Merge pull request #1177 from solid/fix/#1176

jaxoncreed · web-flow · commit b06eacc091d9 · 2019-04-24T08:51:25.000-04:00
Users with invalid tokens can now access public resources
diff --git a/lib/api/authn/webid-oidc.js b/lib/api/authn/webid-oidc.js
@@ -31,7 +31,17 @@ function initialize (app, argv) {
   app.use('/', middleware(oidc))
 
   // Perform the actual authentication
-  app.use('/', oidc.rs.authenticate())
+  app.use('/', async (req, res, next) => {
+    oidc.rs.authenticate()(req, res, (err) => {
+      // Error handling should be deferred to the ldp in case a user with a bad token is trying
+      // to access a public resource
+      if (err) {
+        req.authError = err
+        res.status(200)
+      }
+      next()
+    })
+  })
 
   // Expose session.userId
   app.use('/', (req, res, next) => {
diff --git a/lib/handlers/allow.js b/lib/handlers/allow.js
@@ -66,7 +66,7 @@ function allow (mode, checkPermissionsForDirectory) {
         }
       }
     }
-    const error = await req.acl.getError(userId, mode)
+    const error = req.authError || await req.acl.getError(userId, mode)
     debug(`${mode} access denied to ${userId || '(none)'}: ${error.status} - ${error.message}`)
     next(error)
   }
diff --git a/test/integration/errors-oidc-test.js b/test/integration/errors-oidc-test.js
@@ -94,6 +94,12 @@ describe('OIDC error handling', function () {
           .expect('WWW-Authenticate', 'Bearer realm="https://localhost:3457", scope="openid webid", error="invalid_token", error_description="Access token is expired"')
           .expect(401)
       })
+
+      it('should return a 200 if the resource is public', () => {
+        return server.get('/public/')
+          .set('Authorization', 'Bearer ' + expiredToken)
+          .expect(200)
+      })
     })
   })
 })
diff --git a/test/resources/accounts/errortests/public/.acl b/test/resources/accounts/errortests/public/.acl
@@ -0,0 +1,19 @@
+# ACL resource for the public folder
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+# The owner has all permissions
+<#owner>
+    a acl:Authorization;
+    acl:agent <https://localhost:3457/profile/card#me>;
+    acl:accessTo <./>;
+    acl:default <./>;
+    acl:mode acl:Read, acl:Write, acl:Control.
+
+# The public has read permissions
+<#public>
+    a acl:Authorization;
+    acl:agentClass foaf:Agent;
+    acl:accessTo <./>;
+    acl:default <./>;
+    acl:mode acl:Read.

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ function allow (mode, checkPermissionsForDirectory) {`
`66`	`66`	`}`
`67`	`67`	`}`
`68`	`68`	`}`
`69`		`- const error = await req.acl.getError(userId, mode)`
	`69`	`+ const error = req.authError \|\| await req.acl.getError(userId, mode)`
`70`	`70`	debug(`${mode} access denied to ${userId \|\| '(none)'}: ${error.status} - ${error.message}`)
`71`	`71`	`next(error)`
`72`	`72`	`}`