[WIP] Authentication on a per-method basis and CORS

dadi · Mar 8, 2016 · a00b72c · a00b72c
1 parent 865e7f6
commit a00b72c
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 11 deletions.
diff --git a/config.js b/config.js
@@ -271,6 +271,11 @@ var conf = convict({
     default: "development",
     env: "NODE_ENV",
     arg: "node_env"
+  },
+  cors: {
+    doc: "If true, responses will include headers for cross-domain resource sharing",
+    format: Boolean,
+    default: false
   }
 });
 

diff --git a/dadi/lib/auth/index.js b/dadi/lib/auth/index.js
@@ -2,9 +2,9 @@ var url = require('url');
 var _ = require('underscore');
 var config = require(__dirname + '/../../../config.js');
 var tokens = require(__dirname + '/tokens');
+var pathToRegexp = require('path-to-regexp');
 
-function mustAuthenticate(endpoints, path) {
-
+function mustAuthenticate(endpoints, path, reqMethod) {
     path = url.parse(path, true);
 
     // all /config requests must be authenticated
@@ -13,12 +13,17 @@ function mustAuthenticate(endpoints, path) {
     // docs requests don't need to be authenticated
     if (path.pathname.indexOf('docs') > 0) return false;
 
-    var endpointKey = _.find(_.keys(endpoints), function (k){ return k.indexOf(path.pathname) > -1; });
+    var endpointKey = _.find(_.keys(endpoints), function (k){ return path.pathname.match(pathToRegexp(k)); });
 
     if (!endpointKey) return true;
 
     if (endpoints[endpointKey].model && endpoints[endpointKey].model.settings) {
-        return endpoints[endpointKey].model.settings.authenticate;
+        if (typeof endpoints[endpointKey].model.settings.authenticate === 'boolean') {
+            return endpoints[endpointKey].model.settings.authenticate;
+        }
+        else {
+            return endpoints[endpointKey].model.settings.authenticate.indexOf(reqMethod) > -1;
+        }
     }
     else {
         return true;
@@ -82,9 +87,8 @@ module.exports = function (server) {
 
     // Authorize
     server.app.use(function (req, res, next) {
-
         // Let requests for tokens through, along with endpoints configured to not use authentication
-        if (req.url === tokenRoute || !mustAuthenticate(server.components, req.url)) return next();
+        if (req.url === tokenRoute || !mustAuthenticate(server.components, req.url, req.method)) return next();
 
         // require an authorization header for every request
         if (!(req.headers && req.headers.authorization)) return fail();

diff --git a/dadi/lib/help.js b/dadi/lib/help.js
@@ -20,11 +20,16 @@ module.exports.sendBackJSON = function (successCode, res, next) {
 
     var resBody = JSON.stringify(results);
 
-    // log response if it's already been sent
-    if (res.finished) {
-      log.info({res: res}, 'Response already sent. Attempting to send results: ' + resBody);
-      return;
-    }
+        res.setHeader('Server', config.get('server.name'));
+
+        if (config.get('cors') === true) {
+            res.setHeader('Access-Control-Allow-Origin', '*');
+            res.setHeader('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization');
+        }
+
+        res.setHeader('content-type', 'application/json');
+        res.setHeader('content-length', Buffer.byteLength(resBody));
+        res.end(resBody);
 
     res.setHeader('Server', config.get('server.name'));