feat: indicate that upstream caching should not be allowed (#2)

* feat: indicate that upstream caching should not be allowed since this plugin does its own caching * make lockTime configurable via env var
npm · Dec 19, 2016 · 39c6bc3 · 39c6bc3
1 parent 8e957c0
commit 39c6bc3
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 1 deletion.
diff --git a/lib/authorizer.js b/lib/authorizer.js
@@ -18,6 +18,9 @@ AuthorizerOAuth2.prototype.authorize = AuthorizerOAuth2.prototype.whoami = funct
     if (err) return cb(err)
     else if (!user.accessToken) return _this.session.oauthURL(cb, token)
     else {
+      // since this plugin manages its own caching, let the upstream service
+      // know that it should not cache results itself
+      user.cacheAllowed = false
       // we hold a lock in redis for a few minutes, to prevent
       // a thundering herd of auth requests.
       _this.session.checkLock(token, function (locked) {

diff --git a/lib/session.js b/lib/session.js
@@ -6,7 +6,7 @@ function SessionOAuth2 (opts) {
   _.extend(this, {
     sessionLookupPrefix: 'user-',
     sessionLockPrefix: 'user-token-lock-',
-    lockTime: 300,
+    lockTime: toInt(process.env.AUTHZ_CACHE_DEFAULT_TTL_SECONDS, 300),
     client: redis.createClient(process.env.LOGIN_CACHE_REDIS),
     clientId: process.env.OAUTH2_CLIENT_ID,
     clientSecret: process.env.OAUTH2_CLIENT_SECRET,
@@ -113,4 +113,9 @@ function error500 () {
   return error
 }
 
+function toInt (val, _default) {
+  const integer = parseInt(val, 10)
+  return isNaN(integer) ? _default : integer
+}
+
 module.exports = SessionOAuth2
diff --git a/test/authorizer.js b/test/authorizer.js
@@ -103,6 +103,57 @@ tap.test('it returns error with login url if SSO dance is not complete', functio
   })
 })
 
+tap.test('it indicates that upstream caching is not allowed with OAuth-verified response', t => {
+  var authorizer = new Authorizer()
+  var profile = nock('https://api.github.com')
+    .get('/user')
+    .reply(200)
+
+  session.unlock('ben@example.com-abc123')
+
+  session.set('ben@example.com-abc123', userComplete, function (err) {
+    t.equal(err, null)
+    authorizer.authorize({
+      headers: {
+        authorization: 'Bearer ben@example.com-abc123'
+      }
+    }, function (err, user) {
+      authorizer.end()
+      session.unlock('ben@example.com-abc123')
+      session.delete('ben@example.com-abc123')
+
+      profile.done()
+      t.equal(err, null)
+      t.equal(user.email, 'ben@example.com')
+      t.equal(user.cacheAllowed, false)
+      t.end()
+    })
+  })
+})
+
+tap.test('it indicates that upstream caching is not allowed with cached response', t => {
+  var authorizer = new Authorizer()
+
+  session.lock('ben@example.com-abc123')
+  session.set('ben@example.com-abc123', userComplete, function (err) {
+    t.equal(err, null)
+    authorizer.authorize({
+      headers: {
+        authorization: 'Bearer ben@example.com-abc123'
+      }
+    }, function (err, user) {
+      authorizer.end()
+      session.delete('ben@example.com-abc123')
+      session.unlock('ben@example.com-abc123')
+
+      t.equal(err, null)
+      t.equal(user.email, 'ben@example.com')
+      t.equal(user.cacheAllowed, false)
+      t.end()
+    })
+  })
+})
+
 tap.test('after', function (t) {
   session.end(true)
   t.end()