kuzzle 2.19.2 → 2.19.3

package/lib/core/security/tokenRepository.js

@@ -19,24 +19,24 @@
  * limitations under the License.
  */
 
-'use strict';
+"use strict";
 
-const _ = require('lodash');
-const jwt = require('jsonwebtoken');
-const ms = require('ms');
-const Bluebird = require('bluebird');
+const _ = require("lodash");
+const jwt = require("jsonwebtoken");
+const ms = require("ms");
+const Bluebird = require("bluebird");
 
-const ApiKey = require('../../model/storage/apiKey');
-const { UnauthorizedError } = require('../../kerror/errors');
-const { Token } = require('../../model/security/token');
-const Repository = require('../shared/repository');
-const kerror = require('../../kerror');
-const debug = require('../../util/debug')('kuzzle:bootstrap:tokens');
-const { Mutex } = require('../../util/mutex');
+const ApiKey = require("../../model/storage/apiKey");
+const { UnauthorizedError } = require("../../kerror/errors");
+const { Token } = require("../../model/security/token");
+const Repository = require("../shared/repository");
+const kerror = require("../../kerror");
+const debug = require("../../util/debug")("kuzzle:bootstrap:tokens");
+const { Mutex } = require("../../util/mutex");
 
-const securityError = kerror.wrap('security', 'token');
+const securityError = kerror.wrap("security", "token");
 
-const BOOTSTRAP_DONE_KEY = 'token/bootstrap';
+const BOOTSTRAP_DONE_KEY = "token/bootstrap";
 
 /**
  * @class TokenRepository
@@ -45,19 +45,21 @@ const BOOTSTRAP_DONE_KEY = 'token/bootstrap';
  * @param {object} [opts]
  */
 class TokenRepository extends Repository {
-  constructor (opts = {}) {
+  constructor(opts = {}) {
     super();
-    this.collection = 'token';
+    this.collection = "token";
     this.ObjectConstructor = Token;
     if (opts.ttl !== undefined) {
       this.ttl = opts.ttl;
     }
 
-    this.tokenGracePeriod = Math.floor(global.kuzzle.config.security.jwt.gracePeriod);
-    this.anonymousToken = new Token({ userId: '-1' });
+    this.tokenGracePeriod = Math.floor(
+      global.kuzzle.config.security.jwt.gracePeriod
+    );
+    this.anonymousToken = new Token({ userId: "-1" });
   }
 
-  async init () {
+  async init() {
     await this._loadApiKeys();
 
     /**
@@ -67,9 +69,9 @@ class TokenRepository extends Repository {
      * @param  {Number} ttl - token expiration delay
      * @returns {Token}
      */
-    global.kuzzle.onAsk(
-      'core:security:token:assign',
-      (hash, userId, ttl) => this.persistForUser(hash, userId, ttl));
+    global.kuzzle.onAsk("core:security:token:assign", (hash, userId, ttl) =>
+      this.persistForUser(hash, userId, ttl)
+    );
 
     /**
      * Creates and assigns a token to a user
@@ -77,24 +79,26 @@ class TokenRepository extends Repository {
      * @param  {Objects} opts (algorithm, expiresIn, bypassMaxTTL)
      * @returns {Token}
      */
-    global.kuzzle.onAsk(
-      'core:security:token:create',
-      (user, opts) => this.generateToken(user, opts));
+    global.kuzzle.onAsk("core:security:token:create", (user, opts) =>
+      this.generateToken(user, opts)
+    );
 
     /**
      * Deletes a token immediately
      * @param  {Token} token
      */
-    global.kuzzle.onAsk('core:security:token:delete', token => this.expire(token));
+    global.kuzzle.onAsk("core:security:token:delete", (token) =>
+      this.expire(token)
+    );
 
     /**
      * Deletes all tokens assigned to the provided user ID.
      * @param  {String} userId
      * @param  {Objects} opts (keepApiKeys)
      */
-    global.kuzzle.onAsk(
-      'core:security:token:deleteByKuid',
-      (kuid, opts) => this.deleteByKuid(kuid, opts));
+    global.kuzzle.onAsk("core:security:token:deleteByKuid", (kuid, opts) =>
+      this.deleteByKuid(kuid, opts)
+    );
 
     /**
      * Gets a token
@@ -102,9 +106,9 @@ class TokenRepository extends Repository {
      * @param  {String} hash - JWT
      * @returns {Token}
      */
-    global.kuzzle.onAsk(
-      'core:security:token:get',
-      (userId, hash) => this.loadForUser(userId, hash));
+    global.kuzzle.onAsk("core:security:token:get", (userId, hash) =>
+      this.loadForUser(userId, hash)
+    );
 
     /**
      * Refreshes an existing token for the given user.
@@ -118,8 +122,9 @@ class TokenRepository extends Repository {
      * @returns {Token} new token
      */
     global.kuzzle.onAsk(
-      'core:security:token:refresh',
-      (user, token, expiresIn) => this.refresh(user, token, expiresIn));
+      "core:security:token:refresh",
+      (user, token, expiresIn) => this.refresh(user, token, expiresIn)
+    );
 
     /**
      * Verifies if the provided hash is valid, and returns the corresponding
@@ -127,10 +132,9 @@ class TokenRepository extends Repository {
      * @param  {String} hash - JWT
      * @returns {Token}
      */
-    global.kuzzle.onAsk(
-      'core:security:token:verify',
-      hash => this.verifyToken(hash));
-
+    global.kuzzle.onAsk("core:security:token:verify", (hash) =>
+      this.verifyToken(hash)
+    );
   }
 
   /**
@@ -138,7 +142,7 @@ class TokenRepository extends Repository {
    * @param {Token} requestToken
    * @returns {Promise}
    */
-  async expire (token) {
+  async expire(token) {
     await super.expireFromCache(token);
     await global.kuzzle.tokenManager.expire(token);
   }
@@ -153,19 +157,17 @@ class TokenRepository extends Repository {
    * @param {String} expiresIn - new token expiration delay
    * @returns {Promise<Token>}
    */
-  async refresh (user, token, expiresIn) {
+  async refresh(user, token, expiresIn) {
     // do not refresh a token marked as already
     if (token.refreshed) {
-      throw securityError.get('invalid');
+      throw securityError.get("invalid");
     }
 
     // do not refresh API Keys or token that have an infinite TTL
-    if (token.type === 'apiKey' || token.ttl < 0) {
+    if (token.type === "apiKey" || token.ttl < 0) {
       throw securityError.get(
-        'refresh_forbidden',
-        token.type === 'apiKey'
-          ? 'API Key'
-          : 'Token with infinite TTL'
+        "refresh_forbidden",
+        token.type === "apiKey" ? "API Key" : "Token with infinite TTL"
       );
     }
 
@@ -186,37 +188,44 @@ class TokenRepository extends Repository {
    *
    * @returns {Promise.<Object>} { _id, jwt, userId, ttl, expiresAt }
    */
-  async generateToken (
+  async generateToken(
     user,
     {
       algorithm = global.kuzzle.config.security.jwt.algorithm,
       expiresIn = global.kuzzle.config.security.jwt.expiresIn,
       bypassMaxTTL = false,
-      type = 'authToken',
+      type = "authToken",
     } = {}
   ) {
-    if (! user || user._id === null) {
-      throw securityError.get('unknown_user');
+    if (!user || user._id === null) {
+      throw securityError.get("unknown_user");
     }
 
     const parsedExpiresIn = parseTimespan(expiresIn);
 
-    const maxTTL = type === 'apiKey'
-      ? global.kuzzle.config.security.apiKey.maxTTL
-      : global.kuzzle.config.security.jwt.maxTTL;
+    const maxTTL =
+      type === "apiKey"
+        ? global.kuzzle.config.security.apiKey.maxTTL
+        : global.kuzzle.config.security.jwt.maxTTL;
 
-    if ( ! bypassMaxTTL
-      && maxTTL > -1
-      && ( parsedExpiresIn > maxTTL
-        || parsedExpiresIn === -1)
+    if (
+      !bypassMaxTTL &&
+      maxTTL > -1 &&
+      (parsedExpiresIn > maxTTL || parsedExpiresIn === -1)
     ) {
-      throw securityError.get('ttl_exceeded');
+      throw securityError.get("ttl_exceeded");
     }
 
     const signOptions = { algorithm };
 
     if (parsedExpiresIn === 0) {
-      throw kerror.get('api', 'assert', 'invalid_argument', 'expiresIn', 'a number of milliseconds, or a parsable timespan string');
+      throw kerror.get(
+        "api",
+        "assert",
+        "invalid_argument",
+        "expiresIn",
+        "a number of milliseconds, or a parsable timespan string"
+      );
     }
     // -1 mean infite duration, so we don't pass the expiresIn option to
     // jwt.sign
@@ -229,16 +238,15 @@ class TokenRepository extends Repository {
       encodedToken = jwt.sign(
         { _id: user._id },
         global.kuzzle.secret,
-        signOptions);
-    }
-    catch (err) {
-      throw securityError.getFrom(err, 'generation_failed', err.message);
+        signOptions
+      );
+    } catch (err) {
+      throw securityError.getFrom(err, "generation_failed", err.message);
     }
 
-    if (type === 'apiKey') {
+    if (type === "apiKey") {
       encodedToken = Token.APIKEY_PREFIX + encodedToken;
-    }
-    else {
+    } else {
       encodedToken = Token.AUTH_PREFIX + encodedToken;
     }
 
@@ -254,7 +262,7 @@ class TokenRepository extends Repository {
    *
    * @returns {Promise}
    */
-  async persistForUser (encodedToken, userId, ttl) {
+  async persistForUser(encodedToken, userId, ttl) {
     const redisTTL = ttl === -1 ? 0 : ttl;
     const expiresAt = ttl === -1 ? -1 : Date.now() + ttl;
     const token = new Token({
@@ -267,18 +275,18 @@ class TokenRepository extends Repository {
 
     try {
       return await this.persistToCache(token, { ttl: redisTTL });
-    }
-    catch (err) {
+    } catch (err) {
       throw kerror.getFrom(
         err,
-        'services',
-        'cache',
-        'write_failed',
-        err.message);
+        "services",
+        "cache",
+        "write_failed",
+        err.message
+      );
     }
   }
 
-  async verifyToken (token) {
+  async verifyToken(token) {
     if (token === null) {
       return this.anonymousToken;
     }
@@ -289,67 +297,65 @@ class TokenRepository extends Repository {
       decoded = jwt.verify(this.removeTokenPrefix(token), global.kuzzle.secret);
 
       // probably forged token => throw without providing any information
-      if (! decoded._id) {
-        throw new jwt.JsonWebTokenError('Invalid token');
+      if (!decoded._id) {
+        throw new jwt.JsonWebTokenError("Invalid token");
       }
-    }
-    catch (err) {
+    } catch (err) {
       if (err instanceof jwt.TokenExpiredError) {
-        throw securityError.get('expired');
+        throw securityError.get("expired");
       }
 
       if (err instanceof jwt.JsonWebTokenError) {
-        throw securityError.get('invalid');
+        throw securityError.get("invalid");
       }
 
-      throw securityError.getFrom(err, 'verification_error', err.message);
+      throw securityError.getFrom(err, "verification_error", err.message);
     }
 
     let userToken;
 
     try {
       userToken = await this.loadForUser(decoded._id, token);
-    }
-    catch (err) {
+    } catch (err) {
       if (err instanceof UnauthorizedError) {
         throw err;
       }
 
-      throw securityError.getFrom(err, 'verification_error', err.message);
+      throw securityError.getFrom(err, "verification_error", err.message);
     }
 
     if (userToken === null) {
-      throw securityError.get('invalid');
+      throw securityError.get("invalid");
     }
 
     return userToken;
   }
 
-  removeTokenPrefix (token) {
+  removeTokenPrefix(token) {
     return token
-      .replace(Token.AUTH_PREFIX, '')
-      .replace(Token.APIKEY_PREFIX, '');
+      .replace(Token.AUTH_PREFIX, "")
+      .replace(Token.APIKEY_PREFIX, "");
   }
 
-  loadForUser (userId, encodedToken) {
+  loadForUser(userId, encodedToken) {
     return this.load(`${userId}#${encodedToken}`);
   }
 
-  async hydrate (userToken, data) {
-    if (! _.isObject(data)) {
+  async hydrate(userToken, data) {
+    if (!_.isObject(data)) {
       return userToken;
     }
 
     _.assignIn(userToken, data);
 
-    if (! userToken.userId) {
+    if (!userToken.userId) {
       return this.anonymousToken;
     }
 
     return userToken;
   }
 
-  serializeToDatabase (token) {
+  serializeToDatabase(token) {
     return this.serializeToCache(token);
   }
 
@@ -359,11 +365,14 @@ class TokenRepository extends Repository {
    * @param {string} kuid
    * @returns {Promise}
    */
-  async deleteByKuid (kuid, { keepApiKeys = true } = {}) {
-    const emptyKeyLength = super.getCacheKey('').length;
+  async deleteByKuid(kuid, { keepApiKeys = true } = {}) {
+    const emptyKeyLength = super.getCacheKey("").length;
     const userKey = super.getCacheKey(`${kuid}#*`);
 
-    const keys = await global.kuzzle.ask('core:cache:internal:searchKeys', userKey);
+    const keys = await global.kuzzle.ask(
+      "core:cache:internal:searchKeys",
+      userKey
+    );
 
     /*
      Given the fact that user ids have no restriction, and that Redis pattern
@@ -381,19 +390,18 @@ class TokenRepository extends Repository {
      JWT character
      */
     const ids = keys
-      .map(key => {
-        return key.indexOf('#', userKey.length - 1) === -1
+      .map((key) => {
+        return key.indexOf("#", userKey.length - 1) === -1
           ? key.slice(emptyKeyLength)
           : null;
       })
-      .filter(key => key !== null);
-
-    await Bluebird.map(ids, async token => {
+      .filter((key) => key !== null);
 
+    await Bluebird.map(ids, async (token) => {
       const cacheToken = await this.load(token);
 
       if (cacheToken !== null) {
-        if (keepApiKeys && cacheToken.type === 'apiKey') {
+        if (keepApiKeys && cacheToken.type === "apiKey") {
           return;
         }
 
@@ -407,8 +415,8 @@ class TokenRepository extends Repository {
    *
    * @returns {Promise}
    */
-  async _loadApiKeys () {
-    const mutex = new Mutex('ApiKeysBootstrap', {
+  async _loadApiKeys() {
+    const mutex = new Mutex("ApiKeysBootstrap", {
       timeout: -1,
       ttl: 30000,
     });
@@ -417,29 +425,35 @@ class TokenRepository extends Repository {
 
     try {
       const bootstrapped = await global.kuzzle.ask(
-        'core:cache:internal:get',
-        BOOTSTRAP_DONE_KEY);
+        "core:cache:internal:get",
+        BOOTSTRAP_DONE_KEY
+      );
 
       if (bootstrapped) {
-        debug('API keys already in cache. Skip.');
+        debug("API keys already in cache. Skip.");
         return;
       }
 
-      debug('Loading API keys into Redis');
+      debug("Loading API keys into Redis");
 
       const promises = [];
 
-      await ApiKey.batchExecute({ match_all: {} }, documents => {
+      await ApiKey.batchExecute({ match_all: {} }, (documents) => {
         for (const { _source } of documents) {
-          promises.push(this.persistForUser(_source.token, _source.userId, _source.ttl));
+          promises.push(
+            this.persistForUser(_source.token, _source.userId, _source.ttl)
+          );
         }
       });
 
       await Bluebird.all(promises);
 
-      await global.kuzzle.ask('core:cache:internal:store', BOOTSTRAP_DONE_KEY, 1);
-    }
-    finally {
+      await global.kuzzle.ask(
+        "core:cache:internal:store",
+        BOOTSTRAP_DONE_KEY,
+        1
+      );
+    } finally {
       await mutex.unlock();
     }
   }
@@ -453,7 +467,7 @@ class TokenRepository extends Repository {
    *
    * So we need to override the TTL auto-refresh function to disable it
    */
-  refreshCacheTTL () {
+  refreshCacheTTL() {
     // This comment is here to please Sonarqube. It requires a comment
     // explaining why a function is empty, but there is no sense
     // duplicating what has been just said in the JSDoc.
@@ -479,18 +493,18 @@ module.exports = TokenRepository;
  * @param {String|Number} time
  * @return {Number}
  */
-function parseTimespan (time) {
-  if (typeof time === 'string') {
+function parseTimespan(time) {
+  if (typeof time === "string") {
     const milliseconds = ms(time);
 
-    if (typeof milliseconds === 'undefined') {
+    if (typeof milliseconds === "undefined") {
       return 0;
     }
 
     return milliseconds;
   }
 
-  if (typeof time === 'number') {
+  if (typeof time === "number") {
     return time;
   }