jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Remove scope from users.get

Browse Source
This commit is contained in:
Girish Ramakrishnan
2018-06-17 15:25:41 -07:00
parent db8b6838bb
commit 156ffb40c9
7 changed files with 33 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/routes/accesscontrol.js
+8 -7
View File
@@ -97,11 +97,11 @@ function accessTokenAuth(accessToken, callback) {
assert.strictEqual(typeof callback, 'function');
tokendb.get(accessToken, function (error, token) {
if (error && error.reason === DatabaseError.NOT_FOUND) return callback(null, false);
if (error) return callback(error);
if (error && error.reason === DatabaseError.NOT_FOUND) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401
if (error) return callback(error); // this triggers 'internal error' in passport
users.get(token.identifier, function (error, user) {
if (error && error.reason === UsersError.NOT_FOUND) return callback(null, false);
if (error && error.reason === UsersError.NOT_FOUND) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401
if (error) return callback(error);
// scopes here can define what capabilities that token carries
@@ -110,7 +110,7 @@ function accessTokenAuth(accessToken, callback) {
var scope = accesscontrol.intersectScope(userScope, token.scope);
// these clients do not require password checks unlike UI
const skipPasswordVerification = token.clientId === 'cid-sdk' || token.clientId === 'cid-cli';
var info = { scope: scope, skipPasswordVerification: skipPasswordVerification };
var info = { authorizedScope: scope, skipPasswordVerification: skipPasswordVerification };
callback(null, user, info);
});
@@ -135,7 +135,9 @@ function scope(requiredScope) {
passport.authenticate(['bearer'], { session: false }),
function (req, res, next) {
var error = accesscontrol.hasScopes(req.authInfo || null, requiredScopes);
assert(req.authInfo && typeof req.authInfo === 'object');
var error = accesscontrol.hasScopes(req.authInfo.authorizedScope, requiredScopes);
if (error) return next(new HttpError(403, error.message));
next();
@@ -153,9 +155,8 @@ function websocketAuth(requiredScopes, req, res, next) {
if (!user) return next(new HttpError(401, 'Unauthorized'));
req.user = user;
req.authInfo = info;
var e = accesscontrol.hasScopes(req.authInfo, requiredScopes);
var e = accesscontrol.hasScopes(info.authorizedScope, requiredScopes);
if (e) return next(new HttpError(403, e.message));
next();
src/routes/profile.js
+2 -3
View File
@@ -9,8 +9,7 @@ exports = module.exports = {
disableTwoFactorAuthentication: disableTwoFactorAuthentication
};
var accesscontrol = require('../accesscontrol.js'),
assert = require('assert'),
var assert = require('assert'),
HttpError = require('connect-lastmile').HttpError,
HttpSuccess = require('connect-lastmile').HttpSuccess,
users = require('../users.js'),
@@ -31,7 +30,7 @@ function get(req, res, next) {
email: req.user.email,
fallbackEmail: req.user.fallbackEmail,
admin: req.user.admin,
scope: accesscontrol.canonicalScope(req.authInfo.scope), // this returns the token scope and not the user's scope
tokenScope: req.authInfo.authorizedScope,
displayName: req.user.displayName,
twoFactorAuthenticationEnabled: req.user.twoFactorAuthenticationEnabled
}));
src/routes/test/accesscontrol-test.js
+8 -28
View File
@@ -25,29 +25,9 @@ describe('scopes middleware', function () {
passport.authenticate = passportAuthenticateSave;
});
it('fails due to missing authInfo', function (done) {
it('fails due to empty scope in request', function (done) {
var mw = accesscontrol.scope('admin')[1];
var req = {};
mw(req, null, function (error) {
expect(error).to.be.a(HttpError);
done();
});
});
it('fails due to missing scope property in authInfo', function (done) {
var mw = accesscontrol.scope('admin')[1];
var req = { authInfo: {} };
mw(req, null, function (error) {
expect(error).to.be.a(HttpError);
done();
});
});
it('fails due to missing scope in request', function (done) {
var mw = accesscontrol.scope('admin')[1];
var req = { authInfo: { scope: '' } };
var req = { authInfo: { authorizedScope: '' } };
mw(req, null, function (error) {
expect(error).to.be.a(HttpError);
@@ -57,7 +37,7 @@ describe('scopes middleware', function () {
it('fails due to wrong scope in request', function (done) {
var mw = accesscontrol.scope('admin')[1];
var req = { authInfo: { scope: 'foobar,something' } };
var req = { authInfo: { authorizedScope: 'foobar,something' } };
mw(req, null, function (error) {
expect(error).to.be.a(HttpError);
@@ -67,7 +47,7 @@ describe('scopes middleware', function () {
it('fails due to wrong scope in request', function (done) {
var mw = accesscontrol.scope('admin,users')[1];
var req = { authInfo: { scope: 'foobar,admin' } };
var req = { authInfo: { authorizedScope: 'foobar,admin' } };
mw(req, null, function (error) {
expect(error).to.be.a(HttpError);
@@ -77,7 +57,7 @@ describe('scopes middleware', function () {
it('succeeds with one requested scope and one provided scope', function (done) {
var mw = accesscontrol.scope('admin')[1];
var req = { authInfo: { scope: 'admin' } };
var req = { authInfo: { authorizedScope: 'admin' } };
mw(req, null, function (error) {
expect(error).to.not.be.ok();
@@ -87,7 +67,7 @@ describe('scopes middleware', function () {
it('succeeds with one requested scope and two provided scopes', function (done) {
var mw = accesscontrol.scope('admin')[1];
var req = { authInfo: { scope: 'foobar,admin' } };
var req = { authInfo: { authorizedScope: 'foobar,admin' } };
mw(req, null, function (error) {
expect(error).to.not.be.ok();
@@ -97,7 +77,7 @@ describe('scopes middleware', function () {
it('succeeds with two requested scope and two provided scopes', function (done) {
var mw = accesscontrol.scope('admin,foobar')[1];
var req = { authInfo: { scope: 'foobar,admin' } };
var req = { authInfo: { authorizedScope: 'foobar,admin' } };
mw(req, null, function (error) {
expect(error).to.not.be.ok();
@@ -107,7 +87,7 @@ describe('scopes middleware', function () {
it('succeeds with two requested scope and provided wildcard scope', function (done) {
var mw = accesscontrol.scope('admin,foobar')[1];
var req = { authInfo: { scope: '*' } };
var req = { authInfo: { authorizedScope: '*' } };
mw(req, null, function (error) {
expect(error).to.not.be.ok();
src/routes/test/profile-test.js
+2
View File
@@ -106,6 +106,7 @@ describe('Profile API', function () {
expect(result.body.displayName).to.be.a('string');
expect(result.body.password).to.not.be.ok();
expect(result.body.salt).to.not.be.ok();
expect(result.body.tokenScope).to.be('apps,clients,cloudron,domains,mail,profile,settings,users');
user_0 = result.body;
@@ -144,6 +145,7 @@ describe('Profile API', function () {
expect(result.body.displayName).to.be.a('string');
expect(result.body.password).to.not.be.ok();
expect(result.body.salt).to.not.be.ok();
expect(result.body.tokenScope).to.be('apps,clients,cloudron,domains,mail,profile,settings,users');
done();
});
});