fix: naming and redundancy issues
This commit is contained in:
Sérgio Salgado
Josh Harvey
parent
fff9523988
commit
40974dd501
15 changed files with 194 additions and 143 deletions
|
|
@ -11,19 +11,15 @@ const cookieParser = require('cookie-parser')
|
|||
const bodyParser = require('body-parser')
|
||||
const { ApolloServer, AuthenticationError } = require('apollo-server-express')
|
||||
const _ = require('lodash/fp')
|
||||
const session = require('express-session')
|
||||
const pgSession = require('connect-pg-simple')(session)
|
||||
const hkdf = require('futoin-hkdf')
|
||||
const pify = require('pify')
|
||||
|
||||
const login = require('./services/login')
|
||||
const register = require('./routes/authentication')
|
||||
|
||||
const options = require('../options')
|
||||
const db = require('../db')
|
||||
const users = require('../users')
|
||||
const mnemonicHelpers = require('../mnemonic-helpers')
|
||||
|
||||
const session = require('./middlewares/session')
|
||||
const authRouter = require('./routes/auth')
|
||||
const { AuthDirective } = require('./graphql/directives')
|
||||
const { typeDefs, resolvers } = require('./graphql/schema')
|
||||
|
|
@ -46,33 +42,7 @@ app.use(cookieParser())
|
|||
app.use(bodyParser.json())
|
||||
app.use(bodyParser.urlencoded({ extended: true })) // support encoded bodies
|
||||
app.use(express.static(path.resolve(__dirname, '..', '..', 'public')))
|
||||
|
||||
const getSecret = () => {
|
||||
const mnemonic = fs.readFileSync(options.mnemonicPath, 'utf8')
|
||||
return hkdf(
|
||||
mnemonicHelpers.toEntropyBuffer(mnemonic),
|
||||
16,
|
||||
{ salt: 'lamassu-server-salt', info: 'operator-id' }
|
||||
).toString('hex')
|
||||
}
|
||||
|
||||
app.use('*', session({
|
||||
store: new pgSession({
|
||||
pgPromise: db,
|
||||
tableName: 'user_sessions'
|
||||
}),
|
||||
name: 'lid',
|
||||
secret: getSecret(),
|
||||
resave: false,
|
||||
saveUninitialized: false,
|
||||
cookie: {
|
||||
httpOnly: true,
|
||||
secure: true,
|
||||
domain: hostname,
|
||||
sameSite: true,
|
||||
maxAge: 60 * 10 * 1000 // 10 minutes
|
||||
}
|
||||
}))
|
||||
app.use(session)
|
||||
|
||||
const apolloServer = new ApolloServer({
|
||||
typeDefs,
|
||||
|
|
|
|||
36
lib/new-admin/graphql/errors/authentication.js
Normal file
36
lib/new-admin/graphql/errors/authentication.js
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
const { ApolloError } = require('apollo-server-express')
|
||||
|
||||
class InvalidCredentialsError extends ApolloError {
|
||||
constructor(message) {
|
||||
super(message, 'INVALID_CREDENTIALS')
|
||||
Object.defineProperty(this, 'name', { value: 'InvalidCredentialsError' })
|
||||
}
|
||||
}
|
||||
|
||||
class UserAlreadyExistsError extends ApolloError {
|
||||
constructor(message) {
|
||||
super(message, 'USER_ALREADY_EXISTS')
|
||||
Object.defineProperty(this, 'name', { value: 'UserAlreadyExistsError' })
|
||||
}
|
||||
}
|
||||
|
||||
class InvalidTwoFactorError extends ApolloError {
|
||||
constructor(message) {
|
||||
super(message, 'INVALID_TWO_FACTOR_CODE')
|
||||
Object.defineProperty(this, 'name', { value: 'InvalidTwoFactorError' })
|
||||
}
|
||||
}
|
||||
|
||||
class InvalidUrlError extends ApolloError {
|
||||
constructor(message) {
|
||||
super(message, 'INVALID_URL_TOKEN')
|
||||
Object.defineProperty(this, 'name', { value: 'InvalidUrlError' })
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = {
|
||||
InvalidCredentialsError,
|
||||
UserAlreadyExistsError,
|
||||
InvalidTwoFactorError,
|
||||
InvalidUrlError
|
||||
}
|
||||
|
|
@ -5,27 +5,28 @@ const loginHelper = require('../../services/login')
|
|||
const T = require('../../../time')
|
||||
const users = require('../../../users')
|
||||
const sessionManager = require('../../../session-manager')
|
||||
const authErrors = require('../errors/authentication')
|
||||
|
||||
const REMEMBER_ME_AGE = 90 * T.day
|
||||
|
||||
function authenticateUser (username, password) {
|
||||
return loginHelper.checkUser(username).then(hashedPassword => {
|
||||
if (!hashedPassword) return null
|
||||
return Promise.all([bcrypt.compare(password, hashedPassword), hashedPassword])
|
||||
}).then(([isMatch, hashedPassword]) => {
|
||||
if (!isMatch) return null
|
||||
return loginHelper.validateUser(username, hashedPassword)
|
||||
}).then(user => {
|
||||
if (!user) return null
|
||||
return user
|
||||
}).catch(e => {
|
||||
console.error(e)
|
||||
})
|
||||
function authenticateUser(username, password) {
|
||||
return loginHelper.checkUser(username)
|
||||
.then(hashedPassword => {
|
||||
if (!hashedPassword) throw new authErrors.InvalidCredentialsError()
|
||||
return Promise.all([bcrypt.compare(password, hashedPassword), hashedPassword])
|
||||
})
|
||||
.then(([isMatch, hashedPassword]) => {
|
||||
if (!isMatch) throw new authErrors.InvalidCredentialsError()
|
||||
return loginHelper.validateUser(username, hashedPassword)
|
||||
})
|
||||
.catch(e => {
|
||||
console.error(e)
|
||||
})
|
||||
}
|
||||
|
||||
const getUserData = context => {
|
||||
const lidCookie = context.req.cookies && context.req.cookies.lid
|
||||
if (!lidCookie) return null
|
||||
if (!lidCookie) throw new authErrors.InvalidCredentialsError()
|
||||
|
||||
const user = context.req.session.user
|
||||
return user
|
||||
|
|
@ -33,7 +34,7 @@ const getUserData = context => {
|
|||
|
||||
const get2FASecret = (username, password) => {
|
||||
return authenticateUser(username, password).then(user => {
|
||||
if (!user) return null
|
||||
if (!user) throw new authErrors.InvalidCredentialsError()
|
||||
|
||||
const secret = otplib.authenticator.generateSecret()
|
||||
const otpauth = otplib.authenticator.keyuri(username, 'Lamassu Industries', secret)
|
||||
|
|
@ -41,46 +42,45 @@ const get2FASecret = (username, password) => {
|
|||
})
|
||||
}
|
||||
|
||||
const confirm2FA = (codeArg, context) => {
|
||||
const code = codeArg
|
||||
const confirm2FA = (token, context) => {
|
||||
const requestingUser = context.req.session.user
|
||||
|
||||
if (!requestingUser) return false
|
||||
if (!requestingUser) throw new authErrors.InvalidCredentialsError()
|
||||
|
||||
return users.get2FASecret(requestingUser.id).then(user => {
|
||||
const secret = user.twofa_code
|
||||
const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
|
||||
const isCodeValid = otplib.authenticator.verify({ token, secret })
|
||||
|
||||
if (!isCodeValid) return false
|
||||
if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
|
||||
return true
|
||||
})
|
||||
}
|
||||
|
||||
const validateRegisterLink = token => {
|
||||
if (!token) return null
|
||||
if (!token) throw new authErrors.InvalidUrlError()
|
||||
return users.validateUserRegistrationToken(token)
|
||||
.then(r => {
|
||||
if (!r.success) return null
|
||||
if (!r.success) throw new authErrors.InvalidUrlError()
|
||||
return { username: r.username, role: r.role }
|
||||
})
|
||||
.catch(err => console.error(err))
|
||||
}
|
||||
|
||||
const validateResetPasswordLink = token => {
|
||||
if (!token) return null
|
||||
if (!token) throw new authErrors.InvalidUrlError()
|
||||
return users.validatePasswordResetToken(token)
|
||||
.then(r => {
|
||||
if (!r.success) return null
|
||||
if (!r.success) throw new authErrors.InvalidUrlError()
|
||||
return { id: r.userID }
|
||||
})
|
||||
.catch(err => console.error(err))
|
||||
}
|
||||
|
||||
const validateReset2FALink = token => {
|
||||
if (!token) return null
|
||||
if (!token) throw new authErrors.InvalidUrlError()
|
||||
return users.validate2FAResetToken(token)
|
||||
.then(r => {
|
||||
if (!r.success) return null
|
||||
if (!r.success) throw new authErrors.InvalidUrlError()
|
||||
return users.findById(r.userID)
|
||||
})
|
||||
.then(user => {
|
||||
|
|
@ -95,12 +95,12 @@ const deleteSession = (sessionID, context) => {
|
|||
if (sessionID === context.req.session.id) {
|
||||
context.req.session.destroy()
|
||||
}
|
||||
return sessionManager.deleteSession(sessionID)
|
||||
return sessionManager.deleteSessionById(sessionID)
|
||||
}
|
||||
|
||||
const login = (username, password) => {
|
||||
return authenticateUser(username, password).then(user => {
|
||||
if (!user) return 'FAILED'
|
||||
if (!user) throw new authErrors.InvalidCredentialsError()
|
||||
return users.get2FASecret(user.id).then(user => {
|
||||
const twoFASecret = user.twofa_code
|
||||
return twoFASecret ? 'INPUT2FA' : 'SETUP2FA'
|
||||
|
|
@ -110,12 +110,12 @@ const login = (username, password) => {
|
|||
|
||||
const input2FA = (username, password, rememberMe, code, context) => {
|
||||
return authenticateUser(username, password).then(user => {
|
||||
if (!user) return false
|
||||
if (!user) throw new authErrors.InvalidCredentialsError()
|
||||
|
||||
return users.get2FASecret(user.id).then(user => {
|
||||
const secret = user.twofa_code
|
||||
const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
|
||||
if (!isCodeValid) return false
|
||||
if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
|
||||
|
||||
const finalUser = { id: user.id, username: user.username, role: user.role }
|
||||
context.req.session.user = finalUser
|
||||
|
|
@ -128,48 +128,39 @@ const input2FA = (username, password, rememberMe, code, context) => {
|
|||
|
||||
const setup2FA = (username, password, secret, codeConfirmation) => {
|
||||
return authenticateUser(username, password).then(user => {
|
||||
if (!user || !secret) return false
|
||||
if (!user || !secret) throw new authErrors.InvalidCredentialsError()
|
||||
|
||||
const isCodeValid = otplib.authenticator.verify({ token: codeConfirmation, secret: secret })
|
||||
if (!isCodeValid) return false
|
||||
if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
|
||||
|
||||
users.save2FASecret(user.id, secret)
|
||||
return true
|
||||
return users.save2FASecret(user.id, secret).then(() => true)
|
||||
})
|
||||
}
|
||||
|
||||
const createResetPasswordToken = userID => {
|
||||
return users.findById(userID)
|
||||
.then(user => {
|
||||
if (!user) return null
|
||||
if (!user) throw new authErrors.InvalidCredentialsError()
|
||||
return users.createResetPasswordToken(user.id)
|
||||
})
|
||||
.then(token => {
|
||||
return token
|
||||
})
|
||||
.catch(err => console.error(err))
|
||||
}
|
||||
|
||||
const createReset2FAToken = userID => {
|
||||
return users.findById(userID)
|
||||
.then(user => {
|
||||
if (!user) return null
|
||||
if (!user) throw new authErrors.InvalidCredentialsError()
|
||||
return users.createReset2FAToken(user.id)
|
||||
})
|
||||
.then(token => {
|
||||
return token
|
||||
})
|
||||
.catch(err => console.error(err))
|
||||
}
|
||||
|
||||
const createRegisterToken = (username, role) => {
|
||||
return users.getByName(username)
|
||||
.then(user => {
|
||||
if (user) return null
|
||||
if (user) throw new authErrors.UserAlreadyExistsError()
|
||||
|
||||
return users.createUserRegistrationToken(username, role).then(token => {
|
||||
return token
|
||||
})
|
||||
return users.createUserRegistrationToken(username, role)
|
||||
})
|
||||
.catch(err => console.error(err))
|
||||
}
|
||||
|
|
@ -177,29 +168,26 @@ const createRegisterToken = (username, role) => {
|
|||
const register = (username, password, role) => {
|
||||
return users.getByName(username)
|
||||
.then(user => {
|
||||
if (user) return false
|
||||
|
||||
users.createUser(username, password, role)
|
||||
return true
|
||||
if (user) throw new authErrors.UserAlreadyExistsError()
|
||||
return users.createUser(username, password, role).then(() => true)
|
||||
})
|
||||
.catch(err => console.error(err))
|
||||
}
|
||||
|
||||
const resetPassword = (userID, newPassword, context) => {
|
||||
return users.findById(userID).then(user => {
|
||||
if (!user) return false
|
||||
if (!user) throw new authErrors.InvalidCredentialsError()
|
||||
if (context.req.session.user && user.id === context.req.session.user.id) context.req.session.destroy()
|
||||
return users.updatePassword(user.id, newPassword)
|
||||
}).then(() => { return true }).catch(err => console.error(err))
|
||||
}).then(() => true).catch(err => console.error(err))
|
||||
}
|
||||
|
||||
const reset2FA = (userID, code, secret, context) => {
|
||||
const reset2FA = (userID, token, secret, context) => {
|
||||
return users.findById(userID).then(user => {
|
||||
const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
|
||||
if (!isCodeValid) return false
|
||||
|
||||
const isCodeValid = otplib.authenticator.verify({ token, secret })
|
||||
if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
|
||||
if (context.req.session.user && user.id === context.req.session.user.id) context.req.session.destroy()
|
||||
return users.save2FASecret(user.id, secret).then(() => { return true })
|
||||
return users.save2FASecret(user.id, secret).then(() => true)
|
||||
}).catch(err => console.error(err))
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -5,8 +5,8 @@ const sessionManager = require('../../../session-manager')
|
|||
const resolver = {
|
||||
Query: {
|
||||
users: () => users.getUsers(),
|
||||
sessions: () => sessionManager.getSessionList(),
|
||||
userSessions: (...[, { username }]) => sessionManager.getUserSessions(username),
|
||||
sessions: () => sessionManager.getSessions(),
|
||||
userSessions: (...[, { username }]) => sessionManager.getSessionsByUsername(username),
|
||||
userData: (root, args, context, info) => authentication.getUserData(context),
|
||||
get2FASecret: (...[, { username, password }]) => authentication.get2FASecret(username, password),
|
||||
confirm2FA: (root, args, context, info) => authentication.confirm2FA(args.code, context),
|
||||
|
|
@ -17,7 +17,7 @@ const resolver = {
|
|||
Mutation: {
|
||||
deleteUser: (...[, { id }]) => users.deleteUser(id),
|
||||
deleteSession: (root, args, context, info) => authentication.deleteSession(args.sid, context),
|
||||
deleteUserSessions: (...[, { username }]) => sessionManager.deleteUserSessions(username),
|
||||
deleteUserSessions: (...[, { username }]) => sessionManager.deleteSessionsByUsername(username),
|
||||
changeUserRole: (...[, { id, newRole }]) => users.changeUserRole(id, newRole),
|
||||
toggleUserEnable: (...[, { id }]) => users.toggleUserEnable(id),
|
||||
login: (...[, { username, password }]) => authentication.login(username, password),
|
||||
|
|
|
|||
40
lib/new-admin/middlewares/session.js
Normal file
40
lib/new-admin/middlewares/session.js
Normal file
|
|
@ -0,0 +1,40 @@
|
|||
const fs = require('fs')
|
||||
const express = require('express')
|
||||
const router = express.Router()
|
||||
const hkdf = require('futoin-hkdf')
|
||||
const session = require('express-session')
|
||||
const pgSession = require('connect-pg-simple')(session)
|
||||
const mnemonicHelpers = require('../../mnemonic-helpers')
|
||||
const db = require('../../db')
|
||||
const options = require('../../options')
|
||||
|
||||
const getSecret = () => {
|
||||
const mnemonic = fs.readFileSync(options.mnemonicPath, 'utf8')
|
||||
return hkdf(
|
||||
mnemonicHelpers.toEntropyBuffer(mnemonic),
|
||||
16,
|
||||
{ salt: 'lamassu-server-salt', info: 'operator-id' }
|
||||
).toString('hex')
|
||||
}
|
||||
|
||||
const hostname = options.hostname
|
||||
|
||||
router.use('*', session({
|
||||
store: new pgSession({
|
||||
pgPromise: db,
|
||||
tableName: 'user_sessions'
|
||||
}),
|
||||
name: 'lid',
|
||||
secret: getSecret(),
|
||||
resave: false,
|
||||
saveUninitialized: false,
|
||||
cookie: {
|
||||
httpOnly: true,
|
||||
secure: true,
|
||||
domain: hostname,
|
||||
sameSite: true,
|
||||
maxAge: 60 * 10 * 1000 // 10 minutes
|
||||
}
|
||||
}))
|
||||
|
||||
module.exports = router
|
||||
|
|
@ -10,7 +10,10 @@ function validateUser (username, password) {
|
|||
const sqlUpdateLastAccessed = 'UPDATE users SET last_accessed = now() WHERE username=$1'
|
||||
|
||||
return db.oneOrNone(sql, [username, password])
|
||||
.then(user => { db.none(sqlUpdateLastAccessed, [user.username]); return user })
|
||||
.then(user => {
|
||||
return db.none(sqlUpdateLastAccessed, [user.username])
|
||||
.then(() => user)
|
||||
})
|
||||
.catch(() => false)
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue