Move the auth handler out of JS. #7

2024-03-31 16:15:50 -04:00
parent 9ce30dee70
commit b04eccdbda
11 changed files with 872 additions and 242 deletions
--- a/core/auth.js
+++ b/core/auth.js
@ -1,8 +1,6 @@
 import * as core from './core.js';
 import * as form from './form.js';

-let gDatabase = new Database('auth');
-
 const kRefreshInterval = 1 * 7 * 24 * 60 * 60 * 1000;

 /**
@ -106,60 +104,6 @@ function readSession(session) {
 	}
 }

-/**
- * Check the provided password matches the hash
- * @param {string} password
- * @param {string} hash bcrypt hash
- * @returns true if the password matches the hash
- */
-function verifyPassword(password, hash) {
-	return bCrypt.hashpw(password, hash) === hash;
-}
-
-/**
- * Hashes a password
- * @param {string} password
- * @returns {string} TODOC
- */
-function hashPassword(password) {
-	let salt = bCrypt.gensalt(12);
-	return bCrypt.hashpw(password, salt);
-}
-
-/**
- * Check if there is an administrator on the instance
- * @returns TODOC
- */
-function noAdministrator() {
-	return (
-		!core.globalSettings ||
-		!core.globalSettings.permissions ||
-		!Object.keys(core.globalSettings.permissions).some(function (name) {
-			return (
-				core.globalSettings.permissions[name].indexOf('administration') != -1
-			);
-		})
-	);
-}
-
-/**
- * Makes a user an administrator
- * @param {string} name the user's name
- */
-function makeAdministrator(name) {
-	if (!core.globalSettings.permissions) {
-		core.globalSettings.permissions = {};
-	}
-	if (!core.globalSettings.permissions[name]) {
-		core.globalSettings.permissions[name] = [];
-	}
-	if (core.globalSettings.permissions[name].indexOf('administration') == -1) {
-		core.globalSettings.permissions[name].push('administration');
-	}
-
-	core.setGlobalSettings(core.globalSettings);
-}
-
 /**
 * TODOC
 * @param {*} headers most likely an object
@ -181,175 +125,6 @@ function getCookies(headers) {
 	return cookies;
 }

-/**
- * Validates a username
- * @param {string} name
- * @returns false | boolean[] ?
- */
-function isNameValid(name) {
-	// TODO(tasiaiso): convert this into a regex
-	let c = name.charAt(0);
-	return (
-		((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) &&
-		name
-			.split()
-			.map(
-				(x) =>
-					x >= ('a' && x <= 'z') ||
-					x >= ('A' && x <= 'Z') ||
-					x >= ('0' && x <= '9')
-			)
-	);
-}
-
-/**
- * Request handler ?
- * @param {*} request TODOC
- * @param {*} response
- * @returns
- */
-function handler(request, response) {
-	// TODO(tasiaiso): split this function
-	let session = getCookies(request.headers).session;
-	if (request.uri == '/login') {
-		let formData = form.decodeForm(request.query);
-		if (query(request.headers)?.permissions?.authenticated) {
-			if (formData.return) {
-				response.writeHead(303, {Location: formData.return});
-			} else {
-				response.writeHead(303, {
-					Location:
-						(request.client.tls ? 'https://' : 'http://') +
-						request.headers.host +
-						'/',
-					'Content-Length': '0',
-				});
-			}
-			response.end();
-			return;
-		}
-
-		let sessionIsNew = false;
-		let loginError;
-
-		if (request.method == 'POST' || formData.submit) {
-			sessionIsNew = true;
-			formData = form.decodeForm(utf8Decode(request.body), formData);
-			if (formData.submit == 'Login') {
-				let account = gDatabase.get('user:' + formData.name);
-				account = account ? JSON.parse(account) : account;
-				if (formData.register == '1') {
-					if (
-						!account &&
-						isNameValid(formData.name) &&
-						formData.password == formData.confirm
-					) {
-						let users = new Set();
-						let users_original = gDatabase.get('users');
-						try {
-							users = new Set(JSON.parse(users_original));
-						} catch {}
-						if (!users.has(formData.name)) {
-							users.add(formData.name);
-						}
-						users = JSON.stringify([...users].sort());
-						if (users !== users_original) {
-							gDatabase.set('users', users);
-						}
-						session = makeJwt({name: formData.name});
-						account = {password: hashPassword(formData.password)};
-						gDatabase.set('user:' + formData.name, JSON.stringify(account));
-						if (noAdministrator()) {
-							makeAdministrator(formData.name);
-						}
-					} else {
-						loginError = 'Error registering account.';
-					}
-				} else if (formData.change == '1') {
-					if (
-						account &&
-						isNameValid(formData.name) &&
-						formData.new_password == formData.confirm &&
-						verifyPassword(formData.password, account.password)
-					) {
-						session = makeJwt({name: formData.name});
-						account = {password: hashPassword(formData.new_password)};
-						gDatabase.set('user:' + formData.name, JSON.stringify(account));
-					} else {
-						loginError = 'Error changing password.';
-					}
-				} else {
-					if (
-						account &&
-						account.password &&
-						verifyPassword(formData.password, account.password)
-					) {
-						session = makeJwt({name: formData.name});
-						if (noAdministrator()) {
-							makeAdministrator(formData.name);
-						}
-					} else {
-						loginError = 'Invalid username or password.';
-					}
-				}
-			} else {
-				// Proceed as Guest
-				session = makeJwt({name: 'guest'});
-			}
-		}
-
-		let cookie = `session=${session}; path=/; Max-Age=${kRefreshInterval}; ${request.client.tls ? 'Secure; ' : ''}SameSite=Strict; HttpOnly`;
-		let entry = readSession(session);
-		if (entry && formData.return) {
-			response.writeHead(303, {
-				Location: formData.return,
-				'Set-Cookie': cookie,
-			});
-			response.end();
-		} else {
-			File.readFile('core/auth.html')
-				.then(function (data) {
-					let html = utf8Decode(data);
-					let auth_data = {
-						session_is_new: sessionIsNew,
-						name: entry?.name,
-						error: loginError,
-						code_of_conduct: core.globalSettings.code_of_conduct,
-						have_administrator: !noAdministrator(),
-					};
-					html = utf8Encode(
-						html.replace('$AUTH_DATA', JSON.stringify(auth_data))
-					);
-					response.writeHead(200, {
-						'Content-Type': 'text/html; charset=utf-8',
-						'Set-Cookie': cookie,
-						'Content-Length': html.length,
-					});
-					response.end(html);
-				})
-				.catch(function (error) {
-					response.writeHead(404, {
-						'Content-Type': 'text/plain; charset=utf-8',
-						Connection: 'close',
-					});
-					response.end('404 File not found');
-				});
-		}
-	} else if (request.uri == '/login/logout') {
-		response.writeHead(303, {
-			'Set-Cookie': `session=; path=/; ${request.client.tls ? 'Secure; ' : ''}SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly`,
-			Location: '/login' + (request.query ? '?' + request.query : ''),
-		});
-		response.end();
-	} else {
-		response.writeHead(200, {
-			'Content-Type': 'text/plain; charset=utf-8',
-			Connection: 'close',
-		});
-		response.end('Hello, ' + request.client.peerName + '.');
-	}
-}
-
 /**
 * Gets a user's permissions based on it's session ?
 * @param {*} session TODOC
@ -417,4 +192,4 @@ function makeRefresh(credentials) {
 	}
 }

-export {handler, query, makeRefresh};
+export {query, makeRefresh};
--- a/core/core.js
+++ b/core/core.js
@ -1334,8 +1334,6 @@ loadSettings()
 		if (tildefriends.https_port && gGlobalSettings.http_redirect) {
 			httpd.set_http_redirect(gGlobalSettings.http_redirect);
 		}
-		httpd.all('/login', auth.handler);
-		httpd.all('/login/logout', auth.handler);
 		httpd.all('/app/socket', app.socket);
 		httpd.all('', function default_http_handler(request, response) {
 			let match;