loopback/lib/models/access-token.js

/*!
 * Module Dependencies.
 */

var Model = require('../loopback').Model
  , loopback = require('../loopback')
  , assert = require('assert')
  , crypto = require('crypto')
  , uid = require('uid2')
  , DEFAULT_TTL = 1209600 // 2 weeks in seconds
  , DEFAULT_TOKEN_LEN = 64
  , Role = require('./role').Role
  , ACL = require('./acl').ACL;

/*!
 * Default AccessToken properties.
 */

var properties = {
  id: {type: String, id: true},
  ttl: {type: Number, ttl: true, default: DEFAULT_TTL}, // time to live in seconds
  created: {type: Date, default: function() {
    return new Date();
  }}
};

/**
 * Token based authentication and access control.
 *
 * **Default ACLs**
 * 
 *  - DENY EVERYONE `*`
 *  - ALLOW EVERYONE create
 *
 * @property {String} id Generated token ID
 * @property {Number} ttl Time to live in seconds
 * @property {Date} created When the token was created
 *  
 * @class
 * @inherits {Model}
 */

var AccessToken = module.exports = Model.extend('AccessToken', properties, {
  acls: [
    {
      principalType: ACL.ROLE,
      principalId: Role.EVERYONE,
      permission: 'DENY'
    },
    {
      principalType: ACL.ROLE,
      principalId: Role.EVERYONE,
      property: 'create',
      permission: 'ALLOW'
    }
  ],
  relations: {
    user: {
      type: 'belongsTo',
      model: 'User',
      foreignKey: 'userId'
    }
  }
});

/**
 * Anonymous Token
 * 
 * ```js
 * assert(AccessToken.ANONYMOUS.id === '$anonymous');
 * ```
 */

AccessToken.ANONYMOUS = new AccessToken({id: '$anonymous'});

/**
 * Create a cryptographically random access token id.
 * 
 * @callback {Function} callback
 * @param {Error} err
 * @param {String} token
 */

AccessToken.createAccessTokenId = function (fn) {
  uid(this.settings.accessTokenIdLength || DEFAULT_TOKEN_LEN, function(err, guid) {
    if(err) {
      fn(err);
    } else {
      fn(null, guid);
    }
  });
}

/*!
 * Hook to create accessToken id.
 */

AccessToken.beforeCreate = function (next, data) {
  data = data || {};
  
  AccessToken.createAccessTokenId(function (err, id) {
    if(err) {
      next(err);
    } else {
      data.id = id;

      next();
    }
  });
}

/**
 * Find a token for the given `ServerRequest`.
 *
 * @param {ServerRequest} req
 * @param {Object} [options] Options for finding the token
 * @callback {Function} callback
 * @param {Error} err
 * @param {AccessToken} token
 */

AccessToken.findForRequest = function(req, options, cb) {
  var id = tokenIdForRequest(req, options);

  if(id) {
    this.findById(id, function(err, token) {
      if(err) {
        cb(err);
      } else if(token) {
        token.validate(function(err, isValid) {
          if(err) {
            cb(err);
          } else if(isValid) {
            cb(null, token);
          } else {
            var e = new Error('Invalid Access Token');
            e.status = e.statusCode = 401;
            cb(e);
          }
        });
      } else {
        cb();
      }
    });
  } else {
    process.nextTick(function() {
      cb();
    });
  }
}

/**
 * Validate the token.
 * 
 * @callback {Function} callback
 * @param {Error} err
 * @param {Boolean} isValid
 */

AccessToken.prototype.validate = function(cb) {
  try {
    assert(
      this.created && typeof this.created.getTime === 'function',
      'token.created must be a valid Date'
    );
    assert(this.ttl !== 0, 'token.ttl must be not be 0');
    assert(this.ttl, 'token.ttl must exist');
    assert(this.ttl >= -1, 'token.ttl must be >= -1');

    var now = Date.now();
    var created = this.created.getTime();
    var elapsedSeconds = (now - created) / 1000;
    var secondsToLive = this.ttl;
    var isValid = elapsedSeconds < secondsToLive;

    if(isValid) {
      cb(null, isValid);
    } else {
      this.destroy(function(err) {
        cb(err, isValid);
      });
    }
  } catch(e) {
    cb(e);
  }
}

function tokenIdForRequest(req, options) {
  var params = options.params || [];
  var headers = options.headers || [];
  var cookies = options.cookies || [];
  var i = 0;
  var length;
  var id;

  params = params.concat(['access_token']);
  headers = headers.concat(['X-Access-Token', 'authorization']);
  cookies = cookies.concat(['access_token', 'authorization']);

  for(length = params.length; i < length; i++) {
    id = req.param(params[i]);

    if(typeof id === 'string') {
      return id;
    }
  }

  for(i = 0, length = headers.length; i < length; i++) {
    id = req.header(headers[i]);

    if(typeof id === 'string') {
      // Add support for oAuth 2.0 bearer token
      // http://tools.ietf.org/html/rfc6750
      if (id.indexOf('Bearer ') === 0) {
        id = id.substring(7);
        // Decode from base64
        var buf = new Buffer(id, 'base64');
        id = buf.toString('utf8');
      }
      return id;
    }
  }

  if(req.signedCookies) {
    for(i = 0, length = cookies.length; i < length; i++) {
      id = req.signedCookies[cookies[i]];

      if(typeof id === 'string') {
        return id;
      }
    }
  }
  return null;
}
Add reference documentation using sdocs 2013-12-20 01:49:47 +00:00			`/*!`
Initial users 2013-07-02 23:51:38 +00:00			`* Module Dependencies.`
			`*/`

rename asteroid to loopback 2013-07-16 17:49:25 +00:00			`var Model = require('../loopback').Model`
			`, loopback = require('../loopback')`
Update AccessToken and User relationship - Add created default - Default TTLs for user login access tokens - Break out User / AccessToken relationship 2013-11-15 02:34:51 +00:00			`, assert = require('assert')`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`, crypto = require('crypto')`
Update session / token documentation 2013-11-14 23:27:36 +00:00			`, uid = require('uid2')`
Update AccessToken and User relationship - Add created default - Default TTLs for user login access tokens - Break out User / AccessToken relationship 2013-11-15 02:34:51 +00:00			`, DEFAULT_TTL = 1209600 // 2 weeks in seconds`
Initial auth implementation 2013-11-15 04:19:46 +00:00			`, DEFAULT_TOKEN_LEN = 64`
Allow requests without auth tokens 2013-12-10 23:57:55 +00:00			`, Role = require('./role').Role`
Initial auth implementation 2013-11-15 04:19:46 +00:00			`, ACL = require('./acl').ACL;`
Initial users 2013-07-02 23:51:38 +00:00
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`/*!`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`* Default AccessToken properties.`
Initial users 2013-07-02 23:51:38 +00:00			`*/`

			`var properties = {`
Remove the generated flag for access token id The generated flag is used to indicate if the id is automatically generated by the backend store. If it's set, the data type will be updated when the model is attached to a datasource. The AccessToken model defines a string id, which is set in the beforeCreate hook. So it's client provided id. 2014-01-30 17:02:12 +00:00			`id: {type: String, id: true},`
Update AccessToken and User relationship - Add created default - Default TTLs for user login access tokens - Break out User / AccessToken relationship 2013-11-15 02:34:51 +00:00			`ttl: {type: Number, ttl: true, default: DEFAULT_TTL}, // time to live in seconds`
			`created: {type: Date, default: function() {`
			`return new Date();`
			`}}`
Initial users 2013-07-02 23:51:38 +00:00			`};`

			`/**`
Add reference documentation using sdocs 2013-12-20 01:49:47 +00:00			`* Token based authentication and access control.`
Start to move md to jsdoc 2014-01-06 23:52:08 +00:00			`*`
Add reference documentation using sdocs 2013-12-20 01:49:47 +00:00			`* Default ACLs`
			`*`
			* - DENY EVERYONE `*`
			`* - ALLOW EVERYONE create`
Fix accessToken property docs 2014-08-11 17:55:23 +00:00			`*`
			`* @property {String} id Generated token ID`
			`* @property {Number} ttl Time to live in seconds`
			`* @property {Date} created When the token was created`
			`*`
Add reference documentation using sdocs 2013-12-20 01:49:47 +00:00			`* @class`
			`* @inherits {Model}`
Initial users 2013-07-02 23:51:38 +00:00			`*/`

Allow requests without auth tokens 2013-12-10 23:57:55 +00:00			`var AccessToken = module.exports = Model.extend('AccessToken', properties, {`
			`acls: [`
			`{`
			`principalType: ACL.ROLE,`
			`principalId: Role.EVERYONE,`
			`permission: 'DENY'`
			`},`
			`{`
			`principalType: ACL.ROLE,`
			`principalId: Role.EVERYONE,`
			`property: 'create',`
			`permission: 'ALLOW'`
			`}`
Make sure User/AccessToken relations are set up by default User.login assumes the relation User.accessTokens exists 2014-02-14 18:31:30 +00:00			`],`
			`relations: {`
			`user: {`
			`type: 'belongsTo',`
			`model: 'User',`
			`foreignKey: 'userId'`
			`}`
			`}`
Allow requests without auth tokens 2013-12-10 23:57:55 +00:00			`});`

Add reference documentation using sdocs 2013-12-20 01:49:47 +00:00			`/**`
			`* Anonymous Token`
			`*`
			* ```js
			`* assert(AccessToken.ANONYMOUS.id === '$anonymous');`
			* ```
			`*/`

Allow requests without auth tokens 2013-12-10 23:57:55 +00:00			`AccessToken.ANONYMOUS = new AccessToken({id: '$anonymous'});`
Create 64 byte session ids 2013-07-12 22:47:58 +00:00
			`/**`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`* Create a cryptographically random access token id.`
Create 64 byte session ids 2013-07-12 22:47:58 +00:00			`*`
Add reference documentation using sdocs 2013-12-20 01:49:47 +00:00			`* @callback {Function} callback`
			`* @param {Error} err`
			`* @param {String} token`
Create 64 byte session ids 2013-07-12 22:47:58 +00:00			`*/`

Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`AccessToken.createAccessTokenId = function (fn) {`
Update session / token documentation 2013-11-14 23:27:36 +00:00			`uid(this.settings.accessTokenIdLength \|\| DEFAULT_TOKEN_LEN, function(err, guid) {`
Create 64 byte session ids 2013-07-12 22:47:58 +00:00			`if(err) {`
			`fn(err);`
			`} else {`
Update session / token documentation 2013-11-14 23:27:36 +00:00			`fn(null, guid);`
Create 64 byte session ids 2013-07-12 22:47:58 +00:00			`}`
			`});`
			`}`

			`/*!`
Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`* Hook to create accessToken id.`
Create 64 byte session ids 2013-07-12 22:47:58 +00:00			`*/`

Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`AccessToken.beforeCreate = function (next, data) {`
Create 64 byte session ids 2013-07-12 22:47:58 +00:00			`data = data \|\| {};`

Rename Session => AccessToken 2013-11-13 19:49:08 +00:00			`AccessToken.createAccessTokenId(function (err, id) {`
Create 64 byte session ids 2013-07-12 22:47:58 +00:00			`if(err) {`
			`next(err);`
			`} else {`
			`data.id = id;`
Added AccessToken created property 2013-11-15 00:47:24 +00:00
Create 64 byte session ids 2013-07-12 22:47:58 +00:00			`next();`
			`}`
			`});`
Fix bundle model name casing 2013-11-11 21:35:54 +00:00			`}`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00
			`/**`
			* Find a token for the given `ServerRequest`.
			`*`
			`* @param {ServerRequest} req`
			`* @param {Object} [options] Options for finding the token`
Add reference documentation using sdocs 2013-12-20 01:49:47 +00:00			`* @callback {Function} callback`
			`* @param {Error} err`
			`* @param {AccessToken} token`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`*/`

			`AccessToken.findForRequest = function(req, options, cb) {`
			`var id = tokenIdForRequest(req, options);`

			`if(id) {`
Update AccessToken and User relationship - Add created default - Default TTLs for user login access tokens - Break out User / AccessToken relationship 2013-11-15 02:34:51 +00:00			`this.findById(id, function(err, token) {`
			`if(err) {`
			`cb(err);`
Various ACL fixes 2013-12-11 05:49:18 +00:00			`} else if(token) {`
Update AccessToken and User relationship - Add created default - Default TTLs for user login access tokens - Break out User / AccessToken relationship 2013-11-15 02:34:51 +00:00			`token.validate(function(err, isValid) {`
			`if(err) {`
			`cb(err);`
			`} else if(isValid) {`
			`cb(null, token);`
			`} else {`
Invalid Access Token return 401 Clean up logic to be easier to read. Signed-off-by: Karl Mikkelsen <karl@karlmikko.com> 2014-06-17 06:27:41 +00:00			`var e = new Error('Invalid Access Token');`
			`e.status = e.statusCode = 401;`
			`cb(e);`
Update AccessToken and User relationship - Add created default - Default TTLs for user login access tokens - Break out User / AccessToken relationship 2013-11-15 02:34:51 +00:00			`}`
			`});`
Various ACL fixes 2013-12-11 05:49:18 +00:00			`} else {`
			`cb();`
Update AccessToken and User relationship - Add created default - Default TTLs for user login access tokens - Break out User / AccessToken relationship 2013-11-15 02:34:51 +00:00			`}`
			`});`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`} else {`
			`process.nextTick(function() {`
			`cb();`
			`});`
			`}`
			`}`

Add reference documentation using sdocs 2013-12-20 01:49:47 +00:00			`/**`
			`* Validate the token.`
			`*`
			`* @callback {Function} callback`
			`* @param {Error} err`
			`* @param {Boolean} isValid`
			`*/`

Update AccessToken and User relationship - Add created default - Default TTLs for user login access tokens - Break out User / AccessToken relationship 2013-11-15 02:34:51 +00:00			`AccessToken.prototype.validate = function(cb) {`
			`try {`
			`assert(`
			`this.created && typeof this.created.getTime === 'function',`
			`'token.created must be a valid Date'`
			`);`
			`assert(this.ttl !== 0, 'token.ttl must be not be 0');`
			`assert(this.ttl, 'token.ttl must exist');`
			`assert(this.ttl >= -1, 'token.ttl must be >= -1');`

			`var now = Date.now();`
			`var created = this.created.getTime();`
			`var elapsedSeconds = (now - created) / 1000;`
			`var secondsToLive = this.ttl;`
			`var isValid = elapsedSeconds < secondsToLive;`

			`if(isValid) {`
			`cb(null, isValid);`
			`} else {`
			`this.destroy(function(err) {`
			`cb(err, isValid);`
			`});`
			`}`
			`} catch(e) {`
			`cb(e);`
			`}`
			`}`

Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`function tokenIdForRequest(req, options) {`
			`var params = options.params \|\| [];`
			`var headers = options.headers \|\| [];`
			`var cookies = options.cookies \|\| [];`
			`var i = 0;`
			`var length;`
			`var id;`

Fix a slowdown caused by mutation of an incoming accessToken option. 2014-06-20 21:39:28 +00:00			`params = params.concat(['access_token']);`
			`headers = headers.concat(['X-Access-Token', 'authorization']);`
			`cookies = cookies.concat(['access_token', 'authorization']);`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00
			`for(length = params.length; i < length; i++) {`
			`id = req.param(params[i]);`

			`if(typeof id === 'string') {`
			`return id;`
			`}`
			`}`

Update session / token documentation 2013-11-14 23:27:36 +00:00			`for(i = 0, length = headers.length; i < length; i++) {`
			`id = req.header(headers[i]);`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00
			`if(typeof id === 'string') {`
Fix the typo and add Bearer token support See https://github.com/strongloop/loopback/issues/333 2014-07-02 16:02:13 +00:00			`// Add support for oAuth 2.0 bearer token`
			`// http://tools.ietf.org/html/rfc6750`
			`if (id.indexOf('Bearer ') === 0) {`
			`id = id.substring(7);`
			`// Decode from base64`
			`var buf = new Buffer(id, 'base64');`
			`id = buf.toString('utf8');`
			`}`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`return id;`
			`}`
			`}`

Only look at cookies if they are available 2013-12-12 00:42:47 +00:00			`if(req.signedCookies) {`
Fix the typo and add Bearer token support See https://github.com/strongloop/loopback/issues/333 2014-07-02 16:02:13 +00:00			`for(i = 0, length = cookies.length; i < length; i++) {`
Only look at cookies if they are available 2013-12-12 00:42:47 +00:00			`id = req.signedCookies[cookies[i]];`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00
Only look at cookies if they are available 2013-12-12 00:42:47 +00:00			`if(typeof id === 'string') {`
			`return id;`
			`}`
Add loopback.token() middleware 2013-11-14 21:01:47 +00:00			`}`
			`}`
			`return null;`
			`}`