Merge pull request #92 from strongloop/feature/token-acl

Allow requests without auth tokens

lib/application.js

@@ -169,13 +169,13 @@ app.enableAuth = function() {
       modelId = req.param('id');
     }
 
-    if(req.accessToken) {
     Model.checkAccess(
       req.accessToken,
       modelId,
       method.name,
       function(err, allowed) {
         if(err) {
+          console.log(err);
           next(err);
         } else if(allowed) {
           next();
@@ -186,18 +186,6 @@ app.enableAuth = function() {
         }
       }
     );
-    } else if(
-      Model.requireToken === false ||
-      Model.settings.requireToken === false ||
-      method.fn && method.fn.requireToken === false
-    ) {
-      next();
-    } else {
-      var e = new Error('Access Denied');
-      e.statusCode = 401;
-
-      next(e);
-    }
   });
 }
 

lib/models/access-token.js

@@ -9,6 +9,7 @@ var Model = require('../loopback').Model
   , uid = require('uid2')
   , DEFAULT_TTL = 1209600 // 2 weeks in seconds
   , DEFAULT_TOKEN_LEN = 64
+  , Role = require('./role').Role
   , ACL = require('./acl').ACL;
 
 /**
@@ -27,7 +28,23 @@ var properties = {
  * Extends from the built in `loopback.Model` type.
  */
 
-var AccessToken = module.exports = Model.extend('AccessToken', properties);
+var AccessToken = module.exports = Model.extend('AccessToken', properties, {
+  acls: [
+    {
+      principalType: ACL.ROLE,
+      principalId: Role.EVERYONE,
+      permission: 'DENY'
+    },
+    {
+      principalType: ACL.ROLE,
+      principalId: Role.EVERYONE,
+      property: 'create',
+      permission: 'ALLOW'
+    }
+  ]
+});
+
+AccessToken.ANONYMOUS = new AccessToken({id: '$anonymous'});
 
 /**
  * Create a cryptographically random access token id.

lib/models/model.js

@@ -4,6 +4,7 @@
 var loopback = require('../loopback');
 var ModelBuilder = require('loopback-datasource-juggler').ModelBuilder;
 var modeler = new ModelBuilder();
+var assert = require('assert');
 
 /**
  * Define the built in loopback.Model.
@@ -128,6 +129,8 @@ function getACL() {
  * @param {Boolean} allowed is the request allowed
  */
 Model.checkAccess = function(token, modelId, method, callback) {
+  var ANONYMOUS = require('./access-token').ANONYMOUS;
+  token = token || ANONYMOUS;
   var ACL = getACL();
   var methodName = 'string' === typeof method? method: method && method.name;
   ACL.checkAccessForToken(token, this.modelName, modelId, methodName, callback);

lib/models/user.js

@@ -13,7 +13,9 @@ var Model = require('../loopback').Model
   , BaseAccessToken = require('./access-token')
   , DEFAULT_TTL = 1209600 // 2 weeks in seconds
   , DEFAULT_RESET_PW_TTL = 15 * 60 // 15 mins in seconds
-  , DEFAULT_MAX_TTL = 31556926; // 1 year in seconds
+  , DEFAULT_MAX_TTL = 31556926 // 1 year in seconds
+  , Role = require('./role').Role
+  , ACL = require('./acl').ACL;
 
 /**
  * Default User properties.
@@ -44,12 +46,32 @@ var properties = {
     lastUpdated: Date
 }
 
+/**
+ * Default User options.
+ */
+
+var options = {
+  acls: [
+    {
+      principalType: ACL.ROLE,
+      principalId: Role.EVERYONE,
+      permission: ACL.ALLOW,
+      property: 'create'
+    },
+    {
+      principalType: ACL.ROLE,
+      principalId: Role.OWNER,
+      permission: ACL.ALLOW,
+      property: 'removeById'
+    }
+  ]
+};
 
 /**
  * Extends from the built in `loopback.Model` type.
  */
 
-var User = module.exports = Model.extend('User', properties);
+var User = module.exports = Model.extend('User', properties, options);
 
 /**
  * Login a user by with the given `credentials`.

test/access-token.test.js

@@ -60,13 +60,6 @@ describe('app.enableAuth()', function() {
 
   beforeEach(createTestingToken);
 
-  it('should prevent all remote method calls without an accessToken', function (done) {
-    createTestAppAndRequest(this.token, done)
-      .get('/tests')
-      .expect(401)
-      .end(done);
-  });
-
   it('should prevent remote method calls if the accessToken doesnt have access', function (done) {
     createTestAppAndRequest(this.token, done)
       .del('/tests/123')