Commit Graph

207 Commits

Author SHA1 Message Date
ebarault 8aa98a80ef Propagate authorized roles in remoting context
Adds an authorizedRoles object to remotingContext.args.options
which contains all the roles (static and dynamic) that are
granted to the user when performing a request through
strong-remoting to an app with authentication enabled.

The authorizedRoles object for example looks like:
{
  $everyone: true,
  $authenticated: true,
  myRole: true
}

NOTE: this pr also covers a number of jsdoc fixes as well
as refactoring in ACL.js and access-context.js
2017-03-20 12:29:33 +01:00
agriwebb build 3f4b5ece71
Allow custom properties of Change Model
Allow custom properties to be added to Change Model,
and make change filter customizable through mixins
to allow to add the custom property to the filter
used to look up relevant changes during change replication.
2017-03-09 08:58:42 +01:00
phairow 0969493ab7
Fix User.verify to convert uid to string
Applications using MongoDB connectors typically have `user.id`
property of type ObjectID.

This commit fixes the code building the verification URL to
correctly convert the user id value into string.
2017-03-08 16:03:53 +01:00
Hiran del Castillo a22b1e13f1
Pass options.verificationToken to templateFn
Enhance User.prototype.verify to pass the generated token
to the templating function in addition to other existing properties.

This allows application to build multiple URLs in the email template,
for example in order to provide a different URL for desktop and
mobile browsers.
2017-03-06 17:08:35 +01:00
Miroslav Bajtoš 01ce9b5f5a Merge pull request #3247 from strongloop/update-deps
Update runtime dependencies
2017-03-06 11:19:21 +01:00
Miroslav Bajtoš 8510982bea
Update runtime dependencies
- isemail@2
 - loopback-phase@3

Skip update of nodemailer because it changed the license to GPL-like one
2017-03-03 15:53:49 +01:00
Benjamin Schuster-Boeckler 4570626e9d
Fix context passing in OWNER role resolver 2017-02-24 12:28:30 +01:00
Miroslav Bajtoš 2cac589860
Fix access-token invalidation for missing relation
Fix the code invalidating access tokens on user email/password changes
to correctly handle the case when the relation
"AccessToken belongs to (subclassed) user" is not configured.
2017-02-23 12:56:13 +01:00
ebarault f0e70dd8a9 Fix Role.isOwner() for multiple user models
Fix `Role.isOwner()` to check both principalId and principalType.
This fixes a bug where users from different User model were treated
as owners as long as their user id was the same as owner's id.
2017-02-17 11:19:07 +01:00
Miroslav Bajtoš ea05a2c4dc Fix creation of verification links
Fix User.prototype.verify to call `querystring.stringify` instead
of concatenating query-string components directly.

In particular, this fixes the bug where `options.redirect` containing
a hash fragment like `#/home?arg1=value1&arg2=value2` produced incorrect
URL, because the `redirect` value was not correctly encoded.
2017-02-06 12:39:21 +01:00
Eric 9fe084fffd Enable multiple user models
Allow LoopBack applications to configure multiple User models and share
the same AccessToken model.

To enable this feature:

1) In your custom AccessToken model:

 - add a new property "principalType" of type "string".
 - configure the relation "belongsTo user" as polymorphic,
   using "principalType" as the discriminator

2) In your User models:

 - Configure the "hasMany accessTokens" relation as polymorphic,
   using "principalType" as the discriminator

When creating custom Role and Principal instances, set your
User model's name as the value of "prinicipalType".
2017-02-02 09:42:30 +01:00
ebarault ceceb44e78 Add promise support to built-in model RoleMapping 2017-02-01 09:51:43 +01:00
Miroslav Bajtoš c099d8c731 Merge pull request #3163 from ebarault/feature/promisify-acl
Add promise support to built-in model ACL
2017-01-31 14:54:26 +01:00
Miroslav Bajtoš dcb2f159ec Merge pull request #3160 from strongloop/fix/token-invalidation-on-save
Preserve sessions on User.save() making no changes
2017-01-31 14:38:48 +01:00
ebarault a63fad402e Add promise support to built-in model ACL 2017-01-31 14:09:43 +01:00
Miroslav Bajtoš 3b17a0cf5c Upgrade eslint config, fix linter errors 2017-01-31 13:44:32 +01:00
David Hernandez c072d0695d Add missing type to Role properties definition
Fix "created" and "modified" to be defined with type "date".
2017-01-30 11:37:33 +01:00
Miroslav Bajtoš 5fd79b14f4 Merge pull request #3146 from strongloop/feature/promisify-role
Promise-ify built-in Role model
2017-01-30 11:32:28 +01:00
Miroslav Bajtoš 8f80aecc1f Preserve sessions on User.save() making no changes 2017-01-30 11:30:05 +01:00
Ritchie Martori d45c1ae7bb Fix logout to handle no or missing accessToken
Return 401 when the request does not provide any accessToken argument
or the token was not found.

Also simplify the implementation of the `logout` method to make only
a single database call (`deleteById`) instead of `findById` + `delete`.
2017-01-30 08:56:18 +01:00
Miroslav Bajtoš 0fd8f8af72 Promise-ify built-in Role model 2017-01-27 17:16:59 +01:00
Miroslav Bajtoš dfa1f6035b Merge pull request #3107 from benkroeger/master
Role model: resolve related models by name
2017-01-25 10:48:15 +01:00
Aris Kemper efd8237dc6 Fix User methods to use correct Primary Key
Do not use hard-coded "id" property name, call `idName()` to get the
name of the PK property.
2017-01-20 16:24:59 +01:00
João Ribeiro e63fea83f7 Fix User.resetPassword to call createAccessToken()
This allows User subclasses to override the algorithm used for building
one-time access tokens for password recovery.
2017-01-19 16:27:22 +01:00
Benjamin Kroeger a6d511d8b4 Role model: resolves related models by name
Resolve models related to the `Role` model by name instead of class.
2017-01-16 15:48:24 +01:00
Miroslav Bajtoš e17cc3d23a Preserve current session when invalidating tokens
Fix User model to preserve the current session (provided via
"options.accessToken") when invalidating access tokens after a change
of email or password property.
2017-01-16 10:08:30 +01:00
Miroslav Bajtoš 70eecfab70 Upgrade eslint-config to 7.x 2017-01-06 12:12:35 +01:00
Bram Borggreve cddfb9c77d
Allow password reset request for users in realms 2017-01-05 09:47:18 -05:00
Miroslav Bajtoš 298635dad1 Merge pull request #2992 from DA-14/feature/resetPasswordRequest
Emit resetPasswordRequest event with options
2017-01-05 15:33:22 +01:00
박대선 697614dd45 Applied as reviewed by @flowersinthesand 2016-12-23 14:47:08 +09:00
박대선 d9ae32429b Fix false emailVerified on user model update
Yesterday, the loopback we are using in our system was upgraded
via npm, and since the upgrade, we noticed that every time
the user model updates, the emailVerified column would change to false.

I took a look and realized there might be an error in
https://github.com/strongloop/loopback/commit/eb640d8

The intent of the commit just mention is to make emailVerified false
when the email gets changed, but notice that ctx.data.email is null
on updates, so the condition is always met and emailVerified always
becomes false.

This commit fixes the issue just mentioned.
2016-12-23 14:04:44 +09:00
Miroslav Bajtoš 29a17f39d5 Invalidate AccessTokens on password change
Invalidate all existing sessions (delete all access tokens)
after user's password was changed.
2016-12-12 13:30:53 +01:00
Sergey Reus fa8bca8d6e Emit resetPasswordRequest event with options 2016-12-09 18:14:32 +02:00
Miroslav Bajtoš f476613ab1 Fix registration of operation hooks in User model
Follow-up for 4edce47 which moved only two out of three hooks.
2016-12-09 14:29:30 +01:00
Miroslav Bajtoš 4edce47b24 Fix registration of operation hooks in User model
Operation hooks are inherited by subclassed models, therefore they must
be registered outside of `Model.setup()` function.

This commit fixes this problem in the built-in User model.

There are not tests verifying this change, as writing a test would be
too cumbersome and not worth the cost IMO.
2016-12-09 13:16:42 +01:00
Miroslav Bajtoš 63beaa21fe Merge pull request #3004 from strongloop/fix/email-template-in-transport
Remove "options.template" from Email payload
2016-12-07 10:53:04 +01:00
Miroslav Bajtoš 5016703f21 Remove "options.template" from Email payload
Fix User.confirm to exclude "options.template" when sending the
confirmation email. Certain nodemailer transport plugins are rejecting
such requests.
2016-12-06 16:18:19 +01:00
Miroslav Bajtoš acdfb432d0 Upgrade eslint config and grunt-eslint to latest
- disable ES6 because PhantomJS does not support it yet
 - fix linter errors reported after the upgrade.
2016-12-06 16:05:13 +01:00
Eric b0d6c4a7d2 Add "returnOnlyRoleNames" option to Role.getRoles
Currently the return type of Role.getRoles() method is inconsistent:
role names are returned for smart roles and role ids are returned for
static roles (configured through user-role mapping).

This commit adds a new option to Role.getRoles() allowing the caller
to request role names to be returned for all types of roles.
2016-11-30 16:46:59 +01:00
Loay f72a29671f Remove workaround for default value 2016-11-22 20:58:27 -05:00
Loay 06cb481c3f Update eslint to loopback config v5
Notable side-effects:
 - loopback no longer exports "caller" and "arguments" properties
 - kv-memory connector is now properly added to the connector registry
 - the file "test/support.js" was finally removed
2016-11-22 14:08:02 +01:00
codyolsen 3f5e49c3d6 Fix context within listByPrincipalType role method
- Fix for current implimentation that returned all models that had any
  assigned roles. Context was not carried into listByPrincipalType,
  setting roleId as null.
2016-11-15 14:51:05 +01:00
Adrien Kiren 85da50cbc8 Add templateFn option to User#verify() 2016-11-14 16:22:10 +01:00
Loay eb640d8da0 Require verification after email change
When the User model is configured to require email verification,
then any change of the email address should trigger re-verification.
2016-11-09 13:06:25 +01:00
Candy 8f08398c30 Update doc links 2016-11-04 16:47:12 -04:00
Dhaval Trivedi 4922f425fc adding check of string for case insensitive emails 2016-11-01 18:13:56 -04:00
Simon Ho dcc58a9d50 Need index on principalId for performance. (#2883) 2016-10-21 16:13:16 -07:00
Miroslav Bajtoš 6808159427 Allow tokens with eternal TTL (value -1)
- Add a new User setting 'allowEternalTokens'
 - Enhance 'AccessToken.validate' to support eternal tokens with ttl
   value -1 when the user model allows it.
2016-10-10 13:27:22 +02:00
Loay 5f5e874564 Validate non-email property partial update 2016-10-03 15:45:52 -04:00
Candy 640f3a8ca7 Update globalization structure 2016-09-22 11:58:00 +02:00