From 68f5867f4d8fe2acf1c35e2f40a3cc52d5f53bda Mon Sep 17 00:00:00 2001
From: Tom J
Date: Tue, 23 Aug 2016 17:48:06 -0700
Subject: [PATCH 1/3] Only allow basic auth credentials with a known appId
---
 src/middlewares.js | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/middlewares.js b/src/middlewares.js
index 0311713207..6b1a9f1e29 100644
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -31,9 +31,12 @@ export function handleParseHeaders(req, res, next) {
 var basicAuth = httpAuth(req);
 if (basicAuth) {
- info.appId = basicAuth.appId
- info.masterKey = basicAuth.masterKey || info.masterKey;
- info.javascriptKey = basicAuth.javascriptKey || info.javascriptKey;
+ var basicAuthAppId = basicAuth.appId;
+ if (_cache2.default.get(basicAuthAppId)) {
+ info.appId = basicAuthAppId;
+ info.masterKey = basicAuth.masterKey || info.masterKey;
+ info.javascriptKey = basicAuth.javascriptKey || info.javascriptKey;
+ }
 }
 if (req.body) {
From 693fe817eea9e865d5d9dd1a60b0efe09ed6c706 Mon Sep 17 00:00:00 2001
From: Tom J
Date: Tue, 23 Aug 2016 22:47:55 -0700
Subject: [PATCH 2/3] Update middlewares.js
---
 src/middlewares.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/middlewares.js b/src/middlewares.js
index 6b1a9f1e29..4fa8c9adc1 100644
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -32,7 +32,7 @@ export function handleParseHeaders(req, res, next) {
 if (basicAuth) {
 var basicAuthAppId = basicAuth.appId;
- if (_cache2.default.get(basicAuthAppId)) {
+ if (AppCache.get(basicAuthAppId)) {
 info.appId = basicAuthAppId;
 info.masterKey = basicAuth.masterKey || info.masterKey;
 info.javascriptKey = basicAuth.javascriptKey || info.javascriptKey;
From 94131e1f81f0e1f39dd74aaf515d4f3dbdd7f8c7 Mon Sep 17 00:00:00 2001
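Review bot: A Basic credential whose appId is not in the cache is silently dropped by the new guard in the first hunk of src/middlewares.js, and the request then continues with whatever `info` the X-Parse-* headers supplied, so a request that authenticated itself against an unregistered app is processed as an unauthenticated one with no trace in the logs. A short comment on the guard, e.g. `// Only honour Basic credentials for a registered app; unknown appIds fall through to header-based auth`, would make that intent explicit, and logging the rejected appId (or failing the request outright) would make repeated guesses at app identifiers visible to operators. The guard only confirms that the appId is registered; whether the supplied masterKey or javascriptKey actually belongs to that app is presumably checked later in handleParseHeaders, which starts and ends outside the hunk, so that expectation is worth stating in the comment as well. The `||` fallbacks keep a header-supplied key when the Basic credential carries an empty one, which is pre-existing behaviour but is now easy to misread as part of the new check.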
From: Tom J
Date: Tue, 23 Aug 2016 22:49:14 -0700
Subject: [PATCH 3/3] Updating basic auth tests to use valid appId
---
 spec/index.spec.js | 40 ++++++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 18 deletions(-)
diff --git a/spec/index.spec.js b/spec/index.spec.js
index c0c4a019e0..3987a0da3f 100644
--- a/spec/index.spec.js
+++ b/spec/index.spec.js
@@ -26,27 +26,31 @@ describe('server', () => {
 });
 it('support http basic authentication with masterkey', done => {
- request.get({
- url: 'http://localhost:8378/1/classes/TestObject',
- headers: {
- 'Authorization': 'Basic ' + new Buffer('test:' + 'test').toString('base64')
- }
- }, (error, response, body) => {
- expect(response.statusCode).toEqual(200);
- done();
- });
+ reconfigureServer({ appId: 'test' }).then(() => {
+ request.get({
+ url: 'http://localhost:8378/1/classes/TestObject',
+ headers: {
+ 'Authorization': 'Basic ' + new Buffer('test:' + 'test').toString('base64')
+ }
+ }, (error, response, body) => {
+ expect(response.statusCode).toEqual(200);
+ done();
+ });
+ })
 });
 it('support http basic authentication with javascriptKey', done => {
- request.get({
- url: 'http://localhost:8378/1/classes/TestObject',
- headers: {
- 'Authorization': 'Basic ' + new Buffer('test:javascript-key=' + 'test').toString('base64')
- }
- }, (error, response, body) => {
- expect(response.statusCode).toEqual(200);
- done();
- });
+ reconfigureServer({ appId: 'test' }).then(() => {
+ request.get({
+ url: 'http://localhost:8378/1/classes/TestObject',
+ headers: {
+ 'Authorization': 'Basic ' + new Buffer('test:javascript-key=' + 'test').toString('base64')
+ }
+ }, (error, response, body) => {
+ expect(response.statusCode).toEqual(200);
+ done();
+ });
+ })
 });
 it('fails if database is unreachable', done => {
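Review bot: The spec/index.spec.js hunk only exercises the positive path of the new guard in handleParseHeaders; nothing asserts that Basic credentials naming an appId that is not registered are ignored, which is the behaviour the first patch of this series introduces and the one most worth pinning so a later refactor cannot quietly widen it again. Both rewritten tests also leave the `reconfigureServer(...).then(...)` chain without a rejection handler, so a failed reconfigure leaves `done` uncalled and surfaces only as a timeout; ending each chain with `.catch(done.fail)` gives a real failure message (the same applies to the second test). The `error` argument of the request callback is ignored, so a transport failure shows up as a TypeError on `response.statusCode` rather than as the underlying error; `if (error) return done.fail(error);` at the top of the callback keeps the assertion meaningful. A negative test along the lines below would cover the missing case; the surrounding `describe('server', ...)` block starts and ends outside the hunk, and the expected non-200 status is left unspecified here because the exact rejection code is not visible in this diff.
```javascript
it('ignores http basic authentication for an unknown appId', done => {
  reconfigureServer({ appId: 'test' }).then(() => {
    request.get({
      url: 'http://localhost:8378/1/classes/TestObject',
      headers: {
        // constructed value: an appId that is not registered on this server
        'Authorization': 'Basic ' + new Buffer('unregistered-app:' + 'test').toString('base64')
      }
    }, (error, response, body) => {
      if (error) return done.fail(error);
      expect(response.statusCode).not.toEqual(200);
      done();
    });
  }).catch(done.fail);
});
```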