Commit Graph

39 Commits

Author SHA1 Message Date
Aaron Buchanan 50e0e4808a
Fix user-literal rewrite for anonymous requests
Currently any `currentUserLiteral` routes when accessed with a bad
token throw a 500 due to a SQL error that is raised because
`Model.findById` is invoked with `id={currentUserLiteral}`
(`id=me` in our case) when the url rewrite fails.

This commit changes the token middleware to return 401 Not Authorized
when the client is requesting a currentUserLiteral route without
a valid access token.
2017-04-04 18:55:34 +02:00
Miroslav Bajtoš f1e31ca50c Add app setting logoutSessionsOnSensitiveChanges
Disable invalidation of access tokens by default to restore backwards
compatibility with older 2.x versions.

Add a new application-wide flag logoutSessionsOnSensitiveChanges
that can be used to explicitly turn on/off the token invalidation.

When the flag is not set, a verbose warning is printed to nudge the user
to make a decision how they want to handle token invalidation.
2017-01-20 12:57:23 +01:00
Miroslav Bajtoš b3497c6778 Allow tokens with eternal TTL (value -1)
- Add a new User setting 'allowEternalTokens'
 - Enhance 'AccessToken.validate' to support eternal tokens with ttl
   value -1 when the user model allows it.
2016-10-12 12:30:33 +02:00
Carl Fürstenberg ba2fe0ee05 Fix token middleware crash
Fix token middleware to check if `req.loopbackContext` is active.
The context is not active for example when express-session calls
setImmediate which breaks CLS.
2016-08-17 13:42:43 +02:00
Miroslav Bajtoš ca28e7ff9e Deprecate current-context API
Deprecate all current-context APIs in favour of loopback-context-cls.
2016-08-10 10:58:33 +02:00
Miroslav Bajtoš fea3b781a0 Update dependencies to their latest versions 2016-08-05 10:54:42 +02:00
Miroslav Bajtoš 895629632f test: use local registry in test fixtures
Use local registry in test fixtures to prevent collision in globally
shared models.

Fix issues discoverd in auth implementation where the global registry
was used instead of the correct local one.
2016-07-27 15:06:32 +02:00
Benjamin Kroeger 7e051a7549 add missing unit tests for #2108
Subsequent token middleware tries to read `token.id`
when `enableDoublecheck: true`.
That caused a "Cannot read property `id` of `null`" error
when the first middleware didn't actually find a valid accessToken.

[back-port of #2227]
2016-06-13 15:30:28 +02:00
Miroslav Bajtoš 75da4c7784 Deprecate getters for express 3.x middleware
In LoopBack 3.0, we are removing these getters, see #2394.
2016-05-31 18:58:10 +02:00
Simon Ho 25ade96d27 Backport separate error checking and done logic 2016-05-06 14:07:38 -07:00
Ryan Graham 4d6f2e7ab7
update/insert copyright notices 2016-05-03 17:10:46 -07:00
Benjamin Kröger e4b275243f Allow built-in token middleware to run repeatedly
Add two new options:

  - When `enableDoublecheck` is true, the middleware will run
    even if a previous middleware has already set `req.accessToken`
    (possibly to `null` for anonymous requests)

  - When `overwriteExistingToken` is true (and `enableDoublecheck` too),
    the middleware will overwrite `req.accessToken` set by a previous
    middleware instances.
2016-04-06 15:47:32 +02:00
Miroslav Bajtoš 986132d79f Add a unit-test for searchDefaultTokenKeys 2015-05-29 12:06:32 +02:00
Raymond Feng 12e19e36ea Upgrade test fixtures to use LB 2.x layout 2015-04-20 09:23:44 -07:00
Ritchie Martori b9170751bc Add support for app level Model isolation
- `loopback.registry` is now a true global registry
 - `app.registry` is unique per app object
 - `Model.registry` is set when a Model is created using any registry method
 - `loopback.localRegistry` and `loopback({localRegistry: true})` when set to `true` this will create a `Registry` per `Application`. It defaults to `false`.
2015-04-03 11:48:45 -07:00
Raymond Feng 6ad61d6c00 Enhance the token middleware to support current user literal 2015-03-12 08:28:15 -07:00
Ron Edgecomb a028d9d198 Add error code property to known error responses.
Enhance the error objects with a `code` property containing
a machine-readable string code describing the error, for example
INVALID_TOKEN or USER_NOT_FOUND.

Also improve 404 error messages to include the model name.
2015-01-21 19:04:47 +01:00
Ryan Graham fbb091e3b3 Extend AccessToken to parse Basic auth headers
Allow convenient URLs for curl and browsers such as:
 - http://some-long-token@localhost:3000/
 - http://token:some-long-token@localhost:3000/

Basic Auth specifies a 'Basic' scheme for the Authorization header
similar to how OAuth specifies 'Bearer' as an auth scheme.

Following a similar convention, extract the access token from the
Authorization header when it specifies the 'Basic' scheme, assuming
it is the larger of the <user>:<pass> segments.
2015-01-15 22:53:09 -08:00
Ryan Graham 83d8844b70 tests: fix Bearer token test 2015-01-15 22:53:09 -08:00
Rob Halff 36e1f6840c fix jscs errors 2014-11-21 03:35:36 +01:00
Rob Halff 918497c365 singlequote, semicolon & /*jshint -W030 */ 2014-11-21 02:46:21 +01:00
Miroslav Bajtoš a603ffa0f5 AccessToken: optional `options` in findForRequest
Fix `AccessToken.findForRequest` to correctly handle the case when
the options argument was omitted:

    AccessToken.findForRequest(req, cb);
2014-11-14 10:42:21 +01:00
Miroslav Bajtoš 038c6a454e middleware/token: store the token in current ctx 2014-11-11 11:04:41 +01:00
Miroslav Bajtoš b8e877c5e5 test: remove infinite timeout
The infinite timeout was useful when debugging, which is not a good
reason for keeping it around when not debugging.
2014-10-14 08:58:17 +02:00
Raymond Feng 79f504a3c7 Merge branch 'master' into 2.0 2014-07-16 09:09:07 -07:00
Raymond Feng 217c9fa348 Fix the typo and add Bearer token support
See https://github.com/strongloop/loopback/issues/333
2014-07-02 09:02:13 -07:00
Miroslav Bajtoš 56c7a6b3c5 Merge branch 'master' into 2.0
Conflicts:
	test/access-token.test.js
2014-06-16 10:20:22 +02:00
Karl Mikkelsen a90a5c7e58 Allow customization of ACL http status
emulate existing error on 404
new tests for model and app settings
Signed-off-by: Karl Mikkelsen <karl@karlmikko.com>
2014-06-14 11:31:15 +10:00
Miroslav Bajtoš ea5b9d16fc Rename DataModel to PersistedModel 2014-06-05 09:56:00 +02:00
Miroslav Bajtoš 18fd61a546 Merge branch 'master' into 2.0 2014-05-28 18:41:36 +02:00
Miroslav Bajtoš bfb154d445 Modify `loopback.rest` to include `loopback.token`
Make `loopback.rest` self-contained, so that authentication works
out of the box.

    var app = loopback();
    app.enableAuth();
    app.use(loopback.rest());

Note that cookie parsing middleware is not added, users have to
explicitly configure that if they want to store access tokens
in cookies.

Modify `loopback.token` to skip token lookup when the request already
contains `accessToken` property. This is in line with other
connect-based middleware like `cookieParser` or `json`.
2014-05-21 15:22:36 +02:00
Ritchie Martori ae2fb9dea0 !fixup use DataModel instead of Model for all data based models 2014-05-02 20:15:01 -07:00
Ritchie Martori dfcb43e613 Allow requests without auth tokens 2013-12-10 15:57:55 -08:00
Ritchie Martori 2f9403016c Initial auth implementation 2013-11-22 12:26:59 -08:00
Ritchie Martori da0545bed6 Initial auto wiring for model dataSources 2013-11-18 16:13:40 -08:00
Ritchie Martori 1de2a40e88 Update AccessToken and User relationship
- Add created default
 - Default TTLs for user login access tokens
 - Break out User / AccessToken relationship
2013-11-14 19:41:29 -08:00
Ritchie Martori 1bb95607b9 Update session / token documentation 2013-11-14 15:42:37 -08:00
Ritchie Martori 64d8ff986b Add loopback.token() middleware 2013-11-14 13:01:47 -08:00
Ritchie 77a137eca6 Rename Session => AccessToken 2013-11-14 10:05:13 -08:00