From a00b72cc5395de10fd1a98ce93860e709497552d Mon Sep 17 00:00:00 2001 From: Eduardo Boucas Date: Sun, 21 Feb 2016 19:19:43 +0000 Subject: [PATCH] [WIP] Authentication on a per-method basis and CORS --- config.js | 5 +++++ dadi/lib/auth/index.js | 16 ++++++++++------ dadi/lib/help.js | 15 ++++++++++----- 3 files changed, 25 insertions(+), 11 deletions(-) diff --git a/config.js b/config.js index e3fc1867..5f4f8856 100755 --- a/config.js +++ b/config.js @@ -271,6 +271,11 @@ var conf = convict({ default: "development", env: "NODE_ENV", arg: "node_env" + }, + cors: { + doc: "If true, responses will include headers for cross-domain resource sharing", + format: Boolean, + default: false } }); diff --git a/dadi/lib/auth/index.js b/dadi/lib/auth/index.js index 01b787bf..1126099c 100755 --- a/dadi/lib/auth/index.js +++ b/dadi/lib/auth/index.js @@ -2,9 +2,9 @@ var url = require('url'); var _ = require('underscore'); var config = require(__dirname + '/../../../config.js'); var tokens = require(__dirname + '/tokens'); +var pathToRegexp = require('path-to-regexp'); -function mustAuthenticate(endpoints, path) { - +function mustAuthenticate(endpoints, path, reqMethod) { path = url.parse(path, true); // all /config requests must be authenticated 
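Review bot: The `doc` string for the new `cors` option does not say what the flag actually enables, which from the help.js hunk in this same patch is an unrestricted `Access-Control-Allow-Origin: *` plus `Authorization` in `Access-Control-Allow-Headers`; an operator reading only config.js would reasonably assume some origin restriction exists. State it plainly, e.g. `doc: "If true, every JSON response carries Access-Control-Allow-Origin: * (any origin) and Access-Control-Allow-Headers; there is no origin allow-list"`. A follow-up could accept an array of permitted origins here instead of a plain `Boolean`, but that is beyond this hunk.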
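Review bot: `path-to-regexp` becomes a hard runtime dependency on the added `require`, but the diffstat lists only config.js, auth/index.js and help.js, so package.json is not updated in this commit; unless the package is already declared (or only reachable transitively, which is fragile) the server will fail at startup with a module-not-found error. Add it to package.json's `dependencies` at a pinned version in the same change. The new `reqMethod` parameter also deserves a line above the function, e.g. `// reqMethod: the request's HTTP method (req.method), matched against a per-method authenticate setting`. mustAuthenticate's body continues outside this hunk.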
@@ -13,12 +13,17 @@ function mustAuthenticate(endpoints, path) { // docs requests don't need to be authenticated if (path.pathname.indexOf('docs') > 0) return false; - var endpointKey = _.find(_.keys(endpoints), function (k){ return k.indexOf(path.pathname) > -1; }); + var endpointKey = _.find(_.keys(endpoints), function (k){ return path.pathname.match(pathToRegexp(k)); }); if (!endpointKey) return true; if (endpoints[endpointKey].model && endpoints[endpointKey].model.settings) { - return endpoints[endpointKey].model.settings.authenticate; + if (typeof endpoints[endpointKey].model.settings.authenticate === 'boolean') { + return endpoints[endpointKey].model.settings.authenticate; + } + else { + return endpoints[endpointKey].model.settings.authenticate.indexOf(reqMethod) > -1; + } } else { return true; @@ -82,9 +87,8 @@ module.exports = function (server) { // Authorize server.app.use(function (req, res, next) { - // Let requests for tokens through, along with endpoints configured to not use authentication - if (req.url === tokenRoute || !mustAuthenticate(server.components, req.url)) return next(); + if (req.url === tokenRoute || !mustAuthenticate(server.components, req.url, req.method)) return next(); // require an authorization header for every request if (!(req.headers && req.headers.authorization)) return fail(); diff --git a/dadi/lib/help.js b/dadi/lib/help.js index a3a5f3a3..0e1a5264 100755 --- a/dadi/lib/help.js +++ b/dadi/lib/help.js 
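Review bot: The new `else` branch calls `.indexOf(reqMethod)` on `settings.authenticate` without checking it is an array, so a model whose settings object simply omits `authenticate` reaches it with `undefined` and throws a TypeError inside the auth middleware on every request to that endpoint (the old line returned the undefined value, which the caller treated as "no auth needed"). The same branch also fails open for any method not listed: with `authenticate: ['POST']`, GET, PUT, DELETE and OPTIONS need no token, which may be intended but should be explicit. I would replace the if/else with a guarded form: `var auth = endpoints[endpointKey].model.settings.authenticate;` / `if (typeof auth === 'boolean') return auth;` / `return Array.isArray(auth) ? auth.indexOf(reqMethod) > -1 : true;` so that a missing or malformed value requires a token rather than crashing or skipping the check. Note that Node reports `req.method` in upper case, so method names in settings must be upper-case too unless normalized here. mustAuthenticate starts in the previous hunk and this hunk ends inside its body.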
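Review bot: With the `cors` option this commit adds, browsers send an `OPTIONS` preflight without an Authorization header before any cross-origin request that carries one, and the changed condition still sends OPTIONS on to `if (!(req.headers && req.headers.authorization)) return fail();` whenever the endpoint's setting is `true` or does not list OPTIONS, so the preflight is rejected and the real request is never issued. Either let preflights through on this line, `if (req.url === tokenRoute || req.method === 'OPTIONS' || !mustAuthenticate(server.components, req.url, req.method)) return next();`, or answer OPTIONS in a dedicated CORS middleware registered ahead of this one; note that nothing in the patch emits `Access-Control-Allow-Methods` either. The explanatory comment removed with the old line should be kept above the new condition, e.g. `// Let token requests through, along with endpoints whose settings don't require authentication for this method`. The middleware function begins in this hunk's context but ends outside it.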
@@ -20,11 +20,16 @@ module.exports.sendBackJSON = function (successCode, res, next) { var resBody = JSON.stringify(results); - // log response if it's already been sent - if (res.finished) { - log.info({res: res}, 'Response already sent. Attempting to send results: ' + resBody); - return; - } + res.setHeader('Server', config.get('server.name')); + + if (config.get('cors') === true) { + res.setHeader('Access-Control-Allow-Origin', '*'); + res.setHeader('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization'); + } + + res.setHeader('content-type', 'application/json'); + res.setHeader('content-length', Buffer.byteLength(resBody)); + res.end(resBody); res.setHeader('Server', config.get('server.name'));