Commit Graph

2107 Commits

Author SHA1 Message Date
Aaron Buchanan fbf818b2dc
Fix user-literal rewrite for anonymous requests
Currently any `currentUserLiteral` routes when accessed with a bad
token throw a 500 due to a SQL error that is raised because
`Model.findById` is invoked with `id={currentUserLiteral}`
(`id=me` in our case) when the url rewrite fails.

This commit changes the token middleware to return 401 Not Authorized
when the client is requesting a currentUserLiteral route without
a valid access token.
2017-04-04 16:30:08 +02:00
Miroslav Bajtoš 0499d09d6b
3.6.0
* Add new event "remoteMethodAdded" (Flavien DAVID)
 * Forward options in prepareForTokenInvalidation (Miroslav Bajtoš)
 * Check max password length in User.changePassword (Miroslav Bajtoš)
 * Add User.changePassword(id, old, new, cb) (Miroslav Bajtoš)
 * Propagate authorized roles in remoting context (ebarault)
 * Run the latest Node.js 7 version on Travis again (Miroslav Bajtoš)
 * Lock down Travis CI Node 7 version to 7.7.1 (Miroslav Bajtoš)
 * README: add a link to our announcements list (Miroslav Bajtoš)
 * Allow custom properties of Change Model (agriwebb build)
 * Fix User.verify to convert uid to string (phairow)
 * Pass options.verificationToken to templateFn (Hiran del Castillo)
 * fix custom token model in token middleware (ebarault)
 * Update runtime dependencies (Miroslav Bajtoš)
 * Verify User and AccessToken relations at startup (Miroslav Bajtoš)
 * Deep-clone model settings in lib/builtin-models (Miroslav Bajtoš)
 * Use local registry in test/replication.rest.test (Miroslav Bajtoš)
 * Fix test/access-token.test to use local registry (Miroslav Bajtoš)
 * Fix context passing in OWNER role resolver (Benjamin Schuster-Boeckler)
2017-03-31 16:09:09 +02:00
Miroslav Bajtoš 75fdd3cf32 Merge pull request #3322 from DAVIDFlavien/fix/nestRemotingRoutes
Add new event "remoteMethodAdded"
2017-03-31 16:02:32 +02:00
Flavien DAVID 981bd309fc
Add new event "remoteMethodAdded"
Emit a new method "remoteMethodAdded" whenever a new method is added,
typically when `Model.remoteMethod` or `Model.nestRemoting` is called.

The method is emitted both by the Model affected and the application
object.
2017-03-31 15:32:19 +02:00
Miroslav Bajtoš 53182affef Merge pull request #3316 from strongloop/fix/options-in-token-invalidations-master
Forward options in prepareForTokenInvalidation
2017-03-28 16:17:39 +02:00
Miroslav Bajtoš 94f267884f
Forward options in prepareForTokenInvalidation 2017-03-28 15:59:20 +02:00
Miroslav Bajtoš f736da64f4 Merge pull request #3312 from strongloop/fix/change-password-validation
Check max password length in User.changePassword
2017-03-28 15:59:07 +02:00
Miroslav Bajtoš b550cdcf43
Check max password length in User.changePassword 2017-03-28 15:46:01 +02:00
Miroslav Bajtoš 048110ee01 Merge pull request #3299 from strongloop/feature/change-password-api
Add User.changePassword(id, old, new, cb)
2017-03-24 12:05:41 +01:00
Miroslav Bajtoš 27ed712528
Add User.changePassword(id, old, new, cb)
Implement a new method for changing user passwords the secure way.
The method requires the old password to be provided before a new
password can be used.

REST API:

    POST /api/users/change-password
    Authorization: your-token-id
    Content-Type: application/json

    {"oldPassword":"old-pass", "newPassword": "new-pass"}

JavaScript API:

    User.changePassword(userId, oldPassword, newPassword[, cb])

There is also an instance-level (prototype) method that can be used
from JavaScript:

    userInstance.changePassword(oldPassword, newPassword[, cb])
2017-03-24 11:01:04 +01:00
Miroslav Bajtoš cb7e2114ec Merge pull request #2957 from ebarault/propagate-resolved-roles-in-context
propagate resolved roles in remoting context
2017-03-20 13:34:12 +01:00
ebarault 8aa98a80ef Propagate authorized roles in remoting context
Adds an authorizedRoles object to remotingContext.args.options
which contains all the roles (static and dynamic) that are
granted to the user when performing a request through
strong-remoting to an app with authentication enabled.

The authorizedRoles object for example looks like:
{
  $everyone: true,
  $authenticated: true,
  myRole: true
}

NOTE: this pr also covers a number of jsdoc fixes as well
as refactoring in ACL.js and access-context.js
2017-03-20 12:29:33 +01:00
Miroslav Bajtoš 960e118c4e Merge pull request #3285 from strongloop/fix/travis-config
Run the latest Node.js 7 version on Travis again
2017-03-15 16:58:25 +01:00
Miroslav Bajtoš 89c9f5bb04
Run the latest Node.js 7 version on Travis again 2017-03-15 10:22:12 +01:00
Miroslav Bajtoš 5da8075fc9 Merge pull request #3261 from strongloop/add/ann-list
README: add a link to our announcements list
2017-03-13 09:27:38 +01:00
Miroslav Bajtoš 3a93167685 Merge pull request #3262 from strongloop/fix/ci-on-node-7.7.2
Fix CI on Node 7.7.2
2017-03-09 13:32:42 +01:00
Miroslav Bajtoš 6467658fdc
Lock down Travis CI Node 7 version to 7.7.1 2017-03-09 13:17:43 +01:00
Miroslav Bajtoš 0448184a6c Merge pull request #2959 from kobaska/add-multi-tenancy
Support multi-tenancy in change replication - allow apps to extend Change model with extra properties
2017-03-09 12:08:16 +01:00
Miroslav Bajtoš 55adb6c50e
README: add a link to our announcements list 2017-03-09 09:23:11 +01:00
agriwebb build 3f4b5ece71
Allow custom properties of Change Model
Allow custom properties to be added to Change Model,
and make change filter customizable through mixins
to allow to add the custom property to the filter
used to look up relevant changes during change replication.
2017-03-09 08:58:42 +01:00
Miroslav Bajtoš 011dc1f6b8 Merge pull request #3253 from phairow/patch-1
Fix User.verify to convert ObjectID uid to string
2017-03-08 16:26:36 +01:00
phairow 0969493ab7
Fix User.verify to convert uid to string
Applications using MongoDB connectors typically have `user.id`
property of type ObjectID.

This commit fixes the code building the verification URL to
correctly convert the user id value into string.
2017-03-08 16:03:53 +01:00
Miroslav Bajtoš 48bf16bd5a Merge pull request #3245 from strongloop/fix/token-middleware-custom-model
fix custom token model in token middleware
2017-03-06 18:10:41 +01:00
Miroslav Bajtoš b5a8564956 Merge pull request #3249 from islamixo/feature-verificationToken
Pass options.verificationToken to templateFn
2017-03-06 18:05:44 +01:00
Hiran del Castillo a22b1e13f1
Pass options.verificationToken to templateFn
Enhance User.prototype.verify to pass the generated token
to the templating function in addition to other existing properties.

This allows application to build multiple URLs in the email template,
for example in order to provide a different URL for desktop and
mobile browsers.
2017-03-06 17:08:35 +01:00
ebarault cf98d379c4 fix custom token model in token middleware
Fixing server/middleware/token.js to handle correctly the
setup of a custom AccessToken model by name in either
middleware.json or using any of :
	app.use(loopback.token({...}));
	app.middlewareFromConfig(loopback.token, {...})
	app.middleware('auth', loopback.token({...})
2017-03-06 16:10:25 +01:00
Miroslav Bajtoš 01ce9b5f5a Merge pull request #3247 from strongloop/update-deps
Update runtime dependencies
2017-03-06 11:19:21 +01:00
Miroslav Bajtoš 5ebc9b6a2e Merge pull request #3230 from strongloop/fix/context-passing-for-isOwner
Fix context passing in OWNER role resolver
2017-03-03 16:19:52 +01:00
Miroslav Bajtoš 8510982bea
Update runtime dependencies
- isemail@2
 - loopback-phase@3

Skip update of nodemailer because it changed the license to GPL-like one
2017-03-03 15:53:49 +01:00
Miroslav Bajtoš ed4f56c7f8 Merge pull request #3231 from strongloop/warn-on-misconfigured-accessToken-user
Warn on misconfigured access token user
2017-03-03 10:57:20 +01:00
Miroslav Bajtoš 79f441b9c4
Verify User and AccessToken relations at startup
Modify `app.enableAuth()` to verify that (custom) User and AccessToken
models have correctly configured their hasMany/belongsTo relations
and print a warning otherwise.
2017-03-03 10:18:58 +01:00
Miroslav Bajtoš f0c9700e1d
Deep-clone model settings in lib/builtin-models
Fix the code loading builtin models to always clone the JSON object
used as model settings/definition. This is needed to allow applications
to modify model settings while not affecting settings of new models
created in the local registry of another app.
2017-02-24 15:13:06 +01:00
Miroslav Bajtoš c45954cdaa
Use local registry in test/replication.rest.test 2017-02-24 15:13:06 +01:00
Miroslav Bajtoš abf8246382
Fix test/access-token.test to use local registry 2017-02-24 14:17:12 +01:00
Benjamin Schuster-Boeckler 4570626e9d
Fix context passing in OWNER role resolver 2017-02-24 12:28:30 +01:00
Miroslav Bajtoš 2570dda984
3.4.0
* Fix access-token invalidation for missing relation (Miroslav Bajtoš)
 * Configure Travis CI to cache phantomjs binaries (Miroslav Bajtoš)
 * Optimise replication (kobaska)
 * Improve "filter" arg description (Raymond Camden)
2017-02-24 09:36:42 +01:00
Miroslav Bajtoš ec9274c5aa Merge pull request #3227 from strongloop/fix/invalidate-tokens
Fix access-token invalidation for missing relation
2017-02-24 09:20:17 +01:00
Miroslav Bajtoš 2cac589860
Fix access-token invalidation for missing relation
Fix the code invalidating access tokens on user email/password changes
to correctly handle the case when the relation
"AccessToken belongs to (subclassed) user" is not configured.
2017-02-23 12:56:13 +01:00
Miroslav Bajtoš 4796b7daf9 Merge pull request #3221 from strongloop/ci/cache-phantomjs-on-travis
Configure Travis CI to cache phantomjs binaries
2017-02-22 15:36:26 +01:00
Miroslav Bajtoš 37b49194f2 Merge pull request #2961 from kobaska/optimise-replication
Optimize replication by sending multiple smaller requests to the server
2017-02-22 15:33:30 +01:00
Miroslav Bajtoš f871358688
Configure Travis CI to cache phantomjs binaries
This should speed up our CI builds and also save a lot of bandwidth
for people providing phantomjs-prebuilt module.

See also
https://www.npmjs.com/package/phantomjs-prebuilt#continuous-integration
2017-02-22 15:19:55 +01:00
kobaska 7078c5d0e5
Optimise replication
Add a new model-level setting "replicationChunkSize" which allows
users to configure change replication algorithm to issue several
smaller requests to fetch changes and upload updates.
2017-02-22 15:12:54 +01:00
Miroslav Bajtoš 92317e811a Merge pull request #3218 from strongloop/fix/filter-desc
Improve "filter" arg description
2017-02-21 15:00:28 +01:00
Raymond Camden 440b9a52a6
Improve "filter" arg description
Add an example showing how to serialize object values as JSON.
2017-02-21 14:00:09 +01:00
Miroslav Bajtoš c69e010670 3.3.0
* Fix Role.isOwner() for multiple user models (ebarault)
 * Update ISSUE_TEMPLATE.md (Simon Ho)
 * Upgrade supertest to 3.x (Miroslav Bajtoš)
 * Fix creation of verification links (Miroslav Bajtoš)
 * Enable multiple user models (Eric)
 * Babelify juggler for Karma tests (Miroslav Bajtoš)
 * Fix Karma config to babelify node_modules too (Miroslav Bajtoš)
 * Add promise support to built-in model RoleMapping (ebarault)
 * Add promise support to built-in model ACL (ebarault)
 * Add nyc coverage, report data to coveralls.io (Miroslav Bajtoš)
 * Upgrade eslint config, fix linter errors (Miroslav Bajtoš)
 * Add missing type to Role properties definition (David Hernandez)
 * Preserve sessions on User.save() making no changes (Miroslav Bajtoš)
 * Fix logout to handle no or missing accessToken (Ritchie Martori)
 * Promise-ify built-in Role model (Miroslav Bajtoš)
 * Remove .jscsrc that's no longer used (Miroslav Bajtoš)
 * Enable ES6/ES2015 goodness (Miroslav Bajtoš)
 * Remove test/support.js from karma config (Miroslav Bajtoš)
 * Use English when running Mocha tests (Miroslav Bajtoš)
 * Update ISSUE_TEMPLATE (Simon Ho)
 * Updating README - add cli and remove arc (Joe Sepi)
 * Fix User methods to use correct Primary Key (Aris Kemper)
 * Fix User.resetPassword to call createAccessToken() (João Ribeiro)
 * Role model: resolves related models by name (Benjamin Kroeger)
2017-02-17 15:14:55 +01:00
Miroslav Bajtoš c8271491af Merge pull request #3180 from ebarault/enable-multiple-user-models
Fix Role.isOwner() for multiple user models
2017-02-17 12:49:29 +01:00
ebarault f0e70dd8a9 Fix Role.isOwner() for multiple user models
Fix `Role.isOwner()` to check both principalId and principalType.
This fixes a bug where users from different User model were treated
as owners as long as their user id was the same as owner's id.
2017-02-17 11:19:07 +01:00
Simon Ho 0dbfe8970f Update ISSUE_TEMPLATE.md 2017-02-14 10:17:43 -08:00
Miroslav Bajtoš 88c38e7ff8 Merge pull request #3196 from strongloop/upgrade-supertest
Upgrade supertest to 3.x
2017-02-09 16:37:30 +01:00
Miroslav Bajtoš a80f844e88 Upgrade supertest to 3.x
Also fix tests relying on internal supertest API to keep working with
then new supertest internals after the upgrade.
2017-02-09 16:17:10 +01:00