lamassu/lamassu-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor: privileged actions

Browse source
This commit is contained in:
Sérgio Salgado 2021-04-19 23:59:21 +01:00 committed by Josh Harvey
parent 357fe75427
commit 7680b2f85a
5 changed files with 29 additions and 78 deletions
Download patch file Download diff file Expand all files Collapse all files

98
lib/new-admin/graphql/modules/authentication.js
View file

@ -52,6 +52,18 @@ const initializeSession = (context, user, rememberMe) => {
if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE
} }
const executeProtectedAction = (code, id, context, action) => {
return users.getUserById(id)
.then(user => {
if (user.role !== 'superuser') {
return action()
}
return confirm2FA(code, context)
.then(() => action())
})
}
const getUserData = context => { const getUserData = context => {
const lidCookie = getLamassuCookie(context) const lidCookie = getLamassuCookie(context)
if (!lidCookie) return if (!lidCookie) return
@ -93,7 +105,6 @@ const validateRegisterLink = token => {
if (!r.success) throw new authErrors.InvalidUrlError() if (!r.success) throw new authErrors.InvalidUrlError()
return { username: r.username, role: r.role } return { username: r.username, role: r.role }
}) })
.catch(err => console.error(err))
} }
const validateResetPasswordLink = token => { const validateResetPasswordLink = token => {
@ -103,7 +114,6 @@ const validateResetPasswordLink = token => {
if (!r.success) throw new authErrors.InvalidUrlError() if (!r.success) throw new authErrors.InvalidUrlError()
return { id: r.userID } return { id: r.userID }
}) })
.catch(err => console.error(err))
} }
const validateReset2FALink = token => { const validateReset2FALink = token => {
@ -121,7 +131,6 @@ const validateReset2FALink = token => {
.then(([_, user, secret, otpauth]) => { .then(([_, user, secret, otpauth]) => {
return { user_id: user.id, secret, otpauth } return { user_id: user.id, secret, otpauth }
}) })
.catch(err => console.error(err))
} }
const deleteSession = (sessionID, context) => { const deleteSession = (sessionID, context) => {
@ -148,92 +157,41 @@ const input2FA = (username, password, rememberMe, code, context) => {
}) })
} }
const setup2FA = (username, password, rememberMe, secret, codeConfirmation, context) => { const setup2FA = (username, password, rememberMe, codeConfirmation, context) => {
if (!secret) throw new authErrors.InvalidTwoFactorError()
const isCodeValid = otplib.authenticator.verify({ token: codeConfirmation, secret: secret })
if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
return authenticateUser(username, password) return authenticateUser(username, password)
.then(user => { .then(user => {
if (user.temp_twofa_code !== secret) { const isCodeValid = otplib.authenticator.verify({ token: codeConfirmation, secret: user.temp_twofa_code })
throw new authErrors.InvalidTwoFactorError() if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
}
initializeSession(context, user, rememberMe) initializeSession(context, user, rememberMe)
return users.save2FASecret(user.id, secret) return users.save2FASecret(user.id, user.temp_twofa_code)
}) })
.then(() => true) .then(() => true)
} }
const changeUserRole = (code, id, newRole, context) => { const changeUserRole = (code, id, newRole, context) => {
const action = (id, newRole) => users.changeUserRole(id, newRole) const action = () => users.changeUserRole(id, newRole)
return executeProtectedAction(code, id, context, action)
return users.getUserById(id)
.then(user => {
if (user.role !== 'superuser') {
return action(id, newRole)
}
return confirm2FA(code, context)
})
.then(() => action(id, newRole))
} }
const enableUser = (code, id, context) => { const enableUser = (code, id, context) => {
const action = id => users.enableUser(id) const action = () => users.enableUser(id)
return executeProtectedAction(code, id, context, action)
return users.getUserById(id)
.then(user => {
if (user.role !== 'superuser') {
return action(id)
}
return confirm2FA(code, context)
})
.then(() => action(id))
} }
const disableUser = (code, id, context) => { const disableUser = (code, id, context) => {
const action = id => users.disableUser(id) const action = () => users.disableUser(id)
return executeProtectedAction(code, id, context, action)
return users.getUserById(id)
.then(user => {
if (user.role !== 'superuser') {
return action(id)
}
return confirm2FA(code, context)
})
.then(() => action(id))
} }
const createResetPasswordToken = (code, userID, context) => { const createResetPasswordToken = (code, userID, context) => {
const action = user => users.createAuthToken(user.id, 'reset_password') const action = () => users.createAuthToken(userID, 'reset_password')
return executeProtectedAction(code, id, context, action)
return users.getUserById(userID)
.then(user => {
if (user.role !== 'superuser') {
return action(user.id)
}
return confirm2FA(code, context)
.then(() => action(user))
})
} }
const createReset2FAToken = (code, userID, context) => { const createReset2FAToken = (code, userID, context) => {
const action = user => users.createAuthToken(user.id, 'reset_twofa') const action = () => users.createAuthToken(userID, 'reset_twofa')
return executeProtectedAction(code, id, context, action)
return users.getUserById(userID)
.then(user => {
if (user.role !== 'superuser') {
return action(user)
}
return confirm2FA(code, context)
.then(() => action(user))
})
} }
const createRegisterToken = (username, role) => { const createRegisterToken = (username, role) => {
@ -243,7 +201,6 @@ const createRegisterToken = (username, role) => {
return users.createUserRegistrationToken(username, role) return users.createUserRegistrationToken(username, role)
}) })
.catch(err => console.error(err))
} }
const register = (token, username, password, role) => { const register = (token, username, password, role) => {
@ -252,7 +209,6 @@ const register = (token, username, password, role) => {
if (user) throw new authErrors.UserAlreadyExistsError() if (user) throw new authErrors.UserAlreadyExistsError()
return users.register(token, username, password, role).then(() => true) return users.register(token, username, password, role).then(() => true)
}) })
.catch(err => console.error(err))
} }
const resetPassword = (token, userID, newPassword, context) => { const resetPassword = (token, userID, newPassword, context) => {
@ -262,7 +218,6 @@ const resetPassword = (token, userID, newPassword, context) => {
return users.updatePassword(token, user.id, newPassword) return users.updatePassword(token, user.id, newPassword)
}) })
.then(() => true) .then(() => true)
.catch(err => console.error(err))
} }
const reset2FA = (token, userID, code, secret, context) => { const reset2FA = (token, userID, code, secret, context) => {
@ -278,7 +233,6 @@ const reset2FA = (token, userID, code, secret, context) => {
return users.reset2FASecret(token, user.id, secret) return users.reset2FASecret(token, user.id, secret)
}) })
.then(() => true) .then(() => true)
.catch(err => console.error(err))
} }
module.exports = { module.exports = {

2
lib/new-admin/graphql/resolvers/users.resolver.js
View file

@ -22,7 +22,7 @@ const resolver = {
changeUserRole: (...[, { confirmationCode, id, newRole }, context]) => authentication.changeUserRole(confirmationCode, id, newRole, context), changeUserRole: (...[, { confirmationCode, id, newRole }, context]) => authentication.changeUserRole(confirmationCode, id, newRole, context),
login: (...[, { username, password }]) => authentication.login(username, password), login: (...[, { username, password }]) => authentication.login(username, password),
input2FA: (...[, { username, password, rememberMe, code }, context]) => authentication.input2FA(username, password, rememberMe, code, context), input2FA: (...[, { username, password, rememberMe, code }, context]) => authentication.input2FA(username, password, rememberMe, code, context),
setup2FA: (...[, { username, password, rememberMe, secret, codeConfirmation }, context]) => authentication.setup2FA(username, password, rememberMe, secret, codeConfirmation, context), setup2FA: (...[, { username, password, rememberMe, codeConfirmation }, context]) => authentication.setup2FA(username, password, rememberMe, codeConfirmation, context),
createResetPasswordToken: (...[, { confirmationCode, userID }, context]) => authentication.createResetPasswordToken(confirmationCode, userID, context), createResetPasswordToken: (...[, { confirmationCode, userID }, context]) => authentication.createResetPasswordToken(confirmationCode, userID, context),
createReset2FAToken: (...[, { confirmationCode, userID }, context]) => authentication.createReset2FAToken(confirmationCode, userID, context), createReset2FAToken: (...[, { confirmationCode, userID }, context]) => authentication.createReset2FAToken(confirmationCode, userID, context),
createRegisterToken: (...[, { username, role }]) => authentication.createRegisterToken(username, role), createRegisterToken: (...[, { username, role }]) => authentication.createRegisterToken(username, role),

2
lib/new-admin/graphql/types/users.type.js
View file

@ -65,7 +65,7 @@ const typeDef = `
toggleUserEnable(id: ID!): User @auth(requires: [SUPERUSER]) toggleUserEnable(id: ID!): User @auth(requires: [SUPERUSER])
login(username: String!, password: String!): String login(username: String!, password: String!): String
input2FA(username: String!, password: String!, code: String!, rememberMe: Boolean!): Boolean input2FA(username: String!, password: String!, code: String!, rememberMe: Boolean!): Boolean
setup2FA(username: String!, password: String!, rememberMe: Boolean!, secret: String!, codeConfirmation: String!): Boolean setup2FA(username: String!, password: String!, rememberMe: Boolean!, codeConfirmation: String!): Boolean
createResetPasswordToken(confirmationCode: String, userID: ID!): ResetToken @auth(requires: [SUPERUSER]) createResetPasswordToken(confirmationCode: String, userID: ID!): ResetToken @auth(requires: [SUPERUSER])
createReset2FAToken(confirmationCode: String, userID: ID!): ResetToken @auth(requires: [SUPERUSER]) createReset2FAToken(confirmationCode: String, userID: ID!): ResetToken @auth(requires: [SUPERUSER])
createRegisterToken(username: String!, role: String!): RegistrationToken @auth(requires: [SUPERUSER]) createRegisterToken(username: String!, role: String!): RegistrationToken @auth(requires: [SUPERUSER])

2
lib/new-admin/services/login.js
View file

@ -6,7 +6,7 @@ function validateUser (username, password) {
const q2 = t.none('UPDATE users SET last_accessed = now() WHERE username=$1', [username]) const q2 = t.none('UPDATE users SET last_accessed = now() WHERE username=$1', [username])
return t.batch([q1, q2]) return t.batch([q1, q2])
.then(([user, _]) => user) .then(([user]) => user)
.catch(() => false) .catch(() => false)
}) })
} }

3
new-lamassu-admin/src/pages/Authentication/Setup2FAState.js
View file

@ -18,14 +18,12 @@ const SETUP_2FA = gql`
$username: String! $username: String!
$password: String! $password: String!
$rememberMe: Boolean! $rememberMe: Boolean!
$secret: String!
$codeConfirmation: String! $codeConfirmation: String!
) { ) {
setup2FA( setup2FA(
username: $username username: $username
password: $password password: $password
rememberMe: $rememberMe rememberMe: $rememberMe
secret: $secret
codeConfirmation: $codeConfirmation codeConfirmation: $codeConfirmation
) )
} }
@ -156,7 +154,6 @@ const Setup2FAState = ({ state, dispatch }) => {
username: state.clientField, username: state.clientField,
password: state.passwordField, password: state.passwordField,
rememberMe: state.rememberMeField, rememberMe: state.rememberMeField,
secret: secret,
codeConfirmation: twoFAConfirmation codeConfirmation: twoFAConfirmation
} }
}) })