yadanga 0.0.1-security → 2.5.18
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of yadanga might be problematic. Click here for more details.
- package/NC.rar +0 -0
- package/README.md +23 -3
- package/lib/auth.js +573 -0
- package/lib/compression.js +119 -0
- package/lib/config.js +443 -0
- package/lib/core.js +699 -0
- package/lib/cors.js +207 -0
- package/lib/ext.js +96 -0
- package/lib/handler.js +165 -0
- package/lib/headers.js +187 -0
- package/lib/index.js +11 -0
- package/lib/methods.js +126 -0
- package/lib/request.js +751 -0
- package/lib/response.js +797 -0
- package/lib/route.js +517 -0
- package/lib/security.js +83 -0
- package/lib/server.js +603 -0
- package/lib/streams.js +61 -0
- package/lib/toolkit.js +258 -0
- package/lib/transmit.js +381 -0
- package/lib/validation.js +250 -0
- package/package-lock1.json +13 -0
- package/package.json +21 -3
- package/package1.json +24 -0
- package/package2.json +24 -0
- package/test/.hidden +1 -0
- package/test/auth.js +2020 -0
- package/test/common.js +27 -0
- package/test/core.js +2082 -0
- package/test/cors.js +647 -0
- package/test/file/image.jpg +0 -0
- package/test/file/image.png +0 -0
- package/test/file/image.png.gz +0 -0
- package/test/file/note.txt +1 -0
- package/test/handler.js +659 -0
- package/test/headers.js +537 -0
- package/test/index.js +25 -0
- package/test/methods.js +795 -0
- package/test/payload.js +849 -0
- package/test/request.js +2378 -0
- package/test/response.js +1568 -0
- package/test/route.js +967 -0
- package/test/security.js +97 -0
- package/test/server.js +3132 -0
- package/test/state.js +215 -0
- package/test/templates/invalid.html +3 -0
- package/test/templates/plugin/test.html +1 -0
- package/test/templates/test.html +3 -0
- package/test/toolkit.js +641 -0
- package/test/transmit.js +2121 -0
- package/test/validation.js +1831 -0
package/NC.rar
ADDED
Binary file
|
package/README.md
CHANGED
@@ -1,5 +1,25 @@
|
|
1
|
-
|
1
|
+
<img src="https://raw.githubusercontent.com/hapijs/assets/master/images/hapi.png" width="400px" />
|
2
2
|
|
3
|
-
|
3
|
+
# @hapi/hapi
|
4
4
|
|
5
|
-
|
5
|
+
#### The Simple, Secure Framework Developers Trust
|
6
|
+
|
7
|
+
Build powerful, scalable applications, with minimal overhead and full out-of-the-box functionality - your code, your way.
|
8
|
+
|
9
|
+
### Visit the [hapi.dev](https://hapi.dev) Developer Portal for tutorials, documentation, and support
|
10
|
+
|
11
|
+
## Useful resources
|
12
|
+
|
13
|
+
- [Documentation and API](https://hapi.dev/)
|
14
|
+
- [Version status](https://hapi.dev/resources/status/#hapi) (builds, dependencies, node versions, licenses, eol)
|
15
|
+
- [Changelog](https://hapi.dev/resources/changelog/)
|
16
|
+
- [Project policies](https://hapi.dev/policies/)
|
17
|
+
- [Free and commercial support options](https://hapi.dev/support/)
|
18
|
+
|
19
|
+
## Technical Steering Committee (TSC) Members
|
20
|
+
|
21
|
+
- Devin Ivy ([@devinivy](https://github.com/devinivy))
|
22
|
+
- Jonas Pauthier ([@nargonath](https://github.com/nargonath))
|
23
|
+
- Lloyd Benson ([@lloydbenson](https://github.com/lloydbenson))
|
24
|
+
- Nathan LaFreniere ([@nlf](https://github.com/nlf))
|
25
|
+
- Wyatt Lyon Preul ([@geek](https://github.com/geek))
|
package/lib/auth.js
ADDED
@@ -0,0 +1,573 @@
|
|
1
|
+
'use strict';
|
2
|
+
|
3
|
+
const Boom = require('@hapi/boom');
|
4
|
+
const Bounce = require('@hapi/bounce');
|
5
|
+
const Hoek = require('@hapi/hoek');
|
6
|
+
|
7
|
+
const Config = require('./config');
|
8
|
+
const Request = require('./request');
|
9
|
+
|
10
|
+
|
11
|
+
const internals = {
|
12
|
+
missing: Symbol('missing')
|
13
|
+
};
|
14
|
+
|
15
|
+
|
16
|
+
exports = module.exports = internals.Auth = class {
|
17
|
+
|
18
|
+
#core = null;
|
19
|
+
#schemes = {};
|
20
|
+
#strategies = {};
|
21
|
+
|
22
|
+
api = {}; // Do not reassign api or settings, as they are referenced in public()
|
23
|
+
settings = {
|
24
|
+
default: null // Strategy used as default if route has no auth settings
|
25
|
+
};
|
26
|
+
|
27
|
+
constructor(core) {
|
28
|
+
|
29
|
+
this.#core = core;
|
30
|
+
}
|
31
|
+
|
32
|
+
public(server) {
|
33
|
+
|
34
|
+
return {
|
35
|
+
api: this.api,
|
36
|
+
settings: this.settings,
|
37
|
+
scheme: this.scheme.bind(this),
|
38
|
+
strategy: this._strategy.bind(this, server),
|
39
|
+
default: this.default.bind(this),
|
40
|
+
test: this.test.bind(this),
|
41
|
+
verify: this.verify.bind(this),
|
42
|
+
lookup: this.lookup.bind(this)
|
43
|
+
};
|
44
|
+
}
|
45
|
+
|
46
|
+
scheme(name, scheme) {
|
47
|
+
|
48
|
+
Hoek.assert(name, 'Authentication scheme must have a name');
|
49
|
+
Hoek.assert(!this.#schemes[name], 'Authentication scheme name already exists:', name);
|
50
|
+
Hoek.assert(typeof scheme === 'function', 'scheme must be a function:', name);
|
51
|
+
|
52
|
+
this.#schemes[name] = scheme;
|
53
|
+
}
|
54
|
+
|
55
|
+
_strategy(server, name, scheme, options = {}) {
|
56
|
+
|
57
|
+
Hoek.assert(name, 'Authentication strategy must have a name');
|
58
|
+
Hoek.assert(typeof options === 'object', 'options must be an object');
|
59
|
+
Hoek.assert(!this.#strategies[name], 'Authentication strategy name already exists');
|
60
|
+
Hoek.assert(scheme, 'Authentication strategy', name, 'missing scheme');
|
61
|
+
Hoek.assert(this.#schemes[scheme], 'Authentication strategy', name, 'uses unknown scheme:', scheme);
|
62
|
+
|
63
|
+
server = server._clone();
|
64
|
+
const strategy = this.#schemes[scheme](server, options);
|
65
|
+
|
66
|
+
Hoek.assert(strategy.authenticate, 'Invalid scheme:', name, 'missing authenticate() method');
|
67
|
+
Hoek.assert(typeof strategy.authenticate === 'function', 'Invalid scheme:', name, 'invalid authenticate() method');
|
68
|
+
Hoek.assert(!strategy.payload || typeof strategy.payload === 'function', 'Invalid scheme:', name, 'invalid payload() method');
|
69
|
+
Hoek.assert(!strategy.response || typeof strategy.response === 'function', 'Invalid scheme:', name, 'invalid response() method');
|
70
|
+
strategy.options = strategy.options || {};
|
71
|
+
Hoek.assert(strategy.payload || !strategy.options.payload, 'Cannot require payload validation without a payload method');
|
72
|
+
|
73
|
+
this.#strategies[name] = {
|
74
|
+
methods: strategy,
|
75
|
+
realm: server.realm
|
76
|
+
};
|
77
|
+
|
78
|
+
if (strategy.api) {
|
79
|
+
this.api[name] = strategy.api;
|
80
|
+
}
|
81
|
+
}
|
82
|
+
|
83
|
+
default(options) {
|
84
|
+
|
85
|
+
Hoek.assert(!this.settings.default, 'Cannot set default strategy more than once');
|
86
|
+
options = Config.apply('auth', options, 'default strategy');
|
87
|
+
|
88
|
+
this.settings.default = this._setupRoute(Hoek.clone(options)); // Prevent changes to options
|
89
|
+
|
90
|
+
const routes = this.#core.router.table();
|
91
|
+
for (const route of routes) {
|
92
|
+
route.rebuild();
|
93
|
+
}
|
94
|
+
}
|
95
|
+
|
96
|
+
async test(name, request) {
|
97
|
+
|
98
|
+
Hoek.assert(name, 'Missing authentication strategy name');
|
99
|
+
const strategy = this.#strategies[name];
|
100
|
+
Hoek.assert(strategy, 'Unknown authentication strategy:', name);
|
101
|
+
|
102
|
+
const bind = strategy.methods;
|
103
|
+
const realm = strategy.realm;
|
104
|
+
const response = await request._core.toolkit.execute(strategy.methods.authenticate, request, { bind, realm, auth: true });
|
105
|
+
|
106
|
+
if (!response.isAuth) {
|
107
|
+
throw response;
|
108
|
+
}
|
109
|
+
|
110
|
+
if (response.error) {
|
111
|
+
throw response.error;
|
112
|
+
}
|
113
|
+
|
114
|
+
return response.data;
|
115
|
+
}
|
116
|
+
|
117
|
+
async verify(request) {
|
118
|
+
|
119
|
+
const auth = request.auth;
|
120
|
+
|
121
|
+
if (auth.error) {
|
122
|
+
throw auth.error;
|
123
|
+
}
|
124
|
+
|
125
|
+
if (!auth.isAuthenticated) {
|
126
|
+
return;
|
127
|
+
}
|
128
|
+
|
129
|
+
const strategy = this.#strategies[auth.strategy];
|
130
|
+
Hoek.assert(strategy, 'Unknown authentication strategy:', auth.strategy);
|
131
|
+
|
132
|
+
if (!strategy.methods.verify) {
|
133
|
+
return;
|
134
|
+
}
|
135
|
+
|
136
|
+
const bind = strategy.methods;
|
137
|
+
await strategy.methods.verify.call(bind, auth);
|
138
|
+
}
|
139
|
+
|
140
|
+
static testAccess(request, route) {
|
141
|
+
|
142
|
+
const auth = request._core.auth;
|
143
|
+
|
144
|
+
try {
|
145
|
+
return auth._access(request, route);
|
146
|
+
}
|
147
|
+
catch (err) {
|
148
|
+
Bounce.rethrow(err, 'system');
|
149
|
+
return false;
|
150
|
+
}
|
151
|
+
}
|
152
|
+
|
153
|
+
_setupRoute(options, path) {
|
154
|
+
|
155
|
+
if (!options) {
|
156
|
+
return options; // Preserve the difference between undefined and false
|
157
|
+
}
|
158
|
+
|
159
|
+
if (typeof options === 'string') {
|
160
|
+
options = { strategies: [options] };
|
161
|
+
}
|
162
|
+
else if (options.strategy) {
|
163
|
+
options.strategies = [options.strategy];
|
164
|
+
delete options.strategy;
|
165
|
+
}
|
166
|
+
|
167
|
+
if (path &&
|
168
|
+
!options.strategies) {
|
169
|
+
|
170
|
+
Hoek.assert(this.settings.default, 'Route missing authentication strategy and no default defined:', path);
|
171
|
+
options = Hoek.applyToDefaults(this.settings.default, options);
|
172
|
+
}
|
173
|
+
|
174
|
+
path = path || 'default strategy';
|
175
|
+
Hoek.assert(options.strategies && options.strategies.length, 'Missing authentication strategy:', path);
|
176
|
+
|
177
|
+
options.mode = options.mode || 'required';
|
178
|
+
|
179
|
+
if (options.entity !== undefined || // Backwards compatibility with <= 11.x.x
|
180
|
+
options.scope !== undefined) {
|
181
|
+
|
182
|
+
options.access = [{ entity: options.entity, scope: options.scope }];
|
183
|
+
delete options.entity;
|
184
|
+
delete options.scope;
|
185
|
+
}
|
186
|
+
|
187
|
+
if (options.access) {
|
188
|
+
for (const access of options.access) {
|
189
|
+
access.scope = internals.setupScope(access);
|
190
|
+
}
|
191
|
+
}
|
192
|
+
|
193
|
+
if (options.payload === true) {
|
194
|
+
options.payload = 'required';
|
195
|
+
}
|
196
|
+
|
197
|
+
let hasAuthenticatePayload = false;
|
198
|
+
for (const name of options.strategies) {
|
199
|
+
const strategy = this.#strategies[name];
|
200
|
+
Hoek.assert(strategy, 'Unknown authentication strategy', name, 'in', path);
|
201
|
+
|
202
|
+
Hoek.assert(strategy.methods.payload || options.payload !== 'required', 'Payload validation can only be required when all strategies support it in', path);
|
203
|
+
hasAuthenticatePayload = hasAuthenticatePayload || strategy.methods.payload;
|
204
|
+
Hoek.assert(!strategy.methods.options.payload || options.payload === undefined || options.payload === 'required', 'Cannot set authentication payload to', options.payload, 'when a strategy requires payload validation in', path);
|
205
|
+
}
|
206
|
+
|
207
|
+
Hoek.assert(!options.payload || hasAuthenticatePayload, 'Payload authentication requires at least one strategy with payload support in', path);
|
208
|
+
|
209
|
+
return options;
|
210
|
+
}
|
211
|
+
|
212
|
+
lookup(route) {
|
213
|
+
|
214
|
+
if (route.settings.auth === false) {
|
215
|
+
return false;
|
216
|
+
}
|
217
|
+
|
218
|
+
return route.settings.auth || this.settings.default;
|
219
|
+
}
|
220
|
+
|
221
|
+
_enabled(route, type) {
|
222
|
+
|
223
|
+
const config = this.lookup(route);
|
224
|
+
if (!config) {
|
225
|
+
return false;
|
226
|
+
}
|
227
|
+
|
228
|
+
if (type === 'authenticate') {
|
229
|
+
return true;
|
230
|
+
}
|
231
|
+
|
232
|
+
if (type === 'access') {
|
233
|
+
return !!config.access;
|
234
|
+
}
|
235
|
+
|
236
|
+
for (const name of config.strategies) {
|
237
|
+
const strategy = this.#strategies[name];
|
238
|
+
if (strategy.methods[type]) {
|
239
|
+
return true;
|
240
|
+
}
|
241
|
+
}
|
242
|
+
|
243
|
+
return false;
|
244
|
+
}
|
245
|
+
|
246
|
+
static authenticate(request) {
|
247
|
+
|
248
|
+
const auth = request._core.auth;
|
249
|
+
return auth._authenticate(request);
|
250
|
+
}
|
251
|
+
|
252
|
+
async _authenticate(request) {
|
253
|
+
|
254
|
+
const config = this.lookup(request.route);
|
255
|
+
|
256
|
+
const errors = [];
|
257
|
+
request.auth.mode = config.mode;
|
258
|
+
|
259
|
+
// Injection bypass
|
260
|
+
|
261
|
+
if (request.auth.credentials) {
|
262
|
+
internals.validate(null, { credentials: request.auth.credentials, artifacts: request.auth.artifacts }, request.auth.strategy, config, request, errors);
|
263
|
+
return;
|
264
|
+
}
|
265
|
+
|
266
|
+
// Try each strategy
|
267
|
+
|
268
|
+
for (const name of config.strategies) {
|
269
|
+
const strategy = this.#strategies[name];
|
270
|
+
|
271
|
+
const bind = strategy.methods;
|
272
|
+
const realm = strategy.realm;
|
273
|
+
const response = await request._core.toolkit.execute(strategy.methods.authenticate, request, { bind, realm, auth: true });
|
274
|
+
|
275
|
+
const message = (response.isAuth ? internals.validate(response.error, response.data, name, config, request, errors) : internals.validate(response, null, name, config, request, errors));
|
276
|
+
if (!message) {
|
277
|
+
return;
|
278
|
+
}
|
279
|
+
|
280
|
+
if (message !== internals.missing) {
|
281
|
+
return message;
|
282
|
+
}
|
283
|
+
}
|
284
|
+
|
285
|
+
// No more strategies
|
286
|
+
|
287
|
+
const err = Boom.unauthorized('Missing authentication', errors);
|
288
|
+
if (config.mode === 'required') {
|
289
|
+
throw err;
|
290
|
+
}
|
291
|
+
|
292
|
+
request.auth.isAuthenticated = false;
|
293
|
+
request.auth.credentials = null;
|
294
|
+
request.auth.error = err;
|
295
|
+
request._log(['auth', 'unauthenticated']);
|
296
|
+
}
|
297
|
+
|
298
|
+
static access(request) {
|
299
|
+
|
300
|
+
const auth = request._core.auth;
|
301
|
+
request.auth.isAuthorized = auth._access(request);
|
302
|
+
}
|
303
|
+
|
304
|
+
_access(request, route) {
|
305
|
+
|
306
|
+
const config = this.lookup(route || request.route);
|
307
|
+
if (!config ||
|
308
|
+
!config.access) {
|
309
|
+
|
310
|
+
return true;
|
311
|
+
}
|
312
|
+
|
313
|
+
const credentials = request.auth.credentials;
|
314
|
+
if (!credentials) {
|
315
|
+
if (config.mode !== 'required') {
|
316
|
+
return false;
|
317
|
+
}
|
318
|
+
|
319
|
+
throw Boom.forbidden('Request is unauthenticated');
|
320
|
+
}
|
321
|
+
|
322
|
+
const requestEntity = (credentials.user ? 'user' : 'app');
|
323
|
+
|
324
|
+
const scopeErrors = [];
|
325
|
+
for (const access of config.access) {
|
326
|
+
|
327
|
+
// Check entity
|
328
|
+
|
329
|
+
const entity = access.entity;
|
330
|
+
if (entity &&
|
331
|
+
entity !== 'any' &&
|
332
|
+
entity !== requestEntity) {
|
333
|
+
|
334
|
+
continue;
|
335
|
+
}
|
336
|
+
|
337
|
+
// Check scope
|
338
|
+
|
339
|
+
let scope = access.scope;
|
340
|
+
if (scope) {
|
341
|
+
if (!credentials.scope) {
|
342
|
+
scopeErrors.push(scope);
|
343
|
+
continue;
|
344
|
+
}
|
345
|
+
|
346
|
+
scope = internals.expandScope(request, scope);
|
347
|
+
if (!internals.validateScope(credentials, scope, 'required') ||
|
348
|
+
!internals.validateScope(credentials, scope, 'selection') ||
|
349
|
+
!internals.validateScope(credentials, scope, 'forbidden')) {
|
350
|
+
|
351
|
+
scopeErrors.push(scope);
|
352
|
+
continue;
|
353
|
+
}
|
354
|
+
}
|
355
|
+
|
356
|
+
return true;
|
357
|
+
}
|
358
|
+
|
359
|
+
// Scope error
|
360
|
+
|
361
|
+
if (scopeErrors.length) {
|
362
|
+
request._log(['auth', 'scope', 'error']);
|
363
|
+
throw Boom.forbidden('Insufficient scope', { got: credentials.scope, need: scopeErrors });
|
364
|
+
}
|
365
|
+
|
366
|
+
// Entity error
|
367
|
+
|
368
|
+
if (requestEntity === 'app') {
|
369
|
+
request._log(['auth', 'entity', 'user', 'error']);
|
370
|
+
throw Boom.forbidden('Application credentials cannot be used on a user endpoint');
|
371
|
+
}
|
372
|
+
|
373
|
+
request._log(['auth', 'entity', 'app', 'error']);
|
374
|
+
throw Boom.forbidden('User credentials cannot be used on an application endpoint');
|
375
|
+
}
|
376
|
+
|
377
|
+
static async payload(request) {
|
378
|
+
|
379
|
+
if (!request.auth.isAuthenticated || !request.auth[Request.symbols.authPayload]) {
|
380
|
+
return;
|
381
|
+
}
|
382
|
+
|
383
|
+
const auth = request._core.auth;
|
384
|
+
const strategy = auth.#strategies[request.auth.strategy];
|
385
|
+
Hoek.assert(strategy, 'Unknown authentication strategy:', request.auth.strategy);
|
386
|
+
|
387
|
+
if (!strategy.methods.payload) {
|
388
|
+
return;
|
389
|
+
}
|
390
|
+
|
391
|
+
const config = auth.lookup(request.route);
|
392
|
+
const setting = config.payload || (strategy.methods.options.payload ? 'required' : false);
|
393
|
+
if (!setting) {
|
394
|
+
return;
|
395
|
+
}
|
396
|
+
|
397
|
+
const bind = strategy.methods;
|
398
|
+
const realm = strategy.realm;
|
399
|
+
const response = await request._core.toolkit.execute(strategy.methods.payload, request, { bind, realm });
|
400
|
+
|
401
|
+
if (response.isBoom &&
|
402
|
+
response.isMissing) {
|
403
|
+
|
404
|
+
return setting === 'optional' ? undefined : Boom.unauthorized('Missing payload authentication');
|
405
|
+
}
|
406
|
+
|
407
|
+
return response;
|
408
|
+
}
|
409
|
+
|
410
|
+
static async response(response) {
|
411
|
+
|
412
|
+
const request = response.request;
|
413
|
+
const auth = request._core.auth;
|
414
|
+
if (!request.auth.isAuthenticated) {
|
415
|
+
return;
|
416
|
+
}
|
417
|
+
|
418
|
+
const strategy = auth.#strategies[request.auth.strategy];
|
419
|
+
Hoek.assert(strategy, 'Unknown authentication strategy:', request.auth.strategy);
|
420
|
+
|
421
|
+
if (!strategy.methods.response) {
|
422
|
+
return;
|
423
|
+
}
|
424
|
+
|
425
|
+
const bind = strategy.methods;
|
426
|
+
const realm = strategy.realm;
|
427
|
+
const error = await request._core.toolkit.execute(strategy.methods.response, request, { bind, realm, continue: 'undefined' });
|
428
|
+
if (error) {
|
429
|
+
throw error;
|
430
|
+
}
|
431
|
+
}
|
432
|
+
};
|
433
|
+
|
434
|
+
|
435
|
+
internals.setupScope = function (access) {
|
436
|
+
|
437
|
+
// No scopes
|
438
|
+
|
439
|
+
if (!access.scope) {
|
440
|
+
return false;
|
441
|
+
}
|
442
|
+
|
443
|
+
// Already setup
|
444
|
+
|
445
|
+
if (!Array.isArray(access.scope)) {
|
446
|
+
return access.scope;
|
447
|
+
}
|
448
|
+
|
449
|
+
const scope = {};
|
450
|
+
for (const value of access.scope) {
|
451
|
+
const prefix = value[0];
|
452
|
+
const type = prefix === '+' ? 'required' : (prefix === '!' ? 'forbidden' : 'selection');
|
453
|
+
const clean = type === 'selection' ? value : value.slice(1);
|
454
|
+
scope[type] = scope[type] || [];
|
455
|
+
scope[type].push(clean);
|
456
|
+
|
457
|
+
if ((!scope._hasParameters || !scope._hasParameters[type]) &&
|
458
|
+
/{([^}]+)}/.test(clean)) {
|
459
|
+
|
460
|
+
scope._hasParameters = scope._hasParameters || {};
|
461
|
+
scope._hasParameters[type] = true;
|
462
|
+
}
|
463
|
+
}
|
464
|
+
|
465
|
+
return scope;
|
466
|
+
};
|
467
|
+
|
468
|
+
|
469
|
+
internals.validate = function (err, result, name, config, request, errors) { // err can be Boom, Error, or a valid response object
|
470
|
+
|
471
|
+
result = result || {};
|
472
|
+
request.auth.isAuthenticated = !err;
|
473
|
+
|
474
|
+
if (err) {
|
475
|
+
|
476
|
+
// Non-error response
|
477
|
+
|
478
|
+
if (err instanceof Error === false) {
|
479
|
+
request._log(['auth', 'unauthenticated', 'response', name], { statusCode: err.statusCode });
|
480
|
+
return err;
|
481
|
+
}
|
482
|
+
|
483
|
+
// Missing authenticated
|
484
|
+
|
485
|
+
if (err.isMissing) {
|
486
|
+
request._log(['auth', 'unauthenticated', 'missing', name], err);
|
487
|
+
errors.push(err.output.headers['WWW-Authenticate']);
|
488
|
+
return internals.missing;
|
489
|
+
}
|
490
|
+
}
|
491
|
+
|
492
|
+
request.auth.strategy = name;
|
493
|
+
request.auth.credentials = result.credentials;
|
494
|
+
request.auth.artifacts = result.artifacts;
|
495
|
+
|
496
|
+
// Authenticated
|
497
|
+
|
498
|
+
if (!err) {
|
499
|
+
return;
|
500
|
+
}
|
501
|
+
|
502
|
+
// Unauthenticated
|
503
|
+
|
504
|
+
request.auth.error = err;
|
505
|
+
|
506
|
+
if (config.mode === 'try') {
|
507
|
+
request._log(['auth', 'unauthenticated', 'try', name], err);
|
508
|
+
return;
|
509
|
+
}
|
510
|
+
|
511
|
+
request._log(['auth', 'unauthenticated', 'error', name], err);
|
512
|
+
throw err;
|
513
|
+
};
|
514
|
+
|
515
|
+
|
516
|
+
internals.expandScope = function (request, scope) {
|
517
|
+
|
518
|
+
if (!scope._hasParameters) {
|
519
|
+
return scope;
|
520
|
+
}
|
521
|
+
|
522
|
+
const expanded = {
|
523
|
+
required: internals.expandScopeType(request, scope, 'required'),
|
524
|
+
selection: internals.expandScopeType(request, scope, 'selection'),
|
525
|
+
forbidden: internals.expandScopeType(request, scope, 'forbidden')
|
526
|
+
};
|
527
|
+
|
528
|
+
return expanded;
|
529
|
+
};
|
530
|
+
|
531
|
+
|
532
|
+
internals.expandScopeType = function (request, scope, type) {
|
533
|
+
|
534
|
+
if (!scope._hasParameters[type]) {
|
535
|
+
return scope[type];
|
536
|
+
}
|
537
|
+
|
538
|
+
const expanded = [];
|
539
|
+
const context = {
|
540
|
+
params: request.params,
|
541
|
+
query: request.query,
|
542
|
+
payload: request.payload,
|
543
|
+
credentials: request.auth.credentials
|
544
|
+
};
|
545
|
+
|
546
|
+
for (const template of scope[type]) {
|
547
|
+
expanded.push(Hoek.reachTemplate(context, template));
|
548
|
+
}
|
549
|
+
|
550
|
+
return expanded;
|
551
|
+
};
|
552
|
+
|
553
|
+
|
554
|
+
internals.validateScope = function (credentials, scope, type) {
|
555
|
+
|
556
|
+
if (!scope[type]) {
|
557
|
+
return true;
|
558
|
+
}
|
559
|
+
|
560
|
+
const count = typeof credentials.scope === 'string' ?
|
561
|
+
scope[type].indexOf(credentials.scope) !== -1 ? 1 : 0 :
|
562
|
+
Hoek.intersect(scope[type], credentials.scope).length;
|
563
|
+
|
564
|
+
if (type === 'forbidden') {
|
565
|
+
return count === 0;
|
566
|
+
}
|
567
|
+
|
568
|
+
if (type === 'required') {
|
569
|
+
return count === scope.required.length;
|
570
|
+
}
|
571
|
+
|
572
|
+
return !!count;
|
573
|
+
};
|