refactor: privileged actions
This commit is contained in:
Sérgio Salgado
Josh Harvey
parent
357fe75427
commit
7680b2f85a
5 changed files with 29 additions and 78 deletions
|
|
@ -52,6 +52,18 @@ const initializeSession = (context, user, rememberMe) => {
|
|||
if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE
|
||||
}
|
||||
|
||||
const executeProtectedAction = (code, id, context, action) => {
|
||||
return users.getUserById(id)
|
||||
.then(user => {
|
||||
if (user.role !== 'superuser') {
|
||||
return action()
|
||||
}
|
||||
|
||||
return confirm2FA(code, context)
|
||||
.then(() => action())
|
||||
})
|
||||
}
|
||||
|
||||
const getUserData = context => {
|
||||
const lidCookie = getLamassuCookie(context)
|
||||
if (!lidCookie) return
|
||||
|
|
@ -93,7 +105,6 @@ const validateRegisterLink = token => {
|
|||
if (!r.success) throw new authErrors.InvalidUrlError()
|
||||
return { username: r.username, role: r.role }
|
||||
})
|
||||
.catch(err => console.error(err))
|
||||
}
|
||||
|
||||
const validateResetPasswordLink = token => {
|
||||
|
|
@ -103,7 +114,6 @@ const validateResetPasswordLink = token => {
|
|||
if (!r.success) throw new authErrors.InvalidUrlError()
|
||||
return { id: r.userID }
|
||||
})
|
||||
.catch(err => console.error(err))
|
||||
}
|
||||
|
||||
const validateReset2FALink = token => {
|
||||
|
|
@ -121,7 +131,6 @@ const validateReset2FALink = token => {
|
|||
.then(([_, user, secret, otpauth]) => {
|
||||
return { user_id: user.id, secret, otpauth }
|
||||
})
|
||||
.catch(err => console.error(err))
|
||||
}
|
||||
|
||||
const deleteSession = (sessionID, context) => {
|
||||
|
|
@ -148,92 +157,41 @@ const input2FA = (username, password, rememberMe, code, context) => {
|
|||
})
|
||||
}
|
||||
|
||||
const setup2FA = (username, password, rememberMe, secret, codeConfirmation, context) => {
|
||||
if (!secret) throw new authErrors.InvalidTwoFactorError()
|
||||
|
||||
const isCodeValid = otplib.authenticator.verify({ token: codeConfirmation, secret: secret })
|
||||
if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
|
||||
|
||||
const setup2FA = (username, password, rememberMe, codeConfirmation, context) => {
|
||||
return authenticateUser(username, password)
|
||||
.then(user => {
|
||||
if (user.temp_twofa_code !== secret) {
|
||||
throw new authErrors.InvalidTwoFactorError()
|
||||
}
|
||||
const isCodeValid = otplib.authenticator.verify({ token: codeConfirmation, secret: user.temp_twofa_code })
|
||||
if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
|
||||
|
||||
initializeSession(context, user, rememberMe)
|
||||
return users.save2FASecret(user.id, secret)
|
||||
return users.save2FASecret(user.id, user.temp_twofa_code)
|
||||
})
|
||||
.then(() => true)
|
||||
}
|
||||
|
||||
const changeUserRole = (code, id, newRole, context) => {
|
||||
const action = (id, newRole) => users.changeUserRole(id, newRole)
|
||||
|
||||
return users.getUserById(id)
|
||||
.then(user => {
|
||||
if (user.role !== 'superuser') {
|
||||
return action(id, newRole)
|
||||
}
|
||||
|
||||
return confirm2FA(code, context)
|
||||
})
|
||||
.then(() => action(id, newRole))
|
||||
const action = () => users.changeUserRole(id, newRole)
|
||||
return executeProtectedAction(code, id, context, action)
|
||||
}
|
||||
|
||||
const enableUser = (code, id, context) => {
|
||||
const action = id => users.enableUser(id)
|
||||
|
||||
return users.getUserById(id)
|
||||
.then(user => {
|
||||
if (user.role !== 'superuser') {
|
||||
return action(id)
|
||||
}
|
||||
|
||||
return confirm2FA(code, context)
|
||||
})
|
||||
.then(() => action(id))
|
||||
const action = () => users.enableUser(id)
|
||||
return executeProtectedAction(code, id, context, action)
|
||||
}
|
||||
|
||||
const disableUser = (code, id, context) => {
|
||||
const action = id => users.disableUser(id)
|
||||
|
||||
return users.getUserById(id)
|
||||
.then(user => {
|
||||
if (user.role !== 'superuser') {
|
||||
return action(id)
|
||||
}
|
||||
|
||||
return confirm2FA(code, context)
|
||||
})
|
||||
.then(() => action(id))
|
||||
const action = () => users.disableUser(id)
|
||||
return executeProtectedAction(code, id, context, action)
|
||||
}
|
||||
|
||||
const createResetPasswordToken = (code, userID, context) => {
|
||||
const action = user => users.createAuthToken(user.id, 'reset_password')
|
||||
|
||||
return users.getUserById(userID)
|
||||
.then(user => {
|
||||
if (user.role !== 'superuser') {
|
||||
return action(user.id)
|
||||
}
|
||||
|
||||
return confirm2FA(code, context)
|
||||
.then(() => action(user))
|
||||
})
|
||||
const action = () => users.createAuthToken(userID, 'reset_password')
|
||||
return executeProtectedAction(code, id, context, action)
|
||||
}
|
||||
|
||||
const createReset2FAToken = (code, userID, context) => {
|
||||
const action = user => users.createAuthToken(user.id, 'reset_twofa')
|
||||
|
||||
return users.getUserById(userID)
|
||||
.then(user => {
|
||||
if (user.role !== 'superuser') {
|
||||
return action(user)
|
||||
}
|
||||
|
||||
return confirm2FA(code, context)
|
||||
.then(() => action(user))
|
||||
})
|
||||
const action = () => users.createAuthToken(userID, 'reset_twofa')
|
||||
return executeProtectedAction(code, id, context, action)
|
||||
}
|
||||
|
||||
const createRegisterToken = (username, role) => {
|
||||
|
|
@ -243,7 +201,6 @@ const createRegisterToken = (username, role) => {
|
|||
|
||||
return users.createUserRegistrationToken(username, role)
|
||||
})
|
||||
.catch(err => console.error(err))
|
||||
}
|
||||
|
||||
const register = (token, username, password, role) => {
|
||||
|
|
@ -252,7 +209,6 @@ const register = (token, username, password, role) => {
|
|||
if (user) throw new authErrors.UserAlreadyExistsError()
|
||||
return users.register(token, username, password, role).then(() => true)
|
||||
})
|
||||
.catch(err => console.error(err))
|
||||
}
|
||||
|
||||
const resetPassword = (token, userID, newPassword, context) => {
|
||||
|
|
@ -262,7 +218,6 @@ const resetPassword = (token, userID, newPassword, context) => {
|
|||
return users.updatePassword(token, user.id, newPassword)
|
||||
})
|
||||
.then(() => true)
|
||||
.catch(err => console.error(err))
|
||||
}
|
||||
|
||||
const reset2FA = (token, userID, code, secret, context) => {
|
||||
|
|
@ -278,7 +233,6 @@ const reset2FA = (token, userID, code, secret, context) => {
|
|||
return users.reset2FASecret(token, user.id, secret)
|
||||
})
|
||||
.then(() => true)
|
||||
.catch(err => console.error(err))
|
||||
}
|
||||
|
||||
module.exports = {
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ const resolver = {
|
|||
changeUserRole: (...[, { confirmationCode, id, newRole }, context]) => authentication.changeUserRole(confirmationCode, id, newRole, context),
|
||||
login: (...[, { username, password }]) => authentication.login(username, password),
|
||||
input2FA: (...[, { username, password, rememberMe, code }, context]) => authentication.input2FA(username, password, rememberMe, code, context),
|
||||
setup2FA: (...[, { username, password, rememberMe, secret, codeConfirmation }, context]) => authentication.setup2FA(username, password, rememberMe, secret, codeConfirmation, context),
|
||||
setup2FA: (...[, { username, password, rememberMe, codeConfirmation }, context]) => authentication.setup2FA(username, password, rememberMe, codeConfirmation, context),
|
||||
createResetPasswordToken: (...[, { confirmationCode, userID }, context]) => authentication.createResetPasswordToken(confirmationCode, userID, context),
|
||||
createReset2FAToken: (...[, { confirmationCode, userID }, context]) => authentication.createReset2FAToken(confirmationCode, userID, context),
|
||||
createRegisterToken: (...[, { username, role }]) => authentication.createRegisterToken(username, role),
|
||||
|
|
|
|||
|
|
@ -65,7 +65,7 @@ const typeDef = `
|
|||
toggleUserEnable(id: ID!): User @auth(requires: [SUPERUSER])
|
||||
login(username: String!, password: String!): String
|
||||
input2FA(username: String!, password: String!, code: String!, rememberMe: Boolean!): Boolean
|
||||
setup2FA(username: String!, password: String!, rememberMe: Boolean!, secret: String!, codeConfirmation: String!): Boolean
|
||||
setup2FA(username: String!, password: String!, rememberMe: Boolean!, codeConfirmation: String!): Boolean
|
||||
createResetPasswordToken(confirmationCode: String, userID: ID!): ResetToken @auth(requires: [SUPERUSER])
|
||||
createReset2FAToken(confirmationCode: String, userID: ID!): ResetToken @auth(requires: [SUPERUSER])
|
||||
createRegisterToken(username: String!, role: String!): RegistrationToken @auth(requires: [SUPERUSER])
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ function validateUser (username, password) {
|
|||
const q2 = t.none('UPDATE users SET last_accessed = now() WHERE username=$1', [username])
|
||||
|
||||
return t.batch([q1, q2])
|
||||
.then(([user, _]) => user)
|
||||
.then(([user]) => user)
|
||||
.catch(() => false)
|
||||
})
|
||||
}
|
||||
|
|
|
|||
|
|
@ -18,14 +18,12 @@ const SETUP_2FA = gql`
|
|||
$username: String!
|
||||
$password: String!
|
||||
$rememberMe: Boolean!
|
||||
$secret: String!
|
||||
$codeConfirmation: String!
|
||||
) {
|
||||
setup2FA(
|
||||
username: $username
|
||||
password: $password
|
||||
rememberMe: $rememberMe
|
||||
secret: $secret
|
||||
codeConfirmation: $codeConfirmation
|
||||
)
|
||||
}
|
||||
|
|
@ -156,7 +154,6 @@ const Setup2FAState = ({ state, dispatch }) => {
|
|||
username: state.clientField,
|
||||
password: state.passwordField,
|
||||
rememberMe: state.rememberMeField,
|
||||
secret: secret,
|
||||
codeConfirmation: twoFAConfirmation
|
||||
}
|
||||
})
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue