From 7680b2f85a3930c40b3ccbe09a53eff174b8eca7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9rgio=20Salgado?= Date: Mon, 19 Apr 2021 23:59:21 +0100 Subject: [PATCH] refactor: privileged actions --- .../graphql/modules/authentication.js | 98 +++++-------------- .../graphql/resolvers/users.resolver.js | 2 +- lib/new-admin/graphql/types/users.type.js | 2 +- lib/new-admin/services/login.js | 2 +- .../src/pages/Authentication/Setup2FAState.js | 3 - 5 files changed, 29 insertions(+), 78 deletions(-) diff --git a/lib/new-admin/graphql/modules/authentication.js b/lib/new-admin/graphql/modules/authentication.js index 55c7252f..43487d40 100644 --- a/lib/new-admin/graphql/modules/authentication.js +++ b/lib/new-admin/graphql/modules/authentication.js @@ -52,6 +52,18 @@ const initializeSession = (context, user, rememberMe) => { if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE } +const executeProtectedAction = (code, id, context, action) => { + return users.getUserById(id) + .then(user => { + if (user.role !== 'superuser') { + return action() + } + + return confirm2FA(code, context) + .then(() => action()) + }) +} + const getUserData = context => { const lidCookie = getLamassuCookie(context) if (!lidCookie) return @@ -93,7 +105,6 @@ const validateRegisterLink = token => { if (!r.success) throw new authErrors.InvalidUrlError() return { username: r.username, role: r.role } }) - .catch(err => console.error(err)) } const validateResetPasswordLink = token => { @@ -103,7 +114,6 @@ const validateResetPasswordLink = token => { if (!r.success) throw new authErrors.InvalidUrlError() return { id: r.userID } }) - .catch(err => console.error(err)) } const validateReset2FALink = token => { @@ -121,7 +131,6 @@ const validateReset2FALink = token => { .then(([_, user, secret, otpauth]) => { return { user_id: user.id, secret, otpauth } }) - .catch(err => console.error(err)) } const deleteSession = (sessionID, context) => { @@ -148,92 +157,41 @@ const input2FA = (username, password, rememberMe, code, context) => { }) } -const setup2FA = (username, password, rememberMe, secret, codeConfirmation, context) => { - if (!secret) throw new authErrors.InvalidTwoFactorError() - - const isCodeValid = otplib.authenticator.verify({ token: codeConfirmation, secret: secret }) - if (!isCodeValid) throw new authErrors.InvalidTwoFactorError() - +const setup2FA = (username, password, rememberMe, codeConfirmation, context) => { return authenticateUser(username, password) .then(user => { - if (user.temp_twofa_code !== secret) { - throw new authErrors.InvalidTwoFactorError() - } + const isCodeValid = otplib.authenticator.verify({ token: codeConfirmation, secret: user.temp_twofa_code }) + if (!isCodeValid) throw new authErrors.InvalidTwoFactorError() initializeSession(context, user, rememberMe) - return users.save2FASecret(user.id, secret) + return users.save2FASecret(user.id, user.temp_twofa_code) }) .then(() => true) } const changeUserRole = (code, id, newRole, context) => { - const action = (id, newRole) => users.changeUserRole(id, newRole) - - return users.getUserById(id) - .then(user => { - if (user.role !== 'superuser') { - return action(id, newRole) - } - - return confirm2FA(code, context) - }) - .then(() => action(id, newRole)) + const action = () => users.changeUserRole(id, newRole) + return executeProtectedAction(code, id, context, action) } const enableUser = (code, id, context) => { - const action = id => users.enableUser(id) - - return users.getUserById(id) - .then(user => { - if (user.role !== 'superuser') { - return action(id) - } - - return confirm2FA(code, context) - }) - .then(() => action(id)) + const action = () => users.enableUser(id) + return executeProtectedAction(code, id, context, action) } const disableUser = (code, id, context) => { - const action = id => users.disableUser(id) - - return users.getUserById(id) - .then(user => { - if (user.role !== 'superuser') { - return action(id) - } - - return confirm2FA(code, context) - }) - .then(() => action(id)) + const action = () => users.disableUser(id) + return executeProtectedAction(code, id, context, action) } const createResetPasswordToken = (code, userID, context) => { - const action = user => users.createAuthToken(user.id, 'reset_password') - - return users.getUserById(userID) - .then(user => { - if (user.role !== 'superuser') { - return action(user.id) - } - - return confirm2FA(code, context) - .then(() => action(user)) - }) + const action = () => users.createAuthToken(userID, 'reset_password') + return executeProtectedAction(code, id, context, action) } const createReset2FAToken = (code, userID, context) => { - const action = user => users.createAuthToken(user.id, 'reset_twofa') - - return users.getUserById(userID) - .then(user => { - if (user.role !== 'superuser') { - return action(user) - } - - return confirm2FA(code, context) - .then(() => action(user)) - }) + const action = () => users.createAuthToken(userID, 'reset_twofa') + return executeProtectedAction(code, id, context, action) } const createRegisterToken = (username, role) => { @@ -243,7 +201,6 @@ const createRegisterToken = (username, role) => { return users.createUserRegistrationToken(username, role) }) - .catch(err => console.error(err)) } const register = (token, username, password, role) => { @@ -252,7 +209,6 @@ const register = (token, username, password, role) => { if (user) throw new authErrors.UserAlreadyExistsError() return users.register(token, username, password, role).then(() => true) }) - .catch(err => console.error(err)) } const resetPassword = (token, userID, newPassword, context) => { @@ -262,7 +218,6 @@ const resetPassword = (token, userID, newPassword, context) => { return users.updatePassword(token, user.id, newPassword) }) .then(() => true) - .catch(err => console.error(err)) } const reset2FA = (token, userID, code, secret, context) => { @@ -278,7 +233,6 @@ const reset2FA = (token, userID, code, secret, context) => { return users.reset2FASecret(token, user.id, secret) }) .then(() => true) - .catch(err => console.error(err)) } module.exports = { diff --git a/lib/new-admin/graphql/resolvers/users.resolver.js b/lib/new-admin/graphql/resolvers/users.resolver.js index 97af898c..d26ca689 100644 --- a/lib/new-admin/graphql/resolvers/users.resolver.js +++ b/lib/new-admin/graphql/resolvers/users.resolver.js @@ -22,7 +22,7 @@ const resolver = { changeUserRole: (...[, { confirmationCode, id, newRole }, context]) => authentication.changeUserRole(confirmationCode, id, newRole, context), login: (...[, { username, password }]) => authentication.login(username, password), input2FA: (...[, { username, password, rememberMe, code }, context]) => authentication.input2FA(username, password, rememberMe, code, context), - setup2FA: (...[, { username, password, rememberMe, secret, codeConfirmation }, context]) => authentication.setup2FA(username, password, rememberMe, secret, codeConfirmation, context), + setup2FA: (...[, { username, password, rememberMe, codeConfirmation }, context]) => authentication.setup2FA(username, password, rememberMe, codeConfirmation, context), createResetPasswordToken: (...[, { confirmationCode, userID }, context]) => authentication.createResetPasswordToken(confirmationCode, userID, context), createReset2FAToken: (...[, { confirmationCode, userID }, context]) => authentication.createReset2FAToken(confirmationCode, userID, context), createRegisterToken: (...[, { username, role }]) => authentication.createRegisterToken(username, role), diff --git a/lib/new-admin/graphql/types/users.type.js b/lib/new-admin/graphql/types/users.type.js index 0816ff4d..a010ac61 100644 --- a/lib/new-admin/graphql/types/users.type.js +++ b/lib/new-admin/graphql/types/users.type.js @@ -65,7 +65,7 @@ const typeDef = ` toggleUserEnable(id: ID!): User @auth(requires: [SUPERUSER]) login(username: String!, password: String!): String input2FA(username: String!, password: String!, code: String!, rememberMe: Boolean!): Boolean - setup2FA(username: String!, password: String!, rememberMe: Boolean!, secret: String!, codeConfirmation: String!): Boolean + setup2FA(username: String!, password: String!, rememberMe: Boolean!, codeConfirmation: String!): Boolean createResetPasswordToken(confirmationCode: String, userID: ID!): ResetToken @auth(requires: [SUPERUSER]) createReset2FAToken(confirmationCode: String, userID: ID!): ResetToken @auth(requires: [SUPERUSER]) createRegisterToken(username: String!, role: String!): RegistrationToken @auth(requires: [SUPERUSER]) diff --git a/lib/new-admin/services/login.js b/lib/new-admin/services/login.js index 4895997c..8eb19c53 100644 --- a/lib/new-admin/services/login.js +++ b/lib/new-admin/services/login.js @@ -6,7 +6,7 @@ function validateUser (username, password) { const q2 = t.none('UPDATE users SET last_accessed = now() WHERE username=$1', [username]) return t.batch([q1, q2]) - .then(([user, _]) => user) + .then(([user]) => user) .catch(() => false) }) } diff --git a/new-lamassu-admin/src/pages/Authentication/Setup2FAState.js b/new-lamassu-admin/src/pages/Authentication/Setup2FAState.js index c2ee109f..346291b8 100644 --- a/new-lamassu-admin/src/pages/Authentication/Setup2FAState.js +++ b/new-lamassu-admin/src/pages/Authentication/Setup2FAState.js @@ -18,14 +18,12 @@ const SETUP_2FA = gql` $username: String! $password: String! $rememberMe: Boolean! - $secret: String! $codeConfirmation: String! ) { setup2FA( username: $username password: $password rememberMe: $rememberMe - secret: $secret codeConfirmation: $codeConfirmation ) } @@ -156,7 +154,6 @@ const Setup2FAState = ({ state, dispatch }) => { username: state.clientField, password: state.passwordField, rememberMe: state.rememberMeField, - secret: secret, codeConfirmation: twoFAConfirmation } })