Fixed #288: by-pass auth entirely in node with few lines

Author: grtjn

app/templates/node-server/node-app.js

@@ -17,6 +17,17 @@ app.use(expressSession({
   resave: true
 }));
 
+//
+// Uncomment the following to by-pass authentication entirely by enforcing defaultUser on the session.
+//
+// Note: consider blocking update calls in the proxy when enabling this.
+//
+// app.use(function (req, res, next) {
+//   var options = require('./utils/options')();
+//   req.session.user = { name: options.defaultUser, password: options.defaultPass, profile: { fullname: 'Guest' } };
+//   next();
+// });
+
 app.use(logger('dev'));
 
 app.use('/v1', require('./proxy'));

app/templates/node-server/proxy.js

@@ -4,18 +4,21 @@
 
 var router = require('express').Router();
 var http = require('http');
-var config = require('../gulp.config')();
-
-var options = {
-  mlHost: process.env.ML_HOST || config.marklogic.host,
-  mlHttpPort: process.env.ML_PORT || config.marklogic.httpPort,
-  defaultUser: process.env.ML_APP_USER || config.marklogic.user,
-  defaultPass: process.env.ML_APP_PASS || config.marklogic.password
-};
+var options = require('./utils/options')();
 
 // ==================================
 // MarkLogic REST API endpoints
 // ==================================
+
+//
+// To not require authentication for a specific route, simply use the route below.
+// Copy and change according to your needs.
+//
+//router.get('/my/route', function(req, res) {
+//  noCache(res);
+//  proxy(req, res);
+//});
+
 // For any other GET request, proxy it on to MarkLogic.
 router.get('*', function(req, res) {
   noCache(res);
@@ -24,10 +27,9 @@ router.get('*', function(req, res) {
   } else {
     proxy(req, res);
   }
-  // To not require authentication, simply use the proxy below:
-  //proxy(req, res);
 });
 
+// PUT requires special treatment, as a user could be trying to PUT a profile update..
 router.put('*', function(req, res) {
   noCache(res);
   // For PUT requests, require authentication
@@ -36,11 +38,12 @@ router.put('*', function(req, res) {
   } else if (req.path === '/v1/documents' &&
     req.query.uri.match('/api/users/') &&
     req.query.uri.match(new RegExp('/api/users/[^(' + req.session.user.name + ')]+.json'))) {
-    // The user is try to PUT to a profile document other than his/her own. Not allowed.
+    // The user is trying to PUT to a profile document other than his/her own. Not allowed.
     res.status(403).send('Forbidden');
   } else {
     if (req.path === '/v1/documents' && req.query.uri.match('/users/')) {
-      // TODO: The user is updating the profile. Update the session info.
+      var json = req.body.user ? req.body : JSON.parse(req.body);
+      req.session.user.profile = json.user;
     }
     proxy(req, res);
   }
@@ -122,9 +125,9 @@ function proxy(req, res) {
 }
 
 function noCache(response){
-  response.append('Cache-Control', 'no-cache, must-revalidate');//HTTP 1.1 - must-revalidate
-  response.append('Pragma', 'no-cache');//HTTP 1.0
-  response.append('Expires', 'Sat, 26 Jul 1997 05:00:00 GMT'); // Date in the past
+  response.append('Cache-Control', 'no-cache, must-revalidate');     // HTTP 1.1 - must-revalidate
+  response.append('Pragma',        'no-cache');                      // HTTP 1.0
+  response.append('Expires',       'Sat, 26 Jul 1997 05:00:00 GMT'); // Date in the past
 }
 
 module.exports = router;

app/templates/node-server/routes.js

@@ -6,15 +6,7 @@ var router = require('express').Router();
 var bodyParser = require('body-parser');
 var four0four = require('./utils/404')();
 var http = require('http');
-var config = require('../gulp.config')();
-
-var options = {
-  appPort: process.env.APP_PORT || config.defaultPort,
-  mlHost: process.env.ML_HOST || config.marklogic.host,
-  mlHttpPort: process.env.ML_PORT || config.marklogic.httpPort,
-  defaultUser: process.env.ML_APP_USER || config.marklogic.user,
-  defaultPass: process.env.ML_APP_PASS || config.marklogic.password
-};
+var options = require('./utils/options')();
 
 // [GJo] (#31) Moved bodyParsing inside routing, otherwise it might try to parse uploaded binaries as json..
 router.use(bodyParser.urlencoded({extended: true}));
@@ -52,7 +44,7 @@ router.get('/user/status', function(req, res) {
         res.status(200).send({
           authenticated: true,
           username: req.session.user.name,
-          profile: {}
+          profile: req.session.user.profile || {}
         });
       } else {
         res.send({authenticated: false});
@@ -97,7 +89,8 @@ router.post('/user/login', function(req, res) {
       };
       res.status(200).send({
         authenticated: true,
-        username: username
+        username: username,
+        profile: {}
       });
     } else {
       console.log('code: ' + response.statusCode);
@@ -115,6 +108,7 @@ router.post('/user/login', function(req, res) {
               username: username,
               profile: json.user
             });
+            req.session.user.profile = json.user;
           } else {
             console.log('did not find chunk.user');
           }

app/templates/node-server/utils/options.js

@@ -0,0 +1,38 @@
+/* jshint node:true */
+
+'use strict';
+
+var config = require('../../gulp.config')();
+
+module.exports = function(){
+
+  var environment = process.env.NODE_ENV;
+  var envJson = getEnvOptions(environment === 'build' ? 'prod' : 'local');
+
+  var options = {
+    appPort: process.env.APP_PORT || envJson['node-port'] || config.defaultPort,
+    mlHost: process.env.ML_HOST || envJson['ml-host'] || config.marklogic.host,
+    mlHttpPort: process.env.ML_PORT || envJson['ml-http-port'] || config.marklogic.httpPort,
+    defaultUser: process.env.ML_APP_USER || envJson['ml-app-user'] || config.marklogic.user,
+    defaultPass: process.env.ML_APP_PASS || envJson['ml-app-pass'] || config.marklogic.password
+  };
+
+  return options;
+
+  function getEnvOptions(env) {
+    var envJson;
+    var envFile = '../../' + env + '.json';
+
+    try {
+      envJson = require(envFile);
+    }
+    catch (e) {
+      envJson = {};
+      console.log('Couldn\'t find ' + envFile + '; you can create this file to override properties - ' +
+        '`gulp init-local` creates local.json which can be modified for other environments as well');
+    }
+
+    return envJson;
+  }
+
+};

slushfile.js

@@ -182,6 +182,11 @@ function configRoxy() {
     // set the authentication-method property to digestbasic
     properties = properties.replace(/^authentication\-method=digest/m, 'authentication-method=digestbasic');
 
+    // capture appuser-password generated by Roxy for later use
+    var passwordMatch = /^appuser\-password=(.*)$/m;
+    var matches = passwordMatch.exec(properties);
+    settings.appuserPassword = matches[1];
+
     fs.writeFileSync('deploy/build.properties', properties);
   } catch (e) {
     console.log('failed to update properties: ' + e.message);
@@ -254,6 +259,18 @@ function configRoxy() {
       '          <range-value-positions>false</range-value-positions>\n' +
       '        </geospatial-element-pair-index>\n');
 
+    // fix default app-role privileges to match rest-style applications
+    foo = foo.replace(/<privileges>[^]*?<\/privileges>/,
+      '<privileges>\n' +
+      '        <privilege>\n' +
+      '          <privilege-name>rest-reader</privilege-name>\n' +
+      '        </privilege>\n' +
+      '        <!-- remove the rest-writer privilege if read-only access is required -->\n' +
+      '        <privilege>\n' +
+      '          <privilege-name>rest-writer</privilege-name>\n' +
+      '        </privilege>\n' +
+      '      </privileges>\n');
+
     fs.writeFileSync('deploy/ml-config.xml', foo);
   } catch (e) {
     console.log('failed to update configuration: ' + e.message);
@@ -298,8 +315,8 @@ gulp.task('configGulp', ['init'], function(done) {
     configJSON['ml-host'] = settings.marklogicHost;
     configJSON['ml-admin-user'] = settings.marklogicAdminUser;
     configJSON['ml-admin-pass'] = settings.marklogicAdminPass;
-    configJSON['ml-app-user'] = settings.marklogicAdminUser; //THIS NEEDS TO CHANGE
-    configJSON['ml-app-pass'] = settings.marklogicAdminPass; //THIS NEEDS TO CHANGE
+    configJSON['ml-app-user'] = settings.appName + '-user';
+    configJSON['ml-app-pass'] = settings.appuserPassword;
     configJSON['ml-http-port'] = settings.appPort;
     configJSON['node-port'] = settings.nodePort;
 
@@ -372,6 +389,7 @@ gulp.task('init', ['checkForUpdates'], function (done) {
     settings.nodePort = answers.nodePort;
     settings.appPort = answers.appPort;
     settings.xccPort = answers.xccPort || null;
+    settings.appName = answers.nameDashed;
 
     getRoxyScript(answers.nameDashed, answers.mlVersion, appType, branch)
       .then(runRoxy)