/*
* GPII Untrusted Settings Put Handler
*
* Copyright 2017 OCAD University
*
* Licensed under the New BSD license. You may not use this file except in
* compliance with this License.
*
* You may obtain a copy of the License at
* https://github.com/GPII/universal/blob/master/LICENSE.txt
*/
"use strict";
var fluid = require("infusion"),
gpii = fluid.registerNamespace("gpii");
// Request handler grade for PUT requests that update preferences. The update is applied only after the
// access token carried in the request's "Authorization" header has been verified and found to grant the
// requesting client the privilege to update.
fluid.defaults("gpii.flowManager.cloudBased.untrustedSettings.put.handler", {
    gradeNames: ["kettle.request.http"],
    invokers: {
        handleRequest: {
            funcName: "gpii.flowManager.cloudBased.untrustedSettings.put.handleRequest",
            // Positional arguments, in the order of the handler function's parameters.
            args: [
                "{flowManager}.preferencesDataSource",
                "{request}",
                // The next two values are supplied by the client: a route parameter and the request body.
                "{request}.req.params.userToken",
                "{request}.req.body",
                "{gpii.flowManager.cloudBased.oauth2}.authGrantFinder"
            ]
        }
    }
});
// Fixed message text that handleRequest places in the payload fired with the request's onSuccess event.
gpii.flowManager.cloudBased.untrustedSettings.put.messages = {
    success: "Successfully updated."
};
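/**
 * Handles a PUT request that updates the preferences set stored for a user token.
 *
 * The update is applied only when the authorization resolved for the request exists, is bound to the same
 * token as the one named in the request (authorization.gpiiToken === userToken), and carries the
 * allowUntrustedSettingsPut flag. Both a failed check and a rejected authorization lookup fire the same
 * gpii.oauth2.errors.unauthorized error; the reason is only written to the log.
 *
 * @param {Object} preferencesDataSource - Data source whose get(directModel) and
 *     set(directModel, model, options) return promises.
 * @param {Object} request - The request component; its req member is passed to
 *     gpii.oauth2.getAuthorization and its onSuccess/onError events deliver the outcome.
 * @param {String} userToken - The token named by the client in the request (wired from req.params.userToken).
 * @param {Object} preferences - The request body, merged over the stored preferences set.
 * @param {Object} authGrantFinder - Passed through to gpii.oauth2.getAuthorization.
 */
gpii.flowManager.cloudBased.untrustedSettings.put.handleRequest = function (preferencesDataSource, request, userToken, preferences, authGrantFinder) {
    var authorizationPromise = gpii.oauth2.getAuthorization(request.req, authGrantFinder);

    authorizationPromise.then(function (authorization) {
        var isAuthorized = authorization && authorization.gpiiToken === userToken && authorization.allowUntrustedSettingsPut;

        if (!isAuthorized) {
            // userToken is caller-supplied and has not been matched to any authorization on this path, so it
            // is serialised with JSON.stringify before being written: control characters are escaped and
            // cannot split or forge log lines.
            fluid.log("CloudBased flowManager: unauthorized PUT request at /untrusted-settings due to one of these reasons: " +
                "1. authorization record is missing; " +
                "2. gpiiToken associated with the authorization does not match the in-used token " + JSON.stringify(userToken) + "; " +
                "3. the access token is unauthorized for using PUT method at /untrusted-settings endpoint.");
            request.events.onError.fire(gpii.oauth2.errors.unauthorized);
            return;
        }

        // TODO: Verify the received preferences with metadata to make sure they are the ones that are allowed to be updated.
        // This is not supported at the first release of PSP.
        // Until then the request body is merged into the stored set without any check on its keys or values.
        var directModel = {
            userToken: userToken
        };

        // Read the current preferences set first; a rejected read means there is nothing to update and the
        // error is passed on to the client.
        var queryPromise = preferencesDataSource.get(directModel);
        queryPromise.then(function (origPreferences) {
            var targetPreferences = fluid.merge("replace", origPreferences, preferences);

            // Call the preferences server endpoint to update preferences.
            var updatePromise = preferencesDataSource.set(directModel, targetPreferences, { writeMethod: "PUT" });

            // NOTE(review): this line records the user token together with the complete merged preferences
            // set; confirm that is acceptable for where these logs are stored and who can read them.
            fluid.log("The preferences set for the key (", userToken, ") is being updated to: ", targetPreferences);

            updatePromise.then(function (response) {
                // The default success response from the preferences server contains the updated preferences;
                // only the userToken and a fixed message are fired to the client.
                request.events.onSuccess.fire({
                    userToken: response.userToken,
                    message: gpii.flowManager.cloudBased.untrustedSettings.put.messages.success
                });
            }, request.events.onError.fire);
        }, function (error) {
            request.events.onError.fire(error);
        });
    }, function (error) {
        // The underlying error is logged but not returned: the client only sees the generic unauthorized error.
        fluid.log("CloudBased flowManager: PUT request at /untrusted-settings failed with error ", error);
        request.events.onError.fire(gpii.oauth2.errors.unauthorized);
    });
};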