npm - @kalisio/kdk - Versions diffs - 2.4.1 → 2.5.2 - Mend

@kalisio/kdk 2.4.1 → 2.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (638) hide show

package/core/api/application.js CHANGED Viewed

@@ -99,10 +99,10 @@ export async function configureService (name, service, servicesPath) {
     }
   } catch (error) {
     debug('No ' + name + ' service hooks configured on path ' + servicesPath)
-    if (error.code !== 'ERR_MODULE_NOT_FOUND') {
-      // Log error in this case as this might be linked to a syntax error in required file
-      debug(filepath, error)
-    }
+    // if (error.code !== 'ERR_MODULE_NOT_FOUND') {
+    // Log error in this case as this might be linked to a syntax error in required file
+    debug(filepath, error)
+    // }
     // As this is optionnal this require has to fail silently
   }
@@ -119,10 +119,10 @@ export async function configureService (name, service, servicesPath) {
     }
   } catch (error) {
     debug('No ' + name + ' service channels configured on path ' + servicesPath)
-    if (error.code !== 'ERR_MODULE_NOT_FOUND') {
-      // Log error in this case as this might be linked to a syntax error in required file
-      debug(filepath, error)
-    }
+    // if (error.code !== 'ERR_MODULE_NOT_FOUND') {
+    // Log error in this case as this might be linked to a syntax error in required file
+    debug(filepath, error)
+    // }
     // As this is optionnal this require has to fail silently
   }
@@ -198,10 +198,10 @@ async function createService (name, app, options = {}) {
     }
   } catch (error) {
     debug('No ' + fileName + ' service model configured on path ' + serviceOptions.modelsPath)
-    if (error.code !== 'ERR_MODULE_NOT_FOUND') {
-      // Log error in this case as this might be linked to a syntax error in required file
-      debug(fileName, error)
-    }
+    // if (error.code !== 'ERR_MODULE_NOT_FOUND') {
+    // Log error in this case as this might be linked to a syntax error in required file
+    debug(fileName, error)
+    // }
     // As this is optionnal this require has to fail silently
   }

package/core/api/authentication.js CHANGED Viewed

@@ -1,5 +1,6 @@
 import makeDebug from 'debug'
 import _ from 'lodash'
+import qs from 'qs'
 import 'winston-daily-rotate-file'
 // import { RateLimiter } from 'limiter'
 import HttpLimiter from 'express-rate-limit'
@@ -32,6 +33,23 @@ export class Authentication extends AuthenticationService {
 }
 export class AuthenticationProviderStrategy extends OAuthStrategy {
+  setAuthentication (auth) {
+    super.setAuthentication(auth)
+    const authConfig = this.authentication.configuration
+    const { oauth } = authConfig
+    // Single logout supported ?
+    const { logout_url: logoutUrl, post_logout_url: postLogoutUrl, key } = this.configuration
+    if (logoutUrl && key) {
+      // Cannot use oauth/:provider/logout route as oauth/:provider is already intercepted by feathers and this causes an error
+      this.app.get(`/oauth-logout/${this.name}`, (req, res) => {
+        return res.redirect(logoutUrl + '?' + qs.stringify({
+          post_logout_redirect_uri: postLogoutUrl || oauth.redirect,
+          client_id: key
+        }))
+      })
+    }
+  }
   async getEntityData (profile, entity) {
     const createEntity = _.isNil(entity)
     // Add provider Id
@@ -50,6 +68,13 @@ export class AuthenticationProviderStrategy extends OAuthStrategy {
   }
   async getEntityQuery (profile) {
+    // Ensure the profile is right before requesting based on it
+    // as when an error is raised the profile will not contain any ID or email
+    // and we might build a request retrieving any user
+    if (!_.has(profile, 'id') && !_.has(profile, 'sub') && !_.has(profile, this.emailFieldInProfile || 'email')) {
+      // This ensure no user will be retrieved
+      return { $limit: 0 }
+    }
     const query = {
       $or: [
         { [`${this.name}Id`]: profile.id || profile.sub },
@@ -76,6 +101,8 @@ export class AuthenticationProviderStrategy extends OAuthStrategy {
 export class JWTAuthenticationStrategy extends JWTStrategy {
   async authenticate (authentication, params) {
     const { accessToken } = authentication
+    const authConfig = this.authentication.configuration
+    const { identityFields } = authConfig
     const { entity } = this.configuration
     const renewJwt = _.get(this.configuration, 'renewJwt', true)
@@ -99,14 +126,31 @@ export class JWTAuthenticationStrategy extends JWTStrategy {
     // Second key trick
     // Return user attached to the token if any
     // Return basic information for a stateless token otherwise
-    // As we only target MongoDB now, check for a valid ID otherwise assume a stateless token as well
-    if (payload.sub && ObjectID.isValid(payload.sub)) {
-      const entityId = await this.getEntityId(result, params)
-      const value = await this.getEntity(entityId, params)
+    if (payload.sub) {
+      // Check for a valid MongoDB ID
+      if (ObjectID.isValid(payload.sub)) {
+        const entityId = await this.getEntityId(result, params)
+        const value = await this.getEntity(entityId, params)
-      return {
-        ...result,
-        [entity]: value
+        return {
+          ...result,
+          [entity]: value
+        }
+      } else if (identityFields) {
+        // Otherwise use others fields to identify the user if defined
+        const query = {
+          $or: _.reduce(identityFields, (or, field) => or.concat([{ [field]: payload.sub }]), []),
+          $limit: 1
+        }
+        const response = await this.entityService.find({ ...params, query })
+        const [value = null] = response.data ? response.data : response
+        // Otherwise assume a stateless token
+        if (value) {
+          return {
+            ...result,
+            [entity]: value
+          }
+        }
       }
     }

package/core/api/hooks/hooks.authentication.js CHANGED Viewed

@@ -5,67 +5,9 @@ import local from '@feathersjs/authentication-local'
 const debug = makeDebug('kdk:core:authentication:hooks')
 const { discard } = common
-// Make it more easy to acces
+// Make it more easy to access
 export const hashPassword = local.hooks.hashPassword
-export async function verifyGuest (hook) {
-  if (hook.type !== 'after') {
-    throw new Error('The \'verifyGuest\' hook should only be used as a \'after\' hook.')
-  }
-  const app = hook.app
-  const user = hook.result.user
-  if (!user) return hook
-  debug('verifyGuest hook called on ', user._id)
-  // Check whether the user has been inivted. If not, nothing to do
-  if (!user.sponsor) {
-    debug('Logged user is not a guest')
-    return hook
-  }
-  // Check whether has been already verified. If yes, nothing to do
-  if (user.isVerified) {
-    debug('Logged guest is already verified')
-    return hook
-  }
-  // The user is a guest and need to be verified
-  debug('Verifying logged guest')
-  const userService = app.getService('users')
-  await userService.patch(user._id, { isVerified: true })
-  return hook
-}
-export async function consentGuest (hook) {
-  if (hook.type !== 'after') {
-    throw new Error('The \'consentGuest\' hook should only be used as a \'after\' hook.')
-  }
-  const app = hook.app
-  const user = hook.result.user
-  if (!user) return hook
-  debug('consentGuest hook called on ', user._id)
-  // Check whether the user has been invited. If not, nothing to do
-  if (!user.sponsor) {
-    debug('Logged user is not a guest')
-    return hook
-  }
-  // Check whether consent has been already checked. If yes, nothing to do
-  if (user.consentTerms) {
-    debug('Logged guest is already verified')
-    return hook
-  }
-  // The user is a guest and need to be consent
-  debug('Consenting logged guest')
-  const userService = app.getService('users')
-  await userService.patch(user._id, { consentTerms: true, expireAt: null })
-  return hook
-}
 export function discardAuthenticationProviders (hook) {
   const providers = hook.app.authenticationProviders || []

package/core/api/hooks/hooks.authorisations.js CHANGED Viewed

@@ -8,7 +8,6 @@ import {
   hasServiceAbilities, hasResourceAbilities, getQueryForAbilities,
   Roles, RoleNames, countSubjectsForResource
 } from '../../common/permissions.js'
-import { isTagEqual } from '../utils.js'
 const { getItems, replaceItems } = common
 const { Forbidden } = errors
@@ -25,7 +24,7 @@ export function createJWT (options = {}) {
     const accessTokens = await Promise.all(items.map(item => hook.app.getService('authentication').createAccessToken(
       // Provided function can be used to pick or omit properties in JWT payload
       (typeof options.payload === 'function' ? options.payload(user) : {}),
-      // Provided function can be used for custom options cdepending on the user,
+      // Provided function can be used for custom options depending on the user,
       // then we merge with default auth options for global properties like aud, iss, etc.
       _.merge({}, defaults, (typeof options.jwt === 'function' ? options.jwt(user) : options)))
     ))
@@ -186,13 +185,15 @@ export async function authorise (hook) {
   if (checkAuthorisation) {
     // Build ability for user
     const authorisationService = hook.app.getService('authorisations')
-    // If no user we allow for a stateless token with permissions inside
     let subject = hook.params.user
-    if (!subject) {
-      const payload = _.get(hook.params, 'authentication.payload')
-      // Token targeting API gateway (sub = keyId) or app used through iframe (appId = keyId)
-      if (payload && (payload.sub || payload.appId)) {
+    const payload = _.get(hook.params, 'authentication.payload')
+    if (payload) {
+      // If no user we allow for a stateless token with permissions inside, e.g.
+      // token targeting API gateway (sub = keyId) or app used through iframe (appId = keyId)
+      if (!subject && (payload.sub || payload.appId)) {
         subject = Object.assign({ _id: (payload.sub || payload.appId) }, payload)
+      } else if (subject) { // Otherwise we allow to "extend" user abilities by providing additional information in the token
+        subject = Object.assign(subject, _.omit(payload, ['aud', 'iss', 'exp', 'sub', 'iat', 'jti', 'nbf']))
       }
     }
     const abilities = await authorisationService.getAbilities(subject)
@@ -283,104 +284,8 @@ export function updateAbilities (options = {}) {
     if (options.fetchSubject) {
       subject = await app.getService('users').get(subject._id.toString())
     }
-    const abilities = await authorisationService.updateAbilities(subject)
-    debug('Abilities updated on subject', subject, abilities.rules)
+    await authorisationService.updateAbilities(subject)
     return hook
   }
 }
-export function preventRemovingLastOwner (resourceScope) {
-  return async function (hook) {
-    // By pass check ?
-    if (hook.params.force) return hook
-    const params = hook.params
-    const data = hook.data || {}
-    const query = params.query || {}
-    const scope = data.scope || query.scope
-    const grantedPermissions = data.permissions || query.permissions
-    const grantedRole = (grantedPermissions ? Roles[grantedPermissions] : undefined)
-    const resource = hook.params.resource
-    const subjects = hook.params.subjects
-    const subjectService = hook.params.subjectsService
-    // On create check if we try to downgrade permissions otherwise let pass through
-    if (!_.isUndefined(grantedRole) && (grantedRole === Roles.owner)) return hook
-    if ((scope === resourceScope) && resource && resource._id) {
-      // Count existing owners
-      const owners = await countSubjectsForResource(subjectService, resourceScope, resource._id, Roles.owner)
-      // Now count owners we change/remove permissions on
-      const removedOwners = subjects.reduce((count, subject) => {
-        const resources = _.get(subject, resourceScope, [])
-        const ownedResource = _.find(resources, { _id: resource._id, permissions: RoleNames[Roles.owner] })
-        return (ownedResource ? count + 1 : count)
-      }, 0)
-      // If none remains stop
-      if (removedOwners >= owners.total) {
-        debug('Cannot remove the last owner of resource ', resource)
-        const resourceName = resource.name ? resource.name : resource._id.toString()
-        throw new Forbidden('You are not allowed to remove the last owner of resource ' + resourceName, {
-          translation: {
-            key: 'CANNOT_REMOVE_LAST_OWNER',
-            params: { resource: resourceName }
-          }
-        })
-      }
-    }
-    return hook
-  }
-}
-export async function removeOrganisationGroupsAuthorisations (hook) {
-  const app = hook.app
-  const authorisationService = app.getService('authorisations')
-  const org = hook.params.resource
-  const user = hook.params.user
-  // Unset membership for the all org groups
-  const orgGroupService = app.getService('groups', org)
-  const groups = await orgGroupService.find({ paginate: false })
-  await Promise.all(groups.map(group => {
-  // Unset membership on group for the all org users
-    return authorisationService.remove(group._id.toString(), {
-      query: {
-        scope: 'groups'
-      },
-      user,
-      force: hook.params.force,
-      // Because we already have resource set it as objects to avoid populating
-      // Moreover used as an after hook the resource might not already exist anymore
-      subjects: hook.params.subjects,
-      subjectsService: hook.params.subjectsService,
-      resource: group,
-      resourcesService: orgGroupService
-    })
-  }))
-  debug('Authorisations unset on groups for organisation ' + org._id)
-  return hook
-}
-export async function removeOrganisationTagsAuthorisations (hook) {
-  const app = hook.app
-  const org = hook.params.resource
-  const subjectService = hook.params.subjectsService
-  const orgTagsService = app.getService('tags', org)
-  const subjects = hook.params.subjects || []
-  if (subjects.length === 0) return hook
-  // Retrieve org tags
-  const orgTags = await orgTagsService.find({ paginate: false })
-  const promises = []
-  subjects.forEach(subject => {
-    const tags = subject.tags || []
-    // Find tags from org
-    const fromOrg = _.intersectionWith(tags, orgTags, isTagEqual)
-    // Clear removed tags
-    const notFromOrg = _.differenceWith(tags, orgTags, isTagEqual)
-    // Update subject if required
-    if (fromOrg.length > 0) {
-      promises.push(subjectService.patch(subject._id.toString(), { tags: notFromOrg }))
-    }
-  })
-  // Perform subject updates in parallel
-  await Promise.all(promises)
-  debug(`Tags unset on ${promises.length} subjects for organisation ` + org._id)
-  return hook
-}

package/core/api/hooks/hooks.model.js CHANGED Viewed

@@ -233,6 +233,10 @@ export async function distinct (hook) {
 // Check for already existing object according to given service/id field
 export function checkUnique (options = {}) {
   return async (hook) => {
+    if (hook.app) {
+      const serviceConfig = hook.app.get(hook.service.name)
+      if (serviceConfig && serviceConfig.checkUnique) options = serviceConfig.checkUnique
+    }
     const service = (options.service ? hook.app.getService(options.service) : hook.service)
     const field = options.field || 'name'
     const id = _.get(hook, `data.${field}`)

package/core/api/hooks/hooks.push.js CHANGED Viewed

@@ -14,35 +14,41 @@ export async function sendNewSubscriptionEmail (hook) {
   if (hook.type !== 'after') {
     throw new Error('The \'sendNewSubscriptionEmail\' hook should only be used as a \'after\' hook.')
   }
   // Check for a new subscription if any
-  const updatedUser = hook.result
+  const currentUser = hook.result
   const previousUser = hook.params.user
   // If we can't compare abort, eg f-a-m might patch user to update tokens
-  if (!updatedUser || !previousUser) return hook
-  const newSubscription = _.differenceBy(_.get(updatedUser, 'subscriptions', []), _.get(previousUser, 'subscriptions', []), 'endpoint')
-  if (_.size(newSubscription) !== 1) return
-  // Data
+  if (!currentUser || !previousUser) return
+  // Retrieve the last subscription
+  const lastSubscription = _.last(_.get(currentUser, 'subscriptions', []))
+  if (!lastSubscription) return
+  // Check whether the subscription has an existing fingerprint
+  const existingSubscription = _.find(_.get(previousUser, 'subscriptions', []), subscription => {
+    return _.isEqual(subscription.fingerprint, lastSubscription.fingerprint)
+  })
+  if (existingSubscription) {
+    debug('Last subscription uses an existing fingerprint')
+    return
+  }
+  debug('Last subscription uses uses a new fingerprint')
+  // Send an email to notify the user
   const app = hook.app
   const mailerService = app.getService('mailer')
   const domainPath = app.get('domain') + '/#/'
   const email = {
     subject: 'Security alert - new browser detected',
-    from: mailerService.options.auth.user,
-    // When changing email send to the new one so that it can be verified
-    to: updatedUser.email,
+    from: mailerService.options.from || mailerService.options.auth.user,
+    to: currentUser.email,
     link: domainPath,
     domainPath
   }
   // Build the subject & link to the app to perform the different actions
   const templateDir = path.join(mailerService.options.templateDir, 'newSubscription')
   const template = new emails.EmailTemplate(templateDir)
   // Errors does not seem to be correctly catched by the caller
   // so we catch them here to avoid any problem
   try {
-    const emailContent = await template.render({ email, user: updatedUser, subscription: _.first(newSubscription) }, updatedUser.locale || 'en-us')
+    const emailContent = await template.render({ email, user: currentUser, subscription: lastSubscription }, currentUser.locale || 'en-us')
     // Update compiled content
     email.html = emailContent.html
     debug('Sending email ', email)
@@ -51,6 +57,4 @@ export async function sendNewSubscriptionEmail (hook) {
     debug('Sending email failed', error)
     app.logger.error(error)
   }
-  return hook
 }

package/core/api/hooks/hooks.users.js CHANGED Viewed

@@ -135,86 +135,6 @@ export function generatePassword (options = {}) {
   }
 }
-export function preventRemoveUser (hook) {
-  if (hook.type !== 'before') {
-    throw new Error('The \'preventRemoveUser\' hook should only be used as a \'before\' hook.')
-  }
-  // By pass check ?
-  if (hook.params.force) return hook
-  const user = hook.params.user
-  // Check if the target is the current user
-  if ((user._id.toString() === hook.id.toString()) && user.organisations) {
-    // We must ensure the user is no more a owner of an organisation
-    const owningOrganisations = _.filter(user.organisations, { permissions: RoleNames[Roles.owner] })
-    if (!_.isEmpty(owningOrganisations)) {
-      debug('Cannot remove the user: ', user)
-      throw new Forbidden('You are not allowed to delete the user ' + user.name, {
-        translation: {
-          key: 'CANNOT_REMOVE_USER',
-          params: { user: _.get(user, 'profile.name') }
-        }
-      })
-    }
-  }
-  return hook
-}
-export async function joinOrganisation (hook) {
-  const app = hook.app
-  const subject = getItems(hook)
-  const authorisationService = app.getService('authorisations')
-  const usersService = app.getService('users')
-  // Set membership for the created user
-  await authorisationService.create({
-    scope: 'organisations',
-    permissions: subject.sponsor.roleGranted, // Member by default
-    resource: subject.sponsor.organisationId,
-    resourcesService: 'organisations'
-  }, {
-    subjectsService: usersService,
-    subjects: [subject]
-  })
-  debug('Organisation membership set for user ' + subject._id)
-  return hook
-}
-export function leaveOrganisations (options = { skipPrivate: true }) {
-  return async function (hook) {
-    if (hook.type !== 'after') {
-      throw new Error('The \'leaveOrganisations\' hook should only be used as a \'after\' hook.')
-    }
-    const app = hook.app
-    const organisationsService = app.getService('organisations')
-    const authorisationService = app.getService('authorisations')
-    const usersService = app.getService('users')
-    const subject = getItems(hook)
-    const organisations = _.get(subject, 'organisations', [])
-    await Promise.all(organisations.map(organisation => {
-      // Unset membership on org except private org if required
-      if (options.skipPrivate && organisation._id.toString() === subject._id.toString()) return Promise.resolve()
-      return authorisationService.remove(organisation._id.toString(), {
-        query: {
-          scope: 'organisations'
-        },
-        user: hook.params.user,
-        // Because we already have resource set it as objects to avoid populating
-        // Moreover used as an after hook the subject might not already exist anymore
-        subjects: [subject],
-        subjectsService: usersService,
-        resource: organisation,
-        resourcesService: organisationsService
-      })
-    }))
-    debug('Membership unset for all organisations on user ' + subject._id)
-    return hook
-  }
-}
 export async function sendVerificationEmail (hook) {
   if (hook.type !== 'after') {
     throw new Error('The \'sendVerificationEmail\' hook should only be used as a \'after\' hook.')
@@ -230,17 +150,6 @@ export async function sendVerificationEmail (hook) {
   return hook
 }
-export async function sendInvitationEmail (hook) {
-  // Before because we need to send the clear password by email
-  if (hook.type !== 'before') {
-    throw new Error('The \'sendInvitationEmail\' hook should only be used as a \'before\' hook.')
-  }
-  const accountService = hook.app.getService('account')
-  await accountService.options.notifier('sendInvitation', hook.data)
-  return hook
-}
 export function addVerification (hook) {
   const accountService = hook.app.getService('account')

package/core/api/hooks/index.js CHANGED Viewed

@@ -1,9 +1,7 @@
 export * from './hooks.authentication.js'
 export * from './hooks.authorisations.js'
-export * from './hooks.groups.js'
 export * from './hooks.logger.js'
 export * from './hooks.model.js'
-export * from './hooks.organisations.js'
 export * from './hooks.query.js'
 export * from './hooks.schemas.js'
 export * from './hooks.service.js'

package/core/api/services/account/account.service.js CHANGED Viewed

@@ -42,7 +42,7 @@ export default function (name, app, options) {
     const mailerService = app.getService('mailer')
     const domainPath = app.get('domain') + '/#/'
     const email = {
-      from: mailerService.options.auth.user,
+      from: mailerService.options.from || mailerService.options.auth.user,
       // When changing email send to the new one so that it can be verified
       to: (type === 'identityChange' ? user.verifyChanges.email : user.email),
       domainPath

package/core/api/services/authorisations/authorisations.service.js CHANGED Viewed

@@ -22,10 +22,6 @@ export default {
       const scope = _.get(subject, scopeName, [])
       // Then the target resource
       let resource = _.find(scope, resource => resource._id && (resource._id.toString() === params.resource._id.toString()))
-      if (!resource) {
-        // Fallback as name
-        resource = _.find(scope, resource => resource.name && (resource.name === params.resource.name))
-      }
       // On first authorisation create the resource in scope
       if (!resource) {
         resource = Object.assign({}, params.resource)
@@ -46,7 +42,6 @@ export default {
       }, {
         user: params.user
       })
-      await this.updateAbilities(subject)
       debug('Authorisation ' + data.permissions + ' set for subject ' + subject._id + ' on resource ' + params.resource._id + ' with scope ' + scopeName)
       return subject
     }))
@@ -79,7 +74,6 @@ export default {
           }, {
             user: params.user
           })
-          await this.updateAbilities(subject)
           debug('Authorisation unset for subject ' + subject._id + ' on resource ' + id + ' with scope ' + scopeName)
           return subject
         }
@@ -91,37 +85,40 @@ export default {
   setup (app) {
     const config = app.get('authorisation')
     if (config && config.cache) {
+      this.cacheConfig = config.cache
       // Store abilities of the N most active users in LRU cache (defaults to 1000)
-      const max = config.cache.maxUsers || 1000
+      const max = this.cacheConfig.maxUsers || 1000
       // LRU cache lib switched from positional parameters to options object at some point
       // so that now we directly pass the options to it while before we used the max argument
-      if (!config.cache.max && !config.cache.ttl && !config.cache.maxSize) config.cache.max = max
-      this.cache = new LRUCache(config.cache)
+      if (!this.cacheConfig.max && !this.cacheConfig.ttl && !this.cacheConfig.maxSize) this.cacheConfig.max = max
+      this.cache = new LRUCache(this.cacheConfig)
       debug('Using LRU cache for user abilities')
     } else {
       debug('Do not use LRU cache for user abilities')
     }
   },
+  getCacheKey (subject) {
+    if (!this.cache) return null
+    let cacheKey
+    // Compute cache key based on provided function or user ID
+    if (typeof this.cacheConfig.key === 'function') cacheKey = this.cacheConfig.key(subject)
+    if (!cacheKey && subject && subject._id) cacheKey = subject._id.toString()
+    return cacheKey || ANONYMOUS_USER
+  },
   // Compute abilities for a given user and set it in cache the first time
   // or get it from cache if found
   async getAbilities (subject) {
-    if (this.cache) {
-      if (subject && subject._id) {
-        if (this.cache.has(subject._id.toString())) return this.cache.get(subject._id.toString())
-      } else {
-        if (this.cache.has(ANONYMOUS_USER)) return this.cache.get(ANONYMOUS_USER)
-      }
-    }
+    const cacheKey = this.getCacheKey(subject)
+    if (cacheKey && this.cache.has(cacheKey)) return this.cache.get(cacheKey)
     // Provide app for any complex use case requiring to make requests
     const abilities = await defineAbilities(subject, this.app)
-    if (this.cache) {
-      if (subject && subject._id) {
-        this.cache.set(subject._id.toString(), abilities)
-      } else {
-        this.cache.set(ANONYMOUS_USER, abilities)
-      }
+    if (cacheKey) {
+      debug('Updating abilities of subject ' + (subject ? subject._id : ANONYMOUS_USER) + ' with cache key ' + cacheKey)
+      this.cache.set(cacheKey, abilities)
     }
     return abilities
@@ -129,20 +126,20 @@ export default {
   // Compute abilities for a given user and update it in cache
   async updateAbilities (subject) {
-    if (this.cache) {
-      if (subject && subject._id) {
-        this.cache.delete(subject._id.toString())
-      } else {
-        this.cache.delete(ANONYMOUS_USER)
-      }
-    }
+    const cacheKey = this.getCacheKey(subject)
+    // Remove abilities from cache so that next call will populate it again
+    if (cacheKey && this.cache.has(cacheKey)) this.cache.delete(cacheKey)
     const abilities = await this.getAbilities(subject)
     return abilities
   },
   // Clear abilities
   clearAbilities() {
-    if (this.cache) this.cache.clear()
+    if (this.cache) {
+      debug('Clearing user abilities cache')
+      this.cache.clear()
+    }
   }
 }