'use strict';
var PromiseA = require('bluebird');
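module.exports.inject = function (app) {
  var CORS = require('connect-cors');
  // Loaded once at injection time (fail fast) instead of on the first request.
  var jwt = require('jsonwebtoken');

  // Allows CORS access to API with ?access_token=
  // NOTE(review): `credentials: true` makes browsers send cookies cross-origin;
  // confirm connect-cors limits Access-Control-Allow-Origin to trusted origins
  // rather than reflecting any request Origin (see trustedDomains TODO below).
  // TODO Access-Control-Max-Age: 600
  // TODO How can we help apps handle this? token?
  // TODO allow apps to configure trustedDomains, auth, etc
  var cors = CORS({ credentials: true, headers: [
      'X-Requested-With'
    , 'X-HTTP-Method-Override'
    , 'Content-Type'
    , 'Accept'
    , 'Authorization'
    ], methods: [ "GET", "POST", "PATCH", "PUT", "DELETE" ] });

  var ERROR_DOCS_URL = 'https://oauth3.org/docs/errors#';

  // Sends the OAuth3-style JSON error body used by this middleware.
  // statusCode follows RFC 6750 section 3.1: 400 for a malformed request,
  // 401 when a credential was presented but is unusable. Errors used to go
  // out with the default 200 status, which clients could mistake for success.
  function sendError(res, err, statusCode) {
    var code = err.code || 'E_UNKNOWN_EXCEPTION';

    res.statusCode = statusCode;
    res.send({
      error: code
    , error_description: err.message
    , error_url: ERROR_DOCS_URL + code
    });
  }

  //
  // Generic Session / Login / Account Routes
  //

  // Extracts an access token from, in order of precedence, the Authorization
  // header, the request body (access_token) and the query string (access_token).
  // Resolves with the raw token string, or undefined when none was supplied.
  // Rejects when the Authorization header does not have exactly two parts, or
  // when a token is presented in more than one place -- a token in the body or
  // query string must never silently override the one in the header.
  // opts.schemes: accepted Authorization schemes, lower-case; defaults to
  // ['token', 'bearer']. An unrecognised scheme is ignored, not rejected.
  function parseAccessToken(req, opts) {
    var token;
    var parts;
    var scheme;
    var credentials;

    if (req.headers && req.headers.authorization) {
      parts = req.headers.authorization.split(' ');

      if (parts.length !== 2) {
        return PromiseA.reject(new Error("malformed Authorization header"));
      }

      scheme = parts[0];
      credentials = parts[1];

      if (-1 !== (opts && opts.schemes || ['token', 'bearer']).indexOf(scheme.toLowerCase())) {
        token = credentials;
      }
    }

    if (req.body && req.body.access_token) {
      // The rejection must be returned; a bare PromiseA.reject(...) is discarded
      // and the body token would quietly replace the header token.
      if (token) { return PromiseA.reject(new Error("token exists in header and body")); }
      token = req.body.access_token;
    }

    // TODO disallow query with req.method === 'GET'
    // (cookies should be used for protected static assets)
    if (req.query && req.query.access_token) {
      if (token) { return PromiseA.reject(new Error("token already exists in either header or body and also in query")); }
      token = req.query.access_token;
    }

    // TODO when a token becomes mandatory, reject here with E_BEARER_REALM and
    // a WWW-Authenticate challenge instead of resolving undefined.
    return PromiseA.resolve(token);
  }

  // Middleware: puts the raw access token (if any) on req.oauth3.token and
  // continues. A request without a token passes through untouched; whether a
  // token is required is left to downstream handlers.
  function getToken(req, res, next) {
    req.oauth3 = {};

    parseAccessToken(req).then(function (token) {
      var data;
      var err;

      if (!token) {
        next();
        return;
      }

      // jwt.decode() only parses the token; it does NOT verify the signature,
      // so nothing in `data` is trusted here. req.oauth3.token is the raw,
      // unverified string and must be verified by whatever relies on its claims.
      data = jwt.decode(token);

      if (!data) {
        err = new Error('not a json web token');
        err.code = 'E_NOT_JWT';
        sendError(res, err, 401);
        return;
      }

      req.oauth3.token = token;
      next();
    }, function (err) {
      // Rejections from parseAccessToken (malformed header, token in two places).
      // Without this handler the promise rejected unhandled and the request
      // never received a response.
      sendError(res, err, 400);
    });
  }

  app.use('/', function (req, res, next) {
    cors(req, res, next);
  });

  app.use('/', getToken);
};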