Modify `loopback.rest` to include `loopback.token`
Make `loopback.rest` self-contained, so that authentication works out of the box. var app = loopback(); app.enableAuth(); app.use(loopback.rest()); Note that cookie parsing middleware is not added, users have to explicitly configure that if they want to store access tokens in cookies. Modify `loopback.token` to skip token lookup when the request already contains `accessToken` property. This is in line with other connect-based middleware like `cookieParser` or `json`.
This commit is contained in:
parent
81d29875be
commit
bfb154d445
|
@ -15,6 +15,7 @@ module.exports = rest;
|
|||
*/
|
||||
|
||||
function rest() {
|
||||
var tokenParser = null;
|
||||
return function (req, res, next) {
|
||||
var app = req.app;
|
||||
var handler = app.handler('rest');
|
||||
|
@ -23,9 +24,28 @@ function rest() {
|
|||
res.send(handler.adapter.allRoutes());
|
||||
} else if(req.url === '/models') {
|
||||
return res.send(app.remotes().toJSON());
|
||||
} else if (app.isAuthEnabled) {
|
||||
if (!tokenParser) {
|
||||
// NOTE(bajtos) It would be better to search app.models for a model
|
||||
// of type AccessToken instead of searching all loopback models.
|
||||
// Unfortunately that's not supported now.
|
||||
// Related discussions:
|
||||
// https://github.com/strongloop/loopback/pull/167
|
||||
// https://github.com/strongloop/loopback/commit/f07446a
|
||||
var AccessToken = loopback.getModelByType(loopback.AccessToken);
|
||||
tokenParser = loopback.token({ model: AccessToken });
|
||||
}
|
||||
|
||||
tokenParser(req, res, function(err) {
|
||||
if (err) {
|
||||
next(err);
|
||||
} else {
|
||||
handler(req, res, next);
|
||||
}
|
||||
});
|
||||
} else {
|
||||
handler(req, res, next);
|
||||
}
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
|
|
|
@ -53,12 +53,14 @@ function token(options) {
|
|||
assert(TokenModel, 'loopback.token() middleware requires a AccessToken model');
|
||||
|
||||
return function (req, res, next) {
|
||||
if (req.accessToken !== undefined) return next();
|
||||
TokenModel.findForRequest(req, options, function(err, token) {
|
||||
if(err) return next(err);
|
||||
if(token) {
|
||||
req.accessToken = token;
|
||||
next();
|
||||
} else {
|
||||
req.accessToken = null;
|
||||
return next();
|
||||
}
|
||||
});
|
||||
|
|
|
@ -32,6 +32,27 @@ describe('loopback.token(options)', function() {
|
|||
.end(done);
|
||||
});
|
||||
});
|
||||
|
||||
it('should skip when req.token is already present', function(done) {
|
||||
var tokenStub = { id: 'stub id' };
|
||||
app.use(function(req, res, next) {
|
||||
req.accessToken = tokenStub;
|
||||
next();
|
||||
});
|
||||
app.use(loopback.token({ model: Token }));
|
||||
app.get('/', function(req, res, next) {
|
||||
res.send(req.accessToken);
|
||||
});
|
||||
|
||||
request(app).get('/')
|
||||
.set('Authorization', this.token.id)
|
||||
.expect(200)
|
||||
.end(function(err, res) {
|
||||
if (err) return done(err);
|
||||
expect(res.body).to.eql(tokenStub);
|
||||
done();
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('AccessToken', function () {
|
||||
|
|
|
@ -0,0 +1,86 @@
|
|||
describe('loopback.rest', function() {
|
||||
beforeEach(function() {
|
||||
app.dataSource('db', { connector: loopback.Memory });
|
||||
});
|
||||
|
||||
it('works out-of-the-box', function(done) {
|
||||
app.model('MyModel', { dataSource: 'db' });
|
||||
app.use(loopback.rest());
|
||||
request(app).get('/mymodels')
|
||||
.expect(200)
|
||||
.end(done);
|
||||
});
|
||||
|
||||
it('includes loopback.token when necessary', function(done) {
|
||||
givenUserModelWithAuth();
|
||||
app.enableAuth();
|
||||
app.use(loopback.rest());
|
||||
|
||||
givenLoggedInUser(function(err, token) {
|
||||
if (err) return done(err);
|
||||
expect(token).instanceOf(app.models.accessToken);
|
||||
request(app).get('/users/' + token.userId)
|
||||
.set('Authorization', token.id)
|
||||
.expect(200)
|
||||
.end(done);
|
||||
});
|
||||
});
|
||||
|
||||
it('does not include loopback.token when auth not enabled', function(done) {
|
||||
var User = givenUserModelWithAuth();
|
||||
User.getToken = function(req, cb) {
|
||||
cb(null, req.accessToken ? req.accessToken.id : null);
|
||||
};
|
||||
loopback.remoteMethod(User.getToken, {
|
||||
accepts: [{ type: 'object', http: { source: 'req' } }],
|
||||
returns: [{ type: 'object', name: 'id' }]
|
||||
});
|
||||
|
||||
app.use(loopback.rest());
|
||||
givenLoggedInUser(function(err, token) {
|
||||
if (err) return done(err);
|
||||
request(app).get('/users/getToken')
|
||||
.set('Authorization', token.id)
|
||||
.expect(200)
|
||||
.end(function(err, res) {
|
||||
if (err) return done(err);
|
||||
expect(res.body.id).to.equal(null);
|
||||
done();
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
function givenUserModelWithAuth() {
|
||||
// NOTE(bajtos) It is important to create a custom AccessToken model here,
|
||||
// in order to overwrite the entry created by previous tests in
|
||||
// the global model registry
|
||||
app.model('accessToken', {
|
||||
options: {
|
||||
base: 'AccessToken'
|
||||
},
|
||||
dataSource: 'db'
|
||||
});
|
||||
return app.model('user', {
|
||||
options: {
|
||||
base: 'User',
|
||||
relations: {
|
||||
accessTokens: {
|
||||
model: 'accessToken',
|
||||
type: 'hasMany',
|
||||
foreignKey: 'userId'
|
||||
}
|
||||
}
|
||||
},
|
||||
dataSource: 'db'
|
||||
});
|
||||
}
|
||||
function givenLoggedInUser(cb) {
|
||||
var credentials = { email: 'user@example.com', password: 'pwd' };
|
||||
var User = app.models.user;
|
||||
User.create(credentials,
|
||||
function(err, user) {
|
||||
if (err) return done(err);
|
||||
User.login(credentials, cb);
|
||||
});
|
||||
}
|
||||
});
|
Loading…
Reference in New Issue