anything-llm/server/utils/middleware/validatedRequest.js

112 lines
2.9 KiB
JavaScript
Raw Normal View History

const { SystemSettings } = require("../../models/systemSettings");
const { User } = require("../../models/user");
const { EncryptionManager } = require("../EncryptionManager");
const { decodeJWT } = require("../http");
const EncryptionMgr = new EncryptionManager();
async function validatedRequest(request, response, next) {
const multiUserMode = await SystemSettings.isMultiUserMode();
response.locals.multiUserMode = multiUserMode;
if (multiUserMode)
return await validateMultiUserRequest(request, response, next);
2023-06-04 04:28:07 +02:00
// When in development passthrough auth token for ease of development.
// Or if the user simply did not set an Auth token or JWT Secret
if (
process.env.NODE_ENV === "development" ||
!process.env.AUTH_TOKEN ||
!process.env.JWT_SECRET
) {
2023-06-04 04:28:07 +02:00
next();
return;
}
if (!process.env.AUTH_TOKEN) {
response.status(401).json({
2023-06-08 06:31:35 +02:00
error: "You need to set an AUTH_TOKEN environment variable.",
2023-06-04 04:28:07 +02:00
});
return;
}
2023-06-08 06:31:35 +02:00
const auth = request.header("Authorization");
const token = auth ? auth.split(" ")[1] : null;
2023-06-04 04:28:07 +02:00
if (!token) {
response.status(401).json({
2023-06-08 06:31:35 +02:00
error: "No auth token found.",
2023-06-04 04:28:07 +02:00
});
return;
}
const bcrypt = require("bcrypt");
const { p } = decodeJWT(token);
if (p === null || !/\w{32}:\w{32}/.test(p)) {
response.status(401).json({
error: "Token expired or failed validation.",
});
return;
}
// Since the blame of this comment we have been encrypting the `p` property of JWTs with the persistent
// encryptionManager PEM's. This prevents us from storing the `p` unencrypted in the JWT itself, which could
// be unsafe. As a consequence, existing JWTs with invalid `p` values that do not match the regex
// in ln:44 will be marked invalid so they can be logged out and forced to log back in and obtain an encrypted token.
// This kind of methodology only applies to single-user password mode.
if (
!bcrypt.compareSync(
EncryptionMgr.decrypt(p),
bcrypt.hashSync(process.env.AUTH_TOKEN, 10)
)
) {
response.status(401).json({
error: "Invalid auth credentials.",
2023-06-04 04:28:07 +02:00
});
return;
}
next();
}
async function validateMultiUserRequest(request, response, next) {
const auth = request.header("Authorization");
const token = auth ? auth.split(" ")[1] : null;
if (!token) {
response.status(401).json({
error: "No auth token found.",
});
return;
}
const valid = decodeJWT(token);
if (!valid || !valid.id) {
response.status(401).json({
error: "Invalid auth token.",
});
return;
}
Replace custom sqlite dbms with prisma (#239) * WIP converted all sqlite models into prisma calls * modify db setup and fix ApiKey model calls in admin.js * renaming function params to be consistent * converted adminEndpoints to utilize prisma orm * converted chatEndpoints to utilize prisma orm * converted inviteEndpoints to utilize prisma orm * converted systemEndpoints to utilize prisma orm * converted workspaceEndpoints to utilize prisma orm * converting sql queries to prisma calls * fixed default param bug for orderBy and limit * fixed typo for workspace chats * fixed order of deletion to account for sql relations * fix invite CRUD and workspace management CRUD * fixed CRUD for api keys * created prisma setup scripts/docs for understanding how to use prisma * prisma dependency change * removing unneeded console.logs * removing unneeded sql escape function * linting and creating migration script * migration from depreciated sqlite script update * removing unneeded migrations in prisma folder * create backup of old sqlite db and use transactions to ensure all operations complete successfully * adding migrations to gitignore * updated PRISMA.md docs for info on how to use sqlite migration script * comment changes * adding back migrations folder to repo * Reviewing SQL and prisma integraiton on fresh repo * update inline key replacement * ensure migration script executes and maps foreign_keys regardless of db ordering * run migration endpoint * support new prisma backend * bump version * change migration call --------- Co-authored-by: timothycarambat <rambat1010@gmail.com>
2023-09-28 23:00:03 +02:00
const user = await User.get({ id: valid.id });
if (!user) {
response.status(401).json({
error: "Invalid auth for user.",
});
return;
}
if (user.suspended) {
response.status(401).json({
error: "User is suspended from system",
});
return;
}
response.locals.user = user;
next();
}
2023-06-04 04:28:07 +02:00
module.exports = {
validatedRequest,
2023-06-08 06:31:35 +02:00
};