shimapan/app/routes/api/auth.js

const express = require('express');
const router = express.Router();
const config = require('config');
const fs = require('fs').promises;
const passport = require('passport');

const canonicalize = require('../../util/auth/canonicalize');

const ModelPath = '../../models/';
const User = require(ModelPath + 'User.js');
const Invite = require(ModelPath + 'Invite.js');


const requireAuth = require('../../util/auth').requireAuth;
const verifyBody = require('../../util/verifyBody');
const rateLimit = require('../../util/rateLimit');

// Wraps passport.authenticate to return a promise
const authenticate = (req, res, next) => {
    return new Promise((resolve) => {
        passport.authenticate('local', (err, user) => {
            resolve(user);
        })(req, res, next);
    });
};

// Wraps passport session creation to return a promise
const login = (user, req) => {
    return new Promise((resolve) => {
        req.login(user, resolve);
    });
};

const registerParams = [
    {name: 'displayname', type: 'string', maxLength: config.get('User.Username.maxLength'), sanitize: true, restrict: new RegExp(config.get('User.Username.restrictedChars'))},
    {name: 'password', type: 'string'},
    {name: 'invite', type: 'string'}];

router.post('/register',
    rateLimit(config.get('RateLimit.register.window'), config.get('RateLimit.register.max'), true),
    verifyBody(registerParams),
    async (req, res) => {
        const username = canonicalize(req.body.displayname);

        // Retrieve invite and username status
        const [invite, usernameCount] = await Promise.all([
            Invite.findOne({code: req.body.invite}),
            User.countDocuments({username: username})
        ]);

        // Validate the invite
        if (!invite)
            return res.status(422).json({message: 'Invalid invite code.'});
        if (invite.used)
            return res.status(422).json({message: 'Invite already used.'});
        if (invite.expires != null && invite.expires < Date.now())
            return res.status(422).json({message: 'Invite expired.'});

        // Validate the username
        if (usernameCount !== 0)
            return res.status(422).json({message: 'Username in use.'});

        // Create the user object
        await User.register({
            username: username,
            displayname: req.body.displayname,
            scope: invite.scope,
            date: Date.now()
        }, req.body.password);

        // Update the invite as used
        await Invite.updateOne({code: invite.code}, {recipient: username, used: Date.now()});

        res.status(200).json({'message': 'Registration successful.'});
    });


const loginParams = [
    {name: 'displayname', type: 'string'},
    {name: 'password', type: 'string'}];

router.post('/login',
    rateLimit(config.get('RateLimit.login.window'), config.get('RateLimit.login.max'), true),
    verifyBody(loginParams),
    async (req, res, next) => {
        req.body.username = canonicalize(req.body.displayname);

        // Authenticate
        const user = await authenticate(req, res, next);
        if (!user) {
            // Log failure
            await fs.appendFile('auth.log', `${new Date().toISOString()} login ${req.ip}\n`);
            return res.status(401).json({'message': 'Unauthorized.'});
        }

        // Create session
        await login(user, req);

        // Set session vars
        req.session.passport.displayname = user.displayname;
        req.session.passport.scope = user.scope;

        res.status(200).json({'message': 'Logged in.'});
    });


router.post('/logout', (req, res) => {
    if (!req.isAuthenticated())
        return res.status(400).json({message: 'Not logged in.'});

    req.logout();
    res.status(200).json({'message': 'Logged out.'});
});


router.get('/whoami', requireAuth(), (req, res) => {
    res.status(200).json({
        username: req.username,
        displayname: req.displayname,
        scope: req.scope,
        key: req.key
    });
});

module.exports = router;
Properly async-ify registration code 2018-07-25 01:45:05 -04:00			`const express = require('express');`
			`const router = express.Router();`
Replace constants with configurable values 2018-07-26 17:34:47 -04:00			`const config = require('config');`
Add auth failure logging 2018-12-26 19:02:59 -05:00			`const fs = require('fs').promises;`
Clean up auth code and util 2019-01-02 15:20:53 -05:00			`const passport = require('passport');`

			`const canonicalize = require('../../util/auth/canonicalize');`
Refactor all base auth routes, allowing for case insensitivity and unicode usernames. 2018-01-15 15:29:32 -05:00
Clean up routes folder 2018-08-01 11:54:35 -04:00			`const ModelPath = '../../models/';`
Make use of username/displayname field consistent throughout api 2018-07-26 19:40:42 -04:00			`const User = require(ModelPath + 'User.js');`
			`const Invite = require(ModelPath + 'Invite.js');`


Clean up routes folder 2018-08-01 11:54:35 -04:00			`const requireAuth = require('../../util/auth').requireAuth;`
Separate verification logic and add QueryVerifier 2019-01-02 14:20:10 -05:00			`const verifyBody = require('../../util/verifyBody');`
Clean up auth code and util 2019-01-02 15:20:53 -05:00			`const rateLimit = require('../../util/rateLimit');`
Properly async-ify registration code 2018-07-25 01:45:05 -04:00
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`// Wraps passport.authenticate to return a promise`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`const authenticate = (req, res, next) => {`
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`return new Promise((resolve) => {`
			`passport.authenticate('local', (err, user) => {`
			`resolve(user);`
			`})(req, res, next);`
			`});`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`};`
Properly async-ify registration code 2018-07-25 01:45:05 -04:00
Clean up auth code and util 2019-01-02 15:20:53 -05:00			`// Wraps passport session creation to return a promise`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`const login = (user, req) => {`
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`return new Promise((resolve) => {`
			`req.login(user, resolve);`
			`});`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`};`
Clean up and parallelize auth code 2017-10-12 12:50:02 -04:00
Clean up auth code and util 2019-01-02 15:20:53 -05:00			`const registerParams = [`
			`{name: 'displayname', type: 'string', maxLength: config.get('User.Username.maxLength'), sanitize: true, restrict: new RegExp(config.get('User.Username.restrictedChars'))},`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`{name: 'password', type: 'string'},`
			`{name: 'invite', type: 'string'}];`
Clean up auth code and util 2019-01-02 15:20:53 -05:00
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`router.post('/register',`
Clean up auth code and util 2019-01-02 15:20:53 -05:00			`rateLimit(config.get('RateLimit.register.window'), config.get('RateLimit.register.max'), true),`
			`verifyBody(registerParams),`
			`async (req, res) => {`
			`const username = canonicalize(req.body.displayname);`

			`// Retrieve invite and username status`
			`const [invite, usernameCount] = await Promise.all([`
			`Invite.findOne({code: req.body.invite}),`
			`User.countDocuments({username: username})`
			`]);`

			`// Validate the invite`
			`if (!invite)`
			`return res.status(422).json({message: 'Invalid invite code.'});`
			`if (invite.used)`
			`return res.status(422).json({message: 'Invite already used.'});`
			`if (invite.expires != null && invite.expires < Date.now())`
			`return res.status(422).json({message: 'Invite expired.'});`

			`// Validate the username`
			`if (usernameCount !== 0)`
			`return res.status(422).json({message: 'Username in use.'});`

			`// Create the user object`
			`await User.register({`
			`username: username,`
Make use of username/displayname field consistent throughout api 2018-07-26 19:40:42 -04:00			`displayname: req.body.displayname,`
Clean up auth code and util 2019-01-02 15:20:53 -05:00			`scope: invite.scope,`
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`date: Date.now()`
Clean up auth code and util 2019-01-02 15:20:53 -05:00			`}, req.body.password);`
Properly async-ify registration code 2018-07-25 01:45:05 -04:00
Clean up auth code and util 2019-01-02 15:20:53 -05:00			`// Update the invite as used`
			`await Invite.updateOne({code: invite.code}, {recipient: username, used: Date.now()});`
Work on stuff... 2017-10-11 10:15:19 -04:00
Clean up auth code and util 2019-01-02 15:20:53 -05:00			`res.status(200).json({'message': 'Registration successful.'});`
			`});`



			`const loginParams = [`
			`{name: 'displayname', type: 'string'},`
Fix login body verification 2018-07-29 11:00:14 -04:00			`{name: 'password', type: 'string'}];`
Clean up auth code and util 2019-01-02 15:20:53 -05:00
Add rate limiting instead of fail2ban 2018-12-26 20:47:04 -05:00			`router.post('/login',`
Clean up auth code and util 2019-01-02 15:20:53 -05:00			`rateLimit(config.get('RateLimit.login.window'), config.get('RateLimit.login.max'), true),`
			`verifyBody(loginParams),`
Update to latest express and remove wrap from auth 2019-01-02 14:23:43 -05:00			`async (req, res, next) => {`
Clean up auth code and util 2019-01-02 15:20:53 -05:00			`req.body.username = canonicalize(req.body.displayname);`

			`// Authenticate`
			`const user = await authenticate(req, res, next);`
			`if (!user) {`
			`// Log failure`
			await fs.appendFile('auth.log', `${new Date().toISOString()} login ${req.ip}\n`);
			`return res.status(401).json({'message': 'Unauthorized.'});`
			`}`

			`// Create session`
			`await login(user, req);`

			`// Set session vars`
			`req.session.passport.displayname = user.displayname;`
			`req.session.passport.scope = user.scope;`

			`res.status(200).json({'message': 'Logged in.'});`
			`});`


Work on stuff... 2017-10-11 10:15:19 -04:00
Update to latest express and remove wrap from auth 2019-01-02 14:23:43 -05:00			`router.post('/logout', (req, res) => {`
Add checks for bad requests in auth.js to prevent 500 2018-07-28 12:53:49 -04:00			`if (!req.isAuthenticated())`
			`return res.status(400).json({message: 'Not logged in.'});`

Work on stuff 2017-10-18 13:31:08 -04:00			`req.logout();`
			`res.status(200).json({'message': 'Logged out.'});`
Add fallback cookie auth method 2017-10-14 17:49:11 -04:00			`});`

Clean up auth code and util 2019-01-02 15:20:53 -05:00

Make requireAuth() add request variables 2018-07-26 13:15:54 -04:00			`router.get('/whoami', requireAuth(), (req, res) => {`
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`res.status(200).json({`
Add banned field and tests to User 2018-08-12 05:30:50 -04:00			`username: req.username,`
			`displayname: req.displayname,`
Make use of username/displayname field consistent throughout api 2018-07-26 19:40:42 -04:00			`scope: req.scope,`
			`key: req.key`
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`});`
Work on stuff 2017-10-18 13:31:08 -04:00			`});`
Work on stuff... 2017-10-11 10:15:19 -04:00
			`module.exports = router;`