jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

appPassword: add expiry

Browse Source
This commit is contained in:
Girish Ramakrishnan
2026-02-12 12:58:50 +01:00
parent 93a0063941
commit e9c3e42aa6
16 changed files with 226 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/apppasswords.js
+8 -6
View File
@@ -17,7 +17,7 @@ const assert = require('node:assert'),
safe = require('safetydance'),
_ = require('./underscore.js');
const APP_PASSWORD_FIELDS = [ 'id', 'name', 'userId', 'identifier', 'hashedPassword', 'creationTime' ].join(',');
const APP_PASSWORD_FIELDS = [ 'id', 'name', 'userId', 'identifier', 'hashedPassword', 'creationTime', 'expiresAt' ].join(',');
function validateAppPasswordName(name) {
assert.strictEqual(typeof name, 'string');
@@ -29,7 +29,7 @@ function validateAppPasswordName(name) {
}
function removePrivateFields(appPassword) {
return _.pick(appPassword, ['id', 'name', 'userId', 'identifier', 'creationTime']);
return _.pick(appPassword, ['id', 'name', 'userId', 'identifier', 'creationTime', 'expiresAt']);
}
async function get(id) {
@@ -40,10 +40,11 @@ async function get(id) {
return result[0];
}
async function add(userId, identifier, name) {
async function add(userId, identifier, name, expiresAt) {
assert.strictEqual(typeof userId, 'string');
assert.strictEqual(typeof identifier, 'string');
assert.strictEqual(typeof name, 'string');
assert(expiresAt === null || typeof expiresAt === 'string');
let error = validateAppPasswordName(name);
if (error) throw error;
@@ -59,11 +60,12 @@ async function add(userId, identifier, name) {
userId,
identifier,
password,
hashedPassword
hashedPassword,
expiresAt
};
const query = 'INSERT INTO appPasswords (id, userId, identifier, name, hashedPassword) VALUES (?, ?, ?, ?, ?)';
const args = [ appPassword.id, appPassword.userId, appPassword.identifier, appPassword.name, appPassword.hashedPassword ];
const query = 'INSERT INTO appPasswords (id, userId, identifier, name, hashedPassword, expiresAt) VALUES (?, ?, ?, ?, ?, ?)';
const args = [ appPassword.id, appPassword.userId, appPassword.identifier, appPassword.name, appPassword.hashedPassword, appPassword.expiresAt ? new Date(appPassword.expiresAt) : null ];
[error] = await safe(database.query(query, args));
if (error && error.sqlCode === 'ER_DUP_ENTRY' && error.sqlMessage.indexOf('appPasswords_name_userId_identifier') !== -1) throw new BoxError(BoxError.ALREADY_EXISTS, 'name/app combination already exists');
src/routes/apppasswords.js
+4 -4
View File
@@ -31,8 +31,9 @@ async function add(req, res, next) {
if (typeof req.body.name !== 'string') return next(new HttpError(400, 'name must be string'));
if (typeof req.body.identifier !== 'string') return next(new HttpError(400, 'identifier must be string'));
if (req.body.expiresAt !== null && (typeof req.body.expiresAt !== 'string' || isNaN(new Date(req.body.expiresAt).getTime()))) return next(new HttpError(400, 'expiresAt must be null or a valid date string'));
const [error, result] = await safe(appPasswords.add(req.user.id, req.body.identifier, req.body.name));
const [error, result] = await safe(appPasswords.add(req.user.id, req.body.identifier, req.body.name, req.body.expiresAt));
if (error) return next(BoxError.toHttpError(error));
next(new HttpSuccess(201, { id: result.id, password: result.password }));
@@ -41,11 +42,10 @@ async function add(req, res, next) {
async function list(req, res, next) {
assert.strictEqual(typeof req.user, 'object');
let [error, result] = await safe(appPasswords.list(req.user.id));
const [error, result] = await safe(appPasswords.list(req.user.id));
if (error) return next(BoxError.toHttpError(error));
result = result.map(appPasswords.removePrivateFields);
next(new HttpSuccess(200, { appPasswords: result }));
next(new HttpSuccess(200, { appPasswords: result.map(appPasswords.removePrivateFields) }));
}
async function del(req, res, next) {
src/routes/test/apppasswords-test.js
+43 -3
View File
@@ -29,7 +29,34 @@ describe('App Passwords', function () {
it('cannot add app password without name', async function () {
const response = await superagent.post(`${serverUrl}/api/v1/app_passwords`)
.query({ access_token: user.token })
.send({ identifier: 'someapp' })
.send({ identifier: 'someapp', expiresAt: null })
.ok(() => true);
expect(response.status).to.equal(400);
});
it('cannot add app password without expiresAt', async function () {
const response = await superagent.post(`${serverUrl}/api/v1/app_passwords`)
.query({ access_token: user.token })
.send({ name: 'my-device', identifier: 'someapp' })
.ok(() => true);
expect(response.status).to.equal(400);
});
it('cannot add app password with invalid expiresAt type', async function () {
const response = await superagent.post(`${serverUrl}/api/v1/app_passwords`)
.query({ access_token: user.token })
.send({ name: 'my-device', identifier: 'someapp', expiresAt: 12345 })
.ok(() => true);
expect(response.status).to.equal(400);
});
it('cannot add app password with invalid expiresAt date', async function () {
const response = await superagent.post(`${serverUrl}/api/v1/app_passwords`)
.query({ access_token: user.token })
.send({ name: 'my-device', identifier: 'someapp', expiresAt: 'not-a-date' })
.ok(() => true);
expect(response.status).to.equal(400);
@@ -39,24 +66,36 @@ describe('App Passwords', function () {
it('can add app password', async function () {
const response = await superagent.post(`${serverUrl}/api/v1/app_passwords`)
.query({ access_token: user.token })
.send({ name: 'my-device', identifier: 'someapp' });
.send({ name: 'my-device', identifier: 'someapp', expiresAt: null });
expect(response.status).to.equal(201);
expect(response.body.password).to.be.a('string');
pwd = response.body;
});
it('can add app password with expiresAt', async function () {
const response = await superagent.post(`${serverUrl}/api/v1/app_passwords`)
.query({ access_token: user.token })
.send({ name: 'expiring-device', identifier: 'someapp', expiresAt: new Date(Date.now() + 86400000).toISOString() });
expect(response.status).to.equal(201);
expect(response.body.password).to.be.a('string');
});
it('can get app passwords', async function () {
const response = await superagent.get(`${serverUrl}/api/v1/app_passwords`)
.query({ access_token: user.token });
expect(response.status).to.equal(200);
expect(response.body.appPasswords).to.be.an(Array);
expect(response.body.appPasswords.length).to.be(1);
expect(response.body.appPasswords.length).to.be(2);
expect(response.body.appPasswords[0].name).to.be('my-device');
expect(response.body.appPasswords[0].identifier).to.be('someapp');
expect(response.body.appPasswords[0].expiresAt).to.be(null);
expect(response.body.appPasswords[0].hashedPassword).to.be(undefined);
expect(response.body.appPasswords[0].password).to.be(undefined);
expect(response.body.appPasswords[1].name).to.be('expiring-device');
expect(response.body.appPasswords[1].expiresAt).to.be.a('string');
});
it('can get app password', async function () {
@@ -66,6 +105,7 @@ describe('App Passwords', function () {
expect(response.status).to.equal(200);
expect(response.body.name).to.be('my-device');
expect(response.body.identifier).to.be('someapp');
expect(response.body.expiresAt).to.be(null);
expect(response.body.hashedPassword).to.be(undefined);
expect(response.body.password).to.be(undefined);
});
src/test/apppasswords-test.js
+36 -2
View File
@@ -21,12 +21,12 @@ describe('App passwords', function () {
let id, password;
it('cannot add bad app password', async function () {
const [error] = await safe(appPasswords.add(admin.id, 'appid', 'x'.repeat(201)));
const [error] = await safe(appPasswords.add(admin.id, 'appid', 'x'.repeat(201), null));
expect(error.reason).to.be(BoxError.BAD_FIELD);
});
it('can add app password', async function () {
const result = await appPasswords.add(admin.id, 'appid', 'spark');
const result = await appPasswords.add(admin.id, 'appid', 'spark', null);
expect(result.id).to.be.a('string');
expect(result.password).to.be.a('string');
id = result.id;
@@ -90,4 +90,38 @@ describe('App passwords', function () {
const [error] = await safe(appPasswords.del('random'));
expect(error.reason).to.be(BoxError.NOT_FOUND);
});
// expiry tests
let expiredPassword;
it('can add app password with expiry', async function () {
const result = await appPasswords.add(admin.id, 'appid', 'expiring', new Date(Date.now() + 60000).toISOString());
expect(result.id).to.be.a('string');
expect(result.password).to.be.a('string');
expiredPassword = result.password;
});
it('can verify non-expired app password', async function () {
const result = await users.verifyWithId(admin.id, expiredPassword, 'appid', {});
expect(result).to.be.ok();
expect(result.appPassword).to.be(true);
});
let pastId, pastPassword;
it('can add app password with past expiry', async function () {
const result = await appPasswords.add(admin.id, 'appid', 'expired', new Date(Date.now() - 60000).toISOString());
expect(result.id).to.be.a('string');
expect(result.password).to.be.a('string');
pastId = result.id;
pastPassword = result.password;
});
it('cannot verify expired app password', async function () {
const [error, result] = await safe(users.verifyWithId(admin.id, pastPassword, 'appid', {}));
expect(result).to.not.be.ok();
expect(error.reason).to.be(BoxError.INVALID_CREDENTIALS);
});
it('can del expired app password', async function () {
await appPasswords.del(pastId);
});
});
src/users.js
+2 -1
View File
@@ -619,7 +619,8 @@ async function verifyAppPassword(userId, password, identifier) {
const results = await appPasswords.list(userId);
const hashedPasswords = results.filter(r => r.identifier === identifier).map(r => r.hashedPassword);
const now = new Date();
const hashedPasswords = results.filter(r => r.identifier === identifier).filter(r => !r.expiresAt || new Date(r.expiresAt) > now).map(r => r.hashedPassword);
const hash = crypto.createHash('sha256').update(password).digest('base64');
if (hashedPasswords.includes(hash)) return;