diff --git a/lib/application.js b/lib/application.js
index 7089d909..fe0b328c 100644
--- a/lib/application.js
+++ b/lib/application.js
@@ -169,35 +169,23 @@ app.enableAuth = function() {
 modelId = req.param('id');
 }
- if(req.accessToken) {
- Model.checkAccess(
- req.accessToken,
- modelId,
- method.name,
- function(err, allowed) {
- if(err) {
- next(err);
- } else if(allowed) {
- next();
- } else {
- var e = new Error('Access Denied');
- e.statusCode = 401;
- next(e);
- }
+ Model.checkAccess(
+ req.accessToken,
+ modelId,
+ method.name,
+ function(err, allowed) {
+ if(err) {
+ console.log(err);
+ next(err);
+ } else if(allowed) {
+ next();
+ } else {
+ var e = new Error('Access Denied');
+ e.statusCode = 401;
+ next(e);
 }
- );
- } else if(
- Model.requireToken === false ||
- Model.settings.requireToken === false ||
- method.fn && method.fn.requireToken === false
- ) {
- next();
- } else {
- var e = new Error('Access Denied');
- e.statusCode = 401;
-
- next(e);
- }
+ }
+ );
 });
 }
diff --git a/lib/models/access-token.js b/lib/models/access-token.js
index e15e2f17..9bce84c7 100644
--- a/lib/models/access-token.js
+++ b/lib/models/access-token.js
@@ -9,6 +9,7 @@ var Model = require('../loopback').Model
 , uid = require('uid2')
 , DEFAULT_TTL = 1209600 // 2 weeks in seconds
 , DEFAULT_TOKEN_LEN = 64
+ , Role = require('./role').Role
 , ACL = require('./acl').ACL;
 /**
@@ -27,7 +28,23 @@ var properties = {
 * Extends from the built in `loopback.Model` type.
 */
-var AccessToken = module.exports = Model.extend('AccessToken', properties);
+var AccessToken = module.exports = Model.extend('AccessToken', properties, {
+ acls: [
+ {
+ principalType: ACL.ROLE,
+ principalId: Role.EVERYONE,
+ permission: 'DENY'
+ },
+ {
+ principalType: ACL.ROLE,
+ principalId: Role.EVERYONE,
+ property: 'create',
+ permission: 'ALLOW'
+ }
+ ]
+});
+
+AccessToken.ANONYMOUS = new AccessToken({id: '$anonymous'});
 /**
 * Create a cryptographically random access token id.
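Review bot: The new `console.log(err);` in the error branch dumps the raw ACL-lookup error to stdout right before `next(err)` hands it to the app's error handling, so every failure is reported twice and the log line bypasses whatever logger the app has configured; drop the line or route it through the app's logger. With the `requireToken === false` branches gone, a request that has no `req.accessToken` is no longer short-circuited but handed to `Model.checkAccess` (which, per the lib/models/model.js hunk, substitutes the anonymous token), so models or methods that previously opted out via `requireToken` now depend entirely on their ACLs granting `Role.EVERYONE`; a comment on the `Model.checkAccess(` call such as `// no token: checkAccess evaluates the request as the anonymous token, so ACLs alone decide` would make that intentional rather than accidental. The test that asserted a 401 for token-less requests is deleted in test/access-token.test.js without a replacement covering the anonymous path. The enclosing enableAuth callback starts before this hunk.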
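Review bot: The second ACL entry grants `create` on AccessToken to `Role.EVERYONE`, so if this model is mounted on the REST API like the others, an unauthenticated client can POST an access token and pick its own `userId` and `ttl` — nothing in this hunk binds a created token to an authenticated principal. Unless `create` is meant to be reachable only through the login flow, leave it covered by the `DENY` entry (or reject a caller-supplied `userId` in a create hook) and document in a comment which code path is allowed to mint tokens. `AccessToken.ANONYMOUS = new AccessToken({id: '$anonymous'});` also warrants a comment, e.g. `// in-memory sentinel substituted by Model.checkAccess when a request carries no token; it is never saved, and no stored token should reuse this id`, because a persisted token with the same id could be confused with the sentinel by anything that compares token ids.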
diff --git a/lib/models/model.js b/lib/models/model.js
index 33461d97..c0a98817 100644
--- a/lib/models/model.js
+++ b/lib/models/model.js
@@ -4,6 +4,7 @@ var loopback = require('../loopback');
 var ModelBuilder = require('loopback-datasource-juggler').ModelBuilder;
 var modeler = new ModelBuilder();
+var assert = require('assert');
 /**
 * Define the built in loopback.Model.
@@ -128,6 +129,8 @@ function getACL() {
 * @param {Boolean} allowed is the request allowed
 */
 Model.checkAccess = function(token, modelId, method, callback) {
+ var ANONYMOUS = require('./access-token').ANONYMOUS;
+ token = token || ANONYMOUS;
 var ACL = getACL();
 var methodName = 'string' === typeof method? method: method && method.name;
 ACL.checkAccessForToken(token, this.modelName, modelId, methodName, callback);
diff --git a/test/access-token.test.js b/test/access-token.test.js
index de497fde..0ac52b49 100644
--- a/test/access-token.test.js
+++ b/test/access-token.test.js
@@ -60,13 +60,6 @@ describe('app.enableAuth()', function() {
 beforeEach(createTestingToken);
- it('should prevent all remote method calls without an accessToken', function (done) {
- createTestAppAndRequest(this.token, done)
- .get('/tests')
- .expect(401)
- .end(done);
- });
-
 it('should prevent remote method calls if the accessToken doesnt have access', function (done) {
 createTestAppAndRequest(this.token, done)
 .del('/tests/123')
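Review bot: `var assert = require('assert');` is added but no line in the visible hunks of lib/models/model.js uses it; if nothing else in the file does either, drop the require rather than leave an unused module-level binding.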
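Review bot: The `require('./access-token')` placed inside `Model.checkAccess` is presumably a lazy require to avoid a load-order cycle (access-token.js itself does `require('../loopback')`), but nothing in the hunk says so, so the next maintainer is likely to hoist it to the top of the file; add `// lazy require: access-token.js loads this module, so a top-level require would form a cycle` above it. `token = token || ANONYMOUS;` also changes the function's contract without updating the JSDoc above it — add a line stating that a missing token is evaluated as `AccessToken.ANONYMOUS`, so access is then decided solely by ACLs that grant `Role.EVERYONE`. The function's closing brace is outside the hunk.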