Merge pull request #8 from tyler-johnson/dev

Author: tyler-johnson

.gitignore

@@ -1,2 +1,3 @@
 node_modules/
 /index.js
+/test.js

.travis.yml

@@ -7,8 +7,6 @@ notifications:
   email: false
 node_js:
   - '6'
-before_install:
-  - npm i -g npm@latest
 before_script:
   - npm run lint
 script:

Makefile

@@ -6,7 +6,10 @@ build: index.js
 index.js: src/index.js $(SRC)
 	$(BIN)/rollup $< -c > $@
 
+test.js: test/index.js $(SRC)
+	$(BIN)/rollup $< -c > $@
+
 clean:
-	rm -rf index.js
+	rm -rf index.js test.js
 
 .PHONY: build clean

README.md

@@ -1,6 +1,6 @@
-# couchdb-auth-proxy
+# CouchDB Auth Proxy
 
-[![npm](https://img.shields.io/npm/v/couchdb-auth-proxy.svg)](https://www.npmjs.com/package/couchdb-auth-proxy) [![David](https://img.shields.io/david/tyler-johnson/couchdb-auth-proxy.svg)](https://david-dm.org/tyler-johnson/couchdb-auth-proxy) [![Build Status](https://travis-ci.org/tyler-johnson/couchdb-auth-proxy.svg?branch=master)](https://travis-ci.org/tyler-johnson/couchdb-auth-proxy)
+[![npm](https://img.shields.io/npm/v/couchdb-auth-proxy.svg)](https://www.npmjs.com/package/couchdb-auth-proxy) [![Build Status](https://travis-ci.org/tyler-johnson/couchdb-auth-proxy.svg?branch=master)](https://travis-ci.org/tyler-johnson/couchdb-auth-proxy)
 
 A Node.js HTTP reverse proxy library for quick and dirty CouchDB proxy authentication.
 
@@ -66,7 +66,7 @@ const server = http.createServer(couchdbProxy(function(req, res, next) {
 - `userCtxFn` (Function, *required*) - Method called on every request, with the request `req` and response `res` as arguments. This method should return a plain object with `name` and `roles` fields, representing the authenticated user. To run an async task, return a promise or pass a third argument `next` for a callback.
 - `options` (Object) - Options to configure the proxy.
   - `options.target` (String) - The URL of the CouchDB server to proxy to. This server must have [proxy authentication enabled](http://docs.couchdb.org/en/1.6.1/api/server/authn.html#proxy-authentication). Defaults to `http://localhost:5984`.
-  - `options.secret` (String) - The [CouchDB secret](http://docs.couchdb.org/en/1.6.1/config/auth.html#couch_httpd_auth/secret) used to sign proxy tokens and cookies. This is very much an optional parameter and in general there is very little reason to use a secret. This is only absolutely required if `couch_httpd_auth/proxy_use_secret` is enabled on CouchDB.
+  - `options.secret` (String) - The [CouchDB secret](http://docs.couchdb.org/en/1.6.1/config/auth.html#couch_httpd_auth/secret) used to sign proxy tokens and cookies. This is only required if `couch_httpd_auth/proxy_use_secret` is enabled on CouchDB (which is recommended).
   - `options.via` (String) - The name of the proxy to add to the `Via` header. This is so consumers of the HTTP API can tell that the request was directed through a proxy. This is optional and the `Via` header will be excluded when not provided.
   - `options.headerFields` (Object) - A map of custom header fields to use for the proxy. This should match what is declared in CouchDB `couch_httpd_auth` configuration, under `x_auth_roles`, `x_auth_token`, and `x_auth_username`. This is the default map:
   ```json

package.json

@@ -11,6 +11,7 @@
   "scripts": {
     "lint": "eslint src/ test/",
     "build": "make clean && make",
+    "test": "make test.js && node test.js",
     "prepublish": "npm run build",
     "autorelease": "autorelease pre && npm publish && autorelease post"
   },
@@ -29,9 +30,13 @@
     "babel-plugin-transform-es2015-parameters": "^6.11.4",
     "babel-plugin-transform-object-rest-spread": "^6.8.0",
     "eslint": "^3.2.2",
+    "express": "^4.15.2",
     "rollup": "^0.34.3",
     "rollup-plugin-babel": "^2.6.1",
-    "rollup-plugin-json": "^2.0.1"
+    "rollup-plugin-json": "^2.0.1",
+    "supertest": "^3.0.0",
+    "tape": "^4.6.3",
+    "tape-promise": "^2.0.1"
   },
   "keywords": [],
   "license": "MIT",

src/index.js

@@ -4,7 +4,7 @@ import {parse} from "url";
 import httpProxy from "http-proxy";
 import transformerProxy from "transformer-proxy";
 
-export default function(fn, opts={}) {
+export default function couchdbAuthProxy(fn, opts={}) {
 	if (typeof fn === "object") [opts,fn] = [fn,opts];
 
 	let {
@@ -51,10 +51,12 @@ export default function(fn, opts={}) {
 			// inject couchdb proxy headers into request
 			const ctx = await confusedAsync(fn, null, [ req, res ]);
 			if (ctx != null) {
+				const { username, roles, token } = headerFields;
+				cleanHeaders(req, [ username, roles, token ]);
 				const n = typeof ctx.name === "string" ? ctx.name : "";
-				req.headers[headerFields.username] = n;
-				req.headers[headerFields.roles] = Array.isArray(ctx.roles) ? ctx.roles.join(",") : "";
-				if (secret) req.headers[headerFields.token] = signRequest(n, secret);
+				req.headers[username] = n;
+				req.headers[roles] = Array.isArray(ctx.roles) ? ctx.roles.join(",") : "";
+				if (secret) req.headers[token] = sign(n, secret);
 			}
 
 			proxy.web(req, res);
@@ -66,9 +68,9 @@ export default function(fn, opts={}) {
 }
 
 // couchdb proxy signed token
-function signRequest(user, secret) {
+const sign = couchdbAuthProxy.sign = function(user, secret) {
 	return createHmac("sha1", secret).update(user).digest("hex");
-}
+};
 
 // for methods that we don't know if they are callback or promise async
 function confusedAsync(fn, ctx, args=[]) {
@@ -83,3 +85,13 @@ function confusedAsync(fn, ctx, args=[]) {
 		return Promise.resolve(fn.apply(ctx, args));
 	}
 }
+
+// removes a list of headers from a request
+// accounts for Node.js lowercase headers
+// https://github.com/tyler-johnson/couchdb-auth-proxy/issues/7
+function cleanHeaders(req, headers) {
+	headers.forEach(header => {
+		delete req.headers[header];
+		delete req.headers[header.toLowerCase()];
+	});
+}

test/index.js

@@ -0,0 +1,100 @@
+import {test} from "./utils";
+import couchdbProxy from "../src/index";
+import request from "supertest";
+
+test("attaches proxy headers", async function(t, couchdb, target) {
+  t.plan(4);
+
+  couchdb.use(function(req, res) {
+    t.equals(req.get("X-Auth-CouchDB-UserName"), "test", "proxied correct user name");
+    t.equals(req.get("X-Auth-CouchDB-Roles"), "testrole1,testrole2", "proxied correct roles");
+    t.notOk(req.get("X-Auth-CouchDB-Token"), "did not proxy a token");
+    res.json({ foo: "bar" });
+  });
+
+  const proxy = couchdbProxy(function() {
+    return {
+      name: "test",
+      roles: [ "testrole1", "testrole2" ]
+    };
+  }, {
+    target
+  });
+
+  const {body} = await request(proxy).get("/").expect(200);
+  t.equals(body.foo, "bar", "has original json content");
+});
+
+test("signs request with secret", async function(t, couchdb, target) {
+  t.plan(3);
+  const secret = "mysupersecret";
+  const token = couchdbProxy.sign("test", secret);
+
+  couchdb.use(function(req, res) {
+    t.equals(req.get("X-Auth-CouchDB-Token"), token, "proxied signed token");
+    res.json({ foo: "bar" });
+  });
+
+  const proxy = couchdbProxy(function() {
+    return {
+      name: "test",
+      roles: [ "testrole1", "testrole2" ]
+    };
+  }, {
+    target, secret
+  });
+
+  t.ok(token, "created a token");
+
+  const {body} = await request(proxy).get("/").expect(200);
+  t.equals(body.foo, "bar", "has original json content");
+});
+
+test("injects proxy info into root response", async function(t, couchdb, target) {
+  t.plan(2);
+
+  couchdb.get("/", (req, res) => {
+    res.json({ foo: "bar" });
+  });
+
+  const proxy = couchdbProxy(function() {
+    return {
+      name: "test",
+      roles: [ "testrole1", "testrole2" ]
+    };
+  }, {
+    target,
+    info: { hello: "world" }
+  });
+
+  const {body} = await request(proxy).get("/").expect(200);
+  t.equals(body.foo, "bar", "has original json content");
+  t.deepEquals(body.proxy, { hello: "world" }, "has custom info contents");
+});
+
+test("removes original session headers", async function(t, couchdb, target) {
+  t.plan(3);
+
+  couchdb.get("/", (req, res) => {
+    t.equals(req.get("X-Auth-CouchDB-UserName"), "test", "proxied correct user name");
+    t.equals(req.get("X-Auth-CouchDB-Roles"), "testrole1,testrole2", "proxied correct roles");
+    res.json({ foo: "bar" });
+  });
+
+  const proxy = couchdbProxy(function() {
+    return {
+      name: "test",
+      roles: [ "testrole1", "testrole2" ]
+    };
+  }, {
+    target
+  });
+
+  const {body} = await request(proxy)
+    .get("/")
+    .set("X-Auth-CouchDB-UserName", "previous")
+    .set("X-Auth-CouchDB-Roles", "prevrole1,prevrole2")
+    .expect(200);
+
+  t.equals(body.foo, "bar", "has original json content");
+});

test/utils.js

@@ -0,0 +1,32 @@
+import tape from "tape";
+import tapePromise from "tape-promise";
+import http from "http";
+import express from "express";
+
+const tapeTest = tapePromise(tape);
+
+export async function startServer(server) {
+  await new Promise((resolve, reject) => {
+    server.once("error", reject);
+    server.listen(0, () => {
+      server.removeListener("error", reject);
+      resolve();
+    });
+  });
+
+  return "http://127.0.0.1:" + server.address().port;
+}
+
+export function test(name, fn) {
+  return tapeTest(name, async function(t) {
+    const couchdb = express();
+    const couchdbServer = http.createServer(couchdb);
+
+    try {
+      const couchdbUrl = await startServer(couchdbServer);
+      await fn.call(this, t, couchdb, couchdbUrl);
+    } finally {
+      couchdbServer.close();
+    }
+  });
+}