use jwt to create authorized tokens for access keys

nightscout · Jul 30, 2016 · f4e1b30 · f4e1b30
1 parent 810b0e3
commit f4e1b30
Show file tree

Hide file tree

Showing 5 changed files with 95 additions and 1 deletion.
diff --git a/app.js b/app.js
@@ -33,6 +33,7 @@ function create (env, ctx) {
   app.use('/api/v1', bodyParser({limit: 1048576 * 50 }), api);
 
   app.use('/api/v2/properties', ctx.properties);
+  app.use('/api/v2/access', ctx.access.endpoints);
 
   // pebble data
   app.get('/pebble', ctx.pebble);

diff --git a/lib/api/access.js b/lib/api/access.js
@@ -0,0 +1,91 @@
+'use strict';
+
+var _ = require('lodash');
+var express = require('express');
+var crypto = require('crypto');
+var jwt = require('jsonwebtoken');
+
+var consts = require('../constants');
+
+function create (env, ctx) {
+  var endpoints = express( );
+
+  var wares = require('../middleware/')(env);
+
+  endpoints.use(wares.sendJSONStatus);
+  // text body types get handled as raw buffer stream
+  endpoints.use(wares.bodyParser.raw());
+  // json body types get handled as parsed json
+  endpoints.use(wares.bodyParser.json());
+  // also support url-encoded content-type
+  endpoints.use(wares.bodyParser.urlencoded({ extended: true }));
+
+
+  //TODO: load from mongo
+  var tokens = _.map([
+    {_id: '579cf4ad65110bbfc193acc3', name: 'Dad', roles: ['admin']}
+    , {_id: '579cef9265110bbfc193acbd', name: 'Mom', roles: ['admin']}
+    , {_id: '579ce3dd65110bbfc193acaf', name: 'Health Office', roles: ['careportal']}
+  ], function eachToken(token) {
+    var shasum = crypto.createHash('sha1');
+    shasum.update(env.api_secret);
+    shasum.update(token._id);
+
+    delete token._id
+    token.key = shasum.digest('hex');
+
+    return token;
+  });
+
+  var roles = [
+    {name: 'admin', activities: ['*:*']}
+    , {name: 'careportal', activities: ['treatments:post']}
+  ];
+
+  endpoints.get('/tokens', wares.verifyAuthorization, function getTokens (req, res) {
+    res.json(tokens);
+  });
+
+  endpoints.get('/roles', wares.verifyAuthorization, function getRoles (req, res) {
+    res.json(roles);
+  });
+
+  endpoints.post('/authorize', function authorize (req, res) {
+    var key = req.body && req.body.key;
+
+    var token = _.find(tokens, {key: key});
+
+    if (token) {
+      var authorized = jwt.sign({ name: token.name, roles: token.roles }, env.api_secret);
+      res.send(authorized);
+    } else {
+      res.status(consts.HTTP_UNAUTHORIZED).send('Unauthorized - Invalid/Missing');
+    }
+  });
+
+  endpoints.post('/verify', function authorize (req, res) {
+    var authorized = req.body && req.body.authorized;
+
+    if (authorized) {
+      jwt.verify(authorized, env.api_secret, function result (err, verified) {
+        if (err) {
+          console.info('Error verifiing Authorized Token', err);
+          res.status(consts.HTTP_UNAUTHORIZED).send('Unauthorized - Invalid/Missing');
+        } else {
+          console.info('Verified Authorized Token', verified);
+          res.send(true);
+        }
+      });
+    } else {
+      res.status(consts.HTTP_UNAUTHORIZED).send('Unauthorized - Invalid/Missing');
+    }
+
+  });
+
+
+  return {
+    endpoints: endpoints
+  };
+}
+
+module.exports = create;
diff --git a/lib/bootevent.js b/lib/bootevent.js
@@ -57,6 +57,7 @@ function boot (env) {
     ctx.food = require('./food')(env, ctx);
     ctx.pebble = require('./pebble')(env, ctx);
     ctx.properties = require('./api/properties')(env, ctx);
+    ctx.access = require('./api/access')(env, ctx);
     ctx.bus = require('./bus')(env.settings, ctx);
     ctx.ddata = require('./data/ddata')();
     ctx.dataloader = require('./data/dataloader')(env, ctx);

diff --git a/lib/middleware/verify-token.js b/lib/middleware/verify-token.js
@@ -8,7 +8,7 @@ function configure (env) {
         // Retrieve the secret values to be compared.
         var api_secret = env.api_secret;
 
-        var secret = req.params.secret ? req.params.secret : req.header('api-secret');
+        var secret = req.query && req.query.secret ? req.query.secret : req.header('api-secret');
 
         // try to get the scret from the body, but don't leave it there
         if (!secret && req.body) {

diff --git a/package.json b/package.json
@@ -63,6 +63,7 @@
     "forever": "~0.13.0",
     "git-rev": "git://github.com/bewest/git-rev.git",
     "jquery": "^2.1.4",
+    "jsonwebtoken": "^7.1.7",
     "lodash": "^4.0.0",
     "long": "~2.2.3",
     "mfb": "^0.12.0",