fix: security flaw on auth tokens, error handling

2021-04-06 19:12:36 +01:00 · 2021-04-06 19:12:36 +01:00 · c00249586d
commit c00249586d
parent 40974dd501
12 changed files with 185 additions and 144 deletions
--- a/lib/new-admin/graphql/modules/authentication.js
+++ b/lib/new-admin/graphql/modules/authentication.js
@ -10,8 +10,9 @@ const authErrors = require('../errors/authentication')
 const REMEMBER_ME_AGE = 90 * T.day

 function authenticateUser(username, password) {
-  return loginHelper.checkUser(username)
-    .then(hashedPassword => {
+  return users.getUserByUsername(username)
+    .then(user => {
+      const hashedPassword = user.password
      if (!hashedPassword) throw new authErrors.InvalidCredentialsError()
      return Promise.all([bcrypt.compare(password, hashedPassword), hashedPassword])
    })
@ -47,7 +48,7 @@ const confirm2FA = (token, context) => {

  if (!requestingUser) throw new authErrors.InvalidCredentialsError()

-  return users.get2FASecret(requestingUser.id).then(user => {
+  return users.getUserById(requestingUser.id).then(user => {
    const secret = user.twofa_code
    const isCodeValid = otplib.authenticator.verify({ token, secret })

@ -81,7 +82,7 @@ const validateReset2FALink = token => {
  return users.validate2FAResetToken(token)
    .then(r => {
      if (!r.success) throw new authErrors.InvalidUrlError()
-      return users.findById(r.userID)
+      return users.getUserById(r.userID)
    })
    .then(user => {
      const secret = otplib.authenticator.generateSecret()
@ -101,7 +102,7 @@ const deleteSession = (sessionID, context) => {
 const login = (username, password) => {
  return authenticateUser(username, password).then(user => {
    if (!user) throw new authErrors.InvalidCredentialsError()
-    return users.get2FASecret(user.id).then(user => {
+    return users.getUserById(user.id).then(user => {
      const twoFASecret = user.twofa_code
      return twoFASecret ? 'INPUT2FA' : 'SETUP2FA'
    })
@ -112,7 +113,7 @@ const input2FA = (username, password, rememberMe, code, context) => {
  return authenticateUser(username, password).then(user => {
    if (!user) throw new authErrors.InvalidCredentialsError()

-    return users.get2FASecret(user.id).then(user => {
+    return users.getUserById(user.id).then(user => {
      const secret = user.twofa_code
      const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
      if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
@ -138,7 +139,7 @@ const setup2FA = (username, password, secret, codeConfirmation) => {
 }

 const createResetPasswordToken = userID => {
-  return users.findById(userID)
+  return users.getUserById(userID)
    .then(user => {
      if (!user) throw new authErrors.InvalidCredentialsError()
      return users.createResetPasswordToken(user.id)
@ -147,7 +148,7 @@ const createResetPasswordToken = userID => {
 }

 const createReset2FAToken = userID => {
-  return users.findById(userID)
+  return users.getUserById(userID)
    .then(user => {
      if (!user) throw new authErrors.InvalidCredentialsError()
      return users.createReset2FAToken(user.id)
@ -156,7 +157,7 @@ const createReset2FAToken = userID => {
 }

 const createRegisterToken = (username, role) => {
-  return users.getByName(username)
+  return users.getUserByUsername(username)
    .then(user => {
      if (user) throw new authErrors.UserAlreadyExistsError()

@ -165,29 +166,29 @@ const createRegisterToken = (username, role) => {
    .catch(err => console.error(err))
 }

-const register = (username, password, role) => {
-  return users.getByName(username)
+const register = (token, username, password, role) => {
+  return users.getUserByUsername(username)
    .then(user => {
      if (user) throw new authErrors.UserAlreadyExistsError()
-      return users.createUser(username, password, role).then(() => true)
+      return users.register(token, username, password, role).then(() => true)
    })
    .catch(err => console.error(err))
 }

-const resetPassword = (userID, newPassword, context) => {
-  return users.findById(userID).then(user => {
+const resetPassword = (token, userID, newPassword, context) => {
+  return users.getUserById(userID).then(user => {
    if (!user) throw new authErrors.InvalidCredentialsError()
    if (context.req.session.user && user.id === context.req.session.user.id) context.req.session.destroy()
-    return users.updatePassword(user.id, newPassword)
+    return users.updatePassword(token, user.id, newPassword)
  }).then(() => true).catch(err => console.error(err))
 }

-const reset2FA = (userID, token, secret, context) => {
-  return users.findById(userID).then(user => {
-    const isCodeValid = otplib.authenticator.verify({ token, secret })
+const reset2FA = (token, userID, code, secret, context) => {
+  return users.getUserById(userID).then(user => {
+    const isCodeValid = otplib.authenticator.verify({ token: code, secret })
    if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
    if (context.req.session.user && user.id === context.req.session.user.id) context.req.session.destroy()
-    return users.save2FASecret(user.id, secret).then(() => true)
+    return users.reset2FASecret(token, user.id, secret).then(() => true)
  }).catch(err => console.error(err))
 }