How to check for admin auth in dynamic hook? #9

Open
inator opened this issue Dec 1, 2014 · 5 comments

Comments

inator commented Dec 1, 2014

@janl or anyone who might know:

How might I ensure that my plugin dynamic.js hook "api" can only be executed by an authenticated admin? I'd like to allow for some POSTs/GETs from the admin dashboard only.

module.exports = function (hoodie) {
    return {
        // Dynamic hook: hoodie-server hands every request under
        // /_api/_plugins/plugin_name/_api to this handler.
        'server.api.plugin-request': function (request, reply) {
            // Strip the plugin prefix so only the sub-route remains, e.g. '/route1'.
            var pluginRoute = request.path.replace('/_api/_plugins/plugin_name/_api', '');

            // Route on the remaining path.
            switch (pluginRoute) {
                case '/route1':
                    // do something here with hoodie, but only if the caller is an admin
                    return reply('success'); // for testing
                default:
                    return reply('bad route');
            }
        }
    };
};
janl (Contributor) commented Dec 1, 2014

heya @inator this “isn’t supported” at this point, but you could do it yourself:

Parse the bearer token in the incoming request, match it against the CouchDB admin user, if it fails, deny the request. See hoodie-server/lib/server/plugins/api/index.js for how bearer tokens work.

inator (Author) commented Dec 1, 2014

Thanks @jan! I can read the bearer token from the request object with no problem, but where do I get the current admin user's issued token for comparison?

inator (Author) commented Dec 1, 2014

@janl - While trying to be resourceful in the absence of your great advice, I hit up the #couchdb IRC channel:

[14:32:07]  <+rnewson>  I think inator is asking how to find the username of a user from the session cookie
[14:32:10]  <+rnewson>  and the answer is you can't
[14:32:29]  <+rnewson>  couchdb knows, of course, because it can decode the cookie data
[14:32:45]  <+rnewson>  I guess you could pass it to /_session in a separate request.
[14:33:20]  <inator>    +rnewson:  Thanks... can you explain that?  (pass it to _session)
[14:33:55]  <inator>    Are suggesting that I can set my own cookie with the results of a GET to /_session?
[14:34:58]  <+rnewson>  I'm saying you could find out the username by making a request with the cookie header to _session (separate from the request you are inspecting)

I'm at a bit of a loss on how to pull this off, but I'm thinking that I could use Node's built-in https.request method and somehow inject the cookie headers in a separate request to /_session. Is there some easier way? Is this even relevant as it relates to the use of bearer tokens?

janl (Contributor) commented Dec 3, 2014

maybe @michielbdejong can chime in to explain the bearer token magic

michielbdejong commented
I think:

For normal requests that go to CouchDB, the bearer token on an incoming request is made into a cookie at the hapi layer, before the request gets passed on to CouchDB, and if CouchDB sets a cookie on the response, then this is made into a bearer token at the hapi layer.

The bearer tokens are only relevant for the communication between the client and hapi. For the communication between hapi and CouchDB, the cookie is used.

To restrict a database action only to admins, you should keep that entirely inside CouchDB, I think. Your API layer can just pass on the request, and if there is no valid logged-in user then CouchDB will reject it.

To restrict an action that would not normally go to CouchDB, sounds like you would have to make a request to CouchDB first, yes. This was already true before the switch to bearer tokens: only CouchDB knows if a token/cookie is a valid session, the hapi layer by itself has no persistence of that info. At least that's how I remember it. :) HTH!
