feat: add user management screen

feat: login screen fix: login routing and layout feat: add users migration feat: passport login strategy fix: users migration feat: simple authentication fix: request body feat: JWT authorization feat: 2fa step on login feat: 2fa flow feat: add rememberme to req body fix: hide 2fa secret from jwt fix: block login access to logged in user fix: rerouting to wizard refactor: login screen feat: setup 2fa state on login feat: 2fa secret qr code fix: remove jwt from 2fa secret fix: wizard redirect after login fix: 2fa setup flow fix: user id to uuid feat: user roles feat: user sessions and db persistence feat: session saving on DB and cookie refactor: unused code feat: cookie auto renew on request feat: get user data endpoint fix: repeated requests feat: react routing fix: private routes refactor: auth feat: sessions aware of ua and ip feat: sessions on gql feat: session management screen feat: replace user_tokens usage for users feat: user deletion also deletes active sessions feat: remember me alters session cookie accordingly feat: last session by all users fix: login feedback fix: page loading UX feat: routes based on user role feat: header aware of roles feat: reset password fix: reset password endpoint feat: handle password change feat: reset 2FA feat: user role on management screen feat: change user role fix: user last session query fix: context fix: destroy own session feat: reset password now resets sessions feat: reset 2fa now resets sessions refactor: user data refactor: user management screen feat: user enable feat: schema directives fix: remove schema directive temp feat: create new users feat: register endpoint feat: modals for reset links fix: directive Date errors feat: superuser directive feat: create user url modal fix: user management layout feat: confirmation modals fix: info text feat: 2fa input component feat: code input on 2fa state feat: add button styling feat: confirmation modal on superuser action feat: rework 2fa setup screen feat: rework reset 2fa screen fix: session management screen fix: user management screen fix: blacklist roles chore: migrate old customer values to new columns fix: value migration fix: value migration refactor: remove old code
2020-10-27 10:05:06 +00:00 · 2020-10-27 10:05:06 +00:00 · fded22f39a
commit fded22f39a
parent 368781864e
50 changed files with 9839 additions and 4501 deletions
--- a/lib/new-admin/admin-server.js
+++ b/lib/new-admin/admin-server.js
@ -8,14 +8,20 @@ const cors = require('cors')
 const helmet = require('helmet')
 const nocache = require('nocache')
 const cookieParser = require('cookie-parser')
+const bodyParser = require('body-parser')
 const { ApolloServer, AuthenticationError } = require('apollo-server-express')
 const _ = require('lodash/fp')
+const session = require('express-session')
+const pgSession = require('connect-pg-simple')(session)

-const { typeDefs, resolvers } = require('./graphql/schema')
 const login = require('./services/login')
 const register = require('./routes/authentication')

 const options = require('../options')
+const db = require('../db')
+const users = require('../users')
+
+const { typeDefs, resolvers, AuthDirective, SuperuserDirective } = require('./graphql/schema')

 const devMode = require('minimist')(process.argv.slice(2)).dev
 const idPhotoCardBasedir = _.get('idPhotoCardDir', options)
@ -32,11 +38,35 @@ app.use(helmet())
 app.use(compression())
 app.use(nocache())
 app.use(cookieParser())
+app.use(bodyParser.json())
+app.use(bodyParser.urlencoded({ extended: true })) // support encoded bodies
 app.use(express.static(path.resolve(__dirname, '..', '..', 'public')))

+app.use(['*'], session({
+  store: new pgSession({
+    pgPromise: db,
+    tableName: 'user_sessions'
+  }),
+  name: 'lid',
+  secret: 'MY_SECRET',
+  resave: false,
+  saveUninitialized: false,
+  cookie: {
+    httpOnly: true,
+    secure: true,
+    domain: hostname,
+    sameSite: true,
+    maxAge: 60 * 10 * 1000 // 10 minutes
+  }
+}))
+
 const apolloServer = new ApolloServer({
  typeDefs,
  resolvers,
+  schemaDirectives: {
+    auth: AuthDirective,
+    superuser: SuperuserDirective
+  },
  playground: false,
  introspection: false,
  formatError: error => {
@ -44,10 +74,19 @@ const apolloServer = new ApolloServer({
    return error
  },
  context: async ({ req }) => {
-    const token = req.cookies && req.cookies.token
+    if (!req.session.user) throw new AuthenticationError('Authentication failed')
+    const user = await users.verifyAndUpdateUser(
+      req.session.user.id,
+      req.headers['user-agent'] || 'Unknown',
+      req.ip
+    )
+    if (!user || !user.enabled) throw new AuthenticationError('Authentication failed')

-    const success = await login.authenticate(token)
-    if (!success) throw new AuthenticationError('Authentication failed')
+    req.session.ua = req.headers['user-agent'] || 'Unknown'
+    req.session.ipAddress = req.ip
+    req.session.lastUsed = new Date(Date.now()).toISOString()
+    req.session.user.id = user.id
+    req.session.user.role = user.role
    return { req: { ...req } }
  }
 })
@ -67,6 +106,8 @@ app.use('/id-card-photo', serveStatic(idPhotoCardBasedir, { index: false }))
 app.use('/front-camera-photo', serveStatic(frontCameraBasedir, { index: false }))
 app.use('/api', register)

+require('./routes/auth')(app)
+
 // Everything not on graphql or api/register is redirected to the front-end
 app.get('*', (req, res) => res.sendFile(path.resolve(__dirname, '..', '..', 'public', 'index.html')))

--- a/lib/new-admin/routes/auth.js
+++ b/lib/new-admin/routes/auth.js
@ -0,0 +1,259 @@
+const otplib = require('otplib')
+const bcrypt = require('bcrypt')
+
+const users = require('../../users')
+const login = require('../login')
+
+async function isValidUser (username, password) {
+  const hashedPassword = await login.checkUser(username)
+  if (!hashedPassword) return false
+
+  const isMatch = await bcrypt.compare(password, hashedPassword)
+  if (!isMatch) return false
+
+  const user = await login.validateUser(username, hashedPassword)
+  if (!user) return false
+  return user
+}
+
+module.exports = function (app) {
+  app.post('/api/login', function (req, res, next) {
+    const usernameInput = req.body.username
+    const passwordInput = req.body.password
+
+    isValidUser(usernameInput, passwordInput).then(user => {
+      if (!user) return res.sendStatus(403)
+      users.get2FASecret(user.id).then(user => {
+        const twoFASecret = user.twofa_code
+        if (twoFASecret) return res.status(200).json({ message: 'INPUT2FA' })
+        if (!twoFASecret) return res.status(200).json({ message: 'SETUP2FA' })
+      })
+    })
+  })
+
+  app.post('/api/login/2fa', function (req, res, next) {
+    const code = req.body.twoFACode
+    const username = req.body.username
+    const password = req.body.password
+    const rememberMeInput = req.body.rememberMe
+
+    isValidUser(username, password).then(user => {
+      if (!user) return res.sendStatus(403)
+
+      users.get2FASecret(user.id).then(user => {
+        const secret = user.twofa_code
+        const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
+        if (!isCodeValid) return res.sendStatus(403)
+
+        const finalUser = { id: user.id, username: user.username, role: user.role }
+        req.session.user = finalUser
+        if (rememberMeInput) req.session.cookie.maxAge = 90 * 24 * 60 * 60 * 1000 // 90 days
+
+        return res.sendStatus(200)
+      })
+    })
+  })
+
+  app.post('/api/login/2fa/setup', function (req, res, next) {
+    const username = req.body.username
+    const password = req.body.password
+
+    // TODO: maybe check if the user already has a 2fa secret
+    isValidUser(username, password).then(user => {
+      if (!user) return res.sendStatus(403)
+
+      const secret = otplib.authenticator.generateSecret()
+      const otpauth = otplib.authenticator.keyuri(username, 'Lamassu Industries', secret)
+      return res.status(200).json({ secret, otpauth })
+    })
+  })
+
+  app.post('/api/login/2fa/save', function (req, res, next) {
+    const username = req.body.username
+    const password = req.body.password
+    const secret = req.body.secret
+    const code = req.body.code
+
+    isValidUser(username, password).then(user => {
+      if (!user || !secret) return res.sendStatus(403)
+
+      const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
+      if (!isCodeValid) return res.sendStatus(403)
+
+      users.save2FASecret(user.id, secret)
+      return res.sendStatus(200)
+    })
+  })
+
+  app.get('/user-data', function (req, res, next) {
+    const lidCookie = req.cookies && req.cookies.lid
+    if (!lidCookie) {
+      res.sendStatus(403)
+      return
+    }
+
+    const user = req.session.user
+    return res.status(200).json({ message: 'Success', user: user })
+  })
+
+  app.post('/api/resetpassword', function (req, res, next) {
+    const userID = req.body.userID
+
+    users.findById(userID)
+      .then(user => {
+        if (!user) return res.sendStatus(403)
+        return users.createResetPasswordToken(user.id)
+      })
+      .then(token => {
+        return res.status(200).json({ token })
+      })
+      .catch(err => console.log(err))
+  })
+
+  app.get('/api/resetpassword', function (req, res, next) {
+    const token = req.query.t
+
+    if (!token) return res.sendStatus(400)
+    return users.validatePasswordResetToken(token)
+      .then(r => {
+        if (!r.success) return res.status(200).send('The link has expired')
+        return res.status(200).json({ userID: r.userID })
+      })
+      .catch(err => {
+        console.log(err)
+        res.sendStatus(400)
+      })
+  })
+
+  app.post('/api/updatepassword', function (req, res, next) {
+    const userID = req.body.userID
+    const newPassword = req.body.newPassword
+
+    users.findById(userID).then(user => {
+      if (req.session.user && user.id === req.session.user.id) req.session.destroy()
+      return users.updatePassword(user.id, newPassword)
+    }).then(() => {
+      res.sendStatus(200)
+    }).catch(err => {
+      console.log(err)
+      res.sendStatus(400)
+    })
+  })
+
+  app.post('/api/reset2fa', function (req, res, next) {
+    const userID = req.body.userID
+
+    users.findById(userID)
+      .then(user => {
+        if (!user) return res.sendStatus(403)
+        return users.createReset2FAToken(user.id)
+      })
+      .then(token => {
+        return res.status(200).json({ token })
+      })
+      .catch(err => console.log(err))
+  })
+
+  app.get('/api/reset2fa', function (req, res, next) {
+    const token = req.query.t
+
+    if (!token) return res.sendStatus(400)
+    return users.validate2FAResetToken(token)
+      .then(r => {
+        if (!r.success) return res.status(200).send('The link has expired')
+        return users.findById(r.userID)
+      })
+      .then(user => {
+        const secret = otplib.authenticator.generateSecret()
+        const otpauth = otplib.authenticator.keyuri(user.username, 'Lamassu Industries', secret)
+        return res.status(200).json({ userID: user.id, secret, otpauth })
+      })
+      .catch(err => {
+        console.log(err)
+        res.sendStatus(400)
+      })
+  })
+
+  app.post('/api/update2fa', function (req, res, next) {
+    const userID = req.body.userID
+    const secret = req.body.secret
+    const code = req.body.code
+
+    users.findById(userID).then(user => {
+      const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
+      if (!isCodeValid) return res.sendStatus(401)
+
+      if (req.session.user && user.id === req.session.user.id) req.session.destroy()
+      users.save2FASecret(user.id, secret).then(() => { return res.sendStatus(200) })
+    }).catch(err => {
+      console.log(err)
+      return res.sendStatus(400)
+    })
+  })
+
+  app.post('/api/createuser', function (req, res, next) {
+    const username = req.body.username
+    const role = req.body.role
+
+    users.getByName(username)
+      .then(user => {
+        if (user) return res.status(200).json({ message: 'User already exists!' })
+
+        users.createUserRegistrationToken(username, role).then(token => {
+          return res.status(200).json({ token })
+        })
+      })
+      .catch(err => {
+        console.log(err)
+        res.sendStatus(400)
+      })
+  })
+
+  app.get('/api/register', function (req, res, next) {
+    const token = req.query.t
+
+    if (!token) return res.sendStatus(400)
+    users.validateUserRegistrationToken(token)
+      .then(r => {
+        if (!r.success) return res.status(200).json({ message: 'The link has expired' })
+        return res.status(200).json({ username: r.username, role: r.role })
+      })
+      .catch(err => {
+        console.log(err)
+        res.sendStatus(400)
+      })
+  })
+
+  app.post('/api/register', function (req, res, next) {
+    const username = req.body.username
+    const password = req.body.password
+    const role = req.body.role
+
+    users.getByName(username)
+      .then(user => {
+        if (user) return res.status(200).json({ message: 'User already exists!' })
+
+        users.createUser(username, password, role)
+        res.sendStatus(200)
+      })
+      .catch(err => {
+        console.log(err)
+        res.sendStatus(400)
+      })
+  })
+
+  app.post('/api/confirm2fa', function (req, res, next) {
+    const code = req.body.code
+    const requestingUser = req.session.user
+
+    if (!requestingUser) return res.status(403)
+
+    users.get2FASecret(requestingUser.id).then(user => {
+      const secret = user.twofa_code
+      const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
+      if (!isCodeValid) return res.sendStatus(401)
+
+      return res.sendStatus(200)
+    })
+  })
+}
--- a/lib/new-admin/services/login.js
+++ b/lib/new-admin/services/login.js
@ -1,48 +1,20 @@
-const crypto = require('crypto')
-
 const db = require('../../db')

-function generateOTP (name) {
-  const otp = crypto.randomBytes(32).toString('hex')
-
-  const sql = 'insert into one_time_passes (token, name) values ($1, $2)'
-
-  return db.none(sql, [otp, name])
-    .then(() => otp)
+function checkUser (username) {
+  const sql = 'select * from users where username=$1'
+  return db.oneOrNone(sql, [username]).then(value => { return value.password }).catch(() => false)
 }

-function validateOTP (otp) {
-  const sql = `delete from one_time_passes
-    where token=$1
-    returning name, created < now() - interval '1 hour' as expired`
+function validateUser (username, password) {
+  const sql = 'select id, username from users where username=$1 and password=$2'
+  const sqlUpdateLastAccessed = 'update users set last_accessed = now() where username=$1'

-  return db.one(sql, [otp])
-    .then(r => ({ success: !r.expired, expired: r.expired, name: r.name }))
-    .catch(() => ({ success: false, expired: false }))
-}
-
-function register (otp, ua, ip) {
-  return validateOTP(otp)
-    .then(r => {
-      if (!r.success) return r
-
-      const token = crypto.randomBytes(32).toString('hex')
-      const sql = 'insert into user_tokens (token, name, user_agent, ip_address) values ($1, $2, $3, $4)'
-
-      return db.none(sql, [token, r.name, ua, ip])
-        .then(() => ({ success: true, token: token }))
-    })
-    .catch(() => ({ success: false, expired: false }))
-}
-
-function authenticate (token) {
-  const sql = 'select token from user_tokens where token=$1'
-
-  return db.one(sql, [token]).then(() => true).catch(() => false)
+  return db.oneOrNone(sql, [username, password])
+    .then(user => { db.none(sqlUpdateLastAccessed, [user.username]); return user })
+    .catch(() => false)
 }

 module.exports = {
-  generateOTP,
-  register,
-  authenticate
+  checkUser,
+  validateUser
 }
--- a/lib/session-manager.js
+++ b/lib/session-manager.js
@ -0,0 +1,42 @@
+const db = require('./db')
+
+function getSessionList () {
+  const sql = `select * from user_sessions order by sess -> 'user' ->> 'username'`
+  return db.any(sql)
+}
+
+function getLastSessionByUser () {
+  const sql = `select b.username, a.user_agent, a.ip_address, a.last_used, b.role from (
+    select sess -> 'user' ->> 'username' as username,
+    sess ->> 'ua' as user_agent,
+    sess ->> 'ipAddress' as ip_address,
+    sess ->> 'lastUsed' as last_used
+    from user_sessions
+    ) a right join (
+    select distinct on (username)
+    username, role
+    from users) b on a.username = b.username`
+  return db.any(sql)
+}
+
+function getUserSessions (username) {
+  const sql = `select * from user_sessions where sess -> 'user' ->> 'username'=$1`
+  return db.any(sql, [username])
+}
+
+function getSession (sessionID) {
+  const sql = `select * from user_sessions where sid=$1`
+  return db.any(sql, [sessionID])
+}
+
+function deleteUserSessions (username) {
+  const sql = `delete from user_sessions where sess -> 'user' ->> 'username'=$1`
+  return db.none(sql, [username])
+}
+
+function deleteSession (sessionID) {
+  const sql = `delete from user_sessions where sid=$1`
+  return db.none(sql, [sessionID])
+}
+
+module.exports = { getSessionList, getLastSessionByUser, getUserSessions, getSession, deleteUserSessions, deleteSession }
--- a/lib/token-manager.js
+++ b/lib/token-manager.js
@ -1,13 +0,0 @@
-const db = require('./db')
-
-function getTokenList () {
-  const sql = `select * from user_tokens`
-  return db.any(sql)
-}
-
-function revokeToken (token) {
-  const sql = `delete from user_tokens where token = $1`
-  return db.none(sql, [token])
-}
-
-module.exports = { getTokenList, revokeToken }
--- a/lib/users.js
+++ b/lib/users.js
@ -1,5 +1,8 @@
 const _ = require('lodash/fp')
 const pgp = require('pg-promise')()
+const crypto = require('crypto')
+const bcrypt = require('bcrypt')
+const uuid = require('uuid')

 const db = require('./db')

@ -33,4 +36,143 @@ function getByIds (tokens) {
  const tokensClause = _.map(pgp.as.text, tokens).join(',')
  return db.any(sql, [tokensClause])
 }
-module.exports = { get, getByIds }
+
+function getUsers () {
+  const sql = `select id, username, role, enabled, last_accessed, last_accessed_from, last_accessed_address from users order by username`
+  return db.any(sql)
+}
+
+function getByName (username) {
+  const sql = `select id, username, role, last_accessed from users where username=$1 limit 1`
+  return db.oneOrNone(sql, [username])
+}
+
+function verifyAndUpdateUser (id, ua, ip) {
+  const sql = `select id, username, role, enabled from users where id=$1 limit 1`
+  return db.oneOrNone(sql, [id]).then(user => {
+    if (!user) return null
+
+    const sql2 = `update users set last_accessed=now(), last_accessed_from=$1, last_accessed_address=$2 where id=$3 returning id, role, enabled`
+    return db.one(sql2, [ua, ip, id]).then(user => {
+      return user
+    })
+  })
+}
+
+function createUser (username, password, role) {
+  const sql = `insert into users (id, username, password, role) values ($1, $2, $3, $4)`
+  bcrypt.hash(password, 12).then(function (hash) {
+    return db.none(sql, [uuid.v4(), username, hash, role])
+  })
+}
+
+function deleteUser (id) {
+  const sql = `delete from users where id=$1`
+  const sql2 = `delete from user_sessions where sess -> 'user' ->> 'id'=$1`
+
+  return db.none(sql, [id]).then(() => db.none(sql2, [id]))
+}
+
+function findById (id) {
+  const sql = 'select id, username from users where id=$1'
+  return db.oneOrNone(sql, [id])
+}
+
+function get2FASecret (id) {
+  const sql = 'select id, username, twofa_code, role from users where id=$1'
+  return db.oneOrNone(sql, [id])
+}
+
+function save2FASecret (id, secret) {
+  const sql = 'update users set twofa_code=$1 where id=$2'
+  const sql2 = `delete from user_sessions where sess -> 'user' ->> 'id'=$1`
+  return db.none(sql, [secret, id]).then(() => db.none(sql2, [id]))
+}
+
+function validate2FAResetToken (token) {
+  const sql = `delete from reset_twofa
+    where token=$1
+    returning user_id, now() < expire as success`
+
+  return db.one(sql, [token])
+    .then(res => ({ userID: res.user_id, success: res.success }))
+}
+
+function createReset2FAToken (userID) {
+  const token = crypto.randomBytes(32).toString('hex')
+  const sql = `insert into reset_twofa (token, user_id) values ($1, $2) on conflict (user_id) do update set token=$1, expire=now() + interval '30 minutes' returning *`
+
+  return db.one(sql, [token, userID])
+}
+
+function updatePassword (id, password) {
+  bcrypt.hash(password, 12).then(function (hash) {
+    const sql = `update users set password=$1 where id=$2`
+    const sql2 = `delete from user_sessions where sess -> 'user' ->> 'id'=$1`
+    return db.none(sql, [hash, id]).then(() => db.none(sql2, [id]))
+  })
+}
+
+function validatePasswordResetToken (token) {
+  const sql = `delete from reset_password
+    where token=$1
+    returning user_id, now() < expire as success`
+
+  return db.one(sql, [token])
+    .then(res => ({ userID: res.user_id, success: res.success }))
+}
+
+function createResetPasswordToken (userID) {
+  const token = crypto.randomBytes(32).toString('hex')
+  const sql = `insert into reset_password (token, user_id) values ($1, $2) on conflict (user_id) do update set token=$1, expire=now() + interval '30 minutes' returning *`
+
+  return db.one(sql, [token, userID])
+}
+
+function createUserRegistrationToken (username, role) {
+  const token = crypto.randomBytes(32).toString('hex')
+  const sql = `insert into user_register_tokens (token, username, role) values ($1, $2, $3) on conflict (username)
+    do update set token=$1, expire=now() + interval '30 minutes' returning *`
+
+  return db.one(sql, [token, username, role])
+}
+
+function validateUserRegistrationToken (token) {
+  const sql = `delete from user_register_tokens where token=$1
+    returning username, role, now() < expire as success`
+
+  return db.one(sql, [token])
+    .then(res => ({ username: res.username, role: res.role, success: res.success }))
+}
+
+function changeUserRole (id, newRole) {
+  const sql = `update users set role=$1 where id=$2`
+  return db.none(sql, [newRole, id])
+}
+
+function toggleUserEnable (id) {
+  const sql = `update users set enabled=not enabled where id=$1`
+  return db.none(sql, [id])
+}
+
+module.exports = {
+  get,
+  getByIds,
+  getUsers,
+  getByName,
+  verifyAndUpdateUser,
+  createUser,
+  deleteUser,
+  findById,
+  updatePassword,
+  get2FASecret,
+  save2FASecret,
+  validate2FAResetToken,
+  createReset2FAToken,
+  validatePasswordResetToken,
+  createResetPasswordToken,
+  createUserRegistrationToken,
+  validateUserRegistrationToken,
+  changeUserRole,
+  toggleUserEnable
+}