diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index 58b093087..bd611b3bf 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -14,10 +14,6 @@ exports = module.exports = {
 SCOPE_ANY: '*',
- // roles are handled just like the above scopes, they are parallel to scopes
- // scopes enclose API groups, roles specify the usage role
- SCOPE_ROLE_SDK: 'roleSdk',
-
 validateScope: validateScope,
 validateRequestedScopes: validateRequestedScopes,
 normalizeScope: normalizeScope
@@ -40,8 +36,7 @@ function validateScope(scope) {
 exports.SCOPE_DOMAIN,
 exports.SCOPE_CLIENTS,
 exports.SCOPE_MAIL,
- exports.SCOPE_ANY, // includes all scopes, but not roles
- exports.SCOPE_ROLE_SDK
+ exports.SCOPE_ANY // includes all scopes
 ];
 if (scope === '') return new Error('Empty scope not allowed');
@@ -61,11 +56,6 @@ function validateRequestedScopes(authInfo, requestedScopes) {
 var scopes = authInfo.scope.split(',');
- // check for roles separately
- if (requestedScopes.indexOf(exports.SCOPE_ROLE_SDK) !== -1 && scopes.indexOf(exports.SCOPE_ROLE_SDK) === -1) {
- return new Error('Missing required scope role "' + exports.SCOPE_ROLE_SDK + '"');
- }
-
 if (scopes.indexOf(exports.SCOPE_ANY) !== -1) return null;
 for (var i = 0; i < requestedScopes.length; ++i) {
diff --git a/src/auth.js b/src/auth.js
index 330c60562..e8777321f 100644
--- a/src/auth.js
+++ b/src/auth.js
@@ -118,7 +118,7 @@ function accessTokenAuth(accessToken, callback) {
 // scopes here can define what capabilities that token carries
 // passport put the 'info' object into req.authInfo, where we can further validate the scopes
 var scope = accesscontrol.normalizeScope(user.scope, token.scope);
- var info = { scope: scope };
+ var info = { scope: scope, clientId: token.clientId };
 callback(null, user, info);
 });
diff --git a/src/clientdb.js b/src/clientdb.js
index 5ae93d803..53ca1754f 100644
--- a/src/clientdb.js
+++ b/src/clientdb.js
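Review bot: validateScope now rejects the name 'roleSdk', but tokens issued before this change by issueDeveloperToken were stored with the scope string `'*,' + accesscontrol.SCOPE_ROLE_SDK` (the removed line in src/developer.js), and nothing in the diff reissues or rewrites them. If normalizeScope in src/auth.js passes the stored token scope through validateScope, those CLI tokens will start failing authentication after deploy; if it only splits on ',' and relies on the '*' entry, they keep working but carry a now-unknown entry, so the outcome for pre-existing tokens should be stated in the commit message. If rejection is intended, say so above the list, e.g. `// 'roleSdk' is no longer a valid scope; tokens stored with it are rejected and must be reissued`. validateScope's body continues outside the hunk.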
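Review bot: clientId is added to the info object without the comment block above being updated, although the value becomes an authorization input downstream (src/routes/users.js in this diff skips password verification when authInfo.clientId equals 'cid-sdk' or 'cid-cli'). Extend the comment with something like `// clientId is the OAuth client the token was issued to; routes branch on it, so it must come from the stored token record, never from the request`. Consumers that read `req.authInfo.clientId` should also guard against authInfo being absent on request paths not authenticated by this strategy, as the replaced `req.authInfo || null` did. accessTokenAuth starts outside the hunk.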
@@ -182,8 +182,8 @@ function clear(callback) {
 function addDefaultClients(callback) {
 async.series([
- add.bind(null, 'cid-webadmin', 'Settings', 'built-in', 'secret-webadmin', 'https://admin-localhost', 'cloudron,profile,users,apps,settings'),
- add.bind(null, 'cid-sdk', 'SDK', 'built-in', 'secret-sdk', 'https://admin-localhost', '*,roleSdk'),
- add.bind(null, 'cid-cli', 'Cloudron Tool', 'built-in', 'secret-cli', 'https://admin-localhost', '*,roleSdk')
+ add.bind(null, 'cid-webadmin', 'Settings', 'built-in', 'secret-webadmin', 'https://admin-localhost', '*'),
+ add.bind(null, 'cid-sdk', 'SDK', 'built-in', 'secret-sdk', 'https://admin-localhost', '*'),
+ add.bind(null, 'cid-cli', 'Cloudron Tool', 'built-in', 'secret-cli', 'https://admin-localhost', '*')
 ], callback);
 }
diff --git a/src/clients.js b/src/clients.js
index 6c0e9d66d..307fe0c06 100644
--- a/src/clients.js
+++ b/src/clients.js
@@ -288,13 +288,10 @@ function addDefaultClients(origin, callback) {
 debug('Adding default clients');
 // The domain might have changed, therefor we have to update the record
- // !!! This needs to be in sync with the webadmin, specifically login_callback.js
- const ADMIN_SCOPES = 'cloudron,developer,profile,users,apps,settings';
-
 // id, appId, type, clientSecret, redirectURI, scope
 async.series([
- clientdb.upsert.bind(null, 'cid-webadmin', 'Settings', 'built-in', 'secret-webadmin', origin, ADMIN_SCOPES),
- clientdb.upsert.bind(null, 'cid-sdk', 'SDK', 'built-in', 'secret-sdk', origin, '*,roleSdk'),
- clientdb.upsert.bind(null, 'cid-cli', 'Cloudron Tool', 'built-in', 'secret-cli', origin, '*, roleSdk')
+ clientdb.upsert.bind(null, 'cid-webadmin', 'Settings', 'built-in', 'secret-webadmin', origin, '*'),
+ clientdb.upsert.bind(null, 'cid-sdk', 'SDK', 'built-in', 'secret-sdk', origin, '*'),
+ clientdb.upsert.bind(null, 'cid-cli', 'Cloudron Tool', 'built-in', 'secret-cli', origin, '*')
 ], callback);
 }
diff --git a/src/developer.js b/src/developer.js
index 165a5d874..c513b5e7f 100644
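Review bot: The cid-webadmin client's scope is widened from the explicit list `'cloudron,profile,users,apps,settings'` to `'*'`, which goes beyond dropping roleSdk and is not explained in the hunk; the same widening from ADMIN_SCOPES to '*' happens in src/clients.js, where the removed comment also warned that the list had to stay in sync with the webadmin's login_callback.js. If the intent is only to remove the role, keep the scope list for the webadmin entry, `add.bind(null, 'cid-webadmin', 'Settings', 'built-in', 'secret-webadmin', 'https://admin-localhost', 'cloudron,profile,users,apps,settings'),`, and correspondingly keep ADMIN_SCOPES in src/clients.js. If full scope for the admin client is intended, state it in the commit message and leave a comment in src/clients.js recording that the scopes the webadmin requests at login must remain a subset of the client record.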
--- a/src/developer.js
+++ b/src/developer.js
@@ -10,7 +10,6 @@ exports = module.exports = {
 var accesscontrol = require('./accesscontrol.js'),
 assert = require('assert'),
- clients = require('./clients.js'),
 constants = require('./constants.js'),
 eventlog = require('./eventlog.js'),
 tokendb = require('./tokendb.js'),
@@ -46,9 +45,8 @@ function issueDeveloperToken(userObject, ip, callback) {
 var token = tokendb.generateToken();
 var expiresAt = Date.now() + constants.DEFAULT_TOKEN_EXPIRATION;
- var scopes = '*,' + accesscontrol.SCOPE_ROLE_SDK;
- tokendb.add(token, userObject.id, 'cid-cli', expiresAt, scopes, function (error) {
+ tokendb.add(token, userObject.id, 'cid-cli', expiresAt, accesscontrol.SCOPE_ANY, function (error) {
 if (error) return callback(new DeveloperError(DeveloperError.INTERNAL_ERROR, error));
 eventlog.add(eventlog.ACTION_USER_LOGIN, { authType: 'cli', ip: ip }, { userId: userObject.id, user: users.removePrivateFields(userObject) });
diff --git a/src/routes/users.js b/src/routes/users.js
index a2f25ef17..97d19df0d 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -11,8 +11,7 @@ exports = module.exports = {
 setGroups: setGroups
 };
-var accesscontrol = require('../accesscontrol.js'),
- assert = require('assert'),
+var assert = require('assert'),
 constants = require('../constants.js'),
 generatePassword = require('../password.js').generate,
 HttpError = require('connect-lastmile').HttpError,
@@ -129,8 +128,7 @@ function verifyPassword(req, res, next) {
 assert.strictEqual(typeof req.body, 'object');
 // using an 'sdk' token we skip password checks
- var error = accesscontrol.validateRequestedScopes(req.authInfo || null, [ accesscontrol.SCOPE_ROLE_SDK ]);
- if (!error) return next();
+ if (req.authInfo.clientId === 'cid-sdk' || req.authInfo.clientId === 'cid-cli') return next();
 if (typeof req.body.password !== 'string') return next(new HttpError(400, 'API call requires user password'));
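Review bot: `'cid-cli'` on the tokendb.add line is a literal that, after this change, is also the value src/routes/users.js compares `req.authInfo.clientId` against to skip password verification, and src/clientdb.js and src/clients.js spell it out again. Since the client id has become an authorization signal, a typo in any one copy silently changes who bypasses the password check, so define it once (constants.js is already required here) and reference it from all four places, for example `tokendb.add(token, userObject.id, constants.CLI_CLIENT_ID, expiresAt, accesscontrol.SCOPE_ANY, function (error) {` with a matching export added to src/constants.js (constant name is a placeholder). issueDeveloperToken's body continues outside the hunk.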