Commit Graph

206 Commits

Author SHA1 Message Date
Farid Nouri Neshat 1cc25923a7 Fix options.to assertion message in user.verify 2015-08-27 00:25:09 +08:00
Raymond Feng 06cece038e Merge pull request #1584 from strongloop/feature/add-more-acl-utils
Enhance the ACL related models
2015-08-13 09:00:32 -07:00
Raymond Feng 3eb8dd55f6 Add util methods to ACL and clean up related model resolutions 2015-08-13 08:58:41 -07:00
Pradnya Baviskar 2ee7c94a4e Promisify 'Application' model 2015-08-12 09:15:24 +02:00
Miroslav Bajtoš 004baad44c Merge pull request #1501 from digitalsadhu/master
Add missing . to user model property descriptions
2015-08-06 09:40:22 +02:00
Miroslav Bajtoš aa5c9e3628 Merge pull request #1493 from PradnyaBaviskar/issue418-userModel
Promisify User model
2015-08-04 10:32:44 +02:00
Raymond Feng 66d5cc07e0 Merge pull request #1465 from FreeCodeCamp/fix/no-password
fix: exit early when password is non-string
2015-07-29 15:12:43 -07:00
Berkeley Martinez 68fd106510 fix exit early when password is non-string
closes #1437
2015-07-29 13:14:06 -07:00
Pradnya Baviskar dc987a59a9 Promisify User model 2015-07-14 13:01:46 +05:30
Miroslav Bajtoš 5ec7fd51e2 Merge pull request #1416 from strongloop/feature/searchDefaultTokenKeys
Config option: (do not) search default token keys
2015-07-09 18:03:41 +02:00
Richard Walker 83dca3e838 Add missing . to user model property descriptions 2015-07-04 22:30:45 +02:00
Raymond Feng 77bcc09107 Merge branch 'master' of https://github.com/esco/loopback into esco-master 2015-05-29 16:44:18 -07:00
Owen Brotherwood 86ed4721a5 access-token: add option "searchDefaultTokenKeys"
Set this option to false to prevent AccessToken from checking default
places like "access_token" in query.
2015-05-29 12:06:31 +02:00
Alexandru Savin f70c209526 Pass the full options object to the email send method in user verification process. 2015-05-06 15:52:07 +02:00
Miroslav Bajtoš da50d6ffb0 Merge pull request #1332 from strongloop/fix/user-login-include
Fix remoting metadata for User.login#include
2015-04-28 08:08:25 +02:00
Miroslav Bajtoš 03d9f64c82 Fix remoting metadata for User.login#include
Change the type of the "include" argument to "string array".

The type used to be "string" before and thus requests sending multiple
include items were technically incorrect.
2015-04-24 08:58:30 +02:00
Raymond Feng bdc741520e Disable inclusion of User.accessTokens 2015-04-20 11:44:07 -07:00
Edmond Lau ef7c1439b6 fixed the missing '.' in various description fields. 2015-04-15 09:47:38 -04:00
Miroslav Bajtoš cf2acb3cd2 Conflict resolution and Access control
Add end-to-end unit-tests verifying enforcement of access control during
conflict resolution.

Implement two facade methods providing REST API for Change methods used
by conflict resolution:

    PersistedModel.findLastChange
    GET /api/{model.pluralName}/{id}/changes/last

    PersistedModel.updateLastChange
    PUT /api/{model.pluralName}/{id}/changes/last

By providing these two methods on PersistedModel, replication users
don't have to expose the Change model via the REST API. What's even
more important, these two methods use the same set of ACL rules
as other (regular) PersistedModel methods.

Rework `Conflict.prototype.changes()` and `Conflict.prototype.resolve()`
to use these new facade methods.

Implement a new method `Conflict.prototype.swapParties()` that provides
better API for the situation when a conflict detected in Remote->Local
replication should be resolved locally (i.e. in the replication target).
2015-04-14 08:23:24 +02:00
Miroslav Bajtoš 9c5fe088e3 AccessControl for change replication
1) Add integration tests running change replication over REST to verify
that access control at model level is correctly enforced.

2) Implement a new access type "REPLICATE" that allows principals
to create new checkpoints, even though they don't have full WRITE
access to the model. Together with the "READ" permission, these
two types allow principals to replicate (pull) changes from the server.

Note that anybody having "WRITE" access type is automatically
granted "REPLICATE" type too.

3) Add a new model option "enableRemoteReplication" that exposes
replication methods via strong remoting, but does not configure
change rectification. This option should be used the clients
when setting up Remote models attached to the server via the remoting
connector.
2015-04-07 19:53:58 +02:00
Miroslav Bajtoš b61fae58f6 Merge pull request #1272 from strongloop/feature/after-remote-error-hook
Model.afterRemoteError hook
2015-04-07 09:47:51 +02:00
Ritchie Martori b9170751bc Add support for app level Model isolation
- `loopback.registry` is now a true global registry
 - `app.registry` is unique per app object
 - `Model.registry` is set when a Model is created using any registry method
 - `loopback.localRegistry` and `loopback({localRegistry: true})` when set to `true` this will create a `Registry` per `Application`. It defaults to `false`.
2015-04-03 11:48:45 -07:00
Miroslav Bajtoš a71c8253e2 Code cleanup, add Model._runWhenAttachedToApp 2015-04-03 10:06:49 +02:00
Miroslav Bajtoš 63e2f4b134 Improve error handling in replication
Deprecate `Change.handleError`, it was used inconsistenly for a subset
of possible errors only. Rework all `Change` methods to always report
all errors to the caller via the callback.

Rework `PersistedModel` to report change-tracking errors via the
existing method `PersistedModel.handleChangeError`. This method
can be customized on a per-model basis to provide different error
handling.

The default implementation emits `error` event on the model class,
users can attach an event listener that can provide a custom error
handler.

NOTE: Unhandled `error` events crash the application by default.
2015-03-30 11:07:53 +02:00
Raymond Feng 548cb6ef94 Fix style issues 2015-03-27 08:59:11 -07:00
Esco Obong 957f84e989 add callback args for listByPrincipalType to jsdoc comment, pass explicit arguments to callback 2015-03-26 10:10:13 -04:00
Esco Obong 1993338c0b Merge branch 'master' of https://github.com/strongloop/loopback 2015-03-25 16:45:58 -04:00
Esco Obong 7923d036f8 mark utiltiy function as private 2015-03-25 10:10:34 -04:00
Miroslav Bajtoš 65c14c1779 Add conflict resolution API
New methods:
  conflict.resolveUsingSource(cb)
  conflict.resolveUsingTarget(cb)
  conflict.resolveManually(data, cb)
2015-03-20 17:47:07 +01:00
Miroslav Bajtoš 911d8323b4 Merge pull request #1205 from strongloop/feature/custom-verify-token-generator
Add ability to pass in custom verification token generator
2015-03-20 08:56:59 +01:00
Miroslav Bajtoš 87940a4b58 Detect 3rd-party changes made during replication
Modify `Change.diff()` to include current data revision in each
delta reported back. The current data revision is stored in
`delta.prev`.

Modify `PersistedModel.bulkUpdate()` to check that the current data
revision matches `delta.prev` and report a conflict if a third party
has modified the database under our hands.

Fix `Change` implementation and tests so that they are no longer
attempting to create instances with duplicate ids.
(This used to work because the memory connector was silently
converting such requests to updateOrCreate/findOrCreate.)
2015-03-20 08:19:59 +01:00
jakerella 713001913e Ability to pass in custom verification token generator
This commit adds the ability for the developer to use a custom token generator function for the user.verify(...) method. By default, the system will still use the crypto.randomBytes() method if no option is provided.
2015-03-19 16:56:38 -04:00
Esco Obong 551261ec16 fix linting errors 2015-03-13 18:30:53 -04:00
Esco Obong c764c09837 fix lint erros 2015-03-13 16:53:26 -04:00
Esco Obong 7a990d745c Merge remote-tracking branch 'upstream/master' 2015-03-13 15:06:00 -04:00
Esco Obong 8cc558a991 consolidate Role methods roles, applications, and users into one, add query param to allow for pagination and restricting fields 2015-03-13 11:50:30 -04:00
Esco Obong 74018019b4 fix implementation of Role methods: users,roles, and applications 2015-03-12 14:58:08 -04:00
crandmck 1cabd74308 Remove duplicate cb func from getRoles and other doc cleanup 2015-03-12 11:15:36 -07:00
Benjamin Boudreau 2d08e656b8 Handling owner being a relation/function 2015-03-11 10:25:40 -04:00
Miroslav Bajtoš e59493ec40 Merge pull request #1176 from strongloop/feature/more-replication-improvements
Prevent more kinds of false replication conflicts
2015-03-06 07:27:16 +01:00
ulion 9f705139f8 Static ACL support array of properties now 2015-03-06 06:24:09 +08:00
Miroslav Bajtoš 76d9244448 Prevent more kinds of false replication conflicts
Rework the Change model to merge changes made within the same
Checkpoint.

Rework `replicate()` to run multiple iteration until there were no
changes replicated. This ensures that the target model is left in
a clean state with no pending changes associated with the latest
(current) checkpoint.
2015-03-05 14:15:02 +01:00
Miroslav Bajtoš b381c5df7e Add more debug logs to replication 2015-03-04 15:00:53 +01:00
Miroslav Bajtoš 2885317634 Merge pull request #1157 from strongloop/feature/replication-improvements
Replication improvements: Checkpoint
2015-03-04 08:45:19 +01:00
Miroslav Bajtoš 3d5c8a7443 Checkpoint: start with seq=1 instead of seq=0
Since the seq behaves in many senses like an id, it should meet
the usual expectation people have about ids. Using only truthy values
is one of them.
2015-03-03 19:37:11 +01:00
Miroslav Bajtoš 628e3a30ca Return new checkpoints in callback of replicate()
Extend `PersistedModel.replicate` to pass the newly created checkpoints
as the third callback argument.

The typical usage of these values is to pass them as the `since`
argument of the next `replicate()` call.

    global.since = -1;

    function sync(cb) {
      LocalModel.replicate(
        since,
        RemoteModel,
        function(err, conflicts, cps)
          if (err) return cb(err);
          if (!conflicts.length) {
            since = cps;
            return cb();
          }
          // resolve conflicts and try again
        });
    }
2015-03-03 19:37:11 +01:00
Miroslav Bajtoš e20cc66787 Replace deprecated hooks with Operation hooks
AccessToken.beforeCreate -> AccessToken.observe('before save')
Application.beforeCreate -> Application.observe('before save')
Checkpoint.beforeSave -> Checkpoint.observe('before save')
2015-03-03 18:06:15 +01:00
Raymond Feng 78550a9bc5 Pass options from User.login to createAccessToken
It will allow subclass of User to create access token based on additional
properties such as 'scope'.
2015-03-02 14:48:08 -08:00
Miroslav Bajtoš 3c43eccac7 Merge pull request #1120 from PradnyaBaviskar/lb-issue-416
Fix "User.confirm" to always call afterRemote hook

Close #1120
2015-02-25 14:26:07 +01:00
Pradnya Baviskar 8766d4a68d Fix "User.confirm" to always call afterRemote hook
Make the "redirect" parameter optional. When the parameter is not
specified, the server responds with an empty response (204). This allows
API clients to call the method without the need to handle redirects
and HTML responses.

Even when the "redirect" parameter is included, the builtin afterRemote
hook still calls next(), so that user-provided afterRemote hooks
are executed too.
2015-02-25 14:20:47 +01:00
Raymond Feng 13e618bff2 Skip hashing password if it's already hashed
See https://github.com/strongloop/loopback-datasource-juggler/issues/471
2015-02-24 16:36:51 -08:00
Miroslav Bajtoš 3d977f3e68 Merge pull request #1116 from strongloop/fix/change-detection
Fix change detection & tracking
2015-02-24 08:24:27 +01:00
crandmck a82b33ec5c Add docs for settings per #1069 2015-02-23 13:13:52 -08:00
Miroslav Bajtoš 702ecc6f72 Fix change detection & tracking
Add unit-tests to verify that all DAO methods correctly create change
records.

Rework the change detection to use the new operation hooks, this fixes
the bugs where operations like "updateOrCreate" did not update change
records.
2015-02-20 19:28:33 +01:00
Miroslav Bajtoš c2236c393b Upgrade jscs to ~1.11 via grunt-jscs ^1.5 2015-02-20 15:31:15 +01:00
Raymond Feng a19f39396f Fix coding style issue 2015-02-18 15:25:46 -08:00
zane 39560b9ce6 Fix for issue 1099.
Signed-off-by: zane <zane.mccaig@mail.mcgill.ca>
2015-02-18 11:05:53 -04:00
Ritchie Martori 4b6dcd6271 Document user settings 2015-02-04 14:09:01 -08:00
Miroslav Bajtoš a77b3bbac7 Remove usages of deprecated `req.param()`
Express has recently deprecated `req.param()` to force developers
to be explicit about the source of the value. To avoid deprecation
warnings, this commit replaces all calls of `req.param()` with a
simplified inline version.
2015-01-21 19:27:53 +01:00
Ron Edgecomb a028d9d198 Add error code property to known error responses.
Enhance the error objects with a `code` property containing
a machine-readable string code describing the error, for example
INVALID_TOKEN or USER_NOT_FOUND.

Also improve 404 error messages to include the model name.
2015-01-21 19:04:47 +01:00
Ritchie Martori 0b0927b56b Merge pull request #992 from TorchlightSoftware/repl-optimize
don't send queries to the DB when no changes are detected
2015-01-19 09:32:17 -08:00
Ryan Graham 8fa04fd32f Merge pull request #1015 from strongloop/feature/rmg-basic-auth-support
Extend AccessToken to parse Basic auth headers
2015-01-16 10:52:02 -08:00
Ryan Graham fbb091e3b3 Extend AccessToken to parse Basic auth headers
Allow convenient URLs for curl and browsers such as:
 - http://some-long-token@localhost:3000/
 - http://token:some-long-token@localhost:3000/

Basic Auth specifies a 'Basic' scheme for the Authorization header
similar to how OAuth specifies 'Bearer' as an auth scheme.

Following a similar convention, extract the access token from the
Authorization header when it specifies the 'Basic' scheme, assuming
it is the larger of the <user>:<pass> segments.
2015-01-15 22:53:09 -08:00
Raymond Feng 563a06fa7e Make sure EXECUTE access type matches READ or WRITE
See https://github.com/strongloop/loopback/issues/1011
2015-01-14 13:38:44 -08:00
Ritchie Martori e0e9d6ecff Merge pull request #943 from BerkeleyTrue/refactor/user-remote-method
Use User.remoteMethod instead of loopbacks method
2015-01-13 10:20:43 -08:00
bitmage c28698c1ba don't send queries to the DB when no changes are detected 2015-01-10 11:28:55 -07:00
Raymond Feng f5eac871fd Merge branch 'master' of https://github.com/greaterweb/loopback into greaterweb-master 2015-01-07 16:35:00 -08:00
Raymond Feng 90fd62ec0a Merge pull request #941 from strongloop/feature/workaround-issue-251
Allow User.hashPassword/validatePassword to be overridden
2015-01-07 14:01:03 -08:00
Raymond Feng b7db9808b2 Allow User.hashPassword/validatePassword to be overridden
See https://github.com/strongloop/loopback/issues/251
2015-01-06 16:03:30 -08:00
Berkeley Martinez 4fc07fe125 Use User.remoteMethod instead of loopbacks method
This is needed for loopback-connector-remote authorization.
Addresses https://github.com/strongloop/loopback/issues/622.
2015-01-06 08:18:57 -08:00
Ron Edgecomb dc055e5559 Require valid login credentials before verified email check.
- strongloop/loopback#931.
2015-01-05 18:40:59 -05:00
Ritchie Martori 270dfc2603 Merge pull request #955 from alFReD-NSH/checkpoint-leak
Fix Change.getCheckpointModel() giving new models each call
2015-01-05 09:40:29 -08:00
Clark Wang 2f9400fc87 fix User.settings.ttl can't be overridden in sub model
Signed-off-by: Clark Wang <clark.wangs@gmail.com>
2014-12-28 16:02:37 +08:00
Farid Neshat d5d7ecd0bb Fix Change.getCheckpointModel() giving new models each call
This was a huge memory leak in our app...
2014-12-27 23:48:56 +08:00
Raymond Feng cb2f40bb86 Fix bcrypt issues for browserify 2014-12-08 14:59:21 -08:00
Raymond Feng 1e932e72ed Allow native bcrypt for performance
See https://github.com/strongloop/loopback/issues/892
2014-12-03 09:03:36 -08:00
Miroslav Bajtoš a603ffa0f5 AccessToken: optional `options` in findForRequest
Fix `AccessToken.findForRequest` to correctly handle the case when
the options argument was omitted:

    AccessToken.findForRequest(req, cb);
2014-11-14 10:42:21 +01:00
Miroslav Bajtoš 7c96aec9af Merge pull request #738 from strongloop/feature/style-cleanup-in-common
common: coding style cleanup
2014-11-05 20:07:34 +01:00
Miroslav Bajtoš d9a426c867 Merge pull request #668 from BerkeleyTrue/fix/dublicateId
This fixes duplicate key issue #649
2014-11-05 19:22:22 +01:00
Miroslav Bajtoš dc762d2514 common: coding style cleanup 2014-11-04 13:52:49 +01:00
Raymond Feng 842d9b0bcd Fix the jsdoc for User.login 2014-11-03 14:07:19 -08:00
Berkeley Martinez 1ee05eb8a7 Deleted instantiation of new Change model.
This PR removes the instantiation of a new change model
as models return from Change.find are already
instances of Change. This solves the duplicate Id issue #649
2014-11-03 13:41:43 -08:00
Miroslav Bajtoš fec8234c4c Merge pull request #616 from jpizarrom/master
added email custom headers in user verify
2014-10-24 19:51:10 +02:00
Juan Pizarro 4098bec2c6 User: custom email headers in verify 2014-10-24 14:42:49 -03:00
Raymond Feng b98ada282f Merge pull request #660 from strongloop/feature/add-realm-support
Add realm support
2014-10-24 08:27:28 -07:00
Raymond Feng 46d1430023 Add realm support 2014-10-23 11:10:39 -07:00
Raymond Feng 03b3c3cda4 Merge pull request #680 from arlaneenalra/feature/fix-676
Force principalId to be a string in Role.getRoles Fix #676
2014-10-23 08:55:17 -07:00
Miroslav Bajtoš b57cd3e409 User: fix `confirm` permissions
Enable authentication for all User unit-tests to check that the ACLs are
correctly configured.

Fix the rule for `confirm` - the correct permission is `ALLOW`, not
`ACL.ALLOW`.
2014-10-23 13:19:43 +02:00
Chris S f678107859 Adjust id handling to deal with 0 and null 2014-10-22 11:36:54 -05:00
Chris S cff0e15936 Force principalId to be a string.
Added a defensive check for undefined to avoid problems
when converting to a string.
2014-10-22 10:05:29 -05:00
Rand McKinney 2384c9d841 Fix JSdoc for registerResolver 2014-10-20 14:45:40 -07:00
Miroslav Bajtoš 20026a9d04 Fix places using undefined variables
Also enable jshint option "undefined" in order to catch these kind
of errors in the future.
2014-10-15 16:44:00 +02:00
crandmck 2f4a54d93c Clean up jsdoc comments
Add class properties, expose some methods that should have
been documented, etc.
2014-10-15 09:42:24 +02:00
Miroslav Bajtoš 0906a6f5b3 models: move Change LDL def into a json file 2014-10-14 09:04:43 +02:00
Miroslav Bajtoš 6cbc231fba models: move Checkpoint LDL def into a json file 2014-10-14 09:04:43 +02:00
Miroslav Bajtoš 461ae92c1c models: move Role LDL def into a json file 2014-10-14 09:04:43 +02:00
Miroslav Bajtoš e9c86163aa models: move RoleMapping def into its own files 2014-10-14 09:04:43 +02:00
Miroslav Bajtoš 7c01d59d80 models: move ACL LDL def into a json file 2014-10-14 09:04:43 +02:00
Miroslav Bajtoš ef890d5f26 models: move Scope def into its own files 2014-10-14 08:58:17 +02:00
Miroslav Bajtoš 5f20652241 models: move AccessToken LDL def into a json file 2014-10-14 08:58:17 +02:00
Miroslav Bajtoš 1e6beabbd2 models: move Application LDL def into a json file
Move some of the comments describing properties into jsdoc.
2014-10-14 08:58:17 +02:00
Miroslav Bajtoš 551d109a20 models: move Email LDL def into `email.json` 2014-10-14 08:58:17 +02:00
Miroslav Bajtoš 920d3be6a3 models: move User LDL def into `user.json` 2014-10-14 08:58:17 +02:00
Miroslav Bajtoš df9fe90d35 Auto-load and register built-in `Checkpoint` model 2014-10-14 08:58:16 +02:00
Raymond Feng 242b44ed2b Skip static ACL entries that don't match the property 2014-10-13 16:45:36 -07:00
Miroslav Bajtoš 1fe0110849 Dismantle `lib/models`.
- Move core models `Model` and `PersistedModel` to `lib/`.
 - Move `AccessContext` class to `lib/`, since it is not a model.
 - Move all other built-in models to `common/models`.

This is a preparation for extracting model definitions to JSON files.
By splitting the change into multiple commits, git is able to keep track
of file moves (renames).
2014-10-13 12:09:27 +02:00