Commit Graph

16 Commits

Author SHA1 Message Date
Samuel Reed b362776e73
fix(AccessContext): Tighten userid/appid checks
An application may have a use for a falsy ID.
2017-12-05 10:03:52 -06:00
Miroslav Bajtoš c5145bdf34
Add support for scoped access tokens
Define a new property `AccessToken.scopes` to contain the list of
scopes granted to this access token.

Define a new remote method metadata `accessScopes` to contain a list
of scope name required by this method.

Define a special built-in scope name "DEFAULT" that's used when
a method/token does not provide any scopes. This allows access
tokens to grant access to both the default scope and any additional
custom scopes at the same time.

Modify the authorization algorithm to ensure that at least one
of the scopes required by a remote method is allowed by the scopes
granted to the requesting access token.

The "DEFAULT" scope preserve backwards compatibility because existing
remote methods with no `accessScopes` can be accessed by (existing)
access tokens with no `scopes` defined.

Impact on existing applications:

 - Database schema must be updated after upgrading the loopback version

 - If the application was already using a custom `AccessToken.scopes`
   property with a type different from an array, then the relevant code
   must be updated to work with the new type "array of strings".
2017-04-07 13:04:40 +02:00
ebarault 8aa98a80ef Propagate authorized roles in remoting context
Adds an authorizedRoles object to remotingContext.args.options
which contains all the roles (static and dynamic) that are
granted to the user when performing a request through
strong-remoting to an app with authentication enabled.

The authorizedRoles object for example looks like:
{
  $everyone: true,
  $authenticated: true,
  myRole: true
}

NOTE: this pr also covers a number of jsdoc fixes as well
as refactoring in ACL.js and access-context.js
2017-03-20 12:29:33 +01:00
ebarault f0e70dd8a9 Fix Role.isOwner() for multiple user models
Fix `Role.isOwner()` to check both principalId and principalType.
This fixes a bug where users from different User model were treated
as owners as long as their user id was the same as owner's id.
2017-02-17 11:19:07 +01:00
Eric 9fe084fffd Enable multiple user models
Allow LoopBack applications to configure multiple User models and share
the same AccessToken model.

To enable this feature:

1) In your custom AccessToken model:

 - add a new property "principalType" of type "string".
 - configure the relation "belongsTo user" as polymorphic,
   using "principalType" as the discriminator

2) In your User models:

 - Configure the "hasMany accessTokens" relation as polymorphic,
   using "principalType" as the discriminator

When creating custom Role and Principal instances, set your
User model's name as the value of "prinicipalType".
2017-02-02 09:42:30 +01:00
Loay 06cb481c3f Update eslint to loopback config v5
Notable side-effects:
 - loopback no longer exports "caller" and "arguments" properties
 - kv-memory connector is now properly added to the connector registry
 - the file "test/support.js" was finally removed
2016-11-22 14:08:02 +01:00
Ryan Graham 6964914bab
update copyright statements 2016-05-03 15:50:21 -07:00
Miroslav Bajtoš f9702b0ace Use eslint with loopback config
Drop jshint and jscs in favour of eslint.

Fix style violations.

While we are at this, reduce the max line length from 150 to 100.
2016-04-06 10:45:30 +02:00
Miroslav Bajtoš 9c5fe088e3 AccessControl for change replication
1) Add integration tests running change replication over REST to verify
that access control at model level is correctly enforced.

2) Implement a new access type "REPLICATE" that allows principals
to create new checkpoints, even though they don't have full WRITE
access to the model. Together with the "READ" permission, these
two types allow principals to replicate (pull) changes from the server.

Note that anybody having "WRITE" access type is automatically
granted "REPLICATE" type too.

3) Add a new model option "enableRemoteReplication" that exposes
replication methods via strong remoting, but does not configure
change rectification. This option should be used the clients
when setting up Remote models attached to the server via the remoting
connector.
2015-04-07 19:53:58 +02:00
Rob Halff 33096dafa7 Enable jscs for `lib`, fix style violations 2014-11-04 08:25:33 +01:00
Rand McKinney 3d201028e1 Remove doc for debug function 2014-11-03 16:26:33 -08:00
Rob Halff 4ebf10ae0d add missing semicolons 2014-10-22 18:47:52 +02:00
Miroslav Bajtoš 20026a9d04 Fix places using undefined variables
Also enable jshint option "undefined" in order to catch these kind
of errors in the future.
2014-10-15 16:44:00 +02:00
Miroslav Bajtoš 7c01d59d80 models: move ACL LDL def into a json file 2014-10-14 09:04:43 +02:00
Miroslav Bajtoš 5f20652241 models: move AccessToken LDL def into a json file 2014-10-14 08:58:17 +02:00
Miroslav Bajtoš 1fe0110849 Dismantle `lib/models`.
- Move core models `Model` and `PersistedModel` to `lib/`.
 - Move `AccessContext` class to `lib/`, since it is not a model.
 - Move all other built-in models to `common/models`.

This is a preparation for extracting model definitions to JSON files.
By splitting the change into multiple commits, git is able to keep track
of file moves (renames).
2014-10-13 12:09:27 +02:00