'use strict'; var PromiseA = require('bluebird'); module.exports.inject = function (app) { //var jwsUtils = require('./lib/jws-utils').create(signer); var CORS = require('connect-cors'); var cors = CORS({ credentials: true, headers: [ 'X-Requested-With' , 'X-HTTP-Method-Override' , 'Content-Type' , 'Accept' , 'Authorization' ], methods: [ "GET", "POST", "PATCH", "PUT", "DELETE" ] }); // Allows CORS access to API with ?access_token= // TODO Access-Control-Max-Age: 600 // TODO How can we help apps handle this? token? // TODO allow apps to configure trustedDomains, auth, etc //function weakDecipher(secret, val) { return require('./weak-crypt').weakDecipher(val, secret); } // // Generic Session / Login / Account Routes // function parseAccessToken(req, opts) { var token; var parts; var scheme; var credentials; if (req.headers && req.headers.authorization) { parts = req.headers.authorization.split(' '); if (parts.length !== 2) { return PromiseA.reject(new Error("malformed Authorization header")); } scheme = parts[0]; credentials = parts[1]; if (-1 !== (opts && opts.schemes || ['token', 'bearer']).indexOf(scheme.toLowerCase())) { token = credentials; } } if (req.body && req.body.access_token) { if (token) { PromiseA.reject(new Error("token exists in header and body")); } token = req.body.access_token; } // TODO disallow query with req.method === 'GET' // (cookies should be used for protected static assets) if (req.query && req.query.access_token) { if (token) { PromiseA.reject(new Error("token already exists in either header or body and also in query")); } token = req.query.access_token; } /* err = new Error(challenge()); err.code = 'E_BEARER_REALM'; if (!token) { return PromiseA.reject(err); } */ return PromiseA.resolve(token); } function getToken(req, res, next) { req.oauth3 = {}; parseAccessToken(req).then(function (token) { if (!token) { next(); return; } var jwt = require('jsonwebtoken'); var data = jwt.decode(token); var err; if (!data) { err = new Error('not a json web token'); err.code = 'E_NOT_JWT'; res.send({ error: err.code , error_description: err.message , error_url: 'https://oauth3.org/docs/errors#' + (err.code || 'E_UNKNOWN_EXCEPTION') }); // PromiseA.reject(err); return; } req.oauth3.token = token; next(); }); } /* app.use('/', function (req, res, next) { console.log('[DEBUG CORS]', req.method, req.hostname, req.url); cors(req, res, next); }); */ app.use('/', getToken); };