From 86ed4721a5800fa88672bf7fe9cea6383c3508c3 Mon Sep 17 00:00:00 2001
From: Owen Brotherwood
Date: Wed, 29 Apr 2015 13:45:22 +0200
Subject: [PATCH] access-token: add option "searchDefaultTokenKeys"
Set this option to false to prevent AccessToken from checking default places like "access_token" in query.
---
 common/models/access-token.js | 9 ++++++---
 server/middleware/token.js | 1 +
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/common/models/access-token.js b/common/models/access-token.js
index 73137125..27cf5206 100644
--- a/common/models/access-token.js
+++ b/common/models/access-token.js
@@ -168,9 +168,12 @@ module.exports = function(AccessToken) {
 var length;
 var id;
- params = params.concat(['access_token']);
- headers = headers.concat(['X-Access-Token', 'authorization']);
- cookies = cookies.concat(['access_token', 'authorization']);
+ // https://github.com/strongloop/loopback/issues/1326
+ if (options.searchDefaultTokenKeys !== false) {
+ params = params.concat(['access_token']);
+ headers = headers.concat(['X-Access-Token', 'authorization']);
+ cookies = cookies.concat(['access_token', 'authorization']);
+ }
 for (length = params.length; i < length; i++) {
 var param = params[i];
diff --git a/server/middleware/token.js b/server/middleware/token.js
index d9e0c1a5..e80eb560 100644
--- a/server/middleware/token.js
+++ b/server/middleware/token.js
@@ -61,6 +61,7 @@ function escapeRegExp(str) {
 * @property {Array} [cookies] Array of cookie names.
 * @property {Array} [headers] Array of header names.
 * @property {Array} [params] Array of param names.
+ * @property {Boolean} [searchDefaultTokenKeys] Use the default search locations for Token in request
 * @property {Function|String} [model] AccessToken model name or class to use.
 * @property {String} [currentUserLiteral] String literal for the current user.
 * @header loopback.token([options])
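Review bot: The new guard `options.searchDefaultTokenKeys !== false` in common/models/access-token.js turns the default lookup off only for the boolean literal `false`, so a misconfigured value such as the string `'false'` or `0` silently leaves `access_token`, `X-Access-Token` and `authorization` searchable. Because the option exists to keep tokens out of default locations like the query string, the fail-open contract should be stated where it is enforced; the bare issue link could become `// Default keys are searched unless searchDefaultTokenKeys is exactly false (issue 1326).` The diffstat lists no test file, so a test asserting that a request carrying an `access_token` query parameter yields no token id when the option is `false` would pin the behaviour. The enclosing function starts and ends outside the hunk, so whether `options` is always an object at this point cannot be confirmed from these lines.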
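Review bot: The added `@property` line in server/middleware/token.js does not state the default or what `false` changes, which matters for an option that controls where credentials are accepted from. Going by the access-token.js hunk, something like `@property {Boolean} [searchDefaultTokenKeys] Also search the default token keys (access_token, X-Access-Token, authorization). Defaults to true; set to false to accept tokens only from the configured params, headers and cookies.` would describe it accurately. This hunk only documents the option, and the doc comment and the middleware body continue outside it, so that `token()` forwards `options` unchanged to the model is presumed rather than visible here.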