CartoDB-SQL-API/app/auth/apikey.js

/**
 * this module allows to auth user using an pregenerated api key
 */
function ApikeyAuth(req, metadataBackend, username, apikey) {
    this.req = req;
    this.metadataBackend = metadataBackend;
    this.username = username;
    this.apikey = apikey;
}

module.exports = ApikeyAuth;

function errorUserNotFoundMessageTemplate (user) {
    return `Sorry, we can't find CARTO user '${user}'. Please check that you have entered the correct domain.`;
}

function usernameMatches(basicAuthUsername, requestUsername) {
    return !(basicAuthUsername && (basicAuthUsername !== requestUsername));
}

ApikeyAuth.prototype.verifyCredentials = function (callback) {
    this.metadataBackend.getApikey(this.username, this.apikey, (err, apikey) => {
        if (err) {
            err.http_status = 404;
            err.message = errorUserNotFoundMessageTemplate(this.username);

            return callback(err);
        }
        
        if (isApiKeyFound(apikey)) {
            if (!usernameMatches(apikey.user, this.username)) {
                const error = new Error('Forbidden');
                error.type = 'auth';
                error.subtype = 'api-key-username-mismatch';
                error.http_status = 403;

                return callback(error);
            }
            
            if (!apikey.grantsSql) {
                const forbiddenError = new Error('forbidden');
                forbiddenError.http_status = 403;

                return callback(forbiddenError);
            }

            return callback(null, verifyRequest(this.apikey, this.apikey));
        }  else {
            const error = new Error('Unauthorized');
            error.type = 'auth';
            error.subtype = 'api-key-not-found';
            error.http_status = 401;

            return callback(error);  
        }      
    });
};

ApikeyAuth.prototype.hasCredentials = function () {
    return !!this.apikey;
};

ApikeyAuth.prototype.getCredentials = function () {
    return this.apikey;
};

function verifyRequest(apikey, requiredApikey) {
    return (apikey === requiredApikey && apikey !== 'default_public');
}

function isApiKeyFound(apikey) {
    return apikey.type !== null &&
        apikey.user !== null &&
        apikey.databasePassword !== null &&
        apikey.databaseRole !== null;
}
added auth using api token 2011-12-27 02:16:41 +08:00			`/**`
			`* this module allows to auth user using an pregenerated api key`
			`*/`
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00			`function ApikeyAuth(req, metadataBackend, username, apikey) {`
New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`this.req = req;`
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00			`this.metadataBackend = metadataBackend;`
			`this.username = username;`
Actually pass just apikey instead of the entire "res" object 2018-02-20 02:16:33 +08:00			`this.apikey = apikey;`
Generalize CartoDB username extraction, allowing for multiuser setups Closes #124 2013-12-18 18:57:46 +08:00			`}`

			`module.exports = ApikeyAuth;`

Template for User not found error 2018-02-23 00:49:02 +08:00			`function errorUserNotFoundMessageTemplate (user) {`
			return `Sorry, we can't find CARTO user '${user}'. Please check that you have entered the correct domain.`;
			`}`

remove api key fallback 2018-05-17 23:13:59 +08:00			`function usernameMatches(basicAuthUsername, requestUsername) {`
			`return !(basicAuthUsername && (basicAuthUsername !== requestUsername));`
			`}`

Fix common interface for auth-backends 2018-02-27 02:02:05 +08:00			`ApikeyAuth.prototype.verifyCredentials = function (callback) {`
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00			`this.metadataBackend.getApikey(this.username, this.apikey, (err, apikey) => {`
			`if (err) {`
			`err.http_status = 404;`
Template for User not found error 2018-02-23 00:49:02 +08:00			`err.message = errorUserNotFoundMessageTemplate(this.username);`

Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00			`return callback(err);`
			`}`
remove api key fallback 2018-05-17 23:13:59 +08:00
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00			`if (isApiKeyFound(apikey)) {`
remove api key fallback 2018-05-17 23:13:59 +08:00			`if (!usernameMatches(apikey.user, this.username)) {`
			`const error = new Error('Forbidden');`
			`error.type = 'auth';`
			`error.subtype = 'api-key-username-mismatch';`
			`error.http_status = 403;`

			`return callback(error);`
			`}`

Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00			`if (!apikey.grantsSql) {`
			`const forbiddenError = new Error('forbidden');`
			`forbiddenError.http_status = 403;`

			`return callback(forbiddenError);`
			`}`

			`return callback(null, verifyRequest(this.apikey, this.apikey));`
remove api key fallback 2018-05-17 23:13:59 +08:00			`} else {`
			`const error = new Error('Unauthorized');`
			`error.type = 'auth';`
			`error.subtype = 'api-key-not-found';`
			`error.http_status = 401;`
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00
remove api key fallback 2018-05-17 23:13:59 +08:00			`return callback(error);`
			`}`
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00			`});`
New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`};`

Get api_key from specific middleware and save it into res.locals 2018-02-16 00:23:35 +08:00			`ApikeyAuth.prototype.hasCredentials = function () {`
Actually pass just apikey instead of the entire "res" object 2018-02-20 02:16:33 +08:00			`return !!this.apikey;`
New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`};`

Get api_key from specific middleware and save it into res.locals 2018-02-16 00:23:35 +08:00			`ApikeyAuth.prototype.getCredentials = function () {`
Actually pass just apikey instead of the entire "res" object 2018-02-20 02:16:33 +08:00			`return this.apikey;`
Implement new auth system based on api-key tokens with scoped permissions 2017-11-25 00:57:54 +08:00			`};`

Get api_key from specific middleware and save it into res.locals 2018-02-16 00:23:35 +08:00			`function verifyRequest(apikey, requiredApikey) {`
Don't authenticate when default_public api-key is provided 2018-02-21 18:14:31 +08:00			`return (apikey === requiredApikey && apikey !== 'default_public');`
New authentication mechanism: checks in advance if credentials are provided in order to do a single request to redis to retrieve the required database connection parameters. 2014-08-05 22:20:06 +08:00			`}`
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00
			`function isApiKeyFound(apikey) {`
			`return apikey.type !== null &&`
			`apikey.user !== null &&`
			`apikey.databasePassword !== null &&`
			`apikey.databaseRole !== null;`
			`}`