2020-11-09 20:34:48 -08:00
|
|
|
'use strict';
|
|
|
|
|
|
|
|
|
|
// heavily inspired from https://gock.net/blog/2020/nginx-subrequest-authentication-server/ and https://github.com/andygock/auth-server
|
|
|
|
|
|
|
|
|
|
exports = module.exports = {
|
|
|
|
|
start,
|
|
|
|
|
stop
|
|
|
|
|
};
|
|
|
|
|
|
2020-11-11 00:21:51 -08:00
|
|
|
const apps = require('./apps.js'),
|
|
|
|
|
assert = require('assert'),
|
2020-11-11 13:25:52 -08:00
|
|
|
basicAuth = require('basic-auth'),
|
2020-11-09 20:34:48 -08:00
|
|
|
constants = require('./constants.js'),
|
2020-11-10 09:59:28 -08:00
|
|
|
debug = require('debug')('box:proxyAuth'),
|
2020-11-09 20:34:48 -08:00
|
|
|
express = require('express'),
|
2020-11-10 17:10:57 -08:00
|
|
|
fs = require('fs'),
|
|
|
|
|
hat = require('./hat.js'),
|
2020-11-09 20:34:48 -08:00
|
|
|
http = require('http'),
|
|
|
|
|
HttpError = require('connect-lastmile').HttpError,
|
|
|
|
|
HttpSuccess = require('connect-lastmile').HttpSuccess,
|
|
|
|
|
jwt = require('jsonwebtoken'),
|
|
|
|
|
middleware = require('./middleware'),
|
|
|
|
|
path = require('path'),
|
2020-11-10 17:10:57 -08:00
|
|
|
paths = require('./paths.js'),
|
2020-11-11 00:21:51 -08:00
|
|
|
safe = require('safetydance'),
|
2020-11-09 20:34:48 -08:00
|
|
|
users = require('./users.js');
|
|
|
|
|
|
|
|
|
|
let gHttpServer = null;
|
2020-11-10 17:10:57 -08:00
|
|
|
let TOKEN_SECRET = null;
|
2020-11-09 20:34:48 -08:00
|
|
|
const EXPIRY_DAYS = 7;
|
|
|
|
|
|
|
|
|
|
function jwtVerify(req, res, next) {
|
|
|
|
|
const token = req.cookies.authToken;
|
|
|
|
|
|
|
|
|
|
if (!token) return next();
|
|
|
|
|
|
|
|
|
|
jwt.verify(token, TOKEN_SECRET, function (error, decoded) {
|
|
|
|
|
if (error) {
|
|
|
|
|
debug('clearing token', error);
|
|
|
|
|
res.clearCookie('authToken');
|
|
|
|
|
return next(new HttpError(403, 'Malformed token or bad signature'));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
req.user = decoded.user || null;
|
|
|
|
|
next();
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-11 13:25:52 -08:00
|
|
|
function basicAuthVerify(req, res, next) {
|
|
|
|
|
const appId = req.headers['x-app-id'] || '';
|
|
|
|
|
const credentials = basicAuth(req);
|
|
|
|
|
if (!appId || !credentials) return next();
|
|
|
|
|
|
|
|
|
|
const api = credentials.name.indexOf('@') !== -1 ? users.verifyWithEmail : users.verifyWithUsername;
|
|
|
|
|
|
|
|
|
|
api(credentials.name, credentials.pass, appId, function (error, user) {
|
|
|
|
|
if (error) return next(new HttpError(403, 'Invalid username or password' ));
|
|
|
|
|
|
|
|
|
|
req.user = user;
|
|
|
|
|
next();
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-11 00:21:51 -08:00
|
|
|
function loginPage(req, res, next) {
|
|
|
|
|
const appId = req.headers['x-app-id'] || '';
|
|
|
|
|
if (!appId) return next(new HttpError(503, 'Nginx misconfiguration'));
|
|
|
|
|
|
|
|
|
|
apps.get(appId, function (error, app) {
|
|
|
|
|
if (error) return next(new HttpError(503, error.message));
|
|
|
|
|
|
|
|
|
|
const title = app.label || app.manifest.title;
|
|
|
|
|
|
|
|
|
|
apps.getIconPath(app, {}, function (error, iconPath) {
|
2020-11-11 11:24:20 +01:00
|
|
|
const icon = 'data:image/png;base64,' + safe.fs.readFileSync(iconPath || '', 'base64');
|
2020-11-11 00:21:51 -08:00
|
|
|
|
|
|
|
|
return res.render(path.join(paths.DASHBOARD_DIR, 'templates/proxyauth-login.ejs'), { title, icon });
|
|
|
|
|
});
|
|
|
|
|
});
|
2020-11-09 20:34:48 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// called by nginx to authorize any protected route
|
|
|
|
|
function auth(req, res, next) {
|
|
|
|
|
if (!req.user) return next(new HttpError(401, 'Unauthorized'));
|
|
|
|
|
|
|
|
|
|
// user is already authenticated, refresh cookie
|
|
|
|
|
const token = jwt.sign({ user: req.user }, TOKEN_SECRET, { expiresIn: `${EXPIRY_DAYS}d` });
|
|
|
|
|
|
|
|
|
|
res.cookie('authToken', token, {
|
|
|
|
|
httpOnly: true,
|
|
|
|
|
maxAge: EXPIRY_DAYS * 86400 * 1000, // milliseconds
|
|
|
|
|
secure: true
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
return next(new HttpSuccess(200, {}));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// endpoint called by login page, username and password posted as JSON body
|
2020-11-20 17:54:17 -08:00
|
|
|
function authenticate(req, res, next) {
|
2020-11-09 20:34:48 -08:00
|
|
|
assert.strictEqual(typeof req.body, 'object');
|
|
|
|
|
|
|
|
|
|
const appId = req.headers['x-app-id'] || '';
|
|
|
|
|
if (!appId) return next(new HttpError(503, 'Nginx misconfiguration'));
|
|
|
|
|
|
2020-11-10 20:04:31 -08:00
|
|
|
if (typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be non empty string' ));
|
|
|
|
|
if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be non empty string' ));
|
2020-11-09 20:34:48 -08:00
|
|
|
|
|
|
|
|
const { username, password } = req.body;
|
|
|
|
|
|
|
|
|
|
const api = username.indexOf('@') !== -1 ? users.verifyWithEmail : users.verifyWithUsername;
|
|
|
|
|
|
|
|
|
|
api(username, password, appId, function (error, user) {
|
2020-11-10 20:04:31 -08:00
|
|
|
if (error) return next(new HttpError(403, 'Invalid username or password' ));
|
2020-11-09 20:34:48 -08:00
|
|
|
|
2020-11-20 17:54:17 -08:00
|
|
|
req.user = user;
|
|
|
|
|
next();
|
|
|
|
|
});
|
|
|
|
|
}
|
2020-11-09 20:34:48 -08:00
|
|
|
|
2020-11-20 17:54:17 -08:00
|
|
|
function authorize(req, res, next) {
|
|
|
|
|
const appId = req.headers['x-app-id'] || '';
|
|
|
|
|
if (!appId) return next(new HttpError(503, 'Nginx misconfiguration'));
|
2020-11-09 20:34:48 -08:00
|
|
|
|
2020-11-20 17:54:17 -08:00
|
|
|
apps.get(appId, function (error, app) {
|
|
|
|
|
if (error) return next(new HttpError(403, 'No such app' ));
|
|
|
|
|
|
|
|
|
|
apps.hasAccessTo(app, req.user, function (error, hasAccess) {
|
|
|
|
|
if (error) return next(new HttpError(403, 'Forbidden' ));
|
|
|
|
|
if (!hasAccess) return next(new HttpError(403, 'Forbidden' ));
|
|
|
|
|
|
|
|
|
|
const token = jwt.sign({ user: users.removePrivateFields(req.user) }, TOKEN_SECRET, { expiresIn: `${EXPIRY_DAYS}d` });
|
|
|
|
|
|
|
|
|
|
res.cookie('authToken', token, {
|
|
|
|
|
httpOnly: true,
|
|
|
|
|
maxAge: EXPIRY_DAYS * 86400 * 1000, // milliseconds
|
|
|
|
|
secure: true
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
res.redirect('/');
|
|
|
|
|
});
|
2020-11-09 20:34:48 -08:00
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function logoutPage(req, res) {
|
|
|
|
|
res.clearCookie('authToken');
|
2020-11-20 18:13:23 -08:00
|
|
|
res.redirect('/'); // do not redirect to '/login' as it may not be protected
|
2020-11-09 20:34:48 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function logout(req, res, next) {
|
|
|
|
|
res.clearCookie('authToken');
|
|
|
|
|
next(new HttpSuccess(200, {}));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// provides webhooks for the auth wall
|
|
|
|
|
function initializeAuthwallExpressSync() {
|
|
|
|
|
let app = express();
|
|
|
|
|
let httpServer = http.createServer(app);
|
|
|
|
|
|
|
|
|
|
let QUERY_LIMIT = '1mb'; // max size for json and urlencoded queries
|
|
|
|
|
let REQUEST_TIMEOUT = 10000; // timeout for all requests
|
|
|
|
|
|
2020-11-11 13:25:52 -08:00
|
|
|
let json = middleware.json({ strict: true, limit: QUERY_LIMIT }); // application/json
|
2020-11-09 20:34:48 -08:00
|
|
|
|
2020-11-10 19:49:57 -08:00
|
|
|
if (process.env.BOX_ENV !== 'test') app.use(middleware.morgan('proxyauth :method :url :status :response-time ms - :res[content-length]', { immediate: false }));
|
2020-11-09 20:34:48 -08:00
|
|
|
|
|
|
|
|
var router = new express.Router();
|
|
|
|
|
router.del = router.delete; // amend router.del for readability further on
|
|
|
|
|
|
2020-11-11 00:21:51 -08:00
|
|
|
app.set('view engine', 'ejs');
|
|
|
|
|
|
2020-11-09 20:34:48 -08:00
|
|
|
app
|
|
|
|
|
.use(middleware.timeout(REQUEST_TIMEOUT))
|
|
|
|
|
.use(middleware.cookieParser())
|
|
|
|
|
.use(router)
|
|
|
|
|
.use(middleware.lastMile());
|
|
|
|
|
|
|
|
|
|
router.get ('/login', loginPage);
|
2020-11-11 13:25:52 -08:00
|
|
|
router.get ('/auth', jwtVerify, basicAuthVerify, auth);
|
2020-11-20 17:54:17 -08:00
|
|
|
router.post('/login', json, authenticate, authorize);
|
2020-11-09 20:34:48 -08:00
|
|
|
router.get ('/logout', logoutPage);
|
2020-11-11 13:25:52 -08:00
|
|
|
router.post('/logout', json, logout);
|
2020-11-09 20:34:48 -08:00
|
|
|
|
|
|
|
|
return httpServer;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function start(callback) {
|
|
|
|
|
assert.strictEqual(typeof callback, 'function');
|
|
|
|
|
assert.strictEqual(gHttpServer, null, 'Authwall is already up and running.');
|
|
|
|
|
|
2020-11-10 17:10:57 -08:00
|
|
|
if (!fs.existsSync(paths.PROXY_AUTH_TOKEN_SECRET_FILE)) {
|
|
|
|
|
TOKEN_SECRET = hat(64);
|
|
|
|
|
fs.writeFileSync(paths.PROXY_AUTH_TOKEN_SECRET_FILE, TOKEN_SECRET, 'utf8');
|
|
|
|
|
} else {
|
|
|
|
|
TOKEN_SECRET = fs.readFileSync(paths.PROXY_AUTH_TOKEN_SECRET_FILE, 'utf8').trim();
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-09 20:34:48 -08:00
|
|
|
gHttpServer = initializeAuthwallExpressSync();
|
|
|
|
|
|
|
|
|
|
gHttpServer.listen(constants.AUTHWALL_PORT, '127.0.0.1', callback);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function stop(callback) {
|
|
|
|
|
assert.strictEqual(typeof callback, 'function');
|
|
|
|
|
|
|
|
|
|
if (!gHttpServer) return callback(null);
|
|
|
|
|
|
|
|
|
|
gHttpServer.close(callback);
|
|
|
|
|
gHttpServer = null;
|
|
|
|
|
}
|
