fix: security flaw on auth tokens, error handling
This commit is contained in:
Sérgio Salgado
Josh Harvey
parent
40974dd501
commit
c00249586d
12 changed files with 185 additions and 144 deletions
|
|
@ -10,8 +10,9 @@ const authErrors = require('../errors/authentication')
|
|||
const REMEMBER_ME_AGE = 90 * T.day
|
||||
|
||||
function authenticateUser(username, password) {
|
||||
return loginHelper.checkUser(username)
|
||||
.then(hashedPassword => {
|
||||
return users.getUserByUsername(username)
|
||||
.then(user => {
|
||||
const hashedPassword = user.password
|
||||
if (!hashedPassword) throw new authErrors.InvalidCredentialsError()
|
||||
return Promise.all([bcrypt.compare(password, hashedPassword), hashedPassword])
|
||||
})
|
||||
|
|
@ -47,7 +48,7 @@ const confirm2FA = (token, context) => {
|
|||
|
||||
if (!requestingUser) throw new authErrors.InvalidCredentialsError()
|
||||
|
||||
return users.get2FASecret(requestingUser.id).then(user => {
|
||||
return users.getUserById(requestingUser.id).then(user => {
|
||||
const secret = user.twofa_code
|
||||
const isCodeValid = otplib.authenticator.verify({ token, secret })
|
||||
|
||||
|
|
@ -81,7 +82,7 @@ const validateReset2FALink = token => {
|
|||
return users.validate2FAResetToken(token)
|
||||
.then(r => {
|
||||
if (!r.success) throw new authErrors.InvalidUrlError()
|
||||
return users.findById(r.userID)
|
||||
return users.getUserById(r.userID)
|
||||
})
|
||||
.then(user => {
|
||||
const secret = otplib.authenticator.generateSecret()
|
||||
|
|
@ -101,7 +102,7 @@ const deleteSession = (sessionID, context) => {
|
|||
const login = (username, password) => {
|
||||
return authenticateUser(username, password).then(user => {
|
||||
if (!user) throw new authErrors.InvalidCredentialsError()
|
||||
return users.get2FASecret(user.id).then(user => {
|
||||
return users.getUserById(user.id).then(user => {
|
||||
const twoFASecret = user.twofa_code
|
||||
return twoFASecret ? 'INPUT2FA' : 'SETUP2FA'
|
||||
})
|
||||
|
|
@ -112,7 +113,7 @@ const input2FA = (username, password, rememberMe, code, context) => {
|
|||
return authenticateUser(username, password).then(user => {
|
||||
if (!user) throw new authErrors.InvalidCredentialsError()
|
||||
|
||||
return users.get2FASecret(user.id).then(user => {
|
||||
return users.getUserById(user.id).then(user => {
|
||||
const secret = user.twofa_code
|
||||
const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
|
||||
if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
|
||||
|
|
@ -138,7 +139,7 @@ const setup2FA = (username, password, secret, codeConfirmation) => {
|
|||
}
|
||||
|
||||
const createResetPasswordToken = userID => {
|
||||
return users.findById(userID)
|
||||
return users.getUserById(userID)
|
||||
.then(user => {
|
||||
if (!user) throw new authErrors.InvalidCredentialsError()
|
||||
return users.createResetPasswordToken(user.id)
|
||||
|
|
@ -147,7 +148,7 @@ const createResetPasswordToken = userID => {
|
|||
}
|
||||
|
||||
const createReset2FAToken = userID => {
|
||||
return users.findById(userID)
|
||||
return users.getUserById(userID)
|
||||
.then(user => {
|
||||
if (!user) throw new authErrors.InvalidCredentialsError()
|
||||
return users.createReset2FAToken(user.id)
|
||||
|
|
@ -156,7 +157,7 @@ const createReset2FAToken = userID => {
|
|||
}
|
||||
|
||||
const createRegisterToken = (username, role) => {
|
||||
return users.getByName(username)
|
||||
return users.getUserByUsername(username)
|
||||
.then(user => {
|
||||
if (user) throw new authErrors.UserAlreadyExistsError()
|
||||
|
||||
|
|
@ -165,29 +166,29 @@ const createRegisterToken = (username, role) => {
|
|||
.catch(err => console.error(err))
|
||||
}
|
||||
|
||||
const register = (username, password, role) => {
|
||||
return users.getByName(username)
|
||||
const register = (token, username, password, role) => {
|
||||
return users.getUserByUsername(username)
|
||||
.then(user => {
|
||||
if (user) throw new authErrors.UserAlreadyExistsError()
|
||||
return users.createUser(username, password, role).then(() => true)
|
||||
return users.register(token, username, password, role).then(() => true)
|
||||
})
|
||||
.catch(err => console.error(err))
|
||||
}
|
||||
|
||||
const resetPassword = (userID, newPassword, context) => {
|
||||
return users.findById(userID).then(user => {
|
||||
const resetPassword = (token, userID, newPassword, context) => {
|
||||
return users.getUserById(userID).then(user => {
|
||||
if (!user) throw new authErrors.InvalidCredentialsError()
|
||||
if (context.req.session.user && user.id === context.req.session.user.id) context.req.session.destroy()
|
||||
return users.updatePassword(user.id, newPassword)
|
||||
return users.updatePassword(token, user.id, newPassword)
|
||||
}).then(() => true).catch(err => console.error(err))
|
||||
}
|
||||
|
||||
const reset2FA = (userID, token, secret, context) => {
|
||||
return users.findById(userID).then(user => {
|
||||
const isCodeValid = otplib.authenticator.verify({ token, secret })
|
||||
const reset2FA = (token, userID, code, secret, context) => {
|
||||
return users.getUserById(userID).then(user => {
|
||||
const isCodeValid = otplib.authenticator.verify({ token: code, secret })
|
||||
if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
|
||||
if (context.req.session.user && user.id === context.req.session.user.id) context.req.session.destroy()
|
||||
return users.save2FASecret(user.id, secret).then(() => true)
|
||||
return users.reset2FASecret(token, user.id, secret).then(() => true)
|
||||
}).catch(err => console.error(err))
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -15,20 +15,20 @@ const resolver = {
|
|||
validateReset2FALink: (...[, { token }]) => authentication.validateReset2FALink(token)
|
||||
},
|
||||
Mutation: {
|
||||
deleteUser: (...[, { id }]) => users.deleteUser(id),
|
||||
enableUser: (...[, { id }]) => users.enableUser(id),
|
||||
disableUser: (...[, { id }]) => users.disableUser(id),
|
||||
deleteSession: (root, args, context, info) => authentication.deleteSession(args.sid, context),
|
||||
deleteUserSessions: (...[, { username }]) => sessionManager.deleteSessionsByUsername(username),
|
||||
changeUserRole: (...[, { id, newRole }]) => users.changeUserRole(id, newRole),
|
||||
toggleUserEnable: (...[, { id }]) => users.toggleUserEnable(id),
|
||||
login: (...[, { username, password }]) => authentication.login(username, password),
|
||||
input2FA: (root, args, context, info) => authentication.input2FA(args.username, args.password, args.rememberMe, args.code, context),
|
||||
setup2FA: (...[, { username, password, secret, codeConfirmation }]) => authentication.setup2FA(username, password, secret, codeConfirmation),
|
||||
createResetPasswordToken: (...[, { userID }]) => authentication.createResetPasswordToken(userID),
|
||||
createReset2FAToken: (...[, { userID }]) => authentication.createReset2FAToken(userID),
|
||||
createRegisterToken: (...[, { username, role }]) => authentication.createRegisterToken(username, role),
|
||||
register: (...[, { username, password, role }]) => authentication.register(username, password, role),
|
||||
resetPassword: (root, args, context, info) => authentication.resetPassword(args.userID, args.newPassword, context),
|
||||
reset2FA: (root, args, context, info) => authentication.reset2FA(args.userID, args.code, args.secret, context)
|
||||
register: (...[, { token, username, password, role }]) => authentication.register(token, username, password, role),
|
||||
resetPassword: (root, args, context, info) => authentication.resetPassword(args.token, args.userID, args.newPassword, context),
|
||||
reset2FA: (root, args, context, info) => authentication.reset2FA(args.token, args.userID, args.code, args.secret, context)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -57,7 +57,8 @@ const typeDef = `
|
|||
}
|
||||
|
||||
type Mutation {
|
||||
deleteUser(id: ID!): User @auth(requires: [SUPERUSER])
|
||||
enableUser(id: ID!): User @auth(requires: [SUPERUSER])
|
||||
disableUser(id: ID!): User @auth(requires: [SUPERUSER])
|
||||
deleteSession(sid: String!): UserSession @auth(requires: [SUPERUSER])
|
||||
deleteUserSessions(username: String!): [UserSession] @auth(requires: [SUPERUSER])
|
||||
changeUserRole(id: ID!, newRole: String!): User @auth(requires: [SUPERUSER])
|
||||
|
|
@ -68,9 +69,9 @@ const typeDef = `
|
|||
createResetPasswordToken(userID: ID!): ResetToken @auth(requires: [SUPERUSER])
|
||||
createReset2FAToken(userID: ID!): ResetToken @auth(requires: [SUPERUSER])
|
||||
createRegisterToken(username: String!, role: String!): RegistrationToken @auth(requires: [SUPERUSER])
|
||||
register(username: String!, password: String!, role: String!): Boolean
|
||||
resetPassword(userID: ID!, newPassword: String!): Boolean
|
||||
reset2FA(userID: ID!, secret: String!, code: String!): Boolean
|
||||
register(token: String!, username: String!, password: String!, role: String!): Boolean
|
||||
resetPassword(token: String!, userID: ID!, newPassword: String!): Boolean
|
||||
reset2FA(token: String!, userID: ID!, secret: String!, code: String!): Boolean
|
||||
}
|
||||
`
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue