add authorization with cookie

fireice.topcoder · fireice.topcoder · commit 748eb0d5f858 · 2015-01-08T03:03:08.000Z
diff --git a/deploy/development.bat b/deploy/development.bat
@@ -90,4 +90,6 @@ set WATERMARK_FILE_PATH=test/test_files/design_image_file_generator/studio_logo_
 
 set WKHTMLTOIMAGE_COMMAND_PATH=/home/ubuntu/tmp/wkhtmltox-0.12.1/static-build/posix-local/wkhtmltox-0.12.1/bin/wkhtmltoimage
 set WKHTMLTOIMAGE_IMAGE_WIDTH=1024
-set HIGHLIGHT_STYLE_LINK=http://cdnjs.cloudflare.com/ajax/libs/highlight.js/8.3/styles/%OVERRIDE_STYLE_NAME%.min.css
+set HIGHLIGHT_STYLE_LINK=http://cdnjs.cloudflare.com/ajax/libs/highlight.js/8.3/styles/%OVERRIDE_STYLE_NAME%.min.css
+
+set JWT_TOKEN_COOKIE_KEY="tcjwt_vm"
diff --git a/deploy/development.sh b/deploy/development.sh
@@ -96,3 +96,5 @@ export WATERMARK_FILE_PATH=test/test_files/design_image_file_generator/studio_lo
 export WKHTMLTOIMAGE_COMMAND_PATH=/home/ubuntu/tmp/wkhtmltox-0.12.1/static-build/posix-local/wkhtmltox-0.12.1/bin/wkhtmltoimage
 export WKHTMLTOIMAGE_IMAGE_WIDTH=1024
 export HIGHLIGHT_STYLE_LINK=http://cdnjs.cloudflare.com/ajax/libs/highlight.js/8.3/styles/%OVERRIDE_STYLE_NAME%.min.css
+
+export JWT_TOKEN_COOKIE_KEY="tcjwt_vm"
diff --git a/initializers/middleware.js b/initializers/middleware.js
@@ -81,20 +81,27 @@ exports.middleware = function (api, next) {
             isCachedReturned,
             cacheKey,
             socialUserId,
-            socialProvider;
-        if (!_.isDefined(authHeader)) {
+            socialProvider,
+            cookieToken = api.utils.parseCookies(connection.rawConnection.req)[process.env.JWT_TOKEN_COOKIE_KEY];
+
+        if (_.isUndefined(authHeader) && _.isUndefined(cookieToken)) {
             connection.caller = {accessLevel: "anon"};
             next(connection, true);
             return;
         }
+
         async.waterfall([
             function (cb) {
-                var reg = /^bearer ([\s\S]+)$/i;
-                if (!reg.test(authHeader)) {
-                    cb(new IllegalArgumentError("Malformed Auth header"));
-                    return;
+                if (_.isUndefined(authHeader)) {
+                    cb(null, cookieToken);
+                } else {
+                    var reg = /^bearer ([\s\S]+)$/i;
+                    if (!reg.test(authHeader)) {
+                        cb(new IllegalArgumentError("Malformed Auth header"));
+                        return;
+                    }
+                    cb(null, reg.exec(authHeader)[1]);
                 }
-                cb(null, reg.exec(authHeader)[1]);
             }, function (token, cb) {
                 jwt.verify(token,
                     api.config.tcConfig.oauthClientSecret,
@@ -107,6 +114,11 @@ exports.middleware = function (api, next) {
                     return;
                 }
                 var split = decoded.sub.split("|");
+                if (split.length == 1) {
+                    // token.sub should contain "|"
+                    cb(new IllegalArgumentError('Malformed Auth header. token.sub is in bad format!'));
+                    return;
+                }
                 try {
                     socialUserId = (split[split.length-1] || "").trim();
                     socialProvider = (split[0] || "").trim();
@@ -212,7 +224,8 @@ exports.middleware = function (api, next) {
             //error messages returned by jwt.verify(...) method
             if (err.message.indexOf('Invalid token') !== -1 ||
                     String(err.message).startsWith("jwt audience invalid.") ||
-                    err.message === "invalid signature") {
+                    err.message === "invalid signature" ||
+                    err.message === "jwt malformed") {
                 errorMessage = "Malformed Auth header";
                 baseError = api.helper.apiCodes.badRequest;
             } else if (err.message === "jwt expired") {
diff --git a/test/test.oauth.js b/test/test.oauth.js
@@ -45,6 +45,7 @@ describe('Test Oauth', function () {
         adminSubAD = "ad|400001",
         notFoundSub = "google-oauth|458965118758";
     var jwtToken = "";
+    var jwtTokenCookieKey = process.env.JWT_TOKEN_COOKIE_KEY;
 
 
     /**
@@ -83,15 +84,19 @@ describe('Test Oauth', function () {
      * Create request and return it
      * @param {Number} statusCode the expected status code
      * @param {String} authHeader the Authorization header. Optional
+     * @param {String} authCookie the Authorization cookie. Optional
      * @return {Object} request
      */
-    function createRequest(statusCode, authHeader) {
+    function createRequest(statusCode, authHeader, authCookie) {
         var req = request(API_ENDPOINT)
             .get('/test/oauth')
             .set('Accept', 'application/json');
         if (authHeader) {
             req = req.set('Authorization', authHeader);
         }
+        if (authCookie) {
+            req = req.set('cookie', authCookie);
+        }
         return req.expect('Content-Type', /json/).expect(statusCode);
     }
 
@@ -114,6 +119,26 @@ describe('Test Oauth', function () {
             });
     }
 
+    /**
+     * Get response and assert response from /test/oauth
+     * @param {Object} expectedResponse the expected response
+     * @param {String} authHeader the Authorization header. Optional
+     * @param {String} authCookie the Authorization cookie. Optional
+     * @param {Function<err>} done the callback
+     */
+    function assertResponseWithCookie(expectedResponse, authHeader, authCookie, done) {
+        createRequest(200, authHeader, authCookie)
+            .end(function (err, res) {
+                assert.ifError(err);
+                assert.ok(res.body);
+                var response = res.body;
+                delete response.serverInformation;
+                delete response.requesterInformation;
+                assert.deepEqual(response, expectedResponse);
+                done(err);
+            });
+    }
+
     /**
      * Get response and assert response from /test/oauth
      * @param {Number} statusCode the expected status code
@@ -137,6 +162,30 @@ describe('Test Oauth', function () {
             });
     }
 
+    /**
+     * Get response and assert response from /test/oauth
+     * @param {Number} statusCode the expected status code
+     * @param {String} authHeader the Authorization header. Optional
+     * @param {String} authCookie the Authorization cookie. Optional
+     * @param {String} errorMessage the expected error message header. Optional
+     * @param {Function<err>} done the callback
+     */
+    function assertErrorResponseWithCookie(statusCode, authHeader, authCookie, errorMessage, done) {
+        createRequest(statusCode, authHeader, authCookie)
+            .end(function (err, res) {
+                if (err) {
+                    done(err);
+                    return;
+                }
+                if (errorMessage) {
+                    assert.ok(res.body);
+                    assert.ok(res.body.error);
+                    assert.equal(res.body.error.details, errorMessage);
+                }
+                done();
+            });
+    }
+
 
     /**
      * Generate an auth header
@@ -147,6 +196,15 @@ describe('Test Oauth', function () {
         return "Bearer " + jwt.sign(data || {}, SECRET, {expiresInMinutes: 1000, audience: CLIENT_ID});
     }
 
+    /**
+     * Generate an auth cookie
+     * @param {Object} data the data to generate
+     * @return {String} the generated string
+     */
+    function generateAuthCookie(data) {
+        return jwtTokenCookieKey + "=" + jwt.sign(data || {}, SECRET, {expiresInMinutes: 1000, audience: CLIENT_ID});
+    }
+
     /**
      * /test/oauth/ with no header
      */
@@ -245,11 +303,37 @@ describe('Test Oauth', function () {
     /**
      * /test/oauth/ with header
      */
-    it('should be authorized as admin (ac)', function (done) {
+    it('should be authorized as admin (ad)', function (done) {
         var oauth = generateAuthHeader({ sub: adminSubAD});
         assertResponse({accessLevel: "admin", userId: 400001, handle: "admin_user"}, oauth, done);
     });
 
+    /**
+     * /test/oauth/ with header and cookie
+     */
+    it('should be authorized as admin (ad) with both header and cookie', function (done) {
+        var authHeader = generateAuthHeader({ sub: adminSubAD});
+        var authCookie = generateAuthCookie({ sub: adminSubAD});
+        assertResponseWithCookie({accessLevel: "admin", userId: 400001, handle: "admin_user"}, authHeader, authCookie, done);
+    });
+
+    /**
+     * /test/oauth/ with header and cookie
+     */
+    it('should be authorized as admin (ad) with header but invalid cookie', function (done) {
+        var authHeader = generateAuthHeader({ sub: adminSubAD});
+        var authCookie = jwtTokenCookieKey + "=asd";
+        assertResponseWithCookie({accessLevel: "admin", userId: 400001, handle: "admin_user"}, authHeader, authCookie, done);
+    });
+
+    /**
+     * /test/oauth/ without header but with cookie
+     */
+    it('should be authorized as admin (ad) without header but with cookie', function (done) {
+        var authCookie = generateAuthCookie({ sub: adminSubAD});
+        assertResponseWithCookie({accessLevel: "admin", userId: 400001, handle: "admin_user"}, null, authCookie, done);
+    });
+
     /**
      * /test/oauth/ with expired header
      */
@@ -282,6 +366,23 @@ describe('Test Oauth', function () {
         assertErrorResponse(400, oauth + "asd", "Malformed Auth header", done);
     });
 
+    /**
+     * /test/oauth/ with invalid header but valid cookie
+     */
+    it('should return error if header is invalid but cookie is valid', function (done) {
+        var authHeader = generateAuthHeader({ sub: userSubGoogle});
+        var authCookie = generateAuthCookie({ sub: userSubGoogle});
+        assertErrorResponseWithCookie(400, authHeader + "asd", authCookie, "Malformed Auth header", done);
+    });
+
+    /**
+     * /test/oauth/ with no header but invalid cookie
+     */
+    it('should return error if no header provided but cookie is invalid', function (done) {
+        var authCookie = generateAuthCookie({ sub: userSubGoogle});
+        assertErrorResponseWithCookie(400, null, authCookie + "asd", "Malformed Auth header", done);
+    });
+
     /**
      * /test/oauth/ with invalid header
      */
@@ -293,8 +394,16 @@ describe('Test Oauth', function () {
     /**
      * /test/oauth/ with invalid header
      */
-    it('should return error if header is invalid (no provider in sub)', function (done) {
+    it('should return error if header is invalid (bad format)', function (done) {
         var oauth = generateAuthHeader({ sub: "123" });
+        assertErrorResponse(400, oauth, "Malformed Auth header. token.sub is in bad format!", done);
+    });
+
+    /**
+     * /test/oauth/ with invalid header
+     */
+    it('should return error if header is invalid (no provider in sub)', function (done) {
+        var oauth = generateAuthHeader({ sub: "|123" });
         assertErrorResponse(400, oauth, "Malformed Auth header. No provider in token.sub!", done);
     });
 
