Merge pull request #92 from strongloop/feature/token-acl

Allow requests without auth tokens
This commit is contained in:
Ritchie Martori 2013-12-10 19:44:24 -08:00
commit f08b09823d
5 changed files with 61 additions and 38 deletions

View File

@ -169,35 +169,23 @@ app.enableAuth = function() {
modelId = req.param('id');
}
if(req.accessToken) {
Model.checkAccess(
req.accessToken,
modelId,
method.name,
function(err, allowed) {
if(err) {
next(err);
} else if(allowed) {
next();
} else {
var e = new Error('Access Denied');
e.statusCode = 401;
next(e);
}
Model.checkAccess(
req.accessToken,
modelId,
method.name,
function(err, allowed) {
if(err) {
console.log(err);
next(err);
} else if(allowed) {
next();
} else {
var e = new Error('Access Denied');
e.statusCode = 401;
next(e);
}
);
} else if(
Model.requireToken === false ||
Model.settings.requireToken === false ||
method.fn && method.fn.requireToken === false
) {
next();
} else {
var e = new Error('Access Denied');
e.statusCode = 401;
next(e);
}
}
);
});
}

View File

@ -9,6 +9,7 @@ var Model = require('../loopback').Model
, uid = require('uid2')
, DEFAULT_TTL = 1209600 // 2 weeks in seconds
, DEFAULT_TOKEN_LEN = 64
, Role = require('./role').Role
, ACL = require('./acl').ACL;
/**
@ -27,7 +28,23 @@ var properties = {
* Extends from the built in `loopback.Model` type.
*/
var AccessToken = module.exports = Model.extend('AccessToken', properties);
var AccessToken = module.exports = Model.extend('AccessToken', properties, {
acls: [
{
principalType: ACL.ROLE,
principalId: Role.EVERYONE,
permission: 'DENY'
},
{
principalType: ACL.ROLE,
principalId: Role.EVERYONE,
property: 'create',
permission: 'ALLOW'
}
]
});
AccessToken.ANONYMOUS = new AccessToken({id: '$anonymous'});
/**
* Create a cryptographically random access token id.

View File

@ -4,6 +4,7 @@
var loopback = require('../loopback');
var ModelBuilder = require('loopback-datasource-juggler').ModelBuilder;
var modeler = new ModelBuilder();
var assert = require('assert');
/**
* Define the built in loopback.Model.
@ -128,6 +129,8 @@ function getACL() {
* @param {Boolean} allowed is the request allowed
*/
Model.checkAccess = function(token, modelId, method, callback) {
var ANONYMOUS = require('./access-token').ANONYMOUS;
token = token || ANONYMOUS;
var ACL = getACL();
var methodName = 'string' === typeof method? method: method && method.name;
ACL.checkAccessForToken(token, this.modelName, modelId, methodName, callback);

View File

@ -13,7 +13,9 @@ var Model = require('../loopback').Model
, BaseAccessToken = require('./access-token')
, DEFAULT_TTL = 1209600 // 2 weeks in seconds
, DEFAULT_RESET_PW_TTL = 15 * 60 // 15 mins in seconds
, DEFAULT_MAX_TTL = 31556926; // 1 year in seconds
, DEFAULT_MAX_TTL = 31556926 // 1 year in seconds
, Role = require('./role').Role
, ACL = require('./acl').ACL;
/**
* Default User properties.
@ -44,12 +46,32 @@ var properties = {
lastUpdated: Date
}
/**
* Default User options.
*/
var options = {
acls: [
{
principalType: ACL.ROLE,
principalId: Role.EVERYONE,
permission: ACL.ALLOW,
property: 'create'
},
{
principalType: ACL.ROLE,
principalId: Role.OWNER,
permission: ACL.ALLOW,
property: 'removeById'
}
]
};
/**
* Extends from the built in `loopback.Model` type.
*/
var User = module.exports = Model.extend('User', properties);
var User = module.exports = Model.extend('User', properties, options);
/**
* Login a user by with the given `credentials`.

View File

@ -60,13 +60,6 @@ describe('app.enableAuth()', function() {
beforeEach(createTestingToken);
it('should prevent all remote method calls without an accessToken', function (done) {
createTestAppAndRequest(this.token, done)
.get('/tests')
.expect(401)
.end(done);
});
it('should prevent remote method calls if the accessToken doesnt have access', function (done) {
createTestAppAndRequest(this.token, done)
.del('/tests/123')