CartoDB-SQL-API/lib/auth/apikey.js

'use strict';

/**
 * this module allows to auth user using an pregenerated api key
 */
function ApikeyAuth (req, metadataBackend, username, apikeyToken) {
    this.req = req;
    this.metadataBackend = metadataBackend;
    this.username = username;
    this.apikeyToken = apikeyToken;
}

module.exports = ApikeyAuth;

function usernameMatches (basicAuthUsername, requestUsername) {
    return !(basicAuthUsername && (basicAuthUsername !== requestUsername));
}

ApikeyAuth.prototype.verifyCredentials = function (callback) {
    this.metadataBackend.getApikey(this.username, this.apikeyToken, (err, apikey) => {
        if (err) {
            err.http_status = 500;
            err.message = 'Unexpected error';

            return callback(err);
        }

        if (isApiKeyFound(apikey)) {
            if (!usernameMatches(apikey.user, this.username)) {
                const usernameError = new Error('Forbidden');
                usernameError.type = 'auth';
                usernameError.subtype = 'api-key-username-mismatch';
                usernameError.http_status = 403;

                return callback(usernameError);
            }

            if (!apikey.grantsSql) {
                const forbiddenError = new Error('forbidden');
                forbiddenError.http_status = 403;

                return callback(forbiddenError);
            }

            return callback(null, getAuthorizationLevel(apikey));
        } else {
            const apiKeyNotFoundError = new Error('Unauthorized');
            apiKeyNotFoundError.type = 'auth';
            apiKeyNotFoundError.subtype = 'api-key-not-found';
            apiKeyNotFoundError.http_status = 401;

            return callback(apiKeyNotFoundError);
        }
    });
};

ApikeyAuth.prototype.hasCredentials = function () {
    return !!this.apikeyToken;
};

ApikeyAuth.prototype.getCredentials = function () {
    return this.apikeyToken;
};

function getAuthorizationLevel (apikey) {
    return apikey.type;
}

function isApiKeyFound (apikey) {
    return apikey.type !== null &&
        apikey.user !== null &&
        apikey.databasePassword !== null &&
        apikey.databaseRole !== null;
}
Use strict mode 2018-10-24 21:42:33 +08:00			`'use strict';`

added auth using api token 2011-12-27 02:16:41 +08:00			`/**`
			`* this module allows to auth user using an pregenerated api key`
			`*/`
Run eslint --fix 2019-12-24 01:19:08 +08:00			`function ApikeyAuth (req, metadataBackend, username, apikeyToken) {`
New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`this.req = req;`
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00			`this.metadataBackend = metadataBackend;`
			`this.username = username;`
refactor apikey to apikeyToken 2018-06-05 19:13:09 +08:00			`this.apikeyToken = apikeyToken;`
Generalize CartoDB username extraction, allowing for multiuser setups Closes #124 2013-12-18 18:57:46 +08:00			`}`

			`module.exports = ApikeyAuth;`

Run eslint --fix 2019-12-24 01:19:08 +08:00			`function usernameMatches (basicAuthUsername, requestUsername) {`
remove api key fallback 2018-05-17 23:13:59 +08:00			`return !(basicAuthUsername && (basicAuthUsername !== requestUsername));`
			`}`

Fix common interface for auth-backends 2018-02-27 02:02:05 +08:00			`ApikeyAuth.prototype.verifyCredentials = function (callback) {`
refactor apikey to apikeyToken 2018-06-05 19:13:09 +08:00			`this.metadataBackend.getApikey(this.username, this.apikeyToken, (err, apikey) => {`
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00			`if (err) {`
check user exists in user middleware This way, we keep sending a 404 error if the user does not exist. 2018-05-29 19:23:50 +08:00			`err.http_status = 500;`
reduce error info 2018-06-06 21:23:53 +08:00			`err.message = 'Unexpected error';`
Template for User not found error 2018-02-23 00:49:02 +08:00
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00			`return callback(err);`
			`}`
please jshint 2018-05-18 17:35:54 +08:00
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00			`if (isApiKeyFound(apikey)) {`
remove api key fallback 2018-05-17 23:13:59 +08:00			`if (!usernameMatches(apikey.user, this.username)) {`
please jshint 2018-05-18 17:35:54 +08:00			`const usernameError = new Error('Forbidden');`
			`usernameError.type = 'auth';`
			`usernameError.subtype = 'api-key-username-mismatch';`
			`usernameError.http_status = 403;`
remove api key fallback 2018-05-17 23:13:59 +08:00
please jshint 2018-05-18 17:35:54 +08:00			`return callback(usernameError);`
remove api key fallback 2018-05-17 23:13:59 +08:00			`}`
Use strict mode 2018-10-24 21:42:33 +08:00
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00			`if (!apikey.grantsSql) {`
			`const forbiddenError = new Error('forbidden');`
			`forbiddenError.http_status = 403;`

			`return callback(forbiddenError);`
			`}`

refactor authenticated to authorizationLevel 2018-06-05 19:21:56 +08:00			`return callback(null, getAuthorizationLevel(apikey));`
Run eslint --fix 2019-12-24 01:19:08 +08:00			`} else {`
please jshint 2018-05-18 17:35:54 +08:00			`const apiKeyNotFoundError = new Error('Unauthorized');`
			`apiKeyNotFoundError.type = 'auth';`
			`apiKeyNotFoundError.subtype = 'api-key-not-found';`
			`apiKeyNotFoundError.http_status = 401;`
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00
Use strict mode 2018-10-24 21:42:33 +08:00			`return callback(apiKeyNotFoundError);`
			`}`
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00			`});`
New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`};`

Get api_key from specific middleware and save it into res.locals 2018-02-16 00:23:35 +08:00			`ApikeyAuth.prototype.hasCredentials = function () {`
refactor apikey to apikeyToken 2018-06-05 19:13:09 +08:00			`return !!this.apikeyToken;`
New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`};`

Get api_key from specific middleware and save it into res.locals 2018-02-16 00:23:35 +08:00			`ApikeyAuth.prototype.getCredentials = function () {`
refactor apikey to apikeyToken 2018-06-05 19:13:09 +08:00			`return this.apikeyToken;`
Implement new auth system based on api-key tokens with scoped permissions 2017-11-25 00:57:54 +08:00			`};`

Run eslint --fix 2019-12-24 01:19:08 +08:00			`function getAuthorizationLevel (apikey) {`
refactor authenticated to authorizationLevel 2018-06-05 19:21:56 +08:00			`return apikey.type;`
New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`}`
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00
Run eslint --fix 2019-12-24 01:19:08 +08:00			`function isApiKeyFound (apikey) {`
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00			`return apikey.type !== null &&`
			`apikey.user !== null &&`
			`apikey.databasePassword !== null &&`
			`apikey.databaseRole !== null;`
			`}`