Commit Graph

46 Commits

Author SHA1 Message Date
Raymond Feng 69df11bb8e Refactor access token to make it extensible
1. Make it possible to reuse getIdForRequest()
2. Introduce a flag to control if oAuth2 bearer token should be base64
encoded
3. Promote resolve() to locate/validate access tokens by id
2017-05-02 10:55:51 -07:00
Aaron Buchanan fbf818b2dc Fix user-literal rewrite for anonymous requests
Currently any `currentUserLiteral` routes when accessed with a bad
token throw a 500 due to a SQL error that is raised because
`Model.findById` is invoked with `id={currentUserLiteral}`
(`id=me` in our case) when the url rewrite fails.

This commit changes the token middleware to return 401 Not Authorized
when the client is requesting a currentUserLiteral route without
a valid access token.
2017-04-04 16:30:08 +02:00
ebarault cf98d379c4 fix custom token model in token middleware
Fixing server/middleware/token.js to handle correctly the
setup of a custom AccessToken model by name in either
middleware.json or using any of :
	app.use(loopback.token({...}));
	app.middlewareFromConfig(loopback.token, {...})
	app.middleware('auth', loopback.token({...}))
2017-03-06 16:10:25 +01:00
Miroslav Bajtoš 79f441b9c4 Verify User and AccessToken relations at startup
Modify `app.enableAuth()` to verify that (custom) User and AccessToken
models have correctly configured their hasMany/belongsTo relations
and print a warning otherwise.
2017-03-03 10:18:58 +01:00
Miroslav Bajtoš abf8246382 Fix test/access-token.test to use local registry 2017-02-24 14:17:12 +01:00
Miroslav Bajtoš 1ec7cf0a37 Turn on "no-unused-expressions" rule for eslint
Fix unit-tests relying on property-based assertions to use function
calls instead, using "dirty-chai" to modify chai's property checkers.
2016-11-22 15:30:04 +01:00
Loay 06cb481c3f Update eslint to loopback config v5
Notable side-effects:
 - loopback no longer exports "caller" and "arguments" properties
 - kv-memory connector is now properly added to the connector registry
 - the file "test/support.js" was finally removed
2016-11-22 14:08:02 +01:00
David Cheung b3c43b60cd make test individually runnable
Previously, when you ran something like `mocha test/model.test.js`,
you would get an error like "assert is not a function".
2016-11-17 18:05:58 -05:00
Miroslav Bajtoš 6808159427 Allow tokens with eternal TTL (value -1)
- Add a new User setting 'allowEternalTokens'
 - Enhance 'AccessToken.validate' to support eternal tokens with ttl
   value -1 when the user model allows it.
2016-10-10 13:27:22 +02:00
Carl Fürstenberg edd5275b8b Fix token middleware crash
Fix token middleware to check if `req.loopbackContext` is active.
The context is not active for example when express-session calls
setImmediate which breaks CLS.
2016-08-17 14:44:00 +02:00
Miroslav Bajtoš b087c930ed Remove current-context API
Change all current-context APIs to throw a helpful error.
2016-08-10 13:43:40 +02:00
Miroslav Bajtoš 98816217c9 test: use local registry in test fixtures
Use local registry in test fixtures to prevent collision in globally
shared models.

Fix issues discovered in auth implementation where the global registry
was used instead of the correct local one.
2016-07-27 10:07:49 +02:00
Benjamin Kroeger 83b5d72073 add missing unit tests for #2108
A subsequent token middleware tries to read `token.id` when `enableDoublecheck: true`. That caused a "Cannot read property `id` of `null`" error when the first middleware didn't actually find a valid accessToken.
2016-06-13 15:27:59 +02:00
David Cheung ddb5327e64 Update tests for strong-error-handler
Fix rest-adapter related test case switching to strong-error-handler
Only affect the test-cases calling rest methods
2016-06-07 13:26:18 -04:00
Miroslav Bajtoš 8d295b70f6 Remove legacy express 3.x middleware getters
Remove middleware-getter properties that were simplifying upgrade from
LoopBack 1.x/Express 3.x applications:

  - loopback.compress
  - loopback.timeout
  - loopback.cookieParser
  - loopback.cookieSession
  - loopback.csrf
  - loopback.errorHandler
  - loopback.session
  - loopback.methodOverride
  - loopback.logger
  - loopback.responseTime
  - loopback.favicon
  - loopback.directory
  - loopback.vhost

Also remove `loopback.mime`, which was set to `undefined` anyways.
2016-05-31 18:59:21 +02:00
Supasate Choochaisri 04e26fae5c Separate error-checking and next/done logic from other logic in the test suite
Signed-off-by: Supasate Choochaisri <supasate.c@gmail.com>
2016-05-05 11:12:48 +07:00
Ryan Graham 6964914bab update copyright statements 2016-05-03 15:50:21 -07:00
Benjamin Kröger 9e0405de9f Allow built-in token middleware to run repeatedly
Add two new options:

  - When `enableDoublecheck` is true, the middleware will run
    even if a previous middleware has already set `req.accessToken`
    (possibly to `null` for anonymous requests)

  - When `overwriteExistingToken` is true (and `enableDoublecheck` too),
    the middleware will overwrite `req.accessToken` set by a previous
    middleware instance.
2016-04-06 15:44:20 +02:00
Miroslav Bajtoš f9702b0ace Use eslint with loopback config
Drop jshint and jscs in favour of eslint.

Fix style violations.

While we are at this, reduce the max line length from 150 to 100.
2016-04-06 10:45:30 +02:00
Miroslav Bajtoš 986132d79f Add a unit-test for searchDefaultTokenKeys 2015-05-29 12:06:32 +02:00
Raymond Feng 12e19e36ea Upgrade test fixtures to use LB 2.x layout 2015-04-20 09:23:44 -07:00
Ritchie Martori b9170751bc Add support for app level Model isolation
- `loopback.registry` is now a true global registry
 - `app.registry` is unique per app object
 - `Model.registry` is set when a Model is created using any registry method
 - `loopback.localRegistry` and `loopback({localRegistry: true})` when set to `true` this will create a `Registry` per `Application`. It defaults to `false`.
2015-04-03 11:48:45 -07:00
Raymond Feng 6ad61d6c00 Enhance the token middleware to support current user literal 2015-03-12 08:28:15 -07:00
Ron Edgecomb a028d9d198 Add error code property to known error responses.
Enhance the error objects with a `code` property containing
a machine-readable string code describing the error, for example
INVALID_TOKEN or USER_NOT_FOUND.

Also improve 404 error messages to include the model name.
2015-01-21 19:04:47 +01:00
Ryan Graham fbb091e3b3 Extend AccessToken to parse Basic auth headers
Allow convenient URLs for curl and browsers such as:
 - http://some-long-token@localhost:3000/
 - http://token:some-long-token@localhost:3000/

Basic Auth specifies a 'Basic' scheme for the Authorization header
similar to how OAuth specifies 'Bearer' as an auth scheme.

Following a similar convention, extract the access token from the
Authorization header when it specifies the 'Basic' scheme, assuming
it is the larger of the <user>:<pass> segments.
2015-01-15 22:53:09 -08:00
Ryan Graham 83d8844b70 tests: fix Bearer token test 2015-01-15 22:53:09 -08:00
Rob Halff 36e1f6840c fix jscs errors 2014-11-21 03:35:36 +01:00
Rob Halff 918497c365 singlequote, semicolon & /*jshint -W030 */ 2014-11-21 02:46:21 +01:00
Miroslav Bajtoš a603ffa0f5 AccessToken: optional `options` in findForRequest
Fix `AccessToken.findForRequest` to correctly handle the case when
the options argument was omitted:

    AccessToken.findForRequest(req, cb);
2014-11-14 10:42:21 +01:00
Miroslav Bajtoš 038c6a454e middleware/token: store the token in current ctx 2014-11-11 11:04:41 +01:00
Miroslav Bajtoš b8e877c5e5 test: remove infinite timeout
The infinite timeout was useful when debugging, which is not a good
reason for keeping it around when not debugging.
2014-10-14 08:58:17 +02:00
Raymond Feng 79f504a3c7 Merge branch 'master' into 2.0 2014-07-16 09:09:07 -07:00
Raymond Feng 217c9fa348 Fix the typo and add Bearer token support
See https://github.com/strongloop/loopback/issues/333
2014-07-02 09:02:13 -07:00
Miroslav Bajtoš 56c7a6b3c5 Merge branch 'master' into 2.0
Conflicts:
	test/access-token.test.js
2014-06-16 10:20:22 +02:00
Karl Mikkelsen a90a5c7e58 Allow customization of ACL http status
emulate existing error on 404
new tests for model and app settings
Signed-off-by: Karl Mikkelsen <karl@karlmikko.com>
2014-06-14 11:31:15 +10:00
Miroslav Bajtoš ea5b9d16fc Rename DataModel to PersistedModel 2014-06-05 09:56:00 +02:00
Miroslav Bajtoš 18fd61a546 Merge branch 'master' into 2.0 2014-05-28 18:41:36 +02:00
Miroslav Bajtoš bfb154d445 Modify `loopback.rest` to include `loopback.token`
Make `loopback.rest` self-contained, so that authentication works
out of the box.

    var app = loopback();
    app.enableAuth();
    app.use(loopback.rest());

Note that cookie parsing middleware is not added, users have to
explicitly configure that if they want to store access tokens
in cookies.

Modify `loopback.token` to skip token lookup when the request already
contains `accessToken` property. This is in line with other
connect-based middleware like `cookieParser` or `json`.
2014-05-21 15:22:36 +02:00
Ritchie Martori ae2fb9dea0 !fixup use DataModel instead of Model for all data based models 2014-05-02 20:15:01 -07:00
Ritchie Martori dfcb43e613 Allow requests without auth tokens 2013-12-10 15:57:55 -08:00
Ritchie Martori 2f9403016c Initial auth implementation 2013-11-22 12:26:59 -08:00
Ritchie Martori da0545bed6 Initial auto wiring for model dataSources 2013-11-18 16:13:40 -08:00
Ritchie Martori 1de2a40e88 Update AccessToken and User relationship
- Add created default
 - Default TTLs for user login access tokens
 - Break out User / AccessToken relationship
2013-11-14 19:41:29 -08:00
Ritchie Martori 1bb95607b9 Update session / token documentation 2013-11-14 15:42:37 -08:00
Ritchie Martori 64d8ff986b Add loopback.token() middleware 2013-11-14 13:01:47 -08:00
Ritchie 77a137eca6 Rename Session => AccessToken 2013-11-14 10:05:13 -08:00