2021-10-23 10:35:13 +02:00
|
|
|
const basicAuth = require("express-basic-auth");
|
2021-07-27 19:47:13 +02:00
|
|
|
const passwordHash = require("./password-hash");
|
|
|
|
const { R } = require("redbean-node");
|
2021-08-02 18:08:46 +02:00
|
|
|
const { setting } = require("./util-server");
|
2023-06-25 22:49:49 +02:00
|
|
|
const { log } = require("../src/util");
|
2023-02-15 22:53:49 +01:00
|
|
|
const { loginRateLimiter, apiRateLimiter } = require("./rate-limiter");
|
2023-02-15 01:39:29 +01:00
|
|
|
const { Settings } = require("./settings");
|
|
|
|
const dayjs = require("dayjs");
|
2021-07-27 18:52:31 +02:00
|
|
|
|
|
|
|
/**
|
2022-04-20 20:56:40 +02:00
|
|
|
* Login to web app
|
2023-08-11 09:46:41 +02:00
|
|
|
* @param {string} username Username to login with
|
|
|
|
* @param {string} password Password to login with
|
|
|
|
* @returns {Promise<(Bean|null)>} User or null if login failed
|
2021-07-27 18:52:31 +02:00
|
|
|
*/
|
|
|
|
exports.login = async function (username, password) {
|
2022-03-29 11:38:48 +02:00
|
|
|
if (typeof username !== "string" || typeof password !== "string") {
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
2023-01-01 15:19:00 +01:00
|
|
|
let user = await R.findOne("user", " username = ? AND active = 1 ", [
|
2021-07-27 19:47:13 +02:00
|
|
|
username,
|
2021-10-23 10:35:13 +02:00
|
|
|
]);
|
2021-07-27 18:52:31 +02:00
|
|
|
|
|
|
|
if (user && passwordHash.verify(password, user.password)) {
|
|
|
|
// Upgrade the hash to bcrypt
|
|
|
|
if (passwordHash.needRehash(user.password)) {
|
|
|
|
await R.exec("UPDATE `user` SET password = ? WHERE id = ? ", [
|
|
|
|
passwordHash.generate(password),
|
2021-07-27 19:47:13 +02:00
|
|
|
user.id,
|
2021-07-27 18:52:31 +02:00
|
|
|
]);
|
|
|
|
}
|
|
|
|
return user;
|
|
|
|
}
|
2021-07-27 19:47:13 +02:00
|
|
|
|
|
|
|
return null;
|
2021-10-23 10:35:13 +02:00
|
|
|
};
|
2021-07-27 18:52:31 +02:00
|
|
|
|
2023-02-15 01:39:29 +01:00
|
|
|
/**
|
|
|
|
* Validate a provided API key
|
2023-02-15 22:53:49 +01:00
|
|
|
* @param {string} key API key to verify
|
2023-08-11 09:46:41 +02:00
|
|
|
* @returns {boolean} API is ok?
|
2023-02-15 01:39:29 +01:00
|
|
|
*/
|
2023-02-15 22:53:49 +01:00
|
|
|
async function verifyAPIKey(key) {
|
2023-02-15 01:39:29 +01:00
|
|
|
if (typeof key !== "string") {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2023-02-26 17:47:34 +01:00
|
|
|
// uk prefix + key ID is before _
|
|
|
|
let index = key.substring(2, key.indexOf("_"));
|
|
|
|
let clear = key.substring(key.indexOf("_") + 1, key.length);
|
2023-02-15 01:39:29 +01:00
|
|
|
|
|
|
|
let hash = await R.findOne("api_key", " id=? ", [ index ]);
|
|
|
|
|
2023-02-15 12:15:15 +01:00
|
|
|
if (hash === null) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2023-02-15 01:39:29 +01:00
|
|
|
let current = dayjs();
|
|
|
|
let expiry = dayjs(hash.expires);
|
2023-02-15 12:15:15 +01:00
|
|
|
if (expiry.diff(current) < 0 || !hash.active) {
|
2023-02-15 01:39:29 +01:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return hash && passwordHash.verify(clear, hash.key);
|
|
|
|
}
|
|
|
|
|
2022-04-20 20:56:40 +02:00
|
|
|
/**
|
2023-02-15 22:53:49 +01:00
|
|
|
* Callback for basic auth authorizers
|
|
|
|
* @callback authCallback
|
2022-04-20 20:56:40 +02:00
|
|
|
* @param {any} err Any error encountered
|
|
|
|
* @param {boolean} authorized Is the client authorized?
|
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Custom authorizer for express-basic-auth
|
2023-08-11 09:46:41 +02:00
|
|
|
* @param {string} username Username to login with
|
|
|
|
* @param {string} password Password to login with
|
|
|
|
* @param {authCallback} callback Callback to handle login result
|
|
|
|
* @returns {void}
|
2022-04-20 20:56:40 +02:00
|
|
|
*/
|
2023-02-15 22:53:49 +01:00
|
|
|
function apiAuthorizer(username, password, callback) {
|
|
|
|
// API Rate Limit
|
|
|
|
apiRateLimiter.pass(null, 0).then((pass) => {
|
|
|
|
if (pass) {
|
|
|
|
verifyAPIKey(password).then((valid) => {
|
2023-06-25 22:49:49 +02:00
|
|
|
if (!valid) {
|
|
|
|
log.warn("api-auth", "Failed API auth attempt: invalid API Key");
|
|
|
|
}
|
2023-02-15 22:53:49 +01:00
|
|
|
callback(null, valid);
|
|
|
|
// Only allow a set number of api requests per minute
|
|
|
|
// (currently set to 60)
|
|
|
|
apiRateLimiter.removeTokens(1);
|
|
|
|
});
|
|
|
|
} else {
|
2023-06-25 22:49:49 +02:00
|
|
|
log.warn("api-auth", "Failed API auth attempt: rate limit exceeded");
|
2023-02-15 22:53:49 +01:00
|
|
|
callback(null, false);
|
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Custom authorizer for express-basic-auth
|
2023-08-11 09:46:41 +02:00
|
|
|
* @param {string} username Username to login with
|
|
|
|
* @param {string} password Password to login with
|
|
|
|
* @param {authCallback} callback Callback to handle login result
|
|
|
|
* @returns {void}
|
2023-02-15 22:53:49 +01:00
|
|
|
*/
|
|
|
|
function userAuthorizer(username, password, callback) {
|
2022-03-24 11:02:34 +01:00
|
|
|
// Login Rate Limit
|
|
|
|
loginRateLimiter.pass(null, 0).then((pass) => {
|
|
|
|
if (pass) {
|
|
|
|
exports.login(username, password).then((user) => {
|
|
|
|
callback(null, user != null);
|
2021-10-23 10:35:13 +02:00
|
|
|
|
2022-03-24 11:02:34 +01:00
|
|
|
if (user == null) {
|
2023-06-25 22:49:49 +02:00
|
|
|
log.warn("basic-auth", "Failed basic auth attempt: invalid username/password");
|
2022-03-24 11:02:34 +01:00
|
|
|
loginRateLimiter.removeTokens(1);
|
2021-10-23 10:35:13 +02:00
|
|
|
}
|
|
|
|
});
|
2022-03-24 11:02:34 +01:00
|
|
|
} else {
|
2023-06-25 22:49:49 +02:00
|
|
|
log.warn("basic-auth", "Failed basic auth attempt: rate limit exceeded");
|
2022-03-24 11:02:34 +01:00
|
|
|
callback(null, false);
|
2021-10-23 10:35:13 +02:00
|
|
|
}
|
|
|
|
});
|
2021-07-27 18:52:31 +02:00
|
|
|
}
|
|
|
|
|
2023-01-05 23:19:05 +01:00
|
|
|
/**
|
|
|
|
* Use basic auth if auth is not disabled
|
|
|
|
* @param {express.Request} req Express request object
|
|
|
|
* @param {express.Response} res Express response object
|
2023-08-11 09:46:41 +02:00
|
|
|
* @param {express.NextFunction} next Next handler in chain
|
|
|
|
* @returns {void}
|
2023-01-05 23:19:05 +01:00
|
|
|
*/
|
2022-03-24 11:02:34 +01:00
|
|
|
exports.basicAuth = async function (req, res, next) {
|
|
|
|
const middleware = basicAuth({
|
2023-02-15 22:53:49 +01:00
|
|
|
authorizer: userAuthorizer,
|
2022-03-24 11:02:34 +01:00
|
|
|
authorizeAsync: true,
|
|
|
|
challenge: true,
|
|
|
|
});
|
|
|
|
|
|
|
|
const disabledAuth = await setting("disableAuth");
|
|
|
|
|
|
|
|
if (!disabledAuth) {
|
|
|
|
middleware(req, res, next);
|
|
|
|
} else {
|
|
|
|
next();
|
|
|
|
}
|
|
|
|
};
|
2023-02-15 01:39:29 +01:00
|
|
|
|
|
|
|
/**
|
2023-02-26 17:47:34 +01:00
|
|
|
* Use use API Key if API keys enabled, else use basic auth
|
2023-02-15 01:39:29 +01:00
|
|
|
* @param {express.Request} req Express request object
|
|
|
|
* @param {express.Response} res Express response object
|
2023-08-11 09:46:41 +02:00
|
|
|
* @param {express.NextFunction} next Next handler in chain
|
|
|
|
* @returns {void}
|
2023-02-15 01:39:29 +01:00
|
|
|
*/
|
|
|
|
exports.apiAuth = async function (req, res, next) {
|
|
|
|
if (!await Settings.get("disableAuth")) {
|
|
|
|
let usingAPIKeys = await Settings.get("apiKeysEnabled");
|
2023-02-15 22:53:49 +01:00
|
|
|
let middleware;
|
|
|
|
if (usingAPIKeys) {
|
|
|
|
middleware = basicAuth({
|
|
|
|
authorizer: apiAuthorizer,
|
|
|
|
authorizeAsync: true,
|
|
|
|
challenge: true,
|
|
|
|
});
|
|
|
|
} else {
|
|
|
|
middleware = basicAuth({
|
|
|
|
authorizer: userAuthorizer,
|
|
|
|
authorizeAsync: true,
|
|
|
|
challenge: true,
|
|
|
|
});
|
|
|
|
}
|
|
|
|
middleware(req, res, next);
|
2023-02-15 01:39:29 +01:00
|
|
|
} else {
|
|
|
|
next();
|
|
|
|
}
|
|
|
|
};
|