]> git.immae.eu Git - perso/Immae/Projets/Nodejs/Surfer.git/blob - src/auth.js
projects / perso / Immae / Projets / Nodejs / Surfer.git / blob
? search:


25326889a78affd4173687869ff0765d4bd4582e
[perso/Immae/Projets/Nodejs/Surfer.git] / src / auth.js
1 'use strict';
2
3 var path = require('path'),
4 safe = require('safetydance'),
5 fs = require('fs'),
6 bcrypt = require('bcryptjs'),
7 uuid = require('uuid/v4'),
8 ldapjs = require('ldapjs'),
9 HttpError = require('connect-lastmile').HttpError,
10 HttpSuccess = require('connect-lastmile').HttpSuccess,
11 webdavErrors = require('webdav-server').v2.Errors;
12
13 const LDAP_URL = process.env.CLOUDRON_LDAP_URL;
14 const LDAP_USERS_BASE_DN = process.env.CLOUDRON_LDAP_USERS_BASE_DN;
15 const LOCAL_AUTH_FILE = path.resolve(process.env.LOCAL_AUTH_FILE || './.users.json');
16 const TOKENSTORE_FILE = path.resolve(process.env.TOKENSTORE_FILE || './.tokens.json');
17 const AUTH_METHOD = (LDAP_URL && LDAP_USERS_BASE_DN) ? 'ldap' : 'local';
18
19 if (AUTH_METHOD === 'ldap') {
20 console.log('Use ldap auth');
21 } else {
22 console.log(`Use local auth file ${LOCAL_AUTH_FILE}`);
23 }
24
25 var tokenStore = {
26 data: {},
27 save: function () {
28 try {
29 fs.writeFileSync(TOKENSTORE_FILE, JSON.stringify(tokenStore.data), 'utf-8');
30 } catch (e) {
31 console.error(`Unable to save tokenstore file at ${TOKENSTORE_FILE}`, e);
32 }
33 },
34 get: function (token, callback) {
35 callback(tokenStore.data[token] ? null : 'not found', tokenStore.data[token]);
36 },
37 set: function (token, data, callback) {
38 tokenStore.data[token] = data;
39 tokenStore.save();
40 callback(null);
41 },
42 del: function (token, callback) {
43 delete tokenStore.data[token];
44 tokenStore.save();
45 callback(null);
46 }
47 };
48
49 // load token store data if any
50 try {
51 console.log(`Using tokenstore file: ${TOKENSTORE_FILE}`);
52 tokenStore.data = JSON.parse(fs.readFileSync(TOKENSTORE_FILE, 'utf-8'));
53 } catch (e) {
54 // start with empty token store
55 }
56
57 function verifyUser(username, password, callback) {
58 if (AUTH_METHOD === 'ldap') {
59 var ldapClient = ldapjs.createClient({ url: process.env.CLOUDRON_LDAP_URL });
60 ldapClient.on('error', function (error) {
61 console.error('LDAP error', error);
62 });
63
64 ldapClient.bind(process.env.CLOUDRON_LDAP_BIND_DN, process.env.CLOUDRON_LDAP_BIND_PASSWORD, function (error) {
65 if (error) return callback(error);
66
67 var filter = `(|(uid=${username})(mail=${username})(username=${username})(sAMAccountName=${username}))`;
68 ldapClient.search(process.env.CLOUDRON_LDAP_USERS_BASE_DN, { filter: filter }, function (error, result) {
69 if (error) return callback(error);
70
71 var items = [];
72
73 result.on('searchEntry', function(entry) { items.push(entry.object); });
74 result.on('error', callback);
75 result.on('end', function (result) {
76 if (result.status !== 0 || items.length === 0) return callback('Invalid credentials');
77
78 // pick the first found
79 var user = items[0];
80
81 ldapClient.bind(user.dn, password, function (error) {
82 if (error) return callback('Invalid credentials');
83
84 callback(null, { username: username });
85 });
86 });
87 });
88 });
89 } else {
90 var users = safe.JSON.parse(safe.fs.readFileSync(LOCAL_AUTH_FILE));
91 if (!users || !users[username]) return callback('Invalid credentials');
92
93 bcrypt.compare(password, users[username].passwordHash, function (error, valid) {
94 if (error || !valid) return callback('Invalid credentials');
95
96 callback(null, { username: username });
97 });
98 }
99 }
100
101 exports.login = function (req, res, next) {
102 verifyUser(req.body.username, req.body.password, function (error, user) {
103 if (error) return next(new HttpError(401, 'Invalid credentials'));
104
105 var accessToken = uuid();
106
107 tokenStore.set(accessToken, user, function (error) {
108 if (error) return next(new HttpError(500, error));
109
110 next(new HttpSuccess(201, { accessToken: accessToken, user: user }));
111 });
112 });
113 };
114
115 exports.verify = function (req, res, next) {
116 var accessToken = req.query.access_token || req.body.accessToken;
117
118 tokenStore.get(accessToken, function (error, user) {
119 if (error) return next(new HttpError(401, 'Invalid Access Token'));
120
121 req.user = user;
122
123 next();
124 });
125
126 };
127
128 exports.logout = function (req, res, next) {
129 var accessToken = req.query.access_token || req.body.accessToken;
130
131 tokenStore.del(accessToken, function (error) {
132 if (error) console.error(error);
133
134 next(new HttpSuccess(200, {}));
135 });
136 };
137
138 exports.getProfile = function (req, res, next) {
139 next(new HttpSuccess(200, { username: req.user.username }));
140 };
141
142 // webdav usermanager
143 exports.WebdavUserManager = WebdavUserManager;
144
145 // This implements the required interface only for the Basic Authentication for webdav-server
146 function WebdavUserManager() {};
147
148 WebdavUserManager.prototype.getDefaultUser = function (callback) {
149 // this is only a dummy user, since we always require authentication
150 var user = {
151 username: 'DefaultUser',
152 password: null,
153 isAdministrator: false,
154 isDefaultUser: true,
155 uid: 'DefaultUser'
156 };
157
158 callback(user);
159 };
160
161 WebdavUserManager.prototype.getUserByNamePassword = function (username, password, callback) {
162 verifyUser(username, password, function (error, user) {
163 if (error) return callback(webdavErrors.UserNotFound);
164
165 callback(null, {
166 username: user.username,
167 isAdministrator: true,
168 isDefaultUser: false,
169 uid: user.username
170 });
171 });
172 };
Surfer is a Simple static file server