added req.isRoot and allow user root user collection crud without _id

2026-05-14 05:10:10 +08:00 · 2012-03-12 11:31:50 -07:00
parent d61183bc35
commit edff092d54
3 changed files with 45 additions and 4 deletions
--- a/lib/server.js
+++ b/lib/server.js
@@ -39,10 +39,41 @@ middleware.listen = function (callback) {
  // host
  var hostname = url.hostname || 'localhost';
  
-  // remote flag
+  // remote flag / remote auth
  server.use(function (req, res, next) {
    req.isRemote = true;
-    next();
+    
+    // root auth
+    var rawHdr = req.headers['x-dssh-key']
+     , authErr = {status: 401}
+     , strength
+     , dssh;
+
+    if(rawHdr) {
+      try {
+        dssh = JSON.parse(rawHdr);
+        strength = Object.keys(dssh).length;
+      } catch(e) {
+        return next(authErr);
+      }
+
+      // dont even try to authenticate keys that arent secure
+      if(req.isRemote && !(dssh && dssh._id && (strength > 2))) return next(authErr);
+
+      // authenticate key
+      keys.get(dssh, function (err, key) {
+        if(req.isRemote && !key) {
+          // remote requests must have a registered key
+          return next(authErr);
+        } else {
+          req.isRoot = true;
+
+          next();
+        }
+      })
+    } else {
+      next();
+    }
  });
  
  // proxy requests into the current mdoq stack
--- a/lib/types/user-collection.js
+++ b/lib/types/user-collection.js
@@ -46,7 +46,8 @@ module.exports = function (req, res, next) {
    // always remove password
    req.fields = {password: 0};
    
-    if(req.method != 'POST' && !req.query._id) {
+    // prevent GET, PUT, DELETE without _id (unless root)
+    if(req.method != 'POST' && !req.query._id && !req.isRoot) {
      return next({message: 'Must include an _id when querying or updating a user'});
    } else {
      col.exec(req, function (err, docs) {
--- a/test/users.test.js
+++ b/test/users.test.js
@@ -70,11 +70,20 @@ describe('Users', function(){
    })
    
    it('should not return a user when an _id is not provided', function(done) {
-      client.use('/users').get(function (err, res) {
+      var unAuthed = require('../lib/client').use('http://localhost:3003/users');
+      
+      unAuthed.get(function (err, res) {
        expect(err).to.exist;
        expect(res).to.not.exist;
        done();
      })
    })
+    
+    it('should return a user when an _id is not provided and requested as root', function(done) {
+      client.use('/users').get(function (err, res) {
+        expect(res).to.exist;
+        done();
+      })
+    })
  })
 })