coolaj86/walnut.js
1
1
Fork 1
Code Issues Pull Requests Releases Activity

Compare commits

base: coolaj86:master
Branches Tags
coolaj86:master
coolaj86:v1
coolaj86:v1.2
coolaj86:installer-v2
coolaj86:v1.0
coolaj86:native-random
coolaj86:prefix-fix
coolaj86:v1-normal
coolaj86:master-normal
coolaj86:fs-nosql
coolaj86:letsencrypt
coolaj86:master-2016-03-29
coolaj86:v1.2.4
coolaj86:v1.2.3
coolaj86:v1.2.2
coolaj86:v1.2.1
coolaj86:pre-issuer-rewrite
coolaj86:v1.2.0
..
compare: coolaj86:pre-issuer-rewrite
Branches Tags
coolaj86:master
coolaj86:v1
coolaj86:v1.2
coolaj86:installer-v2
coolaj86:v1.0
coolaj86:native-random
coolaj86:prefix-fix
coolaj86:v1-normal
coolaj86:master-normal
coolaj86:fs-nosql
coolaj86:letsencrypt
coolaj86:master-2016-03-29
coolaj86:v1.2.4
coolaj86:v1.2.3
coolaj86:v1.2.2
coolaj86:v1.2.1
coolaj86:pre-issuer-rewrite
coolaj86:v1.2.0

No commits in common. "master" and "pre-issuer-rewrite" have entirely different histories.
master ... pre-issuer

26 changed files with 1025 additions and 1722 deletions
Show Stats Expand all files Collapse all files

4
CHANGELOG
View File

@ -1,4 +0,0 @@
v1.2.5 - Beginning of CHANGELOG
* has semi-functional launchpad
* OAuth3 with issuer-rewrite merged in
* capabilities API

2
INSTALL.md
View File

@ -192,7 +192,7 @@ For the APIs for that we'll install the `issuer@oauth3.org` API package and enab
```bash
# API packaged for walnut
git clone https://git.daplie.com/OAuth3/issuer_oauth3.org.git /srv/walnut/packages/rest/issuer@oauth3.org
git clone https://git.daplie.com/OAuth3/org.oauth3.provider.git /srv/walnut/packages/rest/issuer@oauth3.org
pushd /srv/walnut/packages/rest/issuer@oauth3.org/
git checkout v1.2
npm install

42
LICENSE
View File

@ -1,41 +1,3 @@
Copyright 2017 Daplie, Inc
Copyright 2017 Daplie Inc.
This is open source software; you can redistribute it and/or modify it under the
terms of either:
a) the "MIT License"
b) the "Apache-2.0 License"
MIT License
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Apache-2.0 License Summary
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
All Rights Reserved

48
README.md
View File

@ -19,7 +19,7 @@ Security Features
* disallows cookies, except for protected static assets
* api.* subdomain for apis
* assets.* subdomain for protected assets
* *must* sit behind a trusted https proxy (such as [Goldilocks](https://git.coolaj86.com/coolaj86/goldilocks.js))
* *must* sit behind a trusted https proxy (such as [Goldilocks](https://git.daplie.com/Daplie/goldilocks.js))
* HTTPS-only (checks for X-Forwarded-For)
* AES, RSA, and ECDSA encryption and signing
* Safe against CSRF, XSS, and SQL injection
@ -34,14 +34,14 @@ Application Features
* JSON-only expressjs APIs
* Capability-based permissions system for (oauth3-discoverable) packages such as
* large file access (files@oauth3.org)
* database access (data@oauth3.org)
* scheduling (for background tasks, alerts, alarms, calendars, reminders, etc) (events@oauth3.org)
* payments (credit card) (payments@oauth3.org)
* email (email@oauth3.org)
* SMS (texting) (tel@oauth3.org)
* voice (calls and answering machine) (tel@oauth3.org)
* lamba-style functions (functions@oauth3.org)
* large file access (files@daplie.com)
* database access (data@daplie.com)
* scheduling (for background tasks, alerts, alarms, calendars, reminders, etc) (events@daplie.com)
* payments (credit card) (payments@daplie.com)
* email (email@daplie.com)
* SMS (texting) (tel@daplie.com)
* voice (calls and answering machine) (tel@daplie.com)
* lamba-style functions (functions@daplie.com)
* Per-app, per-site, and per-user configurations
* Multi-Tentated Application Management
* Built-in OAuth2 & OAuth3 support
@ -53,18 +53,8 @@ Installation
We're still in a stage where the installation generally requires many manual steps.
```bash
curl https://git.coolaj86.com/coolaj86/walnut.js/raw/v1.2/installer/get.sh | bash
```
See [INSTALL.md](/INSTALL.md)
### Uninstall
```bash
rm -rf /srv/walnut/ /var/walnut/ /etc/walnut/ /opt/walnut/ /var/log/walnut/ /etc/systemd/system/walnut.service /etc/tmpfiles.d/walnut.conf
```
Usage
-----
@ -131,7 +121,7 @@ Initialization
needs to know its primary domain
```
POST https://api.<domain.tld>/api/walnut@oauth3.org/init
POST https://api.<domain.tld>/api/walnut@daplie.com/init
{ "domain": "<domain.tld>" }
```
@ -153,18 +143,18 @@ api.<domain.tld>
assets.<domain.tld>
```
The domains can be setup through the OAuth3 Desktop App or with `oauth3-tools`
The domains can be setup through the Daplie Desktop App or with `daplie-tools`
```bash
# set device address and attach primary domain
oauth3 devices:attach -d foodevice -n example.com -a 127.0.0.1
daplie devices:attach -d foodevice -n example.com -a 127.0.0.1
# attach all other domains with same device/address
oauth3 devices:attach -d foodevice -n www.example.com
oauth3 devices:attach -d foodevice -n api.example.com
oauth3 devices:attach -d foodevice -n assets.example.com
oauth3 devices:attach -d foodevice -n cloud.example.com
oauth3 devices:attach -d foodevice -n api.cloud.example.com
daplie devices:attach -d foodevice -n www.example.com
daplie devices:attach -d foodevice -n api.example.com
daplie devices:attach -d foodevice -n assets.example.com
daplie devices:attach -d foodevice -n cloud.example.com
daplie devices:attach -d foodevice -n api.cloud.example.com
```
Example `/etc/goldilocks/goldilocks.yml`:
@ -194,7 +184,7 @@ Resetting the Initialization
Once you run the app the initialization files will appear in these locations
```
/srv/walnut/var/walnut+config@oauth3.org.sqlite3
/srv/walnut/var/walnut+config@daplie.com.sqlite3
/srv/walnut/config/<domain.tld>/config.json
```
@ -290,7 +280,7 @@ The permissions:
```
/srv/walnut/var/
└── sites
└── example.com
└── daplie.me
'''
seed@example.com # refers to /srv/walnut/packages/pages/seed@example.com
'''

7
boot/worker.js
View File

@ -149,10 +149,9 @@ module.exports.create = function () {
process.on('unhandledRejection', function (err) {
// this should always throw
// (it means somewhere we're not using bluebird by accident)
console.error('[caught unhandledRejection]:', err.message || '');
Object.keys(err).forEach(function (key) {
console.log('\t'+key+': '+err[key]);
});
console.error('[caught] [unhandledRejection]');
console.error(Object.keys(err));
console.error(err);
console.error(err.stack);
});
process.on('rejectionHandled', function (msg) {

10
dist/etc/systemd/system/walnut.service vendored
View File

@ -19,15 +19,15 @@ StartLimitBurst=3
# User and group the process will run as
# (www-data is the de facto standard on most systems)
User=MY_USER
Group=MY_GROUP
User=www-data
Group=www-data
# If we need to pass environment variables in the future
; Environment=GOLDILOCKS_PATH=/opt/walnut
# Set a sane working directory, sane flags, and specify how to reload the config file
WorkingDirectory=/opt/walnut
ExecStart=/opt/walnut/bin/node /opt/walnut/core/bin/walnut.js --config=/etc/walnut/walnut.yml
WorkingDirectory=/srv/www
ExecStart=/opt/walnut/bin/node /srv/walnut/core/bin/walnut.js --config=/etc/walnut/walnut.yml
ExecReload=/bin/kill -USR1 $MAINPID
# Limit the number of file descriptors and processes; see `man systemd.exec` for more limit settings.
@ -46,7 +46,7 @@ ProtectSystem=full
# … except TLS/SSL, ACME, and Let's Encrypt certificates
# and /var/log/, because we want a place where logs can go.
# This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/walnut /var/log/walnut /var/walnut /opt/walnut /srv/walnut
ReadWriteDirectories=/etc/walnut /var/log/walnut /var/walnut /opt/walnut /srv/www
# Note: in v231 and above ReadWritePaths has been renamed to ReadWriteDirectories
; ReadWritePaths=/etc/walnut /var/log/walnut

11
dist/etc/tmpfiles.d/walnut.conf vendored
View File

@ -1,5 +1,12 @@
# /etc/tmpfiles.d/goldilocks.conf
# /etc/tmpfiles.d/walnut.conf
# See https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
# Type Path Mode UID GID Age Argument
d /run/goldilocks 0755 MY_USER MY_GROUP - -
d /etc/walnut 0755 www-data www-data - -
d /etc/ssl/walnut 0750 www-data www-data - -
d /srv/walnut 0775 www-data www-data - -
d /srv/www 0775 www-data www-data - -
d /opt/walnut 0775 www-data www-data - -
d /var/walnut 0775 www-data www-data - -
d /var/log/walnut 0750 www-data www-data - -
#d /run/walnut 0755 www-data www-data - -

0
dist/etc/walnut/walnut.example.yml vendored
View File

300
install-helper.sh Executable file
View File

@ -0,0 +1,300 @@
#!/bin/bash
set -e
set -u
# something or other about android and tmux using PREFIX
#: "${PREFIX:=''}"
MY_ROOT=""
if [ -z "${PREFIX-}" ]; then
MY_ROOT=""
else
MY_ROOT="$PREFIX"
fi
# Not every platform has or needs sudo, gotta save them O(1)s...
sudo_cmd=""
((EUID)) && [[ -z "${ANDROID_ROOT-}" ]] && sudo_cmd="sudo"
###############################
# #
# http_get #
# boilerplate for curl / wget #
# #
###############################
# See https://git.daplie.com/Daplie/daplie-snippets/blob/master/bash/http-get.sh
http_curl_opts="-fsSL"
http_wget_opts="--quiet"
http_bin=""
http_opts=""
http_out=""
detect_http_bin()
{
if type -p curl >/dev/null 2>&1; then
http_bin="curl"
http_opts="$http_curl_opts"
http_out="-o"
#curl -fsSL "$url" -o "$PREFIX/tmp/$pkg"
elif type -p wget >/dev/null 2>&1; then
http_bin="wget"
http_opts="$http_wget_opts"
http_out="-O"
#wget --quiet "$url" -O "$PREFIX/tmp/$pkg"
else
echo "Aborted, could not find curl or wget"
return 7
fi
}
http_get()
{
if [ -e "$1" ]; then
rsync -a "$1" "$2"
elif type -p curl >/dev/null 2>&1; then
$http_bin $http_curl_opts $http_out "$2" "$1"
elif type -p wget >/dev/null 2>&1; then
$http_bin $http_wget_opts $http_out "$2" "$1"
else
echo "Aborted, could not find curl or wget"
return 7
fi
}
dap_dl()
{
http_get "$1" "$2"
}
dap_dl_bash()
{
dap_url=$1
#dap_args=$2
rm -rf /tmp/dap-tmp-runner.sh
$http_bin $http_opts $http_out /tmp/dap-tmp-runner.sh "$dap_url"; bash /tmp/dap-tmp-runner.sh; rm /tmp/dap-tmp-runner.sh
}
detect_http_bin
## END HTTP_GET ##
mvdir_backward_compat()
{
old_dir=$1
new_dir=$2
# The symlink has already been set up, so no need to do anything.
if [ -L $old_dir ] && [ $(readlink $old_dir) == "$new_dir" ]; then
return 0
fi
if [ -d $old_dir ]; then
if [ $(ls $old_dir | wc -l) -gt 0 ]; then
mv ${old_dir}/* ${new_dir}/
fi
rm -r ${old_dir}
#rmdir ${old_dir}
fi
ln -snf $new_dir $old_dir
}
###################
# #
# Install service #
# #
###################
install_for_systemd()
{
echo ""
echo "Installing as systemd service"
echo ""
mkdir -p $(dirname "$my_app_dir/$my_app_systemd_service")
dap_dl "$installer_base/$my_app_systemd_service" "$my_app_dir/$my_app_systemd_service"
$sudo_cmd mv "$my_app_dir/$my_app_systemd_service" "$MY_ROOT/$my_app_systemd_service"
$sudo_cmd chown -R root:root "$MY_ROOT/$my_app_systemd_service"
$sudo_cmd chmod 644 "$MY_ROOT/$my_app_systemd_service"
mkdir -p $(dirname "$my_app_dir/$my_app_systemd_tmpfiles")
dap_dl "$installer_base/$my_app_systemd_tmpfiles" "$my_app_dir/$my_app_systemd_tmpfiles"
$sudo_cmd mv "$my_app_dir/$my_app_systemd_tmpfiles" "$MY_ROOT/$my_app_systemd_tmpfiles"
$sudo_cmd chown -R root:root "$MY_ROOT/$my_app_systemd_tmpfiles"
$sudo_cmd chmod 644 "$MY_ROOT/$my_app_systemd_tmpfiles"
$sudo_cmd systemctl stop "${my_app_name}.service" >/dev/null 2>/dev/null
$sudo_cmd systemctl daemon-reload
$sudo_cmd systemctl start "${my_app_name}.service"
$sudo_cmd systemctl enable "${my_app_name}.service"
echo "$my_app_name started with systemctl, check its status like so"
echo " $sudo_cmd systemctl status $my_app_name"
echo " $sudo_cmd journalctl -xe -u $my_app_name"
}
install_for_launchd()
{
echo ""
echo "Installing as launchd service"
echo ""
# See http://www.launchd.info/
mkdir -p $(dirname "$my_app_dir/$my_app_launchd_service")
dap_dl "$installer_base/$my_app_launchd_service" "$my_app_dir/$my_app_launchd_service"
$sudo_cmd mv "$my_app_dir/$my_app_launchd_service" "$MY_ROOT/$my_app_launchd_service"
$sudo_cmd chown root:wheel "$MY_ROOT/$my_app_launchd_service"
$sudo_cmd chmod 0644 "$MY_ROOT/$my_app_launchd_service"
$sudo_cmd launchctl unload -w "$MY_ROOT/$my_app_launchd_service" >/dev/null 2>/dev/null
$sudo_cmd launchctl load -w "$MY_ROOT/$my_app_launchd_service"
echo "$my_app_name started with launchd"
}
install_etc_config()
{
#echo "install etc config $MY_ROOT / $my_app_etc_config"
if [ ! -e "$MY_ROOT/$my_app_etc_config" ]; then
$sudo_cmd mkdir -p $(dirname "$MY_ROOT/$my_app_etc_config")
mkdir -p $(dirname "$my_app_dir/$my_app_etc_config")
dap_dl "$installer_base/$my_app_etc_config" "$my_app_dir/$my_app_etc_config"
$sudo_cmd mv "$my_app_dir/$my_app_etc_config" "$MY_ROOT/$my_app_etc_config"
fi
$sudo_cmd chown -R www-data:www-data $(dirname "$MY_ROOT/$my_app_etc_config") || true
$sudo_cmd chown -R _www:_www $(dirname "$MY_ROOT/$my_app_etc_config") || true
$sudo_cmd chmod 775 $(dirname "$MY_ROOT/$my_app_etc_config")
$sudo_cmd chmod 664 "$MY_ROOT/$my_app_etc_config"
}
install_service()
{
install_etc_config
#echo "install service"
installable=""
if [ -d "$MY_ROOT/etc/systemd/system" ]; then
install_for_systemd
installable="true"
fi
if [ -d "/Library/LaunchDaemons" ]; then
install_for_launchd
installable="true"
fi
if [ -z "$installable" ]; then
echo ""
echo "Unknown system service init type. You must install as a system service manually."
echo '(please file a bug with the output of "uname -a")'
echo ""
fi
echo ""
}
## END SERVICE_INSTALL ##
# Create dirs, set perms
create_skeleton()
{
$sudo_cmd mkdir -p /srv/www
$sudo_cmd mkdir -p /var/log/$my_app_name
$sudo_cmd mkdir -p /etc/$my_app_name
$sudo_cmd mkdir -p /var/$my_app_name
$sudo_cmd mkdir -p /srv/$my_app_name
$sudo_cmd mkdir -p /opt/$my_app_name
}
# Unistall
install_uninstaller()
{
#echo "install uninstaller"
dap_dl "https://git.daplie.com/Daplie/walnut.js/raw/master/uninstall.sh" "./walnut-uninstall"
$sudo_cmd chmod 755 "./walnut-uninstall"
$sudo_cmd chown root:root "./walnut-uninstall"
$sudo_cmd mv "./walnut-uninstall" "/usr/local/bin/uninstall-walnut"
}
# Dependencies
export NODE_PATH=/opt/walnut/lib/node_modules
export NPM_CONFIG_PREFIX=/opt/walnut
$sudo_cmd mkdir -p $NODE_PATH
$sudo_cmd chown -R $(whoami) /opt/walnut
dap_dl_bash "https://git.daplie.com/coolaj86/node-install-script/raw/master/setup-min.sh"
# Install
# npm install -g 'git+https://git@git.daplie.com/Daplie/walnut.js.git#v1'
my_app_name=walnut
my_app_pkg_name=com.daplie.walnut.web
my_app_dir=$(mktemp -d)
#installer_base="https://git.daplie.com/Daplie/walnut.js/raw/master/dist"
#installer_base="$( dirname "${BASH_SOURCE[0]}" )/dist"
installer_base="/srv/walnut/core/dist"
my_app_etc_config="etc/${my_app_name}/${my_app_name}.yml"
my_app_systemd_service="etc/systemd/system/${my_app_name}.service"
my_app_systemd_tmpfiles="etc/tmpfiles.d/${my_app_name}.conf"
my_app_launchd_service="Library/LaunchDaemons/${my_app_pkg_name}.plist"
# Install
install_my_app()
{
# This function shouldn't need to use $sudo_cmd because it is called immediately after
# /srv/walnut is chown-ed and we only mess with things in that directory.
#git clone git@git.daplie.com:Daplie/walnut.js.git
#git clone https://git.daplie.com/Daplie/walnut.js.git /srv/walnut/core
mkdir -p /srv/walnut/{core,lib,var,etc,config,node_modules}
rm -rf /srv/walnut/core/node_modules
ln -sf ../node_modules /srv/walnut/core/node_modules
mkdir -p /srv/walnut/var/sites
mkdir -p /srv/walnut/etc/org.oauth3.consumer
mkdir -p /srv/walnut/etc/org.oauth3.provider
mkdir -p /srv/walnut/etc/client-api-grants
mkdir -p /srv/walnut/packages/{rest,api,pages,services}
# backwards compat
mvdir_backward_compat /srv/walnut/packages/client-api-grants /srv/walnut/etc/client-api-grants
mvdir_backward_compat /srv/walnut/packages/sites /srv/walnut/var/sites
if [ ! -d "/srv/walnut/core/lib/walnut@daplie.com/setup" ]; then
git clone https://git.daplie.com/Daplie/walnut_launchpad.git /srv/walnut/core/lib/walnut@daplie.com/setup
fi
pushd /srv/walnut/core/lib/walnut@daplie.com/setup
if [ ! -d "./.git/" ]; then
echo "'/srv/walnut/core/lib/walnut@daplie.com/setup' exists but is not a git repository... not sure what to do here..."
fi
git checkout master
git pull
popd
pushd /srv/walnut/core
export NODE_PATH=/opt/walnut/lib/node_modules
export NPM_CONFIG_PREFIX=/opt/walnut
/opt/walnut/bin/npm install
popd
}
$sudo_cmd mkdir -p /srv/walnut
$sudo_cmd chown -R $(whoami) /srv/walnut
install_my_app
create_skeleton
install_uninstaller
install_service
$sudo_cmd chown -R www-data:www-data /opt/walnut || true
$sudo_cmd chown -R _www:_www /opt/walnut || true
$sudo_cmd chown -R www-data:www-data /srv/walnut || true
$sudo_cmd chown -R _www:_www /srv/walnut || true
$sudo_cmd chmod -R ug+rwX /srv/walnut
$sudo_cmd chmod -R ug+rwX /opt/walnut
# +s sets the setuid/setgid bit, which when set on directories makes it so anything
# created inside the directory maintains the same user/group (depending on the bits
# set). Any directory created within a directory with those bits set will also have
# those bits set. When setuid or setgid bits are set on a file however it means that
# if the file is executed it will run with the permissions of the user/group no matter
# who actually runs it (see the ping executable for example).
# I'm not sure that all systems actually support the use of these bits.
find /srv/walnut -type d -exec $sudo_cmd chmod ug+s {} \; || true
find /opt/walnut -type d -exec $sudo_cmd chmod ug+s {} \; || true

121
install.sh Normal file
View File

@ -0,0 +1,121 @@
#!/bin/bash
# Not every platform has or needs sudo, gotta save them O(1)s...
sudo_cmd=""
((EUID)) && [[ -z "$ANDROID_ROOT" ]] && sudo_cmd="sudo"
set -e
set -u
###############################
# #
# boilerplate for curl / wget #
# #
###############################
http_get=""
http_opts=""
http_out=""
detect_http_get()
{
if type -p curl >/dev/null 2>&1; then
http_get="curl"
http_opts="-fsSL"
http_out="-o"
#curl -fsSL "$caddy_url" -o "$PREFIX/tmp/$caddy_pkg"
elif type -p wget >/dev/null 2>&1; then
http_get="wget"
http_opts="--quiet"
http_out="-O"
#wget --quiet "$caddy_url" -O "$PREFIX/tmp/$caddy_pkg"
else
echo "Aborted, could not find curl or wget"
return 7
fi
}
dap_dl()
{
$http_get $http_opts $http_out "$2" "$1"
}
dap_dl_bash()
{
dap_url=$1
#dap_args=$2
rm -rf dap-tmp-runner.sh
$http_get $http_opts $http_out dap-tmp-runner.sh "$dap_url"; bash dap-tmp-runner.sh; rm dap-tmp-runner.sh
}
detect_http_get
###############################
# #
# actual script continues... #
# #
###############################
install_walnut()
{
$sudo_cmd mkdir -p /srv/walnut/{var,etc,packages,node_modules}
# www-data exists on linux, _www exists on mac OS
$sudo_cmd chown -R $(whoami):www-data /srv/walnut || $sudo_cmd chown -R $(whoami):_www /srv/walnut
if [ ! -d "/srv/walnut/core/" ]; then
git clone https://git.daplie.com/Daplie/walnut.js.git /srv/walnut/core
fi
pushd /srv/walnut/core
if [ ! -d "./.git/" ]; then
echo "'/srv/walnut/core' exists but is not a git repository... not sure what to do here..."
fi
git checkout master
git pull
popd
rm -rf /srv/walnut/core/node_modules
ln -sf ../node_modules /srv/walnut/core/node_modules
/srv/walnut/core/install-helper.sh /srv/walnut
# Now that the install is finished we need to set the owner to the user that will actually
# be running the walnut server.
$sudo_cmd chown -R www-data:www-data /srv/walnut || $sudo_cmd chown -R _www:_www /srv/walnut
}
# Install node
echo "----Installing Nodejs and NPM----"
echo "v8.2.1" > /tmp/NODEJS_VER
daplie-install-node-dev
npm install -g npm@4
# Install goldilocks
echo "----Installing goldilocks.js----"
daplie-install-goldilocks
echo "----Installing walnut.js----"
#$sudo_cmd mkdir -p /opt/goldilocks/{lib,bin,etc}
#export NODE_PATH=/opt/walnut/lib/node_modules
#export NPM_CONFIG_PREFIX=/opt/walnut
old_PATH=$PATH
export PATH=/opt/walnut/bin:$PATH
# Install walnut
install_walnut
# Install bower, some systems may be missing it, and it is a dependency
/opt/walnut/bin/npm install -g bower
touch /.bowerrc
echo '{ "allow_root": true }' > /.bowerrc
# Restore PATH to original value
export PATH=$old_PATH
echo ""
echo "You must have some set of domain set up to properly use goldilocks+walnut:"
echo ""
echo " example.com"
echo " www.example.com"
echo " api.example.com"
echo " assets.example.com"
echo " cloud.example.com"
echo " api.cloud.example.com"
echo ""
echo "Check the WALNUT README.md for more info and how to set up /etc/goldilocks/goldilocks.yml"
echo ""

20
installer/get.sh
View File

@ -1,20 +0,0 @@
set -e
set -u
my_name=walnut
# TODO provide an option to supply my_ver and my_tmp
my_ver=master
my_tmp=$(mktemp -d)
mkdir -p $my_tmp/opt/$my_name/lib/node_modules/$my_name
git clone https://git.coolaj86.com/coolaj86/walnut.js.git $my_tmp/opt/$my_name/core
echo "Installing to $my_tmp (will be moved after install)"
pushd $my_tmp/opt/$my_name/core
git checkout $my_ver
source ./installer/install.sh
popd
echo "Installation successful, now cleaning up $my_tmp ..."
rm -rf $my_tmp
echo "Done"

48
installer/http-get.sh
View File

@ -1,48 +0,0 @@
###############################
# #
# http_get #
# boilerplate for curl / wget #
# #
###############################
# See https://git.coolaj86.com/coolaj86/snippets/blob/master/bash/http-get.sh
_h_http_get=""
_h_http_opts=""
_h_http_out=""
detect_http_get()
{
set +e
if type -p curl >/dev/null 2>&1; then
_h_http_get="curl"
_h_http_opts="-fsSL"
_h_http_out="-o"
elif type -p wget >/dev/null 2>&1; then
_h_http_get="wget"
_h_http_opts="--quiet"
_h_http_out="-O"
else
echo "Aborted, could not find curl or wget"
return 7
fi
set -e
}
http_get()
{
$_h_http_get $_h_http_opts $_h_http_out "$2" "$1"
touch "$2"
}
http_bash()
{
_http_url=$1
#dap_args=$2
rm -rf dap-tmp-runner.sh
$_h_http_get $_h_http_opts $_h_http_out dap-tmp-runner.sh "$_http_url"; bash dap-tmp-runner.sh; rm dap-tmp-runner.sh
}
detect_http_get
## END HTTP_GET ##

17
installer/install-for-launchd.sh
View File

@ -1,17 +0,0 @@
set -u
my_app_launchd_service="Library/LaunchDaemons/${my_app_pkg_name}.plist"
echo ""
echo "Installing as launchd service"
echo ""
# See http://www.launchd.info/
safe_copy_config "$my_app_dist/$my_app_launchd_service" "$my_root/$my_app_launchd_service"
$sudo_cmd chown root:wheel "$my_root/$my_app_launchd_service"
$sudo_cmd launchctl unload -w "$my_root/$my_app_launchd_service" >/dev/null 2>/dev/null
$sudo_cmd launchctl load -w "$my_root/$my_app_launchd_service"
echo "$my_app_name started with launchd"

35
installer/install-for-systemd.sh
View File

@ -1,35 +0,0 @@
set -u
my_app_systemd_service="etc/systemd/system/${my_app_name}.service"
my_app_systemd_tmpfiles="etc/tmpfiles.d/${my_app_name}.conf"
echo ""
echo "Installing as systemd service"
echo ""
sed "s/MY_USER/$my_user/g" "$my_app_dist/$my_app_systemd_service" > "$my_app_dist/$my_app_systemd_service.2"
sed "s/MY_GROUP/$my_group/g" "$my_app_dist/$my_app_systemd_service.2" > "$my_app_dist/$my_app_systemd_service"
rm "$my_app_dist/$my_app_systemd_service.2"
safe_copy_config "$my_app_dist/$my_app_systemd_service" "$my_root/$my_app_systemd_service"
sed "s/MY_USER/$my_user/g" "$my_app_dist/$my_app_systemd_tmpfiles" > "$my_app_dist/$my_app_systemd_tmpfiles.2"
sed "s/MY_GROUP/$my_group/g" "$my_app_dist/$my_app_systemd_tmpfiles.2" > "$my_app_dist/$my_app_systemd_tmpfiles"
rm "$my_app_dist/$my_app_systemd_tmpfiles.2"
safe_copy_config "$my_app_dist/$my_app_systemd_tmpfiles" "$my_root/$my_app_systemd_tmpfiles"
$sudo_cmd systemctl stop "${my_app_name}.service" >/dev/null 2>/dev/null || true
$sudo_cmd systemctl daemon-reload
$sudo_cmd systemctl start "${my_app_name}.service"
$sudo_cmd systemctl enable "${my_app_name}.service"
echo ""
echo ""
echo "Fun systemd commands to remember:"
echo " $sudo_cmd systemctl daemon-reload"
echo " $sudo_cmd systemctl restart $my_app_name.service"
echo ""
echo "$my_app_name started with systemctl, check its status like so:"
echo " $sudo_cmd systemctl status $my_app_name"
echo " $sudo_cmd journalctl -xefu $my_app_name"
echo ""
echo ""

37
installer/install-system-service.sh
View File

@ -1,37 +0,0 @@
safe_copy_config()
{
src=$1
dst=$2
$sudo_cmd mkdir -p $(dirname "$dst")
if [ -f "$dst" ]; then
$sudo_cmd rsync -a "$src" "$dst.latest"
# TODO edit config file with $my_user and $my_group
if [ "$(cat $dst)" == "$(cat $dst.latest)" ]; then
$sudo_cmd rm $dst.latest
else
echo "MANUAL INTERVENTION REQUIRED: check the systemd script update and manually decide what you want to do"
echo "diff $dst $dst.latest"
$sudo_cmd chown -R root:root "$dst.latest"
fi
else
$sudo_cmd rsync -a --ignore-existing "$src" "$dst"
fi
$sudo_cmd chown -R root:root "$dst"
$sudo_cmd chmod 644 "$dst"
}
installable=""
if [ -d "$my_root/etc/systemd/system" ]; then
source ./installer/install-for-systemd.sh
installable="true"
fi
if [ -d "/Library/LaunchDaemons" ]; then
source ./installer/install-for-launchd.sh
installable="true"
fi
if [ -z "$installable" ]; then
echo ""
echo "Unknown system service init type. You must install as a system service manually."
echo '(please file a bug with the output of "uname -a")'
echo ""
fi

195
installer/install.sh
View File

@ -1,195 +0,0 @@
#!/bin/bash
set -e
set -u
### IMPORTANT ###
### VERSION ###
my_name=walnut
my_app_pkg_name=org.oauth3.walnut.web
my_app_ver="v1.2"
my_azp_oauth3_ver="v1.2"
# is the old version still needed in launchpad?
#my_azp_oauth3_ver="v1.1.3"
export NODE_VERSION="v8.9.0"
if [ -z "${my_tmp-}" ]; then
my_tmp="$(mktemp -d)"
mkdir -p $my_tmp/opt/$my_name/core
echo "Installing to $my_tmp (will be moved after install)"
git clone ./ $my_tmp/opt/$my_name/core
pushd $my_tmp/opt/$my_name/core
fi
#################
### IMPORTANT ###
### VERSION ###
#my_app_ver="v1.1"
my_app_ver="v1.2"
my_launchpad_ver="v1.2"
my_iss_oauth3_rest_ver="v1.2.0"
my_iss_oauth3_pages_ver="v1.2.1"
my_www_ppl_ver=v1.0.15
export NODE_VERSION="v8.9.0"
#################
export NODE_PATH=$my_tmp/opt/$my_name/lib/node_modules
export PATH=$my_tmp/opt/$my_name/bin/:$PATH
export NPM_CONFIG_PREFIX=$my_tmp/opt/$my_name
my_npm="$NPM_CONFIG_PREFIX/bin/npm"
#################
# TODO un-hardcode core at al
#my_app_dist=$my_tmp/opt/$my_name/lib/node_modules/$my_name/dist
my_app_dist=$my_tmp/opt/$my_name/core/dist
installer_base="https://git.coolaj86.com/coolaj86/goldilocks.js/raw/$my_app_ver"
# Backwards compat
# some scripts still use the old names
my_app_dir=$my_tmp
my_app_name=$my_name
git checkout $my_app_ver
mkdir -p $my_tmp/{etc,opt,srv,var}/$my_name
mkdir -p "$my_tmp/var/log/$my_name"
mkdir -p "$my_tmp/opt/$my_name"/{bin,config,core,etc,lib,node_modules,var}
ln -s ../core/bin/$my_name.js $my_tmp/opt/$my_name/bin/$my_name
ln -s ../core/bin/$my_name.js $my_tmp/opt/$my_name/bin/$my_name.js
#ln -s ../lib/node_modules/$my_name/bin/$my_name.js $my_tmp/opt/$my_name/bin/$my_name
#ln -s ../lib/node_modules/$my_name/bin/$my_name.js $my_tmp/opt/$my_name/bin/$my_name.js
mkdir -p "$my_tmp/opt/$my_name"/packages/{api,pages,rest,services}
mkdir -p "$my_tmp/opt/$my_name"/etc/client-api-grants
# TODO move packages and sites to /srv, grants to /etc
ln -s ../etc/client-api-grants "$my_tmp/opt/$my_name"/packages/client-api-grants
mkdir -p "$my_tmp/opt/$my_name"/var/sites
ln -s ../var/sites "$my_tmp/opt/$my_name"/packages/sites
mkdir -p "$my_tmp/etc/$my_name"
chmod 775 "$my_tmp/etc/$my_name"
cat "$my_app_dist/etc/$my_name/$my_name.example.yml" > "$my_tmp/etc/$my_name/$my_name.example.yml"
chmod 664 "$my_tmp/etc/$my_name/$my_name.example.yml"
mkdir -p $my_tmp/var/log/$my_name
#
# Helpers
#
source ./installer/sudo-cmd.sh
source ./installer/http-get.sh
#
# Dependencies
#
echo $NODE_VERSION > /tmp/NODEJS_VER
# This will read the NODE_* and PATH variables set previously, as well as /tmp/NODEJS_VER
http_bash "https://git.coolaj86.com/coolaj86/node-installer.sh/raw/v1.1/install.sh"
$my_npm install -g npm@4
$my_npm install -g bower
touch $my_tmp/opt/$my_name/.bowerrc
echo '{ "allow_root": true }' > $my_tmp/opt/$my_name/.bowerrc
#pushd $my_tmp/opt/$my_name/lib/node_modules/$my_name
pushd $my_tmp/opt/$my_name/core
mkdir -p ../node_modules
ln -s ../node_modules node_modules
$my_npm install
popd
git clone https://git.coolaj86.com/coolaj86/walnut_launchpad.html.git $my_tmp/opt/$my_name/core/lib/walnut@oauth3.org/setup
pushd $my_tmp/opt/$my_name/core/lib/walnut@oauth3.org/setup
git pull
git checkout $my_launchpad_ver
git clone https://git.oauth3.org/OAuth3/oauth3.js.git ./assets/oauth3.org
pushd assets/oauth3.org
git checkout $my_azp_oauth3_ver
popd
popd
pushd $my_tmp/opt/$my_name/packages
git clone https://git.oauth3.org/OAuth3/issuer.rest.walnut.js.git rest/issuer@oauth3.org
pushd rest/issuer@oauth3.org/
git checkout $my_iss_oauth3_rest_ver
$my_npm install
popd
git clone https://git.oauth3.org/OAuth3/issuer.html.git pages/issuer@oauth3.org
pushd pages/issuer@oauth3.org
git checkout $my_iss_oauth3_pages_ver
bash ./install.sh
pushd ./assets/oauth3.org
git checkout $my_azp_oauth3_ver
popd
popd
git clone https://git.coolaj86.com/coolaj86/walnut_rest_www_oauth3.org.js.git rest/www@oauth3.org
pushd rest/www@oauth3.org
git checkout $my_www_ppl_ver
$my_npm install
popd
popd
#
# System Service
#
source ./installer/my-root.sh
echo "Pre-installation to $my_tmp complete, now installing to $my_root/ ..."
set +e
if type -p tree >/dev/null 2>/dev/null; then
#tree -I "node_modules|include|share" $my_tmp
tree -L 6 -I "include|share|npm" $my_tmp
else
ls $my_tmp
fi
set -e
source ./installer/my-user-my-group.sh
echo "User $my_user Group $my_group"
$sudo_cmd chown -R $my_user:$my_group $my_tmp
$sudo_cmd chown root:root $my_tmp/*
$sudo_cmd chown root:root $my_tmp
$sudo_cmd chmod 0755 $my_tmp
$sudo_cmd rsync -a --ignore-existing $my_tmp/ $my_root/
$sudo_cmd rsync -a --ignore-existing $my_app_dist/etc/$my_name/$my_name.yml $my_root/etc/$my_name/$my_name.yml
source ./installer/install-system-service.sh
# Change to admin perms
$sudo_cmd chown -R $my_user:$my_group $my_root/opt/$my_name
$sudo_cmd chown -R $my_user:$my_group $my_root/var/www $my_root/srv/www
# make sure the files are all read/write for the owner and group, and then set
# the setuid and setgid bits so that any files/directories created inside these
# directories have the same owner and group.
$sudo_cmd chmod -R ug+rwX $my_root/opt/$my_name
find $my_root/opt/$my_name -type d -exec $sudo_cmd chmod ug+s {} \;
echo ""
echo "You must have some set of domain set up to properly use goldilocks+walnut:"
echo ""
echo " example.com"
echo " www.example.com"
echo " api.example.com"
echo " assets.example.com"
echo " cloud.example.com"
echo " api.cloud.example.com"
echo ""
echo "Check the WALNUT README.md for more info and how to set up /etc/goldilocks/goldilocks.yml"
echo ""
echo "Unistall: rm -rf /srv/walnut/ /var/walnut/ /etc/walnut/ /opt/walnut/ /var/log/walnut/ /etc/systemd/system/walnut.service /etc/tmpfiles.d/walnut.conf"
rm -rf $my_tmp

8
installer/my-root.sh
View File

@ -1,8 +0,0 @@
# something or other about android and tmux using PREFIX
#: "${PREFIX:=''}"
my_root=""
if [ -z "${PREFIX-}" ]; then
my_root=""
else
my_root="$PREFIX"
fi

19
installer/my-user-my-group.sh
View File

@ -1,19 +0,0 @@
if type -p adduser >/dev/null 2>/dev/null; then
if [ -z "$(cat $my_root/etc/passwd | grep $my_app_name)" ]; then
$sudo_cmd adduser --home $my_root/opt/$my_app_name --gecos '' --disabled-password $my_app_name
fi
my_user=$my_app_name
my_group=$my_app_name
elif [ -n "$(cat /etc/passwd | grep www-data:)" ]; then
# Linux (Ubuntu)
my_user=www-data
my_group=www-data
elif [ -n "$(cat /etc/passwd | grep _www:)" ]; then
# Mac
my_user=_www
my_group=_www
else
# Unsure
my_user=$(whoami)
my_group=$(id -g -n)
fi

7
installer/sudo-cmd.sh
View File

@ -1,7 +0,0 @@
# Not every platform has or needs sudo, gotta save them O(1)s...
sudo_cmd=""
set +e
if type -p sudo >/dev/null 2>/dev/null; then
((EUID)) && [[ -z "${ANDROID_ROOT-}" ]] && sudo_cmd="sudo"
fi
set -e

497
lib/apis.js
View File

@ -8,7 +8,7 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
var express = require('express-lazy');
var fs = PromiseA.promisifyAll(require('fs'));
var path = require('path');
var localCache = { rests: {}, pkgs: {}, assets: {} };
var localCache = { rests: {}, pkgs: {} };
var promisableRequest = require('./common').promisableRequest;
var rejectableRequest = require('./common').rejectableRequest;
var crypto = require('crypto');
@ -32,7 +32,7 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
}
*/
function isThisClientAllowedToUseThisPkg(req, myConf, clientUrih, pkgId) {
function isThisClientAllowedToUseThisPkg(myConf, clientUrih, pkgId) {
var appApiGrantsPath = path.join(myConf.appApiGrantsPath, clientUrih);
return fs.readFileAsync(appApiGrantsPath, 'utf8').then(function (text) {
@ -51,23 +51,12 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
return true;
}
console.log('#################################################');
console.log('assets.' + xconfx.setupDomain);
console.log('assets.' + clientUrih);
console.log(req.clientAssetsUri);
console.log(pkgId);
if (req.clientAssetsUri === ('assets.' + clientUrih) && -1 !== [ 'session', 'session@oauth3.org', 'azp@oauth3.org', 'issuer@oauth3.org' ].indexOf(pkgId)) {
if (clientUrih === ('api.' + xconfx.setupDomain) && 'org.oauth3.consumer' === pkgId) {
// fallthrough
return true;
}
if (clientUrih === ('api.' + xconfx.setupDomain) && -1 !== ['org.oauth3.consumer', 'azp@oauth3.org', 'oauth3.org'].indexOf(pkgId)) {
// fallthrough
return true;
}
} else {
return null;
}
});
}
@ -161,7 +150,7 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
function accountRequired(req, res, next) {
// if this already has auth, great
if (req.oauth3.ppid && req.oauth3.accountIdx) {
if (req.oauth3.ppid) {
next();
return;
}
@ -222,66 +211,34 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
rejectableRequest(req, res, promise, "[walnut@daplie.com] required account (not /public)");
}
function grantsRequired(grants) {
if (!Array.isArray(grants)) {
throw new Error("Usage: app.grantsRequired([ 'name|altname|altname2', 'othergrant' ])");
}
if (!grants.length) {
return function (req, res, next) {
next();
};
}
return function (req, res, next) {
var tokenScopes;
if (!(req.oauth3 || req.oauth3.token)) {
// TODO some error generator for standard messages
res.send({ error: { message: "You must be logged in", code: "E_NO_AUTHN" } });
return;
}
var scope = req.oauth3.token.scope || req.oauth3.token.scp || req.oauth3.token.grants;
if ('string' !== typeof scope) {
res.send({ error: { message: "Token must contain a grants string in 'scope'", code: "E_NO_GRANTS" } });
return;
}
tokenScopes = scope.split(/[,\s]+/mg);
if (-1 !== tokenScopes.indexOf('*')) {
// has full account access
next();
return;
}
// every grant in the array must be present, though some grants can be satisfied
// by multiple scopes.
var missing = grants.filter(function (grant) {
return !grant.split('|').some(function (scp) {
return tokenScopes.indexOf(scp) !== -1;
});
});
if (missing.length) {
res.send({ error: { message: "Token missing required grants: '" + missing.join(',') + "'", code: "E_NO_GRANTS" } });
return;
}
next();
};
}
function loadRestHelperApi(myConf, clientUrih, pkg, pkgId, pkgPath) {
function loadRestHelper(myConf, clientUrih, pkgId) {
var pkgPath = path.join(myConf.restPath, pkgId);
var pkgLinks = [];
pkgLinks.push(pkgId);
var pkgRestApi;
// TODO allow recursion, but catch cycles
return fs.lstatAsync(pkgPath).then(function (stat) {
if (!stat.isFile()) {
return;
}
return fs.readFileAsync(pkgPath, 'utf8').then(function (text) {
pkgId = text.trim();
pkgPath = path.join(myConf.restPath, pkgId);
});
}, function () {
// ignore error
return;
}).then(function () {
// TODO should not require package.json. Should work with files alone.
return fs.readFileAsync(path.join(pkgPath, 'package.json'), 'utf8').then(function (text) {
var pkg = JSON.parse(text);
var pkgDeps = {};
var myApp;
var pkgPathApi;
pkgPathApi = pkgPath;
if (pkg.walnut) {
pkgPathApi = path.join(pkgPath, pkg.walnut);
pkgPath = path.join(pkgPath, pkg.walnut);
}
pkgRestApi = require(pkgPathApi);
Object.keys(apiDeps).forEach(function (key) {
pkgDeps[key] = apiDeps[key];
@ -300,32 +257,63 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
// let's go with this one for now and the api can choose to scope or not to scope
pkgDeps.memstore = apiFactories.memstoreFactory.create(pkgId);
console.log('DEBUG pkgPath', pkgPath);
myApp = express();
myApp.handlePromise = promisableRequest;
myApp.handleRejection = rejectableRequest;
myApp.grantsRequired = grantsRequired;
function getSitePackageStoreProp(otherPkgId) {
var restPath = path.join(myConf.restPath, otherPkgId);
var apiPath = path.join(myConf.apiPath, otherPkgId);
var dir;
// TODO usage package.json as a falback if the standard location is not used
try {
dir = require(path.join(apiPath, 'models.js'));
} catch(e) {
dir = require(path.join(restPath, 'models.js'));
myApp.grantsRequired = function (grants) {
if (!Array.isArray(grants)) {
throw new Error("Usage: app.grantsRequired([ 'name|altname|altname2', 'othergrant' ])");
}
return getSiteStore(clientUrih, otherPkgId, dir);
if (!grants.length) {
return function (req, res, next) {
next();
};
}
function attachOauth3(req, res, next) {
return getSitePackageStoreProp('issuer@oauth3.org').then(function (Models) {
return require('./oauth3').attachOauth3(Models, req, res, next);
return function (req, res, next) {
var tokenScopes;
if (!(req.oauth3 || req.oauth3.token)) {
// TODO some error generator for standard messages
res.send({ error: { message: "You must be logged in", code: "E_NO_AUTHN" } });
return;
}
if ('string' !== typeof req.oauth3.token.scp) {
res.send({ error: { message: "Token must contain a grants string in 'scp'", code: "E_NO_GRANTS" } });
return;
}
tokenScopes = req.oauth3.token.scp.split(/[,\s]+/mg);
if (-1 !== tokenScopes.indexOf('*')) {
// has full account access
next();
return;
}
// every grant in the array must be present
if (!grants.every(function (grant) {
var scopes = grant.split(/\|/g);
return scopes.some(function (scp) {
return tokenScopes.some(function (s) {
return scp === s;
});
});
})) {
res.send({ error: { message: "Token does not contain valid grants: '" + grants + "'", code: "E_NO_GRANTS" } });
return;
}
myApp.use('/', attachOauth3);
next();
};
};
var _getOauth3Controllers = pkgDeps.getOauth3Controllers = require('oauthcommon/example-oauthmodels').create(
{ sqlite3Sock: xconfx.sqlite3Sock, ipcKey: xconfx.ipcKey }
).getControllers;
//require('oauthcommon').inject(packagedApi._getOauth3Controllers, packagedApi._api, pkgConf, pkgDeps);
require('oauthcommon').inject(_getOauth3Controllers, myApp/*, pkgConf, pkgDeps*/);
// TODO delete these caches when config changes
var _stripe;
@ -335,12 +323,8 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
var _twilio;
var _get_response;
myApp.use('/', function preHandler(req, res, next) {
//if (xconfx.debug) { console.log('[api.js] loading handler prereqs'); }
return getSiteConfig(clientUrih).then(function (siteConfig) {
//if (xconfx.debug) { console.log('[api.js] loaded handler site config'); }
// Use getSiteCapability('email@daplie.com') instead
Object.defineProperty(req, 'getSiteMailer' /*deprecated*/, {
Object.defineProperty(req, 'getSiteMailer', {
enumerable: true
, configurable: false
, writable: false
@ -377,13 +361,6 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
}
});
Object.defineProperty(req, 'getSitePackageStore', {
enumerable: true
, configurable: false
, writable: false
, value: getSitePackageStoreProp
});
Object.defineProperty(req, 'getSiteStore', {
enumerable: true
, configurable: false
@ -525,6 +502,7 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
// (realized later)
// HAHA HAHA HAHAHAHAHA this is my own gist... so much more polite attribution
var scmp = require('scmp')
, crypto = require('crypto')
, mailgunExpirey = 15 * 60 * 1000
, mailgunHashType = 'sha256'
, mailgunSignatureEncoding = 'hex'
@ -621,64 +599,11 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
});
}
var settingsPromise = PromiseA.resolve();
function manageSiteSettings(section) {
var submanager;
var manager = {
set: function (section, value) {
if ('email@daplie.com' === section) {
section = 'mailgun.org';
}
settingsPromise = settingsPromise.then(function () {
return manager.get().then(function () {
siteConfig[section] = value;
var siteConfigPath = path.join(xconfx.appConfigPath, clientUrih);
return mkdirpAsync(siteConfigPath).then(function () {
return fs.writeFileAsync(path.join(siteConfigPath, 'config.json'), JSON.stringify(siteConfig), 'utf8');
});
});
});
return settingsPromise;
}
, get: function (section) {
if ('email@daplie.com' === section) {
section = 'mailgun.org';
}
settingsPromise = settingsPromise.then(function () {
return getSiteConfig(clientUrih).then(function (_siteConfig) {
siteConfig = _siteConfig;
return PromiseA.resolve((_siteConfig || {})[section]);
});
});
return settingsPromise;
}
};
submanager = manager;
if (section) {
submanager = {
set: function (value) {
return manager.set(section, value);
}
, get: function () {
return manager.get(section);
}
};
}
return apiDeps.Promise.resolve(submanager);
}
var caps = {
//
// Capabilities for APIs
//
'settings.site@daplie.com': manageSiteSettings
, 'email@daplie.com': mailgunMail // whichever mailer
'email@daplie.com': mailgunMail // whichever mailer
, 'mailer@daplie.com': mailgunMail // whichever mailer
, 'mailgun@daplie.com': mailgunMail // specifically mailgun
, 'tel@daplie.com': daplieTel // whichever telephony service
@ -797,218 +722,21 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
//
// TODO handle /accounts/:accountId
//
return PromiseA.resolve(pkgRestApi.create({
return PromiseA.resolve(require(pkgPath).create({
etcpath: xconfx.etcpath
}/*pkgConf*/, pkgDeps/*pkgDeps*/, myApp/*myApp*/)).then(function (handler) {
//if (xconfx.debug) { console.log('[api.js] got handler'); }
myApp.use('/', function postHandler(req, res, next) {
req.url = req._walnutOriginalUrl;
next();
});
localCache.pkgs[pkgId] = { pkgId: pkgId, pkg: pkg, handler: handler || myApp, createdAt: Date.now() };
pkgLinks.forEach(function (pkgLink) {
localCache.pkgs[pkgLink] = localCache.pkgs[pkgId];
});
return localCache.pkgs[pkgId];
});
}
function loadRestHelperAssets(myConf, clientUrih, pkg, pkgId, pkgPath) {
var myApp;
var pkgDeps = {};
var pkgRestAssets;
try {
pkgRestAssets = require(path.join(pkgPath, 'assets.js'));
} catch(e) {
return PromiseA.reject(e);
}
Object.keys(apiDeps).forEach(function (key) {
pkgDeps[key] = apiDeps[key];
});
Object.keys(apiFactories).forEach(function (key) {
pkgDeps[key] = apiFactories[key];
});
// TODO pull db stuff from package.json somehow and pass allowed data models as deps
//
// how can we tell which of these would be correct?
// deps.memstore = apiFactories.memstoreFactory.create(pkgId);
// deps.memstore = apiFactories.memstoreFactory.create(req.experienceId);
// deps.memstore = apiFactories.memstoreFactory.create(req.experienceId + pkgId);
// let's go with this one for now and the api can choose to scope or not to scope
pkgDeps.memstore = apiFactories.memstoreFactory.create(pkgId);
myApp = express();
myApp.handlePromise = promisableRequest;
myApp.handleRejection = rejectableRequest;
myApp.grantsRequired = grantsRequired;
function otherGetSitePackageStoreProp(otherPkgId) {
var restPath = path.join(myConf.restPath, otherPkgId);
var apiPath = path.join(myConf.apiPath, otherPkgId);
var dir;
// TODO usage package.json as a falback if the standard location is not used
try {
dir = require(path.join(apiPath, 'models.js'));
} catch(e) {
dir = require(path.join(restPath, 'models.js'));
}
return getSiteStore(clientUrih, otherPkgId, dir);
}
myApp.use('/', function cookieAttachOauth3(req, res, next) {
return otherGetSitePackageStoreProp('issuer@oauth3.org').then(function (Models) {
return require('./oauth3').cookieOauth3(Models, req, res, next);
});
});
myApp.use('/', function (req, res, next) {
console.log('########################################### session ###############################');
console.log('req.url', req.url);
console.log('req.oauth3', req.oauth3);
next();
});
function otherAttachOauth3(req, res, next) {
return otherGetSitePackageStoreProp('issuer@oauth3.org').then(function (Models) {
return require('./oauth3').attachOauth3(Models, req, res, next);
});
}
myApp.post('/assets/issuer@oauth3.org/session', otherAttachOauth3, function (req, res) {
console.log('get the session');
console.log(req.url);
console.log("req.cookies:");
console.log(req.cookies);
console.log("req.oauth3:");
console.log(req.oauth3);
res.cookie('jwt', req.oauth3.encodedToken, { domain: req.clientAssetsUri, path: '/assets', httpOnly: true });
//req.url;
res.send({ success: true });
});
// TODO delete these caches when config changes
myApp.use('/', function preHandler(req, res, next) {
//if (xconfx.debug) { console.log('[api.js] loading handler prereqs'); }
return getSiteConfig(clientUrih).then(function (siteConfig) {
//if (xconfx.debug) { console.log('[api.js] loaded handler site config'); }
Object.defineProperty(req, 'getSiteConfig', {
enumerable: true
, configurable: false
, writable: false
, value: function getSiteConfigProp(section) {
return PromiseA.resolve((siteConfig || {})[section]);
}
});
Object.defineProperty(req, 'getSitePackageConfig', {
enumerable: true
, configurable: false
, writable: false
, value: function getSitePackageConfigProp() {
return getSitePackageConfig(clientUrih, pkgId);
}
});
Object.defineProperty(req, 'getSiteStore', {
enumerable: true
, configurable: false
, writable: false
, value: function getSiteStoreProp() {
var restPath = path.join(myConf.restPath, pkgId);
var apiPath = path.join(myConf.apiPath, pkgId);
var dir;
// TODO usage package.json as a falback if the standard location is not used
try {
dir = require(path.join(apiPath, 'models.js'));
} catch(e) {
dir = require(path.join(restPath, 'models.js'));
}
return getSiteStore(clientUrih, pkgId, dir);
}
});
req._walnutOriginalUrl = req.url;
// "/path/api/com.example/hello".replace(/.*\/api\//, '').replace(/([^\/]*\/+)/, '/') => '/hello'
req.url = req.url.replace(/\/(api|assets)\//, '').replace(/.*\/(api|assets)\//, '').replace(/([^\/]*\/+)/, '/');
next();
});
});
myApp.use('/public', function preHandler(req, res, next) {
// TODO authenticate or use guest user
req.isPublic = true;
next();
});
myApp.use('/accounts/:accountId', accountRequiredById);
myApp.use('/acl', accountRequired);
//
// TODO handle /accounts/:accountId
//
function myAppWrapper(req, res, next) {
return myApp(req, res, next);
}
Object.keys(myApp).forEach(function (key) {
myAppWrapper[key] = myApp[key];
});
myAppWrapper.use = function () { myApp.use.apply(myApp, arguments); };
myAppWrapper.get = function () { myApp.get.apply(myApp, arguments); };
myAppWrapper.post = function () { myApp.use(function (req, res, next) { next(); }); /*throw new Error("assets may not handle POST");*/ };
myAppWrapper.put = function () { throw new Error("assets may not handle PUT"); };
myAppWrapper.del = function () { throw new Error("assets may not handle DELETE"); };
myAppWrapper.delete = function () { throw new Error("assets may not handle DELETE"); };
return PromiseA.resolve(pkgRestAssets.create({
etcpath: xconfx.etcpath
}/*pkgConf*/, pkgDeps/*pkgDeps*/, myAppWrapper)).then(function (assetsHandler) {
//if (xconfx.debug) { console.log('[api.js] got handler'); }
myApp.use('/', function postHandler(req, res, next) {
req.url = req._walnutOriginalUrl;
next();
});
return assetsHandler || myApp;
});
}
function loadRestHelper(myConf, clientUrih, pkgId) {
var pkgPath = path.join(myConf.restPath, pkgId);
// TODO allow recursion, but catch cycles
return fs.lstatAsync(pkgPath).then(function (stat) {
if (!stat.isFile()) {
return;
}
return fs.readFileAsync(pkgPath, 'utf8').then(function (text) {
pkgId = text.trim();
pkgPath = path.join(myConf.restPath, pkgId);
});
}, function () {
// ignore error
return;
}).then(function () {
// TODO should not require package.json. Should work with files alone.
return fs.readFileAsync(path.join(pkgPath, 'package.json'), 'utf8').then(function (text) {
var pkg = JSON.parse(text);
return loadRestHelperApi(myConf, clientUrih, pkg, pkgId, pkgPath).then(function (stuff) {
return loadRestHelperAssets(myConf, clientUrih, pkg, pkgId, pkgPath).then(function (assetsHandler) {
stuff.assetsHandler = assetsHandler;
return stuff;
}, function (err) {
console.error('[lib/api.js] no assets handler:');
console.error(err);
return stuff;
});
});
});
});
}
@ -1049,45 +777,31 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
return function (req, res, next) {
cors(req, res, function () {
//if (xconfx.debug) { console.log('[api.js] after cors'); }
if (xconfx.debug) { console.log('[api.js] post cors'); }
// Canonical client names
// example.com should use api.example.com/api for all requests
// sub.example.com/api should resolve to sub.example.com
// example.com/subapp/api should resolve to example.com#subapp
// sub.example.com/subapp/api should resolve to sub.example.com#subapp
var appUri = req.hostname.replace(/^(api|assets)\./, '') + req.url.replace(/\/(api|assets)\/.*/, '/').replace(/\/$/, '');
var clientUrih = appUri.replace(/\/+/g, '#').replace(/#$/, '');
var clientApiUri = req.hostname.replace(/^(api|assets)\./, 'api.') + req.url.replace(/\/(api|assets)\/.*/, '/').replace(/\/$/, '');
var clientAssetsUri = req.hostname.replace(/^(api|assets)\./, 'assets.') + req.url.replace(/\/(api|assets)\/.*/, '/').replace(/\/$/, '');
//var clientAssetsUri = req.hostname.replace(/^(api|assets)\./, 'api.') + req.url.replace(/\/(api|assets)\/.*/, '/').replace(/\/$/, '');
// example.com/subpath/api should resolve to example.com#subapp
// sub.example.com/subpath/api should resolve to sub.example.com#subapp
var clientUrih = req.hostname.replace(/^api\./, '') + req.url.replace(/\/api\/.*/, '/').replace(/\/+/g, '#').replace(/#$/, '');
var clientApiUri = req.hostname + req.url.replace(/\/api\/.*/, '/').replace(/\/$/, '');
// Canonical package names
// '/api/com.daplie.hello/hello' should resolve to 'com.daplie.hello'
// '/subapp/api/com.daplie.hello/hello' should also 'com.daplie.hello'
// '/subapp/api/com.daplie.hello/' may exist... must be a small api
var pkgId = req.url.replace(/.*\/(api|assets)\//, '').replace(/^\//, '').replace(/\/.*/, '');
var pkgId = req.url.replace(/.*\/api\//, '').replace(/^\//, '').replace(/\/.*/, '');
var now = Date.now();
var hasBeenHandled = false;
Object.defineProperty(req, 'clientUrl', {
enumerable: true
, configurable: false
, writable: false
, value: (req.headers.referer || ('https://' + appUri)).replace(/\/$/, '').replace(/\?.*/, '')
});
// Existing (Deprecated)
Object.defineProperty(req, 'apiUrlPrefix', {
enumerable: true
, configurable: false
, writable: false
, value: 'https://' + clientApiUri + '/api/' + pkgId
});
Object.defineProperty(req, 'assetsUrlPrefix', {
enumerable: true
, configurable: false
, writable: false
, value: 'https://' + clientAssetsUri + '/assets/' + pkgId
});
Object.defineProperty(req, 'experienceId' /*deprecated*/, {
Object.defineProperty(req, 'experienceId', {
enumerable: true
, configurable: false
, writable: false
@ -1099,12 +813,6 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
, writable: false
, value: clientApiUri
});
Object.defineProperty(req, 'clientAssetsUri', {
enumerable: true
, configurable: false
, writable: false
, value: clientAssetsUri
});
Object.defineProperty(req, 'apiId', {
enumerable: true
, configurable: false
@ -1112,6 +820,7 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
, value: pkgId
});
// New
Object.defineProperty(req, 'clientUrih', {
enumerable: true
, configurable: false
@ -1129,61 +838,37 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
});
// TODO cache permission (although the FS is already cached, NBD)
var promise = isThisClientAllowedToUseThisPkg(req, xconfx, clientUrih, pkgId).then(function (yes) {
//if (xconfx.debug) { console.log('[api.js] azp is allowed?', yes); }
var promise = isThisClientAllowedToUseThisPkg(xconfx, clientUrih, pkgId).then(function (yes) {
if (!yes) {
notConfigured(req, res);
return null;
}
function handleWithHandler() {
if (/\/assets\//.test(req.url) || /(^|\.)assets\./.test(req.hostname)) {
if (localCache.assets[pkgId]) {
if ('function' !== typeof localCache.assets[pkgId].handler) { console.log('localCache.assets[pkgId]'); console.log(localCache.assets[pkgId]); }
localCache.assets[pkgId].handler(req, res, next);
} else {
next();
return true;
}
} else {
localCache.rests[pkgId].handler(req, res, next);
}
}
if (localCache.rests[pkgId]) {
if (handleWithHandler()) {
return;
}
localCache.rests[pkgId].handler(req, res, next);
hasBeenHandled = true;
if (now - localCache.rests[pkgId].createdAt > staleAfter) {
localCache.rests[pkgId] = null;
localCache.assets[pkgId] = null;
}
}
if (!localCache.rests[pkgId]) {
//return doesThisPkgExist
//if (xconfx.debug) { console.log('[api.js] before rest handler'); }
return loadRestHandler(xconfx, clientUrih, pkgId).then(function (myHandler) {
if (!myHandler) {
//if (xconfx.debug) { console.log('[api.js] not configured'); }
notConfigured(req, res);
return;
}
localCache.rests[pkgId] = { handler: myHandler.handler, createdAt: now };
localCache.assets[pkgId] = { handler: myHandler.assetsHandler, createdAt: now };
if (!hasBeenHandled) {
if (handleWithHandler()) {
return;
}
myHandler.handler(req, res, next);
}
});
}
});
rejectableRequest(req, res, promise, "[walnut@daplie.com] load api package");
});
};

21
lib/common.js
View File

@ -1,21 +1,20 @@
'use strict';
function rejectableRequest(req, res, promise, msg) {
module.exports.rejectableRequest = function rejectableRequest(req, res, promise, msg) {
return promise.error(function (err) {
res.error(err);
}).catch(function (err) {
console.error('[ERROR] \'' + msg + '\'');
// The stack contains the message as well, so no need to log the message when we log the stack
console.error(err.stack || err.message || JSON.stringify(err));
console.error(err.message);
console.error(err.stack);
res.error(err);
});
}
module.exports.rejectableRequest = rejectableRequest;
};
module.exports.promisableRequest =
module.exports.promiseRequest = function promiseRequest(req, res, promise, msg) {
promise = promise.then(function (result) {
return promise.then(function (result) {
if (result._cache) {
res.setHeader('Cache-Control', 'public, max-age=' + (result._cache / 1000));
res.setHeader('Expires', new Date(Date.now() + result._cache).toUTCString());
@ -27,7 +26,13 @@ module.exports.promiseRequest = function promiseRequest(req, res, promise, msg)
result = result._value;
}
res.send(result);
});
}).error(function (err) {
res.error(err);
}).catch(function (err) {
console.error('[ERROR] \'' + msg + '\'');
console.error(err.message);
console.error(err.stack);
return rejectableRequest(req, res, promise, msg);
res.error(err);
});
};

26
lib/main.js
View File

@ -1,6 +1,6 @@
'use strict';
module.exports.create = function (app, xconfx, apiFactories, apiDeps, errorIfApi, errorIfAssets) {
module.exports.create = function (app, xconfx, apiFactories, apiDeps, errorIfApi) {
var PromiseA = require('bluebird');
var path = require('path');
var fs = PromiseA.promisifyAll(require('fs'));
@ -293,27 +293,10 @@ module.exports.create = function (app, xconfx, apiFactories, apiDeps, errorIfApi
// TODO handle assets.example.com/sub/assets/com.example.xyz/
app.use('/api', require('connect-send-error').error());
app.use('/assets', require('connect-send-error').error());
app.use('/', function (req, res, next) {
// If this doesn't look like an API or assets we can move along
/*
console.log('.');
console.log('[main.js] req.url, req.hostname');
console.log(req.url);
console.log(req.hostname);
console.log('.');
*/
if (!/\/(api|assets)(\/|$)/.test(req.url)) {
//console.log('[main.js] api|assets');
next();
return;
}
// keep https://assets.example.com/assets but skip https://example.com/assets
if (/\/assets(\/|$)/.test(req.url) && !/(^|\.)(api|assets)(\.)/.test(req.hostname) && !/^[0-9\.]+$/.test(req.hostname)) {
//console.log('[main.js] skip');
// If this doesn't look like an API we can move along
if (!/\/api(\/|$)/.test(req.url)) {
// /^api\./.test(req.hostname) &&
next();
return;
}
@ -342,7 +325,6 @@ module.exports.create = function (app, xconfx, apiFactories, apiDeps, errorIfApi
return;
});
app.use('/', errorIfApi);
app.use('/', errorIfAssets);
app.use('/', serveStatic);
app.use('/', serveApps);

306
lib/oauth3.js
View File

@ -1,306 +0,0 @@
'use strict';
var PromiseA = require('bluebird');
function generateRescope(req, Models, decoded, fullPpid, ppid) {
return function (/*sub*/) {
// TODO: this function is supposed to convert PPIDs of different parties to some account
// ID that allows application to keep track of permisions and what-not.
console.log('[rescope] Attempting ', fullPpid);
return Models.IssuerOauth3OrgGrants.find({ azpSub: fullPpid }).then(function (results) {
if (results[0]) {
console.log('[rescope] lukcy duck: got it on the 1st try');
return PromiseA.resolve(results);
}
// XXX BUG XXX
// should be able to distinguish between own ids and 3rd party via @whatever.com
return Models.IssuerOauth3OrgGrants.find({ azpSub: ppid });
}).then(function (results) {
var result = results[0];
if (!result || !result.sub || !decoded.iss) {
// XXX BUG XXX TODO swap this external ppid for an internal (and ask user to link with existing profile)
//req.oauth3.accountIdx = fullPpid;
throw new Error("internal / external ID swapping not yet implemented. TODO: "
+ "No profile found with that credential. Would you like to create a new profile or link to an existing profile?");
}
// XXX BUG XXX need to pass own url in to use as issuer for own tokens
req.oauth3.accountIdx = result.sub + '@' + decoded.iss;
console.log('[rescope] result:');
console.log(results);
console.log(req.oauth3.accountIdx);
return PromiseA.resolve(req.oauth3.accountIdx);
});
};
}
function extractAccessToken(req) {
var token = null;
var parts;
var scheme;
var credentials;
if (req.headers && req.headers.authorization) {
// Works for all of Authorization: Bearer {{ token }}, Token {{ token }}, JWT {{ token }}
parts = req.headers.authorization.split(' ');
if (parts.length !== 2) {
return PromiseA.reject(new Error("malformed Authorization header"));
}
scheme = parts[0];
credentials = parts[1];
if (-1 !== ['token', 'bearer'].indexOf(scheme.toLowerCase())) {
token = credentials;
}
}
if (req.body && req.body.access_token) {
if (token) { PromiseA.reject(new Error("token exists in header and body")); }
token = req.body.access_token;
}
// TODO disallow query with req.method === 'GET'
// NOTE: the case of DDNS on routers requires a GET and access_token
// (cookies should be used for protected static assets)
if (req.query && req.query.access_token) {
if (token) { PromiseA.reject(new Error("token already exists in either header or body and also in query")); }
token = req.query.access_token;
}
/*
err = new Error(challenge());
err.code = 'E_BEARER_REALM';
if (!token) { return PromiseA.reject(err); }
*/
return PromiseA.resolve(token);
}
function verifyToken(token) {
var jwt = require('jsonwebtoken');
var decoded;
if (!token) {
return PromiseA.reject({
message: 'no token provided'
, code: 'E_NO_TOKEN'
, url: 'https://oauth3.org/docs/errors#E_NO_TOKEN'
});
}
try {
decoded = jwt.decode(token, {complete: true});
} catch (e) {}
if (!decoded) {
return PromiseA.reject({
message: 'provided token not a JSON Web Token'
, code: 'E_NOT_JWT'
, url: 'https://oauth3.org/docs/errors#E_NOT_JWT'
});
}
var sub = decoded.payload.sub || decoded.payload.ppid || decoded.payload.appScopedId;
if (!sub) {
return PromiseA.reject({
message: 'token missing sub'
, code: 'E_MISSING_SUB'
, url: 'https://oauth3.org/docs/errors#E_MISSING_SUB'
});
}
var kid = decoded.header.kid || decoded.payload.kid;
if (!kid) {
return PromiseA.reject({
message: 'token missing kid'
, code: 'E_MISSING_KID'
, url: 'https://oauth3.org/docs/errors#E_MISSING_KID'
});
}
if (!decoded.payload.iss) {
return PromiseA.reject({
message: 'token missing iss'
, code: 'E_MISSING_ISS'
, url: 'https://oauth3.org/docs/errors#E_MISSING_ISS'
});
}
var OAUTH3 = require('oauth3.js');
OAUTH3._hooks = require('oauth3.js/oauth3.node.storage.js');
return OAUTH3.discover(decoded.payload.iss).then(function (directives) {
var args = (directives || {}).retrieve_jwk;
if (typeof args === 'string') {
args = { url: args, method: 'GET' };
}
if (typeof (args || {}).url !== 'string') {
return PromiseA.reject({
message: 'token issuer does not support retrieving JWKs'
, code: 'E_INVALID_ISS'
, url: 'https://oauth3.org/docs/errors#E_INVALID_ISS'
});
}
var params = {
sub: sub
, kid: kid
};
var url = args.url;
var body;
Object.keys(params).forEach(function (key) {
if (url.indexOf(':'+key) !== -1) {
url = url.replace(':'+key, params[key]);
delete params[key];
}
});
if (Object.keys(params).length > 0) {
if ('GET' === (args.method || 'GET').toUpperCase()) {
url += '?' + OAUTH3.query.stringify(params);
} else {
body = params;
}
}
return OAUTH3.request({
url: OAUTH3.url.resolve(directives.api, url)
, method: args.method
, data: body
}).catch(function (err) {
return PromiseA.reject({
message: 'failed to retrieve public key from token issuer'
, code: 'E_NO_PUB_KEY'
, url: 'https://oauth3.org/docs/errors#E_NO_PUB_KEY'
, subErr: err.toString()
});
});
}, function (err) {
return PromiseA.reject({
message: 'token issuer is not a valid OAuth3 provider'
, code: 'E_INVALID_ISS'
, url: 'https://oauth3.org/docs/errors#E_INVALID_ISS'
, subErr: err.toString()
});
}).then(function (res) {
if (res.data.error) {
return PromiseA.reject(res.data.error);
}
var opts = {};
if (Array.isArray(res.data.alg)) {
opts.algorithms = res.data.alg;
} else if (typeof res.data.alg === 'string') {
opts.algorithms = [res.data.alg];
}
try {
return jwt.verify(token, require('jwk-to-pem')(res.data), opts);
} catch (err) {
return PromiseA.reject({
message: 'token verification failed'
, code: 'E_INVALID_TOKEN'
, url: 'https://oauth3.org/docs/errors#E_INVALID_TOKEN'
, subErr: err.toString()
});
}
});
}
function deepFreeze(obj) {
Object.keys(obj).forEach(function (key) {
if (obj[key] && typeof obj[key] === 'object') {
deepFreeze(obj[key]);
}
});
Object.freeze(obj);
}
function cookieOauth3(Models, req, res, next) {
req.oauth3 = {};
var token = req.cookies.jwt;
req.oauth3.encodedToken = token;
req.oauth3.verifyAsync = function (jwt) {
return verifyToken(jwt || token);
};
return verifyToken(token).then(function (decoded) {
req.oauth3.token = decoded;
if (!decoded) {
return null;
}
var ppid = decoded.sub || decoded.ppid || decoded.appScopedId;
req.oauth3.ppid = ppid;
req.oauth3.accountIdx = ppid+'@'+decoded.iss;
var hash = require('crypto').createHash('sha256').update(req.oauth3.accountIdx).digest('base64');
hash = hash.replace(/\+/g, '-').replace(/\//g, '_').replace(/\=+/g, '');
req.oauth3.accountHash = hash;
req.oauth3.rescope = generateRescope(req, Models, decoded, fullPpid, ppid);
}).then(function () {
deepFreeze(req.oauth3);
//Object.defineProperty(req, 'oauth3', {configurable: false, writable: false});
next();
}, function (err) {
if ('E_NO_TOKEN' === err.code) {
next();
return;
}
console.error('[walnut] cookie lib/oauth3 error:');
console.error(err);
res.send(err);
});
}
function attachOauth3(Models, req, res, next) {
req.oauth3 = {};
extractAccessToken(req).then(function (token) {
req.oauth3.encodedToken = token;
req.oauth3.verifyAsync = function (jwt) {
return verifyToken(jwt || token);
};
if (!token) {
return null;
}
return verifyToken(token);
}).then(function (decoded) {
req.oauth3.token = decoded;
if (!decoded) {
return null;
}
var ppid = decoded.sub || decoded.ppid || decoded.appScopedId;
var fullPpid = ppid+'@'+decoded.iss;
req.oauth3.ppid = ppid;
// TODO we can anonymize the relationship between our user as the other service's user
// in our own database by hashing the remote service's ppid and using that as the lookup
var hash = require('crypto').createHash('sha256').update(fullPpid).digest('base64');
hash = hash.replace(/\+/g, '-').replace(/\//g, '_').replace(/\=+/g, '');
req.oauth3.accountHash = hash;
req.oauth3.rescope = generateRescope(req, Models, decoded, fullPpid, ppid);
console.log('############### assigned req.oauth3:');
console.log(req.oauth3);
}).then(function () {
//deepFreeze(req.oauth3);
//Object.defineProperty(req, 'oauth3', {configurable: false, writable: false});
next();
}, function (err) {
console.error('[walnut] JWT lib/oauth3 error:');
console.error(err);
res.send(err);
});
}
module.exports.attachOauth3 = attachOauth3;
module.exports.cookieOauth3 = cookieOauth3;
module.exports.verifyToken = verifyToken;

14
lib/package-server-apis.js
View File

@ -55,7 +55,19 @@ function getApi(conf, pkgConf, pkgDeps, packagedApi) {
packagedApi._api = require('express-lazy')();
packagedApi._api_app = myApp;
packagedApi._api.use('/', require('./oauth3').attachOauth3);
//require('./oauth3-auth').inject(conf, packagedApi._api, pkgConf, pkgDeps);
pkgDeps.getOauth3Controllers =
packagedApi._getOauth3Controllers = require('oauthcommon/example-oauthmodels').create(conf).getControllers;
require('oauthcommon').inject(packagedApi._getOauth3Controllers, packagedApi._api, pkgConf, pkgDeps);
// DEBUG
//
/*
packagedApi._api.use('/', function (req, res, next) {
console.log('[DEBUG pkgApiApp]', req.method, req.hostname, req.url);
next();
});
//*/
// TODO fix backwards compat

58
lib/worker.js
View File

@ -150,21 +150,6 @@ module.exports.create = function (webserver, xconfx, state) {
models: models
// TODO don't let packages use this directly
, Promise: PromiseA
, dns: PromiseA.promisifyAll(require('dns'))
, crypto: PromiseA.promisifyAll(require('crypto'))
, fs: PromiseA.promisifyAll(require('fs'))
, path: require('path')
, validate: {
isEmail: function (email) {
return /@/.test(email) && !/\s+/.test(email);
}
, email: function (email) {
if (apiDeps.validate.isEmail(email)) {
return null;
}
return new Error('invalid email address');
}
}
};
var apiFactories = {
memstoreFactory: { create: scopeMemstore }
@ -195,7 +180,7 @@ module.exports.create = function (webserver, xconfx, state) {
function setupMain() {
if (xconfx.debug) { console.log('[main] setup'); }
mainApp = express();
require('./main').create(mainApp, xconfx, apiFactories, apiDeps, errorIfApi, errorIfAssets).then(function () {
require('./main').create(mainApp, xconfx, apiFactories, apiDeps, errorIfApi).then(function () {
if (xconfx.debug) { console.log('[main] ready'); }
// TODO process.send({});
});
@ -240,24 +225,6 @@ module.exports.create = function (webserver, xconfx, state) {
next();
}
function errorIfNotAssets(req, res, next) {
var hostname = req.hostname || req.headers.host;
if (!/^assets\.[a-z0-9\-]+/.test(hostname)) {
res.send({ error:
{ message: "['" + hostname + req.url + "'] protected asset access is restricted to proper 'asset'-prefixed lowercase subdomains."
+ " The HTTP 'Host' header must exist and must begin with 'assets.' as in 'assets.example.com'."
+ " For development you may test with assets.localhost.daplie.me (or any domain by modifying your /etc/hosts)"
, code: 'E_NOT_API'
, _hostname: hostname
}
});
return;
}
next();
}
function errorIfApi(req, res, next) {
if (!/^api\./.test(req.headers.host)) {
next();
@ -273,25 +240,7 @@ module.exports.create = function (webserver, xconfx, state) {
return;
}
res.send({ error: { code: 'E_NO_IMPL', message: "API not implemented" } });
}
function errorIfAssets(req, res, next) {
if (!/^assets\./.test(req.headers.host)) {
next();
return;
}
// has api. hostname prefix
// doesn't have /api url prefix
if (!/^\/assets\//.test(req.url)) {
console.log('[walnut/worker assets] req.url', req.url);
res.send({ error: { message: "missing /assets/ url prefix" } });
return;
}
res.send({ error: { code: 'E_NO_IMPL', message: "assets handler not implemented" } });
res.send({ error: { code: 'E_NO_IMPL', message: "not implemented" } });
}
app.disable('x-powered-by');
@ -309,11 +258,8 @@ module.exports.create = function (webserver, xconfx, state) {
}));
app.use('/api', recase);
var cookieParser = require('cookie-parser'); // signing is done in JWT
app.set('trust proxy', ['loopback', 'linklocal', 'uniquelocal']);
app.use('/api', errorIfNotApi);
app.use('/assets', /*errorIfNotAssets,*/ cookieParser()); // serializer { path: '/assets', httpOnly: true, sameSite: true/*, domain: assets.example.com*/ }
app.use('/', function (req, res) {
if (!(req.encrypted || req.secure)) {
// did not come from https

34
package.json
View File

@ -1,6 +1,6 @@
{
"name": "walnut",
"version": "1.2.5",
"version": "0.1.0",
"description": "zero-config home cloud server",
"main": "walnut.js",
"scripts": {
@ -8,7 +8,7 @@
},
"repository": {
"type": "git",
"url": "https://git.coolaj86.com/coolaj86/walnut.js.git"
"url": "https://github.com/Daplie/walnut.git"
},
"bin": {
"walnut": "./bin/walnut.js"
@ -33,48 +33,38 @@
"private",
"public"
],
"author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com)",
"license": "(MIT or Apache2)",
"author": "AJ ONeal <aj@daplie.com> (https://daplie.com)",
"license": "Apache2",
"bugs": {
"url": "https://git.coolaj86.com/coolaj86/walnut.js/issues"
"url": "https://github.com/Daplie/walnut/issues"
},
"homepage": "https://git.coolaj86.com/coolaj86/walnut.js",
"homepage": "https://github.com/Daplie/walnut",
"dependencies": {
"bluebird": "3.x",
"body-parser": "1.x",
"cluster-store": "^2.0.8",
"cluster-store": "git+https://git.daplie.com/Daplie/cluster-store.git#v2",
"connect": "3.x",
"connect-cors": "0.5.x",
"connect-recase": "^1.0.2",
"connect-send-error": "1.x",
"cookie-parser": "^1.4.3",
"escape-html": "^1.0.2",
"escape-string-regexp": "1.x",
"express": "4.x",
"express-lazy": "^1.1.1",
"express-session": "^1.11.3",
"jsonwebtoken": "^7.4.1",
"jwk-to-pem": "^1.2.6",
"mailchimp-api-v3": "^1.7.0",
"mandrill-api": "^1.0.45",
"masterquest-sqlite3": "^1.1.1",
"masterquest-sqlite3": "git+https://git.daplie.com/node/masterquest-sqlite3.git",
"mkdirp": "^0.5.1",
"multiparty": "^4.1.3",
"nodemailer": "^1.4.0",
"nodemailer-mailgun-transport": "1.x",
"oauth3.js": "git+https://git.oauth3.org/OAuth3/oauth3.js.git#v1.2",
"recase": "^1.0.4",
"oauthcommon": "git+https://git.daplie.com/node/oauthcommon.git",
"request": "^2.81.0",
"scmp": "^2.0.0",
"serve-static": "1.x",
"sqlite3-cluster": "^2.1.2",
"sqlite3-cluster": "git+https://git.daplie.com/coolaj86/sqlite3-cluster.git#v2",
"stripe": "^4.22.0",
"twilio": "1.x"
},
"gitDependencies": {
"cluster-store": "git+https://git.coolaj86.com/coolaj86/cluster-store.git#v2",
"masterquest-sqlite3": "git+https://git.coolaj86.com/coolaj86/masterquest-sqlite3.git",
"oauth3.js": "git+https://git.oauth3.org/OAuth3/oauth3.js.git#v1.2",
"sqlite3-cluster": "git+https://git.coolaj86.com/coolaj86/sqlite3-cluster.git#v2"
"twilio": "1.x",
"ursa": "^0.9.1"
}
}