audiobookshelf/server/Auth.js

const bcrypt = require('./libs/bcryptjs')
const jwt = require('./libs/jsonwebtoken')
const requestIp = require('./libs/requestIp')
const Logger = require('./Logger')
const Database = require('./Database')

class Auth {
  constructor() { }

  cors(req, res, next) {
    res.header('Access-Control-Allow-Origin', '*')
    res.header("Access-Control-Allow-Methods", 'GET, POST, PATCH, PUT, DELETE, OPTIONS')
    res.header('Access-Control-Allow-Headers', '*')
    // TODO: Make sure allowing all headers is not a security concern. It is required for adding custom headers for SSO
    // res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Accept-Encoding, Range, Authorization")
    res.header('Access-Control-Allow-Credentials', true)
    if (req.method === 'OPTIONS') {
      res.sendStatus(200)
    } else {
      next()
    }
  }

  async initTokenSecret() {
    if (process.env.TOKEN_SECRET) { // User can supply their own token secret
      Logger.debug(`[Auth] Setting token secret - using user passed in TOKEN_SECRET env var`)
      Database.serverSettings.tokenSecret = process.env.TOKEN_SECRET
    } else {
      Logger.debug(`[Auth] Setting token secret - using random bytes`)
      Database.serverSettings.tokenSecret = require('crypto').randomBytes(256).toString('base64')
    }
    await Database.updateServerSettings()

    // New token secret creation added in v2.1.0 so generate new API tokens for each user
    if (Database.users.length) {
      for (const user of Database.users) {
        user.token = await this.generateAccessToken({ userId: user.id, username: user.username })
        Logger.warn(`[Auth] User ${user.username} api token has been updated using new token secret`)
      }
      await Database.updateBulkUsers(Database.users)
    }
  }

  async authMiddleware(req, res, next) {
    var token = null

    // If using a get request, the token can be passed as a query string
    if (req.method === 'GET' && req.query && req.query.token) {
      token = req.query.token
    } else {
      const authHeader = req.headers['authorization']
      token = authHeader && authHeader.split(' ')[1]
    }

    if (token == null) {
      Logger.error('Api called without a token', req.path)
      return res.sendStatus(401)
    }

    const user = await this.verifyToken(token)
    if (!user) {
      Logger.error('Verify Token User Not Found', token)
      return res.sendStatus(404)
    }
    if (!user.isActive) {
      Logger.error('Verify Token User is disabled', token, user.username)
      return res.sendStatus(403)
    }
    req.user = user
    next()
  }

  hashPass(password) {
    return new Promise((resolve) => {
      bcrypt.hash(password, 8, (err, hash) => {
        if (err) {
          Logger.error('Hash failed', err)
          resolve(null)
        } else {
          resolve(hash)
        }
      })
    })
  }

  generateAccessToken(payload) {
    return jwt.sign(payload, Database.serverSettings.tokenSecret)
  }

  authenticateUser(token) {
    return this.verifyToken(token)
  }

  verifyToken(token) {
    return new Promise((resolve) => {
      jwt.verify(token, Database.serverSettings.tokenSecret, (err, payload) => {
        if (!payload || err) {
          Logger.error('JWT Verify Token Failed', err)
          return resolve(null)
        }
        const user = Database.users.find(u => (u.id === payload.userId || u.oldUserId === payload.userId) && u.username === payload.username)
        resolve(user || null)
      })
    })
  }

  getUserLoginResponsePayload(user) {
    return {
      user: user.toJSONForBrowser(),
      userDefaultLibraryId: user.getDefaultLibraryId(Database.libraries),
      serverSettings: Database.serverSettings.toJSONForBrowser(),
      ereaderDevices: Database.emailSettings.getEReaderDevices(user),
      Source: global.Source
    }
  }

  async login(req, res) {
    const ipAddress = requestIp.getClientIp(req)
    const username = (req.body.username || '').toLowerCase()
    const password = req.body.password || ''

    const user = Database.users.find(u => u.username.toLowerCase() === username)

    if (!user?.isActive) {
      Logger.warn(`[Auth] Failed login attempt ${req.rateLimit.current} of ${req.rateLimit.limit} from ${ipAddress}`)
      if (req.rateLimit.remaining <= 2) {
        Logger.error(`[Auth] Failed login attempt for username ${username} from ip ${ipAddress}. Attempts: ${req.rateLimit.current}`)
        return res.status(401).send(`Invalid user or password (${req.rateLimit.remaining === 0 ? '1 attempt remaining' : `${req.rateLimit.remaining + 1} attempts remaining`})`)
      }
      return res.status(401).send('Invalid user or password')
    }

    // Check passwordless root user
    if (user.type === 'root' && (!user.pash || user.pash === '')) {
      if (password) {
        return res.status(401).send('Invalid root password (hint: there is none)')
      } else {
        Logger.info(`[Auth] ${user.username} logged in from ${ipAddress}`)
        return res.json(this.getUserLoginResponsePayload(user))
      }
    }

    // Check password match
    const compare = await bcrypt.compare(password, user.pash)
    if (compare) {
      Logger.info(`[Auth] ${user.username} logged in from ${ipAddress}`)
      res.json(this.getUserLoginResponsePayload(user))
    } else {
      Logger.warn(`[Auth] Failed login attempt ${req.rateLimit.current} of ${req.rateLimit.limit} from ${ipAddress}`)
      if (req.rateLimit.remaining <= 2) {
        Logger.error(`[Auth] Failed login attempt for user ${user.username} from ip ${ipAddress}. Attempts: ${req.rateLimit.current}`)
        return res.status(401).send(`Invalid user or password (${req.rateLimit.remaining === 0 ? '1 attempt remaining' : `${req.rateLimit.remaining + 1} attempts remaining`})`)
      }
      return res.status(401).send('Invalid user or password')
    }
  }

  comparePassword(password, user) {
    if (user.type === 'root' && !password && !user.pash) return true
    if (!password || !user.pash) return false
    return bcrypt.compare(password, user.pash)
  }

  async userChangePassword(req, res) {
    var { password, newPassword } = req.body
    newPassword = newPassword || ''
    const matchingUser = Database.users.find(u => u.id === req.user.id)

    // Only root can have an empty password
    if (matchingUser.type !== 'root' && !newPassword) {
      return res.json({
        error: 'Invalid new password - Only root can have an empty password'
      })
    }

    const compare = await this.comparePassword(password, matchingUser)
    if (!compare) {
      return res.json({
        error: 'Invalid password'
      })
    }

    let pw = ''
    if (newPassword) {
      pw = await this.hashPass(newPassword)
      if (!pw) {
        return res.json({
          error: 'Hash failed'
        })
      }
    }

    matchingUser.pash = pw

    const success = await Database.updateUser(matchingUser)
    if (success) {
      res.json({
        success: true
      })
    } else {
      res.json({
        error: 'Unknown error'
      })
    }
  }
}
module.exports = Auth
Remove bcryptjs dependency 2022-07-07 02:01:27 +02:00			`const bcrypt = require('./libs/bcryptjs')`
Remove jsonwebtoken dependency 2022-07-07 01:45:43 +02:00			`const jwt = require('./libs/jsonwebtoken')`
Update:Add client ip address in server log for failed auth attempts #1172 2022-11-18 01:04:11 +01:00			`const requestIp = require('./libs/requestIp')`
Init 2021-08-18 00:01:11 +02:00			`const Logger = require('./Logger')`
Init sqlite take 2 2023-07-05 01:14:44 +02:00			`const Database = require('./Database')`
Init 2021-08-18 00:01:11 +02:00
			`class Auth {`
Init sqlite take 2 2023-07-05 01:14:44 +02:00			`constructor() { }`
Init 2021-08-18 00:01:11 +02:00
			`cors(req, res, next) {`
			`res.header('Access-Control-Allow-Origin', '*')`
			`res.header("Access-Control-Allow-Methods", 'GET, POST, PATCH, PUT, DELETE, OPTIONS')`
Allow custom headers in requests 2022-06-25 17:36:37 +02:00			`res.header('Access-Control-Allow-Headers', '*')`
			`// TODO: Make sure allowing all headers is not a security concern. It is required for adding custom headers for SSO`
			`// res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Accept-Encoding, Range, Authorization")`
Init 2021-08-18 00:01:11 +02:00			`res.header('Access-Control-Allow-Credentials', true)`
			`if (req.method === 'OPTIONS') {`
			`res.sendStatus(200)`
			`} else {`
			`next()`
			`}`
			`}`

Update:JWT signing 2022-07-19 00:19:16 +02:00			`async initTokenSecret() {`
			`if (process.env.TOKEN_SECRET) { // User can supply their own token secret`
			Logger.debug(`[Auth] Setting token secret - using user passed in TOKEN_SECRET env var`)
Init sqlite take 2 2023-07-05 01:14:44 +02:00			`Database.serverSettings.tokenSecret = process.env.TOKEN_SECRET`
Update:JWT signing 2022-07-19 00:19:16 +02:00			`} else {`
			Logger.debug(`[Auth] Setting token secret - using random bytes`)
Init sqlite take 2 2023-07-05 01:14:44 +02:00			`Database.serverSettings.tokenSecret = require('crypto').randomBytes(256).toString('base64')`
Update:JWT signing 2022-07-19 00:19:16 +02:00			`}`
Init sqlite take 2 2023-07-05 01:14:44 +02:00			`await Database.updateServerSettings()`
Update:JWT signing 2022-07-19 00:19:16 +02:00
			`// New token secret creation added in v2.1.0 so generate new API tokens for each user`
Init sqlite take 2 2023-07-05 01:14:44 +02:00			`if (Database.users.length) {`
			`for (const user of Database.users) {`
Update:JWT signing 2022-07-19 00:19:16 +02:00			`user.token = await this.generateAccessToken({ userId: user.id, username: user.username })`
			Logger.warn(`[Auth] User ${user.username} api token has been updated using new token secret`)
			`}`
Init sqlite take 2 2023-07-05 01:14:44 +02:00			`await Database.updateBulkUsers(Database.users)`
Update:JWT signing 2022-07-19 00:19:16 +02:00			`}`
			`}`

Init 2021-08-18 00:01:11 +02:00			`async authMiddleware(req, res, next) {`
Book cover uploader, moving streams to /metadata/streams, adding jwt auth from query string, auth check static metadata 2021-09-22 03:57:33 +02:00			`var token = null`

			`// If using a get request, the token can be passed as a query string`
			`if (req.method === 'GET' && req.query && req.query.token) {`
			`token = req.query.token`
			`} else {`
			`const authHeader = req.headers['authorization']`
			`token = authHeader && authHeader.split(' ')[1]`
			`}`

Init 2021-08-18 00:01:11 +02:00			`if (token == null) {`
Fix dynamic route requests, add auth middleware 2021-08-24 02:37:40 +02:00			`Logger.error('Api called without a token', req.path)`
Init 2021-08-18 00:01:11 +02:00			`return res.sendStatus(401)`
			`}`

Init sqlite take 2 2023-07-05 01:14:44 +02:00			`const user = await this.verifyToken(token)`
Init 2021-08-18 00:01:11 +02:00			`if (!user) {`
			`Logger.error('Verify Token User Not Found', token)`
Update scanner v3, add isActive support for users 2021-09-11 02:55:02 +02:00			`return res.sendStatus(404)`
			`}`
			`if (!user.isActive) {`
			`Logger.error('Verify Token User is disabled', token, user.username)`
Init 2021-08-18 00:01:11 +02:00			`return res.sendStatus(403)`
			`}`
			`req.user = user`
			`next()`
			`}`

			`hashPass(password) {`
			`return new Promise((resolve) => {`
			`bcrypt.hash(password, 8, (err, hash) => {`
			`if (err) {`
			`Logger.error('Hash failed', err)`
			`resolve(null)`
			`} else {`
			`resolve(hash)`
			`}`
			`})`
			`})`
			`}`

			`generateAccessToken(payload) {`
Init sqlite take 2 2023-07-05 01:14:44 +02:00			`return jwt.sign(payload, Database.serverSettings.tokenSecret)`
Init 2021-08-18 00:01:11 +02:00			`}`

Add: User listening sessions and user listening stats #167 2021-11-13 02:43:16 +01:00			`authenticateUser(token) {`
			`return this.verifyToken(token)`
			`}`

Init 2021-08-18 00:01:11 +02:00			`verifyToken(token) {`
			`return new Promise((resolve) => {`
Init sqlite take 2 2023-07-05 01:14:44 +02:00			`jwt.verify(token, Database.serverSettings.tokenSecret, (err, payload) => {`
Fix scan for audiobook directories in root dir 2021-08-23 21:08:54 +02:00			`if (!payload \|\| err) {`
			`Logger.error('JWT Verify Token Failed', err)`
			`return resolve(null)`
			`}`
Init sqlite take 2 2023-07-05 01:14:44 +02:00			`const user = Database.users.find(u => (u.id === payload.userId \|\| u.oldUserId === payload.userId) && u.username === payload.username)`
Init 2021-08-18 00:01:11 +02:00			`resolve(user \|\| null)`
			`})`
			`})`
			`}`

Update:Remove RSS feeds from login response payload and include feeds from library items request 2022-12-31 17:59:12 +01:00			`getUserLoginResponsePayload(user) {`
Fix:Series covers on home page not spread out correctly #505, Update:Server settings are now returned with auth requests 2022-04-30 00:43:46 +02:00			`return {`
			`user: user.toJSONForBrowser(),`
Init sqlite take 2 2023-07-05 01:14:44 +02:00			`userDefaultLibraryId: user.getDefaultLibraryId(Database.libraries),`
			`serverSettings: Database.serverSettings.toJSONForBrowser(),`
			`ereaderDevices: Database.emailSettings.getEReaderDevices(user),`
Update:Send source back with auth request 2022-05-21 18:21:03 +02:00			`Source: global.Source`
Fix:Series covers on home page not spread out correctly #505, Update:Server settings are now returned with auth requests 2022-04-30 00:43:46 +02:00			`}`
			`}`

Update:Remove RSS feeds from login response payload and include feeds from library items request 2022-12-31 17:59:12 +01:00			`async login(req, res) {`
Update:Add client ip address in server log for failed auth attempts #1172 2022-11-18 01:04:11 +01:00			`const ipAddress = requestIp.getClientIp(req)`
Add:Log user and ip on successful login #1740 2023-04-28 23:16:47 +02:00			`const username = (req.body.username \|\| '').toLowerCase()`
			`const password = req.body.password \|\| ''`
Init 2021-08-18 00:01:11 +02:00
Init sqlite take 2 2023-07-05 01:14:44 +02:00			`const user = Database.users.find(u => u.username.toLowerCase() === username)`
Init 2021-08-18 00:01:11 +02:00
Add:Log user and ip on successful login #1740 2023-04-28 23:16:47 +02:00			`if (!user?.isActive) {`
Update:Add client ip address in server log for failed auth attempts #1172 2022-11-18 01:04:11 +01:00			Logger.warn(`[Auth] Failed login attempt ${req.rateLimit.current} of ${req.rateLimit.limit} from ${ipAddress}`)
Write metadata file option, rate limiting login attempts, generic failed login message 2021-09-29 17:16:38 +02:00			`if (req.rateLimit.remaining <= 2) {`
Update:Add client ip address in server log for failed auth attempts #1172 2022-11-18 01:04:11 +01:00			Logger.error(`[Auth] Failed login attempt for username ${username} from ip ${ipAddress}. Attempts: ${req.rateLimit.current}`)
Write metadata file option, rate limiting login attempts, generic failed login message 2021-09-29 17:16:38 +02:00			return res.status(401).send(`Invalid user or password (${req.rateLimit.remaining === 0 ? '1 attempt remaining' : `${req.rateLimit.remaining + 1} attempts remaining`})`)
			`}`
			`return res.status(401).send('Invalid user or password')`
Update scanner v3, add isActive support for users 2021-09-11 02:55:02 +02:00			`}`

Init 2021-08-18 00:01:11 +02:00			`// Check passwordless root user`
Init sqlite take 2 2023-07-05 01:14:44 +02:00			`if (user.type === 'root' && (!user.pash \|\| user.pash === '')) {`
Init 2021-08-18 00:01:11 +02:00			`if (password) {`
Write metadata file option, rate limiting login attempts, generic failed login message 2021-09-29 17:16:38 +02:00			`return res.status(401).send('Invalid root password (hint: there is none)')`
Init 2021-08-18 00:01:11 +02:00			`} else {`
Add:Log user and ip on successful login #1740 2023-04-28 23:16:47 +02:00			Logger.info(`[Auth] ${user.username} logged in from ${ipAddress}`)
Update:Remove RSS feeds from login response payload and include feeds from library items request 2022-12-31 17:59:12 +01:00			`return res.json(this.getUserLoginResponsePayload(user))`
Init 2021-08-18 00:01:11 +02:00			`}`
			`}`

			`// Check password match`
Add:Log user and ip on successful login #1740 2023-04-28 23:16:47 +02:00			`const compare = await bcrypt.compare(password, user.pash)`
Init 2021-08-18 00:01:11 +02:00			`if (compare) {`
Add:Log user and ip on successful login #1740 2023-04-28 23:16:47 +02:00			Logger.info(`[Auth] ${user.username} logged in from ${ipAddress}`)
Update:Remove RSS feeds from login response payload and include feeds from library items request 2022-12-31 17:59:12 +01:00			`res.json(this.getUserLoginResponsePayload(user))`
Init 2021-08-18 00:01:11 +02:00			`} else {`
Update:Add client ip address in server log for failed auth attempts #1172 2022-11-18 01:04:11 +01:00			Logger.warn(`[Auth] Failed login attempt ${req.rateLimit.current} of ${req.rateLimit.limit} from ${ipAddress}`)
Write metadata file option, rate limiting login attempts, generic failed login message 2021-09-29 17:16:38 +02:00			`if (req.rateLimit.remaining <= 2) {`
Update:Add client ip address in server log for failed auth attempts #1172 2022-11-18 01:04:11 +01:00			Logger.error(`[Auth] Failed login attempt for user ${user.username} from ip ${ipAddress}. Attempts: ${req.rateLimit.current}`)
Write metadata file option, rate limiting login attempts, generic failed login message 2021-09-29 17:16:38 +02:00			return res.status(401).send(`Invalid user or password (${req.rateLimit.remaining === 0 ? '1 attempt remaining' : `${req.rateLimit.remaining + 1} attempts remaining`})`)
			`}`
			`return res.status(401).send('Invalid user or password')`
Init 2021-08-18 00:01:11 +02:00			`}`
			`}`

Reset password and users table on settings page 2021-08-22 17:46:04 +02:00			`comparePassword(password, user) {`
			`if (user.type === 'root' && !password && !user.pash) return true`
			`if (!password \|\| !user.pash) return false`
			`return bcrypt.compare(password, user.pash)`
			`}`

			`async userChangePassword(req, res) {`
			`var { password, newPassword } = req.body`
			`newPassword = newPassword \|\| ''`
Init sqlite take 2 2023-07-05 01:14:44 +02:00			`const matchingUser = Database.users.find(u => u.id === req.user.id)`
Init 2021-08-18 00:01:11 +02:00
Reset password and users table on settings page 2021-08-22 17:46:04 +02:00			`// Only root can have an empty password`
			`if (matchingUser.type !== 'root' && !newPassword) {`
Init 2021-08-18 00:01:11 +02:00			`return res.json({`
Reset password and users table on settings page 2021-08-22 17:46:04 +02:00			`error: 'Invalid new password - Only root can have an empty password'`
Init 2021-08-18 00:01:11 +02:00			`})`
			`}`

Init sqlite take 2 2023-07-05 01:14:44 +02:00			`const compare = await this.comparePassword(password, matchingUser)`
Reset password and users table on settings page 2021-08-22 17:46:04 +02:00			`if (!compare) {`
			`return res.json({`
			`error: 'Invalid password'`
			`})`
Init 2021-08-18 00:01:11 +02:00			`}`

Init sqlite take 2 2023-07-05 01:14:44 +02:00			`let pw = ''`
Reset password and users table on settings page 2021-08-22 17:46:04 +02:00			`if (newPassword) {`
			`pw = await this.hashPass(newPassword)`
Init 2021-08-18 00:01:11 +02:00			`if (!pw) {`
			`return res.json({`
			`error: 'Hash failed'`
			`})`
			`}`
			`}`

Reset password and users table on settings page 2021-08-22 17:46:04 +02:00			`matchingUser.pash = pw`
Init sqlite take 2 2023-07-05 01:14:44 +02:00
			`const success = await Database.updateUser(matchingUser)`
Reset password and users table on settings page 2021-08-22 17:46:04 +02:00			`if (success) {`
Init 2021-08-18 00:01:11 +02:00			`res.json({`
Reset password and users table on settings page 2021-08-22 17:46:04 +02:00			`success: true`
Init 2021-08-18 00:01:11 +02:00			`})`
			`} else {`
			`res.json({`
Reset password and users table on settings page 2021-08-22 17:46:04 +02:00			`error: 'Unknown error'`
Init 2021-08-18 00:01:11 +02:00			`})`
			`}`
			`}`
			`}`
			`module.exports = Auth`