From dfcb43e613cef83af968173618f930cf8c5083f3 Mon Sep 17 00:00:00 2001 From: Ritchie Martori Date: Tue, 10 Dec 2013 15:57:55 -0800 Subject: [PATCH 1/2] Allow requests without auth tokens --- lib/application.js | 44 ++++++++++++++------------------------ lib/models/access-token.js | 19 +++++++++++++++- lib/models/model.js | 3 +++ test/access-token.test.js | 7 ------ 4 files changed, 37 insertions(+), 36 deletions(-) diff --git a/lib/application.js b/lib/application.js index 7089d909..fe0b328c 100644 --- a/lib/application.js +++ b/lib/application.js @@ -169,35 +169,23 @@ app.enableAuth = function() { modelId = req.param('id'); } - if(req.accessToken) { - Model.checkAccess( - req.accessToken, - modelId, - method.name, - function(err, allowed) { - if(err) { - next(err); - } else if(allowed) { - next(); - } else { - var e = new Error('Access Denied'); - e.statusCode = 401; - next(e); - } + Model.checkAccess( + req.accessToken, + modelId, + method.name, + function(err, allowed) { + if(err) { + console.log(err); + next(err); + } else if(allowed) { + next(); + } else { + var e = new Error('Access Denied'); + e.statusCode = 401; + next(e); } - ); - } else if( - Model.requireToken === false || - Model.settings.requireToken === false || - method.fn && method.fn.requireToken === false - ) { - next(); - } else { - var e = new Error('Access Denied'); - e.statusCode = 401; - - next(e); - } + } + ); }); } diff --git a/lib/models/access-token.js b/lib/models/access-token.js index e15e2f17..9bce84c7 100644 --- a/lib/models/access-token.js +++ b/lib/models/access-token.js @@ -9,6 +9,7 @@ var Model = require('../loopback').Model , uid = require('uid2') , DEFAULT_TTL = 1209600 // 2 weeks in seconds , DEFAULT_TOKEN_LEN = 64 + , Role = require('./role').Role , ACL = require('./acl').ACL; /** 
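Review bot: The rewritten middleware drops the deny-by-default branch: a request with no `req.accessToken` used to get a 401 unless `Model.requireToken`, `Model.settings.requireToken` or `method.fn.requireToken` was explicitly `false`, and now it always reaches `Model.checkAccess`, so every model whose ACLs contain no DENY rule for `Role.EVERYONE` becomes reachable anonymously where it was previously closed. If that is the intended model, the removed `requireToken` settings should be documented as no longer honoured, since apps that still set them get no warning. The `console.log(err)` added inside the callback looks like leftover debugging and should be removed or routed through the app's logger. The test deleted in test/access-token.test.js (`should prevent all remote method calls without an accessToken`) is not replaced by one asserting that an anonymous request to a model with a DENY-everyone ACL still gets a 401. The enclosing `app.enableAuth` middleware starts and ends outside the hunk.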
@@ -27,7 +28,23 @@ var properties = { * Extends from the built in `loopback.Model` type. */ -var AccessToken = module.exports = Model.extend('AccessToken', properties); +var AccessToken = module.exports = Model.extend('AccessToken', properties, { + acls: [ + { + principalType: ACL.ROLE, + principalId: Role.EVERYONE, + permission: 'DENY' + }, + { + principalType: ACL.ROLE, + principalId: Role.EVERYONE, + property: 'create', + permission: 'ALLOW' + } + ] +}); + +AccessToken.ANONYMOUS = new AccessToken({id: '$anonymous'}); /** * Create a cryptographically random access token id. diff --git a/lib/models/model.js b/lib/models/model.js index 33461d97..c0a98817 100644 --- a/lib/models/model.js +++ b/lib/models/model.js @@ -4,6 +4,7 @@ var loopback = require('../loopback'); var ModelBuilder = require('loopback-datasource-juggler').ModelBuilder; var modeler = new ModelBuilder(); +var assert = require('assert'); /** * Define the built in loopback.Model. @@ -128,6 +129,8 @@ function getACL() { * @param {Boolean} allowed is the request allowed */ Model.checkAccess = function(token, modelId, method, callback) { + var ANONYMOUS = require('./access-token').ANONYMOUS; + token = token || ANONYMOUS; var ACL = getACL(); var methodName = 'string' === typeof method? method: method && method.name; ACL.checkAccessForToken(token, this.modelName, modelId, methodName, callback); diff --git a/test/access-token.test.js b/test/access-token.test.js index de497fde..0ac52b49 100644 --- a/test/access-token.test.js +++ b/test/access-token.test.js @@ -60,13 +60,6 @@ describe('app.enableAuth()', function() { beforeEach(createTestingToken); - it('should prevent all remote method calls without an accessToken', function (done) { - createTestAppAndRequest(this.token, done) - .get('/tests') - .expect(401) - .end(done); - }); - it('should prevent remote method calls if the accessToken doesnt have access', function (done) { createTestAppAndRequest(this.token, done) .del('/tests/123') 
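Review bot: The second ACL entry grants `create` on AccessToken to `Role.EVERYONE`, which makes the token-creation remote method callable without any authentication; whether a client can then choose the `userId` or `id` of the token it creates depends on how the remote `create` maps the request body onto the model, which is not visible here, and that should be confirmed before this default ships, especially since the new `AccessToken.ANONYMOUS` sentinel uses a fixed, predictable id (`$anonymous`) that a persisted token could collide with. The `permission` values are written as string literals (`'DENY'`, `'ALLOW'`) while the User ACLs in the second patch use `ACL.ALLOW`; using the constants here as well (`permission: ACL.DENY`, `permission: ACL.ALLOW`, assuming the ACL module exports a `DENY` constant alongside `ALLOW`) keeps the two models consistent and turns a typo into a load-time error. A one-line comment on the sentinel, `// Stand-in token used by Model.checkAccess when the request carries no access token`, would tell the next reader why it exists.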
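Review bot: `token = token || ANONYMOUS` in `Model.checkAccess` turns every falsy `token` from any caller into an anonymous check, which is reasonable for a missing header but also masks a caller bug where a real token object was expected, and the `require('./access-token')` is re-evaluated on every call. If the in-function require exists to avoid a circular require (access-token.js pulls in '../loopback', which I assume reaches this module — not visible here), a comment saying so, `// required lazily to avoid a circular require with access-token.js`, would stop the next maintainer from hoisting it; otherwise hoist it next to the other requires at the top of the file. The JSDoc above this function, which starts outside the hunk, should state that `token` may be omitted and that an omitted token is evaluated as `AccessToken.ANONYMOUS`. The `var assert = require('assert')` added in the earlier hunk of this file is not used by any line shown in this patch.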
From b0f51e20f7af8a54c67f89ffa5d6bef9aee0a9a9 Mon Sep 17 00:00:00 2001 From: Ritchie Martori Date: Tue, 10 Dec 2013 19:43:59 -0800 Subject: [PATCH 2/2] Add user default ACLs --- lib/models/user.js | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/lib/models/user.js b/lib/models/user.js index 86ad3d50..bfb431e3 100644 --- a/lib/models/user.js +++ b/lib/models/user.js @@ -13,7 +13,9 @@ var Model = require('../loopback').Model , BaseAccessToken = require('./access-token') , DEFAULT_TTL = 1209600 // 2 weeks in seconds , DEFAULT_RESET_PW_TTL = 15 * 60 // 15 mins in seconds - , DEFAULT_MAX_TTL = 31556926; // 1 year in seconds + , DEFAULT_MAX_TTL = 31556926 // 1 year in seconds + , Role = require('./role').Role + , ACL = require('./acl').ACL; /** * Default User properties. @@ -44,12 +46,32 @@ var properties = { lastUpdated: Date } +/** + * Default User options. + */ + +var options = { + acls: [ + { + principalType: ACL.ROLE, + principalId: Role.EVERYONE, + permission: ACL.ALLOW, + property: 'create' + }, + { + principalType: ACL.ROLE, + principalId: Role.OWNER, + permission: ACL.ALLOW, + property: 'removeById' + } + ] +}; /** * Extends from the built in `loopback.Model` type. */ -var User = module.exports = Model.extend('User', properties); +var User = module.exports = Model.extend('User', properties, options); /** * Login a user by with the given `credentials`.
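Review bot: The new `options.acls` for User contains only two ALLOW rules and no DENY entry for `Role.EVERYONE`, unlike the AccessToken ACLs in the first patch, so what the remaining User remote methods do for anonymous and non-owner callers is decided entirely by the ACL resolver's default, which is not visible here. If that default is deny, `login` itself becomes unreachable for anonymous clients because it has no ALLOW rule; if it is allow, every User record is readable and writable by anyone. Either way the intent should be explicit: a leading `{ principalType: ACL.ROLE, principalId: Role.EVERYONE, permission: ACL.DENY }` entry (assuming `ACL.DENY` exists alongside `ACL.ALLOW`) plus explicit ALLOW rules for the public methods makes the model deny-by-default rather than resolver-dependent. The `Role.OWNER` rule for `removeById` is reasonable but deserves a comment such as `// only the account owner may delete their own record`.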