src/routes/accesscontrol.js

'use strict';

exports = module.exports = {
    passwordAuth: passwordAuth,
    tokenAuth: tokenAuth,

    authorize: authorize,
    websocketAuth: websocketAuth
};

var accesscontrol = require('../accesscontrol.js'),
    assert = require('assert'),
    BoxError = require('../boxerror.js'),
    externalLdap = require('../externalldap.js'),
    HttpError = require('connect-lastmile').HttpError,
    users = require('../users.js'),
    speakeasy = require('speakeasy');

function passwordAuth(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');

    if (!req.body.username || typeof req.body.username !== 'string') return next(new HttpError(400, 'A username must be non-empty string'));
    if (!req.body.password || typeof req.body.password !== 'string') return next(new HttpError(400, 'A password must be non-empty string'));

    const username = req.body.username;
    const password = req.body.password;

    function check2FA(user) {
        assert.strictEqual(typeof user, 'object');

        if (!user.ghost && !user.appPassword && user.twoFactorAuthenticationEnabled) {
            if (!req.body.totpToken) return next(new HttpError(401, 'A totpToken must be provided'));

            let verified = speakeasy.totp.verify({ secret: user.twoFactorAuthenticationSecret, encoding: 'base32', token: req.body.totpToken, window: 2 });
            if (!verified) return next(new HttpError(401, 'Invalid totpToken'));
        }

        req.user = user;

        next();
    }

    function createAndVerifyUserIfNotExist(identifier, password) {
        assert.strictEqual(typeof identifier, 'string');
        assert.strictEqual(typeof password, 'string');

        externalLdap.createAndVerifyUserIfNotExist(identifier.toLowerCase(), password, function (error, result) {
            if (error && error.reason === BoxError.BAD_STATE) return next(new HttpError(401, 'Unauthorized'));
            if (error && error.reason === BoxError.BAD_FIELD) return next(new HttpError(401, 'Unauthorized'));
            if (error && error.reason === BoxError.CONFLICT) return next(new HttpError(401, 'Unauthorized'));
            if (error && error.reason === BoxError.NOT_FOUND) return next(new HttpError(401, 'Unauthorized'));
            if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
            if (error) return next(new HttpError(500, error));

            check2FA(result);
        });
    }

    if (username.indexOf('@') === -1) {
        users.verifyWithUsername(username, password, users.AP_WEBADMIN, function (error, result) {
            if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(username, password);
            if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
            if (error) return next(new HttpError(500, error));
            if (!result) return next(new HttpError(401, 'Unauthorized'));

            check2FA(result);
        });
    } else {
        users.verifyWithEmail(username, password, users.AP_WEBADMIN, function (error, result) {
            if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(username, password);
            if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
            if (error) return next(new HttpError(500, error));
            if (!result) return next(new HttpError(401, 'Unauthorized'));

            check2FA(result);
        });
    }
}

function tokenAuth(req, res, next) {
    var token;

    // this determines the priority
    if (req.body && req.body.access_token) token = req.body.access_token;
    if (req.query && req.query.access_token) token = req.query.access_token;
    if (req.headers && req.headers.authorization) {
        var parts = req.headers.authorization.split(' ');
        if (parts.length == 2) {
            var scheme = parts[0];
            var credentials = parts[1];

            if (/^Bearer$/i.test(scheme)) token = credentials;
        }
    }

    if (!token) return next(new HttpError(401, 'Unauthorized'));

    accesscontrol.verifyToken(token, function (error, user) {
        if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
        if (error) return next(new HttpError(500, error.message));

        req.user = user;

        next();
    });
}

function authorize(requiredRole) {
    assert.strictEqual(typeof requiredRole, 'string');

    return function (req, res, next) {
        assert.strictEqual(typeof req.user, 'object');

        if (users.compareRoles(req.user.role, requiredRole) < 0) return next(new HttpError(403, `role '${requiredRole}' is required but user has only '${req.user.role}'`));

        next();
    };
}

function websocketAuth(requiredRole, req, res, next) {
    assert.strictEqual(typeof requiredRole, 'string');

    if (typeof req.query.access_token !== 'string') return next(new HttpError(401, 'Unauthorized'));

    accesscontrol.verifyToken(req.query.access_token, function (error, user) {
        if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
        if (error) return next(new HttpError(500, error.message));

        req.user = user;

        if (users.compareRoles(req.user.role, requiredRole) < 0) return next(new HttpError(403, `role '${requiredRole}' is required but user has only '${user.role}'`));

        next();
    });
}
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`'use strict';`

			`exports = module.exports = {`
Remove passport 2020-02-06 14:50:12 +01:00			`passwordAuth: passwordAuth,`
			`tokenAuth: tokenAuth,`
spaces: verify app ownership in app management routes 2018-08-03 17:21:24 -07:00
Remove token scope business 2020-02-06 16:44:46 +01:00			`authorize: authorize,`
move verifyOperator to users routes 2018-09-05 23:03:17 -07:00			`websocketAuth: websocketAuth`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`};`

			`var accesscontrol = require('../accesscontrol.js'),`
			`assert = require('assert'),`
Move ClientsError to BoxError 2019-10-22 21:16:00 -07:00			`BoxError = require('../boxerror.js'),`
Only create external ldap users for oauth logins 2019-11-20 19:48:40 +01:00			`externalLdap = require('../externalldap.js'),`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`HttpError = require('connect-lastmile').HttpError,`
Move 2fa validation in one place 2020-02-06 15:36:14 +01:00			`users = require('../users.js'),`
			`speakeasy = require('speakeasy');`
Move passport logic to routes 2018-06-15 17:31:28 -07:00
Remove passport 2020-02-06 14:50:12 +01:00			`function passwordAuth(req, res, next) {`
			`assert.strictEqual(typeof req.body, 'object');`
Move passport logic to routes 2018-06-15 17:31:28 -07:00
Remove passport 2020-02-06 14:50:12 +01:00			`if (!req.body.username \|\| typeof req.body.username !== 'string') return next(new HttpError(400, 'A username must be non-empty string'));`
			`if (!req.body.password \|\| typeof req.body.password !== 'string') return next(new HttpError(400, 'A password must be non-empty string'));`

			`const username = req.body.username;`
			`const password = req.body.password;`

Move 2fa validation in one place 2020-02-06 15:36:14 +01:00			`function check2FA(user) {`
			`assert.strictEqual(typeof user, 'object');`

			`if (!user.ghost && !user.appPassword && user.twoFactorAuthenticationEnabled) {`
			`if (!req.body.totpToken) return next(new HttpError(401, 'A totpToken must be provided'));`

			`let verified = speakeasy.totp.verify({ secret: user.twoFactorAuthenticationSecret, encoding: 'base32', token: req.body.totpToken, window: 2 });`
			`if (!verified) return next(new HttpError(401, 'Invalid totpToken'));`
			`}`

			`req.user = user;`

			`next();`
			`}`

Remove passport 2020-02-06 14:50:12 +01:00			`function createAndVerifyUserIfNotExist(identifier, password) {`
			`assert.strictEqual(typeof identifier, 'string');`
			`assert.strictEqual(typeof password, 'string');`

			`externalLdap.createAndVerifyUserIfNotExist(identifier.toLowerCase(), password, function (error, result) {`
			`if (error && error.reason === BoxError.BAD_STATE) return next(new HttpError(401, 'Unauthorized'));`
			`if (error && error.reason === BoxError.BAD_FIELD) return next(new HttpError(401, 'Unauthorized'));`
			`if (error && error.reason === BoxError.CONFLICT) return next(new HttpError(401, 'Unauthorized'));`
			`if (error && error.reason === BoxError.NOT_FOUND) return next(new HttpError(401, 'Unauthorized'));`
			`if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));`
			`if (error) return next(new HttpError(500, error));`
Move passport logic to routes 2018-06-15 17:31:28 -07:00
Move 2fa validation in one place 2020-02-06 15:36:14 +01:00			`check2FA(result);`
Move passport logic to routes 2018-06-15 17:31:28 -07:00			`});`
Remove passport 2020-02-06 14:50:12 +01:00			`}`
Move passport logic to routes 2018-06-15 17:31:28 -07:00
Remove passport 2020-02-06 14:50:12 +01:00			`if (username.indexOf('@') === -1) {`
			`users.verifyWithUsername(username, password, users.AP_WEBADMIN, function (error, result) {`
			`if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(username, password);`
			`if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));`
			`if (error) return next(new HttpError(500, error));`
			`if (!result) return next(new HttpError(401, 'Unauthorized'));`
Only create external ldap users for oauth logins 2019-11-20 19:48:40 +01:00
Move 2fa validation in one place 2020-02-06 15:36:14 +01:00			`check2FA(result);`
Remove passport 2020-02-06 14:50:12 +01:00			`});`
			`} else {`
			`users.verifyWithEmail(username, password, users.AP_WEBADMIN, function (error, result) {`
			`if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(username, password);`
			`if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));`
			`if (error) return next(new HttpError(500, error));`
			`if (!result) return next(new HttpError(401, 'Unauthorized'));`
Move passport logic to routes 2018-06-15 17:31:28 -07:00
Move 2fa validation in one place 2020-02-06 15:36:14 +01:00			`check2FA(result);`
Remove passport 2020-02-06 14:50:12 +01:00			`});`
			`}`
Move passport logic to routes 2018-06-15 17:31:28 -07:00			`}`

Remove passport 2020-02-06 14:50:12 +01:00			`function tokenAuth(req, res, next) {`
			`var token;`

			`// this determines the priority`
			`if (req.body && req.body.access_token) token = req.body.access_token;`
			`if (req.query && req.query.access_token) token = req.query.access_token;`
			`if (req.headers && req.headers.authorization) {`
			`var parts = req.headers.authorization.split(' ');`
			`if (parts.length == 2) {`
			`var scheme = parts[0];`
			`var credentials = parts[1];`
Move passport logic to routes 2018-06-15 17:31:28 -07:00
Remove passport 2020-02-06 14:50:12 +01:00			`if (/^Bearer$/i.test(scheme)) token = credentials;`
			`}`
			`}`

			`if (!token) return next(new HttpError(401, 'Unauthorized'));`

Remove token scope business 2020-02-06 16:44:46 +01:00			`accesscontrol.verifyToken(token, function (error, user) {`
			`if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));`
Remove passport 2020-02-06 14:50:12 +01:00			`if (error) return next(new HttpError(500, error.message));`

			`req.user = user;`

			`next();`
			`});`
Move passport logic to routes 2018-06-15 17:31:28 -07:00			`}`

migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			`function authorize(requiredRole) {`
			`assert.strictEqual(typeof requiredRole, 'string');`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
Remove passport 2020-02-06 14:50:12 +01:00			`return function (req, res, next) {`
Fix typo 2020-02-06 17:29:45 +01:00			`assert.strictEqual(typeof req.user, 'object');`
Remove scope from users.get 2018-06-17 15:25:41 -07:00
migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			if (users.compareRoles(req.user.role, requiredRole) < 0) return next(new HttpError(403, `role '${requiredRole}' is required but user has only '${req.user.role}'`));
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
Remove passport 2020-02-06 14:50:12 +01:00			`next();`
			`};`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`}`

Remove token scope business 2020-02-06 16:44:46 +01:00			`function websocketAuth(requiredRole, req, res, next) {`
			`assert.strictEqual(typeof requiredRole, 'string');`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
			`if (typeof req.query.access_token !== 'string') return next(new HttpError(401, 'Unauthorized'));`

Remove token scope business 2020-02-06 16:44:46 +01:00			`accesscontrol.verifyToken(req.query.access_token, function (error, user) {`
			`if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`if (error) return next(new HttpError(500, error.message));`

			`req.user = user;`

migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			if (users.compareRoles(req.user.role, requiredRole) < 0) return next(new HttpError(403, `role '${requiredRole}' is required but user has only '${user.role}'`));
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
			`next();`
			`});`
			`}`