Disable cookie authentication if credentials are missing.

Author: smithsz

CHANGES.md

@@ -6,6 +6,8 @@
 - [FIXED] Ensure IAM API key can be correctly changed.
 - [FIXED] Callback with an error when a user cannot be authenticated using IAM.
 - [FIXED] Ensure authorization tokens are not unnecessarily requested.
+- [IMPROVED] Do not apply cookie authentication by default in the case that no
+  credentials are provided.
 - [IMPROVED] Preemptively renew authorization tokens that are due to expire.
 
 # 4.2.1 (2019-08-29)

cloudant.js

@@ -294,7 +294,7 @@ function Cloudant(options, callback) {
   nano.generate_api_key = generate_api_key; // eslint-disable-line camelcase
 
   if (callback) {
-    nano.cc._addPlugins('cookieauth');
+    nano.cc._addPlugins({ cookieauth: { errorOnNoCreds: false } });
     nano.ping(function(error, pong) {
       if (error) {
         callback(error);

lib/client.js

@@ -51,7 +51,7 @@ class CloudantClient {
       plugins = [ { iamauth: { iamApiKey: self._cfg.creds.iamApiKey } } ];
     } else if (typeof this._cfg.plugins === 'undefined') {
       // => No plugins specified - Add 'cookieauth' plugin.
-      plugins = [ 'cookieauth' ];
+      plugins = [ { cookieauth: { errorOnNoCreds: false } } ];
     }
 
     // Add user specified plugins.

lib/clientutils.js

@@ -131,6 +131,9 @@ var runHooks = function(hookName, r, data, end) {
     async.eachSeries(r.plugins, function(plugin, done) {
       if (typeof plugin[hookName] !== 'function') {
         done(); // no hooks for plugin
+      } else if (plugin.disabled) {
+        debug(`Skipping hook ${hookName} for disabled plugin '${plugin.id}'.`);
+        done();
       } else {
         debug(`Running hook ${hookName} for plugin '${plugin.id}'.`);
         var oldState = Object.assign({}, r.state);

plugins/base.js

@@ -29,13 +29,23 @@ class BasePlugin {
   constructor(client, cfg) {
     this._client = client;
     this._cfg = cfg;
+    this._disabled = false;
     this._lockFile = tmp.tmpNameSync({ postfix: '.lock' });
   }
 
   get id() {
     return this.constructor.id;
   }
 
+  get disabled() {
+    return this._disabled;
+  }
+
+  // Disable a plugin to prevent all hooks from being executed.
+  set disabled(disabled) {
+    this._disabled = disabled;
+  }
+
   // NOOP Base Hooks
 
   onRequest(state, request, callback) {

plugins/cookieauth.js

@@ -25,14 +25,22 @@ const CookieTokenManager = require('../lib/tokens/CookieTokenManager');
  */
 class CookiePlugin extends BasePlugin {
   constructor(client, cfg) {
-    cfg = Object.assign({ autoRenew: true }, cfg);
+    cfg = Object.assign({
+      autoRenew: true,
+      errorOnNoCreds: true
+    }, cfg);
 
     super(client, cfg);
 
     let sessionUrl = new u.URL(cfg.serverUrl);
     sessionUrl.pathname = '/_session';
     if (!sessionUrl.username || !sessionUrl.password) {
-      throw new Error('Credentials are required for cookie authentication.');
+      if (cfg.errorOnNoCreds) {
+        throw new Error('Credentials are required for cookie authentication.');
+      }
+      debug('Missing credentials for cookie authentication. Permanently disabling plugin.');
+      this.disabled = true;
+      return;
     }
 
     this._jar = request.jar();

test/client.js

@@ -316,6 +316,77 @@ describe('CloudantClient', function() {
     });
   });
 
+  describe('disables a plugin', function() {
+    it('skips all plugin hooks on good response', function(done) {
+      var mocks = nock(SERVER)
+        .get(DBNAME)
+        .reply(200, {doc_count: 1});
+
+      var cloudantClient = new Client({ plugins: [] });
+      cloudantClient._addPlugins(testPlugin.NoopPlugin);
+      assert.equal(cloudantClient._plugins.length, 1);
+
+      var options = {
+        url: SERVER + DBNAME,
+        auth: { username: ME, password: PASSWORD },
+        method: 'GET'
+      };
+
+      // disable the plugin
+      cloudantClient.getPlugin('noop').disabled = true;
+
+      cloudantClient.request(options, function(err, resp, data) {
+        assert.equal(err, null);
+        assert.equal(resp.statusCode, 200);
+        assert.ok(data.indexOf('"doc_count":1') > -1);
+
+        // assert hooks are _not_ executed
+        assert.equal(cloudantClient._plugins[0].onRequestCallCount, 0);
+        assert.equal(cloudantClient._plugins[0].onErrorCallCount, 0);
+        assert.equal(cloudantClient._plugins[0].onResponseCallCount, 0);
+
+        mocks.done();
+        done();
+      });
+    });
+
+    it('skips all plugin hooks on error response', function(done) {
+      if (process.env.NOCK_OFF) {
+        this.skip();
+      }
+
+      var mocks = nock(SERVER)
+        .get(DBNAME)
+        .replyWithError({code: 'ECONNRESET', message: 'socket hang up'});
+
+      var cloudantClient = new Client({ plugins: [] });
+      cloudantClient._addPlugins(testPlugin.NoopPlugin);
+      assert.equal(cloudantClient._plugins.length, 1);
+
+      var options = {
+        url: SERVER + DBNAME,
+        auth: { username: ME, password: PASSWORD },
+        method: 'GET'
+      };
+
+      // disable the plugin
+      cloudantClient.getPlugin('noop').disabled = true;
+
+      cloudantClient.request(options, function(err, resp, data) {
+        assert.equal(err.code, 'ECONNRESET');
+        assert.equal(err.message, 'socket hang up');
+
+        // assert hooks are _not_ executed
+        assert.equal(cloudantClient._plugins[0].onRequestCallCount, 0);
+        assert.equal(cloudantClient._plugins[0].onErrorCallCount, 0);
+        assert.equal(cloudantClient._plugins[0].onResponseCallCount, 0);
+
+        mocks.done();
+        done();
+      });
+    });
+  });
+
   describe('#db using callbacks', function() {
     describe('with no plugins', function() {
       it('performs request and returns response', function(done) {

test/plugins/cookieauth.js

@@ -151,6 +151,40 @@ describe('#db CookieAuth Plugin', function() {
       });
     });
 
+    it('disables cookie authentication for missing credentials when using default cookieauth plugin', function(done) {
+      var mocks = nock(SERVER)
+        .get(DBNAME)
+        .reply(401, { error: 'unauthorized' });
+
+      // 'cookieauth' plugin is added by default with `errorOnNoCreds: false`
+      var cloudantClient = new Client({ creds: { outUrl: SERVER } });
+      var req = { url: SERVER + DBNAME, method: 'GET' };
+
+      cloudantClient.request(req, function(err, resp, data) {
+        assert.equal(err, null);
+        assert.equal(resp.request.uri.auth, null);
+        assert.equal(resp.statusCode, 401);
+        assert.ok(data.indexOf('unauthorized') > -1);
+
+        // assert 'cookieauth' plugin has been disabled
+        assert.ok(cloudantClient.getPlugin('cookieauth').disabled);
+
+        mocks.done();
+        done();
+      });
+    });
+
+    it('throws error for missing credentials when cookieauth plugin is specified', function() {
+      assert.throws(
+        () => {
+          /* eslint-disable no-new */
+          new Client({ creds: { outUrl: SERVER }, plugins: COOKIEAUTH_PLUGIN });
+        },
+        /Credentials are required for cookie authentication/,
+        'did not throw with expected message'
+      );
+    });
+
     it('performs request and returns 500 response', function(done) {
       if (process.env.NOCK_OFF) {
         this.skip();