Merge pull request #2 from kozzztya/deny-not-allowed

Deny not allowed routes
kostia-official · May 6, 2017 · 3fa43e4 · 3fa43e4
2 parents 69745f4 + 34501ea
commit 3fa43e4
Show file tree

Hide file tree

Showing 10 changed files with 67 additions and 38 deletions.
diff --git a/README.md b/README.md
@@ -20,6 +20,7 @@ const app = feathers();
 app.configure(rest())
   .configure(services)
   .configure(acl(aclConfig, {
+    denyNotAllowed: true,   // deny all routes without "allow" rules
     mongooseConnection: db, // need for owner rule
     jwt: {
       secret: 'blab',

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "feathers-acl",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "Declarative ACL for FeathersJS and Express apps",
   "main": "dist/index.js",
   "scripts": {

diff --git a/src/deny-not-allowed.js b/src/deny-not-allowed.js
@@ -0,0 +1,6 @@
+const _ = require('lodash');
+
+module.exports = () => (req, res, next) => {
+  if (!_.has(req, 'acl.allowed')) return res.status(403).send('Route is not allowed.');
+  next();
+};
diff --git a/src/index.js b/src/index.js
@@ -1,22 +1,24 @@
 const _ = require('lodash');
 const ruleChecker = require('./rule-checker');
 const jwtDecode = require('./jwt-decode');
+const denyNotAllowed = require('./deny-not-allowed');
 
-module.exports = (configs, { customRules, mongooseConnection, jwt } = {}) => function () {
+module.exports = (configs, options = {}) => function () {
   const app = this;
-  if (jwt) app.use(jwtDecode(jwt));
 
-  const check = ruleChecker({ customRules, mongooseConnection, jwt });
+  const check = ruleChecker(options);
+  if (options.jwt) app.use(jwtDecode(options.jwt));
 
   _.forEach(configs, ({ url, method, allow }) => {
-
     app.all(url, (req, res, next) => {
       if (method !== req.method) return next();
+      req.acl = { allowed: true };
 
       check(req.payload, allow, req)
         .then(() => next())
         .catch(err => res.status(err.status || 500).send(err.message));
     });
-
   });
+
+  if (options.denyNotAllowed) app.use(denyNotAllowed());
 };
diff --git a/test/env/app.js b/test/env/app.js
@@ -8,20 +8,22 @@ const lib = require('../../src');
 const db = require('./db');
 const jwt = require('./jwt');
 
-module.exports = (config, customRules, payload) => {
+module.exports = (config, options, payload) => {
   const app = feathers();
 
   app.use(bodyParser.json());
   app.use(bodyParser.urlencoded({ extended: true }));
   app.configure(rest());
   app.configure(hooks());
   app.use((req, res, next) => {
+    if (payload) req.payload = payload;
     if (payload) req.headers.authorization = jwt.sign(payload);
     next();
   });
-  app.configure(lib(config, {
-    customRules, mongooseConnection: db, jwt: { secret: jwt.secret }
-  }));
+  app.configure(lib(config, options &&
+    Object.assign({
+      mongooseConnection: db, jwt: { secret: jwt.secret }, denyNotAllowed: true
+    }, options)));
   app.service('/posts', new Service({
     Model: db.model('posts')
   }));

diff --git a/test/integration/deny-not-allowed.test.js b/test/integration/deny-not-allowed.test.js
@@ -0,0 +1,27 @@
+const { test, App } = require('../env');
+
+const config = [
+  {
+    url: '/posts', method: 'GET',
+    allow: { roles: ['client'] }
+  }
+];
+
+test('should be allowed to read for client', async (t) => {
+  const app = App(config, {}, { roles: ['client'] });
+  const { error } = await app.get('/posts');
+  t.falsy(error);
+});
+
+test('should be allowed to delete all if no option set', async (t) => {
+  const app = App(config, { denyNotAllowed: false }, { roles: ['client'] });
+  const { error } = await app.delete('/posts');
+  t.falsy(error);
+});
+
+test('should be denied to delete all for client', async (t) => {
+  const app = App(config, {}, { roles: ['client'] });
+  const { error } = await app.delete('/posts');
+  t.is(error.status, 403);
+  t.is(error.text, 'Route is not allowed.');
+});
diff --git a/test/integration/lib-options.test.js b/test/integration/lib-options.test.js
@@ -0,0 +1,12 @@
+const { test, App } = require('../env');
+
+const config = [{
+  url: '/posts', method: 'GET',
+  allow: { roles: ['client'] }
+}];
+
+test('should work without options', async (t) => {
+  const app = App(config, undefined, { roles: ['client'] });
+  const { error } = await app.get('/posts');
+  t.falsy(error);
+});
diff --git a/test/integration/rules.test.js b/test/integration/rules.test.js
@@ -1,6 +1,9 @@
 const { test, App } = require('../env');
 
 const config = [{
+  url: '/posts', method: 'POST',
+  allow: { roles: ['admin'] }
+}, {
   url: '/posts/:id', method: 'GET',
   allow: {
     owner: { where: { _id: '{params.id}' }, model: 'posts', ownerField: 'userId' },

diff --git a/test/integration/url.test.js b/test/integration/url.test.js
@@ -1,6 +1,10 @@
 const { test, App } = require('../env');
 
 const config = [
+  {
+    url: '/posts', method: 'POST',
+    allow: { roles: ['client'] }
+  },
   {
     url: '/posts', method: 'GET',
     allow: { roles: ['admin'] }
@@ -40,11 +44,3 @@ test('should be denied to read one post for admin', async (t) => {
 
   t.truthy(error);
 });
-
-test('should be allowed to delete post if no acl set', async (t) => {
-  const app = App(config, {}, {});
-  const post = await app.post('/posts');
-  const { error } = await app.delete('/posts/' + post.body._id);
-
-  t.falsy(error);
-});
diff --git a/test/unit/lib-arguments.test.js b/test/unit/lib-arguments.test.js