Merge pull request #5 from exoframejs/develop

Merge branch 'develop', prepare v0.21.0

Author: yamalight

.gitignore

@@ -1,3 +1,4 @@
 node_modules
 .nyc_output
 coverage
+test/fixtures/auth.db

src/auth/index.js

@@ -10,7 +10,7 @@ const uuid = require('uuid');
 // our packages
 const {auth} = require('../../config');
 const {getConfig} = require('../config');
-const {reqCollection} = require('../db');
+const {reqCollection, getTokenCollection} = require('../db');
 
 // promisify readfile
 const readFile = promisify(fs.readFile);
@@ -22,7 +22,15 @@ const publicKeysPath = join(keysFolder, 'authorized_keys');
 
 // validation function
 const validate = (request, decodedToken, callback) => {
-  const {user, loggedIn} = decodedToken;
+  const {user, loggedIn, deploy, tokenName} = decodedToken;
+
+  // if it's a deployment token - check if it's still in db
+  if (deploy) {
+    const existingToken = getTokenCollection().findOne({tokenName, user: user.username});
+    if (!existingToken) {
+      return callback(null, false, user);
+    }
+  }
 
   if (!user || !loggedIn) {
     return callback(null, false, user);
@@ -65,19 +73,58 @@ module.exports = server =>
       });
 
       server.route({
-        method: 'GET',
+        method: 'POST',
         path: '/deployToken',
         config: {auth: 'token'},
         handler(request, reply) {
           // generate new deploy token
+          const tokenName = request.payload.tokenName;
           const user = request.auth.credentials;
-          const token = jwt.sign({loggedIn: true, user, deploy: true}, auth.privateKey, {
+          // generate new private key
+          const token = jwt.sign({loggedIn: true, user, tokenName, deploy: true}, auth.privateKey, {
             algorithm: 'HS256',
           });
+          // save token name to config
+          getTokenCollection().insert({tokenName, user: user.username});
+          // send back to user
           reply({token});
         },
       });
 
+      server.route({
+        method: 'GET',
+        path: '/deployToken',
+        config: {auth: 'token'},
+        handler(request, reply) {
+          // generate new deploy token
+          const user = request.auth.credentials;
+          // save token name to config
+          const tokens = getTokenCollection().find({user: user.username});
+          // send back to user
+          reply({tokens});
+        },
+      });
+
+      server.route({
+        method: 'DELETE',
+        path: '/deployToken',
+        config: {auth: 'token'},
+        handler(request, reply) {
+          // generate new deploy token
+          const tokenName = request.payload.tokenName;
+          const user = request.auth.credentials;
+          const existingToken = getTokenCollection().findOne({user: user.username, tokenName});
+          if (!existingToken) {
+            reply({removed: false, reason: 'Token does not exist'}).code(200);
+            return;
+          }
+          // remove token from collection
+          getTokenCollection().remove(existingToken);
+          // send back to user
+          reply().code(204);
+        },
+      });
+
       server.route({
         method: 'GET',
         path: '/login',
@@ -114,7 +161,10 @@ module.exports = server =>
 
           try {
             const publicKeysFile = await readFile(publicKeysPath);
-            const publicKeys = publicKeysFile.toString().split('\n').filter(k => k && k.length > 0);
+            const publicKeys = publicKeysFile
+              .toString()
+              .split('\n')
+              .filter(k => k && k.length > 0);
             const res = await Promise.all(publicKeys.map(key => verifyWithKey({key, token, phrase: loginReq.phrase})));
             if (!res.some(r => r === true)) {
               reply({error: 'Not authorized!'}).code(401);

src/config/index.js

@@ -19,6 +19,9 @@ const publicKeysPath =
     ? path.join(os.homedir(), '.ssh')
     : path.join(__dirname, '..', '..', 'test', 'fixtures');
 
+// export paths for others
+exports.baseFolder = baseFolder;
+
 // create base folder if doesn't exist
 try {
   fs.statSync(baseFolder);

src/db/index.js

@@ -1,17 +1,44 @@
 // npm packages
+const path = require('path');
 const Loki = require('lokijs');
 
-// init in-memory db for login requests
+// our packages
+const {baseFolder} = require('../config');
+
+// TTL for auth requests
 const REQ_TTL =
   process.env.NODE_ENV !== 'testing'
     ? 5 * 60 * 1000 // 5 mins for prod
     : 0; // 0 for tests
+
+// init in-memory adapter for login requests
 const memAdapter = new Loki.LokiMemoryAdapter();
+const fsAdapter = new Loki.LokiFsAdapter();
+
+// init in-memory requests db
 const db = new Loki('requests.db', {adapter: memAdapter, autoload: true});
+// init persistent tokens db
+let tokenCollection = {};
+const tokenDb = new Loki(path.join(baseFolder, 'auth.db'), {
+  adapter: process.env.NODE_ENV !== 'testing' ? fsAdapter : memAdapter,
+  autoload: true,
+  autoloadCallback() {
+    // get of create tokens collection
+    tokenCollection = tokenDb.getCollection('tokens');
+    if (tokenCollection === null) {
+      tokenCollection = tokenDb.addCollection('tokens');
+    }
+  },
+  autosave: process.env.NODE_ENV !== 'testing',
+});
+
+// create requests collection
 const reqCollection = db.addCollection('requests', {
   ttl: REQ_TTL,
   ttlInterval: REQ_TTL,
 });
 
 exports.db = db;
+exports.tokenDb = tokenDb;
 exports.reqCollection = reqCollection;
+exports.getTokenCollection = () => tokenCollection;

test/login.js

@@ -6,12 +6,14 @@ const jwt = require('jsonwebtoken');
 
 // our packages
 const {auth: authConfig} = require('../config');
+const {getTokenCollection} = require('../src/db');
 
 module.exports = server =>
   new Promise(async resolve => {
     let token = '';
     let phrase = '';
     let loginReqId = '';
+    let deployToken = '';
 
     tap.test('Should get login id and login phrase', t => {
       const options = {
@@ -68,11 +70,14 @@ module.exports = server =>
 
     tap.test('Should generate valid deploy token', t => {
       const options = {
-        method: 'GET',
+        method: 'POST',
         url: '/deployToken',
         headers: {
           Authorization: `Bearer ${token}`,
         },
+        payload: {
+          tokenName: 'test',
+        },
       };
 
       server.inject(options, response => {
@@ -84,9 +89,99 @@ module.exports = server =>
         const decodedUser = jwt.verify(result.token, authConfig.privateKey);
 
         t.equal(decodedUser.user.username, 'admin', 'Login matches request');
+        t.equal(decodedUser.tokenName, 'test', 'Token name matches request');
         t.ok(decodedUser.loggedIn, 'Is logged in');
         t.ok(decodedUser.deploy, 'Is logged in');
 
+        // store for further tests
+        deployToken = result.token;
+
+        t.end();
+      });
+    });
+
+    tap.test('Should allow request with valid deploy token', t => {
+      const options = {
+        method: 'GET',
+        url: '/checkToken',
+        headers: {
+          Authorization: `Bearer ${deployToken}`,
+        },
+      };
+
+      server.inject(options, response => {
+        const result = response.result;
+
+        t.equal(response.statusCode, 200, 'Correct status code');
+        t.ok(result.credentials, 'Has token');
+
+        t.equal(result.message, 'Token is valid', 'Has correct message');
+        t.equal(result.credentials.username, 'admin', 'Login matches request');
+
+        t.end();
+      });
+    });
+
+    tap.test('Should list generated deploy tokens', t => {
+      const options = {
+        method: 'GET',
+        url: '/deployToken',
+        headers: {
+          Authorization: `Bearer ${token}`,
+        },
+      };
+
+      server.inject(options, response => {
+        const result = response.result;
+
+        t.equal(response.statusCode, 200, 'Correct status code');
+        t.ok(result.tokens, 'Has token');
+
+        t.equal(result.tokens.length, 1, 'Should have on generated token');
+        t.equal(result.tokens[0].tokenName, 'test', 'Should have correct token name');
+
+        t.end();
+      });
+    });
+
+    tap.test('Should remove generated deploy tokens', t => {
+      const options = {
+        method: 'DELETE',
+        url: '/deployToken',
+        headers: {
+          Authorization: `Bearer ${token}`,
+        },
+        payload: {
+          tokenName: 'test',
+        },
+      };
+
+      server.inject(options, response => {
+        t.equal(response.statusCode, 204, 'Correct status code');
+
+        // read tokens from DB and make sure there are none
+        const tokens = getTokenCollection().find();
+        t.equal(tokens.length, 0, 'All tokens were deleted');
+
+        t.end();
+      });
+    });
+
+    tap.test('Should not allow request with removed deploy token', t => {
+      const options = {
+        method: 'GET',
+        url: '/checkToken',
+        headers: {
+          Authorization: `Bearer ${deployToken}`,
+        },
+      };
+
+      server.inject(options, response => {
+        const result = response.result;
+
+        t.equal(response.statusCode, 401, 'Correct status code');
+        t.equal(result.error, 'Unauthorized', 'Correct error message');
+
         t.end();
       });
     });