Add URL authorization token. Rename token function.

Author: Amir Tocker

lib/utils.js

@@ -0,0 +1,47 @@
+###*
+  * Authorization Token
+  * @module auth_token
+###
+crypto = require('crypto')
+config = require('./config')
+
+digest = (message, key) ->
+  crypto.createHmac("sha256", new Buffer(key, "hex"))
+    .update message
+    .digest 'hex'
+
+###*
+  * Generate an authorization token
+  * @param {Object} options
+  * @param {string} options.key - the secret key required to sign the token
+  * @param {string} [options.ip] - the IP address of the client
+  * @param {number} [options.start_time=now] - the start time of the token in seconds from epoch
+  * @param {string} [options.expiration] - the expiration time of the token in seconds from epoch
+  * @param {string} [options.duration] - the duration of the token (from start_time)
+  * @param {string} [options.acl] - the ACL for the token
+  * @param {string} [options.url] - the URL to authentication in case of a URL token
+  * @returns {string} the authorization token
+###
+module.exports = (options)->
+  params = Object.assign {}, config().auth_token, options
+  tokenName = params.token_name ? "__cld_token__"
+
+  unless params.expiration?
+    if params.duration?
+      start = params.start_time ? Math.round(Date.now() / 1000)
+      params.expiration = start + params.duration
+    else
+      throw new Error( "Must provide either end_time or window")
+
+  tokenParts = []
+  tokenParts.push("ip=#{params.ip}") if params.ip?
+  tokenParts.push("st=#{params.start_time}") if params.start_time?
+  tokenParts.push("exp=#{params.expiration}")
+  tokenParts.push("acl=#{params.acl}") if params.acl?
+  toSign = (part for part in tokenParts)
+  if params.url
+    url = encodeURIComponent(params.url).replace(/%../g, (match)-> match.toLowerCase())
+    toSign.push "url=#{url}"
+  auth = digest(toSign.join("~"), params.key)
+  tokenParts.push("hmac=#{auth}")
+  "#{tokenName}=#{tokenParts.join('~')}"

lib/utils.js.map

@@ -2,8 +2,10 @@ _ = require("lodash")
 config = require("./config")
 crypto = require('crypto')
 querystring = require('querystring')
+url = require('url')
+
 utils = exports
-exports.generateAkamaiToken = require("./generateAkamaiToken")
+exports.generate_auth_token = require("./auth_token")
 exports.CF_SHARED_CDN = "d3jpl91pxevbkh.cloudfront.net"
 exports.OLD_AKAMAI_SHARED_CDN = "cloudinary-a.akamaihd.net"
 exports.AKAMAI_SHARED_CDN = "res.cloudinary.com"
@@ -388,6 +390,7 @@ exports.url = (public_id, options = {}) ->
   api_secret = utils.option_consume(options, "api_secret", config().api_secret)
   url_suffix = utils.option_consume(options, "url_suffix")
   use_root_path = utils.option_consume(options, "use_root_path", config().use_root_path)
+  auth_token = utils.option_consume(options, "auth_token", config().auth_token)
 
   preloaded = /^(image|raw)\/([a-z0-9_]+)\/v(\d+)\/([^#]+)$/.exec(public_id)
   if preloaded
@@ -415,7 +418,7 @@ exports.url = (public_id, options = {}) ->
   version = "v#{version}" if version?
 
   transformation = transformation.replace(/([^:])\/\//g, '$1/')
-  if sign_url
+  if sign_url && !auth_token
     to_sign = [transformation, source_to_sign].filter((part) -> part? && part != '').join('/')
     shasum = crypto.createHash('sha1')
     shasum.update(utf8_encode(to_sign + api_secret), 'binary')
@@ -424,9 +427,12 @@ exports.url = (public_id, options = {}) ->
 
 
   prefix = unsigned_url_prefix(public_id, cloud_name, private_cdn, cdn_subdomain, secure_cdn_subdomain, cname, secure, secure_distribution)
-  url = [prefix, resource_type, type, signature, transformation, version,
+  resultUrl = [prefix, resource_type, type, signature, transformation, version,
     public_id].filter((part) -> part? && part != '').join('/')
-  url
+  if sign_url && auth_token
+    token = utils.generate_auth_token exports.merge(url: url.parse(resultUrl).path, auth_token)
+    resultUrl += "?#{token}"
+  resultUrl
 
 exports.video_url = (public_id, options) ->
   options = _.extend({resource_type: 'video'}, options)

src/auth_token.coffee

@@ -0,0 +1,61 @@
+expect = require("expect.js")
+cloudinary = require("../cloudinary.js")
+utils = cloudinary.utils
+
+KEY = "00112233FF99"
+ALT_KEY = "CCBB2233FF00"
+describe "authToken", ->
+  urlBackup = process.env.CLOUDINARY_URL
+
+  beforeEach ->
+    process.env.CLOUDINARY_URL = "cloudinary://a:b@test123?load_strategies=false"
+    cloudinary.config true
+    cloudinary.config().auth_token = {key: KEY, duration: 300, start_time: 11111111}
+  after ->
+    process.env.CLOUDINARY_URL = urlBackup
+    cloudinary.config true
+
+  it "should generate with start and window",  ->
+    token = utils.generate_auth_token start_time: 1111111111, acl: "/image/*", duration: 300
+    expect(token).to.eql '__cld_token__=st=1111111111~exp=1111111411~acl=/image/*~hmac=0854e8b6b6a46471a80b2dc28c69bd352d977a67d031755cc6f3486c121b43af'
+
+  describe "authenticated url", ->
+    beforeEach ->
+      cloudinary.config private_cdn: true
+
+    it "should add token if authToken is globally set and signed = true", ->
+      url = cloudinary.url "sample.jpg", sign_url: true, resource_type: "image", type: "authenticated", version: "1486020273"
+      expect(url).to.eql("http://test123-res.cloudinary.com/image/authenticated/v1486020273/sample.jpg?__cld_token__=st=11111111~exp=11111411~hmac=8db0d753ee7bbb9e2eaf8698ca3797436ba4c20e31f44527e43b6a6e995cfdb3")
+
+      it "should add token for 'public' resource", ->
+      url = cloudinary.url "sample.jpg", sign_url: true, resource_type: "image", type: "public",  version: "1486020273"
+      expect(url).to.eql("http://test123-res.cloudinary.com/image/public/v1486020273/sample.jpg?__cld_token__=st=11111111~exp=11111411~hmac=c2b77d9f81be6d89b5d0ebc67b671557e88a40bcf03dd4a6997ff4b994ceb80e")
+
+      it "should not add token if signed is false", ->
+      url = cloudinary.url "sample.jpg", type: "authenticated", version: "1486020273"
+      expect(url).to.eql("http://test123-res.cloudinary.com/image/authenticated/v1486020273/sample.jpg")
+
+      it "should not add token if authToken is globally set but null auth token is explicitly set and signed = true", ->
+      url = cloudinary.url "sample.jpg", auth_token: false, sign_url: true, type: "authenticated", version: "1486020273"
+      expect(url).to.eql("http://test123-res.cloudinary.com/image/authenticated/s--v2fTPYTu--/v1486020273/sample.jpg")
+
+      it "explicit authToken should override global setting", ->
+      url = cloudinary.url "sample.jpg", sign_url: true, auth_token: {key: ALT_KEY, start_time: 222222222, duration: 100}, type: "authenticated", transformation: {crop: "scale", width: 300}
+      expect(url).to.eql("http://test123-res.cloudinary.com/image/authenticated/c_scale,w_300/sample.jpg?__cld_token__=st=222222222~exp=222222322~hmac=7d276841d70c4ecbd0708275cd6a82e1f08e47838fbb0bceb2538e06ddfa3029")
+
+      it "should compute expiration as start time + duration", ->
+      token = {key: KEY, start_time: 11111111, duration: 300}
+      url = cloudinary.url "sample.jpg", sign_url: true, auth_token: token, resource_type: "image", type: "authenticated", version: "1486020273"
+      expect(url).to.eql("http://test123-res.cloudinary.com/image/authenticated/v1486020273/sample.jpg?__cld_token__=st=11111111~exp=11111411~hmac=8db0d753ee7bbb9e2eaf8698ca3797436ba4c20e31f44527e43b6a6e995cfdb3")
+
+  describe "authentication token", ->
+    it "should generate token string", ->
+      user = "foobar" # we can't rely on the default "now" value in tests
+      tokenOptions = {key: KEY, duration: 300, acl: "/*/t_#{user}"}
+      tokenOptions.start_time = 222222222 # we can't rely on the default "now" value in tests
+      cookieToken = utils.generate_auth_token tokenOptions
+      expect(cookieToken).to.eql("__cld_token__=st=222222222~exp=222222522~acl=/*/t_foobar~hmac=eb5e2266c8ec9573f696025f075b92998080347e1c12ac39a26c94d7d712704a")
+
+  it "should add token to an image tag url", ->
+    tag = cloudinary.image "sample.jpg", sign_url: true, type: "authenticated", version: "1486020273"
+    expect(tag).to.match /<img.*src='http:\/\/res.cloudinary.com\/test123\/image\/authenticated\/v1486020273\/sample.jpg\?__cld_token__=st=11111111~exp=11111411~hmac=9bd6f41e2a5893da8343dc8eb648de8bf73771993a6d1457d49851250caf3b80.*>/

src/generateAkamaiToken.coffee

@@ -573,30 +573,3 @@ describe "utils", ->
           "if": "w = 0 && height != 0 || aspectRatio < 0 and pageCount > 0 and faceCount <= 0 and width >= 0",
           "effect": "grayscale",
         )).to.match(new RegExp(allOperators))
-
-  describe 'generateAkamaiToken', ->
-    beforeEach ->
-      cloudinary.config( akamai_key: '00112233FF99')
-    afterEach ->
-      cloudinary.config(true)
-
-    it "should generate an Akamai token with start_time and window", ->
-      token = utils.generateAkamaiToken start_time: 1111111111, acl: '/image/*', window: 300
-      expect(token).to.eql('__cld_token__=st=1111111111~exp=1111111411~acl=/image/*~hmac=0854e8b6b6a46471a80b2dc28c69bd352d977a67d031755cc6f3486c121b43af')
-    it "should generate an Akamai token with window", ->
-      first_exp = Math.round(Date.now() / 1000 )+ 300
-      # expiration is calculated automatically as now + window
-      token = utils.generateAkamaiToken acl: '*', window: 300
-      second_exp = Math.round(Date.now() / 1000 )+ 300
-      match = /exp=(\d+)/.exec(token)
-      expect(match[1]).to.be.ok()
-      expiration = parseInt(match[1])
-      expect(expiration).to.be.within(first_exp, second_exp)
-      expect(utils.generateAkamaiToken acl: '*', end_time: expiration).to.eql(token)
-
-    it "should accept a key", ->
-      expect(utils.generateAkamaiToken acl: '*', end_time: 10000000, key: '00aabbff')
-        .to.eql('__cld_token__=exp=10000000~acl=*~hmac=030eafb6b19e499659d699b3d43e7595e35e3c0060e8a71904b3b8c8759f4890')
-
-    it "should throw if no end_time or window is provided", ->
-      expect( -> utils.generateAkamaiToken( acl: '*') ).to.throwError()