jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Remove passport

Browse Source
This commit is contained in:
Johannes Zellner
2020-02-06 14:50:12 +01:00
parent 58d8f688e5
commit 12aa8ac0ad
8 changed files with 129 additions and 187 deletions
Download Patch File Download Diff File Expand all files Collapse all files

148
src/routes/accesscontrol.js
View File

@@ -1,8 +1,8 @@
'use strict';
exports = module.exports = {
initialize: initialize,
uninitialize: uninitialize,
passwordAuth: passwordAuth,
tokenAuth: tokenAuth,
scope: scope,
websocketAuth: websocketAuth
@@ -10,83 +10,91 @@ exports = module.exports = {
var accesscontrol = require('../accesscontrol.js'),
assert = require('assert'),
BearerStrategy = require('passport-http-bearer').Strategy,
BoxError = require('../boxerror.js'),
externalLdap = require('../externalldap.js'),
HttpError = require('connect-lastmile').HttpError,
LocalStrategy = require('passport-local').Strategy,
passport = require('passport'),
users = require('../users.js');
function initialize(callback) {
assert.strictEqual(typeof callback, 'function');
function passwordAuth(req, res, next) {
assert.strictEqual(typeof req.body, 'object');
// serialize user into session
passport.serializeUser(function (user, callback) {
callback(null, user.id);
});
if (!req.body.username || typeof req.body.username !== 'string') return next(new HttpError(400, 'A username must be non-empty string'));
if (!req.body.password || typeof req.body.password !== 'string') return next(new HttpError(400, 'A password must be non-empty string'));
// deserialize user from session
passport.deserializeUser(function(userId, callback) {
users.get(userId, function (error, result) {
if (error) return callback(null, null /* user */, error.message); // will end up as a 401. can happen if user with active session got deleted
const username = req.body.username;
const password = req.body.password;
callback(null, result);
// TODO we should only do this for dashboard logins
function createAndVerifyUserIfNotExist(identifier, password) {
assert.strictEqual(typeof identifier, 'string');
assert.strictEqual(typeof password, 'string');
externalLdap.createAndVerifyUserIfNotExist(identifier.toLowerCase(), password, function (error, result) {
if (error && error.reason === BoxError.BAD_STATE) return next(new HttpError(401, 'Unauthorized'));
if (error && error.reason === BoxError.BAD_FIELD) return next(new HttpError(401, 'Unauthorized'));
if (error && error.reason === BoxError.CONFLICT) return next(new HttpError(401, 'Unauthorized'));
if (error && error.reason === BoxError.NOT_FOUND) return next(new HttpError(401, 'Unauthorized'));
if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
if (error) return next(new HttpError(500, error));
req.user = result;
next();
});
});
}
// used when username/password is sent in request body. used in CLI login & oauth2 login route
passport.use(new LocalStrategy(function (username, password, callback) {
if (username.indexOf('@') === -1) {
users.verifyWithUsername(username, password, users.AP_WEBADMIN, function (error, result) {
if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(username, password);
if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
if (error) return next(new HttpError(500, error));
if (!result) return next(new HttpError(401, 'Unauthorized'));
// TODO we should only do this for dashboard logins
function createAndVerifyUserIfNotExist(identifier, password, callback) {
assert.strictEqual(typeof identifier, 'string');
assert.strictEqual(typeof password, 'string');
assert.strictEqual(typeof callback, 'function');
req.user = result;
externalLdap.createAndVerifyUserIfNotExist(identifier.toLowerCase(), password, function (error, result) {
if (error && error.reason === BoxError.BAD_STATE) return callback(null, false);
if (error && error.reason === BoxError.BAD_FIELD) return callback(null, false);
if (error && error.reason === BoxError.CONFLICT) return callback(null, false);
if (error && error.reason === BoxError.NOT_FOUND) return callback(null, false);
if (error && error.reason === BoxError.INVALID_CREDENTIALS) return callback(null, false);
if (error) return callback(error);
next();
});
} else {
users.verifyWithEmail(username, password, users.AP_WEBADMIN, function (error, result) {
if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(username, password);
if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
if (error) return next(new HttpError(500, error));
if (!result) return next(new HttpError(401, 'Unauthorized'));
callback(null, result);
});
}
req.user = result;
if (username.indexOf('@') === -1) {
users.verifyWithUsername(username, password, users.AP_WEBADMIN, function (error, result) {
if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(username, password, callback);
if (error && error.reason === BoxError.INVALID_CREDENTIALS) return callback(null, false);
if (error) return callback(error);
if (!result) return callback(null, false);
callback(null, result);
});
} else {
users.verifyWithEmail(username, password, users.AP_WEBADMIN, function (error, result) {
if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(username, password, callback);
if (error && error.reason === BoxError.INVALID_CREDENTIALS) return callback(null, false);
if (error) return callback(error);
if (!result) return callback(null, false);
callback(null, result);
});
}
}));
// used for "Authorization: Bearer token" or access_token query param authentication
passport.use(new BearerStrategy(function (token, callback) {
accesscontrol.validateToken(token, callback);
}));
callback(null);
next();
});
}
}
function uninitialize(callback) {
assert.strictEqual(typeof callback, 'function');
function tokenAuth(req, res, next) {
var token;
callback(null);
// this determines the priority
if (req.body && req.body.access_token) token = req.body.access_token;
if (req.query && req.query.access_token) token = req.query.access_token;
if (req.headers && req.headers.authorization) {
var parts = req.headers.authorization.split(' ');
if (parts.length == 2) {
var scheme = parts[0];
var credentials = parts[1];
if (/^Bearer$/i.test(scheme)) token = credentials;
}
}
if (!token) return next(new HttpError(401, 'Unauthorized'));
accesscontrol.validateToken(token, function (error, user, info) {
if (error) return next(new HttpError(500, error.message));
if (!user) return next(new HttpError(401, 'Unauthorized'));
req.user = user;
req.authInfo = info;
next();
});
}
// The scope middleware provides an auth middleware for routes.
@@ -103,18 +111,14 @@ function scope(requiredScope) {
var requiredScopes = requiredScope.split(',');
return [
passport.authenticate(['bearer'], { session: false }),
return function (req, res, next) {
assert(req.authInfo && typeof req.authInfo === 'object');
function (req, res, next) {
assert(req.authInfo && typeof req.authInfo === 'object');
var error = accesscontrol.hasScopes(req.authInfo.authorizedScopes, requiredScopes);
if (error) return next(new HttpError(403, error.message));
var error = accesscontrol.hasScopes(req.authInfo.authorizedScopes, requiredScopes);
if (error) return next(new HttpError(403, error.message));
next();
}
];
next();
};
}
function websocketAuth(requiredScopes, req, res, next) {