CartoDB-SQL-API/lib/api/middlewares/authorization.js

'use strict';

const AuthApi = require('../../auth/auth-api');
const basicAuth = require('basic-auth');

module.exports = function authorization (metadataBackend, forceToBeMaster = false) {
    return function authorizationMiddleware (req, res, next) {
        const { user } = res.locals;
        const credentials = getCredentialsFromRequest(req);

        if (!userMatches(credentials, user)) {
            if (req.profiler) {
                req.profiler.done('authorization');
            }

            return next(new Error('permission denied'));
        }

        res.locals.api_key = credentials.apiKeyToken;

        const params = Object.assign({ metadataBackend }, res.locals, req.query, req.body);
        const authApi = new AuthApi(req, params);

        authApi.verifyCredentials(function (err, authorizationLevel) {
            if (req.profiler) {
                req.profiler.done('authorization');
            }

            if (err) {
                return next(err);
            }

            res.locals.authorizationLevel = authorizationLevel;

            if (forceToBeMaster && authorizationLevel !== 'master') {
                return next(new Error('permission denied'));
            }

            res.set('vary', 'Authorization'); //Honor Authorization header when caching.

            next();
        });
    };
};

const credentialsGetters = [
    getCredentialsFromHeaderAuthorization,
    getCredentialsFromRequestQueryString,
    getCredentialsFromRequestBody,
];

function getCredentialsFromRequest (req) {
    let credentials = null;

    for (var getter of credentialsGetters) {
        credentials = getter(req);

        if (apiKeyTokenFound(credentials)) {
            break;
        }
    }

    return credentials;
}

function getCredentialsFromHeaderAuthorization(req) {
    const { pass, name } = basicAuth(req) || {};

    if (pass !== undefined && name !== undefined) {
        return {
            apiKeyToken: pass,
            user: name
        };
    }

    return false;
}

function getCredentialsFromRequestQueryString(req) {
    if (req.query.api_key) {
        return {
            apiKeyToken: req.query.api_key
        };
    }

    if (req.query.map_key) {
        return {
            apiKeyToken: req.query.map_key
        };
    }

    return false;
}

function getCredentialsFromRequestBody(req) {
    if (req.body && req.body.api_key) {
        return {
            apiKeyToken: req.body.api_key
        };
    }

    if (req.body && req.body.map_key) {
        return {
            apiKeyToken: req.body.map_key
        };
    }

    return false;
}

function apiKeyTokenFound(credentials) {
    if (typeof credentials === 'boolean') {
        return credentials;
    }

    if (credentials.apiKeyToken !== undefined) {
        return true;
    }

    return false;
}

function userMatches (credentials, user) {
    return !(credentials.user !== undefined && credentials.user !== user);
}
Use strict mode 2018-10-24 21:42:33 +08:00			`'use strict';`

Changed folder structure to reflect application functionallity. Renamed files using hyphens instead of underscore to have a more consistent naming across the whole project 2019-10-04 00:24:39 +08:00			`const AuthApi = require('../../auth/auth-api');`
Unify credentials and authenticated request midllewares 2018-02-19 22:44:28 +08:00			`const basicAuth = require('basic-auth');`
DRY while authenticating requests 2016-10-04 21:40:56 +08:00
refactor forceToBeAuthenticated to forceToBeMaster 2018-06-05 19:16:36 +08:00			`module.exports = function authorization (metadataBackend, forceToBeMaster = false) {`
Miss rename middleware 2018-02-19 22:54:05 +08:00			`return function authorizationMiddleware (req, res, next) {`
Use authenticated middleware in query controller 2018-02-19 20:24:44 +08:00			`const { user } = res.locals;`
Remove unused param 2018-02-19 23:04:57 +08:00			`const credentials = getCredentialsFromRequest(req);`
Unify credentials and authenticated request midllewares 2018-02-19 22:44:28 +08:00
			`if (!userMatches(credentials, user)) {`
Improve profiling 2018-02-27 20:56:00 +08:00			`if (req.profiler) {`
			`req.profiler.done('authorization');`
			`}`

Unify credentials and authenticated request midllewares 2018-02-19 22:44:28 +08:00			`return next(new Error('permission denied'));`
			`}`

			`res.locals.api_key = credentials.apiKeyToken;`

Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00			`const params = Object.assign({ metadataBackend }, res.locals, req.query, req.body);`
Actually pass just apikey instead of the entire "res" object 2018-02-20 02:16:33 +08:00			`const authApi = new AuthApi(req, params);`
DRY while authenticating requests 2016-10-04 21:40:56 +08:00
refactor authenticated to authorizationLevel 2018-06-05 19:21:56 +08:00			`authApi.verifyCredentials(function (err, authorizationLevel) {`
Split authorization middleware, it was actually doing two things: authorize and get database connection params 2018-02-22 19:22:39 +08:00			`if (req.profiler) {`
Improve profiling 2018-02-27 20:56:00 +08:00			`req.profiler.done('authorization');`
Split authorization middleware, it was actually doing two things: authorize and get database connection params 2018-02-22 19:22:39 +08:00			`}`

DRY while authenticating requests 2016-10-04 21:40:56 +08:00			`if (err) {`
Check user is the same user that sends the request when basic-auth is provided 2018-02-17 01:21:06 +08:00			`return next(err);`
DRY while authenticating requests 2016-10-04 21:40:56 +08:00			`}`

refactor authenticated to authorizationLevel 2018-06-05 19:21:56 +08:00			`res.locals.authorizationLevel = authorizationLevel;`
Move authorization to auth-api and extract it from user-database-service 2018-02-22 18:46:34 +08:00
refactor authenticated to authorizationLevel 2018-06-05 19:21:56 +08:00			`if (forceToBeMaster && authorizationLevel !== 'master') {`
Check user is the same user that sends the request when basic-auth is provided 2018-02-17 01:21:06 +08:00			`return next(new Error('permission denied'));`
DRY while authenticating requests 2016-10-04 21:40:56 +08:00			`}`

Set Vary Header to honor Authorization header when caching (fastly) 2018-03-13 18:59:07 +08:00			`res.set('vary', 'Authorization'); //Honor Authorization header when caching.`

Split authorization middleware, it was actually doing two things: authorize and get database connection params 2018-02-22 19:22:39 +08:00			`next();`
DRY while authenticating requests 2016-10-04 21:40:56 +08:00			`});`
			`};`
Rename middleware 2018-02-19 21:20:09 +08:00			`};`
Unify credentials and authenticated request midllewares 2018-02-19 22:44:28 +08:00
			`const credentialsGetters = [`
			`getCredentialsFromHeaderAuthorization,`
			`getCredentialsFromRequestQueryString,`
			`getCredentialsFromRequestBody,`
			`];`

			`function getCredentialsFromRequest (req) {`
			`let credentials = null;`

			`for (var getter of credentialsGetters) {`
			`credentials = getter(req);`

			`if (apiKeyTokenFound(credentials)) {`
			`break;`
			`}`
			`}`

			`return credentials;`
			`}`

			`function getCredentialsFromHeaderAuthorization(req) {`
			`const { pass, name } = basicAuth(req) \|\| {};`

			`if (pass !== undefined && name !== undefined) {`
			`return {`
			`apiKeyToken: pass,`
			`user: name`
			`};`
			`}`

			`return false;`
			`}`

			`function getCredentialsFromRequestQueryString(req) {`
			`if (req.query.api_key) {`
			`return {`
			`apiKeyToken: req.query.api_key`
			`};`
			`}`

			`if (req.query.map_key) {`
			`return {`
			`apiKeyToken: req.query.map_key`
			`};`
			`}`

			`return false;`
			`}`

			`function getCredentialsFromRequestBody(req) {`
			`if (req.body && req.body.api_key) {`
			`return {`
			`apiKeyToken: req.body.api_key`
			`};`
			`}`

			`if (req.body && req.body.map_key) {`
			`return {`
			`apiKeyToken: req.body.map_key`
			`};`
			`}`

			`return false;`
			`}`

			`function apiKeyTokenFound(credentials) {`
			`if (typeof credentials === 'boolean') {`
			`return credentials;`
			`}`

			`if (credentials.apiKeyToken !== undefined) {`
			`return true;`
			`}`

			`return false;`
			`}`

			`function userMatches (credentials, user) {`
			`return !(credentials.user !== undefined && credentials.user !== user);`
			`}`