add token authentication, only admin can use api

.meteor/packages

@@ -77,3 +77,4 @@ simple:json-routes
 rajit:bootstrap3-datepicker
 kadira:flow-router
 shell-server@0.2.3
+simple:rest-accounts-password

.meteor/versions

@@ -134,7 +134,11 @@ service-configuration@1.0.11
 session@1.1.7
 sha@1.0.9
 shell-server@0.2.3
+simple:authenticate-user-by-token@1.0.1
 simple:json-routes@2.1.0
+simple:rest-accounts-password@1.1.2
+simple:rest-bearer-token-parser@1.0.1
+simple:rest-json-error-handler@1.0.1
 softwarerero:accounts-t9n@1.3.9
 spacebars@1.0.15
 spacebars-compiler@1.1.2

models/boards.js

@@ -557,6 +557,7 @@ if (Meteor.isServer) {
 //BOARDS REST API
 if (Meteor.isServer) {
   JsonRoutes.add('GET', '/api/boards', function (req, res, next) {
+    Authentication.checkUserId(req.userId);
     JsonRoutes.sendResult(res, {
       code: 200,
       data: Boards.find({ permission: 'public' }).map(function (doc) {
@@ -569,6 +570,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('GET', '/api/boards/:id', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const id = req.params.id;
     JsonRoutes.sendResult(res, {
       code: 200,
@@ -577,6 +579,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('POST', '/api/boards', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const id = Boards.insert({
       title: req.body.title,
       members: [
@@ -599,6 +602,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('DELETE', '/api/boards/:id', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const id = req.params.id;
     Boards.remove({ _id: id });
     JsonRoutes.sendResult(res, {

models/cardComments.js

@@ -84,6 +84,7 @@ if (Meteor.isServer) {
 //CARD COMMENT REST API
 if (Meteor.isServer) {
   JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/comments', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramBoardId = req.params.boardId;
     const paramCardId = req.params.cardId;
     JsonRoutes.sendResult(res, {
@@ -99,6 +100,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/comments/:commentId', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramBoardId = req.params.boardId;
     const paramCommentId = req.params.commentId;
     const paramCardId = req.params.cardId;
@@ -109,6 +111,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('POST', '/api/boards/:boardId/cards/:cardId/comments', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramBoardId = req.params.boardId;
     const paramCardId = req.params.cardId;
     const id = CardComments.insert({
@@ -126,6 +129,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('DELETE', '/api/boards/:boardId/cards/:cardId/comments/:commentId', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramBoardId = req.params.boardId;
     const paramCommentId = req.params.commentId;
     const paramCardId = req.params.cardId;

models/cards.js

@@ -373,6 +373,7 @@ if (Meteor.isServer) {
 //LISTS REST API
 if (Meteor.isServer) {
   JsonRoutes.add('GET', '/api/boards/:boardId/lists/:listId/cards', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramBoardId = req.params.boardId;
     const paramListId = req.params.listId;
     JsonRoutes.sendResult(res, {
@@ -388,6 +389,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('GET', '/api/boards/:boardId/lists/:listId/cards/:cardId', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramBoardId = req.params.boardId;
     const paramListId = req.params.listId;
     const paramCardId = req.params.cardId;
@@ -398,6 +400,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('POST', '/api/boards/:boardId/lists/:listId/cards', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramBoardId = req.params.boardId;
     const paramListId = req.params.listId;
     const id = Cards.insert({
@@ -418,6 +421,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('DELETE', '/api/boards/:boardId/lists/:listId/cards/:cardId', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramBoardId = req.params.boardId;
     const paramListId = req.params.listId;
     const paramCardId = req.params.cardId;

models/checklists.js

@@ -177,6 +177,7 @@ if (Meteor.isServer) {
 //CARD COMMENT REST API
 if (Meteor.isServer) {
   JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/checklists', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramCardId = req.params.cardId;
     JsonRoutes.sendResult(res, {
       code: 200,
@@ -190,6 +191,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/checklists/:checklistId', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramChecklistId = req.params.checklistId;
     const paramCardId = req.params.cardId;
     JsonRoutes.sendResult(res, {
@@ -199,6 +201,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('POST', '/api/boards/:boardId/cards/:cardId/checklists', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramCardId = req.params.cardId;
 
     const checklistToSend = {};
@@ -221,6 +224,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('DELETE', '/api/boards/:boardId/cards/:cardId/checklists/:checklistId', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramCommentId = req.params.commentId;
     const paramCardId = req.params.cardId;
     Checklists.remove({ _id: paramCommentId, cardId: paramCardId });

models/lists.js

@@ -132,6 +132,7 @@ if (Meteor.isServer) {
 //LISTS REST API
 if (Meteor.isServer) {
   JsonRoutes.add('GET', '/api/boards/:boardId/lists', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramBoardId = req.params.boardId;
     JsonRoutes.sendResult(res, {
       code: 200,
@@ -145,6 +146,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('GET', '/api/boards/:boardId/lists/:listId', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramBoardId = req.params.boardId;
     const paramListId = req.params.listId;
     JsonRoutes.sendResult(res, {
@@ -154,6 +156,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('POST', '/api/boards/:boardId/lists', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramBoardId = req.params.boardId;
     const id = Lists.insert({
       title: req.body.title,
@@ -168,6 +171,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('DELETE', '/api/boards/:boardId/lists/:listId', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const paramBoardId = req.params.boardId;
     const paramListId = req.params.listId;
     Lists.remove({ _id: paramListId, boardId: paramBoardId });

models/users.js

@@ -528,6 +528,7 @@ if (Meteor.isServer) {
 // USERS REST API
 if (Meteor.isServer) {
   JsonRoutes.add('GET', '/api/users', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     JsonRoutes.sendResult(res, {
       code: 200,
       data: Meteor.users.find({}).map(function (doc) {
@@ -536,6 +537,7 @@ if (Meteor.isServer) {
     });
   });
   JsonRoutes.add('GET', '/api/users/:id', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const id = req.params.id;
     JsonRoutes.sendResult(res, {
       code: 200,
@@ -543,6 +545,7 @@ if (Meteor.isServer) {
     });
   });
   JsonRoutes.add('POST', '/api/users/', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const id = Accounts.createUser({
       username: req.body.username,
       email: req.body.email,
@@ -558,6 +561,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('DELETE', '/api/users/:id', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const id = req.params.id;
     Meteor.users.remove({ _id: id });
     JsonRoutes.sendResult(res, {

server/authentication.js

@@ -0,0 +1,21 @@
+Meteor.startup(() => {
+  Authentication = {};
+
+  Authentication.checkUserId = function (userId) {
+    if (userId === undefined) {
+      const error = new Meteor.Error('Unauthorized', 'Unauthorized');
+      error.statusCode = 401;
+      throw error;
+    }
+    const admin = Users.findOne({ _id: userId, isAdmin: true });
+
+    if (admin === undefined) {
+      const error = new Meteor.Error('Forbidden', 'Forbidden');
+      error.statusCode = 403;
+      throw error;
+    }
+
+  };
+
+});
+