merge userdb.js into users.js

2021-07-15 09:50:11 -07:00
parent 2840bba4bf
commit a1c61facdc
27 changed files with 1021 additions and 1456 deletions
--- a/src/routes/accesscontrol.js
+++ b/src/routes/accesscontrol.js
@@ -17,7 +17,7 @@ const accesscontrol = require('../accesscontrol.js'),
    speakeasy = require('speakeasy'),
    users = require('../users.js');

-function passwordAuth(req, res, next) {
+async function passwordAuth(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');

    if (!req.body.username || typeof req.body.username !== 'string') return next(new HttpError(400, 'A username must be non-empty string'));
@@ -26,56 +26,29 @@ function passwordAuth(req, res, next) {

    const { username, password, totpToken } = req.body;

-    function check2FA(user) {
-        assert.strictEqual(typeof user, 'object');
+    const verifyFunc = username.indexOf('@') === -1 ? users.verifyWithUsername : users.verifyWithEmail;

-        if (!user.ghost && !user.appPassword && user.twoFactorAuthenticationEnabled) {
-            if (!totpToken) return next(new HttpError(401, 'A totpToken must be provided'));
+    let [error, user] =  await safe(verifyFunc(username, password, users.AP_WEBADMIN));
+    if (error && error.reason === BoxError.NOT_FOUND) {
+        [error, user] = await safe(externalLdap.maybeCreateUser(username.toLowerCase(), password));
+        if (error) return next(new HttpError(401, 'Unauthorized'));
+        [error] = await safe(externalLdap.verifyPassword(user));
+        if (error) return next(new HttpError(401, 'Unauthorized'));
+    }
+    if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
+    if (error) return next(new HttpError(500, error));
+    if (!user) return next(new HttpError(401, 'Unauthorized'));

-            let verified = speakeasy.totp.verify({ secret: user.twoFactorAuthenticationSecret, encoding: 'base32', token: totpToken, window: 2 });
-            if (!verified) return next(new HttpError(401, 'Invalid totpToken'));
-        }
+    if (!user.ghost && !user.appPassword && user.twoFactorAuthenticationEnabled) {
+        if (!totpToken) return next(new HttpError(401, 'A totpToken must be provided'));

-        req.user = user;
-
-        next();
+        const verified = speakeasy.totp.verify({ secret: user.twoFactorAuthenticationSecret, encoding: 'base32', token: totpToken, window: 2 });
+        if (!verified) return next(new HttpError(401, 'Invalid totpToken'));
    }

-    function createAndVerifyUserIfNotExist(identifier, password) {
-        assert.strictEqual(typeof identifier, 'string');
-        assert.strictEqual(typeof password, 'string');
+    req.user = user;

-        externalLdap.createAndVerifyUserIfNotExist(identifier.toLowerCase(), password, function (error, result) {
-            if (error && error.reason === BoxError.BAD_STATE) return next(new HttpError(401, 'Unauthorized'));
-            if (error && error.reason === BoxError.BAD_FIELD) return next(new HttpError(401, 'Unauthorized'));
-            if (error && error.reason === BoxError.CONFLICT) return next(new HttpError(401, 'Unauthorized'));
-            if (error && error.reason === BoxError.NOT_FOUND) return next(new HttpError(401, 'Unauthorized'));
-            if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
-            if (error) return next(new HttpError(500, error));
-
-            check2FA(result);
-        });
-    }
-
-    if (username.indexOf('@') === -1) {
-        users.verifyWithUsername(username, password, users.AP_WEBADMIN, function (error, result) {
-            if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(username, password);
-            if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
-            if (error) return next(new HttpError(500, error));
-            if (!result) return next(new HttpError(401, 'Unauthorized'));
-
-            check2FA(result);
-        });
-    } else {
-        users.verifyWithEmail(username, password, users.AP_WEBADMIN, function (error, result) {
-            if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(username, password);
-            if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
-            if (error) return next(new HttpError(500, error));
-            if (!result) return next(new HttpError(401, 'Unauthorized'));
-
-            check2FA(result);
-        });
-    }
+    next();
 }

 async function tokenAuth(req, res, next) {