feat: token refresh

2018-10-12 16:39:02 -04:00
parent 3abd2f917c
commit aa08459daf
6 changed files with 34 additions and 26 deletions
--- a/server/graph/directives/auth.js
+++ b/server/graph/directives/auth.js
@@ -1,5 +1,6 @@
 const { SchemaDirectiveVisitor } = require('graphql-tools')
 const { defaultFieldResolver } = require('graphql')
+const _ = require('lodash')

 class AuthDirective extends SchemaDirectiveVisitor {
  visitObject(type) {
@@ -39,11 +40,13 @@ class AuthDirective extends SchemaDirectiveVisitor {
        }

        const context = args[2]
-        console.info(context.req.user)
-        // const user = await getUser(context.headers.authToken)
-        // if (!user.hasRole(requiredScopes)) {
-        //   throw new Error('not authorized')
-        // }
+        if (!context.req.user) {
+          throw new Error('Unauthorized')
+        }
+
+        if (!_.some(context.req.user.permissions, pm => _.includes(requiredScopes, pm))) {
+          throw new Error('Forbidden')
+        }

        return resolve.apply(this, args)
      }
--- a/server/helpers/security.js
+++ b/server/helpers/security.js
@@ -24,16 +24,14 @@ module.exports = {
    })
  },

-  async extractJWT (req) {
-    return passportJWT.ExtractJwt.fromExtractors([
-      passportJWT.ExtractJwt.fromAuthHeaderAsBearerToken(),
-      (req) => {
-        let token = null
-        if (req && req.cookies) {
-          token = req.cookies['jwt']
-        }
-        return token
+  extractJWT: passportJWT.ExtractJwt.fromExtractors([
+    passportJWT.ExtractJwt.fromAuthHeaderAsBearerToken(),
+    (req) => {
+      let token = null
+      if (req && req.cookies) {
+        token = req.cookies['jwt']
      }
-    ])(req)
-  }
+      return token
+    }
+  ])
 }
--- a/server/middlewares/auth.js
+++ b/server/middlewares/auth.js
@@ -13,12 +13,9 @@ module.exports = {
    WIKI.auth.passport.authenticate('jwt', {session: false}, async (err, user, info) => {
      if (err) { return next() }

-      console.info(err, user, info)
-
      // Expired but still valid within 7 days, just renew
      if (info instanceof jwt.TokenExpiredError && moment().subtract(7, 'days').isBefore(info.expiredAt)) {
        const jwtPayload = jwt.decode(securityHelper.extractJWT(req))
-        console.info(jwtPayload)
        try {
          const newToken = await WIKI.models.users.refreshToken(jwtPayload.id)
          user = newToken.user
--- a/server/models/users.js
+++ b/server/models/users.js
@@ -252,9 +252,9 @@ module.exports = class User extends Model {
        timezone: user.timezone,
        localeCode: user.localeCode,
        defaultEditor: user.defaultEditor,
-        permissions: []
+        permissions: ['manage:system']
      }, WIKI.config.sessionSecret, {
-        expiresIn: '10s',
+        expiresIn: '30m',
        audience: 'urn:wiki.js', // TODO: use value from admin
        issuer: 'urn:wiki.js'
      }),