Merge pull request #1416 from strongloop/feature/searchDefaultTokenKeys

Config option: (do not) search default token keys

common/models/access-token.js

@@ -168,9 +168,12 @@ module.exports = function(AccessToken) {
     var length;
     var id;
 
-    params = params.concat(['access_token']);
+    // https://github.com/strongloop/loopback/issues/1326
-    headers = headers.concat(['X-Access-Token', 'authorization']);
+    if (options.searchDefaultTokenKeys !== false) {
-    cookies = cookies.concat(['access_token', 'authorization']);
+      params = params.concat(['access_token']);
+      headers = headers.concat(['X-Access-Token', 'authorization']);
+      cookies = cookies.concat(['access_token', 'authorization']);
+    }
 
     for (length = params.length; i < length; i++) {
       var param = params[i];

server/middleware/token.js

@@ -61,6 +61,7 @@ function escapeRegExp(str) {
  * @property {Array} [cookies] Array of cookie names.
  * @property {Array} [headers] Array of header names.
  * @property {Array} [params] Array of param names.
+ * @property {Boolean} [searchDefaultTokenKeys] Use the default search locations for Token in request
  * @property {Function|String} [model] AccessToken model name or class to use.
  * @property {String} [currentUserLiteral] String literal for the current user.
  * @header loopback.token([options])

test/access-token.test.js

@@ -31,6 +31,30 @@ describe('loopback.token(options)', function() {
       .end(done);
   });
 
+  it('should not search default keys when searchDefaultTokenKeys is false',
+  function(done) {
+    var tokenId = this.token.id;
+    var app = createTestApp(
+      this.token,
+      { token: { searchDefaultTokenKeys: false } },
+      done);
+    var agent = request.agent(app);
+
+    // Set the token cookie
+    agent.get('/token').expect(200).end(function(err, res) {
+      if (err) return done(err);
+
+      // Make a request that sets the token in all places searched by default
+      agent.get('/check-access?access_token=' + tokenId)
+        .set('X-Access-Token', tokenId)
+        .set('authorization', tokenId)
+        // Expect 401 because there is no (non-default) place configured where
+        // the middleware should load the token from
+        .expect(401)
+        .end(done);
+    });
+  });
+
   it('should populate req.token from an authorization header with bearer token', function(done) {
     var token = this.token.id;
     token = 'Bearer ' + new Buffer(token).toString('base64');
@@ -350,13 +374,18 @@ function createTestApp(testToken, settings, done) {
 
   var appSettings = settings.app || {};
   var modelSettings = settings.model || {};
+  var tokenSettings = extend({
+    model: Token,
+    currentUserLiteral: 'me'
+  }, settings.token);
 
   var app = loopback();
 
   app.use(loopback.cookieParser('secret'));
-  app.use(loopback.token({model: Token, currentUserLiteral: 'me'}));
+  app.use(loopback.token(tokenSettings));
   app.get('/token', function(req, res) {
     res.cookie('authorization', testToken.id, {signed: true});
+    res.cookie('access_token', testToken.id, {signed: true});
     res.end();
   });
   app.get('/', function(req, res) {
@@ -368,6 +397,9 @@ function createTestApp(testToken, settings, done) {
     }
     res.send('ok');
   });
+  app.get('/check-access', function(req, res) {
+    res.status(req.accessToken ? 200 : 401).end();
+  });
   app.use('/users/:uid', function(req, res) {
     var result = {userId: req.params.uid};
     if (req.query.state) {