src/proxyauth.js

'use strict';

// heavily inspired from https://gock.net/blog/2020/nginx-subrequest-authentication-server/ and https://github.com/andygock/auth-server

exports = module.exports = {
    start,
    stop
};

const apps = require('./apps.js'),
    assert = require('assert'),
    basicAuth = require('basic-auth'),
    blobs = require('./blobs.js'),
    constants = require('./constants.js'),
    dashboard = require('./dashboard.js'),
    debug = require('debug')('box:proxyAuth'),
    ejs = require('ejs'),
    express = require('express'),
    hat = require('./hat.js'),
    http = require('http'),
    HttpError = require('connect-lastmile').HttpError,
    HttpSuccess = require('connect-lastmile').HttpSuccess,
    jwt = require('jsonwebtoken'),
    middleware = require('./middleware'),
    oidc = require('./oidc.js'),
    path = require('path'),
    paths = require('./paths.js'),
    safe = require('safetydance'),
    translation = require('./translation.js'),
    users = require('./users.js'),
    util = require('util');

let gHttpServer = null;
let gTokenSecret = null;

function jwtVerify(req, res, next) {
    const token = req.cookies.authToken;

    if (!token) return next();

    jwt.verify(token, gTokenSecret, function (error, decoded) {
        if (error) {
            debug('jwtVerify: malformed token or bad signature', error.message);
            req.user = null;
        } else {
            req.user = decoded.user || null;
        }

        next();
    });
}

async function authorizationHeader(req, res, next) {
    const appId = req.headers['x-app-id'] || '';
    if (!appId) return next();

    if (!req.headers.authorization) return next();

    const [error, app] = await safe(apps.get(appId));
    if (error) return next(new HttpError(503, error.message));
    if (!app) return next(new HttpError(503, 'Error getting app'));

    // only if the app supports bearer auth, pass it through to the app. without this flag, anyone can access the app with Bearer auth!
    if (req.headers.authorization.startsWith('Bearer ') && app.manifest.addons.proxyAuth.supportsBearerAuth) return next(new HttpSuccess(200, {}));

    const credentials = basicAuth(req);
    if (!credentials) return next();

    if (!app.manifest.addons.proxyAuth.basicAuth) return next(); // this is a flag because this allows auth to bypass 2FA

    const verifyFunc = credentials.name.indexOf('@') !== -1 ? users.verifyWithEmail : users.verifyWithUsername;
    const [verifyError, user] = await safe(verifyFunc(credentials.name, credentials.pass, appId, { skipTotpCheck: true }));
    if (verifyError) return next(new HttpError(403, 'Invalid username or password' ));

    req.user = user;
    next();
}

async function loginPage(req, res, next) {
    const appId = req.headers['x-app-id'] || '';
    if (!appId) return next(new HttpError(503, 'Nginx misconfiguration'));

    const [error, translationAssets] = await safe(translation.getTranslations());
    if (error) return next(new HttpError(500, 'No translation found'));

    const raw = safe.fs.readFileSync(path.join(paths.DASHBOARD_DIR, 'templates/proxyauth-login.ejs'), 'utf8');
    if (raw === null) return next(new HttpError(500, 'Login template not found'));

    const translatedContent = translation.translate(raw, translationAssets.translations || {}, translationAssets.fallback || {});
    let finalContent = '';

    const [getError, app] = await safe(apps.get(appId));
    if (getError) return next(new HttpError(503, getError.message));

    const title = app.label || app.manifest.title;

    let [iconError, iconBuffer] = await safe(apps.getIcon(app, {}));
    if (iconError) return next(new HttpError(500, `Error getting app icon: ${error.message}`));
    if (!iconBuffer) {
        iconBuffer = safe.fs.readFileSync(path.join(paths.DASHBOARD_DIR, 'img/appicon_fallback.png'));
        if (!iconBuffer) return next(new HttpError(500, 'App icon and fallback icon is missing'));
    }

    const icon = 'data:image/png;base64,' + iconBuffer.toString('base64');
    const { fqdn:dashboardFqdn } = await dashboard.getLocation();
    const dashboardOrigin = `https://${dashboardFqdn}`;

    try {
        finalContent = ejs.render(translatedContent, { title, icon, dashboardOrigin });
    } catch (e) {
        debug('loginPage: Error rendering proxyauth-login.ejs', e);
        return next(new HttpError(500, 'Login template error'));
    }

    res.set('Content-Type', 'text/html');
    return res.send(finalContent);
}

// someday this can be more sophisticated and check for a real browser
function isBrowser(req) {
    const userAgent = req.get('user-agent');
    if (!userAgent) return false;

    // https://github.com/docker/engine/blob/master/dockerversion/useragent.go#L18
    return !userAgent.toLowerCase().includes('docker') && !userAgent.toLowerCase().includes('container');
}

// called by nginx to authorize any protected route. this route must return only 2xx or 401/403 (http://nginx.org/en/docs/http/ngx_http_auth_request_module.html)
function auth(req, res, next) {
    if (!req.user) {
        res.clearCookie('authToken');
        if (isBrowser(req)) return next(new HttpError(401, 'Unauthorized'));

        // the header has to be generated here and cannot be set in nginx config - https://forum.nginx.org/read.php?2,171461,171469#msg-171469
        res.set('www-authenticate', 'Basic realm="Cloudron"');
        return next(new HttpError(401, 'Unauthorized'));
    }

    // user is already authenticated, refresh cookie
    const token = jwt.sign({ user: req.user }, gTokenSecret, { expiresIn: `${constants.DEFAULT_TOKEN_EXPIRATION_DAYS}d` });

    res.cookie('authToken', token, {
        httpOnly: true,
        maxAge: constants.DEFAULT_TOKEN_EXPIRATION_MSECS,
        secure: true
    });
    res.set('x-remote-user', req.user.username);
    res.set('x-remote-email', req.user.email);
    // ensure ascii in header, node will crash with ERR_INVALID_CHAR otherwise
    // eslint-disable-next-line no-control-regex
    res.set('x-remote-name', /^[\x00-\x7F]*$/.test(req.user.displayName) ? req.user.displayName : req.user.username);

    next(new HttpSuccess(200, {}));
}

async function callback(req, res, next) {
    if (!req.query.code) return next(new HttpError(400, 'missing query argument "code"'));

    debug(`callback: with code ${req.query.code}`);

    req.user = await oidc.getUserByAuthCode(req.query.code);

    // this is one-time use
    await oidc.consumeAuthCode(req.query.code);

    next();
}

// endpoint called by login page, username and password posted as JSON body
async function passwordAuth(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');

    const appId = req.headers['x-app-id'] || '';
    if (!appId) return next(new HttpError(503, 'Nginx misconfiguration'));

    if (typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be non empty string' ));
    if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be non empty string' ));
    if ('totpToken' in req.body && typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a string' ));

    const { username, password, totpToken } = req.body;

    const verifyFunc = username.indexOf('@') !== -1 ? users.verifyWithEmail : users.verifyWithUsername;
    const [error, user] = await safe(verifyFunc(username, password, appId, { totpToken, skipTotpCheck: false }));
    if (error) return next(new HttpError(403, error.message));

    req.user = user;
    next();
}

async function authorize(req, res, next) {
    const appId = req.headers['x-app-id'] || '';
    if (!appId) return next(new HttpError(503, 'Nginx misconfiguration'));

    const [error, app] = await safe(apps.get(appId));
    if (error) return next(new HttpError(403, 'No such app' ));

    if (!apps.canAccess(app, req.user)) return next(new HttpError(403, 'Forbidden' ));

    const token = jwt.sign({ user: users.removePrivateFields(req.user) }, gTokenSecret, { expiresIn: `${constants.DEFAULT_TOKEN_EXPIRATION_DAYS}d` });

    res.cookie('authToken', token, {
        httpOnly: true,
        maxAge: constants.DEFAULT_TOKEN_EXPIRATION_MSECS,
        secure: true
    });

    res.redirect(302, '/');
}

async function logoutPage(req, res, next) {
    const appId = req.headers['x-app-id'] || '';
    if (!appId) return next(new HttpError(503, 'Nginx misconfiguration'));

    const [error, app] = await safe(apps.get(appId));
    if (error) return next(new HttpError(503, error.message));

    res.clearCookie('authToken');

    // when we have no path, redirect to the login page. we cannot redirect to '/' because browsers will immediately serve up the cached page
    // if a path is set, we can assume '/' is a public page
    res.redirect(302, app.manifest.addons.proxyAuth.path ? '/' : '/login');
}

// provides webhooks for the auth wall
function initializeAuthwallExpressSync() {
    const app = express();
    const httpServer = http.createServer(app);

    const QUERY_LIMIT = '1mb'; // max size for json and urlencoded queries
    const REQUEST_TIMEOUT = 10000; // timeout for all requests

    const json = middleware.json({ strict: true, limit: QUERY_LIMIT }); // application/json

    const router = new express.Router();
    router.del = router.delete; // amend router.del for readability further on

    app
        .use(middleware.timeout(REQUEST_TIMEOUT))
        .use(middleware.cookieParser())
        .use(router)
        .use(middleware.lastMile());

    router.get ('/callback',  callback, authorize);
    router.get ('/login',     loginPage);
    router.get ('/auth',      jwtVerify, authorizationHeader, auth); // called by nginx before accessing protected page
    router.post('/login',     json, passwordAuth, authorize);
    router.get ('/logout',    logoutPage);
    router.post('/logout',    json, logoutPage);

    return httpServer;
}

async function start() {
    assert.strictEqual(gHttpServer, null, 'Authwall is already up and running.');

    gTokenSecret = await blobs.getString(blobs.PROXY_AUTH_TOKEN_SECRET);
    if (!gTokenSecret) {
        debug('start: generating new token secret');
        gTokenSecret = hat(64);
        await blobs.setString(blobs.PROXY_AUTH_TOKEN_SECRET, gTokenSecret);
    }

    gHttpServer = initializeAuthwallExpressSync();

    await util.promisify(gHttpServer.listen.bind(gHttpServer))(constants.AUTHWALL_PORT, '127.0.0.1');
}

async function stop() {
    if (!gHttpServer) return;

    await util.promisify(gHttpServer.close.bind(gHttpServer))();
    gHttpServer = null;
}
add support for protected sites 2020-11-09 20:34:48 -08:00			`'use strict';`

			`// heavily inspired from https://gock.net/blog/2020/nginx-subrequest-authentication-server/ and https://github.com/andygock/auth-server`

			`exports = module.exports = {`
			`start,`
			`stop`
			`};`

proxyauth: render as ejs tos end app title and icon 2020-11-11 00:21:51 -08:00			`const apps = require('./apps.js'),`
			`assert = require('assert'),`
proxyauth: support basic auth 2020-11-11 13:25:52 -08:00			`basicAuth = require('basic-auth'),`
proxyauth: on invalid token, redirect user 2022-02-01 17:56:40 -08:00			`blobs = require('./blobs.js'),`
add support for protected sites 2020-11-09 20:34:48 -08:00			`constants = require('./constants.js'),`
move dashboard setting into dashboard.js 2023-08-11 19:41:05 +05:30			`dashboard = require('./dashboard.js'),`
Add proxyAuth as an addon 2020-11-10 09:59:28 -08:00			`debug = require('debug')('box:proxyAuth'),`
Make proxyauth login translatable 2020-11-24 20:57:13 +01:00			`ejs = require('ejs'),`
add support for protected sites 2020-11-09 20:34:48 -08:00			`express = require('express'),`
proxy auth: create token secret 2020-11-10 17:10:57 -08:00			`hat = require('./hat.js'),`
add support for protected sites 2020-11-09 20:34:48 -08:00			`http = require('http'),`
			`HttpError = require('connect-lastmile').HttpError,`
			`HttpSuccess = require('connect-lastmile').HttpSuccess,`
			`jwt = require('jsonwebtoken'),`
			`middleware = require('./middleware'),`
proxyauth: user OpenID instead of basic auth 2024-04-15 12:35:03 +02:00			`oidc = require('./oidc.js'),`
add support for protected sites 2020-11-09 20:34:48 -08:00			`path = require('path'),`
proxy auth: create token secret 2020-11-10 17:10:57 -08:00			`paths = require('./paths.js'),`
proxyauth: render as ejs tos end app title and icon 2020-11-11 00:21:51 -08:00			`safe = require('safetydance'),`
Make proxyauth login translatable 2020-11-24 20:57:13 +01:00			`translation = require('./translation.js'),`
proxyauth: fix crash 2021-08-22 16:19:22 -07:00			`users = require('./users.js'),`
			`util = require('util');`
add support for protected sites 2020-11-09 20:34:48 -08:00
			`let gHttpServer = null;`
proxyAuth: persist the secret token 2022-02-01 17:16:25 -08:00			`let gTokenSecret = null;`
add support for protected sites 2020-11-09 20:34:48 -08:00
			`function jwtVerify(req, res, next) {`
			`const token = req.cookies.authToken;`

			`if (!token) return next();`

proxyAuth: persist the secret token 2022-02-01 17:16:25 -08:00			`jwt.verify(token, gTokenSecret, function (error, decoded) {`
add support for protected sites 2020-11-09 20:34:48 -08:00			`if (error) {`
proxyauth: on invalid token, redirect user 2022-02-01 17:56:40 -08:00			`debug('jwtVerify: malformed token or bad signature', error.message);`
			`req.user = null;`
			`} else {`
			`req.user = decoded.user \|\| null;`
add support for protected sites 2020-11-09 20:34:48 -08:00			`}`

			`next();`
			`});`
			`}`

proxyAuth: add supportsBearerAuth flag 2022-08-25 16:12:41 +02:00			`async function authorizationHeader(req, res, next) {`
proxyauth: support basic auth 2020-11-11 13:25:52 -08:00			`const appId = req.headers['x-app-id'] \|\| '';`
proxyAuth: add supportsBearerAuth flag 2022-08-25 16:12:41 +02:00			`if (!appId) return next();`

			`if (!req.headers.authorization) return next();`
proxyauth: support basic auth 2020-11-11 13:25:52 -08:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`const [error, app] = await safe(apps.get(appId));`
			`if (error) return next(new HttpError(503, error.message));`
proxyAuth: add supportsBearerAuth flag 2022-08-25 16:12:41 +02:00			`if (!app) return next(new HttpError(503, 'Error getting app'));`

add note on the reason for the flag 2022-08-25 16:36:57 +02:00			`// only if the app supports bearer auth, pass it through to the app. without this flag, anyone can access the app with Bearer auth!`
proxyAuth: add supportsBearerAuth flag 2022-08-25 16:12:41 +02:00			`if (req.headers.authorization.startsWith('Bearer ') && app.manifest.addons.proxyAuth.supportsBearerAuth) return next(new HttpSuccess(200, {}));`

			`const credentials = basicAuth(req);`
			`if (!credentials) return next();`
proxyauth: support basic auth 2020-11-11 13:25:52 -08:00
proxyAuth: add supportsBearerAuth flag 2022-08-25 16:12:41 +02:00			`if (!app.manifest.addons.proxyAuth.basicAuth) return next(); // this is a flag because this allows auth to bypass 2FA`
proxyAuth: check for basicAuth flag to permit basic auth 2021-02-23 21:52:58 -08:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`const verifyFunc = credentials.name.indexOf('@') !== -1 ? users.verifyWithEmail : users.verifyWithUsername;`
externalldap: add tests 2024-01-07 22:01:57 +01:00			`const [verifyError, user] = await safe(verifyFunc(credentials.name, credentials.pass, appId, { skipTotpCheck: true }));`
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`if (verifyError) return next(new HttpError(403, 'Invalid username or password' ));`
proxyAuth: check for basicAuth flag to permit basic auth 2021-02-23 21:52:58 -08:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`req.user = user;`
			`next();`
proxyauth: support basic auth 2020-11-11 13:25:52 -08:00			`}`

merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`async function loginPage(req, res, next) {`
proxyauth: render as ejs tos end app title and icon 2020-11-11 00:21:51 -08:00			`const appId = req.headers['x-app-id'] \|\| '';`
			`if (!appId) return next(new HttpError(503, 'Nginx misconfiguration'));`

merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`const [error, translationAssets] = await safe(translation.getTranslations());`
			`if (error) return next(new HttpError(500, 'No translation found'));`
Make proxyauth login translatable 2020-11-24 20:57:13 +01:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`const raw = safe.fs.readFileSync(path.join(paths.DASHBOARD_DIR, 'templates/proxyauth-login.ejs'), 'utf8');`
			`if (raw === null) return next(new HttpError(500, 'Login template not found'));`
Make proxyauth login translatable 2020-11-24 20:57:13 +01:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`const translatedContent = translation.translate(raw, translationAssets.translations \|\| {}, translationAssets.fallback \|\| {});`
			`let finalContent = '';`
Make proxyauth login translatable 2020-11-24 20:57:13 +01:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`const [getError, app] = await safe(apps.get(appId));`
			`if (getError) return next(new HttpError(503, getError.message));`
proxyauth: render as ejs tos end app title and icon 2020-11-11 00:21:51 -08:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`const title = app.label \|\| app.manifest.title;`
proxyauth: render as ejs tos end app title and icon 2020-11-11 00:21:51 -08:00
proxyAuth: use default fallback icon when no appstore icon or custom icon 2022-04-26 19:26:27 -07:00			`let [iconError, iconBuffer] = await safe(apps.getIcon(app, {}));`
			if (iconError) return next(new HttpError(500, `Error getting app icon: ${error.message}`));
			`if (!iconBuffer) {`
			`iconBuffer = safe.fs.readFileSync(path.join(paths.DASHBOARD_DIR, 'img/appicon_fallback.png'));`
			`if (!iconBuffer) return next(new HttpError(500, 'App icon and fallback icon is missing'));`
			`}`
proxyauth: render as ejs tos end app title and icon 2020-11-11 00:21:51 -08:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`const icon = 'data:image/png;base64,' + iconBuffer.toString('base64');`
move dashboard setting into dashboard.js 2023-08-11 19:41:05 +05:30			`const { fqdn:dashboardFqdn } = await dashboard.getLocation();`
			const dashboardOrigin = `https://${dashboardFqdn}`;
Make proxyauth login translatable 2020-11-24 20:57:13 +01:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`try {`
Provide dashboardOrigin to proxy auth for stylesheet sourcing 2021-11-03 22:12:30 +01:00			`finalContent = ejs.render(translatedContent, { title, icon, dashboardOrigin });`
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`} catch (e) {`
proxyAuth: persist the secret token 2022-02-01 17:16:25 -08:00			`debug('loginPage: Error rendering proxyauth-login.ejs', e);`
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`return next(new HttpError(500, 'Login template error'));`
			`}`

			`res.set('Content-Type', 'text/html');`
			`return res.send(finalContent);`
add support for protected sites 2020-11-09 20:34:48 -08:00			`}`

proxyauth: make auth error handler return 401 for docker client 2021-01-26 23:25:56 -08:00			`// someday this can be more sophisticated and check for a real browser`
			`function isBrowser(req) {`
			`const userAgent = req.get('user-agent');`
			`if (!userAgent) return false;`

proxyAuth: Fix docker UA detection 2021-02-09 13:44:34 -08:00			`// https://github.com/docker/engine/blob/master/dockerversion/useragent.go#L18`
Accomodate redhat client 2021-08-13 09:36:06 -07:00			`return !userAgent.toLowerCase().includes('docker') && !userAgent.toLowerCase().includes('container');`
proxyauth: make auth error handler return 401 for docker client 2021-01-26 23:25:56 -08:00			`}`

			`// called by nginx to authorize any protected route. this route must return only 2xx or 401/403 (http://nginx.org/en/docs/http/ngx_http_auth_request_module.html)`
add support for protected sites 2020-11-09 20:34:48 -08:00			`function auth(req, res, next) {`
proxyauth: make auth error handler return 401 for docker client 2021-01-26 23:25:56 -08:00			`if (!req.user) {`
proxyauth: on invalid token, redirect user 2022-02-01 17:56:40 -08:00			`res.clearCookie('authToken');`
proxyauth: make auth error handler return 401 for docker client 2021-01-26 23:25:56 -08:00			`if (isBrowser(req)) return next(new HttpError(401, 'Unauthorized'));`

			`// the header has to be generated here and cannot be set in nginx config - https://forum.nginx.org/read.php?2,171461,171469#msg-171469`
			`res.set('www-authenticate', 'Basic realm="Cloudron"');`
			`return next(new HttpError(401, 'Unauthorized'));`
			`}`
add support for protected sites 2020-11-09 20:34:48 -08:00
			`// user is already authenticated, refresh cookie`
proxyAuth: persist the secret token 2022-02-01 17:16:25 -08:00			const token = jwt.sign({ user: req.user }, gTokenSecret, { expiresIn: `${constants.DEFAULT_TOKEN_EXPIRATION_DAYS}d` });
add support for protected sites 2020-11-09 20:34:48 -08:00
			`res.cookie('authToken', token, {`
			`httpOnly: true,`
proxyAuth: use default expiry time in cookie (1 year) 2021-04-30 10:31:09 -07:00			`maxAge: constants.DEFAULT_TOKEN_EXPIRATION_MSECS,`
add support for protected sites 2020-11-09 20:34:48 -08:00			`secure: true`
			`});`
proxyAuth: set X-Remote-User, X-Remote-Email headers 2022-04-21 15:47:50 -07:00			`res.set('x-remote-user', req.user.username);`
			`res.set('x-remote-email', req.user.email);`
proxyauth: ensure ascii in x-remote-name 2023-01-30 12:27:58 +01:00			`// ensure ascii in header, node will crash with ERR_INVALID_CHAR otherwise`
			`// eslint-disable-next-line no-control-regex`
			`res.set('x-remote-name', /^[\x00-\x7F]*$/.test(req.user.displayName) ? req.user.displayName : req.user.username);`
add support for protected sites 2020-11-09 20:34:48 -08:00
proxyAuth: add supportsBearerAuth flag 2022-08-25 16:12:41 +02:00			`next(new HttpSuccess(200, {}));`
add support for protected sites 2020-11-09 20:34:48 -08:00			`}`

proxyauth: user OpenID instead of basic auth 2024-04-15 12:35:03 +02:00			`async function callback(req, res, next) {`
			`if (!req.query.code) return next(new HttpError(400, 'missing query argument "code"'));`

			debug(`callback: with code ${req.query.code}`);

			`req.user = await oidc.getUserByAuthCode(req.query.code);`

			`// this is one-time use`
			`await oidc.consumeAuthCode(req.query.code);`

			`next();`
			`}`

add support for protected sites 2020-11-09 20:34:48 -08:00			`// endpoint called by login page, username and password posted as JSON body`
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`async function passwordAuth(req, res, next) {`
add support for protected sites 2020-11-09 20:34:48 -08:00			`assert.strictEqual(typeof req.body, 'object');`

			`const appId = req.headers['x-app-id'] \|\| '';`
			`if (!appId) return next(new HttpError(503, 'Nginx misconfiguration'));`

serve proxyauth login file from the dashboard 2020-11-10 20:04:31 -08:00			`if (typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be non empty string' ));`
			`if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be non empty string' ));`
fix some typos 2020-12-20 14:41:16 -08:00			`if ('totpToken' in req.body && typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a string' ));`
add support for protected sites 2020-11-09 20:34:48 -08:00
fix some typos 2020-12-20 14:41:16 -08:00			`const { username, password, totpToken } = req.body;`
add support for protected sites 2020-11-09 20:34:48 -08:00
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`const verifyFunc = username.indexOf('@') !== -1 ? users.verifyWithEmail : users.verifyWithUsername;`
external ldap: ensure dashboard login does totp check 2024-01-08 11:55:35 +01:00			`const [error, user] = await safe(verifyFunc(username, password, appId, { totpToken, skipTotpCheck: false }));`
unify totp check 2023-03-12 15:09:20 +01:00			`if (error) return next(new HttpError(403, error.message));`
proxyauth: add 2fa 2020-12-20 13:13:36 -08:00
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`req.user = user;`
			`next();`
proxyAuth: authorization logic 2020-11-20 17:54:17 -08:00			`}`
add support for protected sites 2020-11-09 20:34:48 -08:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`async function authorize(req, res, next) {`
proxyAuth: authorization logic 2020-11-20 17:54:17 -08:00			`const appId = req.headers['x-app-id'] \|\| '';`
			`if (!appId) return next(new HttpError(503, 'Nginx misconfiguration'));`
add support for protected sites 2020-11-09 20:34:48 -08:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`const [error, app] = await safe(apps.get(appId));`
			`if (error) return next(new HttpError(403, 'No such app' ));`
proxyAuth: authorization logic 2020-11-20 17:54:17 -08:00
apps: hasAccessTo -> canAccess 2021-09-21 10:00:47 -07:00			`if (!apps.canAccess(app, req.user)) return next(new HttpError(403, 'Forbidden' ));`
proxyAuth: authorization logic 2020-11-20 17:54:17 -08:00
proxyAuth: persist the secret token 2022-02-01 17:16:25 -08:00			const token = jwt.sign({ user: users.removePrivateFields(req.user) }, gTokenSecret, { expiresIn: `${constants.DEFAULT_TOKEN_EXPIRATION_DAYS}d` });
proxyAuth: authorization logic 2020-11-20 17:54:17 -08:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`res.cookie('authToken', token, {`
			`httpOnly: true,`
			`maxAge: constants.DEFAULT_TOKEN_EXPIRATION_MSECS,`
			`secure: true`
add support for protected sites 2020-11-09 20:34:48 -08:00			`});`
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00
			`res.redirect(302, '/');`
add support for protected sites 2020-11-09 20:34:48 -08:00			`}`

merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`async function logoutPage(req, res, next) {`
proxyAuth: redirect to /login when logout 2020-12-19 12:30:06 -08:00			`const appId = req.headers['x-app-id'] \|\| '';`
			`if (!appId) return next(new HttpError(503, 'Nginx misconfiguration'));`

merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`const [error, app] = await safe(apps.get(appId));`
			`if (error) return next(new HttpError(503, error.message));`
proxyAuth: redirect to /login when logout 2020-12-19 12:30:06 -08:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`res.clearCookie('authToken');`
proxyAuth: redirect to /login when logout 2020-12-19 12:30:06 -08:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`// when we have no path, redirect to the login page. we cannot redirect to '/' because browsers will immediately serve up the cached page`
			`// if a path is set, we can assume '/' is a public page`
			`res.redirect(302, app.manifest.addons.proxyAuth.path ? '/' : '/login');`
add support for protected sites 2020-11-09 20:34:48 -08:00			`}`

			`// provides webhooks for the auth wall`
			`function initializeAuthwallExpressSync() {`
more async'ification 2021-09-07 09:57:49 -07:00			`const app = express();`
			`const httpServer = http.createServer(app);`
add support for protected sites 2020-11-09 20:34:48 -08:00
more async'ification 2021-09-07 09:57:49 -07:00			`const QUERY_LIMIT = '1mb'; // max size for json and urlencoded queries`
			`const REQUEST_TIMEOUT = 10000; // timeout for all requests`
add support for protected sites 2020-11-09 20:34:48 -08:00
more async'ification 2021-09-07 09:57:49 -07:00			`const json = middleware.json({ strict: true, limit: QUERY_LIMIT }); // application/json`
add support for protected sites 2020-11-09 20:34:48 -08:00
more async'ification 2021-09-07 09:57:49 -07:00			`const router = new express.Router();`
add support for protected sites 2020-11-09 20:34:48 -08:00			`router.del = router.delete; // amend router.del for readability further on`

			`app`
			`.use(middleware.timeout(REQUEST_TIMEOUT))`
			`.use(middleware.cookieParser())`
			`.use(router)`
			`.use(middleware.lastMile());`

proxyauth: user OpenID instead of basic auth 2024-04-15 12:35:03 +02:00			`router.get ('/callback', callback, authorize);`
add support for protected sites 2020-11-09 20:34:48 -08:00			`router.get ('/login', loginPage);`
proxyAuth: add supportsBearerAuth flag 2022-08-25 16:12:41 +02:00			`router.get ('/auth', jwtVerify, authorizationHeader, auth); // called by nginx before accessing protected page`
proxyauth: add 2fa 2020-12-20 13:13:36 -08:00			`router.post('/login', json, passwordAuth, authorize);`
add support for protected sites 2020-11-09 20:34:48 -08:00			`router.get ('/logout', logoutPage);`
proxyAuth: make the POST to /logout redirect 2022-05-03 18:15:18 -07:00			`router.post('/logout', json, logoutPage);`
add support for protected sites 2020-11-09 20:34:48 -08:00
			`return httpServer;`
			`}`

more async'ification 2021-09-07 09:57:49 -07:00			`async function start() {`
add support for protected sites 2020-11-09 20:34:48 -08:00			`assert.strictEqual(gHttpServer, null, 'Authwall is already up and running.');`

proxyAuth: persist the secret token 2022-02-01 17:16:25 -08:00			`gTokenSecret = await blobs.getString(blobs.PROXY_AUTH_TOKEN_SECRET);`
			`if (!gTokenSecret) {`
			`debug('start: generating new token secret');`
			`gTokenSecret = hat(64);`
			`await blobs.setString(blobs.PROXY_AUTH_TOKEN_SECRET, gTokenSecret);`
proxy auth: create token secret 2020-11-10 17:10:57 -08:00			`}`

add support for protected sites 2020-11-09 20:34:48 -08:00			`gHttpServer = initializeAuthwallExpressSync();`

more async'ification 2021-09-07 09:57:49 -07:00			`await util.promisify(gHttpServer.listen.bind(gHttpServer))(constants.AUTHWALL_PORT, '127.0.0.1');`
add support for protected sites 2020-11-09 20:34:48 -08:00			`}`

more async'ification 2021-09-07 09:57:49 -07:00			`async function stop() {`
			`if (!gHttpServer) return;`
add support for protected sites 2020-11-09 20:34:48 -08:00
more async'ification 2021-09-07 09:57:49 -07:00			`await util.promisify(gHttpServer.close.bind(gHttpServer))();`
add support for protected sites 2020-11-09 20:34:48 -08:00			`gHttpServer = null;`
			`}`