Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add support for scoped access tokens
Define a new property `AccessToken.scopes` to contain the list of scopes granted to this access token. Define a new remote method metadata `accessScopes` to contain a list of scope name required by this method. Define a special built-in scope name "DEFAULT" that's used when a method/token does not provide any scopes. This allows access tokens to grant access to both the default scope and any additional custom scopes at the same time. Modify the authorization algorithm to ensure that at least one of the scopes required by a remote method is allowed by the scopes granted to the requesting access token. The "DEFAULT" scope preserve backwards compatibility because existing remote methods with no `accessScopes` can be accessed by (existing) access tokens with no `scopes` defined. Impact on existing applications: - Database schema must be updated after upgrading the loopback version - If the application was already using a custom `AccessToken.scopes` property with a type different from an array, then the relevant code must be updated to work with the new type "array of strings".
- Loading branch information
Showing
7 changed files
with
182 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,130 @@ | ||
'use strict'; | ||
|
||
const loopback = require('../'); | ||
const supertest = require('supertest'); | ||
const strongErrorHandler = require('strong-error-handler'); | ||
|
||
describe('Authorization scopes', () => { | ||
const CUSTOM_SCOPE = 'read:custom'; | ||
|
||
let app, request, User, testUser, regularToken, scopedToken; | ||
beforeEach(givenAppAndRequest); | ||
beforeEach(givenRemoteMethodWithCustomScope); | ||
beforeEach(givenUser); | ||
beforeEach(givenDefaultToken); | ||
beforeEach(givenScopedToken); | ||
|
||
it('denies regular token to invoke custom-scoped method', () => { | ||
logServerErrorsOtherThan(401); | ||
return request.get('/users/scoped') | ||
.set('Authorization', regularToken.id) | ||
.expect(401); | ||
}); | ||
|
||
it('allows regular tokens to invoke default-scoped method', () => { | ||
logAllServerErrors(); | ||
return request.get('/users/' + testUser.id) | ||
.set('Authorization', regularToken.id) | ||
.expect(200); | ||
}); | ||
|
||
it('allows scoped token to invoke custom-scoped method', () => { | ||
logAllServerErrors(); | ||
return request.get('/users/scoped') | ||
.set('Authorization', scopedToken.id) | ||
.expect(204); | ||
}); | ||
|
||
it('denies scoped token to invoke default-scoped method', () => { | ||
logServerErrorsOtherThan(401); | ||
return request.get('/users/' + testUser.id) | ||
.set('Authorization', scopedToken.id) | ||
.expect(401); | ||
}); | ||
|
||
describe('token granted both default and custom scope', () => { | ||
beforeEach('given token with default and custom scope', | ||
() => givenScopedToken(['DEFAULT', CUSTOM_SCOPE])); | ||
beforeEach(logAllServerErrors); | ||
|
||
it('allows invocation of default-scoped method', () => { | ||
return request.get('/users/' + testUser.id) | ||
.set('Authorization', scopedToken.id) | ||
.expect(200); | ||
}); | ||
|
||
it('allows invocation of custom-scoped method', () => { | ||
return request.get('/users/scoped') | ||
.set('Authorization', scopedToken.id) | ||
.expect(204); | ||
}); | ||
}); | ||
|
||
it('allows invocation when at least one method scope is matched', () => { | ||
givenRemoteMethodWithCustomScope(['read', 'write']); | ||
givenScopedToken(['read', 'execute']).then(() => { | ||
return request.get('/users/scoped') | ||
.set('Authorization', scopedToken.id) | ||
.expect(204); | ||
}); | ||
}); | ||
|
||
function givenAppAndRequest() { | ||
app = loopback({localRegistry: true, loadBuiltinModels: true}); | ||
app.set('remoting', {rest: {handleErrors: false}}); | ||
app.dataSource('db', {connector: 'memory'}); | ||
app.enableAuth({dataSource: 'db'}); | ||
request = supertest(app); | ||
|
||
app.use(loopback.rest()); | ||
|
||
User = app.models.User; | ||
} | ||
|
||
function givenRemoteMethodWithCustomScope() { | ||
const accessScopes = arguments[0] || [CUSTOM_SCOPE]; | ||
User.scoped = function(cb) { cb(); }; | ||
User.remoteMethod('scoped', { | ||
accessScopes, | ||
http: {verb: 'GET', path: '/scoped'}, | ||
}); | ||
User.settings.acls.push({ | ||
principalType: 'ROLE', | ||
principalId: '$authenticated', | ||
permission: 'ALLOW', | ||
property: 'scoped', | ||
accessType: 'EXECUTE', | ||
}); | ||
} | ||
|
||
function givenUser() { | ||
return User.create({email: 'test@example.com', password: 'pass'}) | ||
.then(u => testUser = u); | ||
} | ||
|
||
function givenDefaultToken() { | ||
return testUser.createAccessToken(60) | ||
.then(t => regularToken = t); | ||
} | ||
|
||
function givenScopedToken() { | ||
const scopes = arguments[0] || [CUSTOM_SCOPE]; | ||
return testUser.accessTokens.create({ttl: 60, scopes}) | ||
.then(t => scopedToken = t); | ||
} | ||
|
||
function logAllServerErrors() { | ||
logServerErrorsOtherThan(-1); | ||
} | ||
|
||
function logServerErrorsOtherThan(statusCode) { | ||
app.use((err, req, res, next) => { | ||
if ((err.statusCode || 500) !== statusCode) { | ||
console.log('Unhandled error for request %s %s: %s', | ||
req.method, req.url, err.stack || err); | ||
} | ||
res.statusCode = err.statusCode || 500; | ||
res.json(err); | ||
}); | ||
} | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters