gogo/apxtri
1
0
Fork 0
forked from apxtri/apxtri
Code Pull Requests Activity
apxtri/middlewares/isAuthenticated.js
philc 9bf76a17dc modif recovery email
2024-04-15 09:26:54 +02:00

208 lines
8.5 KiB
JavaScript
Executable File
Raw Blame History

const fs = require("fs-extra");
const dayjs = require("dayjs");
//const path=require('path');
const glob = require("glob");
// To debug it could be easier with source code:
// const openpgp = require("/media/phil/usbfarm/apxtri/node_modules/openpgp/dist/node/openpgp.js");
const openpgp = require("openpgp");
const conf = require(`../../../conf.json`);
const currentmod='isAuthenticated';
const log = conf.api.activelog.includes(currentmod)
/**
* @api {get} / - isAuthenticated
* @apiGroup Middlewares
* @apiName isAuthenticated
* @apiDescription - valid if exist xalias_xdays_xhash.substr(20,200) in town/tmp/tokens/
* - if not,
* - valid if xhash signature sign xalias_xdays with alias's publickey.
* - if not valid => not allowed
* - If valid =>
* - store a xalias_xdays_xhash.substr (20,200) into /tmp/tokens with xprofils array from person.
* - update header.xprofils from this token
*
* apxtri profils are anonymous, pagans, mayor (on a node server), druid (on a tribe like smatchit).
*
* pagan identity is independant of domain (tribe), by default profils are :['anonymous','pagans']. if this alias exist in a tribe domain as a person then his profils come from /tribes/{tribeId}/objects/person/itm/{alias}.json profils:['anonymous','pagans','person','seeker'] any profils allowed to act on tribe objects.
*
* Each profil have CRUD accessright on object managed in schema in apxaccessrights:{owner,profil:{"C":[],"R":[properties],"U":[properties],"D":[]}}, see Odmdb for details.
*
* A process run once each day to clean up all xhash tmp/tokens oldest than 24 hours.
*
**/
const isAuthenticated = async (req, res, next) => {
/*
console.log(__dirname)
console.log(path.resolve('../tmp/tokens'))
if (fs.existsSync('../tmp/tokens')) console.log('pass A')
if (fs.existsSync('../tmp/tokens')) console.log('pass B')
*/
const currentday = dayjs().date();
fs.ensureDirSync(`../tmp/tokens`);
let menagedone = fs.existsSync(
`../../tmp/tokens/menagedone${currentday}`
);
if (menagedone) console.log(Date.now(),`menagedone${currentday} was it done today?:${menagedone}`);
if (!menagedone) {
// clean oldest
const tsday = dayjs().valueOf(); // now in timestamp format
glob.sync(`../../tmp/tokens/menagedone*`).forEach((f) => {
fs.removeSync(f);
});
glob.sync(`../../tmp/tokens/*.json`).forEach((f) => {
const fsplit = f.split("_");
const elapse = tsday - parseInt(fsplit[2]);
//24h 86400000 milliseconde 15mn 900000
if (elapse && elapse > 86400000) {
fs.remove(f);
}
});
//clean tmp
glob.sync(`../../tmp/*.txt`).forEach((f) => {
fs.remove(f);
});
fs.outputFile(
`../../tmp/tokens/menagedone${currentday}`,
"done by middleware/isAUthenticated"
);
}
//Check register in tmp/tokens/
if (log) console.log( currentmod," isAuthenticate?", req.session.header, req.body);
const resnotauth = {
ref: "middlewares",
msg: "notauthenticated",
data: {
xalias: req.session.header.xalias,
xaliasexists: true,
},
};
if (
req.session.header.xalias == "anonymous" ||
req.session.header.xhash == "anonymous"
) {
if (log) console.log(currentmod,"alias anonymous means not auth");
resnotauth.status = 401;
return res.status(resnotauth.status).json(resnotauth);
}
let tmpfs = `../../tmp/tokens/${req.session.header.xalias}_${req.session.header.xtribe}_${req.session.header.xdays}`;
//max filename in ext4: 255 characters
tmpfs += `_${req.session.header.xhash.substring(
150,
150 + tmpfs.length - 249
)}.json`;
const bruteforcepenalty = async (alias, action) => {
const sleep = (ms) => {
return new Promise((resolve) => setTimeout(resolve, ms));
};
const failstamp = `../../tmp/tokens/${alias}.json`;
if (action == "clean") {
//to reinit bruteforce checker
if (log) console.log(currentmod, "try to clean penalty file ", failstamp);
fs.remove(failstamp, (err) => {
if (err) console.log(Date.now(),currentmod,"Check forcebrut ", err);
});
} else if (action == "penalty") {
const stamp = fs.existsSync(failstamp)
? fs.readJSONSync(failstamp)
: { lastfail: dayjs().format(), numberfail: 0 };
stamp.lastfail = dayjs().format();
stamp.numberfail += 1;
fs.outputJSON(failstamp, stamp);
if (log) console.log(currentmod,"penalty:", stamp);
await sleep(stamp.numberfail * 100); //increase of 0,1 second the answer time per fail
if (log) console.log(currentmod,"time out penalty");
}
};
if (!fs.existsSync(tmpfs)) {
// need to check detached sign
let publickey = "";
const aliasinfo = `../objects/pagans/itm/${req.session.header.xalias}.json`;
if (fs.existsSync(aliasinfo)) {
publickey = fs.readJsonSync(aliasinfo).publickey;
} else if (req.body.publickey) {
resnotauth.data.xaliasexists = false;
publickey = req.body.publickey;
}
if (publickey == "") {
if (log) console.log(currentmod,"header xalias unknown:",req.session.header.xalias);
resnotauth.status = 404;
resnotauth.data.xaliasexists = false;
return res.status(resnotauth.status).send(resnotauth);
}
if (log) console.log(currentmod,"publickey", publickey);
if (publickey.substring(0, 31) !== "-----BEGIN PGP PUBLIC KEY BLOCK") {
console.log(Date.now(),currentmod,"Publickey is not valid as armored key:", publickey);
await bruteforcepenalty(req.session.header.xalias, "penalty");
resnotauth.status = 404;
return res.status(resnotauth.status).send(resnotauth);
}
const clearmsg = Buffer.from(req.session.header.xhash, "base64").toString();
if (clearmsg.substring(0, 10) !== "-----BEGIN") {
if (log) console.log(currentmod,"xhash conv is not valid as armored key:", clearmsg);
await bruteforcepenalty(req.session.header.xalias, "penalty");
resnotauth.status = 404;
return res.status(resnotauth.status).send(resnotauth);
}
if (log) console.log(currentmod, "clearmsg", clearmsg);
let signedMessage=""
const pubkey = await openpgp.readKey({ armoredKey: publickey });
try{
signedMessage = await openpgp.readCleartextMessage({
cleartextMessage: clearmsg,
});
}catch(err){
return res.status(422).send({status:422,ref:"Middleware",msg:"unconsistentcleartextmessage",data:{xhash:req.session.header.xhash,clearmsg}})
}
const verificationResult = await openpgp.verify({
message: signedMessage,
verificationKeys: pubkey,
});
if (log) console.log(currentmod,verificationResult);
if (log) console.log(currentmod,verificationResult.signatures[0].keyID.toHex());
try {
await verificationResult.signatures[0].verified;
if (
verificationResult.data !=
`${req.session.header.xalias}_${req.session.header.xdays}`
) {
resnotauth.msg = "signaturefailled";
if (log) console.log(currentmod,`message recu:${verificationResult.data} , message attendu:${req.session.header.xalias}_${req.session.header.xdays}`
);
await bruteforcepenalty(req.session.header.xalias, "penalty");
resnotauth.status = 401;
return res.status(resnotauth.status).send(resnotauth);
}
} catch (e) {
resnotauth.msg = "signaturefailled";
if (log) console.log(currentmod,"erreur", e);
await bruteforcepenalty(req.session.header.xalias, "penalty");
resnotauth.status = 401;
return res.status(resnotauth.status).send(resnotauth);
}
// authenticated then get person profils (person = pagan for a xtrib)
const person = `../../${req.session.header.xtribe}/objects/persons/itm/${req.session.header.xalias}.json`;
if (log) console.log(currentmod,"Profils tribe/app management");
if (log) console.log(currentmod,"person", person);
if (fs.existsSync(person)) {
const infoperson = fs.readJSONSync(person);
if (log) console.log(currentmod,"infoperson",infoperson);
infoperson.profils.forEach((p) => {
if (!req.session.header.xprofils.includes(p)) req.session.header.xprofils.push(p);
})
}else{
if (!req.session.header.xprofils.includes('pagans')) req.session.header.xprofils.push("pagans");
}
fs.outputJSONSync(tmpfs, req.session.header.xprofils);
} else {
//tmpfs exist get profils from identification process
req.session.header.xprofils = fs.readJSONSync(tmpfs);
}
bruteforcepenalty(req.session.header.xalias, "clean");
if (log) console.log(currentmod,`${req.session.header.xalias} Authenticated`);
next();
};
module.exports = isAuthenticated;
View Git Blame Copy Permalink