UNPKG

q3-core-composer/lib/middleware/index.js

Version:

2.13 kBJavaScriptView Raw

1const { Grant } = require('q3-core-access');
2
3class Session {
constructor(req) {
  this.method = req.method;
  this.auth = req.get('Authorization');
}
8
getToken() {
  if (!this.auth) return '';
  return this.auth.startsWith('Apikey') ||
    this.auth.startsWith('Bearer')
    ? this.auth.substr(7)
    : this.auth;
}
16
setOperation() {
  switch (this.method) {
    case 'PATCH':
    case 'PUT':
      this.op = 'Update';
      break;
    case 'GET':
      this.op = 'Read';
      break;
    case 'POST':
      this.op = 'Create';
      break;
    case 'DELETE':
      this.op = 'Delete';
      break;
    default:
      throw new Error('Method not allowed');
  }
35
  return this;
}
38
getPermission(collectionName, sessionUser) {
  const gen = (op) =>
    new Grant(sessionUser)
      .can(op)
      .on(collectionName)
      .first();
45
  const primary = gen(this.op);
  const secondary = gen('Read');
48
  /**
   * @NOTE
   * Used to redact responses on non-read operations.
   */
  if (primary && secondary)
    primary.readOnly = secondary.fields;
55
  return primary;
}
58}
59
60function middleware(UserModel) {
if (!UserModel)
  throw new Error(
    'Cannot run middleware without User models',
  );
65
return async (req, res, next) => {
  const hasMethod = (method) =>
    method in UserModel && !req.user;
69
  const identity = new Session(req);
  const token = identity.getToken();
  const nonce = req.header('X-Session-Nonce');
  const host = req.get('host');
74
  if (hasMethod('findbyBearerToken'))
    req.user = await UserModel.findbyBearerToken(
      token,
      nonce,
      host,
    );
81
  if (hasMethod('findByApiKey'))
    req.user = await UserModel.findByApiKey(
      token,
      nonce,
      host,
    );
88
  req.authorize = (collectionName) =>
    identity
      .setOperation()
      .getPermission(collectionName, req.user);
93
  next();
};
96}
97
98module.exports = middleware;

1	`const { Grant } = require('q3-core-access');`
2
3	`class Session {`
4	`constructor(req) {`
5	`this.method = req.method;`
6	`this.auth = req.get('Authorization');`
7	`}`
8
9	`getToken() {`
10	`if (!this.auth) return '';`
11	`return this.auth.startsWith('Apikey') \|\|`
12	`this.auth.startsWith('Bearer')`
13	`? this.auth.substr(7)`
14	`: this.auth;`
15	`}`
16
17	`setOperation() {`
18	`switch (this.method) {`
19	`case 'PATCH':`
20	`case 'PUT':`
21	`this.op = 'Update';`
22	`break;`
23	`case 'GET':`
24	`this.op = 'Read';`
25	`break;`
26	`case 'POST':`
27	`this.op = 'Create';`
28	`break;`
29	`case 'DELETE':`
30	`this.op = 'Delete';`
31	`break;`
32	`default:`
33	`throw new Error('Method not allowed');`
34	`}`
35
36	`return this;`
37	`}`
38
39	`getPermission(collectionName, sessionUser) {`
40	`const gen = (op) =>`
41	`new Grant(sessionUser)`
42	`.can(op)`
43	`.on(collectionName)`
44	`.first();`
45
46	`const primary = gen(this.op);`
47	`const secondary = gen('Read');`
48
49	`/**`
50	`* @NOTE`
51	`* Used to redact responses on non-read operations.`
52	`*/`
53	`if (primary && secondary)`
54	`primary.readOnly = secondary.fields;`
55
56	`return primary;`
57	`}`
58	`}`
59
60	`function middleware(UserModel) {`
61	`if (!UserModel)`
62	`throw new Error(`
63	`'Cannot run middleware without User models',`
64	`);`
65
66	`return async (req, res, next) => {`
67	`const hasMethod = (method) =>`
68	`method in UserModel && !req.user;`
69
70	`const identity = new Session(req);`
71	`const token = identity.getToken();`
72	`const nonce = req.header('X-Session-Nonce');`
73	`const host = req.get('host');`
74
75	`if (hasMethod('findbyBearerToken'))`
76	`req.user = await UserModel.findbyBearerToken(`
77	`token,`
78	`nonce,`
79	`host,`
80	`);`
81
82	`if (hasMethod('findByApiKey'))`
83	`req.user = await UserModel.findByApiKey(`
84	`token,`
85	`nonce,`
86	`host,`
87	`);`
88
89	`req.authorize = (collectionName) =>`
90	`identity`
91	`.setOperation()`
92	`.getPermission(collectionName, req.user);`
93
94	`next();`
95	`};`
96	`}`
97
98	`module.exports = middleware;`