Switched herokaiOnlyHandler to a general-purpose authCallback.

README.md

@@ -81,7 +81,8 @@ To log a user out, send them to `/auth/heroku/logout`.
 | `sessionSyncNonce` | No | `null` | The name of a nonce cookie to validate sessions against |
 | `ignoredRoutes` | No | `[]` | An array of regular expressions to match routes to be ignored when there is no session active |
 | `oAuthServerURL` | No | `"https://id.heroku.com"` | The location of the Heroku OAuth server |
-| `herokaiOnlyHandler` | No | `null` | A route handler that will be called on requests by non-Herokai |
+| `authCallback` | No | `null` | An authorization callback that will be passed the [account object](https://devcenter.heroku.com/articles/platform-api-reference#account). Return `true` to allow access; `false` to not. |
+| `authCallbackFailedHandler` | No | `null` | A route handler called if `authCallback` returns `false` |
 
 ## Test
 

index.js

@@ -70,13 +70,33 @@ function setOptions(options) {
     throw new Error('`herokaiOnlyHandler` must be a handler function');
   }
 
+  if (options.authCallback && typeof(options.authCallback) !== 'function') {
+    throw new Error('`authCallback` must be a handler function');
+  }
+
+  if (options.authCallbackFailed && typeof(options.authCallbackFailed) !== 'function') {
+    throw new Error('`authCallbackFailed` must be a handler function');
+  }
+
+  if (options.authCallback && options.herokaiOnlyHandler) {
+    throw new Error('can\'t pass both `herokaiOnlyHandler` and `authCallback`');
+  }
+
+  // backwards-compat for herokaiOnlyHandler
+  if (options.herokaiOnlyHandler) {
+    options.authCallback = function(user) { return /@heroku\.com$/.test(user.email); };
+    options.authCallbackFailedHandler = options.herokaiOnlyHandler;
+  }
+
   var defaults = {
     herokaiOnlyHandler: null,
     herokuAPIHost     : null,
     ignoredRoutes     : [],
     oAuthServerURL    : 'https://id.heroku.com',
     oAuthScope        : 'identity',
     sessionSyncNonce  : null,
+    authCallback      : null,
+    authCallbackFailedHandler: null,
   };
 
   for (var key in defaults) {

lib/middleware.js

@@ -32,10 +32,13 @@ module.exports = function(options) {
     }
 
     if (userSession) {
-      var isHerokai = /@heroku\.com$/.test(userSession.user.email);
-
-      if (options.herokaiOnlyHandler && !isHerokai) {
-        return options.herokaiOnlyHandler(req, res, next);
+      if (options.authCallback && !options.authCallback(userSession.user)) {
+        if (options.authCallbackFailedHandler) {
+          return options.authCallbackFailedHandler(req, res, next);
+        } else {
+          // FIXME: is this the right thing? Or a default 401?
+          reauthenticate(req, res);
+        }
       }
 
       ensureValidToken(userSession, function(err) {

test/bouncer-test.js

@@ -285,6 +285,24 @@ describe('bouncer', function() {
         });
       });
     });
+
+    context('and authCallback is set', function() {
+      var clientOptions;
+
+      beforeEach(function() {
+        clientOptions = { 
+          authCallback: function(user) { return /@example\.com$/.test(user.email) }, 
+          authCallbackFailedHandler: function(req, res) { res.end('You are not allowed.'); } 
+        };
+      });
+
+      context('and the user is authorized', function() {
+        it('performs the request like normal', function() {
+          herokuStubber.stubUser({ email: 'user@example.com' });
+          return itBehavesLikeANormalRequest(clientOptions);
+        });
+      });
+    });
   });
 
   describe('logging out', function() {