jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Remove token scope business

Browse Source
This commit is contained in:
Johannes Zellner
2020-02-06 16:44:46 +01:00
parent b4e4b11ab3
commit 2854462e0e
3 changed files with 177 additions and 299 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
src/routes/accesscontrol.js
View File

@@ -4,7 +4,7 @@ exports = module.exports = {
passwordAuth: passwordAuth,
tokenAuth: tokenAuth,
scope: scope,
authorize: authorize,
websocketAuth: websocketAuth
};
@@ -95,53 +95,41 @@ function tokenAuth(req, res, next) {
if (!token) return next(new HttpError(401, 'Unauthorized'));
accesscontrol.validateToken(token, function (error, user, info) {
accesscontrol.verifyToken(token, function (error, user) {
if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
if (error) return next(new HttpError(500, error.message));
if (!user) return next(new HttpError(401, 'Unauthorized'));
req.user = user;
req.authInfo = info;
next();
});
}
// The scope middleware provides an auth middleware for routes.
//
// It is used for API routes, which are authenticated using accesstokens.
// Those accesstokens carry OAuth scopes and the middleware takes the required
// scope as an argument and will verify the accesstoken against it.
//
// See server.js:
// var profileScope = routes.oauth2.scope('profile');
//
function scope(requiredScope) {
assert.strictEqual(typeof requiredScope, 'string');
var requiredScopes = requiredScope.split(',');
function authorize(requiredRole) {
assert.strictEqual(typeof requiredRole, 'string');
return function (req, res, next) {
assert(req.authInfo && typeof req.authInfo === 'object');
assert.strictEqual(req.user, 'object');
var error = accesscontrol.hasScopes(req.authInfo.authorizedScopes, requiredScopes);
var error = accesscontrol.hasRole(req.user, requiredRole);
if (error) return next(new HttpError(403, error.message));
next();
};
}
function websocketAuth(requiredScopes, req, res, next) {
assert(Array.isArray(requiredScopes));
function websocketAuth(requiredRole, req, res, next) {
assert.strictEqual(typeof requiredRole, 'string');
if (typeof req.query.access_token !== 'string') return next(new HttpError(401, 'Unauthorized'));
accesscontrol.validateToken(req.query.access_token, function (error, user, info) {
accesscontrol.verifyToken(req.query.access_token, function (error, user) {
if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
if (error) return next(new HttpError(500, error.message));
if (!user) return next(new HttpError(401, 'Unauthorized'));
req.user = user;
var e = accesscontrol.hasScopes(info.authorizedScopes, requiredScopes);
var e = accesscontrol.hasRole(req.user, requiredRole);
if (e) return next(new HttpError(403, e.message));
next();