src/accesscontrol.js

'use strict';

exports = module.exports = {
    verifyToken
};

const assert = require('assert'),
    BoxError = require('./boxerror.js'),
    safe = require('safetydance'),
    tokens = require('./tokens.js'),
    users = require('./users.js');

async function verifyToken(accessToken) {
    assert.strictEqual(typeof accessToken, 'string');

    const token = await tokens.getByAccessToken(accessToken);
    if (!token) throw new BoxError(BoxError.INVALID_CREDENTIALS, 'No such token');

    const user = await users.get(token.identifier);
    if (!user) throw new BoxError(BoxError.INVALID_CREDENTIALS, 'User not found');
    if (!user.active) throw new BoxError(BoxError.INVALID_CREDENTIALS, 'User not active');

    await safe(tokens.update(token.id, { lastUsedTime: new Date() })); // ignore any error

    return user;
}
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`'use strict';`

			`exports = module.exports = {`
tokens: add lastUsedTime 2021-03-15 12:47:57 -07:00			`verifyToken`
Map group roles to scopes 2018-06-18 14:21:54 -07:00			`};`

tokens: async'ify 2021-06-04 09:28:40 -07:00			`const assert = require('assert'),`
Move ClientsError to BoxError 2019-10-22 21:16:00 -07:00			`BoxError = require('./boxerror.js'),`
tokens: async'ify 2021-06-04 09:28:40 -07:00			`safe = require('safetydance'),`
tokens: add lastUsedTime 2021-03-15 12:47:57 -07:00			`tokens = require('./tokens.js'),`
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`users = require('./users.js');`
tokens: add lastUsedTime 2021-03-15 12:47:57 -07:00
tokens: async'ify 2021-06-04 09:28:40 -07:00			`async function verifyToken(accessToken) {`
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00			`assert.strictEqual(typeof accessToken, 'string');`

tokens: async'ify 2021-06-04 09:28:40 -07:00			`const token = await tokens.getByAccessToken(accessToken);`
better error messages for 401 2021-06-05 21:26:43 -07:00			`if (!token) throw new BoxError(BoxError.INVALID_CREDENTIALS, 'No such token');`
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`const user = await users.get(token.identifier);`
			`if (!user) throw new BoxError(BoxError.INVALID_CREDENTIALS, 'User not found');`
better error messages for 401 2021-06-05 21:26:43 -07:00			`if (!user.active) throw new BoxError(BoxError.INVALID_CREDENTIALS, 'User not active');`
make scopesForUser async 2018-08-02 19:07:33 -07:00
tokens: async'ify 2021-06-04 09:28:40 -07:00			`await safe(tokens.update(token.id, { lastUsedTime: new Date() })); // ignore any error`
tokens: add lastUsedTime 2021-03-15 12:47:57 -07:00
tokens: async'ify 2021-06-04 09:28:40 -07:00			`return user;`
Map group roles to scopes 2018-06-18 14:21:54 -07:00			`}`