From 053346fe572bf2deac02e90a8b70820796511c16 Mon Sep 17 00:00:00 2001
From: nexdrew
Date: Mon, 12 Dec 2016 15:23:56 -0500
Subject: [PATCH 1/2] feat: indicate that upstream caching should not be allowed since this plugin does its own caching
---
 lib/authorizer.js | 3 +++
 test/authorizer.js | 51 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
diff --git a/lib/authorizer.js b/lib/authorizer.js
index 6b65a73..4bf5ced 100644
--- a/lib/authorizer.js
+++ b/lib/authorizer.js
@@ -18,6 +18,9 @@ AuthorizerOAuth2.prototype.authorize = AuthorizerOAuth2.prototype.whoami = funct
 if (err) return cb(err)
 else if (!user.accessToken) return _this.session.oauthURL(cb, token)
 else {
+ // since this plugin manages its own caching, let the upstream service
+ // know that it should not cache results itself
+ user.cacheAllowed = false
 // we hold a lock in redis for a few minutes, to prevent
 // a thundering herd of auth requests.
 _this.session.checkLock(token, function (locked) {
diff --git a/test/authorizer.js b/test/authorizer.js
index d1c47c7..d4b4a0c 100644
--- a/test/authorizer.js
+++ b/test/authorizer.js
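Review bot: The new `user.cacheAllowed = false` assignment introduces a property whose consumer is never named, so the comment above it explains why the flag exists but not who is expected to read it or what happens if it is absent. Suggest extending the comment to `// cacheAllowed is read by the upstream service that calls authorize(); it must stay false because the redis lock below appears to be what bounds how long a result is reused`. Placing the assignment before `checkLock` means both the locked and the re-verified branch should inherit the flag, provided both pass this same `user` object to `cb` — the two tests added in test/authorizer.js are what establish that, and this note relies on them rather than on code visible here. The enclosing callback starts and ends outside the hunk.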
@@ -103,6 +103,57 @@ tap.test('it returns error with login url if SSO dance is not complete', functio
 })
 })
 
+tap.test('it indicates that upstream caching is not allowed with OAuth-verified response', t => {
+ var authorizer = new Authorizer()
+ var profile = nock('https://api.github.com')
+ .get('/user')
+ .reply(200)
+
+ session.unlock('ben@example.com-abc123')
+
+ session.set('ben@example.com-abc123', userComplete, function (err) {
+ t.equal(err, null)
+ authorizer.authorize({
+ headers: {
+ authorization: 'Bearer ben@example.com-abc123'
+ }
+ }, function (err, user) {
+ authorizer.end()
+ session.unlock('ben@example.com-abc123')
+ session.delete('ben@example.com-abc123')
+
+ profile.done()
+ t.equal(err, null)
+ t.equal(user.email, 'ben@example.com')
+ t.equal(user.cacheAllowed, false)
+ t.end()
+ })
+ })
+})
+
+tap.test('it indicates that upstream caching is not allowed with cached response', t => {
+ var authorizer = new Authorizer()
+
+ session.lock('ben@example.com-abc123')
+ session.set('ben@example.com-abc123', userComplete, function (err) {
+ t.equal(err, null)
+ authorizer.authorize({
+ headers: {
+ authorization: 'Bearer ben@example.com-abc123'
+ }
+ }, function (err, user) {
+ authorizer.end()
+ session.delete('ben@example.com-abc123')
+ session.unlock('ben@example.com-abc123')
+
+ t.equal(err, null)
+ t.equal(user.email, 'ben@example.com')
+ t.equal(user.cacheAllowed, false)
+ t.end()
+ })
+ })
+})
+
 tap.test('after', function (t) {
 session.end(true)
 t.end()
From 596f5837c09a98b63e5f4d8671d6d29258a8eb60 Mon Sep 17 00:00:00 2001
From: nexdrew
Date: Wed, 14 Dec 2016 15:14:17 -0500
Subject: [PATCH 2/2] make lockTime configurable via env var
---
 lib/session.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/session.js b/lib/session.js
index 1a91157..c1ee153 100644
--- a/lib/session.js
+++ b/lib/session.js
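Review bot: The second test ("cached response") asserts `cacheAllowed` but never asserts that GitHub was not contacted, so it does not actually prove the locked path was taken — a request slipping past the lock would go to the network (or fail on nock, if the file elsewhere disables net connect, which the hunk does not show) rather than fail the assertion it is named for. Mirroring the first test with a scope and checking it stays pending would pin it: `var profile = nock('https://api.github.com').get('/user').reply(200)` before `session.lock(...)`, and `t.notOk(profile.isDone())` next to the existing `t.equal(user.cacheAllowed, false)`. As a point of style, both new tests use `t => {` while the neighbouring tests (`tap.test('after', function (t) {` and the hunk header's truncated `functio`) use function expressions; matching the surrounding style keeps the file uniform. The two tests also release the key in opposite order (`unlock` then `delete` versus `delete` then `unlock`), which reads as accidental.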
@@ -6,7 +6,7 @@ function SessionOAuth2 (opts) {
 _.extend(this, {
 sessionLookupPrefix: 'user-',
 sessionLockPrefix: 'user-token-lock-',
- lockTime: 300,
+ lockTime: toInt(process.env.AUTHZ_CACHE_DEFAULT_TTL_SECONDS, 300),
 client: redis.createClient(process.env.LOGIN_CACHE_REDIS),
 clientId: process.env.OAUTH2_CLIENT_ID,
 clientSecret: process.env.OAUTH2_CLIENT_SECRET,
@@ -113,4 +113,9 @@ function error500 () {
 return error
 }
 
+function toInt (val, _default) {
+ const integer = parseInt(val, 10)
+ return isNaN(integer) ? _default : integer
+}
+
 module.exports = SessionOAuth2
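Review bot: `lockTime` is now operator-controlled through `AUTHZ_CACHE_DEFAULT_TTL_SECONDS`, but nothing here documents what the lock time governs or that the unit is seconds beyond the variable's name, and the env var name talks about a cache TTL while the field is called a lock time. A comment above the changed line would close that gap: `// seconds the per-token redis lock is held (see authorizer's checkLock); also acts as the cache TTL for a verified result. Default 300.` — the "cache TTL" half is my inference from the first commit's comments and should be confirmed. The value goes straight into `toInt` (second hunk of this file), which is where the input checking belongs; see the note there. The enclosing `_.extend` call starts before the hunk.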
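Review bot: `toInt` falls back to `_default` only when `parseInt` yields NaN, so `AUTHZ_CACHE_DEFAULT_TTL_SECONDS` values of `0`, `-5` or `30abc` are accepted as 0, -5 and 30 and become the lock time; for a setting that bounds how long an authorization result stays trusted, a non-positive value should fall back to the default rather than silently shorten or break the lock. Suggest `return Number.isInteger(integer) && integer > 0 ? integer : _default`, and a JSDoc line stating that anything other than a positive integer yields `_default`. If the trailing-garbage case (`30abc` → 30) matters, parsing with `Number(val)` under the same guard rejects it, at the cost of also rejecting values such as `30 ` with stray whitespace unless trimmed first.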