const { SystemSettings } = require("../../models/systemSettings");
const { User } = require("../../models/user");
const { EncryptionManager } = require("../EncryptionManager");
const { decodeJWT } = require("../http");
// Single module-wide instance; used below to decrypt the `p` claim of single-user JWTs.
const EncryptionMgr = new EncryptionManager();
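/**
 * Express middleware that authenticates an API request.
 *
 * In multi-user mode the work is delegated to validateMultiUserRequest. In
 * single-user mode the bearer token is a JWT whose `p` claim is the encrypted
 * AUTH_TOKEN; the request proceeds only when that claim decrypts to a value
 * byte-identical to process.env.AUTH_TOKEN. Every failure answers 401 and
 * does not call next().
 *
 * @param {import("express").Request} request
 * @param {import("express").Response} response - `locals.multiUserMode` is set here.
 * @param {import("express").NextFunction} next
 */
async function validatedRequest(request, response, next) {
  const multiUserMode = await SystemSettings.isMultiUserMode();
  response.locals.multiUserMode = multiUserMode;
  if (multiUserMode)
    return await validateMultiUserRequest(request, response, next);

  // When in development passthrough auth token for ease of development.
  // Or if the user simply did not set an Auth token or JWT Secret.
  // NOTE: NODE_ENV=development disables authentication entirely, even when
  // AUTH_TOKEN is configured, so that value must never reach a deployed instance.
  if (
    process.env.NODE_ENV === "development" ||
    !process.env.AUTH_TOKEN ||
    !process.env.JWT_SECRET
  ) {
    next();
    return;
  }
  // From here on AUTH_TOKEN and JWT_SECRET are guaranteed to be set; the former
  // `if (!process.env.AUTH_TOKEN)` rejection that used to follow was unreachable.

  const auth = request.header("Authorization");
  const token = auth ? auth.split(" ")[1] : null;
  if (!token) {
    response.status(401).json({
      error: "No auth token found.",
    });
    return;
  }

  // decodeJWT yields a falsy value for an expired or unverifiable token (the
  // multi-user path checks for exactly that); destructuring it directly would
  // throw and leave the request without a response.
  const decoded = decodeJWT(token);
  const p = decoded ? decoded.p : null;
  // The pattern is unanchored, so this is a substring test on the ciphertext
  // shape, not a full-format validation; the decrypt + compare below is the
  // real check.
  if (p == null || !/\w{32}:\w{32}/.test(p)) {
    response.status(401).json({
      error: "Token expired or failed validation.",
    });
    return;
  }

  // Since the blame of this comment we have been encrypting the `p` property of JWTs with the persistent
  // encryptionManager PEM's. This prevents us from storing the `p` unencrypted in the JWT itself, which could
  // be unsafe. As a consequence, existing JWTs with invalid `p` values that do not match the regex
  // above will be marked invalid so they can be logged out and forced to log back in and obtain an encrypted token.
  // This kind of methodology only applies to single-user password mode.
  let decrypted;
  try {
    decrypted = EncryptionMgr.decrypt(p);
  } catch {
    // A malformed or foreign ciphertext must not crash the middleware; it is
    // simply not a valid credential.
    decrypted = null;
  }

  // Constant-time equality against the configured secret. This replaces
  // `bcrypt.compareSync(decrypted, bcrypt.hashSync(AUTH_TOKEN, 10))`, which
  // recomputed a deliberately slow hash on every request (an easy CPU
  // exhaustion vector for anyone holding any well-formed token) and silently
  // ignored input bytes beyond bcrypt's 72-byte limit. timingSafeEqual needs
  // equal-length buffers, so the length is checked first.
  const crypto = require("crypto");
  const expected = Buffer.from(process.env.AUTH_TOKEN, "utf8");
  const provided =
    typeof decrypted === "string" || Buffer.isBuffer(decrypted)
      ? Buffer.from(decrypted)
      : null;
  if (
    provided === null ||
    provided.length !== expected.length ||
    !crypto.timingSafeEqual(provided, expected)
  ) {
    response.status(401).json({
      error: "Invalid auth credentials.",
    });
    return;
  }

  next();
}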
/**
 * Multi-user authentication: resolves the bearer JWT to a User row and
 * stores it on `response.locals.user` before calling next().
 *
 * Rejections (all HTTP 401, next() not called): missing bearer token, a JWT
 * that does not decode to an object with an `id`, an unknown user id, or a
 * suspended user.
 *
 * @param {import("express").Request} request
 * @param {import("express").Response} response
 * @param {import("express").NextFunction} next
 */
async function validateMultiUserRequest(request, response, next) {
  const reject = (error) => {
    response.status(401).json({ error });
  };

  const header = request.header("Authorization");
  const bearer = header ? header.split(" ")[1] : null;
  if (!bearer) return reject("No auth token found.");

  // decodeJWT returns a falsy value for an expired or unverifiable token.
  const claims = decodeJWT(bearer);
  if (!claims?.id) return reject("Invalid auth token.");

  const user = await User.get({ id: claims.id });
  if (!user) return reject("Invalid auth for user.");
  if (user.suspended) return reject("User is suspended from system");

  response.locals.user = user;
  next();
}
// Only the top-level middleware is exported; validateMultiUserRequest stays
// internal and is reached through validatedRequest when multi-user mode is on.
module.exports = {
  validatedRequest,
};