forked from okdistribute/cookie-auth
index.js
var memdb = require('memdb')
var debug = require('debug')('auth')
var cookie = require('./cookie.js')
module.exports = Auth
/**
 * Default authenticator: refuses every request.
 *
 * Auth falls back to this when no `opts.authenticator` is supplied, so an
 * unconfigured instance fails closed instead of letting requests through.
 *
 * @param {object} req - incoming request (unused)
 * @param {object} res - outgoing response (unused)
 * @param {function(Error)} cb - always called with a 'not authorized' error
 */
function deny(req, res, cb) {
  function reject() {
    cb(new Error('not authorized'))
  }
  // Deferred so the callback never fires before deny() has returned.
  setImmediate(reject)
}
/**
 * Cookie-backed session authentication helper.
 *
 * @param {object} [opts] - passed as-is to ./cookie.js (its options are not
 *   visible in this file), plus the two fields below
 * @param {object} [opts.sessions] - session store; this file calls
 *   get/put/del on it with `{valueEncoding: 'json'}`. Defaults to memdb().
 *   NOTE(review): memdb is an in-memory store, so with the default, sessions
 *   presumably do not survive a restart or span processes; confirm before
 *   relying on it in production.
 * @param {function(req, res, cb)} [opts.authenticator] - decides whether a
 *   request without a valid session may log in; calls back with an error to
 *   refuse. Defaults to `deny`, which refuses everything (fail closed).
 */
function Auth(opts) {
  // Support being called without `new`.
  if (!(this instanceof Auth)) {
    return new Auth(opts)
  }
  var options = opts || {}
  this.cookie = cookie(options)
  this.sessions = options.sessions ? options.sessions : memdb()
  this.authenticator = options.authenticator ? options.authenticator : deny
}
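/**
 * Resolve the session for a request, authenticating if there is none.
 *
 * If the request carries a cookie for a stored session, that session is
 * returned. Otherwise the configured authenticator is consulted; on success
 * a new session is created through login(), on refusal the authenticator's
 * error is passed on.
 *
 * @param {object} req - incoming request
 * @param {object} res - outgoing response (login() sets the cookie on it)
 * @param {function(Error, object)} cb - called with (null, session) or (err)
 */
Auth.prototype.handle = function(req, res, cb) {
  var self = this
  // A lookup error is deliberately ignored: any failure to load a session
  // (no cookie, unknown key, store error) falls through to the
  // authenticator, so the request is never accepted on a failed lookup.
  self.getSession(req, function(lookupErr, session) {
    if (session) return cb(null, session)
    self.authenticator(req, res, function(authErr) {
      if (authErr) {
        // No session exists on this path (the early return above handled
        // the case where one does), so there is nothing to delete here.
        // The original carried an unreachable sessions.del() branch.
        debug('not authorized', authErr)
        setImmediate(function() { cb(authErr) })
        return
      }
      // Authenticator accepted the request: issue a fresh session.
      self.login(res, cb)
    })
  })
}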
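/**
 * Load the stored session named by the request's cookie.
 *
 * @param {object} req - incoming request
 * @param {function(Error, object)} cb - called with (err) when there is no
 *   cookie, the store reports an error, or the stored record is missing;
 *   otherwise with (null, {session, created, data})
 *
 * NOTE(review): `created` is returned but nothing in this file checks its
 * age, so session expiry, if any, has to be enforced by the cookie layer or
 * by the caller. Confirm that one of them does.
 */
Auth.prototype.getSession = function(req, cb) {
  var sessionKey = this.cookie.get(req)
  // No cookie: do not hand an undefined key to the store, whose behaviour
  // for that input depends on the backend.
  if (!sessionKey) {
    setImmediate(function() { cb(new Error('no session cookie')) })
    return
  }
  this.sessions.get(sessionKey, {valueEncoding: 'json'}, function(err, data) {
    if (err) return cb(err)
    // A store that reports a miss as an empty value rather than an error
    // would otherwise throw on `data.created` inside this callback, letting
    // any request with an unknown cookie crash the process.
    if (!data || typeof data !== 'object') {
      return cb(new Error('session not found'))
    }
    var resp = {session: sessionKey, created: data.created, data: data.data}
    // NOTE(review): this writes the session key, a bearer credential, and
    // the session data to the debug log whenever DEBUG enables 'auth'.
    debug('session OK', resp)
    return cb(null, resp)
  })
}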
/**
 * Create a new session, set its cookie on the response, and store it.
 *
 * Callable as login(res, cb) or login(res, data, cb).
 *
 * @param {object} res - outgoing response; cookie.create(res) is called on it
 * @param {*} [data] - caller-defined payload stored with the session
 * @param {function(Error, object)} cb - called with the store's error (if
 *   any) and {session, created, data}. The session object is passed even
 *   when the put failed, and the cookie has already been created by then.
 */
Auth.prototype.login = function(res, data, cb) {
  var self = this
  // Two-argument form: the second argument is the callback.
  var hasPayload = typeof data !== 'function'
  var done = hasPayload ? cb : data
  var payload = hasPayload ? data : undefined

  var sessionKey = self.cookie.create(res)
  var record = {
    created: new Date().toISOString(),
    data: payload
  }
  var storeOpts = {valueEncoding: 'json'}

  self.sessions.put(sessionKey, record, storeOpts, function(err) {
    // NOTE(review): this writes the new session key, a bearer credential,
    // to the debug log whenever DEBUG enables 'auth', including when the
    // put failed.
    debug('new session', sessionKey)
    done(err, {
      session: sessionKey,
      created: record.created,
      data: record.data
    })
  })
}
/**
 * Remove the stored session named by the request's cookie.
 *
 * Only the server-side record is removed; the cookie itself is untouched
 * (logout() clears it).
 *
 * @param {object} req - incoming request
 * @param {function(Error)} cb - receives the store's del() result, or is
 *   called with no arguments on a later tick when the request has no cookie
 */
Auth.prototype.delete = function(req, cb) {
  var sessionKey = this.cookie.get(req)
  if (!sessionKey) {
    // Nothing to delete; still complete asynchronously.
    setImmediate(cb)
    return
  }
  this.sessions.del(sessionKey, cb)
}
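/**
 * Log the request's session out and end the response.
 *
 * Deletes the stored session, clears the cookie, and replies with status
 * 401 and a JSON body `{error: "Unauthorized", loggedOut: true}`.
 *
 * @param {object} req - incoming request
 * @param {object} res - outgoing response; this method ends it
 * @param {function()} [cb] - called with no arguments after the response
 *   has been ended
 */
Auth.prototype.logout = function(req, res, cb) {
  var self = this
  this.delete(req, function logout(err) {
    // A failed delete does not block the logout response, but it means the
    // server-side session is still in the store and its key would still be
    // accepted if presented again. Record it instead of dropping it.
    if (err) debug('session delete failed', err)
    res.statusCode = 401
    res.setHeader('content-type', 'application/json')
    self.cookie.destroy(res)
    res.end(JSON.stringify({error: "Unauthorized", loggedOut: true}) + '\n')
    if (cb) setImmediate(cb)
  })
}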