all repos — litestore @ 2b27b46ed183a5b55545f42d5cb08b75ee5007b3

A minimalist nosql document store.

Supporting wildcard resources and multiple resource scopes.
h3rald h3rald@h3rald.com
Sun, 14 Oct 2018 15:27:12 +0200
commit

2b27b46ed183a5b55545f42d5cb08b75ee5007b3

parent

c0685609db636296a5205d813e983d3c6a8da425

1 files changed, 22 insertions(+), 6 deletions(-)

jump to
M src/litestorepkg/lib/server.nimsrc/litestorepkg/lib/server.nim

@@ -36,15 +36,21 @@ LOG.info("Exiting...")

quit() proc processApiUrl(req: LSRequest, LS: LiteStore, info: ResourceInfo): LSResponse = - let reqUri = info.resource & "/" & info.id - let uriParts = reqUri.split("/") - let uri = "/" & uriParts[0..uriParts.len-2].join("/") & "/" + let uriSingle = "/" & info.resource & "/" & info.id + let uriParts = uriSingle.split("/") + let uriAny = uriParts[0..uriParts.len-2].join("/") & "/*" let reqMethod = $req.reqMethod # Authentication/Authorization if LS.auth != newJNull(): - if LS.auth["access"].hasKey(uri): + var uri = "" + if LS.auth["access"].hasKey(uriSingle): + uri = uriSingle + elif LS.auth["access"].hasKey(uriAny): + uri = uriAny + if uri != "": let access = LS.auth["access"][uri] if access.hasKey(reqMethod): + LOG.debug("Authenticating: " & reqMethod & " " & uri) if not req.headers.hasKey("Authorization"): return resError(Http401, "Unauthorized - No token") let token = req.headers["Authorization"].replace(peg"^ 'Bearer '", "")

@@ -54,10 +60,20 @@ let jwt = token.toJwt()

var sig = LS.auth["signature"].getStr discard verify(jwt, sig) verifyTimeClaims(jwt) + let scopes = access[reqMethod] # Validate scope - let scopes = $jwt.claims["scope"].node.str.split(peg"\s+") - if not scopes.contains access[reqMethod].getStr: + var authorized = "" + let reqScopes = ($jwt.claims["scope"].node.str).split(peg"\s+") + LOG.debug("Resource scopes: " & $scopes) + LOG.debug("Request scopes: " & $reqScopes) + for scope in scopes: + for reqScope in reqScopes: + if reqScope == scope.getStr: + authorized = scope.getStr + break + if authorized == "": return resError(Http403, "Forbidden - You are not permitted to access this resource") + LOG.debug("Authorization successful: " & authorized) except: return resError(Http401, "Unauthorized - Invalid token") if info.version == "v4":