CartoDB-SQL-API/app/middlewares/authorization.js

const AuthApi = require('../auth/auth_api');
const basicAuth = require('basic-auth');

module.exports = function authorization (userDatabaseService, forceToBeAuthenticated = false) {
    return function authorizationMiddleware (req, res, next) {
        const { user } = res.locals;
        const credentials = getCredentialsFromRequest(req, user);

        if (!userMatches(credentials, user)) {
            return next(new Error('permission denied'));
        }

        res.locals.api_key = credentials.apiKeyToken;

        const params = Object.assign({}, res.locals, req.query, req.body);
        const authApi = new AuthApi(req, res, params);

        userDatabaseService.getConnectionParams(authApi, user, function (err, userDbParams, authDbParams, userLimits) {
            if (req.profiler) {
                req.profiler.done('setDBAuth');
            }

            if (err) {
                return next(err);
            }

            if (forceToBeAuthenticated && !userDbParams.authenticated) {
                return next(new Error('permission denied'));
            }

            res.locals.userDbParams = userDbParams;
            res.locals.authDbParams = authDbParams;
            res.locals.userLimits = userLimits;

            next();
        });
    };
};

const credentialsGetters = [
    getCredentialsFromHeaderAuthorization,
    getCredentialsFromRequestQueryString,
    getCredentialsFromRequestBody,
];

function getCredentialsFromRequest (req) {
    let credentials = null;

    for (var getter of credentialsGetters) {
        credentials = getter(req);

        if (apiKeyTokenFound(credentials)) {
            break;
        }
    }

    return credentials;
}

function getCredentialsFromHeaderAuthorization(req) {
    const { pass, name } = basicAuth(req) || {};

    if (pass !== undefined && name !== undefined) {
        return {
            apiKeyToken: pass,
            user: name
        };
    }

    return false;
}

function getCredentialsFromRequestQueryString(req) {
    if (req.query.api_key) {
        return {
            apiKeyToken: req.query.api_key
        };
    }

    if (req.query.map_key) {
        return {
            apiKeyToken: req.query.map_key
        };
    }

    return false;
}

function getCredentialsFromRequestBody(req) {
    if (req.body && req.body.api_key) {
        return {
            apiKeyToken: req.body.api_key
        };
    }

    if (req.body && req.body.map_key) {
        return {
            apiKeyToken: req.body.map_key
        };
    }

    return false;
}

function apiKeyTokenFound(credentials) {
    if (typeof credentials === 'boolean') {
        return credentials;
    }

    if (credentials.apiKeyToken !== undefined) {
        return true;
    }

    return false;
}

function userMatches (credentials, user) {
    return !(credentials.user !== undefined && credentials.user !== user);
}
Do not use underscore 2018-02-19 21:41:06 +08:00			`const AuthApi = require('../auth/auth_api');`
Unify credentials and authenticated request midllewares 2018-02-19 22:44:28 +08:00			`const basicAuth = require('basic-auth');`
DRY while authenticating requests 2016-10-04 21:40:56 +08:00
Miss rename middleware 2018-02-19 22:54:05 +08:00			`module.exports = function authorization (userDatabaseService, forceToBeAuthenticated = false) {`
			`return function authorizationMiddleware (req, res, next) {`
Use authenticated middleware in query controller 2018-02-19 20:24:44 +08:00			`const { user } = res.locals;`
Unify credentials and authenticated request midllewares 2018-02-19 22:44:28 +08:00			`const credentials = getCredentialsFromRequest(req, user);`

			`if (!userMatches(credentials, user)) {`
			`return next(new Error('permission denied'));`
			`}`

			`res.locals.api_key = credentials.apiKeyToken;`

			`const params = Object.assign({}, res.locals, req.query, req.body);`
Rename middleware 2018-02-19 21:20:09 +08:00			`const authApi = new AuthApi(req, res, params);`
DRY while authenticating requests 2016-10-04 21:40:56 +08:00
Rename param 2018-02-19 22:58:48 +08:00			`userDatabaseService.getConnectionParams(authApi, user, function (err, userDbParams, authDbParams, userLimits) {`
Do not use underscore 2018-02-19 21:41:06 +08:00			`if (req.profiler) {`
			`req.profiler.done('setDBAuth');`
			`}`
DRY while authenticating requests 2016-10-04 21:40:56 +08:00
			`if (err) {`
Check user is the same user that sends the request when basic-auth is provided 2018-02-17 01:21:06 +08:00			`return next(err);`
DRY while authenticating requests 2016-10-04 21:40:56 +08:00			`}`

Rename param 2018-02-19 22:58:48 +08:00			`if (forceToBeAuthenticated && !userDbParams.authenticated) {`
Check user is the same user that sends the request when basic-auth is provided 2018-02-17 01:21:06 +08:00			`return next(new Error('permission denied'));`
DRY while authenticating requests 2016-10-04 21:40:56 +08:00			`}`

Rename param 2018-02-19 22:58:48 +08:00			`res.locals.userDbParams = userDbParams;`
Use authenticated middleware in query controller 2018-02-19 20:24:44 +08:00			`res.locals.authDbParams = authDbParams;`
			`res.locals.userLimits = userLimits;`
DRY while authenticating requests 2016-10-04 21:40:56 +08:00
Check user is the same user that sends the request when basic-auth is provided 2018-02-17 01:21:06 +08:00			`next();`
DRY while authenticating requests 2016-10-04 21:40:56 +08:00			`});`
			`};`
Rename middleware 2018-02-19 21:20:09 +08:00			`};`
Unify credentials and authenticated request midllewares 2018-02-19 22:44:28 +08:00
			`const credentialsGetters = [`
			`getCredentialsFromHeaderAuthorization,`
			`getCredentialsFromRequestQueryString,`
			`getCredentialsFromRequestBody,`
			`];`

			`function getCredentialsFromRequest (req) {`
			`let credentials = null;`

			`for (var getter of credentialsGetters) {`
			`credentials = getter(req);`

			`if (apiKeyTokenFound(credentials)) {`
			`break;`
			`}`
			`}`

			`return credentials;`
			`}`

			`function getCredentialsFromHeaderAuthorization(req) {`
			`const { pass, name } = basicAuth(req) \|\| {};`

			`if (pass !== undefined && name !== undefined) {`
			`return {`
			`apiKeyToken: pass,`
			`user: name`
			`};`
			`}`

			`return false;`
			`}`

			`function getCredentialsFromRequestQueryString(req) {`
			`if (req.query.api_key) {`
			`return {`
			`apiKeyToken: req.query.api_key`
			`};`
			`}`

			`if (req.query.map_key) {`
			`return {`
			`apiKeyToken: req.query.map_key`
			`};`
			`}`

			`return false;`
			`}`

			`function getCredentialsFromRequestBody(req) {`
			`if (req.body && req.body.api_key) {`
			`return {`
			`apiKeyToken: req.body.api_key`
			`};`
			`}`

			`if (req.body && req.body.map_key) {`
			`return {`
			`apiKeyToken: req.body.map_key`
			`};`
			`}`

			`return false;`
			`}`

			`function apiKeyTokenFound(credentials) {`
			`if (typeof credentials === 'boolean') {`
			`return credentials;`
			`}`

			`if (credentials.apiKeyToken !== undefined) {`
			`return true;`
			`}`

			`return false;`
			`}`

			`function userMatches (credentials, user) {`
			`return !(credentials.user !== undefined && credentials.user !== user);`
			`}`