lamassu/lamassu-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
lamassu-server/lib/new-admin/routes/auth.js
Sérgio Salgado fded22f39a feat: add user management screen 
feat: login screen

fix: login routing and layout

feat: add users migration

feat: passport login strategy

fix: users migration

feat: simple authentication

fix: request body

feat: JWT authorization

feat: 2fa step on login

feat: 2fa flow

feat: add rememberme to req body

fix: hide 2fa secret from jwt

fix: block login access to logged in user

fix: rerouting to wizard

refactor: login screen

feat: setup 2fa state on login

feat: 2fa secret qr code

fix: remove jwt from 2fa secret

fix: wizard redirect after login

fix: 2fa setup flow

fix: user id to uuid

feat: user roles

feat: user sessions and db persistence

feat: session saving on DB and cookie

refactor: unused code

feat: cookie auto renew on request

feat: get user data endpoint

fix: repeated requests

feat: react routing

fix: private routes

refactor: auth

feat: sessions aware of ua and ip

feat: sessions on gql

feat: session management screen

feat: replace user_tokens usage for users

feat: user deletion also deletes active sessions

feat: remember me alters session cookie accordingly

feat: last session by all users

fix: login feedback

fix: page loading UX

feat: routes based on user role

feat: header aware of roles

feat: reset password

fix: reset password endpoint

feat: handle password change

feat: reset 2FA

feat: user role on management screen

feat: change user role

fix: user last session query

fix: context

fix: destroy own session

feat: reset password now resets sessions

feat: reset 2fa now resets sessions

refactor: user data

refactor: user management screen

feat: user enable

feat: schema directives

fix: remove schema directive temp

feat: create new users

feat: register endpoint

feat: modals for reset links

fix: directive Date errors

feat: superuser directive

feat: create user url modal

fix: user management layout

feat: confirmation modals

fix: info text

feat: 2fa input component

feat: code input on 2fa state

feat: add button styling

feat: confirmation modal on superuser action

feat: rework 2fa setup screen

feat: rework reset 2fa screen

fix: session management screen

fix: user management screen

fix: blacklist roles

chore: migrate old customer values to new columns

fix: value migration

fix: value migration

refactor: remove old code
2021-05-03 23:00:41 +01:00

259 lines
7.8 KiB
JavaScript
Raw Blame History

const otplib = require('otplib')
const bcrypt = require('bcrypt')
const users = require('../../users')
const login = require('../login')
async function isValidUser (username, password) {
const hashedPassword = await login.checkUser(username)
if (!hashedPassword) return false
const isMatch = await bcrypt.compare(password, hashedPassword)
if (!isMatch) return false
const user = await login.validateUser(username, hashedPassword)
if (!user) return false
return user
}
module.exports = function (app) {
app.post('/api/login', function (req, res, next) {
const usernameInput = req.body.username
const passwordInput = req.body.password
isValidUser(usernameInput, passwordInput).then(user => {
if (!user) return res.sendStatus(403)
users.get2FASecret(user.id).then(user => {
const twoFASecret = user.twofa_code
if (twoFASecret) return res.status(200).json({ message: 'INPUT2FA' })
if (!twoFASecret) return res.status(200).json({ message: 'SETUP2FA' })
})
})
})
app.post('/api/login/2fa', function (req, res, next) {
const code = req.body.twoFACode
const username = req.body.username
const password = req.body.password
const rememberMeInput = req.body.rememberMe
isValidUser(username, password).then(user => {
if (!user) return res.sendStatus(403)
users.get2FASecret(user.id).then(user => {
const secret = user.twofa_code
const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
if (!isCodeValid) return res.sendStatus(403)
const finalUser = { id: user.id, username: user.username, role: user.role }
req.session.user = finalUser
if (rememberMeInput) req.session.cookie.maxAge = 90 * 24 * 60 * 60 * 1000 // 90 days
return res.sendStatus(200)
})
})
})
app.post('/api/login/2fa/setup', function (req, res, next) {
const username = req.body.username
const password = req.body.password
// TODO: maybe check if the user already has a 2fa secret
isValidUser(username, password).then(user => {
if (!user) return res.sendStatus(403)
const secret = otplib.authenticator.generateSecret()
const otpauth = otplib.authenticator.keyuri(username, 'Lamassu Industries', secret)
return res.status(200).json({ secret, otpauth })
})
})
app.post('/api/login/2fa/save', function (req, res, next) {
const username = req.body.username
const password = req.body.password
const secret = req.body.secret
const code = req.body.code
isValidUser(username, password).then(user => {
if (!user || !secret) return res.sendStatus(403)
const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
if (!isCodeValid) return res.sendStatus(403)
users.save2FASecret(user.id, secret)
return res.sendStatus(200)
})
})
app.get('/user-data', function (req, res, next) {
const lidCookie = req.cookies && req.cookies.lid
if (!lidCookie) {
res.sendStatus(403)
return
}
const user = req.session.user
return res.status(200).json({ message: 'Success', user: user })
})
app.post('/api/resetpassword', function (req, res, next) {
const userID = req.body.userID
users.findById(userID)
.then(user => {
if (!user) return res.sendStatus(403)
return users.createResetPasswordToken(user.id)
})
.then(token => {
return res.status(200).json({ token })
})
.catch(err => console.log(err))
})
app.get('/api/resetpassword', function (req, res, next) {
const token = req.query.t
if (!token) return res.sendStatus(400)
return users.validatePasswordResetToken(token)
.then(r => {
if (!r.success) return res.status(200).send('The link has expired')
return res.status(200).json({ userID: r.userID })
})
.catch(err => {
console.log(err)
res.sendStatus(400)
})
})
app.post('/api/updatepassword', function (req, res, next) {
const userID = req.body.userID
const newPassword = req.body.newPassword
users.findById(userID).then(user => {
if (req.session.user && user.id === req.session.user.id) req.session.destroy()
return users.updatePassword(user.id, newPassword)
}).then(() => {
res.sendStatus(200)
}).catch(err => {
console.log(err)
res.sendStatus(400)
})
})
app.post('/api/reset2fa', function (req, res, next) {
const userID = req.body.userID
users.findById(userID)
.then(user => {
if (!user) return res.sendStatus(403)
return users.createReset2FAToken(user.id)
})
.then(token => {
return res.status(200).json({ token })
})
.catch(err => console.log(err))
})
app.get('/api/reset2fa', function (req, res, next) {
const token = req.query.t
if (!token) return res.sendStatus(400)
return users.validate2FAResetToken(token)
.then(r => {
if (!r.success) return res.status(200).send('The link has expired')
return users.findById(r.userID)
})
.then(user => {
const secret = otplib.authenticator.generateSecret()
const otpauth = otplib.authenticator.keyuri(user.username, 'Lamassu Industries', secret)
return res.status(200).json({ userID: user.id, secret, otpauth })
})
.catch(err => {
console.log(err)
res.sendStatus(400)
})
})
app.post('/api/update2fa', function (req, res, next) {
const userID = req.body.userID
const secret = req.body.secret
const code = req.body.code
users.findById(userID).then(user => {
const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
if (!isCodeValid) return res.sendStatus(401)
if (req.session.user && user.id === req.session.user.id) req.session.destroy()
users.save2FASecret(user.id, secret).then(() => { return res.sendStatus(200) })
}).catch(err => {
console.log(err)
return res.sendStatus(400)
})
})
app.post('/api/createuser', function (req, res, next) {
const username = req.body.username
const role = req.body.role
users.getByName(username)
.then(user => {
if (user) return res.status(200).json({ message: 'User already exists!' })
users.createUserRegistrationToken(username, role).then(token => {
return res.status(200).json({ token })
})
})
.catch(err => {
console.log(err)
res.sendStatus(400)
})
})
app.get('/api/register', function (req, res, next) {
const token = req.query.t
if (!token) return res.sendStatus(400)
users.validateUserRegistrationToken(token)
.then(r => {
if (!r.success) return res.status(200).json({ message: 'The link has expired' })
return res.status(200).json({ username: r.username, role: r.role })
})
.catch(err => {
console.log(err)
res.sendStatus(400)
})
})
app.post('/api/register', function (req, res, next) {
const username = req.body.username
const password = req.body.password
const role = req.body.role
users.getByName(username)
.then(user => {
if (user) return res.status(200).json({ message: 'User already exists!' })
users.createUser(username, password, role)
res.sendStatus(200)
})
.catch(err => {
console.log(err)
res.sendStatus(400)
})
})
app.post('/api/confirm2fa', function (req, res, next) {
const code = req.body.code
const requestingUser = req.session.user
if (!requestingUser) return res.status(403)
users.get2FASecret(requestingUser.id).then(user => {
const secret = user.twofa_code
const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
if (!isCodeValid) return res.sendStatus(401)
return res.sendStatus(200)
})
})
}
Reference in a new issue View git blame Copy permalink