Use current Accounts token location in auth endpoints

- Update the default auth endpoints to store and remove tokens from the location expected by the Meteor Accounts package - The `accounts-base` package now stores hashed tokens in `services.resume.loginTokens.hashedToken`, instead of storing a `services.resume.loginTokens.token` unhashed. - Resolve kahmali#79
jazeee · Jun 15, 2015 · abe390d · abe390d
1 parent a19dfa6
commit abe390d
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 23 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,17 +3,14 @@
 ## [Unreleased]
 
 #### Warning - Potentially breaking change
-- Restivus used to store the account login token in the user document: services.resume.loginTokens.token
-- Restivus now stores the account login token as a hashed token, in the user document: services.resume.loginTokens.hashedToken
+- Restivus used to store the account login token in the user document: `services.resume.loginTokens.token`
+- Restivus now stores the account login token as a hashed token, in the user document: `services.resume.loginTokens.hashedToken`
 - This matches Meteor Accounts package
 
-#### Fixed
-- Issue #79:
-  - Update to match standard Meteor login and Account token storage
-
 #### Changed
+- Update default auth endpoints to match current Accounts token storage (see #79)
 - Return "Unauthorized" for failed authentication
-- To match Meteor, storepassword token as hashedToken
+- To match Meteor, store password token as `hashedToken`
 - Add unit tests for authentication
 
 

diff --git a/README.md b/README.md
@@ -264,7 +264,7 @@ but all properties are optional):
 - _Object_
   - `token`  _String_
     - Default: `'services.resume.loginTokens.hashedToken'`
-    - The path to the auth hashed token in the `Meteor.user` document. This location will be checked for a
+    - The path to the hashed auth token in the `Meteor.user` document. This location will be checked for a
       matching token if one is returned in `auth.user()`.
   - `user`  _Function_
     - Default: Get user ID and auth token from `X-User-Id` and `X-Auth-Token` headers
@@ -287,7 +287,7 @@ but all properties are optional):
         - `userId`: The ID of the user being authenticated
         - `token`: The auth token to be verified
         - If both a `userId` and `token` are returned, Restivus will hash the token, then,
-          authentication will succeed if the `hashed token`
+          authentication will succeed if the `hashedToken`
           exists in the given `Meteor.user` document at the location specified in `auth.token`
       - Complete auth
         - `user`: The fully authenticated `Meteor.user`

diff --git a/lib/restivus.coffee b/lib/restivus.coffee
@@ -312,14 +312,15 @@ class @Restivus
         # Remove the given auth token from the user's account
         authToken = @request.headers['x-auth-token']
         hashedToken = Accounts._hashLoginToken authToken
-        tokenPaths = self.config.auth.token.split '.'
-        tokenPrefix = tokenPaths[..-2].join '.'
-        tokenSuffix = tokenPaths[-1..][0]
-        pullQueryTarget = {}
-        pullQueryTarget[tokenSuffix] = hashedToken
-        pullQuery = {}
-        pullQuery[tokenPrefix] = pullQueryTarget
-        Meteor.users.update @user._id, {$pull: pullQuery}
+        tokenLocation = self.config.auth.token
+        index = tokenLocation.lastIndexOf '.'
+        tokenPath = tokenLocation.substring 0, index
+        tokenFieldName = tokenLocation.substring index + 1
+        tokenToRemove = {}
+        tokenToRemove[tokenFieldName] = hashedToken
+        tokenRemovalQuery = {}
+        tokenRemovalQuery[tokenPath] = tokenToRemove
+        Meteor.users.update @user._id, {$pull: tokenRemovalQuery}
 
         # TODO: Add any return data to response as data.extra
         # Call the logout hook with the logged out user attached

diff --git a/lib/route.coffee b/lib/route.coffee
@@ -159,12 +159,11 @@ class @Route
     auth = @api.config.auth.user.call(endpointContext)
 
     # Get the user from the database
-    if not auth?.user
-      if auth?.userId and auth?.token
-        userSelector = {}
-        userSelector._id = auth.userId
-        userSelector[@api.config.auth.token] = Accounts._hashLoginToken auth.token
-        auth.user = Meteor.users.findOne userSelector
+    if auth?.userId and auth?.token and not auth?.user
+      userSelector = {}
+      userSelector._id = auth.userId
+      userSelector[@api.config.auth.token] = Accounts._hashLoginToken auth.token
+      auth.user = Meteor.users.findOne userSelector
 
     # Attach the user and their ID to the context if the authentication was successful
     if auth?.user