Commit Graph

658 Commits

Author SHA1 Message Date
Kevin Scroggins b2bc449e24 Add check for undefined user email in setter 2018-05-23 20:00:45 -04:00
Miroslav Bajtoš 2aead13f11
Fix isOwner() bug in multiple-principal setup
Fix the owner role resolver to correctly handle the case when a user
from one model (e.g. Seller) is accessing an instance of another
user-like model (e.g. Customer).
2018-05-18 15:36:59 +02:00
Miroslav Bajtoš 0cd380c590
feat: remove all references to a Model
Add API allowing applications to hide a Model from the
REST API and remove all references to it, allowing Garbage Collector
to claim all memory used by the model.
2018-04-17 09:42:08 +02:00
Miroslav Bajtoš 743b2d1495
Remove forgotten debugger statement 2018-03-22 09:21:44 +01:00
Miroslav Bajtoš f4527c9c91
Fix role check in apps with multiple user models 2018-03-20 14:15:44 +01:00
Miroslav Bajtoš 66497ead70
Merge pull request #3787 from strongloop/fix/dangling-promise-in-test
test: add missing "return" in a promise-style test
2018-02-09 08:20:10 +01:00
Kevin Delisle 386615a1df model: fix infinite loop on nestRemoting
Prevent endless recursion on nestRemoting calls for
two-way model links.
2018-02-08 11:26:02 -05:00
Miroslav Bajtoš 3723f107db
test: add missing "return" in a promise-style test
Before this change, when the test failed, the rejected promise
was not reported back to mocha and triggered "unhandled promise
rejection" warning only.
2018-02-02 14:25:52 +01:00
Raymond Feng d23ff84587
Merge pull request #3784 from zbarbuto/fix/user-status-code
Use statusCode prop for user errors
2018-01-31 15:16:27 -08:00
Zak Barbuto 50e2b49efe Use statusCode prop for user errors 2018-02-01 09:40:13 +10:30
Kevin Scroggins ab791fc258
fix: preserve datasource name
Modify the code creating juggler DataSource objects to correctly
forward the datasource name provided by the user.
2018-01-19 15:58:33 +01:00
Justin Ross 60750b4508
Update Copyright Years
Update copyright years to include 2018
2018-01-16 13:55:02 +01:00
Edward Choh 00169d2312
Support options.filter in createChangeStream
Implement "options.filter" argument in Persisted.createChangeStream()
by leveraging loopback-filter module.
2017-12-14 13:08:28 +01:00
Miroslav Bajtoš 7c030c6900
Merge pull request #3728 from strongloop/update-eslint-config
Update eslint and eslint-config to latest
2017-12-14 13:07:14 +01:00
bmatson 317e00d92c
Update nestRemoting to pass optionsFromContext
Fix the code invoking relation getter to correctly pass through
the "options" argument.
2017-12-12 17:24:35 +01:00
Miroslav Bajtoš 73cc950b1b
Update eslint and eslint-config to latest 2017-12-12 09:33:15 +01:00
Samuel Reed 3af6a1bbaa
fix(test): rem exclusive test
Ref: #3720
2017-12-08 11:14:15 -06:00
Samuel Reed 2bfd67ccaa
fix(test): working test with 0 userId 2017-12-07 10:10:35 -06:00
Samuel Reed b362776e73
fix(AccessContext): Tighten userid/appid checks
An application may have a use for a falsy ID.
2017-12-05 10:03:52 -06:00
CSLTech 1a2d8a4571 Added missing DateString type in loopback index 2017-11-21 11:56:36 -05:00
Miroslav Bajtoš 825d5a6373
Merge tag 'v3.16.1'
Bring in changes from #3674 that were accidentally not landed on master:

 * Fix createOnlyInstance for related methods (Raymond Feng)

Close #3674
2017-10-30 09:00:16 +01:00
Raymond Feng 6570b94843 Fix createOnlyInstance for related methods
For scoped or related create method, the createOnlyInstance flag should
be calculated on the target model. For example, User.createAccessTokens
should set the flag only if AccessToken has updateonly properties.
2017-10-27 18:51:56 -07:00
Miroslav Bajtoš 3996f56ab9
Fix "POST /change-password" for multi-user setup
Fix the code extracting current user id from the access token provided
in the HTTP request, to allow only access tokens created by the target
user models to execute the action.

This fixes the following security vulnerability:

* We have two user models, e.g. Admin and Customer

* We have an Admin instance and a Customer instance with the same
  id and the same password.

* The Customer can change Admin's password using their
  regular access token.
2017-10-27 09:47:07 +02:00
Miroslav Bajtoš 0a2a45512c
Fix "POST /reset-password" for multi-user setup
Fix the code extracting current user id from the access token provided
in the HTTP request, to allow only access tokens created by the target
user models to execute the action.

This fixes the following security vulnerability:

* A UserA with id 1 (for example), requires a resetToken1

* A UserB with the same id requires a resetToken2.

* Using resetToken2, use the UserAs/reset-password endpoint and change
  the password of UserA and/or vice-versa.
2017-10-19 13:29:08 +02:00
Miroslav Bajtoš 4ebc517a78
test: extract helpers for logging HTTP errors
Extract two helpers into a shared file:

 - logAllServerErrors(app)
 - logServerErrorsOtherThan(statusCode, app)
2017-10-19 13:08:54 +02:00
Miroslav Bajtoš d0a4941668
Fix handling of user verification options
- Fix `User.prototype.verify` to not modify properties of the supplied
   `verifyOptions` argument. This is needed to allow callers to supply
   the same options object to multiple calls of `verify`.

 - Fix `User.getVerifyOptions` to always return a new copy of the
   options object. This is needed to allow callers to modify the
   returned options object without affecting the result returned
   by subsequent calls of `getVerifyOptions`.
2017-10-09 13:42:22 +02:00
Miroslav Bajtoš 33989d776c
test: fix too strict test assertion
Rework the test verifying properties of `loopback` to ignore
new express properties added after the test was written.
2017-10-04 10:31:50 +02:00
Raymond Feng c0a0f09f3a Allow declarative nestRemoting for relations
Now relation.options.nestRemoting can be set to true so that
nestRemoting will be set up automatically without explicitly
calling MyModel.nestRemoting
2017-09-27 09:22:06 -07:00
pierreclr e17132d061
Fix OWNER role to handle multiple relations
Fix the code resolving OWNER role to correctly handle the situation
where the target model has multiple "belongsTo" relations to the User
model.

Introduce a new model setting "ownerRelations" that enables the new
behavior. When "ownerRelations" is set to true, then all "belongsTo"
relations are considered as granting ownership. Alternatively,
"ownerRelations" can be set to an array of the relations which
are granting ownership.

For example, a document can "belongTo" an author and a reviewer,
but only the author is an owner, the reviewer is not. In this case,
"ownerRelations" should be set to "['author']".
2017-09-27 17:11:36 +02:00
Farid Neshat d2d8fabb16 Fix acl.resolvePermission for wildcard req
When acl.resolvePermission was called with a request containing a
wildcard, it would return the matching acl with lowest score instead of
higher.

Fixes #2153
2017-09-27 02:48:34 +02:00
Zak Barbuto d405432b2d Fix relation race condition in model glob
Globs working depended on the order that models were imported.
Remote sharing is now re-calculated whenever a new model is remoted.
2017-09-01 09:18:39 +09:30
Rashmi Hunt 3651c09782 Support createOnlyInstance in model (#3548)
* setting up createOnlyInstance

* add comment

* fix eslint issue

* new tests

* Address code review comments
2017-08-22 17:10:55 -07:00
loay bf4b5de648 Catch errors on invalidate update 2017-08-17 10:46:09 -04:00
Miroslav Bajtoš 2ebe38b4d5 Merge pull request #3540 from lehni/fix/isStatic-method-settings
Do not add isStatic properties to method settings
2017-08-16 15:55:11 +02:00
Samuel Reed 44dd048036
fix(validatePassword): reword error message
Reword the error message returned when the password is too long
 - remove the plaintext password value, it looks very bad
 - include information about the maximum allowed length instead

Also add additional context to the error.
2017-08-16 14:57:57 +02:00
Jürg Lehni a736f782af Do not add isStatic properties to method settings
Closes #3529
2017-08-15 18:09:16 +02:00
Zak Barbuto 724a7d1928 Allow glob-style patterns for remote options 2017-08-14 12:23:26 +09:30
Sakib Hasan 2fd5701ede Revert "Validate on updateAll" 2017-08-03 13:46:01 -04:00
Jürg Lehni 5cd95e42f2
Add tests of HTTP normalization on app level
Also improve tests on model level to include nested routes

Add a test for HTTP normalization precedence too.
2017-08-03 12:32:54 +02:00
ssh24 5dd0d196ee Validate on updateAll 2017-08-02 11:52:56 -04:00
loay c761dc5279 Add unit test for empty password 2017-07-25 14:40:04 -04:00
Alexei Smirnov 8ed92a12e0
Remove observers from Model on end of the stream
- Remove flags and properly finish the stream.
 - Destroy emits an end event for compability with ending of
   ReadableStream now.
 - Check for default implementation of destroy() method,
   because in Node.js 8 all types of streams have a native one.
2017-07-12 10:28:27 +02:00
Daijiro Wachi 75b4a45968 Use `localhost` instead of `::` for local 2017-06-15 22:29:37 +02:00
Piero Maltese 4735efa41f
Support remoting adapters with no ctx.req object
Fix `Model.createOptionsFromRemotingContext()` to correctly handle
the case where `ctx.req` is not defined, e.g. when using
websocket-based adapters.
2017-05-22 13:21:44 +02:00
Raymond Feng 69df11bb8e Refactor access token to make it extensible
1. Make it possible to reuse getIdForRequest()
2. Introduce a flag to control if oAuth2 bearer token should be base64
encoded
3. Promote resolve() to locate/validate access tokens by id
2017-05-02 10:55:51 -07:00
ebarault b9fbf51b27 Remote method /user/:id/verify
This commit adds:
- user.prototype.verify(verifyOptions, options, cb)
- remote method /user/:id/verify
- User.getVerifyOptions()

The remote method can be used to replay the sending of a user
identity/email verification message.

`getVerifyOptions()` can be fully customized programmatically
or partially customized using user model's `.settings.verifyOptions`

`getVerifyOptions()` is called under the hood when calling the
/user/:id/verify remote method

`getVerifyOptions()` can also be used to ease the building
of identity verifyOptions:

```js
var verifyOptions = {
  type: 'email',
  from: 'noreply@example.com'
  template: 'verify.ejs',
  redirect: '/',
  generateVerificationToken: function (user, options, cb) {
    cb('random-token');
  }
};

user.verify(verifyOptions);
```

NOTE: the `User.login()` has been modified to return the userId when
failing due to unverified identity/email. This userId can then be used
to call the /user/:id/verify remote method.
2017-04-26 19:05:41 +02:00
Miroslav Bajtoš c5ca2e1c2e
Implement more secure password flow
Improve the flow for setting/changing/resetting User password to make
it more secure.

 1. Modify `User.resetPassword` to create a token scoped to allow
    invocation of a single remote method: `User.setPassword`.

 2. Scope the method `User.setPassword` so that regular tokens created
    by `User.login` are not allowed to execute it.

For backwards compatibility, this new mode (flow) is enabled only
when User model setting `restrictResetPasswordTokenScope` is set to
`true`.

 3. Changing the password via `User.prototype.patchAttributes`
    (and similar DAO methods) is no longer allowed. Applications
    must call `User.changePassword` and ask the user to provide
    the current (old) password.

For backwards compatibility, this new mode (flow) is enabled only
when User model setting `rejectPasswordChangesViaPatchOrReplace` is set
to `true`.
2017-04-20 10:22:21 +02:00
Miroslav Bajtoš e27419086c
Add User.setPassword(id, new, cb)
Implement a new method for changing user password with password-reset
token but without the old password.

REST API

    POST /api/users/reset-password
    Authorization: your-password-reset-token-id
    Content-Type: application/json

    {"newPassword": "new-pass"}

JavaScript API

    User.setPassword(userId, newPassword[, cb])
    userInstance.setPassword(newPassword[, cb])

Note: the new REST endpoint is not protected by scopes yet, therefore
any valid access token can invoke it (similarly to how any valid access
token can change the password via PATCH /api/users/:id).
2017-04-20 10:18:49 +02:00
Miroslav Bajtoš d95ec66a23
Fix method setup in authorization-scopes.test
Fix the code builing a scoped method to correctly handle the case
when the setup method is called twice and the previously defined
method has to be overriden with new remoting metadata.
2017-04-18 13:01:15 +02:00
Miroslav Bajtoš 9c63abef52
Add missing tests for reset password flow 2017-04-18 13:01:14 +02:00