feat: token refresh

2018-10-12 16:39:02 -04:00 · 2018-10-12 16:39:02 -04:00 · aa08459daf
commit aa08459daf
parent 3abd2f917c
6 changed files with 34 additions and 26 deletions
--- a/client/components/login.vue
+++ b/client/components/login.vue
@ -11,7 +11,7 @@
            offset-xl4, xl4
            )
            transition(name='zoom')
-              v-card.elevation-5.radius-7(v-show='isShown')
+              v-card.elevation-5.md2(v-show='isShown')
                v-toolbar(color='primary', flat, dense, dark)
                  v-spacer
                  .subheading(v-if='screen === "tfa"') {{ $t('auth:tfa.subtitle') }}
@ -59,7 +59,7 @@
                    )
                v-card-actions.pb-4
                  v-spacer
-                  v-btn(
+                  v-btn.md2(
                    v-if='screen === "login"'
                    block
                    large
@ -68,7 +68,7 @@
                    round
                    :loading='isLoading'
                    ) {{ $t('auth:actions.login') }}
-                  v-btn(
+                  v-btn.md2(
                    v-if='screen === "tfa"'
                    block
                    large
--- a/client/scss/layout/_md2.scss
+++ b/client/scss/layout/_md2.scss
@ -1,7 +1,17 @@
 .md2 {

-  &.v-text-field .v-input__slot {
-    border-radius: 28px;
+  &.v-text-field {
+    .v-input__slot {
+      border-radius: 7px;
+    }
+  }
+
+  &.v-btn {
+    border-radius: 7px;
+  }
+
+  &.v-card {
+    border-radius: 7px;
  }

 }
--- a/server/graph/directives/auth.js
+++ b/server/graph/directives/auth.js
@ -1,5 +1,6 @@
 const { SchemaDirectiveVisitor } = require('graphql-tools')
 const { defaultFieldResolver } = require('graphql')
+const _ = require('lodash')

 class AuthDirective extends SchemaDirectiveVisitor {
  visitObject(type) {
@ -39,11 +40,13 @@ class AuthDirective extends SchemaDirectiveVisitor {
        }

        const context = args[2]
-        console.info(context.req.user)
-        // const user = await getUser(context.headers.authToken)
-        // if (!user.hasRole(requiredScopes)) {
-        //   throw new Error('not authorized')
-        // }
+        if (!context.req.user) {
+          throw new Error('Unauthorized')
+        }
+
+        if (!_.some(context.req.user.permissions, pm => _.includes(requiredScopes, pm))) {
+          throw new Error('Forbidden')
+        }

        return resolve.apply(this, args)
      }
--- a/server/helpers/security.js
+++ b/server/helpers/security.js
@ -24,8 +24,7 @@ module.exports = {
    })
  },

-  async extractJWT (req) {
-    return passportJWT.ExtractJwt.fromExtractors([
+  extractJWT: passportJWT.ExtractJwt.fromExtractors([
    passportJWT.ExtractJwt.fromAuthHeaderAsBearerToken(),
    (req) => {
      let token = null
@ -34,6 +33,5 @@ module.exports = {
      }
      return token
    }
-    ])(req)
-  }
+  ])
 }
--- a/server/middlewares/auth.js
+++ b/server/middlewares/auth.js
@ -13,12 +13,9 @@ module.exports = {
    WIKI.auth.passport.authenticate('jwt', {session: false}, async (err, user, info) => {
      if (err) { return next() }

-      console.info(err, user, info)
-
      // Expired but still valid within 7 days, just renew
      if (info instanceof jwt.TokenExpiredError && moment().subtract(7, 'days').isBefore(info.expiredAt)) {
        const jwtPayload = jwt.decode(securityHelper.extractJWT(req))
-        console.info(jwtPayload)
        try {
          const newToken = await WIKI.models.users.refreshToken(jwtPayload.id)
          user = newToken.user
--- a/server/models/users.js
+++ b/server/models/users.js
@ -252,9 +252,9 @@ module.exports = class User extends Model {
        timezone: user.timezone,
        localeCode: user.localeCode,
        defaultEditor: user.defaultEditor,
-        permissions: []
+        permissions: ['manage:system']
      }, WIKI.config.sessionSecret, {
-        expiresIn: '10s',
+        expiresIn: '30m',
        audience: 'urn:wiki.js', // TODO: use value from admin
        issuer: 'urn:wiki.js'
      }),