lamassu/lamassu-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: server code formatting

Browse source
This commit is contained in:
Rafael Taranto 2025-05-12 15:35:00 +01:00
parent aedabcbdee
commit 68517170e2
234 changed files with 9824 additions and 6195 deletions
Download patch file Download diff file Expand all files Collapse all files

246
packages/server/lib/new-admin/graphql/modules/authentication/FIDO2FAStrategy.js
View file

@ -12,60 +12,70 @@ const devMode = require('minimist')(process.argv.slice(2)).dev
const REMEMBER_ME_AGE = 90 * T.day
const generateAttestationOptions = (session, options) => {
return users.getUserById(options.userId).then(user => {
return Promise.all([credentials.getHardwareCredentialsByUserId(user.id), user])
}).then(([userDevices, user]) => {
const opts = simpleWebauthn.generateAttestationOptions({
rpName: 'Lamassu',
rpID: options.domain,
userName: user.username,
userID: user.id,
timeout: 60000,
attestationType: 'indirect',
excludeCredentials: userDevices.map(dev => ({
id: dev.data.credentialID,
type: 'public-key',
transports: ['usb', 'ble', 'nfc', 'internal']
})),
authenticatorSelection: {
userVerification: 'discouraged',
requireResidentKey: false
}
return users
.getUserById(options.userId)
.then(user => {
return Promise.all([
credentials.getHardwareCredentialsByUserId(user.id),
user,
])
})
session.webauthn = {
attestation: {
challenge: opts.challenge
}
}
return opts
})
}
const generateAssertionOptions = (session, options) => {
return userManagement.authenticateUser(options.username, options.password).then(user => {
return credentials.getHardwareCredentialsByUserId(user.id).then(devices => {
const opts = simpleWebauthn.generateAssertionOptions({
.then(([userDevices, user]) => {
const opts = simpleWebauthn.generateAttestationOptions({
rpName: 'Lamassu',
rpID: options.domain,
userName: user.username,
userID: user.id,
timeout: 60000,
allowCredentials: devices.map(dev => ({
attestationType: 'indirect',
excludeCredentials: userDevices.map(dev => ({
id: dev.data.credentialID,
type: 'public-key',
transports: ['usb', 'ble', 'nfc', 'internal']
transports: ['usb', 'ble', 'nfc', 'internal'],
})),
userVerification: 'discouraged',
rpID: options.domain
authenticatorSelection: {
userVerification: 'discouraged',
requireResidentKey: false,
},
})
session.webauthn = {
assertion: {
challenge: opts.challenge
}
attestation: {
challenge: opts.challenge,
},
}
return opts
})
})
}
const generateAssertionOptions = (session, options) => {
return userManagement
.authenticateUser(options.username, options.password)
.then(user => {
return credentials
.getHardwareCredentialsByUserId(user.id)
.then(devices => {
const opts = simpleWebauthn.generateAssertionOptions({
timeout: 60000,
allowCredentials: devices.map(dev => ({
id: dev.data.credentialID,
type: 'public-key',
transports: ['usb', 'ble', 'nfc', 'internal'],
})),
userVerification: 'discouraged',
rpID: options.domain,
})
session.webauthn = {
assertion: {
challenge: opts.challenge,
},
}
return opts
})
})
}
const validateAttestation = (session, options) => {
@ -78,98 +88,112 @@ const validateAttestation = (session, options) => {
credential: options.attestationResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
expectedRPID: options.domain
})
])
.then(([user, verification]) => {
const { verified, attestationInfo } = verification
expectedRPID: options.domain,
}),
]).then(([user, verification]) => {
const { verified, attestationInfo } = verification
if (!(verified || attestationInfo)) {
session.webauthn = null
return false
}
if (!(verified || attestationInfo)) {
session.webauthn = null
return false
}
const {
counter,
credentialPublicKey,
credentialID
} = attestationInfo
const { counter, credentialPublicKey, credentialID } = attestationInfo
return credentials.getHardwareCredentialsByUserId(user.id)
.then(userDevices => {
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
return credentials
.getHardwareCredentialsByUserId(user.id)
.then(userDevices => {
const existingDevice = userDevices.find(
device => device.data.credentialID === credentialID,
)
if (!existingDevice) {
const newDevice = {
counter,
credentialPublicKey,
credentialID
}
credentials.createHardwareCredential(user.id, newDevice)
if (!existingDevice) {
const newDevice = {
counter,
credentialPublicKey,
credentialID,
}
credentials.createHardwareCredential(user.id, newDevice)
}
session.webauthn = null
return verified
})
})
session.webauthn = null
return verified
})
})
}
const validateAssertion = (session, options) => {
return userManagement.authenticateUser(options.username, options.password).then(user => {
const expectedChallenge = session.webauthn.assertion.challenge
return userManagement
.authenticateUser(options.username, options.password)
.then(user => {
const expectedChallenge = session.webauthn.assertion.challenge
return credentials.getHardwareCredentialsByUserId(user.id).then(devices => {
const dbAuthenticator = _.find(dev => {
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(options.assertionResponse.rawId)) === 0
}, devices)
return credentials
.getHardwareCredentialsByUserId(user.id)
.then(devices => {
const dbAuthenticator = _.find(dev => {
return (
Buffer.from(dev.data.credentialID).compare(
base64url.toBuffer(options.assertionResponse.rawId),
) === 0
)
}, devices)
if (!dbAuthenticator.data) {
throw new Error(`Could not find authenticator matching ${options.assertionResponse.id}`)
}
if (!dbAuthenticator.data) {
throw new Error(
`Could not find authenticator matching ${options.assertionResponse.id}`,
)
}
const convertedAuthenticator = _.merge(
dbAuthenticator.data,
{ credentialPublicKey: Buffer.from(dbAuthenticator.data.credentialPublicKey) }
)
const convertedAuthenticator = _.merge(dbAuthenticator.data, {
credentialPublicKey: Buffer.from(
dbAuthenticator.data.credentialPublicKey,
),
})
let verification
try {
verification = simpleWebauthn.verifyAssertionResponse({
credential: options.assertionResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
expectedRPID: options.domain,
authenticator: convertedAuthenticator
})
} catch (err) {
console.error(err)
return false
}
let verification
try {
verification = simpleWebauthn.verifyAssertionResponse({
credential: options.assertionResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
expectedRPID: options.domain,
authenticator: convertedAuthenticator,
})
} catch (err) {
console.error(err)
return false
}
const { verified, assertionInfo } = verification
const { verified, assertionInfo } = verification
if (!verified) {
session.webauthn = null
return false
}
if (!verified) {
session.webauthn = null
return false
}
dbAuthenticator.data.counter = assertionInfo.newCounter
return credentials.updateHardwareCredential(dbAuthenticator)
.then(() => {
const finalUser = { id: user.id, username: user.username, role: user.role }
session.user = finalUser
if (options.rememberMe) session.cookie.maxAge = REMEMBER_ME_AGE
dbAuthenticator.data.counter = assertionInfo.newCounter
return credentials
.updateHardwareCredential(dbAuthenticator)
.then(() => {
const finalUser = {
id: user.id,
username: user.username,
role: user.role,
}
session.user = finalUser
if (options.rememberMe) session.cookie.maxAge = REMEMBER_ME_AGE
session.webauthn = null
return verified
session.webauthn = null
return verified
})
})
})
})
}
module.exports = {
generateAttestationOptions,
generateAssertionOptions,
validateAttestation,
validateAssertion
validateAssertion,
}

161
packages/server/lib/new-admin/graphql/modules/authentication/FIDOPasswordlessStrategy.js
View file

@ -11,35 +11,41 @@ const devMode = require('minimist')(process.argv.slice(2)).dev
const REMEMBER_ME_AGE = 90 * T.day
const generateAttestationOptions = (session, options) => {
return users.getUserById(options.userId).then(user => {
return Promise.all([credentials.getHardwareCredentialsByUserId(user.id), user])
}).then(([userDevices, user]) => {
const opts = simpleWebauthn.generateAttestationOptions({
rpName: 'Lamassu',
rpID: options.domain,
userName: user.username,
userID: user.id,
timeout: 60000,
attestationType: 'indirect',
excludeCredentials: userDevices.map(dev => ({
id: dev.data.credentialID,
type: 'public-key',
transports: ['usb', 'ble', 'nfc', 'internal']
})),
authenticatorSelection: {
userVerification: 'discouraged',
requireResidentKey: false
}
return users
.getUserById(options.userId)
.then(user => {
return Promise.all([
credentials.getHardwareCredentialsByUserId(user.id),
user,
])
})
.then(([userDevices, user]) => {
const opts = simpleWebauthn.generateAttestationOptions({
rpName: 'Lamassu',
rpID: options.domain,
userName: user.username,
userID: user.id,
timeout: 60000,
attestationType: 'indirect',
excludeCredentials: userDevices.map(dev => ({
id: dev.data.credentialID,
type: 'public-key',
transports: ['usb', 'ble', 'nfc', 'internal'],
})),
authenticatorSelection: {
userVerification: 'discouraged',
requireResidentKey: false,
},
})
session.webauthn = {
attestation: {
challenge: opts.challenge
session.webauthn = {
attestation: {
challenge: opts.challenge,
},
}
}
return opts
})
return opts
})
}
const generateAssertionOptions = (session, options) => {
@ -50,16 +56,16 @@ const generateAssertionOptions = (session, options) => {
allowCredentials: devices.map(dev => ({
id: dev.data.credentialID,
type: 'public-key',
transports: ['usb', 'ble', 'nfc', 'internal']
transports: ['usb', 'ble', 'nfc', 'internal'],
})),
userVerification: 'discouraged',
rpID: options.domain
rpID: options.domain,
})
session.webauthn = {
assertion: {
challenge: opts.challenge
}
challenge: opts.challenge,
},
}
return opts
@ -77,40 +83,38 @@ const validateAttestation = (session, options) => {
credential: options.attestationResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
expectedRPID: options.domain
})
])
.then(([user, verification]) => {
const { verified, attestationInfo } = verification
expectedRPID: options.domain,
}),
]).then(([user, verification]) => {
const { verified, attestationInfo } = verification
if (!(verified || attestationInfo)) {
session.webauthn = null
return false
}
if (!(verified || attestationInfo)) {
session.webauthn = null
return false
}
const {
counter,
credentialPublicKey,
credentialID
} = attestationInfo
const { counter, credentialPublicKey, credentialID } = attestationInfo
return credentials.getHardwareCredentialsByUserId(user.id)
.then(userDevices => {
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
return credentials
.getHardwareCredentialsByUserId(user.id)
.then(userDevices => {
const existingDevice = userDevices.find(
device => device.data.credentialID === credentialID,
)
if (!existingDevice) {
const newDevice = {
counter,
credentialPublicKey,
credentialID
}
credentials.createHardwareCredential(user.id, newDevice)
if (!existingDevice) {
const newDevice = {
counter,
credentialPublicKey,
credentialID,
}
credentials.createHardwareCredential(user.id, newDevice)
}
session.webauthn = null
return verified
})
})
session.webauthn = null
return verified
})
})
}
const validateAssertion = (session, options) => {
@ -119,17 +123,24 @@ const validateAssertion = (session, options) => {
return credentials.getHardwareCredentialsByUserId(user.id).then(devices => {
const dbAuthenticator = _.find(dev => {
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(options.assertionResponse.rawId)) === 0
return (
Buffer.from(dev.data.credentialID).compare(
base64url.toBuffer(options.assertionResponse.rawId),
) === 0
)
}, devices)
if (!dbAuthenticator.data) {
throw new Error(`Could not find authenticator matching ${options.assertionResponse.id}`)
throw new Error(
`Could not find authenticator matching ${options.assertionResponse.id}`,
)
}
const convertedAuthenticator = _.merge(
dbAuthenticator.data,
{ credentialPublicKey: Buffer.from(dbAuthenticator.data.credentialPublicKey) }
)
const convertedAuthenticator = _.merge(dbAuthenticator.data, {
credentialPublicKey: Buffer.from(
dbAuthenticator.data.credentialPublicKey,
),
})
let verification
try {
@ -138,7 +149,7 @@ const validateAssertion = (session, options) => {
expectedChallenge: `${expectedChallenge}`,
expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
expectedRPID: options.domain,
authenticator: convertedAuthenticator
authenticator: convertedAuthenticator,
})
} catch (err) {
console.error(err)
@ -148,20 +159,22 @@ const validateAssertion = (session, options) => {
const { verified, assertionInfo } = verification
if (!verified) {
context.req.session.webauthn = null
return false
}
dbAuthenticator.data.counter = assertionInfo.newCounter
return credentials.updateHardwareCredential(dbAuthenticator)
.then(() => {
const finalUser = { id: user.id, username: user.username, role: user.role }
session.user = finalUser
if (options.rememberMe) session.cookie.maxAge = REMEMBER_ME_AGE
return credentials.updateHardwareCredential(dbAuthenticator).then(() => {
const finalUser = {
id: user.id,
username: user.username,
role: user.role,
}
session.user = finalUser
if (options.rememberMe) session.cookie.maxAge = REMEMBER_ME_AGE
session.webauthn = null
return verified
})
session.webauthn = null
return verified
})
})
})
}
@ -170,5 +183,5 @@ module.exports = {
generateAttestationOptions,
generateAssertionOptions,
validateAttestation,
validateAssertion
validateAssertion,
}

148
packages/server/lib/new-admin/graphql/modules/authentication/FIDOUsernamelessStrategy.js
View file

@ -22,19 +22,19 @@ const generateAttestationOptions = (session, options) => {
excludeCredentials: devices.map(dev => ({
id: dev.data.credentialID,
type: 'public-key',
transports: ['usb', 'ble', 'nfc', 'internal']
transports: ['usb', 'ble', 'nfc', 'internal'],
})),
authenticatorSelection: {
authenticatorAttachment: 'cross-platform',
userVerification: 'discouraged',
requireResidentKey: false
}
requireResidentKey: false,
},
})
session.webauthn = {
attestation: {
challenge: opts.challenge
}
challenge: opts.challenge,
},
}
return opts
@ -48,16 +48,16 @@ const generateAssertionOptions = (session, options) => {
allowCredentials: devices.map(dev => ({
id: dev.data.credentialID,
type: 'public-key',
transports: ['usb', 'ble', 'nfc', 'internal']
transports: ['usb', 'ble', 'nfc', 'internal'],
})),
userVerification: 'discouraged',
rpID: options.domain
rpID: options.domain,
})
session.webauthn = {
assertion: {
challenge: opts.challenge
}
challenge: opts.challenge,
},
}
return opts
})
@ -73,50 +73,52 @@ const validateAttestation = (session, options) => {
credential: options.attestationResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
expectedRPID: options.domain
})
])
.then(([user, verification]) => {
const { verified, attestationInfo } = verification
expectedRPID: options.domain,
}),
]).then(([user, verification]) => {
const { verified, attestationInfo } = verification
if (!(verified || attestationInfo)) {
session.webauthn = null
return verified
}
const {
fmt,
counter,
aaguid,
credentialPublicKey,
credentialID,
credentialType,
userVerified,
attestationObject,
} = attestationInfo
return credentials
.getHardwareCredentialsByUserId(user.id)
.then(userDevices => {
const existingDevice = userDevices.find(
device => device.data.credentialID === credentialID,
)
if (!existingDevice) {
const newDevice = {
fmt,
counter,
aaguid,
credentialPublicKey,
credentialID,
credentialType,
userVerified,
attestationObject,
}
credentials.createHardwareCredential(user.id, newDevice)
}
if (!(verified || attestationInfo)) {
session.webauthn = null
return verified
}
const {
fmt,
counter,
aaguid,
credentialPublicKey,
credentialID,
credentialType,
userVerified,
attestationObject
} = attestationInfo
return credentials.getHardwareCredentialsByUserId(user.id)
.then(userDevices => {
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
if (!existingDevice) {
const newDevice = {
fmt,
counter,
aaguid,
credentialPublicKey,
credentialID,
credentialType,
userVerified,
attestationObject
}
credentials.createHardwareCredential(user.id, newDevice)
}
session.webauthn = null
return verified
})
})
})
})
}
const validateAssertion = (session, options) => {
@ -124,17 +126,24 @@ const validateAssertion = (session, options) => {
return credentials.getHardwareCredentials().then(devices => {
const dbAuthenticator = _.find(dev => {
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(options.assertionResponse.rawId)) === 0
return (
Buffer.from(dev.data.credentialID).compare(
base64url.toBuffer(options.assertionResponse.rawId),
) === 0
)
}, devices)
if (!dbAuthenticator.data) {
throw new Error(`Could not find authenticator matching ${options.assertionResponse.id}`)
throw new Error(
`Could not find authenticator matching ${options.assertionResponse.id}`,
)
}
const convertedAuthenticator = _.merge(
dbAuthenticator.data,
{ credentialPublicKey: Buffer.from(dbAuthenticator.data.credentialPublicKey) }
)
const convertedAuthenticator = _.merge(dbAuthenticator.data, {
credentialPublicKey: Buffer.from(
dbAuthenticator.data.credentialPublicKey,
),
})
let verification
try {
@ -143,7 +152,7 @@ const validateAssertion = (session, options) => {
expectedChallenge: `${expectedChallenge}`,
expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
expectedRPID: options.domain,
authenticator: convertedAuthenticator
authenticator: convertedAuthenticator,
})
} catch (err) {
console.error(err)
@ -160,16 +169,19 @@ const validateAssertion = (session, options) => {
dbAuthenticator.data.counter = assertionInfo.newCounter
return Promise.all([
credentials.updateHardwareCredential(dbAuthenticator),
users.getUserById(dbAuthenticator.user_id)
])
.then(([_, user]) => {
const finalUser = { id: user.id, username: user.username, role: user.role }
session.user = finalUser
session.cookie.maxAge = REMEMBER_ME_AGE
session.webauthn = null
return verified
})
users.getUserById(dbAuthenticator.user_id),
]).then(([, user]) => {
const finalUser = {
id: user.id,
username: user.username,
role: user.role,
}
session.user = finalUser
session.cookie.maxAge = REMEMBER_ME_AGE
session.webauthn = null
return verified
})
})
}
@ -177,5 +189,5 @@ module.exports = {
generateAttestationOptions,
generateAssertionOptions,
validateAttestation,
validateAssertion
validateAssertion,
}

4
packages/server/lib/new-admin/graphql/modules/authentication/index.js
View file

@ -5,7 +5,7 @@ const FIDOUsernameless = require('./FIDOUsernamelessStrategy')
const STRATEGIES = {
FIDO2FA,
FIDOPasswordless,
FIDOUsernameless
FIDOUsernameless,
}
// FIDO2FA, FIDOPasswordless or FIDOUsernameless
@ -13,5 +13,5 @@ const CHOSEN_STRATEGY = 'FIDO2FA'
module.exports = {
CHOSEN_STRATEGY,
strategy: STRATEGIES[CHOSEN_STRATEGY]
strategy: STRATEGIES[CHOSEN_STRATEGY],
}

151
packages/server/lib/new-admin/graphql/modules/userManagement.js
View file

@ -14,11 +14,16 @@ const credentials = require('../../../hardware-credentials')
const REMEMBER_ME_AGE = 90 * T.day
const authenticateUser = (username, password) => {
return users.getUserByUsername(username)
return users
.getUserByUsername(username)
.then(user => {
const hashedPassword = user.password
if (!hashedPassword || !user.enabled) throw new authErrors.InvalidCredentialsError()
return Promise.all([argon2.verify(hashedPassword, password), hashedPassword])
if (!hashedPassword || !user.enabled)
throw new authErrors.InvalidCredentialsError()
return Promise.all([
argon2.verify(hashedPassword, password),
hashedPassword,
])
})
.then(([isMatch, hashedPassword]) => {
if (!isMatch) throw new authErrors.InvalidCredentialsError()
@ -32,7 +37,9 @@ const authenticateUser = (username, password) => {
const destroySessionIfSameUser = (context, user) => {
const sessionUser = getUserFromCookie(context)
if (sessionUser && user.id === sessionUser.id) { context.req.session.destroy() }
if (sessionUser && user.id === sessionUser.id) {
context.req.session.destroy()
}
}
const destroySessionIfBeingUsed = (sessID, context) => {
@ -56,15 +63,13 @@ const initializeSession = (context, user, rememberMe) => {
}
const executeProtectedAction = (code, id, context, action) => {
return users.getUserById(id)
.then(user => {
if (user.role !== 'superuser') {
return action()
}
return users.getUserById(id).then(user => {
if (user.role !== 'superuser') {
return action()
}
return confirm2FA(code, context)
.then(() => action())
})
return confirm2FA(code, context).then(() => action())
})
}
const getUserData = context => {
@ -79,10 +84,18 @@ const get2FASecret = (username, password) => {
return authenticateUser(username, password)
.then(user => {
const secret = otplib.authenticator.generateSecret()
const otpauth = otplib.authenticator.keyuri(user.username, constants.AUTHENTICATOR_ISSUER_ENTITY, secret)
return Promise.all([users.saveTemp2FASecret(user.id, secret), secret, otpauth])
const otpauth = otplib.authenticator.keyuri(
user.username,
constants.AUTHENTICATOR_ISSUER_ENTITY,
secret,
)
return Promise.all([
users.saveTemp2FASecret(user.id, secret),
secret,
otpauth,
])
})
.then(([_, secret, otpauth]) => {
.then(([, secret, otpauth]) => {
return { secret, otpauth }
})
}
@ -103,35 +116,43 @@ const confirm2FA = (token, context) => {
const validateRegisterLink = token => {
if (!token) throw new authErrors.InvalidUrlError()
return users.validateUserRegistrationToken(token)
.then(r => {
if (!r.success) throw new authErrors.InvalidUrlError()
return { username: r.username, role: r.role }
})
return users.validateUserRegistrationToken(token).then(r => {
if (!r.success) throw new authErrors.InvalidUrlError()
return { username: r.username, role: r.role }
})
}
const validateResetPasswordLink = token => {
if (!token) throw new authErrors.InvalidUrlError()
return users.validateAuthToken(token, 'reset_password')
.then(r => {
if (!r.success) throw new authErrors.InvalidUrlError()
return { id: r.userID }
})
return users.validateAuthToken(token, 'reset_password').then(r => {
if (!r.success) throw new authErrors.InvalidUrlError()
return { id: r.userID }
})
}
const validateReset2FALink = token => {
if (!token) throw new authErrors.InvalidUrlError()
return users.validateAuthToken(token, 'reset_twofa')
return users
.validateAuthToken(token, 'reset_twofa')
.then(r => {
if (!r.success) throw new authErrors.InvalidUrlError()
return users.getUserById(r.userID)
})
.then(user => {
const secret = otplib.authenticator.generateSecret()
const otpauth = otplib.authenticator.keyuri(user.username, constants.AUTHENTICATOR_ISSUER_ENTITY, secret)
return Promise.all([users.saveTemp2FASecret(user.id, secret), user, secret, otpauth])
const otpauth = otplib.authenticator.keyuri(
user.username,
constants.AUTHENTICATOR_ISSUER_ENTITY,
secret,
)
return Promise.all([
users.saveTemp2FASecret(user.id, secret),
user,
secret,
otpauth,
])
})
.then(([_, user, secret, otpauth]) => {
.then(([, user, secret, otpauth]) => {
return { user_id: user.id, secret, otpauth }
})
}
@ -144,7 +165,10 @@ const deleteSession = (sessionID, context) => {
const login = (username, password) => {
return authenticateUser(username, password)
.then(user => {
return Promise.all([credentials.getHardwareCredentialsByUserId(user.id), user.twofa_code])
return Promise.all([
credentials.getHardwareCredentialsByUserId(user.id),
user.twofa_code,
])
})
.then(([devices, twoFASecret]) => {
if (!_.isEmpty(devices)) return 'FIDO'
@ -153,21 +177,32 @@ const login = (username, password) => {
}
const input2FA = (username, password, rememberMe, code, context) => {
return authenticateUser(username, password)
.then(user => {
const secret = user.twofa_code
const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
initializeSession(context, user, rememberMe)
return true
return authenticateUser(username, password).then(user => {
const secret = user.twofa_code
const isCodeValid = otplib.authenticator.verify({
token: code,
secret: secret,
})
if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
initializeSession(context, user, rememberMe)
return true
})
}
const setup2FA = (username, password, rememberMe, codeConfirmation, context) => {
const setup2FA = (
username,
password,
rememberMe,
codeConfirmation,
context,
) => {
return authenticateUser(username, password)
.then(user => {
const isCodeValid = otplib.authenticator.verify({ token: codeConfirmation, secret: user.temp_twofa_code })
const isCodeValid = otplib.authenticator.verify({
token: codeConfirmation,
secret: user.temp_twofa_code,
})
if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
initializeSession(context, user, rememberMe)
@ -202,24 +237,23 @@ const createReset2FAToken = (code, userID, context) => {
}
const createRegisterToken = (username, role) => {
return users.getUserByUsername(username)
.then(user => {
if (user) throw new authErrors.UserAlreadyExistsError()
return users.getUserByUsername(username).then(user => {
if (user) throw new authErrors.UserAlreadyExistsError()
return users.createUserRegistrationToken(username, role)
})
return users.createUserRegistrationToken(username, role)
})
}
const register = (token, username, password, role) => {
return users.getUserByUsername(username)
.then(user => {
if (user) throw new authErrors.UserAlreadyExistsError()
return users.register(token, username, password, role).then(() => true)
})
return users.getUserByUsername(username).then(user => {
if (user) throw new authErrors.UserAlreadyExistsError()
return users.register(token, username, password, role).then(() => true)
})
}
const resetPassword = (token, userID, newPassword, context) => {
return users.getUserById(userID)
return users
.getUserById(userID)
.then(user => {
destroySessionIfSameUser(context, user)
return users.updatePassword(token, user.id, newPassword)
@ -228,9 +262,13 @@ const resetPassword = (token, userID, newPassword, context) => {
}
const reset2FA = (token, userID, code, context) => {
return users.getUserById(userID)
return users
.getUserById(userID)
.then(user => {
const isCodeValid = otplib.authenticator.verify({ token: code, secret: user.temp_twofa_code })
const isCodeValid = otplib.authenticator.verify({
token: code,
secret: user.temp_twofa_code,
})
if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
destroySessionIfSameUser(context, user)
@ -240,7 +278,10 @@ const reset2FA = (token, userID, code, context) => {
}
const getToken = context => {
if (_.isNil(context.req.cookies['lamassu_sid']) || _.isNil(context.req.session.user.id))
if (
_.isNil(context.req.cookies['lamassu_sid']) ||
_.isNil(context.req.session.user.id)
)
throw new authErrors.AuthenticationError('Authentication failed')
return context.req.session.user.id
@ -267,5 +308,5 @@ module.exports = {
register,
resetPassword,
reset2FA,
getToken
getToken,
}