0.7 Release

.travis.yml

@@ -3,11 +3,3 @@ node_js:
   - 'node'
   - 'iojs'
   - '0.12'
-before_install:
-  - sudo apt-get install python-software-properties
-  - sudo add-apt-repository ppa:ubuntu-toolchain-r/test -y
-  - sudo apt-get update -y
-  - sudo apt-get install gcc-4.9 g++-4.9 -y
-  - sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.9 20
-  - sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-4.9 20
-  - sudo update-alternatives --install /usr/bin/gcov gcov /usr/bin/gcov-4.9 20

package.json

@@ -45,7 +45,7 @@
     "./lib/index": "./lib/client/index"
   },
   "dependencies": {
-    "bcrypt": "^0.8.5",
+    "bcryptjs": "^2.3.0",
     "debug": "^2.2.0",
     "feathers-errors": "^2.0.1",
     "feathers-hooks": "^1.5.0",

src/client/index.js

@@ -1,8 +1,16 @@
-import * as hooks from './hooks';
-import { connected, authenticateSocket, getJWT, getStorage } from './utils';
 import errors from 'feathers-errors';
+import * as hooks from './hooks';
+import {
+  connected,
+  authenticateSocket,
+  logoutSocket,
+  getJWT,
+  getStorage,
+  clearCookie
+} from './utils';
 
 const defaults = {
+  cookie: 'fathers-jwt',
   tokenKey: 'feathers-jwt',
   localEndpoint: '/auth/local',
   tokenEndpoint: '/auth/token'
@@ -24,7 +32,7 @@ export default function(opts = {}) {
 
       // If no type was given let's try to authenticate with a stored JWT
       if (!options.type) {
-        getOptions = getJWT(config.tokenKey, this.get('storage')).then(token => {
+        getOptions = getJWT(config.tokenKey, config.cookie, this.get('storage')).then(token => {
           if (!token) {
             return Promise.reject(new errors.NotAuthenticated(`Could not find stored JWT and no authentication type was given`));
           }
@@ -66,12 +74,23 @@ export default function(opts = {}) {
       });
     };
 
+    // Set our logout method with the correct socket context
     app.logout = function() {
       app.set('user', null);
       app.set('token', null);
+
+      clearCookie(config.cookie);
 
-      // TODO (EK): invalidate token with server
-      return Promise.resolve(app.get('storage').setItem(config.tokenKey, ''));
+      // remove the token from localStorage
+      return Promise.resolve(app.get('storage').setItem(config.tokenKey, '')).then(() => {
+        // If using sockets de-authenticate the socket
+        if (app.io || app.primus) {
+          const method = app.io ? 'emit' : 'send';
+          const socket = app.io ? app.io : app.primus;
+
+          return logoutSocket(socket, method);
+        }
+      });
     };
 
     // Set up hook that adds adds token and user to params so that

src/client/utils.js

@@ -36,9 +36,27 @@ export function authenticateSocket(options, socket, method) {
   });
 }
 
+// Returns a promise that de-authenticates a socket
+export function logoutSocket(socket, method) {
+  return new Promise((resolve, reject) => {
+    // If we don't get a logged out message within 10 seconds
+    // consider it a failure. 
+    const timeout = setTimeout(function() {
+      reject(new Error('Could not logout over socket'));
+    }, 10000);
+
+    socket.once('logged out', function() {
+      clearTimeout(timeout);
+      resolve();
+    });
+
+    socket[method]('logout');
+  });
+}
+
 // Returns the value for a cookie
 export function getCookie(name) {
-  if(typeof document !== 'undefined') {
+  if (typeof document !== 'undefined') {
     const value = `; ${document.cookie}`;
     const parts = value.split(`; ${name}=`);
 
@@ -50,13 +68,22 @@ export function getCookie(name) {
   return null;
 }
 
+// Returns the value for a cookie
+export function clearCookie(name) {
+  if (typeof document !== 'undefined') {
+    document.cookie = `${name}=;expires=Thu, 01 Jan 1970 00:00:01 GMT;`; 
+  }
+
+  return null;
+}
+
 // Tries the JWT from the given key either from a storage or the cookie
-export function getJWT(key, storage) {
-  return Promise.resolve(storage.getItem(key)).then(jwt => {
-    const cookieKey = getCookie(key);
+export function getJWT(tokenKey, cookieKey, storage) {
+  return Promise.resolve(storage.getItem(tokenKey)).then(jwt => {
+    const cookieToken = getCookie(cookieKey);
 
-    if(cookieKey) {
-      return cookieKey;
+    if (cookieToken) {
+      return cookieToken;
     }
 
     return jwt;

src/hooks/associate-current-user.js

@@ -10,6 +10,10 @@ export default function(options = {}){
     }
 
     if (!hook.params.user) {
+      if (!hook.params.provider) {
+        return hook;
+      }
+
       throw new Error('There is no current user to associate.');
     }
 

src/hooks/hash-password.js

@@ -1,5 +1,6 @@
-import bcrypt from 'bcrypt';
 import errors from 'feathers-errors';
+import bcrypt from 'bcryptjs';
+
 
 const defaults = { passwordField: 'password' };
 
@@ -11,23 +12,29 @@ export default function(options = {}){
 
     options = Object.assign({}, defaults, hook.app.get('auth'), options);
 
+    const crypto = options.bcrypt || bcrypt;
+
     if (hook.data === undefined) {
       return hook;
     }
 
     const password = hook.data[options.passwordField];
 
     if (password === undefined) {
+      if (!hook.params.provider) {
+        return hook;
+      }
+
       throw new errors.BadRequest(`'${options.passwordField}' field is missing.`);
     }
 
     return new Promise(function(resolve, reject){
-      bcrypt.genSalt(10, function(err, salt) {
-        bcrypt.hash(password, salt, function(err, hash) {
-          if (err) {
-            return reject(err);
+      crypto.genSalt(10, function(error, salt) {
+        crypto.hash(password, salt, function(error, hash) {
+          if (error) {
+            return reject(error);
           }
-          
+
           hook.data[options.passwordField] = hash;
           resolve(hook);
         });

src/hooks/query-with-current-user.js

@@ -10,6 +10,10 @@ export default function(options = {}) {
     }
 
     if (!hook.params.user) {
+      if (!hook.params.provider) {
+        return hook;
+      }
+
       throw new Error('There is no current user to associate.');
     }
 

src/hooks/restrict-to-owner.js

@@ -11,6 +11,10 @@ export default function(options = {}){
       throw new Error(`The 'restrictToOwner' hook should only be used as a 'before' hook.`);
     }
 
+    if (!hook.id) {
+      throw new Error(`The 'restrictToOwner' hook should only be used on the 'get', 'update', 'patch' and 'remove' service methods.`);
+    }
+
     // If it was an internal call then skip this hook
     if (!hook.params.provider) {
       return hook;
@@ -30,13 +34,17 @@ export default function(options = {}){
       throw new Error(`'${options.idField} is missing from current user.'`);
     }
 
-    // NOTE (EK): This just scopes the query for the resource requested to the
-    // current user, which will result in a 404 if they are not the owner.
-    hook.params.query[options.ownerField] = id;
-
-    // TODO (EK): Maybe look up the actual document in this hook and throw a Forbidden error
-    // if (field && id && field.toString() !== id.toString()) {
-    //   throw new errors.Forbidden('You do not have valid permissions to access this.');
-    // }
+    // look up the document and throw a Forbidden error if the user is not an owner
+    return new Promise((resolve, reject) => {
+      this.get(hook.id).then(data => {
+        const field = data[options.ownerField];
+
+        if ( field === undefined || field.toString() !== id.toString() ) {
+          reject(new errors.Forbidden('You do not have the permissions to access this.'));
+        }
+
+        resolve(hook);
+      }).catch(reject);
+    });
   };
 }

src/hooks/restrict-to-roles.js

@@ -17,6 +17,10 @@ export default function(options = {}){
       throw new Error(`The 'restrictToRoles' hook should only be used as a 'before' hook.`);
     }
 
+    if (!hook.id) {
+      throw new Error(`The 'restrictToRoles' hook should only be used on the 'get', 'update', 'patch' and 'remove' service methods.`);
+    }
+
     // If it was an internal call then skip this hook
     if (!hook.params.provider) {
       return hook;
@@ -57,15 +61,18 @@ export default function(options = {}){
     // If we should allow users that own the resource and they don't already have
     // the permitted roles check to see if they are the owner of the requested resource
     if (options.owner && !authorized) {
-      // NOTE (EK): This just scopes the query for the resource requested to the
-      // current user, which will result in a 404 if they are not the owner.
-      hook.params.query[options.ownerField] = id;
-      authorized = true;
-
-      // TODO (EK): Maybe look up the actual document in this hook and throw a Forbidden error
-      // if (field && id && field.toString() !== id.toString()) {
-      //   throw new errors.Forbidden('You do not have valid permissions to access this.');
-      // }
+      // look up the document and throw a Forbidden error if the user is not an owner
+      return new Promise((resolve, reject) => {
+        this.get(hook.id).then(data => {
+          const field = data[options.ownerField];
+
+          if ( field === undefined || field.toString() !== id.toString() ) {
+            reject(new errors.Forbidden('You do not have the permissions to access this.'));
+          }
+
+          resolve(hook);
+        }).catch(reject);
+      });
     }
 
     if (!authorized) {

src/index.js

@@ -21,13 +21,21 @@ const PROVIDERS = {
 // Options that apply to any provider
 const defaults = {
   idField: '_id',
+  shouldSetupSuccessRoute: true,
+  shouldSetupFailureRoute: true,
   successRedirect: '/auth/success',
   failureRedirect: '/auth/failure',
   tokenEndpoint: '/auth/token',
   localEndpoint: '/auth/local',
   userEndpoint: '/users',
   header: 'authorization',
-  cookie: 'feathers-jwt'
+  cookie: {
+    enabled: true,
+    name: 'feathers-jwt',
+    httpOnly: false,
+    secure: process.env.NODE_ENV === 'production' ? true : false,
+    expires: new Date()
+  }
 };
 
 export default function auth(config = {}) {
@@ -52,27 +60,17 @@ export default function auth(config = {}) {
 
     // Merge and flatten options
     const authOptions = Object.assign({}, defaults, app.get('auth'), config);
-
-    // If we should redirect on success and the redirect route is the same as the
-    // default then we'll set up a route handler. Otherwise we'll leave it to the developer
-    // to set up their own custom route handler.
-    if (authOptions.successRedirect === defaults.successRedirect) {
-      debug(`Setting up successRedirect route: ${authOptions.successRedirect}`);
-
-      app.get(authOptions.successRedirect, function(req, res){
-        res.sendFile(path.resolve(__dirname, 'public', 'auth-success.html'));
-      });
+
+    // If a custom success redirect is passed in or it is disabled then we
+    // won't setup the default route handler.
+    if (authOptions.successRedirect !== defaults.successRedirect) {
+      authOptions.shouldSetupSuccessRoute = false;
     }
 
-    // If we should redirect on failure and the redirect route is the same as the
-    // default then we'll set up a route handler. Otherwise we'll leave it to the developer
-    // to set up their own custom route handler.
-    if (authOptions.failureRedirect === defaults.failureRedirect) {
-      debug(`Setting up failureRedirect route: ${authOptions.failureRedirect}`);
-
-      app.get(authOptions.failureRedirect, function(req, res){
-        res.sendFile(path.resolve(__dirname, 'public', 'auth-fail.html'));
-      });
+    // If a custom failure redirect is passed in or it is disabled then we
+    // won't setup the default route handler.
+    if (authOptions.failureRedirect !== defaults.failureRedirect) {
+      authOptions.shouldSetupFailureRoute = false;
     }
 
     // Set the options on the app
@@ -115,7 +113,7 @@ export default function auth(config = {}) {
       // be dealing with a config param and not a provider config
       // If that's the case we don't need to merge params and we
       // shouldn't try to set up a service for this key.
-      if (!isObject(config[key])) {
+      if (!isObject(config[key]) || key === 'cookie') {
         return;
       }
 
@@ -145,6 +143,24 @@ export default function auth(config = {}) {
     // Register error handling middleware for redirecting to support
     // redirecting on authentication failure.
     app.use(middleware.failedLogin(authOptions));
+
+    // Setup route handler for default success redirect
+    if (authOptions.shouldSetupSuccessRoute) {
+      debug(`Setting up successRedirect route: ${authOptions.successRedirect}`);
+
+      app.get(authOptions.successRedirect, function(req, res){
+        res.sendFile(path.resolve(__dirname, 'public', 'auth-success.html'));
+      });
+    }
+
+    // Setup route handler for default failure redirect
+    if (authOptions.shouldSetupFailureRoute) {
+      debug(`Setting up failureRedirect route: ${authOptions.failureRedirect}`);
+
+      app.get(authOptions.failureRedirect, function(req, res){
+        res.sendFile(path.resolve(__dirname, 'public', 'auth-fail.html'));
+      });
+    }
   };
 }