2021-08-18 00:01:11 +02:00
|
|
|
const bcrypt = require('bcryptjs')
|
|
|
|
const jwt = require('jsonwebtoken')
|
|
|
|
const Logger = require('./Logger')
|
|
|
|
|
|
|
|
class Auth {
|
|
|
|
constructor(db) {
|
|
|
|
this.db = db
|
|
|
|
|
|
|
|
this.user = null
|
|
|
|
}
|
|
|
|
|
|
|
|
get username() {
|
|
|
|
return this.user ? this.user.username : 'nobody'
|
|
|
|
}
|
|
|
|
|
|
|
|
get users() {
|
|
|
|
return this.db.users
|
|
|
|
}
|
|
|
|
|
|
|
|
init() {
|
|
|
|
var root = this.users.find(u => u.type === 'root')
|
|
|
|
if (!root) {
|
|
|
|
Logger.fatal('No Root User', this.users)
|
|
|
|
throw new Error('No Root User')
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
cors(req, res, next) {
|
|
|
|
res.header('Access-Control-Allow-Origin', '*')
|
|
|
|
res.header("Access-Control-Allow-Methods", 'GET, POST, PATCH, PUT, DELETE, OPTIONS')
|
|
|
|
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
|
|
|
|
res.header('Access-Control-Allow-Credentials', true)
|
|
|
|
if (req.method === 'OPTIONS') {
|
|
|
|
res.sendStatus(200)
|
|
|
|
} else {
|
|
|
|
next()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
async authMiddleware(req, res, next) {
|
|
|
|
const authHeader = req.headers['authorization']
|
|
|
|
const token = authHeader && authHeader.split(' ')[1]
|
|
|
|
if (token == null) {
|
2021-08-24 02:37:40 +02:00
|
|
|
Logger.error('Api called without a token', req.path)
|
2021-08-18 00:01:11 +02:00
|
|
|
return res.sendStatus(401)
|
|
|
|
}
|
|
|
|
|
|
|
|
var user = await this.verifyToken(token)
|
|
|
|
if (!user) {
|
|
|
|
Logger.error('Verify Token User Not Found', token)
|
2021-09-11 02:55:02 +02:00
|
|
|
return res.sendStatus(404)
|
|
|
|
}
|
|
|
|
if (!user.isActive) {
|
|
|
|
Logger.error('Verify Token User is disabled', token, user.username)
|
2021-08-18 00:01:11 +02:00
|
|
|
return res.sendStatus(403)
|
|
|
|
}
|
|
|
|
req.user = user
|
|
|
|
next()
|
|
|
|
}
|
|
|
|
|
|
|
|
hashPass(password) {
|
|
|
|
return new Promise((resolve) => {
|
|
|
|
bcrypt.hash(password, 8, (err, hash) => {
|
|
|
|
if (err) {
|
|
|
|
Logger.error('Hash failed', err)
|
|
|
|
resolve(null)
|
|
|
|
} else {
|
|
|
|
resolve(hash)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
generateAccessToken(payload) {
|
2021-09-06 01:20:29 +02:00
|
|
|
return jwt.sign(payload, process.env.TOKEN_SECRET);
|
2021-08-18 00:01:11 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
verifyToken(token) {
|
|
|
|
return new Promise((resolve) => {
|
|
|
|
jwt.verify(token, process.env.TOKEN_SECRET, (err, payload) => {
|
2021-08-23 21:08:54 +02:00
|
|
|
if (!payload || err) {
|
|
|
|
Logger.error('JWT Verify Token Failed', err)
|
|
|
|
return resolve(null)
|
|
|
|
}
|
2021-08-18 00:01:11 +02:00
|
|
|
var user = this.users.find(u => u.id === payload.userId)
|
|
|
|
resolve(user || null)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
async login(req, res) {
|
|
|
|
var username = req.body.username
|
|
|
|
var password = req.body.password || ''
|
|
|
|
Logger.debug('Check Auth', username, !!password)
|
|
|
|
|
2021-08-27 14:01:47 +02:00
|
|
|
var user = this.users.find(u => u.username === username)
|
2021-08-18 00:01:11 +02:00
|
|
|
|
|
|
|
if (!user) {
|
|
|
|
return res.json({ error: 'User not found' })
|
|
|
|
}
|
|
|
|
|
2021-09-11 02:55:02 +02:00
|
|
|
if (!user.isActive) {
|
|
|
|
return res.json({ error: 'User unavailable' })
|
|
|
|
}
|
|
|
|
|
2021-08-18 00:01:11 +02:00
|
|
|
// Check passwordless root user
|
|
|
|
if (user.id === 'root' && (!user.pash || user.pash === '')) {
|
|
|
|
if (password) {
|
|
|
|
return res.json({ error: 'Invalid root password (hint: there is none)' })
|
|
|
|
} else {
|
|
|
|
return res.json({ user: user.toJSONForBrowser() })
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check password match
|
|
|
|
var compare = await bcrypt.compare(password, user.pash)
|
|
|
|
if (compare) {
|
|
|
|
res.json({
|
|
|
|
user: user.toJSONForBrowser()
|
|
|
|
})
|
|
|
|
} else {
|
|
|
|
res.json({
|
|
|
|
error: 'Invalid Password'
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-08-22 17:46:04 +02:00
|
|
|
comparePassword(password, user) {
|
|
|
|
if (user.type === 'root' && !password && !user.pash) return true
|
|
|
|
if (!password || !user.pash) return false
|
|
|
|
return bcrypt.compare(password, user.pash)
|
|
|
|
}
|
|
|
|
|
|
|
|
async userChangePassword(req, res) {
|
|
|
|
var { password, newPassword } = req.body
|
|
|
|
newPassword = newPassword || ''
|
|
|
|
var matchingUser = this.users.find(u => u.id === req.user.id)
|
2021-08-18 00:01:11 +02:00
|
|
|
|
2021-08-22 17:46:04 +02:00
|
|
|
// Only root can have an empty password
|
|
|
|
if (matchingUser.type !== 'root' && !newPassword) {
|
2021-08-18 00:01:11 +02:00
|
|
|
return res.json({
|
2021-08-22 17:46:04 +02:00
|
|
|
error: 'Invalid new password - Only root can have an empty password'
|
2021-08-18 00:01:11 +02:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2021-08-22 17:46:04 +02:00
|
|
|
var compare = await this.comparePassword(password, matchingUser)
|
|
|
|
if (!compare) {
|
|
|
|
return res.json({
|
|
|
|
error: 'Invalid password'
|
|
|
|
})
|
2021-08-18 00:01:11 +02:00
|
|
|
}
|
|
|
|
|
2021-08-22 17:46:04 +02:00
|
|
|
var pw = ''
|
|
|
|
if (newPassword) {
|
|
|
|
pw = await this.hashPass(newPassword)
|
2021-08-18 00:01:11 +02:00
|
|
|
if (!pw) {
|
|
|
|
return res.json({
|
|
|
|
error: 'Hash failed'
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-08-22 17:46:04 +02:00
|
|
|
matchingUser.pash = pw
|
|
|
|
var success = await this.db.updateEntity('user', matchingUser)
|
|
|
|
if (success) {
|
2021-08-18 00:01:11 +02:00
|
|
|
res.json({
|
2021-08-22 17:46:04 +02:00
|
|
|
success: true
|
2021-08-18 00:01:11 +02:00
|
|
|
})
|
|
|
|
} else {
|
|
|
|
res.json({
|
2021-08-22 17:46:04 +02:00
|
|
|
error: 'Unknown error'
|
2021-08-18 00:01:11 +02:00
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
module.exports = Auth
|