Merge branch 'master' into reject-username

client/coral-framework/actions/auth.js

@@ -96,7 +96,13 @@ export const logout = () => async (
   _,
   { rest, client, pym, localStorage }
 ) => {
-  await rest('/auth', { method: 'DELETE' });
+  try {
+    await rest('/auth', { method: 'DELETE' });
+  } catch (err) {
+    // We ignore any REST related errors from the delete action, which may/may
+    // not have had a cookie/token attached to it. The logout action was still
+    // called, so we still want to cleanup.
+  }
 
   // Clear the auth data persisted to localStorage.
   cleanAuthData(localStorage);

middleware/authorization.js

@@ -40,15 +40,15 @@ authorization.has = (user, ...roles) => {
  * @return {Callback}    connect middleware
  */
 authorization.needed = (...roles) => [
-  // Insert the pre-needed middlware.
+  // Insert the pre-needed middleware.
   ...authorization.middleware,
 
   // Insert the actual middleware to check for the required role.
   (req, res, next) => {
-    // All routes that are wrapepd with this middleware actually require a role.
+    // All routes that are wrapped with this middleware actually require a role.
     if (!req.user) {
-      debug(`No user on request, returning with ${ErrNotAuthorized}`);
-      return next(ErrNotAuthorized);
+      debug(`No user on request, returning with ErrNotAuthorized`);
+      return next(new ErrNotAuthorized());
     }
 
     // Check to see if the current user has all the roles requested for the given
@@ -56,7 +56,7 @@ authorization.needed = (...roles) => [
     // evaluate to true.
     if (!authorization.has(req.user, ...roles)) {
       debug('User does not have all the required roles to access this page');
-      return next(ErrNotAuthorized);
+      return next(new ErrNotAuthorized());
     }
 
     // Looks like they're allowed!