proxyAuth: authorization logic
This commit is contained in:
+26
-10
@@ -95,7 +95,7 @@ function auth(req, res, next) {
|
||||
}
|
||||
|
||||
// endpoint called by login page, username and password posted as JSON body
|
||||
function login(req, res, next) {
|
||||
function authenticate(req, res, next) {
|
||||
assert.strictEqual(typeof req.body, 'object');
|
||||
|
||||
const appId = req.headers['x-app-id'] || '';
|
||||
@@ -111,15 +111,32 @@ function login(req, res, next) {
|
||||
api(username, password, appId, function (error, user) {
|
||||
if (error) return next(new HttpError(403, 'Invalid username or password' ));
|
||||
|
||||
const token = jwt.sign({ user: users.removePrivateFields(user) }, TOKEN_SECRET, { expiresIn: `${EXPIRY_DAYS}d` });
|
||||
req.user = user;
|
||||
next();
|
||||
});
|
||||
}
|
||||
|
||||
res.cookie('authToken', token, {
|
||||
httpOnly: true,
|
||||
maxAge: EXPIRY_DAYS * 86400 * 1000, // milliseconds
|
||||
secure: true
|
||||
function authorize(req, res, next) {
|
||||
const appId = req.headers['x-app-id'] || '';
|
||||
if (!appId) return next(new HttpError(503, 'Nginx misconfiguration'));
|
||||
|
||||
apps.get(appId, function (error, app) {
|
||||
if (error) return next(new HttpError(403, 'No such app' ));
|
||||
|
||||
apps.hasAccessTo(app, req.user, function (error, hasAccess) {
|
||||
if (error) return next(new HttpError(403, 'Forbidden' ));
|
||||
if (!hasAccess) return next(new HttpError(403, 'Forbidden' ));
|
||||
|
||||
const token = jwt.sign({ user: users.removePrivateFields(req.user) }, TOKEN_SECRET, { expiresIn: `${EXPIRY_DAYS}d` });
|
||||
|
||||
res.cookie('authToken', token, {
|
||||
httpOnly: true,
|
||||
maxAge: EXPIRY_DAYS * 86400 * 1000, // milliseconds
|
||||
secure: true
|
||||
});
|
||||
|
||||
res.redirect('/');
|
||||
});
|
||||
|
||||
res.redirect('/');
|
||||
});
|
||||
}
|
||||
|
||||
@@ -156,10 +173,9 @@ function initializeAuthwallExpressSync() {
|
||||
.use(router)
|
||||
.use(middleware.lastMile());
|
||||
|
||||
router.get ('/', (req, res) => { res.redirect('/login'); }); // this can never happen
|
||||
router.get ('/login', loginPage);
|
||||
router.get ('/auth', jwtVerify, basicAuthVerify, auth);
|
||||
router.post('/login', json, login);
|
||||
router.post('/login', json, authenticate, authorize);
|
||||
router.get ('/logout', logoutPage);
|
||||
router.post('/logout', json, logout);
|
||||
|
||||
|
||||
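Review bot: The `authToken` cookie set at the end of `authorize` (the `res.cookie('authToken', token, { … })` block) is `httpOnly` and `secure` but carries no `sameSite` attribute, so browsers will attach it to cross-site requests and any state-changing endpoint behind the proxy that trusts the cookie alone is exposed to CSRF; add `sameSite: 'lax'` next to `secure: true` (or `'strict'` if the apps are never entered via cross-site links). The token signed there encodes only `users.removePrivateFields(req.user)` and not the `appId` that `apps.hasAccessTo` just approved, so presumably the `/auth` handler (`jwtVerify, basicAuthVerify, auth`, not in this diff) re-checks per-app access on every request — worth confirming, because otherwise a login authorized for one app yields a cookie accepted by every app fronted by this proxy. Also, an error from `apps.get` or `apps.hasAccessTo` is collapsed into the same `403 'No such app'` / `403 'Forbidden'` as a genuine denial; failing closed is correct, but the underlying error should be logged before it is discarded, e.g. `if (error) { console.error('hasAccessTo failed', error); return next(new HttpError(403, 'Forbidden')); }`.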