src/accesscontrol.js

'use strict';

exports = module.exports = {
    verifyToken: verifyToken
};

var assert = require('assert'),
    BoxError = require('./boxerror.js'),
    tokendb = require('./tokendb.js'),
    users = require('./users.js');

function verifyToken(accessToken, callback) {
    assert.strictEqual(typeof accessToken, 'string');
    assert.strictEqual(typeof callback, 'function');

    tokendb.getByAccessToken(accessToken, function (error, token) {
        if (error && error.reason === BoxError.NOT_FOUND) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));
        if (error) return callback(error);

        users.get(token.identifier, function (error, user) {
            if (error && error.reason === BoxError.NOT_FOUND) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));
            if (error) return callback(error);

            if (!user.active) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));

            callback(null, user);
        });
    });
}
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`'use strict';`

			`exports = module.exports = {`
migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			`verifyToken: verifyToken`
Map group roles to scopes 2018-06-18 14:21:54 -07:00			`};`

refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`var assert = require('assert'),`
Move ClientsError to BoxError 2019-10-22 21:16:00 -07:00			`BoxError = require('./boxerror.js'),`
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00			`tokendb = require('./tokendb.js'),`
Remove token scope business 2020-02-06 16:44:46 +01:00			`users = require('./users.js');`
merge auth.js into accesscontrol.js 2018-05-01 13:34:46 -07:00
Remove token scope business 2020-02-06 16:44:46 +01:00			`function verifyToken(accessToken, callback) {`
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00			`assert.strictEqual(typeof accessToken, 'string');`
			`assert.strictEqual(typeof callback, 'function');`

Make token API id based we don't return the accessToken anymore 2019-02-15 13:57:18 -08:00			`tokendb.getByAccessToken(accessToken, function (error, token) {`
Remove token scope business 2020-02-06 16:44:46 +01:00			`if (error && error.reason === BoxError.NOT_FOUND) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));`
Remove passport 2020-02-06 14:50:12 +01:00			`if (error) return callback(error);`
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00
Revert role support 2018-07-26 10:20:19 -07:00			`users.get(token.identifier, function (error, user) {`
Remove token scope business 2020-02-06 16:44:46 +01:00			`if (error && error.reason === BoxError.NOT_FOUND) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));`
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00			`if (error) return callback(error);`

Remove token scope business 2020-02-06 16:44:46 +01:00			`if (!user.active) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));`
make scopesForUser async 2018-08-02 19:07:33 -07:00
Remove token scope business 2020-02-06 16:44:46 +01:00			`callback(null, user);`
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00			`});`
			`});`
Map group roles to scopes 2018-06-18 14:21:54 -07:00			`}`