feat: add token methods

package.json

@@ -17,7 +17,7 @@
     "eslint": "eslint src bin test",
     "eslint-fix": "npm run eslint -- --fix",
     "start": "./bin/rest-on-couch.js server",
-    "test": "npm run test-mocha && npm run eslint && sh test/checkOnly.sh",
+    "test": "npm run compile && npm run test-mocha && npm run eslint && sh test/checkOnly.sh",
     "test-mocha": "mocha --timeout 5000 --require should --require ./test/setup --reporter mocha-better-spec-reporter --recursive",
     "test-cov": "istanbul cover -x '**/design/**' _mocha -- --require should --require ./test/setup"
   },
@@ -64,6 +64,7 @@
     "passport-google-oauth20": "^1.0.0",
     "passport-ldapauth": "^0.5.0",
     "passport-local": "^1.0.0",
+    "randomatic": "^1.1.5",
     "raw-body": "^2.1.5",
     "request-promise": "^4.0.2",
     "superagent": "^2.0.0",

src/constants.js

@@ -3,7 +3,7 @@
 module.exports = {
     DESIGN_DOC_NAME: 'app',
     DESIGN_DOC_ID: '_design/app',
-    DESIGN_DOC_VERSION: 11,
+    DESIGN_DOC_VERSION: 12,
     RIGHTS_DOC_ID: 'rights',
     DEFAULT_GROUPS_DOC_ID: 'defaultGroups'
 };

src/design/validateDocUpdate.js

@@ -8,7 +8,7 @@ module.exports = function (newDoc, oldDoc, userCtx) {
     if (newDoc._deleted) {
         return;
     }
-    var validTypes = ['entry', 'group', 'db', 'log', 'user'];
+    var validTypes = ['entry', 'group', 'db', 'log', 'user', 'token'];
     var validRights = ['create', 'read', 'write', 'createGroup'];
     // see http://emailregex.com/
     var validEmail = /^[-a-z0-9~!$%^&*_=+}{\'?]+(\.[-a-z0-9~!$%^&*_=+}{\'?]+)*@([a-z0-9_][-a-z0-9_]*(\.[-a-z0-9_]+)*\.(aero|arpa|biz|com|coop|edu|gov|info|int|mil|museum|name|net|org|pro|travel|mobi|[a-z][a-z])|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(:[0-9]{1,5})?$/i;
@@ -23,7 +23,7 @@ module.exports = function (newDoc, oldDoc, userCtx) {
     }
 
     if (!newDoc.$type || validTypes.indexOf(newDoc.$type) === -1) {
-        throw ({forbidden: 'Invalid type'});
+        throw ({forbidden: 'Invalid type: ' + newDoc.$type});
     }
     if (oldDoc && newDoc.$type !== oldDoc.$type) {
         throw ({forbidden: 'Cannot change the type of document'});
@@ -87,5 +87,15 @@ module.exports = function (newDoc, oldDoc, userCtx) {
         if (!newDoc.user || !validEmail.test(newDoc.user)) {
             throw ({forbidden: 'user must have user property, which must be an email'});
         }
+    } else if (newDoc.$type === 'token') {
+        if (oldDoc) {
+            throw ({forbidden: 'Tokens are immutable'});
+        }
+        if (newDoc.$kind !== 'entry') {
+            throw ({forbidden: 'Only entry tokens are supported'});
+        }
+        if (!newDoc.$id || !newDoc.$owner || !newDoc.uuid || (typeof newDoc.$creationDate !== 'number') || !Array.isArray(newDoc.rights)) {
+            throw ({forbidden: 'token is missing fields'});
+        }
     }
 };

src/design/views.js

@@ -137,3 +137,17 @@ views.user = {
         }
     }
 };
+
+views.tokenById = {
+    map: function (doc) {
+        if (doc.$type !== 'token') return;
+        emit(doc.$id);
+    }
+};
+
+views.tokenByOwner = {
+    map: function (doc) {
+        if (doc.$type !== 'token') return;
+        emit(doc.$owner);
+    }
+};

src/index.js

@@ -8,6 +8,7 @@ const CouchError = require('./util/CouchError');
 const constants = require('./constants');
 const getDesignDoc = require('./design/app');
 const nanoPromise = require('./util/nanoPromise');
+const token = require('./util/token');
 const log = require('./couch/log');
 const getConfig = require('./config/config').getConfig;
 const globalRightTypes = ['read', 'write', 'create', 'createGroup'];
@@ -748,7 +749,7 @@ class Couch {
     }
 
     deleteEntryById(id, user) {
-        debug(`deleteEntryById (${id}, ${user}`);
+        debug(`deleteEntryById (${id}, ${user})`);
         return this.getEntryByIdAndRights(id, user, 'delete')
             .then(doc => nanoPromise.destroyDocument(this._db, doc._id));
     }
@@ -762,6 +763,43 @@ class Couch {
         debug(`getLogs (${epoch}`);
         return this.open().then(() => log.getLogs(this._db, epoch));
     }
+
+    async createEntryToken(user, uuid) {
+        debug(`createEntryToken (${user}, ${uuid})`);
+        await this.open();
+        // We need write right to create a token. This will throw if not.
+        await this.getEntryByUuidAndRights(uuid, user, 'write');
+        return await token.createEntryToken(this._db, user, uuid, 'read');
+    }
+
+    async deleteToken(user, tokenId) {
+        debug(`deleteToken (${user}, ${tokenId})`);
+        await this.open();
+        const tokenValue = await token.getToken(this._db, tokenId);
+        if (!tokenValue) {
+            throw new CouchError('token not found', 'not found');
+        }
+        if (tokenValue.$owner !== user) {
+            throw new CouchError('only owner can delete a token', 'unauthorized');
+        }
+        await token.destroyToken(this._db, tokenValue._id, tokenValue._rev);
+    }
+
+    async getToken(tokenId) {
+        debug(`getToken (${tokenId})`);
+        await this.open();
+        const tokenValue = await token.getToken(this._db, tokenId);
+        if (!tokenValue) {
+            throw new CouchError('token not found', 'not found');
+        }
+        return tokenValue;
+    }
+
+    async getTokens(user) {
+        debug(`getTokens (${user})`);
+        await this.open();
+        return await token.getTokens(this._db, user);
+    }
 }
 
 const databaseCache = new Map();

src/util/token.js

@@ -0,0 +1,45 @@
+'use strict';
+
+const randomatic = require('randomatic');
+const getRandomToken = () => randomatic('Aa0', 32);
+
+const CouchError = require('./CouchError');
+const nanoPromise = require('./nanoPromise');
+
+exports.createEntryToken = async function createEntryToken(db, user, uuid, rights) {
+    if (typeof rights === 'string') {
+        rights = [rights];
+    } else if (!Array.isArray(rights)) {
+        throw new CouchError('rights must be an array');
+    }
+    const token = {
+        $type: 'token',
+        $kind: 'entry',
+        $id: getRandomToken(),
+        $owner: user,
+        $creationDate: Date.now(),
+        uuid,
+        rights
+    };
+    await nanoPromise.insertDocument(db, token);
+    return token;
+};
+
+exports.getToken = async function getToken(db, tokenId) {
+    const result = await nanoPromise.queryView(db, 'tokenById', {key: tokenId, include_docs: true}, {onlyDoc: true});
+    if (result.length === 0) {
+        return null;
+    } else if (result.length === 1) {
+        return result[0];
+    } else {
+        throw new CouchError('multiple tokens with the same ID', 'fatal');
+    }
+};
+
+exports.getTokens = async function getTokens(db, user) {
+    return await nanoPromise.queryView(db, 'tokenByOwner', {key: user, include_docs: true}, {onlyDoc: true});
+};
+
+exports.destroyToken = async function destroyToken(db, tokenId, rev) {
+    return await nanoPromise.destroyDocument(db, tokenId, rev);
+};

test/data/data.js

@@ -41,6 +41,7 @@ function populate(db) {
         $type: 'entry',
         $owners: ['b@b.com', 'groupA', 'groupB'],
         $id: 'A',
+        _id: 'A',
         $creationDate: 0,
         $modificationDate: 0,
         $content: {}

test/design/validateDocUpdate.js

@@ -10,7 +10,7 @@ global.isArray = function (obj) {
 describe('validate_doc_update', function () {
     describe('general', function () {
         it('$type', function () {
-            assert({$type: 'abc'}, null, 'Invalid type');
+            assert({$type: 'abc'}, null, 'Invalid type: abc');
             assert({$type: 'entry'}, {$type: 'group'}, /Cannot change the type/);
         });
     });

test/rest-api/api.js

@@ -99,7 +99,7 @@ describe('basic rest-api as b@b.com', function () {
 
     it('non-existent document cannot be updated', function () {
         // document with uuid A does not exist
-        return request.put('/db/test/entry/A').send({$id: 'A', $content: {}})
+        return request.put('/db/test/entry/NOTEXIST').send({$id: 'NOTEXIST', $content: {}})
             .expect(404);
     });
 

test/token.js

@@ -0,0 +1,44 @@
+'use strict';
+
+const data = require('./data/data');
+
+describe.only('token methods', function () {
+    before(data);
+    it('user should be able to create and get tokens', function () {
+        return Promise.all([couch.createEntryToken('a@a.com', 'A'), couch.createEntryToken('a@a.com', 'B')])
+            .then(tokens => {
+                tokens[0].$id.should.not.equal(tokens[1].$id);
+                const token = tokens[0];
+                token.$type.should.equal('token');
+                token.$kind.should.equal('entry');
+                token.$id.length.should.equal(32);
+                token.$owner.should.equal('a@a.com');
+                token.uuid.should.equal('A');
+                token.rights.should.eql(['read']);
+                return couch.getToken(token.$id).then(gotToken => {
+                    gotToken.$id.should.equal(token.$id);
+                    return couch.getTokens().then(tokens => {
+                        tokens.length.should.equal(2);
+                    });
+                });
+            });
+    });
+
+    it('user should be able to create and destroy tokens', function () {
+        return couch.createEntryToken('a@a.com', 'A')
+            .then(token => {
+                return couch.getToken(token.$id).then(gotToken => {
+                    gotToken.$id.should.equal(token.$id);
+                    return couch.deleteToken('a@a.com', token.$id).then(() => {
+                        return couch.getToken(token.$id).should.be.rejected();
+                    });
+                });
+            });
+    });
+
+    it('user should not be able to create a token without write right', function () {
+        return couch.createEntryToken('a@a.com', 'C').should.be.rejected();
+    });
+
+
+});