From c411c3401678f702202918f53fd2041530541523 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Wed, 31 May 2017 20:02:26 +0000 Subject: [PATCH] account-handling logic --- lib/apis.js | 120 +++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 113 insertions(+), 7 deletions(-) diff --git a/lib/apis.js b/lib/apis.js index 5f57b35..c417132 100644 --- a/lib/apis.js +++ b/lib/apis.js @@ -8,6 +8,9 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) { var fs = PromiseA.promisifyAll(require('fs')); var path = require('path'); var localCache = { rests: {}, pkgs: {} }; + var promisableRequest = require('./common').promisableRequest; + var rejectableRequest = require('./common').rejectableRequest; + var crypto = require('crypto'); // TODO xconfx.apispath xconfx.restPath = path.join(__dirname, '..', '..', 'packages', 'rest'); @@ -103,6 +106,107 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) { }); } + function accountRequiredById(req, res, next) { + var promise = req.oauth3.verifyAsync().then(function (/*result*/) { + var tok = req.oauth3.token; + var accountId = req.params.accountId || '__NO_ID_GIVEN__'; + var ppid; + + if (tok.sub && tok.sub.split(/,/g).filter(function (ppid) { + return ppid === accountId; + }).length) { + ppid = accountId; + } + + if (tok.axs && tok.axs.filter(function (acc) { + return acc.id === accountId || acc.appScopedId === accountId; + }).length) { + ppid = accountId; + } + + if (tok.acx && accountId === (tok.acx.appScopedId || tok.acx.id || tok.acx)) { + ppid = accountId; + } + + if (!ppid) { + return PromiseA.reject(new Error("missing accountId '" + accountId + "' in access token")); + } + + return req.oauth3.rescope(ppid).then(function (accountIdx) { + req.oauth3.accountIdx = accountIdx; + req.oauth3.ppid = ppid; + req.oauth3.accountHash = crypto.createHash('sha1').update(accountIdx).digest('hex'); + + next(); + }); + }); + + rejectableRequest(req, res, promise, "[com.daplie.walnut] attach account by id"); + } + + function accountRequired(req, res, next) { + // if this already has auth, great + if (req.oauth3.ppid) { + next(); + return; + } + + // being public does not disallow authentication + if (req.isPublic && !req.oauth3.encodedToken) { + next(); + return; + } + + if (!req.oauth3.encodedToken) { + rejectableRequest( + req + , res + , PromiseA.reject(new Error("this secure resource requires an access token")) + , "[com.daplie.walnut] required account (not /public)" + ); + return; + } + + // verify the auth if it's here + var promise = req.oauth3.verifyAsync().then(function (/*result*/) { + var tok = req.oauth3.token; + var ppid; + var err; + + if (tok.sub) { + if (tok.sub.split(/,/g).length > 1) { + err = new Error("more than one 'sub' specified in token"); + return PromiseA.reject(err); + } + ppid = tok.sub; + } + else if (tok.axs && tok.axs.length) { + if (tok.axs.length > 1) { + err = new Error("more than one 'axs' specified in token (also, update to using 'sub' instead)"); + return PromiseA.reject(err); + } + ppid = tok.axs[0].appScopedId || tok.axs[0].id; + } + else if (tok.acx) { + ppid = tok.acx.appScopedId || tok.acx.id || tok.acx; + } + + if (!ppid) { + return PromiseA.reject(new Error("could not determine accountId from access token")); + } + + return req.oauth3.rescope(ppid).then(function (accountIdx) { + req.oauth3.accountIdx = accountIdx; + req.oauth3.ppid = ppid; + req.oauth3.accountHash = crypto.createHash('sha1').update(accountIdx).digest('hex'); + + next(); + }); + }); + + rejectableRequest(req, res, promise, "[com.daplie.walnut] required account (not /public)"); + } + function loadRestHelper(myConf, clientUrih, pkgId) { var pkgPath = path.join(myConf.restPath, pkgId); var pkgLinks = []; @@ -151,8 +255,8 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) { console.log('DEBUG pkgPath', pkgPath); myApp = express(); - myApp.handlePromise = require('./common').promisableRequest; - myApp.handleRejection = require('./common').rejectableRequest; + myApp.handlePromise = promisableRequest; + myApp.handleRejection = rejectableRequest; myApp.grantsRequired = function (grants) { if (!Array.isArray(grants)) { throw new Error("Usage: app.grantsRequired([ 'name|altname|altname2', 'othergrant' ])"); @@ -198,11 +302,6 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) { //require('oauthcommon').inject(packagedApi._getOauth3Controllers, packagedApi._api, pkgConf, pkgDeps); require('oauthcommon').inject(_getOauth3Controllers, myApp/*, pkgConf, pkgDeps*/); - myApp.use('/public', function preHandler(req, res, next) { - // TODO authenticate or use guest user - next(); - }); - // TODO delete these caches when config changes var _stripe; var _stripe_test; @@ -325,6 +424,13 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) { next(); }); }); + myApp.use('/public', function preHandler(req, res, next) { + // TODO authenticate or use guest user + req.isPublic = true; + next(); + }); + myApp.use('/accounts/:accountId', accountRequiredById); + myApp.use('/acl', accountRequired); // // TODO handle /accounts/:accountId