jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

proxyAuth: persist the secret token

Browse Source
This commit is contained in:
Girish Ramakrishnan
2022-02-01 17:16:25 -08:00
parent 46144ae07a
commit aeef815bf7
4 changed files with 50 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/proxyauth.js
View File

@@ -1,5 +1,7 @@
'use strict';
const blobs = require('./blobs.js');
// heavily inspired from https://gock.net/blog/2020/nginx-subrequest-authentication-server/ and https://github.com/andygock/auth-server
exports = module.exports = {
@@ -14,7 +16,6 @@ const apps = require('./apps.js'),
debug = require('debug')('box:proxyAuth'),
ejs = require('ejs'),
express = require('express'),
fs = require('fs'),
hat = require('./hat.js'),
http = require('http'),
HttpError = require('connect-lastmile').HttpError,
@@ -31,16 +32,16 @@ const apps = require('./apps.js'),
util = require('util');
let gHttpServer = null;
let TOKEN_SECRET = null;
let gTokenSecret = null;
function jwtVerify(req, res, next) {
const token = req.cookies.authToken;
if (!token) return next();
jwt.verify(token, TOKEN_SECRET, function (error, decoded) {
jwt.verify(token, gTokenSecret, function (error, decoded) {
if (error) {
debug('clearing token', error);
debug('jwtVerify: clearing token', error);
res.clearCookie('authToken');
return next(new HttpError(403, 'Malformed token or bad signature'));
}
@@ -95,7 +96,7 @@ async function loginPage(req, res, next) {
try {
finalContent = ejs.render(translatedContent, { title, icon, dashboardOrigin });
} catch (e) {
debug('Error rendering proxyauth-login.ejs', e);
debug('loginPage: Error rendering proxyauth-login.ejs', e);
return next(new HttpError(500, 'Login template error'));
}
@@ -123,7 +124,7 @@ function auth(req, res, next) {
}
// user is already authenticated, refresh cookie
const token = jwt.sign({ user: req.user }, TOKEN_SECRET, { expiresIn: `${constants.DEFAULT_TOKEN_EXPIRATION_DAYS}d` });
const token = jwt.sign({ user: req.user }, gTokenSecret, { expiresIn: `${constants.DEFAULT_TOKEN_EXPIRATION_DAYS}d` });
res.cookie('authToken', token, {
httpOnly: true,
@@ -171,7 +172,7 @@ async function authorize(req, res, next) {
if (!apps.canAccess(app, req.user)) return next(new HttpError(403, 'Forbidden' ));
const token = jwt.sign({ user: users.removePrivateFields(req.user) }, TOKEN_SECRET, { expiresIn: `${constants.DEFAULT_TOKEN_EXPIRATION_DAYS}d` });
const token = jwt.sign({ user: users.removePrivateFields(req.user) }, gTokenSecret, { expiresIn: `${constants.DEFAULT_TOKEN_EXPIRATION_DAYS}d` });
res.cookie('authToken', token, {
httpOnly: true,
@@ -251,11 +252,11 @@ function initializeAuthwallExpressSync() {
async function start() {
assert.strictEqual(gHttpServer, null, 'Authwall is already up and running.');
if (!fs.existsSync(paths.PROXY_AUTH_TOKEN_SECRET_FILE)) {
TOKEN_SECRET = hat(64);
fs.writeFileSync(paths.PROXY_AUTH_TOKEN_SECRET_FILE, TOKEN_SECRET, 'utf8');
} else {
TOKEN_SECRET = fs.readFileSync(paths.PROXY_AUTH_TOKEN_SECRET_FILE, 'utf8').trim();
gTokenSecret = await blobs.getString(blobs.PROXY_AUTH_TOKEN_SECRET);
if (!gTokenSecret) {
debug('start: generating new token secret');
gTokenSecret = hat(64);
await blobs.setString(blobs.PROXY_AUTH_TOKEN_SECRET, gTokenSecret);
}
gHttpServer = initializeAuthwallExpressSync();