feat: add user management screen

feat: login screen fix: login routing and layout feat: add users migration feat: passport login strategy fix: users migration feat: simple authentication fix: request body feat: JWT authorization feat: 2fa step on login feat: 2fa flow feat: add rememberme to req body fix: hide 2fa secret from jwt fix: block login access to logged in user fix: rerouting to wizard refactor: login screen feat: setup 2fa state on login feat: 2fa secret qr code fix: remove jwt from 2fa secret fix: wizard redirect after login fix: 2fa setup flow fix: user id to uuid feat: user roles feat: user sessions and db persistence feat: session saving on DB and cookie refactor: unused code feat: cookie auto renew on request feat: get user data endpoint fix: repeated requests feat: react routing fix: private routes refactor: auth feat: sessions aware of ua and ip feat: sessions on gql feat: session management screen feat: replace user_tokens usage for users feat: user deletion also deletes active sessions feat: remember me alters session cookie accordingly feat: last session by all users fix: login feedback fix: page loading UX feat: routes based on user role feat: header aware of roles feat: reset password fix: reset password endpoint feat: handle password change feat: reset 2FA feat: user role on management screen feat: change user role fix: user last session query fix: context fix: destroy own session feat: reset password now resets sessions feat: reset 2fa now resets sessions refactor: user data refactor: user management screen feat: user enable feat: schema directives fix: remove schema directive temp feat: create new users feat: register endpoint feat: modals for reset links fix: directive Date errors feat: superuser directive feat: create user url modal fix: user management layout feat: confirmation modals fix: info text feat: 2fa input component feat: code input on 2fa state feat: add button styling feat: confirmation modal on superuser action feat: rework 2fa setup screen feat: rework reset 2fa screen fix: session management screen fix: user management screen fix: blacklist roles chore: migrate old customer values to new columns fix: value migration fix: value migration refactor: remove old code
2020-10-27 10:05:06 +00:00 · 2020-10-27 10:05:06 +00:00 · fded22f39a
commit fded22f39a
parent 368781864e
50 changed files with 9839 additions and 4501 deletions
--- a/lib/new-admin/admin-server.js
+++ b/lib/new-admin/admin-server.js
@ -8,14 +8,20 @@ const cors = require('cors')
 const helmet = require('helmet')
 const nocache = require('nocache')
 const cookieParser = require('cookie-parser')
+const bodyParser = require('body-parser')
 const { ApolloServer, AuthenticationError } = require('apollo-server-express')
 const _ = require('lodash/fp')
+const session = require('express-session')
+const pgSession = require('connect-pg-simple')(session)

-const { typeDefs, resolvers } = require('./graphql/schema')
 const login = require('./services/login')
 const register = require('./routes/authentication')

 const options = require('../options')
+const db = require('../db')
+const users = require('../users')
+
+const { typeDefs, resolvers, AuthDirective, SuperuserDirective } = require('./graphql/schema')

 const devMode = require('minimist')(process.argv.slice(2)).dev
 const idPhotoCardBasedir = _.get('idPhotoCardDir', options)
@ -32,11 +38,35 @@ app.use(helmet())
 app.use(compression())
 app.use(nocache())
 app.use(cookieParser())
+app.use(bodyParser.json())
+app.use(bodyParser.urlencoded({ extended: true })) // support encoded bodies
 app.use(express.static(path.resolve(__dirname, '..', '..', 'public')))

+app.use(['*'], session({
+  store: new pgSession({
+    pgPromise: db,
+    tableName: 'user_sessions'
+  }),
+  name: 'lid',
+  secret: 'MY_SECRET',
+  resave: false,
+  saveUninitialized: false,
+  cookie: {
+    httpOnly: true,
+    secure: true,
+    domain: hostname,
+    sameSite: true,
+    maxAge: 60 * 10 * 1000 // 10 minutes
+  }
+}))
+
 const apolloServer = new ApolloServer({
  typeDefs,
  resolvers,
+  schemaDirectives: {
+    auth: AuthDirective,
+    superuser: SuperuserDirective
+  },
  playground: false,
  introspection: false,
  formatError: error => {
@ -44,10 +74,19 @@ const apolloServer = new ApolloServer({
    return error
  },
  context: async ({ req }) => {
-    const token = req.cookies && req.cookies.token
+    if (!req.session.user) throw new AuthenticationError('Authentication failed')
+    const user = await users.verifyAndUpdateUser(
+      req.session.user.id,
+      req.headers['user-agent'] || 'Unknown',
+      req.ip
+    )
+    if (!user || !user.enabled) throw new AuthenticationError('Authentication failed')

-    const success = await login.authenticate(token)
-    if (!success) throw new AuthenticationError('Authentication failed')
+    req.session.ua = req.headers['user-agent'] || 'Unknown'
+    req.session.ipAddress = req.ip
+    req.session.lastUsed = new Date(Date.now()).toISOString()
+    req.session.user.id = user.id
+    req.session.user.role = user.role
    return { req: { ...req } }
  }
 })
@ -67,6 +106,8 @@ app.use('/id-card-photo', serveStatic(idPhotoCardBasedir, { index: false }))
 app.use('/front-camera-photo', serveStatic(frontCameraBasedir, { index: false }))
 app.use('/api', register)

+require('./routes/auth')(app)
+
 // Everything not on graphql or api/register is redirected to the front-end
 app.get('*', (req, res) => res.sendFile(path.resolve(__dirname, '..', '..', 'public', 'index.html')))

--- a/lib/new-admin/routes/auth.js
+++ b/lib/new-admin/routes/auth.js
@ -0,0 +1,259 @@
+const otplib = require('otplib')
+const bcrypt = require('bcrypt')
+
+const users = require('../../users')
+const login = require('../login')
+
+async function isValidUser (username, password) {
+  const hashedPassword = await login.checkUser(username)
+  if (!hashedPassword) return false
+
+  const isMatch = await bcrypt.compare(password, hashedPassword)
+  if (!isMatch) return false
+
+  const user = await login.validateUser(username, hashedPassword)
+  if (!user) return false
+  return user
+}
+
+module.exports = function (app) {
+  app.post('/api/login', function (req, res, next) {
+    const usernameInput = req.body.username
+    const passwordInput = req.body.password
+
+    isValidUser(usernameInput, passwordInput).then(user => {
+      if (!user) return res.sendStatus(403)
+      users.get2FASecret(user.id).then(user => {
+        const twoFASecret = user.twofa_code
+        if (twoFASecret) return res.status(200).json({ message: 'INPUT2FA' })
+        if (!twoFASecret) return res.status(200).json({ message: 'SETUP2FA' })
+      })
+    })
+  })
+
+  app.post('/api/login/2fa', function (req, res, next) {
+    const code = req.body.twoFACode
+    const username = req.body.username
+    const password = req.body.password
+    const rememberMeInput = req.body.rememberMe
+
+    isValidUser(username, password).then(user => {
+      if (!user) return res.sendStatus(403)
+
+      users.get2FASecret(user.id).then(user => {
+        const secret = user.twofa_code
+        const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
+        if (!isCodeValid) return res.sendStatus(403)
+
+        const finalUser = { id: user.id, username: user.username, role: user.role }
+        req.session.user = finalUser
+        if (rememberMeInput) req.session.cookie.maxAge = 90 * 24 * 60 * 60 * 1000 // 90 days
+
+        return res.sendStatus(200)
+      })
+    })
+  })
+
+  app.post('/api/login/2fa/setup', function (req, res, next) {
+    const username = req.body.username
+    const password = req.body.password
+
+    // TODO: maybe check if the user already has a 2fa secret
+    isValidUser(username, password).then(user => {
+      if (!user) return res.sendStatus(403)
+
+      const secret = otplib.authenticator.generateSecret()
+      const otpauth = otplib.authenticator.keyuri(username, 'Lamassu Industries', secret)
+      return res.status(200).json({ secret, otpauth })
+    })
+  })
+
+  app.post('/api/login/2fa/save', function (req, res, next) {
+    const username = req.body.username
+    const password = req.body.password
+    const secret = req.body.secret
+    const code = req.body.code
+
+    isValidUser(username, password).then(user => {
+      if (!user || !secret) return res.sendStatus(403)
+
+      const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
+      if (!isCodeValid) return res.sendStatus(403)
+
+      users.save2FASecret(user.id, secret)
+      return res.sendStatus(200)
+    })
+  })
+
+  app.get('/user-data', function (req, res, next) {
+    const lidCookie = req.cookies && req.cookies.lid
+    if (!lidCookie) {
+      res.sendStatus(403)
+      return
+    }
+
+    const user = req.session.user
+    return res.status(200).json({ message: 'Success', user: user })
+  })
+
+  app.post('/api/resetpassword', function (req, res, next) {
+    const userID = req.body.userID
+
+    users.findById(userID)
+      .then(user => {
+        if (!user) return res.sendStatus(403)
+        return users.createResetPasswordToken(user.id)
+      })
+      .then(token => {
+        return res.status(200).json({ token })
+      })
+      .catch(err => console.log(err))
+  })
+
+  app.get('/api/resetpassword', function (req, res, next) {
+    const token = req.query.t
+
+    if (!token) return res.sendStatus(400)
+    return users.validatePasswordResetToken(token)
+      .then(r => {
+        if (!r.success) return res.status(200).send('The link has expired')
+        return res.status(200).json({ userID: r.userID })
+      })
+      .catch(err => {
+        console.log(err)
+        res.sendStatus(400)
+      })
+  })
+
+  app.post('/api/updatepassword', function (req, res, next) {
+    const userID = req.body.userID
+    const newPassword = req.body.newPassword
+
+    users.findById(userID).then(user => {
+      if (req.session.user && user.id === req.session.user.id) req.session.destroy()
+      return users.updatePassword(user.id, newPassword)
+    }).then(() => {
+      res.sendStatus(200)
+    }).catch(err => {
+      console.log(err)
+      res.sendStatus(400)
+    })
+  })
+
+  app.post('/api/reset2fa', function (req, res, next) {
+    const userID = req.body.userID
+
+    users.findById(userID)
+      .then(user => {
+        if (!user) return res.sendStatus(403)
+        return users.createReset2FAToken(user.id)
+      })
+      .then(token => {
+        return res.status(200).json({ token })
+      })
+      .catch(err => console.log(err))
+  })
+
+  app.get('/api/reset2fa', function (req, res, next) {
+    const token = req.query.t
+
+    if (!token) return res.sendStatus(400)
+    return users.validate2FAResetToken(token)
+      .then(r => {
+        if (!r.success) return res.status(200).send('The link has expired')
+        return users.findById(r.userID)
+      })
+      .then(user => {
+        const secret = otplib.authenticator.generateSecret()
+        const otpauth = otplib.authenticator.keyuri(user.username, 'Lamassu Industries', secret)
+        return res.status(200).json({ userID: user.id, secret, otpauth })
+      })
+      .catch(err => {
+        console.log(err)
+        res.sendStatus(400)
+      })
+  })
+
+  app.post('/api/update2fa', function (req, res, next) {
+    const userID = req.body.userID
+    const secret = req.body.secret
+    const code = req.body.code
+
+    users.findById(userID).then(user => {
+      const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
+      if (!isCodeValid) return res.sendStatus(401)
+
+      if (req.session.user && user.id === req.session.user.id) req.session.destroy()
+      users.save2FASecret(user.id, secret).then(() => { return res.sendStatus(200) })
+    }).catch(err => {
+      console.log(err)
+      return res.sendStatus(400)
+    })
+  })
+
+  app.post('/api/createuser', function (req, res, next) {
+    const username = req.body.username
+    const role = req.body.role
+
+    users.getByName(username)
+      .then(user => {
+        if (user) return res.status(200).json({ message: 'User already exists!' })
+
+        users.createUserRegistrationToken(username, role).then(token => {
+          return res.status(200).json({ token })
+        })
+      })
+      .catch(err => {
+        console.log(err)
+        res.sendStatus(400)
+      })
+  })
+
+  app.get('/api/register', function (req, res, next) {
+    const token = req.query.t
+
+    if (!token) return res.sendStatus(400)
+    users.validateUserRegistrationToken(token)
+      .then(r => {
+        if (!r.success) return res.status(200).json({ message: 'The link has expired' })
+        return res.status(200).json({ username: r.username, role: r.role })
+      })
+      .catch(err => {
+        console.log(err)
+        res.sendStatus(400)
+      })
+  })
+
+  app.post('/api/register', function (req, res, next) {
+    const username = req.body.username
+    const password = req.body.password
+    const role = req.body.role
+
+    users.getByName(username)
+      .then(user => {
+        if (user) return res.status(200).json({ message: 'User already exists!' })
+
+        users.createUser(username, password, role)
+        res.sendStatus(200)
+      })
+      .catch(err => {
+        console.log(err)
+        res.sendStatus(400)
+      })
+  })
+
+  app.post('/api/confirm2fa', function (req, res, next) {
+    const code = req.body.code
+    const requestingUser = req.session.user
+
+    if (!requestingUser) return res.status(403)
+
+    users.get2FASecret(requestingUser.id).then(user => {
+      const secret = user.twofa_code
+      const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
+      if (!isCodeValid) return res.sendStatus(401)
+
+      return res.sendStatus(200)
+    })
+  })
+}
--- a/lib/new-admin/services/login.js
+++ b/lib/new-admin/services/login.js
@ -1,48 +1,20 @@
-const crypto = require('crypto')
-
 const db = require('../../db')

-function generateOTP (name) {
-  const otp = crypto.randomBytes(32).toString('hex')
-
-  const sql = 'insert into one_time_passes (token, name) values ($1, $2)'
-
-  return db.none(sql, [otp, name])
-    .then(() => otp)
+function checkUser (username) {
+  const sql = 'select * from users where username=$1'
+  return db.oneOrNone(sql, [username]).then(value => { return value.password }).catch(() => false)
 }

-function validateOTP (otp) {
-  const sql = `delete from one_time_passes
-    where token=$1
-    returning name, created < now() - interval '1 hour' as expired`
+function validateUser (username, password) {
+  const sql = 'select id, username from users where username=$1 and password=$2'
+  const sqlUpdateLastAccessed = 'update users set last_accessed = now() where username=$1'

-  return db.one(sql, [otp])
-    .then(r => ({ success: !r.expired, expired: r.expired, name: r.name }))
-    .catch(() => ({ success: false, expired: false }))
-}
-
-function register (otp, ua, ip) {
-  return validateOTP(otp)
-    .then(r => {
-      if (!r.success) return r
-
-      const token = crypto.randomBytes(32).toString('hex')
-      const sql = 'insert into user_tokens (token, name, user_agent, ip_address) values ($1, $2, $3, $4)'
-
-      return db.none(sql, [token, r.name, ua, ip])
-        .then(() => ({ success: true, token: token }))
-    })
-    .catch(() => ({ success: false, expired: false }))
-}
-
-function authenticate (token) {
-  const sql = 'select token from user_tokens where token=$1'
-
-  return db.one(sql, [token]).then(() => true).catch(() => false)
+  return db.oneOrNone(sql, [username, password])
+    .then(user => { db.none(sqlUpdateLastAccessed, [user.username]); return user })
+    .catch(() => false)
 }

 module.exports = {
-  generateOTP,
-  register,
-  authenticate
+  checkUser,
+  validateUser
 }