I am trying to get this route to work
items/images/myimg.jpg
It responses 404 but work with
items/images/myimg
Also works with
items/images/myimg.jpg/
I tried the following router configuration
'get /items/images/:imageName': {
action: 'items/images/find',
skipAssets: true,
}
EDIT:
If I set skipAssets: false then the response will be unauthorized. I have the following ACL
'*': false,
'items/images/find': 'isLoggedIn',
In the isLoggedIn.js policy the req.session is undefined even when the user has a valid session.
if I set 'items/images/find': true it will work but I want access control for this route.
The route should be set like this:
'get /items/images/:imageName': {
action: 'items/images/find',
skipAssets: false,
}
This method should be added to config/session.js:
isSessionDisabled: function (req){
// Allow session for all item image requests.
if (req.path.match(/^\/items\/images\//) {
return false;
}
// Otherwise, disable session for all requests that look like assets.
return !!req.path.match(req._sails.LOOKS_LIKE_ASSET_RX);
}
More can be read about this here:
https://github.com/balderdashy/sails/issues/4216#issuecomment-337613995
Related
I'm using gapi.analytics for Embed API and I'm verifying the authentication using the below code in gapi.analytics.ready function.
if (gapi.analytics.auth.isAuthorized()) {
onAuthorize();
} else {
gapi.analytics.auth.on('success', onAuthorize);
}
but gapi.analytics.auth.isAuthorized() is always returning false on page load.
How I can fix this?
You can do it this way:
gapi.analytics.auth.on('needsAuthorization', function() {
console.log('User is not Authorized!');
});
When invoking the gapi.analytics.auth.authorize method, an initial check is made to see if the user is currently signed in. If the user is not signed in, this event is fired to indicate that further authorization is required.
I'm trying to implement the basic Passport integration in SailsJS. In my policies.js file, I have the default settings that every tutorial mentions.
'*': ['passport', 'sessionAuth'],
'auth': {
'*': ['passport']
}
My issue is that going to the main page localhost:1337/ doesn't seem to get passed through either policy. If I just set false there, everything still works. If I set false on the auth object for '*' though, I will get Forbidden on any /auth/* route. So, the policies seem to work, I just don't understand why the default catch-all doesn't. Thanks.
Do you use a controller or do you directly serve a view like in the sample homepage?
If you are serving the view directly with something similar to this:
// in config/routes.js
module.exports.routes = {
'/': {
view: 'homepage'
}
}
then you will have to modify it and use a controller in order to te able to use policies.
Create a route to a controller instead of a view:
// in config/routes.js
module.exports.routes = {
// Delete the previous definition and declare a route
// to a controller "index"
'get /': 'indexController.home'
}
Create the controller:
// in api/controllers/IndexController.js
module.exports = {
home: function (req, res) {
// Render the view located in "views/homepage.ejs"
res.view('homepage');
}
};
Then you will be able to manage the policies to apply to the controller index in the file config/policies.js.
I am trying to implement user authentication in my sails app.. But I am encountering a problem in different controllers that their action are being called twice.. I have checked from my browser and the request is only being sent once.. Here is an example..
// api/controllers/AuthController.js
...
logout: function (req, res) {
console.log("Loggin out");
req.logOut();
res.json({message: 'Logged out succesfully'});
},
...
Following is my config/routes.js file. (using get for many action just for sake of ease for testing api..)
module.exports.routes = {
// By default, your root route (aka home page) points to a view
// located at `views/home/index.ejs`
//
// (This would also work if you had a file at: `/views/home.ejs`)
'/': {
view: 'home/index'
},
// testing the api
'get /users/check' : 'UserController.test',
'get /login' : 'AuthController.process',
'get /logout' : 'AuthController.logout',
'get /signup': 'UserController.add',
'get /verify/username/:username?' : 'UserController.checkUsername',
'get /verify/email/:email?' : 'UserController.checkEmail',
// add friend
'get /:user?/addfriend': 'FriendController.addFriend',
// accept request
'get /:user?/friendrequest/:request?/accept': 'FriendController.acceptRequest',
};
I have applied the isAuthenticated policy on this action.. which is like
module.exports = function(req, res, next) {
if(req.isAuthenticated()) {
console.log("Valid User");
return next();
}
else {
console.log("User not logged in");
return res.json({error: "Please login"});
}
};
No whenever I call <myhost>/logout I get the following json back..
{
"error": "Please login"
}
and here is the output on the server..
Valid User
Loggin out
User not logged in
This means that my controller's action is being called twice.. and this is not the problem with only this controller. The UserController.add action has the same problem. I seem to be doing every thing fine but I don't know where this problem is coming from. Can any one suggest how can I debug it . Or what could be the root of the problem. As far as I have check..
Browser is not sending the request twice.
The Controller's action is being called twice and so are the middleware assosiated with it.
Oh i have the same Problem a few weeks ago.
Sails also call the middleware on static files (like your styles.css). Console.log the req-object than you see what your browser requested.
There a two Ways to handle this Problem:
1.) Try to set skipAssets: true in your route (see: http://beta.sailsjs.org/#/documentation/concepts/Routes/RouteTargetSyntax.html)
2.) In your policy add an if-condition to skip assets (like ".js", ".css" and so on).
I'm trying to use the routes.js to define a route to '/account'.
I want whoever is trying to access that path to go through the UserController and the checkLogin action and if the security check passes, then the user should be rendered with the defined view which is home/account
Here is my code:
routes.js:
'/account': {
controller: 'UserController',
action: 'checkLogin',
view: 'home/account'
}
policies.js:
UserController: {
'*': 'isAuthenticated',
'login': true,
'checkLogin': true
}
It let's me view /account without going through the isAuthenticated policy check for some reason.
There looks to be a little confusion here as to how policies, controllers and views work. As #bredikhin notes above, your controller will never be called because the route is being bound to a view. It's also important to note that policies cannot be bound to views, only to controllers. The correct setup should be something like:
In config/routes.js:
'/account': 'UserController.account'
In config/policies.js:
UserController: {
'*': 'isAuthenticated' // will run on all UserController actions
// or
'account': 'isAuthenticated' // will run just on account action
}
In api/policies/isAuthenticated.js:
module.exports = function(req, res, next) {
// Your auth code here, returning next() if auth passes, otherwise
// res.forbidden(), or throw error, or redirect, etc.
}
In api/controllers/UserController.js:
module.exports = {
account: function(req, res) {
res.view('home/account');
}
}
To put it short: either controller/action-style or view-style routing should be used within the same route in routes.js, not both simultaneously.
According to the router's source code, once there is a view property in a route object, binding stops, so basically Sails never knows to which controller your /account path should be routed, which means that your UserController-specific policy config never fires.
So, just remove the view property from the route, you can always specify the view path (if you want a non-standard one) with explicit rendering from within your action.
For statics work with policies, you can set your route with controller and action:
'GET /login': 'AuthController.index',
And set view/layout in your controller:
index: function (req, res) {
res.view('auth/login', { layout: 'path/layout' } );
},
I'm trying to get geolocation inside a webview in a Chrome Packaged App, in order to run my application properly. I've tried several ways to get the permission in manifest.json and injecting scripts, but it doesn't work and doesn't show any error message.
Could someone give me a light or a solution to get permission and show my geolocation?
Some features that usually require permissions in a normal web page are also available in a webview. However, instead of the normal popup "the website xyz.com wants to know your physical location - allow / deny", the app that contains the webview needs to explicitly authorize it. Here is how it works:
No need to change the web page inside the webview;
In the app, you listen for permissionrequest events on the <webview> element:
webview.addEventListener('permissionrequest', function(e) {
if ( e.permission === 'geolocation' ) {
e.request.allow();
} else {
console.log('Denied permission '+e.permission+' requested by webview');
e.request.deny();
}
});
One thing to note is that the request doesn't need to be handled immediately. You can do whatever you need to do before allowing or denying, as long as you call preventDefault in the permissionrequest event and keep the event object from being garbage collected. This is useful if you need to do any async operation, like going to a storage to check if the URL requesting a permission should be allowed or not.
For example:
webview.addEventListener('permissionrequest', function(e) {
if ( e.permission === 'geolocation' ) {
// Calling e.preventDefault() is necessary to delay the response.
// If the default is not prevented then the default action is to
// deny the permission request.
e.preventDefault();
setTimeout(function() { decidePermission(e); }, 0);
}
});
var decidePermission = function(e) {
if (e.url == 'http://www.google.com') {
e.request.allow();
}
// Calling e.request.deny() explicitly is not absolutely necessary because
// the request object is managed by the Javascript garbage collector.
// Once collected, the request will automatically be denied.
// If you wish to deny immediately call e.request.deny();
}
Also note that your app needs to also request the respective permission:
"permissions": ["geolocation"],
The webview sample has more code for other permissions, like pointerLock and media capture.
A bit more detail:
The response does not need to be made immediately as long as you preventDefault(). The default action is to deny the permission request.
webview.addEventListener('permissionrequest', function(e) {
if ( e.permission === 'geolocation' ) {
// Calling e.preventDefault() is necessary to delay the response.
// If the default is not prevented then the default action is to
// deny the permission request.
e.preventDefault();
setTimeout(function() { decidePermission(e); }, 0);
}
});
var decidePermission = function(e) {
if (e.url == 'http://www.google.com') {
e.request.allow();
}
// Calling e.request.deny() explicitly is not absolutely necessary because
// the request object is managed by the Javascript garbage collector.
// Once collected, the request will automatically be denied.
// If you wish to deny immediately call e.request.deny();
}