walnut.js/lib/oauth3-auth.js

109 lines
2.8 KiB
JavaScript
Raw Normal View History

2015-12-04 07:00:30 +00:00
'use strict';
var PromiseA = require('bluebird');
module.exports.inject = function (app) {
//var jwsUtils = require('./lib/jws-utils').create(signer);
var CORS = require('connect-cors');
2015-12-04 08:11:34 +00:00
var cors = CORS({ credentials: true, headers: [
2015-12-04 07:00:30 +00:00
'X-Requested-With'
, 'X-HTTP-Method-Override'
, 'Content-Type'
, 'Accept'
, 'Authorization'
2015-12-04 08:11:34 +00:00
], methods: [ "GET", "POST", "PATCH", "PUT", "DELETE" ] });
// Allows CORS access to API with ?access_token=
// TODO Access-Control-Max-Age: 600
// TODO How can we help apps handle this? token?
// TODO allow apps to configure trustedDomains, auth, etc
2015-12-04 07:00:30 +00:00
//function weakDecipher(secret, val) { return require('./weak-crypt').weakDecipher(val, secret); }
//
// Generic Session / Login / Account Routes
//
function parseAccessToken(req, opts) {
var token;
var parts;
var scheme;
var credentials;
if (req.headers && req.headers.authorization) {
parts = req.headers.authorization.split(' ');
if (parts.length !== 2) {
return PromiseA.reject(new Error("malformed Authorization header"));
}
scheme = parts[0];
credentials = parts[1];
if (-1 !== (opts && opts.schemes || ['token', 'bearer']).indexOf(scheme.toLowerCase())) {
token = credentials;
}
}
if (req.body && req.body.access_token) {
if (token) { PromiseA.reject(new Error("token exists in header and body")); }
token = req.body.access_token;
}
// TODO disallow query with req.method === 'GET'
// (cookies should be used for protected static assets)
if (req.query && req.query.access_token) {
if (token) { PromiseA.reject(new Error("token already exists in either header or body and also in query")); }
token = req.query.access_token;
}
/*
err = new Error(challenge());
err.code = 'E_BEARER_REALM';
if (!token) { return PromiseA.reject(err); }
*/
return PromiseA.resolve(token);
}
function getToken(req, res, next) {
req.oauth3 = {};
parseAccessToken(req).then(function (token) {
if (!token) {
next();
return;
}
var jwt = require('jsonwebtoken');
var data = jwt.decode(token);
var err;
if (!data) {
err = new Error('not a json web token');
err.code = 'E_NOT_JWT';
2015-12-04 08:11:34 +00:00
res.send({
error: err.code
, error_description: err.message
, error_url: 'https://oauth3.org/docs/errors#' + (err.code || 'E_UNKNOWN_EXCEPTION')
});
// PromiseA.reject(err);
return;
2015-12-04 07:00:30 +00:00
}
req.oauth3.token = token;
next();
});
}
2015-12-04 08:11:34 +00:00
/*
app.use('/', function (req, res, next) {
console.log('[DEBUG CORS]', req.method, req.hostname, req.url);
cors(req, res, next);
});
*/
2015-12-04 07:00:30 +00:00
app.use('/', getToken);
};