Add the concept of require_fresh_login to both the backend and frontend. Sensitive methods will now be marked with the annotation, which requires that the user has performed a login within 10 minutes or they are asked to do so in the UI before running the operation again.

2014-09-04 14:24:20 -04:00 · 2014-09-04 14:24:20 -04:00 · e783df31e0
commit e783df31e0
parent 1e7e012b92
9 changed files with 174 additions and 61 deletions
--- a/static/js/app.js
+++ b/static/js/app.js
@ -713,7 +713,7 @@ quayApp = angular.module('quay', quayDependencies, function($provide, cfpLoading
      return config;
    }]);

-    $provide.factory('ApiService', ['Restangular', function(Restangular) {
+  $provide.factory('ApiService', ['Restangular', '$q', function(Restangular, $q) {
      var apiService = {};

      var getResource = function(path, opt_background) {
@ -810,6 +810,65 @@ quayApp = angular.module('quay', quayDependencies, function($provide, cfpLoading
        }
      };

+      var freshLoginFailCheck = function(opName, opArgs) {
+        return function(resp) {
+          var deferred = $q.defer();
+          
+          // If the error is a fresh login required, show the dialog.
+          if (resp.status == 401 && resp.data['error_type'] == 'fresh_login_required') {
+            bootbox.dialog({
+              "message": 'It has been more than a few minutes since you last logged in, ' +
+                'so please verify your password to perform this sensitive operation:' + 
+                '<form style="margin-top: 10px" action="javascript:void(0)">' +
+                '<input id="freshPassword" class="form-control" type="password" placeholder="Current Password">' + 
+                '</form>',
+              "title": 'Please Verify',
+              "buttons": {
+                "verify": {
+                  "label": "Verify",
+                  "className": "btn-success",
+                  "callback": function() {
+                    var info = {
+                      'password': $('#freshPassword').val()
+                    };
+
+                    $('#freshPassword').val('');
+
+                    // Conduct the sign in of the user.
+                    apiService.verifyUser(info).then(function() {
+                      // On success, retry the operation. if it succeeds, then resolve the
+                      // deferred promise with the result. Otherwise, reject the same.
+                      apiService[opName].apply(apiService, opArgs).then(function(resp) {
+                        deferred.resolve(resp);
+                      }, function(resp) {
+                        deferred.reject(resp);
+                      });
+                    }, function(resp) {
+                      // Reject with the sign in error.
+                      deferred.reject({'data': {'message': 'Invalid verification credentials'}});
+                    });
+                  }
+                },
+                "close": {
+                  "label": "Cancel",
+                  "className": "btn-default",
+                  "callback": function() {
+                    deferred.reject(resp);
+                  }
+                }
+              }
+            });
+
+            // Return a new promise. We'll accept or reject it based on the result
+            // of the login.
+            return deferred.promise;
+          }
+
+          // Otherwise, we just 'raise' the error via the reject method on the promise.
+          return $q.reject(resp);
+        };
+      };
+
      var buildMethodsForOperation = function(operation, resource, resourceMap) {
        var method = operation['method'].toLowerCase();
        var operationName = operation['nickname'];
@ -823,7 +882,15 @@ quayApp = angular.module('quay', quayDependencies, function($provide, cfpLoading
              'ignoreLoadingBar': true
            });
          }
-          return one['custom' + method.toUpperCase()](opt_options);
+          
+          var opObj = one['custom' + method.toUpperCase()](opt_options);
+
+          // If the operation requires_fresh_login, then add a specialized error handler that
+          // will defer the operation's result if sudo is requested.
+          if (operation['requires_fresh_login']) {
+            opObj = opObj.catch(freshLoginFailCheck(operationName, arguments));
+          }
+          return opObj;
        };

        // If the method for the operation is a GET, add an operationAsResource method.
@ -3923,9 +3990,11 @@ quayApp.directive('billingOptions', function () {

      var save = function() {
        $scope.working = true;
+
+        var errorHandler = ApiService.errorDisplay('Could not change user details');
        ApiService.changeDetails($scope.organization, $scope.obj).then(function(resp) {
          $scope.working = false;
-        });
+        }, errorHandler);
      };

      var checkSave = function() {
@ -5699,11 +5768,10 @@ quayApp.run(['$location', '$rootScope', 'Restangular', 'UserService', 'PlanServi

  // Handle session expiration.
  Restangular.setErrorInterceptor(function(response) {
-    if (response.status == 401) {
-      if (response.data['session_required'] == null || response.data['session_required'] === true) {
-        $('#sessionexpiredModal').modal({});
-        return false;
-      }
+    if (response.status == 401 && response.data['error_type'] == 'invalid_token' &&
+        response.data['session_required'] !== false) {
+      $('#sessionexpiredModal').modal({});
+      return false;
    }

    if (response.status == 503) {