Adds endpoint for non-revocable session token upgrade (#2646)

2016-09-09 14:48:06 -04:00
parent c5fdd91aa3
commit 340eb46fe1
4 changed files with 156 additions and 3 deletions
--- a/src/Auth.js
+++ b/src/Auth.js
@@ -78,6 +78,23 @@ var getAuthForSessionToken = function({ config, sessionToken, installationId } =
  });
 };

+var getAuthForLegacySessionToken = function({config, sessionToken, installationId } = {}) {
+  var restOptions = {
+      limit: 1
+  };
+  var query = new RestQuery(config, master(config), '_User', { sessionToken: sessionToken}, restOptions);
+  return query.execute().then((response) => {
+    var results = response.results;
+    if (results.length !== 1) {
+        throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid legacy session token');
+    }
+    let obj = results[0];
+    obj.className = '_User';
+    let userObject = Parse.Object.fromJSON(obj);
+    return new Auth({config, isMaster: false, installationId, user: userObject});
+  });
+}
+
 // Returns a promise that resolves to an array of role names
 Auth.prototype.getUserRoles = function() {
  if (this.isMaster || !this.user) {
@@ -195,5 +212,6 @@ module.exports = {
  Auth: Auth,
  master: master,
  nobody: nobody,
-  getAuthForSessionToken: getAuthForSessionToken
+  getAuthForSessionToken,
+  getAuthForLegacySessionToken
 };
--- a/src/Routers/SessionsRouter.js
+++ b/src/Routers/SessionsRouter.js
@@ -3,6 +3,8 @@ import ClassesRouter from './ClassesRouter';
 import PromiseRouter from '../PromiseRouter';
 import rest          from '../rest';
 import Auth          from '../Auth';
+import RestWrite     from '../RestWrite';
+import { newToken }  from '../cryptoUtils';

 export class SessionsRouter extends ClassesRouter {
  handleFind(req) {
@@ -51,12 +53,45 @@ export class SessionsRouter extends ClassesRouter {
      });
  }

+  handleUpdateToRevocableSession(req) {
+    const config = req.config;
+    const masterAuth = Auth.master(config)
+    const user = req.auth.user;
+    const expiresAt = config.generateSessionExpiresAt();
+    const sessionData = {
+      sessionToken: 'r:' + newToken(),
+      user: {
+        __type: 'Pointer',
+        className: '_User',
+        objectId: user.id
+      },
+      createdWith: {
+        'action': 'upgrade',
+      },
+      restricted: false,
+      installationId: req.auth.installationId,
+      expiresAt: Parse._encode(expiresAt)
+    };
+    const create = new RestWrite(config, masterAuth, '_Session', null, sessionData);
+    return create.execute().then(() => {
+      // delete the session token, use the db to skip beforeSave
+      return config.database.update('_User', {
+        objectId: user.id
+      }, {
+        sessionToken: {__op: 'Delete'}
+      });
+    }).then((res) => {
+      return Promise.resolve({ response: sessionData });
+    });
+  }
+
  mountRoutes() {
    this.route('GET', '/sessions', req => { return this.handleFind(req); });
    this.route('GET', '/sessions/:objectId', req => { return this.handleGet(req); });
    this.route('POST', '/sessions', req => { return this.handleCreate(req); });
    this.route('PUT', '/sessions/:objectId', req => { return this.handleUpdate(req); });
    this.route('DELETE', '/sessions/:objectId', req => { return this.handleDelete(req); });
+    this.route('POST', '/upgradeToRevocableSession', req => { return this.handleUpdateToRevocableSession(req); })
  }
 }

--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -147,8 +147,16 @@ export function handleParseHeaders(req, res, next) {
    return;
  }

-  return auth.getAuthForSessionToken({ config: req.config, installationId: info.installationId, sessionToken: info.sessionToken })
-    .then((auth) => {
+  return Promise.resolve().then(() => {
+    // handle the upgradeToRevocableSession path on it's own
+    if (info.sessionToken && 
+        req.url === '/upgradeToRevocableSession' && 
+        info.sessionToken.indexOf('r:') != 0) {
+        return auth.getAuthForLegacySessionToken({ config: req.config, installationId: info.installationId, sessionToken: info.sessionToken })
+    } else {
+        return auth.getAuthForSessionToken({ config: req.config, installationId: info.installationId, sessionToken: info.sessionToken })
+    }
+  }).then((auth) => {
      if (auth) {
        req.auth = auth;
        next();