
A minimalist nosql document store.

Supporting wildcard resources and multiple resource scopes.
h3rald h3rald@h3rald.com
Sun, 14 Oct 2018 15:27:12 +0200
commit

6732e2c78e3c88c59f45c0705e07483cfe6e736e

parent

5cfd43c13e38cf73a1a9965764e20a41c33a6e29

1 files changed, 22 insertions(+), 6 deletions(-)

M src/litestorepkg/lib/server.nimsrc/litestorepkg/lib/server.nim

@@ -36,15 +36,21 @@ LOG.info("Exiting...")

quit() proc processApiUrl(req: LSRequest, LS: LiteStore, info: ResourceInfo): LSResponse = - let reqUri = info.resource & "/" & info.id - let uriParts = reqUri.split("/") - let uri = "/" & uriParts[0..uriParts.len-2].join("/") & "/" + let uriSingle = "/" & info.resource & "/" & info.id + let uriParts = uriSingle.split("/") + let uriAny = uriParts[0..uriParts.len-2].join("/") & "/*" let reqMethod = $req.reqMethod # Authentication/Authorization if LS.auth != newJNull(): - if LS.auth["access"].hasKey(uri): + var uri = "" + if LS.auth["access"].hasKey(uriSingle): + uri = uriSingle + elif LS.auth["access"].hasKey(uriAny): + uri = uriAny + if uri != "": let access = LS.auth["access"][uri] if access.hasKey(reqMethod): + LOG.debug("Authenticating: " & reqMethod & " " & uri) if not req.headers.hasKey("Authorization"): return resError(Http401, "Unauthorized - No token") let token = req.headers["Authorization"].replace(peg"^ 'Bearer '", "")

@@ -54,10 +60,20 @@ let jwt = token.toJwt()

var sig = LS.auth["signature"].getStr discard verify(jwt, sig) verifyTimeClaims(jwt) + let scopes = access[reqMethod] # Validate scope - let scopes = $jwt.claims["scope"].node.str.split(peg"\s+") - if not scopes.contains access[reqMethod].getStr: + var authorized = "" + let reqScopes = ($jwt.claims["scope"].node.str).split(peg"\s+") + LOG.debug("Resource scopes: " & $scopes) + LOG.debug("Request scopes: " & $reqScopes) + for scope in scopes: + for reqScope in reqScopes: + if reqScope == scope.getStr: + authorized = scope.getStr + break + if authorized == "": return resError(Http403, "Forbidden - You are not permitted to access this resource") + LOG.debug("Authorization successful: " & authorized) except: return resError(Http401, "Unauthorized - Invalid token") if info.version == "v4":
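Review bot: `access[reqMethod]` is now iterated as a JSON array (`for scope in scopes:`) without checking its kind, so an access entry still written as a plain string — the shape the removed `.getStr` line accepted — fails inside the `items` iterator and is surfaced by the bare `except:` below as `Unauthorized - Invalid token` for a perfectly valid token; validate the shape before the loop, e.g. `if scopes.kind != JArray: return resError(Http403, "Forbidden - Invalid scope configuration")`, or accept a string for backward compatibility. Separately, the context line `discard verify(jwt, sig)` throws away the result of the signature check; if `verify` reports a bad signature through its return value rather than by raising (not determinable from this hunk), nothing here enforces the signature and only `verifyTimeClaims` gates the token, which is worth confirming against the jwt library in use. In the first hunk, `uriAny` is derived from the request path itself, so `/*` covers only the immediate parent of the requested id; if ids may contain `/`, a rule for `/docs/*` does not match `/docs/a/b`, and a request matching neither `uriSingle` nor `uriAny` still skips authentication entirely. processApiUrl begins in the first hunk and continues past the end of this one.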