Allow requests without auth tokens
This commit is contained in:
Ritchie Martori
parent
2885d3c08f
commit
dfcb43e613
|
|
@ -169,35 +169,23 @@ app.enableAuth = function() {
|
|||
modelId = req.param('id');
|
||||
}
|
||||
|
||||
if(req.accessToken) {
|
||||
Model.checkAccess(
|
||||
req.accessToken,
|
||||
modelId,
|
||||
method.name,
|
||||
function(err, allowed) {
|
||||
if(err) {
|
||||
next(err);
|
||||
} else if(allowed) {
|
||||
next();
|
||||
} else {
|
||||
var e = new Error('Access Denied');
|
||||
e.statusCode = 401;
|
||||
next(e);
|
||||
}
|
||||
Model.checkAccess(
|
||||
req.accessToken,
|
||||
modelId,
|
||||
method.name,
|
||||
function(err, allowed) {
|
||||
if(err) {
|
||||
console.log(err);
|
||||
next(err);
|
||||
} else if(allowed) {
|
||||
next();
|
||||
} else {
|
||||
var e = new Error('Access Denied');
|
||||
e.statusCode = 401;
|
||||
next(e);
|
||||
}
|
||||
);
|
||||
} else if(
|
||||
Model.requireToken === false ||
|
||||
Model.settings.requireToken === false ||
|
||||
method.fn && method.fn.requireToken === false
|
||||
) {
|
||||
next();
|
||||
} else {
|
||||
var e = new Error('Access Denied');
|
||||
e.statusCode = 401;
|
||||
|
||||
next(e);
|
||||
}
|
||||
}
|
||||
);
|
||||
});
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ var Model = require('../loopback').Model
|
|||
, uid = require('uid2')
|
||||
, DEFAULT_TTL = 1209600 // 2 weeks in seconds
|
||||
, DEFAULT_TOKEN_LEN = 64
|
||||
, Role = require('./role').Role
|
||||
, ACL = require('./acl').ACL;
|
||||
|
||||
/**
|
||||
|
|
@ -27,7 +28,23 @@ var properties = {
|
|||
* Extends from the built in `loopback.Model` type.
|
||||
*/
|
||||
|
||||
var AccessToken = module.exports = Model.extend('AccessToken', properties);
|
||||
var AccessToken = module.exports = Model.extend('AccessToken', properties, {
|
||||
acls: [
|
||||
{
|
||||
principalType: ACL.ROLE,
|
||||
principalId: Role.EVERYONE,
|
||||
permission: 'DENY'
|
||||
},
|
||||
{
|
||||
principalType: ACL.ROLE,
|
||||
principalId: Role.EVERYONE,
|
||||
property: 'create',
|
||||
permission: 'ALLOW'
|
||||
}
|
||||
]
|
||||
});
|
||||
|
||||
AccessToken.ANONYMOUS = new AccessToken({id: '$anonymous'});
|
||||
|
||||
/**
|
||||
* Create a cryptographically random access token id.
|
||||
|
|
|
|||
|
|
@ -4,6 +4,7 @@
|
|||
var loopback = require('../loopback');
|
||||
var ModelBuilder = require('loopback-datasource-juggler').ModelBuilder;
|
||||
var modeler = new ModelBuilder();
|
||||
var assert = require('assert');
|
||||
|
||||
/**
|
||||
* Define the built in loopback.Model.
|
||||
|
|
@ -128,6 +129,8 @@ function getACL() {
|
|||
* @param {Boolean} allowed is the request allowed
|
||||
*/
|
||||
Model.checkAccess = function(token, modelId, method, callback) {
|
||||
var ANONYMOUS = require('./access-token').ANONYMOUS;
|
||||
token = token || ANONYMOUS;
|
||||
var ACL = getACL();
|
||||
var methodName = 'string' === typeof method? method: method && method.name;
|
||||
ACL.checkAccessForToken(token, this.modelName, modelId, methodName, callback);
|
||||
|
|
|
|||
|
|
@ -60,13 +60,6 @@ describe('app.enableAuth()', function() {
|
|||
|
||||
beforeEach(createTestingToken);
|
||||
|
||||
it('should prevent all remote method calls without an accessToken', function (done) {
|
||||
createTestAppAndRequest(this.token, done)
|
||||
.get('/tests')
|
||||
.expect(401)
|
||||
.end(done);
|
||||
});
|
||||
|
||||
it('should prevent remote method calls if the accessToken doesnt have access', function (done) {
|
||||
createTestAppAndRequest(this.token, done)
|
||||
.del('/tests/123')
|
||||
|
|
|
|||
Loading…
Reference in New Issue