src/routes/accesscontrol.js

'use strict';

exports = module.exports = {
    passwordAuth,
    tokenAuth,

    authorize,
    websocketAuth
};

const accesscontrol = require('../accesscontrol.js'),
    assert = require('assert'),
    BoxError = require('../boxerror.js'),
    externalLdap = require('../externalldap.js'),
    HttpError = require('connect-lastmile').HttpError,
    safe = require('safetydance'),
    speakeasy = require('speakeasy'),
    users = require('../users.js');

async function passwordAuth(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');

    if (!req.body.username || typeof req.body.username !== 'string') return next(new HttpError(400, 'A username must be non-empty string'));
    if (!req.body.password || typeof req.body.password !== 'string') return next(new HttpError(400, 'A password must be non-empty string'));
    if ('totpToken' in req.body && typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a string' ));

    const { username, password, totpToken } = req.body;

    const verifyFunc = username.indexOf('@') === -1 ? users.verifyWithUsername : users.verifyWithEmail;

    let [error, user] =  await safe(verifyFunc(username, password, users.AP_WEBADMIN));
    if (error && error.reason === BoxError.NOT_FOUND) {
        [error, user] = await safe(externalLdap.maybeCreateUser(username.toLowerCase(), password));
        if (error) return next(new HttpError(401, 'Unauthorized'));
        [error] = await safe(externalLdap.verifyPassword(user));
        if (error) return next(new HttpError(401, 'Unauthorized'));
    }
    if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
    if (error) return next(new HttpError(500, error));
    if (!user) return next(new HttpError(401, 'Unauthorized'));

    if (!user.ghost && !user.appPassword && user.twoFactorAuthenticationEnabled) {
        if (!totpToken) return next(new HttpError(401, 'A totpToken must be provided'));

        const verified = speakeasy.totp.verify({ secret: user.twoFactorAuthenticationSecret, encoding: 'base32', token: totpToken, window: 2 });
        if (!verified) return next(new HttpError(401, 'Invalid totpToken'));
    }

    req.user = user;

    next();
}

async function tokenAuth(req, res, next) {
    let token;

    // this determines the priority
    if (req.body && req.body.access_token) token = req.body.access_token;
    if (req.query && req.query.access_token) token = req.query.access_token;
    if (req.headers && req.headers.authorization) {
        const parts = req.headers.authorization.split(' ');
        if (parts.length == 2) {
            const [scheme, credentials] = parts;

            if (/^Bearer$/i.test(scheme)) token = credentials;
        }
    }

    if (!token) return next(new HttpError(401, 'Token required'));

    const [error, user] = await safe(accesscontrol.verifyToken(token));
    if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, error.message));
    if (error) return next(new HttpError(500, error.message));

    req.access_token = token; // used in logout route
    req.user = user;

    next();
}

function authorize(requiredRole) {
    assert.strictEqual(typeof requiredRole, 'string');

    return function (req, res, next) {
        assert.strictEqual(typeof req.user, 'object');

        if (users.compareRoles(req.user.role, requiredRole) < 0) return next(new HttpError(403, `role '${requiredRole}' is required but user has only '${req.user.role}'`));

        next();
    };
}

async function websocketAuth(requiredRole, req, res, next) {
    assert.strictEqual(typeof requiredRole, 'string');

    if (typeof req.query.access_token !== 'string') return next(new HttpError(401, 'access_token must be a string'));

    const [error, user] = await safe(accesscontrol.verifyToken(req.query.access_token));
    if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, error.message));
    if (error) return next(new HttpError(500, error.message));

    req.user = user;

    if (users.compareRoles(req.user.role, requiredRole) < 0) return next(new HttpError(403, `role '${requiredRole}' is required but user has only '${user.role}'`));

    next();
}
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`'use strict';`

			`exports = module.exports = {`
eventlog: add logout fixes #757 2021-01-06 21:57:23 -08:00			`passwordAuth,`
			`tokenAuth,`
spaces: verify app ownership in app management routes 2018-08-03 17:21:24 -07:00
eventlog: add logout fixes #757 2021-01-06 21:57:23 -08:00			`authorize,`
			`websocketAuth`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`};`

tokens: async'ify 2021-06-04 09:28:40 -07:00			`const accesscontrol = require('../accesscontrol.js'),`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`assert = require('assert'),`
Move ClientsError to BoxError 2019-10-22 21:16:00 -07:00			`BoxError = require('../boxerror.js'),`
Only create external ldap users for oauth logins 2019-11-20 19:48:40 +01:00			`externalLdap = require('../externalldap.js'),`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`HttpError = require('connect-lastmile').HttpError,`
tokens: async'ify 2021-06-04 09:28:40 -07:00			`safe = require('safetydance'),`
			`speakeasy = require('speakeasy'),`
			`users = require('../users.js');`
Move passport logic to routes 2018-06-15 17:31:28 -07:00
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`async function passwordAuth(req, res, next) {`
Remove passport 2020-02-06 14:50:12 +01:00			`assert.strictEqual(typeof req.body, 'object');`
Move passport logic to routes 2018-06-15 17:31:28 -07:00
Remove passport 2020-02-06 14:50:12 +01:00			`if (!req.body.username \|\| typeof req.body.username !== 'string') return next(new HttpError(400, 'A username must be non-empty string'));`
			`if (!req.body.password \|\| typeof req.body.password !== 'string') return next(new HttpError(400, 'A password must be non-empty string'));`
fix some typos 2020-12-20 14:41:16 -08:00			`if ('totpToken' in req.body && typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a string' ));`
Remove passport 2020-02-06 14:50:12 +01:00
fix some typos 2020-12-20 14:41:16 -08:00			`const { username, password, totpToken } = req.body;`
Remove passport 2020-02-06 14:50:12 +01:00
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`const verifyFunc = username.indexOf('@') === -1 ? users.verifyWithUsername : users.verifyWithEmail;`
Move 2fa validation in one place 2020-02-06 15:36:14 +01:00
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`let [error, user] = await safe(verifyFunc(username, password, users.AP_WEBADMIN));`
			`if (error && error.reason === BoxError.NOT_FOUND) {`
			`[error, user] = await safe(externalLdap.maybeCreateUser(username.toLowerCase(), password));`
			`if (error) return next(new HttpError(401, 'Unauthorized'));`
			`[error] = await safe(externalLdap.verifyPassword(user));`
			`if (error) return next(new HttpError(401, 'Unauthorized'));`
Move 2fa validation in one place 2020-02-06 15:36:14 +01:00			`}`
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));`
			`if (error) return next(new HttpError(500, error));`
			`if (!user) return next(new HttpError(401, 'Unauthorized'));`
Move 2fa validation in one place 2020-02-06 15:36:14 +01:00
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`if (!user.ghost && !user.appPassword && user.twoFactorAuthenticationEnabled) {`
			`if (!totpToken) return next(new HttpError(401, 'A totpToken must be provided'));`
Move passport logic to routes 2018-06-15 17:31:28 -07:00
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`const verified = speakeasy.totp.verify({ secret: user.twoFactorAuthenticationSecret, encoding: 'base32', token: totpToken, window: 2 });`
			`if (!verified) return next(new HttpError(401, 'Invalid totpToken'));`
Remove passport 2020-02-06 14:50:12 +01:00			`}`
Move passport logic to routes 2018-06-15 17:31:28 -07:00
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`req.user = user;`

			`next();`
Move passport logic to routes 2018-06-15 17:31:28 -07:00			`}`

tokens: async'ify 2021-06-04 09:28:40 -07:00			`async function tokenAuth(req, res, next) {`
			`let token;`
Remove passport 2020-02-06 14:50:12 +01:00
			`// this determines the priority`
			`if (req.body && req.body.access_token) token = req.body.access_token;`
			`if (req.query && req.query.access_token) token = req.query.access_token;`
			`if (req.headers && req.headers.authorization) {`
tokens: async'ify 2021-06-04 09:28:40 -07:00			`const parts = req.headers.authorization.split(' ');`
Remove passport 2020-02-06 14:50:12 +01:00			`if (parts.length == 2) {`
tokens: async'ify 2021-06-04 09:28:40 -07:00			`const [scheme, credentials] = parts;`
Move passport logic to routes 2018-06-15 17:31:28 -07:00
Remove passport 2020-02-06 14:50:12 +01:00			`if (/^Bearer$/i.test(scheme)) token = credentials;`
			`}`
			`}`

better error messages for 401 2021-06-05 21:26:43 -07:00			`if (!token) return next(new HttpError(401, 'Token required'));`
Remove passport 2020-02-06 14:50:12 +01:00
tokens: async'ify 2021-06-04 09:28:40 -07:00			`const [error, user] = await safe(accesscontrol.verifyToken(token));`
better error messages for 401 2021-06-05 21:26:43 -07:00			`if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, error.message));`
tokens: async'ify 2021-06-04 09:28:40 -07:00			`if (error) return next(new HttpError(500, error.message));`
Remove passport 2020-02-06 14:50:12 +01:00
tokens: async'ify 2021-06-04 09:28:40 -07:00			`req.access_token = token; // used in logout route`
			`req.user = user;`
Remove passport 2020-02-06 14:50:12 +01:00
tokens: async'ify 2021-06-04 09:28:40 -07:00			`next();`
Move passport logic to routes 2018-06-15 17:31:28 -07:00			`}`

migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			`function authorize(requiredRole) {`
			`assert.strictEqual(typeof requiredRole, 'string');`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
Remove passport 2020-02-06 14:50:12 +01:00			`return function (req, res, next) {`
Fix typo 2020-02-06 17:29:45 +01:00			`assert.strictEqual(typeof req.user, 'object');`
Remove scope from users.get 2018-06-17 15:25:41 -07:00
migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			if (users.compareRoles(req.user.role, requiredRole) < 0) return next(new HttpError(403, `role '${requiredRole}' is required but user has only '${req.user.role}'`));
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
Remove passport 2020-02-06 14:50:12 +01:00			`next();`
			`};`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`}`

tokens: async'ify 2021-06-04 09:28:40 -07:00			`async function websocketAuth(requiredRole, req, res, next) {`
Remove token scope business 2020-02-06 16:44:46 +01:00			`assert.strictEqual(typeof requiredRole, 'string');`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
better error messages for 401 2021-06-05 21:26:43 -07:00			`if (typeof req.query.access_token !== 'string') return next(new HttpError(401, 'access_token must be a string'));`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
tokens: async'ify 2021-06-04 09:28:40 -07:00			`const [error, user] = await safe(accesscontrol.verifyToken(req.query.access_token));`
better error messages for 401 2021-06-05 21:26:43 -07:00			`if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, error.message));`
tokens: async'ify 2021-06-04 09:28:40 -07:00			`if (error) return next(new HttpError(500, error.message));`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
tokens: async'ify 2021-06-04 09:28:40 -07:00			`req.user = user;`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
tokens: async'ify 2021-06-04 09:28:40 -07:00			if (users.compareRoles(req.user.role, requiredRole) < 0) return next(new HttpError(403, `role '${requiredRole}' is required but user has only '${user.role}'`));
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
tokens: async'ify 2021-06-04 09:28:40 -07:00			`next();`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`}`