Accept full config for domains

.npmignore

@@ -3,6 +3,7 @@ domains/
 images/
 public/
 test/
+workspace/_exif/
 workspace/_tmp/
 log/
 cache/

config.js

@@ -246,9 +246,10 @@ const schema = {
         allowDomainOverride: true
       },
       path: {
-        doc: 'The remote host to request images from, for example http://media.example.com',
+        doc: 'The path to the assets directory',
         format: String,
-        default: './public'
+        default: './public',
+        allowDomainOverride: true
       }
     },
     s3: {
@@ -422,14 +423,14 @@ const schema = {
     clientId: {
       doc: 'Client ID used to access protected endpoints',
       format: String,
-      default: '1235488',
+      default: null,
       env: 'AUTH_TOKEN_ID',
       allowDomainOverride: true
     },
     secret: {
       doc: 'Client secret used to access protected endpoints',
       format: String,
-      default: 'asd544see68e52',
+      default: null,
       env: 'AUTH_TOKEN_SECRET',
       allowDomainOverride: true
     },
@@ -444,7 +445,7 @@ const schema = {
       doc: 'Private key for signing JSON Web Tokens',
       format: String,
       env: 'AUTH_KEY',
-      default: 'YOU-MUST-CHANGE-ME-NOW!',
+      default: null,
       allowDomainOverride: true
     }
   },

config/config.test.json.sample

@@ -67,7 +67,8 @@
   },
   "auth": {
     "clientId": "test",
-    "secret": "test"
+    "secret": "test",
+    "privateKey": "test"
   },
   "cloudfront": {
     "accessKey": "",

dadi/lib/auth/index.js

@@ -64,6 +64,17 @@ module.exports = function (router) {
     let clientId = req.body.clientId
     let secret = req.body.secret
 
+    // Fail if the auth.clientId or auth.secret haven't been set.
+    if (!clientId || !secret) {
+      return fail('NoAccess', res)
+    }
+
+    // Fail if the auth.privateKey hasn't been set.
+    if (!config.get('auth.privateKey')) {
+      return fail('NoPrivateKey', res)
+    }
+
+    // Fail if the auth.clientId and auth.secret don't match the configured values.
     if (
       clientId !== config.get('auth.clientId', req.__domain) ||
       secret !== config.get('auth.secret', req.__domain)
@@ -104,6 +115,9 @@ module.exports = function (router) {
       case 'InvalidToken':
         res.setHeader('WWW-Authenticate', 'Bearer, error="invalid_token", error_description="Invalid or expired access token"')
         break
+      case 'NoPrivateKey':
+        res.setHeader('WWW-Authenticate', 'Bearer, error="no_private_key", error_description="No private key configured in auth.privateKey"')
+        break
       default:
         res.setHeader('WWW-Authenticate', 'Bearer realm="/token"')
     }

dadi/lib/controller/domain.js

@@ -18,30 +18,8 @@ module.exports.post = (req, res) => {
 
   domains.forEach(item => {
     if (!DomainManager.getDomain(item.domain)) {
-      // Prepare the domain configuration.
-      let configContent = {
-        images: {
-          directory: {
-            enabled: false
-          },
-          remote: {
-            enabled: true,
-            path: item.data.remote.path
-          }
-        },
-        assets: {
-          directory: {
-            enabled: false
-          },
-          remote: {
-            enabled: true,
-            path: item.data.remote.path
-          }
-        }
-      }
-
       // Add the domain configuration.
-      DomainManager.addDomain(item.domain, configContent)
+      DomainManager.addDomain(item.domain, item.data)
     }
   })
 
@@ -55,11 +33,19 @@ module.exports.post = (req, res) => {
  * Accept PUT requests for modifying domains in the internal domain configuration.
  */
 module.exports.put = (req, res) => {
+  // Don't accept an empty body
+  if (!req.body || !req.body.data) {
+    return help.sendBackJSON(400, {
+      success: false,
+      errors: ['Bad Request']
+    }, res)
+  }
+
   let domain = req.params.domain
-  let payload = req.body
+  let configSchema = req.body.data
 
   // Don't accept an empty param.
-  if (!domain || Object.keys(payload).length === 0) {
+  if (!domain || Object.keys(configSchema).length === 0) {
     return help.sendBackJSON(400, {
       success: false,
       errors: ['Bad Request']
@@ -74,30 +60,8 @@ module.exports.put = (req, res) => {
     }, res)
   }
 
-  // Prepare the domain configuration.
-  let configContent = {
-    images: {
-      directory: {
-        enabled: false
-      },
-      remote: {
-        enabled: true,
-        path: payload.remote.path
-      }
-    },
-    assets: {
-      directory: {
-        enabled: false
-      },
-      remote: {
-        enabled: true,
-        path: payload.remote.path
-      }
-    }
-  }
-
   // Update the domain configuration.
-  DomainManager.addDomain(domain, configContent)
+  DomainManager.addDomain(domain, configSchema)
 
   return help.sendBackJSON(200, {
     success: true,

test/acceptance/auth.js

@@ -20,6 +20,13 @@ describe('Authentication', function () {
     })
   })
 
+  beforeEach(done => {
+    config.set('auth.clientId', 'test')
+    config.set('auth.secret', 'test')
+    config.set('auth.privateKey', 'test')
+    done()
+  })
+
   after(done => {
     app.stop(done)
   })
@@ -55,6 +62,41 @@ describe('Authentication', function () {
       .expect(401, done)
   })
 
+  it('should not issue token if credentials are the null defaults', done => {
+    config.set('auth.clientId', null)
+    config.set('auth.secret', null)
+
+    request(cdnUrl)
+      .post(tokenRoute)
+      .send({
+        clientId: 'test123',
+        secret: 'badSecret',
+        code: ' '
+      })
+      .end((err, res) => {
+        res.statusCode.should.eql(401)
+        res.headers['www-authenticate'].should.eql('Bearer realm="/token"')
+        done()
+      })
+  })
+
+  it('should not issue token if privateKey for token signing is not set', done => {
+    config.set('auth.privateKey', null)
+
+    request(cdnUrl)
+      .post(tokenRoute)
+      .send({
+        clientId: 'test123',
+        secret: 'badSecret',
+        code: ' '
+      })
+      .end((err, res) => {
+        res.statusCode.should.eql(401)
+        res.headers['www-authenticate'].should.eql('Bearer, error="no_private_key", error_description="No private key configured in auth.privateKey"')
+        done()
+      })
+  })
+
   it('should allow `/api/flush` request containing token', done => {
     help.getBearerToken((err, token) => {
       request(cdnUrl)
@@ -113,19 +155,27 @@ describe('Authentication', function () {
       config.set('multiDomain.directory', 'domains')
 
       config.loadDomainConfigs()
+
+      config.set('auth.clientId', 'testxyz', 'testdomain.com')
+      config.set('auth.secret', 'testabc', 'testdomain.com')
+      config.set('auth.privateKey', 'test123', 'testdomain.com')
     })
 
     after(() => {
       config.set('multiDomain.enabled', configBackup.multiDomain.enabled)
       config.set('multiDomain.directory', configBackup.multiDomain.directory)
+
+      config.set('auth.clientId', 'test', 'testdomain.com')
+      config.set('auth.secret', 'test', 'testdomain.com')
+      config.set('auth.privateKey', 'test', 'testdomain.com')
     })
 
     it('should encode the domain in the JWT', done => {
       request(cdnUrl)
         .post(tokenRoute)
         .send({
-          clientId: 'test',
-          secret: 'test'
+          clientId: 'testxyz',
+          secret: 'testabc'
         })
         .set('host', 'testdomain.com:80')
         .expect('content-type', 'application/json')
@@ -139,7 +189,7 @@ describe('Authentication', function () {
 
           jwt.verify(
             res.body.accessToken,
-            config.get('auth.privateKey'),
+            config.get('auth.privateKey', 'testdomain.com'),
             (err, decoded) => {
               if (err) return done(err)
 
@@ -155,8 +205,8 @@ describe('Authentication', function () {
       request(cdnUrl)
         .post(tokenRoute)
         .send({
-          clientId: 'test',
-          secret: 'test'
+          clientId: 'testxyz',
+          secret: 'testabc'
         })
         .set('host', 'testdomain.com:80')
         .expect('content-type', 'application/json')

test/acceptance/cache.js

@@ -256,6 +256,10 @@ describe('Cache', function () {
       before(() => {
         config.set('multiDomain.enabled', true)
         config.loadDomainConfigs()
+
+        config.set('auth.clientId', 'test')
+        config.set('auth.secret', 'test')
+        config.set('auth.privateKey', 'test')
       })
 
       after(() => {