krikkert/habitica
1
0
Fork 0
mirror of https://github.com/HabitRPG/habitica.git synced 2025-12-17 22:57:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

Preparatory Work for Smaller user doc (WIP) (#10245)

Browse Source 
* protect all paths in user.pre(save using this.isDirectSelected to see if a field is available

* fix linting

* authWithHeaders: specify user fields to exclude instead of the ones to include, add comments, doc and improve test

* add more options to unit helper generateReq and add tests for excluding fields in authWithHeaders
This commit is contained in:
Matteo Pagliazzi
2018-04-12 21:17:47 +02:00
committed by GitHub
parent ace02893e5
commit 1ea9be8aa2
6 changed files with 90 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
website/server/middlewares/auth.js
View File

@@ -9,13 +9,22 @@ import url from 'url';
const COMMUNITY_MANAGER_EMAIL = nconf.get('EMAILS:COMMUNITY_MANAGER_EMAIL');
function getUserFields (userFieldProjection, req) {
if (userFieldProjection) return `notifications ${userFieldProjection}`;
function getUserFields (userFieldsToExclude, req) {
// A list of user fields that aren't needed for the route and are not loaded from the db.
// Must be an array
if (userFieldsToExclude) {
return userFieldsToExclude.map(field => {
return `-${field}`; // -${field} means exclude ${field} in mongodb
}).join(' ');
}
// Allows GET requests to /user to specify a list of user fields to return instead of the entire doc
// Notifications are always included
const urlPath = url.parse(req.url).pathname;
if (!req.query.userFields || urlPath !== '/user') return '';
const userFields = req.query.userFields;
if (!userFields || urlPath !== '/user') return '';
const userFieldOptions = req.query.userFields.split(',');
const userFieldOptions = userFields.split(',');
if (userFieldOptions.length === 0) return '';
return `notifications ${userFieldOptions.join(' ')}`;
@@ -25,7 +34,7 @@ function getUserFields (userFieldProjection, req) {
// Authenticate a request through the x-api-user and x-api key header
// If optional is true, don't error on missing authentication
export function authWithHeaders (optional = false, userFieldProjection = '') {
export function authWithHeaders (optional = false, options = {}) {
return function authWithHeadersHandler (req, res, next) {
let userId = req.header('x-api-user');
let apiToken = req.header('x-api-key');
@@ -40,8 +49,8 @@ export function authWithHeaders (optional = false, userFieldProjection = '') {
apiToken,
};
const fields = getUserFields(userFieldProjection, req);
const findPromise = fields ? User.findOne(userQuery, fields) : User.findOne(userQuery);
const fields = getUserFields(options.userFieldsToExclude, req);
const findPromise = fields ? User.findOne(userQuery).select(fields) : User.findOne(userQuery);
return findPromise
.exec()