RequireAdmin on userService

[cloudlena]

I followed the guides on http://docs.feathersjs.com/authorization/readme.html. Doing so, I created a userService which provides the /api/users endpoint. I'm trying to make it a secure endpoint using

userService.before({
  find: [auth.requireAdmin]
  remove: [auth.requireAdmin],
  create: [auth.requireAdmin, authHooks.hashPassword('password')]
});

where auth is an instance of the Auth class:

class Auth {

  requireAuth(hook) {
    if (!hook.params.user) {
      throw new Error('You must be logged in to do that.');
    }
  }

  requireAdmin(hook) {
    if (!hook.params.user) {
      throw new Error('You must be logged in to do that.');
    }
    if (!hook.params.user.admin) {
      throw new Error('Only admins can do that.');
    }
  }

}

When I'm trying to POST to the /api/# endpoint, the server runs into a 500 error and sends the following as a response to my request:

{
  "hook": {
    "params": {
      "internal": true,
      "query": {
        "username": "my-username"
      }
    },
    "method": "find",
    "type": "before"
  }
}

If I remove the find: [auth.requireAdmin] on userService, it works fine. Does that mean that I cannot put an ACL onto the GET /api/users endpoint? I think it's not a good idea to have this endpoint open because it would mean that anybody could look up my user list...

[cloudlena]

So I just learned about the restrictToSelf(idProp) method described here: http://docs.feathersjs.com/authorization/bundled-hooks.html#restricttoselfidprop. However, this doesn't seem to solve my problem... My hooks on the userService now look as follows:

userService.before({
  find: [authHooks.restrictToSelf()],
  get: [authHooks.restrictToSelf()],
  remove: [auth.requireAdmin],
  create: [
    auth.requireAdmin,
    authHooks.hashPassword(),
    authHooks.toLowerCase('username')
  ],
  update: [
    auth.requireAdmin,
    authHooks.hashPassword(),
    authHooks.toLowerCase('username')
  ],
  patch: [
    auth.requireAdmin,
    authHooks.hashPassword(),
    authHooks.toLowerCase('username')
  ]
});

but I'm still having the issue described above...

[marshallswain]

The solution to this is probably to update the hooks with a check for a hook.params.provider. If there's no provider then it's an internal call. I won't be able to get to this for a while. @mastertinner If you want to give it a shot, I'd really appreciate any feedback you can provide on how it works.

[marshallswain]

I got some time to look at this tonight and implemented a fix. Please try it out. I'm trying not to change this much since there's a big rewrite underway, but it's not really usable if you can't lock down your user service. :)

[marshallswain]

Reopening for docs and tests.

[cloudlena]

Thanks a lot for the quick reply and fix, @marshallswain! I saw that you only fixed the requireAuth hook so i took the liberty of applying the same fix for queryWithUserId, setUserId, requireAdminToSetAdmin and restrictToSelf in #39.

[ekryski]

This is now documented at http://docs.feathersjs.com/authorization/bundled-hooks.html. I'm going to close as we have another issue as a reminder to add more tests for things like this.