From 0cb4731eca77832efd82799a17cebe88609eb629 Mon Sep 17 00:00:00 2001
From: OSPFNeighbour
Date: Thu, 21 Jun 2018 20:55:51 +1000
Subject: [PATCH 1/3] Allow toggle of the DEFAULT user via an ENV variable. if ALLOW_ANON exists the DEFAULT USER will be used, else reject the connection
---
 server/src/main.js | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/server/src/main.js b/server/src/main.js
index 7b790f2c..cae4df9c 100644
--- a/server/src/main.js
+++ b/server/src/main.js
@@ -54,7 +54,6 @@ const postJWTAuth = ({ id, device }) => {
 },
 });
 } else {
- // If we didnt allow anon access we would reject the promise here
 returnUser = User.findById(DEFAULT_USER_ID);
 returnDevice = Device.findOne({
 where: {
@@ -63,7 +62,6 @@ const postJWTAuth = ({ id, device }) => {
 },
 });
 }
-
 return Promise.resolve({ user: returnUser, device: returnDevice });
 };
@@ -75,7 +73,7 @@ app.use(
 // used by later middleware for authorization and access control.
 jwt({
 secret: JWT_SECRET,
- credentialsRequired: false,
+ credentialsRequired: !process.env.ALLOW_ANON,
 }),
 graphqlExpress(req => postJWTAuth(
 req.user ? { id: req.user.id, device: req.user.device } : { id: null, device: null },
@@ -85,8 +83,9 @@ app.use(
 user,
 device,
 },
- })).catch(() => Promise.reject(Error('Unauthorised'))),
- ));
+ })).catch(() => false),
+ ),
+);
 app.use('/graphiql', graphiqlExpress(req => ({
 endpointURL: '/graphql',
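Review bot: `credentialsRequired: !process.env.ALLOW_ANON` treats any non-empty value as "anonymous allowed", so an environment that sets `ALLOW_ANON=false` or `ALLOW_ANON=0` still turns the JWT requirement off. Parse the flag once at module load and compare explicitly — `const ALLOW_ANON = process.env.ALLOW_ANON === 'true';` then `credentialsRequired: !ALLOW_ANON,` — and reuse that constant in the WebSocket `onConnect` check so both entry points agree. Once credentials are required, express-jwt hands a missing or invalid token to `next(err)`; no error-handling middleware is visible in this diff, so confirm one exists that turns that into a 401 rather than the default error page. The `app.use(` call this hunk sits in starts before and ends after the hunk.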
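Review bot: `.catch(() => false)` gives graphqlExpress `false` in place of its options object whenever `postJWTAuth` rejects, which hides the real cause (a failed `User.findById` or `Device.findOne` lookup included) behind whatever graphqlExpress does with a non-object — presumably a generic 500 with nothing logged. With the previous hunk making credentials mandatory when `ALLOW_ANON` is unset, a rejection here is now a genuine server-side failure rather than an auth miss, so it should stay visible: `.catch((err) => {` / `  console.error('postJWTAuth failed', err); return Promise.reject(Error('Unauthorised'));` / `}),` (or the project's logger, if it has one). The enclosing `app.use(` call starts before the hunk.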
@@ -105,11 +104,15 @@ SubscriptionServer.create({
 subscribe,
 onConnect(connectionParams) {
 // theres no standard auth header in WS so we use jwt connection param
+ if (!connectionParams.jwt && !process.env.ALLOW_ANON) {
+ return Promise.reject(Error('Unauthorised'));
+ }
 return jsonwebtoken.verify(connectionParams.jwt || null, JWT_SECRET, (err, decoded) =>
 postJWTAuth(!err ? { id: decoded.id, device: decoded.device } : { id: null, device: null })
 .then(({ user, device }) => ({ user, device }))
- .catch(() => Promise.error('Unauthorised')),
+ .catch(() => Promise.reject(Error('Unauthorised')),
+ ),
 );
 },
 // unpack the subscription request and load it into context
From 56351c9d3a34e47081c2a5c44e3ca7de029f7b87 Mon Sep 17 00:00:00 2001
From: OSPFNeighbour
Date: Fri, 22 Jun 2018 09:49:30 +1000
Subject: [PATCH 2/3] make travis work
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index da25b558..b6144bad 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -42,7 +42,7 @@ jobs:
 language: node_js
 node_js: 6
 cache: yarn
- env: COMPONENT=server CMD=test-integration
+ env: COMPONENT=server CMD=test-integration ALLOW_ANON=true
 before_install: cd server
 script: bash ../scripts/travis-yarn.sh
 - stage: run tests and linters
From fc082bde3dc41725cf9ceb733374f276373e98f1 Mon Sep 17 00:00:00 2001
From: OSPFNeighbour
Date: Fri, 22 Jun 2018 09:52:59 +1000
Subject: [PATCH 3/3] moved to global
---
 .travis.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index b6144bad..5b392be0 100644
--- a/.travis.yml
+++ b/.travis.yml
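Review bot: The new guard only rejects when the `jwt` connection param is absent; a token that is present but invalid, expired or forged still takes the `!err ? … : { id: null, device: null }` branch and is handed to `postJWTAuth`, whose `else` path resolves to `DEFAULT_USER_ID` — so with `ALLOW_ANON` unset, sending a bad token over WebSocket yields the default user while sending no token is refused. Reject inside the verify callback too, `if (err && !process.env.ALLOW_ANON) return Promise.reject(Error('Unauthorised'));` ahead of the `postJWTAuth(...)` call, or better move the check into `postJWTAuth` itself (`if (id == null && !process.env.ALLOW_ANON) return Promise.reject(Error('Unauthorised'));`) so the HTTP and WS entry points cannot drift apart again. `connectionParams` is also dereferenced without a null check; if the subscription transport can pass `undefined` (confirm against the server library in use), `connectionParams.jwt` throws a TypeError instead of a clean rejection, which `(connectionParams || {}).jwt` avoids. The `SubscriptionServer.create({` call starts before and ends after this hunk.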
@@ -14,6 +14,8 @@ env:
 - AWS_ACCESS_KEY_ID=AKIAIJKCIEXQV7AKWAXA
 - secure: jaDeAzMUjWsjjFS43zCIYKi/z6kmzfRSs4/1vYXvSkZM/Hx2YtvHcVONdR/eZpzjv4g49Q/lRtghOjSw+I9FpE6XQgSE8BgpU2VY+55iNXKp1kviJXYAfB/OE2601Dpa8/phaRy7esNoxOCEg7rR51Y2TbSZKGLTjOVRUBl5v1JUQ8f5FbxX5lJzaorve3zALv/VKytZPT/8+8eAXKBtUDb6dm8eWHIsoEqcdl7sw+UswGCrK2dZXp0He+Qh3O1DOxXQ6lTFJF0+Chif1ag0DdOMjlfSvc6ohIGwUDS9F++YbdmEkGLbWsGkyKCwfZTSahXVW26LwgdcUD6rXHJUP+qKRz3wJfWTsOM1s0ZrQmRUsXM0p3sB+e5+pncDiPvDk+24JOLFdPI3hyTbX9fmEYOV1fzWdQ3Ju+vImtKH4HmJ68vkyutN/7TkBDskjaMaqiFOlfjiudZHGvETSFgPGu53a27MUo3uVYYEnLjOxynv0GxXvuQycPA1P4udBrJ8ppsiQ/BJF8YDq25ImfVJHTyVwKMShOPBhpUMMyI04I141dzxZS8mrO/KuNkwvUlSgbJIiHImUxnCTJWQRDAs4WC+QJwuYK2pO5MppTiAbiD0BLlidz4qztS1CKinhRtttDOlNs9EDziGYR2Jbeb+qQTQoopYydmP0nKm4bz8b4M=
+ #Allow GQL Anon (No JWT Tokens)
+ - ALLOW_ANON=true
 # list of build stages to run. Stages with the same name get run in parallel.
 jobs:
 include:
@@ -42,7 +44,7 @@ jobs:
 language: node_js
 node_js: 6
 cache: yarn
- env: COMPONENT=server CMD=test-integration ALLOW_ANON=true
+ env: COMPONENT=server CMD=test-integration
 before_install: cd server
 script: bash ../scripts/travis-yarn.sh
 - stage: run tests and linters
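Review bot: The global `ALLOW_ANON=true` now applies to every job in this file, not only the integration-test job it was scoped to in the previous patch, so any build or deploy stage defined further down (not visible here) also runs with anonymous GraphQL access switched on. Because `server/src/main.js` tests the variable with `!process.env.ALLOW_ANON`, any non-empty value enables it — a job cannot opt out by setting `ALLOW_ANON=false`, only by unsetting it. Say so next to the variable: replace the `#Allow GQL Anon (No JWT Tokens)` line with `# Test-only: any non-empty value enables anonymous GraphQL access (no JWT); must never reach a deployed environment`, or keep the flag on the test-integration job if other stages do not need it. The `env:` block this hunk edits starts before the hunk.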