Comparing version 0.5.1 to 0.6.0
@@ -10,3 +10,3 @@ /*jslint node:true, nomen:false */ | ||
if (!req[csauth]) { | ||
next(errors.unauthenticated()); | ||
res.send(401,errors.unauthenticated()); | ||
logged = false; | ||
@@ -97,3 +97,3 @@ } | ||
if (!checkSelf(req,res,next)) { | ||
next(errors.unauthorized()); | ||
res.send(403,errors.unauthorized()); | ||
} | ||
@@ -110,3 +110,3 @@ } | ||
if (!checkUserRoles(req,res,next,roles)) { | ||
next(errors.unauthorized()); | ||
res.send(403,errors.unauthorized()); | ||
} | ||
@@ -123,3 +123,3 @@ } | ||
if (!checkUserRoles(req,res,next,roles)) { | ||
next(errors.unauthorized()); | ||
res.send(403,errors.unauthorized()); | ||
} | ||
@@ -135,3 +135,3 @@ } | ||
if (!checkParam(req,res,next,param)) { | ||
next(errors.unauthorized()); | ||
res.send(403,errors.unauthorized()); | ||
} | ||
@@ -151,3 +151,3 @@ } | ||
if (!checkParam(req,res,next,param)) { | ||
next(errors.unauthorized()); | ||
res.send(403,errors.unauthorized()); | ||
} | ||
@@ -165,3 +165,3 @@ } | ||
if (!checkField(req,res,next,field,getField)) { | ||
next(errors.unauthorized()); | ||
res.send(403,errors.unauthorized()); | ||
} | ||
@@ -180,3 +180,3 @@ } | ||
if (!checkField(req,res,next,field,getField)) { | ||
next(errors.unauthorized()); | ||
res.send(403,errors.unauthorized()); | ||
} | ||
@@ -183,0 +183,0 @@ } |
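Review bot: The `res.send(403, …)` lines that replace `next(errors.unauthorized())` at hunks 97, 110, 123, 135, 151, 165 and 180 are not followed by a `return`, and each enclosing middleware continues past the hunk, so whatever follows the `if` still executes; in the first hunk (line 10) the code visibly carries on with `logged = false;`. With the old `next(err)` form the error handler took over, but after a bare `res.send` a later unconditional `next()` in the same function would hand an already-rejected request to the protected route handler, which can still perform side effects even though it cannot write the response. Where the function has nothing further to do, write `return res.send(403, errors.unauthorized());`, otherwise confirm that no `next()` call is reachable on the rejection path. No `+`/`-` markers survive in this section; which line is old and which is new is inferred from the errors.js and README hunks on this page, and every enclosing function here starts and ends outside its hunk.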
/*jslint node:true, nomen:true */ | ||
var fs = require('fs'), vm = require('vm'), _ = require('lodash'), csauth = "X-CS-Auth", | ||
var fs = require('fs'), vm = require('vm'), _ = require('lodash'), errors = require('./errors'), csauth = "X-CS-Auth", | ||
/* | ||
@@ -114,5 +114,5 @@ * pathRegexp from expressjs https://github.com/visionmedia/express/blob/master/lib/utils.js and modified per our needs | ||
if (!authenticated) { | ||
res.send(401); | ||
res.send(401,errors.unauthenticated()); | ||
} else if (!authorized) { | ||
res.send(403); | ||
res.send(403,errors.unauthorized()); | ||
} else { | ||
@@ -119,0 +119,0 @@ next(); |
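Review bot: The new `res.send(401, errors.unauthenticated())` at hunk 114 sends a 401 without a `WWW-Authenticate` header, which RFC 7235 expects on every 401; the README on this page says cansecurity accepts HTTP Basic credentials, so if this is the branch that rejects them a client has no challenge to react to. If the omission is deliberate (for example to avoid browser credential dialogs with stateless sessions), a one-line comment such as `// no WWW-Authenticate on purpose: avoids the browser Basic-auth prompt` would save the next reader the question; otherwise set it before the send. The enclosing function starts outside the hunk, so this may already be handled elsewhere.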
/*global module, require, Buffer */ | ||
var errors = { | ||
unauthorized: function(msg){ return {status: 403, message: msg || "unauthorized"};}, | ||
unauthenticated: function(msg){ return {status: 401, message: msg || "unauthenticated"};}, | ||
unauthorized: function(msg){ return msg || "unauthorized";}, | ||
unauthenticated: function(msg){ return msg || "unauthenticated";}, | ||
// 409 is a resource conflict - see RFC2616 | ||
conflict: function(msg){ return {status: 409, message: msg || "conflict"};}, | ||
badRequest: function(msg){ return {status: 400, message: msg || "badrequest"};}, | ||
notFound: function(msg){ return {status: 404, message: msg || "notfound"};}, | ||
server: function(msg) {return {status: 500, message: msg || ""};} | ||
conflict: function(msg){ return msg || "conflict";}, | ||
badRequest: function(msg){ return msg || "badrequest";}, | ||
notFound: function(msg){ return msg || "notfound";}, | ||
server: function(msg) {return msg || "";} | ||
}; | ||
@@ -12,0 +12,0 @@ |
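Review bot: `server` is the only helper whose new default is the empty string, so `res.send(500, errors.server())` now produces a 500 with no body while every sibling returns a readable message; `server: function(msg) {return msg || "server error";}` would keep the map consistent. Since the rewritten helpers drop the `status` field, any caller outside these hunks that still does `next(errors.x())` would now pass a bare string to the Express error handler and lose the status code, so a short header comment stating that each helper returns a plain message body intended for `res.send(status, …)` would make the new contract explicit.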
@@ -102,3 +102,3 @@ /*global module, require, Buffer */ | ||
session({req: req, res: res, message: message}); | ||
next(errors.unauthenticated(message)); | ||
res.send(401,errors.unauthenticated(message)); | ||
} | ||
@@ -114,3 +114,3 @@ }); | ||
session({req: req, res: res, message: message}); | ||
next(errors.unauthenticated(message)); | ||
res.send(401,errors.unauthenticated(message)); | ||
} | ||
@@ -117,0 +117,0 @@ }); |
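Review bot: In both hunks (102 and 114) `message` is forwarded verbatim into the 401 body, and in express 3 `res.send(401, string)` defaults the Content-Type to text/html, so whatever `message` contains is rendered as markup by the client. If `message` can ever carry text derived from the request or from the application's `validate()` callback, that is reflected content; adding `res.type('text');` before the send, or documenting that `message` is always a fixed server-side string, closes the question. The two hunks are byte-identical, so the same fix applies to both; the enclosing functions start outside the hunks.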
{ | ||
"name": "cansecurity", | ||
"description": "cansecurity is your all-in-one security library for user authentication, authorization and management in node expressjs apps", | ||
"version": "0.5.1", | ||
"version": "0.6.0", | ||
"url": "http://github.com/deitch/cansecurity", | ||
@@ -6,0 +6,0 @@ "author": "Avi Deitcher <avi@deitcher.net>", |
@@ -69,24 +69,5 @@ # cansecurity | ||
#### Changes to version 0.5.0 | ||
These notes apply to anyone using cansecurity *prior* to v0.5.0. These changes may be breaking, so read carefully. | ||
#### Changes | ||
For any breaking changes, please see the end of this README. | ||
##### express 3.x required | ||
Prior to version 0.5.0 (and preferably prior to 0.4.8), cansecurity worked with express 2.x and 3.x, although the full testing regimen worked properly only in express 2.x. Beginning with 0.5.0, only express 3.x will work. | ||
##### validatePassword and getUser consolidated into | ||
In versions of cansecurity prior to 0.5.0, there were two functions passed to `init()`: | ||
* `validatePassword()` was called when the user authenticated with credentials to be checked. | ||
* `getUser()` was called when the user was authenticated *already* using a token or session, and we just needed the user object. | ||
As of version 0.5.0, these are consolidated into a single `validate()` function. Please check the documentation below. | ||
Until version 1.0 of cansecurity, the legacy functions will continue to operate, if deprecated, under the following circumstances: | ||
IF `validate()` is `undefined`, AND (`validatePassword()` and `getUser()`) are present, THEN cansecurity will use the old API. | ||
IF `validate()` is defined, THEN (`validatePassword()` and `getUser()`) will be ignored, whether present or not. | ||
Beginning with cansecurity 1.0, the old API will not function at all. | ||
### Authentication | ||
@@ -189,11 +170,11 @@ cansecurity will manage your user authentication, including managing stateless sessions. It can use either native express sessions and or its own **stateless** sessions. cansecurity stateless sessions can keep a user logged in automatically across multiple nodejs instances, essentially creating free single-sign-on. | ||
### Unauthenticated Errors | ||
cansecurity will never directly return errors. It will authenticate a user, or fail to do so, set request["X-CS-Auth"], and request.session["X-CS-Auth"] if sessions are enabled, and then call next() to jump to the next middleware. | ||
When authnetication fails, cansecurity will directly return 401 with the message "unauthenticated". | ||
cansecurity **will** call next(error) in only the following case: | ||
* If authentication is required and succeeds, it will set request["X-CS-Auth"], and request.session["X-CS-Auth"] if sessions are enabled, and then call next() to jump to the next middleware. | ||
* If authentication is required and fails, it will return `401` with the text message `unauthenticated` | ||
* If authentication is **not** required, it will jump to the next middleware | ||
If the user has provided HTTP Basic Authentication credentials in the form of username/password **and** the authentication via `validate()` fails. In that case, cansecurity will call | ||
next({status: 401, message:"some message"}); | ||
It is up to you to make sure that you use expressjs's app.use() error handler to correctly handle this error. | ||
### Why We Need the "Password" in the Validate() Callback | ||
@@ -352,10 +333,6 @@ The callback to `validate()` expects you to return a "pass", or any user-unique string. Although this is never given to any other function, let alone to the client, why is the "pass" necessary? | ||
#### Unauthorized Errors | ||
cansecurity authorization will never directly return errors. If a restrictTo* middleware is called, and authorization fails, it will call next(error). The error will always be structured as follows: | ||
cansecurity authorization will directly return a `403` and message `unauthorized` if authorization is required, i.e. a restrictTo* middleware is called, **and** fails. | ||
next({status: 401, message:"unauthorized"}); | ||
Obviously, authentication comes before authorization, and if the user fails to authenticate, you may get a 401 from the authentication section without ever trying authorization. | ||
Obviously, authentication comes before authorization, and if the user fails to authenticated, you may get a 401 from the authentication section without ever reaching authorization. | ||
It is up to you to make sure that you use expressjs's app.user() error handler to correctly handle this error. | ||
#### Middleware API | ||
@@ -672,4 +649,33 @@ The following authorization middleware methods are available. Each one is followed by an example. There are two sections | ||
## Testing | ||
To run the tests, from the root directory, run `npm test`. | ||
## Breaking Changes | ||
#### Changes to version 0.6.0 | ||
Prior to version 0.6.0, cansecurity *sometimes* would send back a 401 or 403 as `res.send(401,"unauthenticated")` or `res.send(403,"unauthorized")`, and sometimes would just call `next({status:401,message:"unauthenticated"})` or `next({status:403,message:"unauthorized"})`. | ||
Beginnign with version 0.6.0, cansecurity will **always** return 401 if authentication is required and not present / fails, and will **always** return a 403 if authorization is required and fails. | ||
This makes the results far more consistent. | ||
#### Changes to version 0.5.0 | ||
These notes apply to anyone using cansecurity *prior* to v0.5.0. These changes may be breaking, so read carefully. | ||
##### express 3.x required | ||
Prior to version 0.5.0 (and preferably prior to 0.4.8), cansecurity worked with express 2.x and 3.x, although the full testing regimen worked properly only in express 2.x. Beginning with 0.5.0, only express 3.x will work. | ||
##### validatePassword and getUser consolidated into | ||
In versions of cansecurity prior to 0.5.0, there were two functions passed to `init()`: | ||
* `validatePassword()` was called when the user authenticated with credentials to be checked. | ||
* `getUser()` was called when the user was authenticated *already* using a token or session, and we just needed the user object. | ||
As of version 0.5.0, these are consolidated into a single `validate()` function. Please check the documentation below. | ||
Until version 1.0 of cansecurity, the legacy functions will continue to operate, if deprecated, under the following circumstances: | ||
IF `validate()` is `undefined`, AND (`validatePassword()` and `getUser()`) are present, THEN cansecurity will use the old API. | ||
IF `validate()` is defined, THEN (`validatePassword()` and `getUser()`) will be ignored, whether present or not. | ||
Beginning with cansecurity 1.0, the old API will not function at all. |
@@ -5,3 +5,3 @@ /*jslint node:true, nomen:true */ | ||
cansec = require('./resources/cs').init(), errorHandler = require('./resources/error'), | ||
r, path, q, unauthenticated = {message:"unauthenticated"}, unauthorized = {message:"unauthorized"}, | ||
r, path, q, unauthenticated = "unauthenticated", unauthorized = "unauthorized", | ||
send200 = function(req,res,next){ | ||
@@ -8,0 +8,0 @@ // send a 200 |