Turbasen
diff --git a/‎index.js‎
Lines changed: 25 additions & 107 deletions b/‎index.js‎
Lines changed: 25 additions & 107 deletions
diff --git a/‎lib/AbstractUser.js‎
Lines changed: 76 additions & 0 deletions b/‎lib/AbstractUser.js‎
Lines changed: 76 additions & 0 deletions
diff --git a/‎lib/AuthUser.js‎
Lines changed: 103 additions & 0 deletions b/‎lib/AuthUser.js‎
Lines changed: 103 additions & 0 deletions
@@ -1,47 +1,44 @@
 'use strict';
 
 const HttpError = require('@starefossen/http-error');
-const redis = require('@turbasen/db-redis');
-const mongo = require('@turbasen/db-mongo');
 
-const UnauthUser = require('./lib/User').UnauthUser;
-const AuthUser = require('./lib/User').AuthUser;
-
-const CACHE_VALID = process.env.NTB_CACHE_VALID || 60 * 60 * 1000;
-const CACHE_INVALID = process.env.NTB_CACHE_INVALID || 24 * 60 * 60 * 1000;
-const API_ENV = process.env.NTB_API_ENV || 'dev';
-const RATELIMIT_UNAUTH = process.env.NTB_RATELIMIT_UNAUTH || 100;
+const AbstractUser = require('./lib/AbstractUser');
+const UnauthUser = require('./lib/UnauthUser');
+const AuthUser = require('./lib/AuthUser');
 
 module.exports = () => (req, res, next) => {
   let promise;
 
   // API key through Authorization header
   if (req.headers.authorization) {
     const token = req.headers.authorization.split(' ');
-    promise = module.exports.getUserByToken(token[1]);
+    promise = AuthUser.getByKey(token[1]);
 
   // API key through URL query parameter
   } else if (req.query && req.query.api_key) {
-    promise = module.exports.getUserByToken(req.query.api_key);
+    promise = AuthUser.getByKey(req.query.api_key);
 
   // No API key
   } else {
-    promise = module.exports.getUserByIp(
+    promise = UnauthUser.getByKey(
       req.headers['x-forwarded-for'] || req.connection.remoteAddres
     );
   }
 
   promise.then(user => {
     req.user = user;
 
+    // X-User headers
     res.set('X-User-Auth', user.auth);
     if (user.auth) {
       res.set('X-User-Provider', user.provider);
     }
 
+    // X-Rate-Limit headers
     res.set('X-RateLimit-Limit', user.limit);
     res.set('X-RateLimit-Reset', user.reset);
 
+    // Check if user has remaining rate limit quota
     if (!user.hasRemainingQuota()) {
       res.set('X-RateLimit-Remaining', 0);
 
@@ -50,115 +47,36 @@ module.exports = () => (req, res, next) => {
       ));
     }
 
+    // Charge user for this request
     res.set('X-RateLimit-Remaining', user.charge());
 
+    // Check if user can execute the HTTP method. Only authenticated users are
+    // allowed to execute POST, PUT, and DELETE requests.
     if (!user.can(req.method)) {
       return next(new HttpError(
         401, `API authentication required for "${req.method}" requests`
       ));
     }
 
-    res.on('finish', function resOnFinishCb() {
-      // Uncharge user when certain cache features are used.
-      // 304 Not Modified, and 412 Precondition Failed
-      if (this.statusCode === 304 || this.statusCode === 412) {
-        this.req.user.uncharge();
-      }
-
-      if (this.req.user.getCharge() > 0) {
-        redis.hincrby(this.req.user.cacheKey, 'remaining', -1);
-      }
-    });
+    // Attach the on finish callback which updates the user rate limit in cache.
+    res.on('finish', module.exports.onFinish);
 
     return next();
   }).catch(next);
 };
 
-module.exports.getUserByIp = function getUserByIp(key) {
-  return new Promise((resolve, reject) => {
-    redis.hgetall(AuthUser.getCacheKey(key), (redisErr, data) => {
-      if (redisErr) { return reject(redisErr); }
-
-      if (data && data.limit) {
-        return resolve(new UnauthUser(key, data));
-      } else {
-        const expireat = module.exports.expireat(CACHE_VALID);
-
-        const user = new UnauthUser(key, {
-          limit: RATELIMIT_UNAUTH,
-          remaining: RATELIMIT_UNAUTH,
-          reset: expireat,
-        });
-
-        redis.hmset(AuthUser.getCacheKey(key), user.toObject());
-        redis.expireat(AuthUser.getCacheKey(key), expireat);
-
-        return resolve(user);
-      }
-    });
-  });
-};
-
-module.exports.getUserByToken = function getUserByToken(key) {
-  return new Promise((resolve, reject) => {
-    redis.hgetall(UnauthUser.getCacheKey(key), (redisErr, data) => {
-      if (redisErr) { return reject(redisErr); }
-
-      if (data && data.access) {
-        if (data.access === 'true') {
-          return resolve(new AuthUser(key, data));
-        } else {
-          return reject(new HttpError(`Bad credentials for user "${key}"`, 401));
-        }
-      }
-
-      const query = {
-        [`apps.key.${API_ENV}`]: key,
-        'apps.active': true,
-      };
-
-      const opts = {
-        fields: {
-          provider: true,
-          apps: true,
-        },
-      };
-
-      return mongo.api.users.findOne(query, opts, (mongoErr, doc) => {
-        if (mongoErr) { return reject(mongoErr); }
-
-        if (!doc) {
-          const expireat = module.exports.expireat(CACHE_INVALID);
-
-          redis.hset(AuthUser.getCacheKey(key), 'access', 'false');
-          redis.expireat(AuthUser.getCacheKey(key), expireat);
-
-          return reject(new HttpError(`Bad credentials for user "${key}"`, 401));
-        }
-
-        const app = doc.apps.find(item => item.key[API_ENV] === key);
-        const expireat = module.exports.expireat(CACHE_VALID);
-
-        const user = new AuthUser(key, {
-          provider: doc.provider,
-          app: app.name,
-
-          limit: app.limit[API_ENV],
-          remaining: app.limit[API_ENV],
-          reset: expireat,
-        });
-
-        redis.hmset(AuthUser.getCacheKey(key), user.toObject());
-        redis.expireat(AuthUser.getCacheKey(key), expireat);
-
-        return resolve(user);
-      });
-    });
-  });
-};
+module.exports.onFinish = function onFinish() {
+  // Uncharge user when certain cache features are used.
+  // 304 Not Modified, and 412 Precondition Failed
+  if (this.statusCode === 304 || this.statusCode === 412) {
+    this.req.user.uncharge();
+  }
 
-module.exports.expireat = function expireat(seconds) {
-  return Math.floor((new Date().getTime() + seconds) / 1000);
+  // Update user rate-limit in cache if it has changed.
+  this.req.user.update();
 };
 
 module.exports.middleware = module.exports();
+module.exports.AbstractUser = AbstractUser;
+module.exports.AuthUser = AuthUser;
+module.exports.UnauthUser = UnauthUser;
@@ -0,0 +1,76 @@
+'use strict';
+
+const redis = require('@turbasen/db-redis');
+
+const CACHE_VALID = process.env.NTB_CACHE_VALID || 60 * 60 * 1000;
+
+class AbstractUser {
+  constructor(type, key, data) {
+    this.type = type;
+    this.key = key;
+
+    this.provider = data.provider || '';
+    this.app = data.app || '';
+
+    this.limit = parseInt(data.limit, 10);
+    this.remaining = parseInt(data.remaining, 10);
+    this.reset = parseInt(data.reset, 10) || module.exports.expireat(CACHE_VALID);
+
+    this.penalty = 0;
+  }
+
+  get cacheKey() {
+    return AbstractUser.getCacheKey(this.type, this.key);
+  }
+
+  toObject() {
+    return {
+      access: 'true',
+
+      provider: this.provider,
+      app: this.app,
+
+      limit: `${this.limit}`,
+      remaining: `${this.remaining - this.penalty}`,
+      reset: `${this.reset}`,
+    };
+  }
+
+  save() {
+    redis.hmset(this.cacheKey, this.toObject());
+    redis.expireat(this.cacheKey, this.reset);
+
+    return this;
+  }
+
+  update() {
+    if (this.penalty > 0) {
+      redis.hincrby(this.cacheKey, 'remaining', this.penalty);
+    }
+  }
+
+  charge() {
+    this.penalty = this.penalty + 1;
+    return this.remaining - this.penalty;
+  }
+
+  uncharge() {
+    this.penalty = 0;
+    return this.remaining;
+  }
+
+  getCharge() {
+    return this.penalty;
+  }
+
+  hasRemainingQuota() {
+    return this.remaining - this.penalty > 0;
+  }
+
+  static getCacheKey(type, key) {
+    return `api:${type}:${key}`;
+  }
+}
+
+module.exports = AbstractUser;
+module.exports.expireat = s => Math.floor((new Date().getTime() + s) / 1000);
@@ -0,0 +1,103 @@
+'use strict';
+
+const mongo = require('@turbasen/db-mongo');
+const redis = require('@turbasen/db-redis');
+const HttpError = require('@starefossen/http-error');
+const AbstractUser = require('./AbstractUser');
+
+const CACHE_INVALID = process.env.NTB_CACHE_INVALID || 24 * 60 * 60 * 1000;
+const API_ENV = process.env.NTB_API_ENV || 'dev';
+
+class AuthUser extends AbstractUser {
+  constructor(token, data) {
+    super('token', token, data);
+  }
+
+  get auth() { return true; }
+
+  get name() {
+    return `${this.provider} (${this.app})`;
+  }
+
+  isOwner(doc) {
+    return !!doc.tilbyder && this.provider === doc.tilbyder;
+  }
+
+  can() {
+    return true;
+  }
+
+  query(query) {
+    const publicStatus = new Set('Offentlig', 'Slettet');
+
+    if (query.tilbyder) {
+      if (query.tilbyder === this.provider) {
+        return query;
+      } else {
+        return Object.assign(query, { status: 'Offentlig' });
+      }
+    } else if (query.status) {
+      if (publicStatus.has(query.status)) {
+        return query;
+      } else {
+        return Object.assign(query, { tilbyder: this.provider });
+      }
+    } else {
+      return Object.assign(query, {
+        $or: [{ tilbyder: this.provider }, { status: 'Offentlig' }],
+      });
+    }
+  }
+
+  static getCacheKey(key) {
+    return super.getCacheKey('token', key);
+  }
+
+  static getFromMongo(key) {
+    return new Promise((resolve, reject) => {
+      const query = { [`apps.key.${API_ENV}`]: key, 'apps.active': true };
+      const opts = { fields: { provider: true, apps: true } };
+
+      mongo.api.users.findOne(query, opts).then(doc => {
+        if (!doc) {
+          const expireat = AbstractUser.expireat(CACHE_INVALID);
+
+          redis.hset(AuthUser.getCacheKey(key), 'access', 'false');
+          redis.expireat(AuthUser.getCacheKey(key), expireat);
+
+          reject(new HttpError(`Bad credentials for user "${key}"`, 401));
+        } else {
+          const app = doc.apps.find(item => item.key[API_ENV] === key);
+
+          const user = new AuthUser(key, {
+            provider: doc.provider,
+            app: app.name,
+
+            limit: app.limit[API_ENV],
+            remaining: app.limit[API_ENV],
+          });
+
+          resolve(user.save());
+        }
+      }).catch(reject);
+    });
+  }
+
+  static getByKey(key) {
+    return new Promise((resolve, reject) => {
+      redis.hgetall(AuthUser.getCacheKey(key)).then(data => {
+        if (data && data.access) {
+          if (data.access === 'true') {
+            resolve(new AuthUser(key, data));
+          } else {
+            reject(new HttpError(`Bad credentials for user "${key}"`, 401));
+          }
+        } else {
+          AuthUser.getFromMongo(key).then(resolve).catch(reject);
+        }
+      }).catch(reject);
+    });
+  }
+}
+
+module.exports = AuthUser;