15 21:46:23 +00:00			`'use strict';`
Update globalization structure 2016-09-16 19:31:48 +00:00			`var g = require('../../lib/globalize');`
common: coding style cleanup 2014-11-04 12:52:49 +00:00			`var loopback = require('../../lib/loopback');`
			`var assert = require('assert');`
			`var uid = require('uid2');`
			`var DEFAULT_TOKEN_LEN = 64;`
Initial users 2013-07-02 23:51:38 +00:00
			`/**`
Add reference documentation using sdocs 2013-12-20 01:49:47 +00:00			`* Token based authentication and access control.`
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`*`
Add reference documentation using sdocs 2013-12-20 01:49:47 +00:00			`* Default ACLs`
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`*`
Add reference documentation using sdocs 2013-12-20 01:49:47 +00:00			* - DENY EVERYONE `*`
			`* - ALLOW EVERYONE create`
Fix accessToken property docs 2014-08-11 17:55:23 +00:00			`*`
Add docs for settings per #1069 2015-02-23 21:13:52 +00:00			`* @property {String} id Generated token ID.`
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`* @property {Number} ttl Time to live in seconds, 2 weeks by default.`
Add docs for settings per #1069 2015-02-23 21:13:52 +00:00			`* @property {Date} created When the token was created.`
			* @property {Object} settings Extends the `Model.settings` object.
			`* @property {Number} settings.accessTokenIdLength Length of the base64-encoded string access token. Default value is 64.`
			`* Increase the length for a more secure access token.`
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`*`
			`* @class AccessToken`
Make sure AccessToken extends from PersistedModel 2014-08-19 04:44:28 +00:00			`* @inherits {PersistedModel}`
Initial users 2013-07-02 23:51:38 +00:00			`*/`

models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`module.exports = function(AccessToken) {`
			`/**`
			`* Anonymous Token`
			`*`
			* ```js
			`* assert(AccessToken.ANONYMOUS.id === '$anonymous');`
			* ```
			`*/`

Update eslint to loopback config v5 Notable side-effects: - loopback no longer exports "caller" and "arguments" properties - kv-memory connector is now properly added to the connector registry - the file "test/support.js" was finally removed 2016-11-15 21:46:23 +00:00			`AccessToken.ANONYMOUS = new AccessToken({id: '$anonymous'});`
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00
			`/**`
			`* Create a cryptographically random access token id.`
			`*`
			`* @callback {Function} callback`
			`* @param {Error} err`
			`* @param {String} token`
			`*/`

			`AccessToken.createAccessTokenId = function(fn) {`
			`uid(this.settings.accessTokenIdLength \|\| DEFAULT_TOKEN_LEN, function(err, guid) {`
			`if (err) {`
			`fn(err);`
			`} else {`
			`fn(null, guid);`
			`}`
			`});`
common: coding style cleanup 2014-11-04 12:52:49 +00:00			`};`
Added AccessToken created property 2013-11-15 00:47:24 +00:00
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`/*!`
			`* Hook to create accessToken id.`
			`*/`
Replace deprecated hooks with Operation hooks AccessToken.beforeCreate -> AccessToken.observe('before save') Application.beforeCreate -> Application.observe('before save') Checkpoint.beforeSave -> Checkpoint.observe('before save') 2015-03-02 12:09:14 +00:00			`AccessToken.observe('before save', function(ctx, next) {`
			`if (!ctx.instance \|\| ctx.instance.id) {`
			`// We are running a partial update or the instance already has an id`
			`return next();`
			`}`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`AccessToken.createAccessTokenId(function(err, id) {`
Replace deprecated hooks with Operation hooks AccessToken.beforeCreate -> AccessToken.observe('before save') Application.beforeCreate -> Application.observe('before save') Checkpoint.beforeSave -> Checkpoint.observe('before save') 2015-03-02 12:09:14 +00:00			`if (err) return next(err);`
			`ctx.instance.id = id;`
			`next();`
Update AccessToken and User relationship - Add created default - Default TTLs for user login access tokens - Break out User / AccessToken relationship 2013-11-15 02:34:51 +00:00			`});`
Replace deprecated hooks with Operation hooks AccessToken.beforeCreate -> AccessToken.observe('before save') Application.beforeCreate -> Application.observe('before save') Checkpoint.beforeSave -> Checkpoint.observe('before save') 2015-03-02 12:09:14 +00:00			`});`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`/**`
			* Find a token for the given `ServerRequest`.
			`*`
			`* @param {ServerRequest} req`
			`* @param {Object} [options] Options for finding the token`
			`* @callback {Function} callback`
			`* @param {Error} err`
			`* @param {AccessToken} token`
			`*/`

			`AccessToken.findForRequest = function(req, options, cb) {`
AccessToken: optional `options` in findForRequest Fix `AccessToken.findForRequest` to correctly handle the case when the options argument was omitted: AccessToken.findForRequest(req, cb); 2014-11-14 09:37:22 +00:00			`if (cb === undefined && typeof options === 'function') {`
			`cb = options;`
			`options = {};`
			`}`

models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`var id = tokenIdForRequest(req, options);`

			`if (id) {`
			`this.findById(id, function(err, token) {`
			`if (err) {`
			`cb(err);`
			`} else if (token) {`
			`token.validate(function(err, isValid) {`
			`if (err) {`
			`cb(err);`
			`} else if (isValid) {`
			`cb(null, token);`
			`} else {`
Add globalization 2016-06-07 14:48:28 +00:00			`var e = new Error(g.f('Invalid Access Token'));`
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`e.status = e.statusCode = 401;`
Add error code property to known error responses. Enhance the error objects with a `code` property containing a machine-readable string code describing the error, for example INVALID_TOKEN or USER_NOT_FOUND. Also improve 404 error messages to include the model name. 2014-12-18 20:26:27 +00:00			`e.code = 'INVALID_TOKEN';`
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`cb(e);`
			`}`
			`});`
			`} else {`
			`cb();`
			`}`
			`});`
Update AccessToken and User relationship - Add created default - Default TTLs for user login access tokens - Break out User / AccessToken relationship 2013-11-15 02:34:51 +00:00			`} else {`
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`process.nextTick(function() {`
			`cb();`
Update AccessToken and User relationship - Add created default - Default TTLs for user login access tokens - Break out User / AccessToken relationship 2013-11-15 02:34:51 +00:00			`});`
			`}`
common: coding style cleanup 2014-11-04 12:52:49 +00:00			`};`
Update AccessToken and User relationship - Add created default - Default TTLs for user login access tokens - Break out User / AccessToken relationship 2013-11-15 02:34:51 +00:00
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`/**`
			`* Validate the token.`
			`*`
			`* @callback {Function} callback`
			`* @param {Error} err`
			`* @param {Boolean} isValid`
			`*/`

			`AccessToken.prototype.validate = function(cb) {`
			`try {`
			`assert(`
			`this.created && typeof this.created.getTime === 'function',`
			`'token.created must be a valid Date'`
			`);`
			`assert(this.ttl !== 0, 'token.ttl must be not be 0');`
			`assert(this.ttl, 'token.ttl must exist');`
			`assert(this.ttl >= -1, 'token.ttl must be >= -1');`

Allow tokens with eternal TTL (value -1) - Add a new User setting 'allowEternalTokens' - Enhance 'AccessToken.validate' to support eternal tokens with ttl value -1 when the user model allows it. 2016-10-10 11:27:22 +00:00			`var AccessToken = this.constructor;`
			`var userRelation = AccessToken.relations.user; // may not be set up`
			`var User = userRelation && userRelation.modelTo;`

Enable multiple user models Allow LoopBack applications to configure multiple User models and share the same AccessToken model. To enable this feature: 1) In your custom AccessToken model: - add a new property "principalType" of type "string". - configure the relation "belongsTo user" as polymorphic, using "principalType" as the discriminator 2) In your User models: - Configure the "hasMany accessTokens" relation as polymorphic, using "principalType" as the discriminator When creating custom Role and Principal instances, set your User model's name as the value of "prinicipalType". 2016-11-21 20:51:43 +00:00			`// redefine user model if accessToken's principalType is available`
			`if (this.principalType) {`
			`User = AccessToken.registry.findModel(this.principalType);`
			`if (!User) {`
			`process.nextTick(function() {`
			`return cb(null, false);`
			`});`
			`}`
			`}`

models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`var now = Date.now();`
			`var created = this.created.getTime();`
			`var elapsedSeconds = (now - created) / 1000;`
			`var secondsToLive = this.ttl;`
Allow tokens with eternal TTL (value -1) - Add a new User setting 'allowEternalTokens' - Enhance 'AccessToken.validate' to support eternal tokens with ttl value -1 when the user model allows it. 2016-10-10 11:27:22 +00:00			`var eternalTokensAllowed = !!(User && User.settings.allowEternalTokens);`
			`var isEternalToken = secondsToLive === -1;`
			`var isValid = isEternalToken ?`
			`eternalTokensAllowed :`
			`elapsedSeconds < secondsToLive;`
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00
			`if (isValid) {`
Enable multiple user models Allow LoopBack applications to configure multiple User models and share the same AccessToken model. To enable this feature: 1) In your custom AccessToken model: - add a new property "principalType" of type "string". - configure the relation "belongsTo user" as polymorphic, using "principalType" as the discriminator 2) In your User models: - Configure the "hasMany accessTokens" relation as polymorphic, using "principalType" as the discriminator When creating custom Role and Principal instances, set your User model's name as the value of "prinicipalType". 2016-11-21 20:51:43 +00:00			`process.nextTick(function() {`
			`cb(null, isValid);`
			`});`
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`} else {`
			`this.destroy(function(err) {`
			`cb(err, isValid);`
			`});`
			`}`
			`} catch (e) {`
Enable multiple user models Allow LoopBack applications to configure multiple User models and share the same AccessToken model. To enable this feature: 1) In your custom AccessToken model: - add a new property "principalType" of type "string". - configure the relation "belongsTo user" as polymorphic, using "principalType" as the discriminator 2) In your User models: - Configure the "hasMany accessTokens" relation as polymorphic, using "principalType" as the discriminator When creating custom Role and Principal instances, set your User model's name as the value of "prinicipalType". 2016-11-21 20:51:43 +00:00			`process.nextTick(function() {`
			`cb(e);`
			`});`
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`}`
common: coding style cleanup 2014-11-04 12:52:49 +00:00			`};`
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00
			`function tokenIdForRequest(req, options) {`
			`var params = options.params \|\| [];`
			`var headers = options.headers \|\| [];`
			`var cookies = options.cookies \|\| [];`
			`var i = 0;`
Use eslint with loopback config Drop jshint and jscs in favour of eslint. Fix style violations. While we are at this, reduce the max line length from 150 to 100. 2016-04-01 09:14:26 +00:00			`var length, id;`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00
access-token: add option "searchDefaultTokenKeys" Set this option to false to prevent AccessToken from checking default places like "access_token" in query. 2015-04-29 11:45:22 +00:00			`// https://github.com/strongloop/loopback/issues/1326`
			`if (options.searchDefaultTokenKeys !== false) {`
			`params = params.concat(['access_token']);`
			`headers = headers.concat(['X-Access-Token', 'authorization']);`
			`cookies = cookies.concat(['access_token', 'authorization']);`
			`}`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`for (length = params.length; i < length; i++) {`
Remove usages of deprecated `req.param()` Express has recently deprecated `req.param()` to force developers to be explicit about the source of the value. To avoid deprecation warnings, this commit replaces all calls of `req.param()` with a simplified inline version. 2015-01-21 18:27:53 +00:00			`var param = params[i];`
			`// replacement for deprecated req.param()`
			`id = req.params && req.params[param] !== undefined ? req.params[param] :`
			`req.body && req.body[param] !== undefined ? req.body[param] :`
			`req.query && req.query[param] !== undefined ? req.query[param] :`
			`undefined;`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`if (typeof id === 'string') {`
			`return id;`
			`}`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`}`

models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`for (i = 0, length = headers.length; i < length; i++) {`
			`id = req.header(headers[i]);`

			`if (typeof id === 'string') {`
			`// Add support for oAuth 2.0 bearer token`
			`// http://tools.ietf.org/html/rfc6750`
			`if (id.indexOf('Bearer ') === 0) {`
			`id = id.substring(7);`
			`// Decode from base64`
			`var buf = new Buffer(id, 'base64');`
			`id = buf.toString('utf8');`
Extend AccessToken to parse Basic auth headers Allow convenient URLs for curl and browsers such as: - http://some-long-token@localhost:3000/ - http://token:some-long-token@localhost:3000/ Basic Auth specifies a 'Basic' scheme for the Authorization header similar to how OAuth specifies 'Bearer' as an auth scheme. Following a similar convention, extract the access token from the Authorization header when it specifies the 'Basic' scheme, assuming it is the larger of the <user>:<pass> segments. 2015-01-14 22:10:20 +00:00			`} else if (/^Basic /i.test(id)) {`
			`id = id.substring(6);`
			`id = (new Buffer(id, 'base64')).toString('utf8');`
			`// The spec says the string is user:pass, so if we see both parts`
			`// we will assume the longer of the two is the token, so we will`
			`// extract "a2b2c3" from:`
			`// "a2b2c3"`
			`// "a2b2c3:" (curl http://a2b2c3@localhost:3000/)`
			`// "token:a2b2c3" (curl http://token:a2b2c3@localhost:3000/)`
			`// ":a2b2c3"`
			`var parts = /^([^:]):(.)$/.exec(id);`
			`if (parts) {`
			`id = parts[2].length > parts[1].length ? parts[2] : parts[1];`
			`}`
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`}`
			`return id;`
Fix the typo and add Bearer token support See https://github.com/strongloop/loopback/issues/333 2014-07-02 16:02:13 +00:00			`}`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`}`

models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`if (req.signedCookies) {`
			`for (i = 0, length = cookies.length; i < length; i++) {`
			`id = req.signedCookies[cookies[i]];`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`if (typeof id === 'string') {`
			`return id;`
			`}`
Only look at cookies if they are available 2013-12-12 00:42:47 +00:00			`}`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`}`
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`return null;`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`}`
models: move AccessToken LDL def into a json file 2014-10-13 08:23:35 +00:00			`};`