src/routes/accesscontrol.js

'use strict';

exports = module.exports = {
    passwordAuth,
    tokenAuth,

    authorize,
    authorizeOperator,
};

const apps = require('../apps.js'),
    tokens = require('../tokens.js'),
    assert = require('assert'),
    BoxError = require('../boxerror.js'),
    HttpError = require('connect-lastmile').HttpError,
    safe = require('safetydance'),
    users = require('../users.js');

async function passwordAuth(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');

    if (!req.body.username || typeof req.body.username !== 'string') return next(new HttpError(400, 'A username must be non-empty string'));
    if (!req.body.password || typeof req.body.password !== 'string') return next(new HttpError(400, 'A password must be non-empty string'));
    if ('totpToken' in req.body && typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a string' ));

    const { username, password, totpToken } = req.body;

    const verifyFunc = username.indexOf('@') === -1 ? users.verifyWithUsername : users.verifyWithEmail;

    let [error, user] =  await safe(verifyFunc(username, password, users.AP_WEBADMIN, { totpToken, skipTotpCheck: false }));
    if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, error.message));
    if (error && error.reason === BoxError.NOT_FOUND) return next(new HttpError(401, 'Unauthorized'));
    if (error) return next(new HttpError(500, error));
    if (!user) return next(new HttpError(401, 'Unauthorized'));

    req.user = user;

    next();
}

async function tokenAuth(req, res, next) {
    let accessToken;

    // this determines the priority
    if (req.body && req.body.access_token) accessToken = req.body.access_token;
    if (req.query && req.query.access_token) accessToken = req.query.access_token;
    if (req.headers && req.headers.authorization) {
        const parts = req.headers.authorization.split(' ');
        if (parts.length == 2) {
            const [scheme, credentials] = parts;

            if (/^Bearer$/i.test(scheme)) accessToken = credentials;
        }
    }

    if (!accessToken) return next(new HttpError(401, 'Token required'));

    const token = await tokens.getByAccessToken(accessToken);
    if (!token) return next(new HttpError(401, 'No such token'));

    const user = await users.get(token.identifier);
    if (!user) return next(new HttpError(401,'User not found'));
    if (!user.active) return next(new HttpError(401,'User not active'));

    await safe(tokens.update(token.id, { lastUsedTime: new Date() })); // ignore any error

    req.token = token;
    req.user = user;

    next();
}

function authorize(requiredRole) {
    assert.strictEqual(typeof requiredRole, 'string');

    return function (req, res, next) {
        assert.strictEqual(typeof req.user, 'object');
        assert.strictEqual(typeof req.token, 'object');

        if (users.compareRoles(req.user.role, requiredRole) < 0) return next(new HttpError(403, `role '${requiredRole}' is required but user has only '${req.user.role}'`));
        if (!tokens.hasScope(req.token, req.method, req.path)) return next(new HttpError(403, 'access token does not have this scope'));

        next();
    };
}

async function authorizeOperator(req, res, next) {
    assert.strictEqual(typeof req.params.id, 'string');
    assert.strictEqual(typeof req.user, 'object');
    assert.strictEqual(typeof req.app, 'object');
    assert.strictEqual(typeof req.token, 'object');

    if (!tokens.hasScope(req.token, req.method, req.path)) return next(new HttpError(403, 'access token does not have this scope'));
    if (apps.isOperator(req.app, req.user)) return next();

    return next(new HttpError(403, 'user is not an operator'));
}
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`'use strict';`

			`exports = module.exports = {`
eventlog: add logout fixes #757 2021-01-06 21:57:23 -08:00			`passwordAuth,`
			`tokenAuth,`
spaces: verify app ownership in app management routes 2018-08-03 17:21:24 -07:00
eventlog: add logout fixes #757 2021-01-06 21:57:23 -08:00			`authorize,`
Implement operator role for apps There are two main use cases: * A consultant/contractor/external developer is given access to just an app. * A "service" personnel (say upstream app author) is to be given access to single app for debugging. Since, this is an "app admin", they are also given access to apps to be consistent with the idea that Cloudron admin has access to all apps. part of #791 2021-09-21 10:11:27 -07:00			`authorizeOperator,`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`};`

Validate token scopes 2022-09-23 12:57:13 +02:00			`const apps = require('../apps.js'),`
			`tokens = require('../tokens.js'),`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`assert = require('assert'),`
Move ClientsError to BoxError 2019-10-22 21:16:00 -07:00			`BoxError = require('../boxerror.js'),`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`HttpError = require('connect-lastmile').HttpError,`
tokens: async'ify 2021-06-04 09:28:40 -07:00			`safe = require('safetydance'),`
			`users = require('../users.js');`
Move passport logic to routes 2018-06-15 17:31:28 -07:00
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`async function passwordAuth(req, res, next) {`
Remove passport 2020-02-06 14:50:12 +01:00			`assert.strictEqual(typeof req.body, 'object');`
Move passport logic to routes 2018-06-15 17:31:28 -07:00
Remove passport 2020-02-06 14:50:12 +01:00			`if (!req.body.username \|\| typeof req.body.username !== 'string') return next(new HttpError(400, 'A username must be non-empty string'));`
			`if (!req.body.password \|\| typeof req.body.password !== 'string') return next(new HttpError(400, 'A password must be non-empty string'));`
fix some typos 2020-12-20 14:41:16 -08:00			`if ('totpToken' in req.body && typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a string' ));`
Remove passport 2020-02-06 14:50:12 +01:00
fix some typos 2020-12-20 14:41:16 -08:00			`const { username, password, totpToken } = req.body;`
Remove passport 2020-02-06 14:50:12 +01:00
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`const verifyFunc = username.indexOf('@') === -1 ? users.verifyWithUsername : users.verifyWithEmail;`
Move 2fa validation in one place 2020-02-06 15:36:14 +01:00
profile: unify password verification check 2024-01-22 13:53:40 +01:00			`let [error, user] = await safe(verifyFunc(username, password, users.AP_WEBADMIN, { totpToken, skipTotpCheck: false }));`
unify totp check the totp check is done in several places causing errors like 3552232e99 * ldap (addon) * accesscontrol (dashboard) * proxyauth * directoryserver (exposed ldap) * externalldap (the connector) The code also makes externalldap auto-create work now across all the cases where there is a username 2023-03-12 15:09:20 +01:00			`if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, error.message));`
			`if (error && error.reason === BoxError.NOT_FOUND) return next(new HttpError(401, 'Unauthorized'));`
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`if (error) return next(new HttpError(500, error));`
			`if (!user) return next(new HttpError(401, 'Unauthorized'));`
Move 2fa validation in one place 2020-02-06 15:36:14 +01:00
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`req.user = user;`

			`next();`
Move passport logic to routes 2018-06-15 17:31:28 -07:00			`}`

tokens: async'ify 2021-06-04 09:28:40 -07:00			`async function tokenAuth(req, res, next) {`
Validate token scopes 2022-09-23 12:57:13 +02:00			`let accessToken;`
Remove passport 2020-02-06 14:50:12 +01:00
			`// this determines the priority`
Validate token scopes 2022-09-23 12:57:13 +02:00			`if (req.body && req.body.access_token) accessToken = req.body.access_token;`
			`if (req.query && req.query.access_token) accessToken = req.query.access_token;`
Remove passport 2020-02-06 14:50:12 +01:00			`if (req.headers && req.headers.authorization) {`
tokens: async'ify 2021-06-04 09:28:40 -07:00			`const parts = req.headers.authorization.split(' ');`
Remove passport 2020-02-06 14:50:12 +01:00			`if (parts.length == 2) {`
tokens: async'ify 2021-06-04 09:28:40 -07:00			`const [scheme, credentials] = parts;`
Move passport logic to routes 2018-06-15 17:31:28 -07:00
Validate token scopes 2022-09-23 12:57:13 +02:00			`if (/^Bearer$/i.test(scheme)) accessToken = credentials;`
Remove passport 2020-02-06 14:50:12 +01:00			`}`
			`}`

Validate token scopes 2022-09-23 12:57:13 +02:00			`if (!accessToken) return next(new HttpError(401, 'Token required'));`
Remove passport 2020-02-06 14:50:12 +01:00
Validate token scopes 2022-09-23 12:57:13 +02:00			`const token = await tokens.getByAccessToken(accessToken);`
			`if (!token) return next(new HttpError(401, 'No such token'));`
Remove passport 2020-02-06 14:50:12 +01:00
Validate token scopes 2022-09-23 12:57:13 +02:00			`const user = await users.get(token.identifier);`
			`if (!user) return next(new HttpError(401,'User not found'));`
			`if (!user.active) return next(new HttpError(401,'User not active'));`

			`await safe(tokens.update(token.id, { lastUsedTime: new Date() })); // ignore any error`

			`req.token = token;`
tokens: async'ify 2021-06-04 09:28:40 -07:00			`req.user = user;`
Remove passport 2020-02-06 14:50:12 +01:00
tokens: async'ify 2021-06-04 09:28:40 -07:00			`next();`
Move passport logic to routes 2018-06-15 17:31:28 -07:00			`}`

migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			`function authorize(requiredRole) {`
			`assert.strictEqual(typeof requiredRole, 'string');`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
Remove passport 2020-02-06 14:50:12 +01:00			`return function (req, res, next) {`
Fix typo 2020-02-06 17:29:45 +01:00			`assert.strictEqual(typeof req.user, 'object');`
Add authorization to all routes 2022-09-24 21:27:43 +02:00			`assert.strictEqual(typeof req.token, 'object');`
Remove scope from users.get 2018-06-17 15:25:41 -07:00
migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			if (users.compareRoles(req.user.role, requiredRole) < 0) return next(new HttpError(403, `role '${requiredRole}' is required but user has only '${req.user.role}'`));
Validate token scopes 2022-09-23 12:57:13 +02:00			`if (!tokens.hasScope(req.token, req.method, req.path)) return next(new HttpError(403, 'access token does not have this scope'));`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
Remove passport 2020-02-06 14:50:12 +01:00			`next();`
			`};`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`}`

Implement operator role for apps There are two main use cases: * A consultant/contractor/external developer is given access to just an app. * A "service" personnel (say upstream app author) is to be given access to single app for debugging. Since, this is an "app admin", they are also given access to apps to be consistent with the idea that Cloudron admin has access to all apps. part of #791 2021-09-21 10:11:27 -07:00			`async function authorizeOperator(req, res, next) {`
			`assert.strictEqual(typeof req.params.id, 'string');`
			`assert.strictEqual(typeof req.user, 'object');`
			`assert.strictEqual(typeof req.app, 'object');`
Add authorization to all routes 2022-09-24 21:27:43 +02:00			`assert.strictEqual(typeof req.token, 'object');`
Implement operator role for apps There are two main use cases: * A consultant/contractor/external developer is given access to just an app. * A "service" personnel (say upstream app author) is to be given access to single app for debugging. Since, this is an "app admin", they are also given access to apps to be consistent with the idea that Cloudron admin has access to all apps. part of #791 2021-09-21 10:11:27 -07:00
Validate token scopes 2022-09-23 12:57:13 +02:00			`if (!tokens.hasScope(req.token, req.method, req.path)) return next(new HttpError(403, 'access token does not have this scope'));`
Implement operator role for apps There are two main use cases: * A consultant/contractor/external developer is given access to just an app. * A "service" personnel (say upstream app author) is to be given access to single app for debugging. Since, this is an "app admin", they are also given access to apps to be consistent with the idea that Cloudron admin has access to all apps. part of #791 2021-09-21 10:11:27 -07:00			`if (apps.isOperator(req.app, req.user)) return next();`

			`return next(new HttpError(403, 'user is not an operator'));`
			`}`