Add auth middleware in api unit. Now only authorized user can access api unit

2025-10-05 19:42:01 +02:00 · 2015-12-02 21:14:42 +09:00 · 2015-12-02 21:14:42 +09:00 · e0a45391ab
commit e0a45391ab
parent 41f306a7f0
5 changed files with 102 additions and 0 deletions
--- a/lib/units/api/index.js
+++ b/lib/units/api/index.js
@ -3,9 +3,12 @@ var path = require('path')

 var express = require('express')
 var SwaggerExpress = require('swagger-express-mw')
+var cookieSession = require('cookie-session')

 var logger = require('../../util/logger')

+var auth = require('./middleware/auth')
+
 module.exports = function(options) {
  var log = logger.createLogger('api')
    , app = express()
@ -22,6 +25,17 @@ module.exports = function(options) {
      swaggerExpress.register(app);
    })

+    // TODO: Remove this once frontend is stateless
+    app.use(cookieSession({
+      name: options.ssid
+    , keys: [options.secret]
+    }))
+
+    app.use(auth({
+      secret: options.secret
+    , authUrl: options.authUrl
+    }))
+
    server.listen(options.port)
    log.info('Listening on port %d', options.port)
 }
--- a/lib/units/api/middleware/auth.js
+++ b/lib/units/api/middleware/auth.js
@ -0,0 +1,65 @@
+var jwtutil = require('../../../util/jwtutil')
+var urlutil = require('../../../util/urlutil')
+var logger = require('../../../util/logger')
+var dbapi = require('../../../db/api')
+
+module.exports = function(options) {
+  return function(req, res, next) {
+
+    var log = logger.createLogger('api:auth')
+
+    if (req.headers.authorization) {
+      var tokenId = req.headers.authorization.split(" ")[1]
+
+      if (tokenId) {
+        dbapi.loadAccessToken(tokenId)
+          .then(function(token) {
+            var jwt = token.jwt
+              , data = jwtutil.decode(jwt, options.secret)
+
+            if (data) {
+              dbapi.loadUser(data.email)
+                .then(function(user) {
+                  if (user) {
+                    req.user = user
+                    next()
+                  }
+                })
+              }
+            })
+          .catch(function(err) {
+            log.error('Failed to load token: ', err.stack)
+            res.json(500, {
+              success: false,
+              description: "Bad Access Token"
+            })
+          })
+      } else {
+        log.error("Bad Access Token")
+        res.json(500, {
+          success: false,
+          description: "Bad Access Token Header"
+        })
+      }
+    }
+    // TODO: Remove this once frontend become stateless
+    else if (req.session && req.session.jwt) {
+      dbapi.loadUser(req.session.jwt.email)
+        .then(function(user) {
+          if (user) {
+            req.user = user
+            next()
+          }
+          else {
+            // We no longer have the user in the database
+            res.redirect(options.authUrl)
+          }
+        })
+        .catch(next)
+    }
+    else {
+      // No session, forward to auth client
+     res.redirect(options.authUrl)
+    }
+  }
+}
--- a/lib/units/api/swagger/api_v1.yaml
+++ b/lib/units/api/swagger/api_v1.yaml
@ -33,6 +33,7 @@ paths:
          description: Unexpected Error
          schema:
            $ref: "#/definitions/ErrorResponse"
+
 definitions:
  UserResponse:
    required: