#288: refined logic a bit

grtjn · grtjn · commit 69e8b6046790 · 2016-06-17T18:00:57.000+02:00
diff --git a/app/templates/node-server/node-app.js b/app/templates/node-server/node-app.js
@@ -17,25 +17,11 @@ app.use(expressSession({
   resave: true
 }));
 
-//
-// Uncomment the following to by-pass authentication entirely by enforcing defaultUser on the session.
-//
-// Note: consider blocking update calls in the proxy when enabling this.
-//
-// app.use(function (req, res, next) {
-//   var options = require('./utils/options')();
-//   req.session.user = { name: options.defaultUser, password: options.defaultPass, profile: { fullname: 'Guest' } };
-//   next();
-// });
-
 app.use(logger('dev'));
 
 app.use('/v1', require('./proxy'));
 app.use('/api', require('./routes'));
 
-app.use('/create', express.static('./build/index.html'));
-app.use('/profile', express.static('./build/index.html'));
-
 console.log('About to crank up node');
 console.log('PORT=' + port);
 console.log('NODE_ENV=' + environment);
diff --git a/app/templates/node-server/proxy.js b/app/templates/node-server/proxy.js
@@ -22,7 +22,7 @@ var options = require('./utils/options')();
 // For any other GET request, proxy it on to MarkLogic.
 router.get('*', function(req, res) {
   noCache(res);
-  if (req.session.user === undefined) {
+  if (!options.guestAccess && req.session.user === undefined) {
     res.status(401).send('Unauthorized');
   } else {
     proxy(req, res);
@@ -35,9 +35,9 @@ router.put('*', function(req, res) {
   // For PUT requests, require authentication
   if (req.session.user === undefined) {
     res.status(401).send('Unauthorized');
-  } else if (req.path === '/v1/documents' &&
+  } else if (options.readOnlyAccess || (req.path === '/v1/documents' &&
     req.query.uri.match('/api/users/') &&
-    req.query.uri.match(new RegExp('/api/users/[^(' + req.session.user.name + ')]+.json'))) {
+    req.query.uri.match(new RegExp('/api/users/[^(' + req.session.user.name + ')]+.json')))) {
     // The user is trying to PUT to a profile document other than his/her own. Not allowed.
     res.status(403).send('Forbidden');
   } else {
@@ -50,10 +50,20 @@ router.put('*', function(req, res) {
 });
 
 // Require authentication for POST requests
+router.post(/^\/(alert\/match|search|suggest|values\/.*)$/, function(req, res) {
+  noCache(res);
+  if (!options.guestAccess && req.session.user === undefined) {
+    res.status(401).send('Unauthorized');
+  } else {
+    proxy(req, res);
+  }
+});
 router.post('*', function(req, res) {
   noCache(res);
   if (req.session.user === undefined) {
     res.status(401).send('Unauthorized');
+  } else if (options.readOnlyAccess) {
+    res.status(403).send('Forbidden');
   } else {
     proxy(req, res);
   }
@@ -64,6 +74,8 @@ router.delete('*', function(req, res) {
   noCache(res);
   if (req.session.user === undefined) {
     res.status(401).send('Unauthorized');
+  } else if (options.readOnlyAccess) {
+    res.status(403).send('Forbidden');
   } else {
     proxy(req, res);
   }
diff --git a/app/templates/node-server/routes.js b/app/templates/node-server/routes.js
@@ -16,7 +16,15 @@ router.get('/user/status', function(req, res) {
   var headers = req.headers;
   noCache(res);
   if (req.session.user === undefined) {
-    res.send({authenticated: false});
+    if (options.guestAccess) {
+      res.send({
+        authenticated: true,
+        username: options.defaultUser,
+        profile: { fullname: 'Guest' }
+      });
+    } else {
+      res.send({authenticated: false});
+    }
   } else {
     delete headers['content-length'];
     var status = http.get({
@@ -29,15 +37,15 @@ router.get('/user/status', function(req, res) {
       if (response.statusCode === 200) {
         response.on('data', function(chunk) {
           var json = JSON.parse(chunk);
-          if (json.user !== undefined) {
-            res.status(200).send({
-              authenticated: true,
-              username: req.session.user.name,
-              profile: json.user
-            });
-          } else {
+          if (json.user === undefined) {
             console.log('did not find chunk.user');
           }
+          res.status(200).send({
+            authenticated: true,
+            username: req.session.user.name,
+            profile: json.user || {}
+          });
+          req.session.user.profile = json.user || {};
         });
       } else if (response.statusCode === 404) {
         //no profile yet for user
@@ -62,68 +70,74 @@ router.post('/user/login', function(req, res) {
   // Attempt to read the user's profile, then check the response code.
   // 404 - valid credentials, but no profile yet
   // 401 - bad credentials
-  var username = req.body.username;
-  var password = req.body.password;
+  var username = req.body.username || '';
+  var password = req.body.password || '';
   var headers = req.headers;
+
   //make sure login isn't cached
   noCache(res);
 
-  // remove content length so ML doesn't wait for request body
-  // that isn't being passed.
-  delete headers['content-length'];
-  var login = http.get({
-    hostname: options.mlHost,
-    port: options.mlHttpPort,
-    path: '/v1/documents?uri=/api/users/' + username + '.json',
-    headers: headers,
-    auth: username + ':' + password
-  }, function(response) {
-    if (response.statusCode === 401) {
-      res.statusCode = 401;
-      res.send('Unauthenticated');
-    } else if (response.statusCode === 404) {
-      // authentication successful, but no profile defined
-      req.session.user = {
-        name: username,
-        password: password
-      };
-      res.status(200).send({
-        authenticated: true,
-        username: username,
-        profile: {}
-      });
-    } else {
-      console.log('code: ' + response.statusCode);
-      if (response.statusCode === 200) {
-        // authentication successful, remember the username
+  var startsWithMatch = new RegExp('^' + options.appName + '-');
+  if (options.appUsersOnly && !startsWithMatch.test(username)) {
+    res.status(403).send('Forbidden');
+  } else {
+    // remove content length so ML doesn't wait for request body
+    // that isn't being passed.
+    delete headers['content-length'];
+
+    var login = http.get({
+      hostname: options.mlHost,
+      port: options.mlHttpPort,
+      path: '/v1/documents?uri=/api/users/' + username + '.json',
+      headers: headers,
+      auth: username + ':' + password
+    }, function(response) {
+
+      if (response.statusCode === 401) {
+        res.status(401).send('Unauthenticated');
+      } else if (response.statusCode === 404) {
+        // authentication successful, but no profile defined
         req.session.user = {
           name: username,
           password: password
         };
-        response.on('data', function(chunk) {
-          var json = JSON.parse(chunk);
-          if (json.user !== undefined) {
+        res.status(200).send({
+          authenticated: true,
+          username: username,
+          profile: {}
+        });
+      } else {
+        console.log('code: ' + response.statusCode);
+        if (response.statusCode === 200) {
+          // authentication successful, remember the username
+          req.session.user = {
+            name: username,
+            password: password
+          };
+          response.on('data', function(chunk) {
+            var json = JSON.parse(chunk);
+            if (json.user === undefined) {
+              console.log('did not find chunk.user');
+            }
             res.status(200).send({
               authenticated: true,
               username: username,
-              profile: json.user
+              profile: json.user || {}
             });
-            req.session.user.profile = json.user;
-          } else {
-            console.log('did not find chunk.user');
-          }
-        });
-      } else {
-        res.statusCode = response.statusCode;
-        res.send(response.statusMessage);
+            req.session.user.profile = json.user || {};
+          });
+        } else {
+          res.status(response.statusCode).send(response.statusMessage);
+        }
       }
-    }
-  });
 
-  login.on('error', function(e) {
-    console.log(JSON.stringify(e));
-    console.log('login failed: ' + e.statusCode);
-  });
+    });
+
+    login.on('error', function(e) {
+      console.log(JSON.stringify(e));
+      console.log('login failed: ' + e.statusCode);
+    });
+  }
 });
 
 router.get('/user/logout', function(req, res) {
diff --git a/app/templates/node-server/utils/options.js b/app/templates/node-server/utils/options.js
@@ -10,11 +10,15 @@ module.exports = function(){
   var envJson = getEnvOptions(environment === 'build' ? 'prod' : 'local');
 
   var options = {
+    appName: process.env.APP_NAME || envJson['app-name'] || 'slush-app',
     appPort: process.env.APP_PORT || envJson['node-port'] || config.defaultPort,
     mlHost: process.env.ML_HOST || envJson['ml-host'] || config.marklogic.host,
     mlHttpPort: process.env.ML_PORT || envJson['ml-http-port'] || config.marklogic.httpPort,
     defaultUser: process.env.ML_APP_USER || envJson['ml-app-user'] || config.marklogic.user,
-    defaultPass: process.env.ML_APP_PASS || envJson['ml-app-pass'] || config.marklogic.password
+    defaultPass: process.env.ML_APP_PASS || envJson['ml-app-pass'] || config.marklogic.password,
+    guestAccess: bool(process.env.GUEST_ACCESS || envJson['guest-access'] || config.marklogic.guestAccess || false),
+    readOnlyAccess: bool(process.env.READ_ONLY_ACCESS || envJson['read-only-access'] || config.marklogic.readOnlyAccess || false),
+    appUsersOnly: bool(process.env.APP_USERS_ONLY || envJson['app-users-only'] || config.marklogic.appUsersOnly || false)
   };
 
   return options;
@@ -35,4 +39,8 @@ module.exports = function(){
     return envJson;
   }
 
+  function bool(x) {
+    return (x === 'true' || x === true);
+  }
+
 };
diff --git a/app/templates/ui/app/login/login.service.js b/app/templates/ui/app/login/login.service.js
@@ -25,7 +25,7 @@
     }
 
     function failLogin(response) {
-      if (response.status === 401) {
+      if (response.status > 200) {
         _loginError = true;
       }
     }
@@ -35,7 +35,7 @@
     }
 
     function getAuthenticatedStatus() {
-      if (_isAuthenticated) {
+      if (_isAuthenticated !== undefined) {
         return _isAuthenticated;
       }
 
diff --git a/slushfile.js b/slushfile.js
@@ -187,6 +187,12 @@ function configRoxy() {
     var matches = passwordMatch.exec(properties);
     settings.appuserPassword = matches[1];
 
+    // fix bug in Roxy causing { in pwd to get escaped mistakenly
+    if (settings.appuserPassword.match(/\{/g)) {
+      settings.appuserPassword = settings.appuserPassword.replace(/\{/g, '');
+      properties = properties.replace(passwordMatch, 'appuser-password=' + settings.appuserPassword);
+    }
+
     fs.writeFileSync('deploy/build.properties', properties);
   } catch (e) {
     console.log('failed to update properties: ' + e.message);
@@ -311,6 +317,7 @@ gulp.task('configGulp', ['init'], function(done) {
 
   try {
     var configJSON = {};
+    configJSON['app-name'] = settings.appName;
     configJSON['ml-version'] = settings.mlVersion;
     configJSON['ml-host'] = settings.marklogicHost;
     configJSON['ml-admin-user'] = settings.marklogicAdminUser;

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`function failLogin(response) {`
`28`		`- if (response.status === 401) {`
	`28`	`+ if (response.status > 200) {`
`29`	`29`	`_loginError = true;`
`30`	`30`	`}`
`31`	`31`	`}`
`@@ -35,7 +35,7 @@`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`function getAuthenticatedStatus() {`
`38`		`- if (_isAuthenticated) {`
	`38`	`+ if (_isAuthenticated !== undefined) {`
`39`	`39`	`return _isAuthenticated;`
`40`	`40`	`}`
`41`	`41`