Allow requests without auth tokens

This commit is contained in:
Ritchie Martori 2013-12-10 15:57:55 -08:00
parent 2885d3c08f
commit dfcb43e613
4 changed files with 37 additions and 36 deletions

View File

@ -169,13 +169,13 @@ app.enableAuth = function() {
modelId = req.param('id');
}
if(req.accessToken) {
Model.checkAccess(
req.accessToken,
modelId,
method.name,
function(err, allowed) {
if(err) {
console.log(err);
next(err);
} else if(allowed) {
next();
@ -186,18 +186,6 @@ app.enableAuth = function() {
}
}
);
} else if(
Model.requireToken === false ||
Model.settings.requireToken === false ||
method.fn && method.fn.requireToken === false
) {
next();
} else {
var e = new Error('Access Denied');
e.statusCode = 401;
next(e);
}
});
}

View File

@ -9,6 +9,7 @@ var Model = require('../loopback').Model
, uid = require('uid2')
, DEFAULT_TTL = 1209600 // 2 weeks in seconds
, DEFAULT_TOKEN_LEN = 64
, Role = require('./role').Role
, ACL = require('./acl').ACL;
/**
@ -27,7 +28,23 @@ var properties = {
* Extends from the built in `loopback.Model` type.
*/
var AccessToken = module.exports = Model.extend('AccessToken', properties);
var AccessToken = module.exports = Model.extend('AccessToken', properties, {
acls: [
{
principalType: ACL.ROLE,
principalId: Role.EVERYONE,
permission: 'DENY'
},
{
principalType: ACL.ROLE,
principalId: Role.EVERYONE,
property: 'create',
permission: 'ALLOW'
}
]
});
AccessToken.ANONYMOUS = new AccessToken({id: '$anonymous'});
/**
* Create a cryptographically random access token id.

View File

@ -4,6 +4,7 @@
var loopback = require('../loopback');
var ModelBuilder = require('loopback-datasource-juggler').ModelBuilder;
var modeler = new ModelBuilder();
var assert = require('assert');
/**
* Define the built in loopback.Model.
@ -128,6 +129,8 @@ function getACL() {
* @param {Boolean} allowed is the request allowed
*/
Model.checkAccess = function(token, modelId, method, callback) {
var ANONYMOUS = require('./access-token').ANONYMOUS;
token = token || ANONYMOUS;
var ACL = getACL();
var methodName = 'string' === typeof method? method: method && method.name;
ACL.checkAccessForToken(token, this.modelName, modelId, methodName, callback);

View File

@ -60,13 +60,6 @@ describe('app.enableAuth()', function() {
beforeEach(createTestingToken);
it('should prevent all remote method calls without an accessToken', function (done) {
createTestAppAndRequest(this.token, done)
.get('/tests')
.expect(401)
.end(done);
});
it('should prevent remote method calls if the accessToken doesnt have access', function (done) {
createTestAppAndRequest(this.token, done)
.del('/tests/123')