jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
7e16128b11d95bc47d110cc4bdb12f2b72270f2d
cloudron-box/src/proxyauth.js
Girish Ramakrishnan 7e16128b11 proxyauth: render as ejs tos end app title and icon
2020-11-11 00:36:02 -08:00

182 lines
5.8 KiB
JavaScript
Raw Blame History

'use strict';
// heavily inspired from https://gock.net/blog/2020/nginx-subrequest-authentication-server/ and https://github.com/andygock/auth-server
exports = module.exports = {
start,
stop
};
const apps = require('./apps.js'),
assert = require('assert'),
constants = require('./constants.js'),
debug = require('debug')('box:proxyAuth'),
express = require('express'),
fs = require('fs'),
hat = require('./hat.js'),
http = require('http'),
HttpError = require('connect-lastmile').HttpError,
HttpSuccess = require('connect-lastmile').HttpSuccess,
jwt = require('jsonwebtoken'),
middleware = require('./middleware'),
path = require('path'),
paths = require('./paths.js'),
safe = require('safetydance'),
users = require('./users.js');
let gHttpServer = null;
let TOKEN_SECRET = null;
const EXPIRY_DAYS = 7;
// middleware to check auth status
function jwtVerify(req, res, next) {
const token = req.cookies.authToken;
if (!token) return next();
jwt.verify(token, TOKEN_SECRET, function (error, decoded) {
if (error) {
debug('clearing token', error);
res.clearCookie('authToken');
return next(new HttpError(403, 'Malformed token or bad signature'));
}
req.user = decoded.user || null;
next();
});
}
function loginPage(req, res, next) {
const appId = req.headers['x-app-id'] || '';
if (!appId) return next(new HttpError(503, 'Nginx misconfiguration'));
apps.get(appId, function (error, app) {
if (error) return next(new HttpError(503, error.message));
const title = app.label || app.manifest.title;
apps.getIconPath(app, {}, function (error, iconPath) {
const icon = safe.fs.readFileSync(iconPath || '', 'base64');
return res.render(path.join(paths.DASHBOARD_DIR, 'templates/proxyauth-login.ejs'), { title, icon });
});
});
}
// called by nginx to authorize any protected route
function auth(req, res, next) {
if (!req.user) return next(new HttpError(401, 'Unauthorized'));
// user is already authenticated, refresh cookie
const token = jwt.sign({ user: req.user }, TOKEN_SECRET, { expiresIn: `${EXPIRY_DAYS}d` });
res.cookie('authToken', token, {
httpOnly: true,
maxAge: EXPIRY_DAYS * 86400 * 1000, // milliseconds
secure: true
});
return next(new HttpSuccess(200, {}));
}
// endpoint called by login page, username and password posted as JSON body
function login(req, res, next) {
assert.strictEqual(typeof req.body, 'object');
const appId = req.headers['x-app-id'] || '';
if (!appId) return next(new HttpError(503, 'Nginx misconfiguration'));
if (typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be non empty string' ));
if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be non empty string' ));
const { username, password } = req.body;
const api = username.indexOf('@') !== -1 ? users.verifyWithEmail : users.verifyWithUsername;
api(username, password, appId, function (error, user) {
if (error) return next(new HttpError(403, 'Invalid username or password' ));
const token = jwt.sign({ user: users.removePrivateFields(user) }, TOKEN_SECRET, { expiresIn: `${EXPIRY_DAYS}d` });
res.cookie('authToken', token, {
httpOnly: true,
maxAge: EXPIRY_DAYS * 86400 * 1000, // milliseconds
secure: true
});
res.redirect('/');
});
}
function logoutPage(req, res) {
res.clearCookie('authToken');
res.redirect('/login');
}
function logout(req, res, next) {
res.clearCookie('authToken');
next(new HttpSuccess(200, {}));
}
// provides webhooks for the auth wall
function initializeAuthwallExpressSync() {
let app = express();
let httpServer = http.createServer(app);
let QUERY_LIMIT = '1mb'; // max size for json and urlencoded queries
let REQUEST_TIMEOUT = 10000; // timeout for all requests
let json = middleware.json({ strict: true, limit: QUERY_LIMIT }), // application/json
urlencoded = middleware.urlencoded({ extended: false, limit: QUERY_LIMIT }); // application/x-www-form-urlencoded
if (process.env.BOX_ENV !== 'test') app.use(middleware.morgan('proxyauth :method :url :status :response-time ms - :res[content-length]', { immediate: false }));
var router = new express.Router();
router.del = router.delete; // amend router.del for readability further on
app.set('view engine', 'ejs');
app
.use(middleware.timeout(REQUEST_TIMEOUT))
.use(middleware.cookieParser())
.use(json)
.use(urlencoded)
.use(jwtVerify)
.use(router)
.use(middleware.lastMile());
router.get ('/', (req, res) => { res.redirect('/login'); }); // this can never happen
router.get ('/login', loginPage);
router.get ('/auth', auth);
router.post('/login', login);
router.get ('/logout', logoutPage);
router.post('/logout', logout);
return httpServer;
}
function start(callback) {
assert.strictEqual(typeof callback, 'function');
assert.strictEqual(gHttpServer, null, 'Authwall is already up and running.');
if (!fs.existsSync(paths.PROXY_AUTH_TOKEN_SECRET_FILE)) {
TOKEN_SECRET = hat(64);
fs.writeFileSync(paths.PROXY_AUTH_TOKEN_SECRET_FILE, TOKEN_SECRET, 'utf8');
} else {
TOKEN_SECRET = fs.readFileSync(paths.PROXY_AUTH_TOKEN_SECRET_FILE, 'utf8').trim();
}
gHttpServer = initializeAuthwallExpressSync();
gHttpServer.listen(constants.AUTHWALL_PORT, '127.0.0.1', callback);
}
function stop(callback) {
assert.strictEqual(typeof callback, 'function');
if (!gHttpServer) return callback(null);
gHttpServer.close(callback);
gHttpServer = null;
}
Reference in New Issue View Git Blame Copy Permalink