Notes/src/routes/login.ts

"use strict";

import utils from "../services/utils.js";
import optionService from "../services/options.js";
import myScryptService from "../services/encryption/my_scrypt.js";
import log from "../services/log.js";
import passwordService from "../services/encryption/password.js";
import assetPath from "../services/asset_path.js";
import appPath from "../services/app_path.js";
import ValidationError from "../errors/validation_error.js";
import { Request, Response } from 'express';
import recoveryCodeService from '../services/encryption/recovery_codes.js';
import openIDService from '../services/open_id.js';
import openIDEncryption from '../services/encryption/open_id_encryption.js';
import totp from '../services/totp.js';
import open_id from '../services/open_id.js';

function loginPage(req: Request, res: Response) {
    if (open_id.isOpenIDEnabled()) {
      res.redirect('/authenticate');
    } else {
      res.render('login', {
        failedAuth: false,
        totpEnabled: totp.isTotpEnabled(),
        assetPath: assetPath,
        appPath: appPath,
      });
    }
  }

 function setPasswordPage(req: Request, res: Response) {
    res.render('set_password', {
        error: false,
        assetPath: assetPath,
        appPath: appPath
    });
}

function setPassword(req: Request, res: Response) {
    if (passwordService.isPasswordSet()) {
        throw new ValidationError("Password has been already set");
    }

    let {password1, password2} = req.body;
    password1 = password1.trim();
    password2 = password2.trim();

    let error;

    if (password1 !== password2) {
        error = "Entered passwords don't match.";
    } else if (password1.length < 4) {
        error = "Password must be at least 4 characters long.";
    }

    if (error) {
        res.render('set_password', {
            error,
            assetPath: assetPath
        });
        return;
    }

    passwordService.setPassword(password1);

    res.redirect('login');
}

function login(req: Request, res: Response) {
    const guessedPassword = req.body.password;
    const guessedTotp = req.body.token;

    if (verifyPassword(guessedPassword)) {
        if (totp.isTotpEnabled()){
            if (!verifyTOTP(guessedTotp)) {
            sendLoginError(req, res);
            return;
            }
        }

        const rememberMe = req.body.rememberMe;

        req.session.regenerate(() => {
            if (rememberMe) {
                req.session.cookie.maxAge = 21 * 24 * 3600000;  // 3 weeks
            } else {
                req.session.cookie.expires = null;
            }

            req.session.loggedIn = true;
            res.redirect('.');
        });
    }
    else {
        sendLoginError(req, res);
    }
}

function verifyTOTP(guessedToken: string) {
    if (totp.validateTOTP(guessedToken)) return true;

    const recoveryCodeValidates = recoveryCodeService.verifyRecoveryCode(guessedToken);

    return recoveryCodeValidates;
}

function verifyPassword(guessedPassword: string) {
    const hashed_password = utils.fromBase64(optionService.getOption('passwordVerificationHash'));

    const guess_hashed = myScryptService.getVerificationHash(guessedPassword);

    return guess_hashed.equals(hashed_password);
}

function sendLoginError(req: Request, res: Response) {
    // note that logged IP address is usually meaningless since the traffic should come from a reverse proxy
    if ( totp.isTotpEnabled( )){
        log.info(`WARNING: Wrong password or TOTP from ${req.ip}, rejecting.`);
    }else{
        log.info(`WARNING: Wrong password from ${req.ip}, rejecting.`);
    }

    res.status(401).render('login', {
      failedAuth: true,
      totpEnabled: optionService.getOption('totpEnabled') && totp.checkForTotSecret(),
      assetPath: assetPath,
    });
}

function logout(req: Request, res: Response) {
    req.session.regenerate(() => {
        req.session.loggedIn = false;
        if (openIDService.isOpenIDEnabled() && openIDEncryption.isSubjectIdentifierSaved()) {
            res.oidc.logout({ returnTo: '/authenticate' });
        } else res.redirect('login');
    });

}

export default {
    loginPage,
    setPasswordPage,
    setPassword,
    login,
    logout
};
use strict in all JS files 2017-10-21 21:10:33 -04:00			`"use strict";`

server-esm: Change simple local import statements 2024-07-18 21:35:17 +03:00			`import utils from "../services/utils.js";`
			`import optionService from "../services/options.js";`
			`import myScryptService from "../services/encryption/my_scrypt.js";`
			`import log from "../services/log.js";`
			`import passwordService from "../services/encryption/password.js";`
			`import assetPath from "../services/asset_path.js";`
			`import appPath from "../services/app_path.js";`
			`import ValidationError from "../errors/validation_error.js";`
server-ts: Convert routes/login 2024-04-07 14:22:01 +03:00			`import { Request, Response } from 'express';`
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`import recoveryCodeService from '../services/encryption/recovery_codes.js';`
			`import openIDService from '../services/open_id.js';`
			`import openIDEncryption from '../services/encryption/open_id_encryption.js';`
			`import totp from '../services/totp.js';`
			`import open_id from '../services/open_id.js';`
server-ts: Convert routes/login 2024-04-07 14:22:01 +03:00
			`function loginPage(req: Request, res: Response) {`
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`if (open_id.isOpenIDEnabled()) {`
			`res.redirect('/authenticate');`
			`} else {`
			`res.render('login', {`
use trilium version number in asset paths to avoid caching issues WIP 2022-10-26 23:50:54 +02:00			`failedAuth: false,`
TOTP working 2024-09-07 11:41:54 -07:00			`totpEnabled: totp.isTotpEnabled(),`
fix missing doc resources for launchers, closes #3455 2022-12-25 11:58:24 +01:00			`assetPath: assetPath,`
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`appPath: appPath,`
			`});`
			`}`
			`}`
node authentication 2017-10-15 16:32:49 -04:00
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`function setPasswordPage(req: Request, res: Response) {`
use trilium version number in asset paths to avoid caching issues WIP 2022-10-26 23:50:54 +02:00			`res.render('set_password', {`
			`error: false,`
fix missing doc resources for launchers, closes #3455 2022-12-25 11:58:24 +01:00			`assetPath: assetPath,`
			`appPath: appPath`
use trilium version number in asset paths to avoid caching issues WIP 2022-10-26 23:50:54 +02:00			`});`
set password WIP 2021-12-29 23:19:05 +01:00			`}`

server-ts: Convert routes/login 2024-04-07 14:22:01 +03:00			`function setPassword(req: Request, res: Response) {`
resetting/setting password from options 2021-12-30 22:54:08 +01:00			`if (passwordService.isPasswordSet()) {`
introduced new exception classes for structured error reporting 2022-12-09 16:04:13 +01:00			`throw new ValidationError("Password has been already set");`
set password from web trilium 2021-12-29 23:37:12 +01:00			`}`

			`let {password1, password2} = req.body;`
			`password1 = password1.trim();`
			`password2 = password2.trim();`

			`let error;`

			`if (password1 !== password2) {`
			`error = "Entered passwords don't match.";`
			`} else if (password1.length < 4) {`
			`error = "Password must be at least 4 characters long.";`
			`}`
node authentication 2017-10-15 16:32:49 -04:00
set password from web trilium 2021-12-29 23:37:12 +01:00			`if (error) {`
use trilium version number in asset paths to avoid caching issues WIP 2022-10-26 23:50:54 +02:00			`res.render('set_password', {`
			`error,`
			`assetPath: assetPath`
			`});`
set password from web trilium 2021-12-29 23:37:12 +01:00			`return;`
			`}`

resetting/setting password from options 2021-12-30 22:54:08 +01:00			`passwordService.setPassword(password1);`
set password from web trilium 2021-12-29 23:37:12 +01:00
			`res.redirect('login');`
			`}`

chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`function login(req: Request, res: Response) {`
node authentication 2017-10-15 16:32:49 -04:00			`const guessedPassword = req.body.password;`
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`const guessedTotp = req.body.token;`
node authentication 2017-10-15 16:32:49 -04:00
set password from web trilium 2021-12-29 23:37:12 +01:00			`if (verifyPassword(guessedPassword)) {`
Changed Verification order. 2024-09-07 11:51:29 -07:00			`if (totp.isTotpEnabled()){`
			`if (!verifyTOTP(guessedTotp)) {`
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`sendLoginError(req, res);`
			`return;`
Changed Verification order. 2024-09-07 11:51:29 -07:00			`}`
TOTP working 2024-09-07 11:41:54 -07:00			`}`
Merge remote-tracking branch 'origin/develop' into feature/MFA 2024-12-24 13:26:02 +02:00
small refactorings and fixes 2023-06-29 23:32:19 +02:00			`const rememberMe = req.body.rememberMe;`
node authentication 2017-10-15 16:32:49 -04:00
regenerate session after login/logout 2017-10-15 20:16:30 -04:00			`req.session.regenerate(() => {`
remember me reimplemented 2017-10-16 19:14:15 -04:00			`if (rememberMe) {`
			`req.session.cookie.maxAge = 21 * 24 * 3600000; // 3 weeks`
			`} else {`
server-ts: Convert etapi/notes 2024-04-07 16:56:45 +03:00			`req.session.cookie.expires = null;`
remember me reimplemented 2017-10-16 19:14:15 -04:00			`}`

regenerate session after login/logout 2017-10-15 20:16:30 -04:00			`req.session.loggedIn = true;`
fix redirect after login 2019-05-22 21:25:13 +02:00			`res.redirect('.');`
regenerate session after login/logout 2017-10-15 20:16:30 -04:00			`});`
node authentication 2017-10-15 16:32:49 -04:00			`}`
			`else {`
TOTP working 2024-09-07 11:41:54 -07:00			`sendLoginError(req, res);`
node authentication 2017-10-15 16:32:49 -04:00			`}`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`}`
node authentication 2017-10-15 16:32:49 -04:00
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`function verifyTOTP(guessedToken: string) {`
			`if (totp.validateTOTP(guessedToken)) return true;`
Merge remote-tracking branch 'origin/develop' into feature/MFA 2024-12-24 13:26:02 +02:00
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`const recoveryCodeValidates = recoveryCodeService.verifyRecoveryCode(guessedToken);`
Merge remote-tracking branch 'origin/develop' into feature/MFA 2024-12-24 13:26:02 +02:00
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`return recoveryCodeValidates;`
			`}`

server-ts: Convert routes/login 2024-04-07 14:22:01 +03:00			`function verifyPassword(guessedPassword: string) {`
syncification 2020-06-20 12:31:38 +02:00			`const hashed_password = utils.fromBase64(optionService.getOption('passwordVerificationHash'));`
node authentication 2017-10-15 16:32:49 -04:00
syncification 2020-06-20 12:31:38 +02:00			`const guess_hashed = myScryptService.getVerificationHash(guessedPassword);`
node authentication 2017-10-15 16:32:49 -04:00
			`return guess_hashed.equals(hashed_password);`
			`}`

Merge remote-tracking branch 'origin/develop' into feature/MFA 2024-12-24 13:26:02 +02:00			`function sendLoginError(req: Request, res: Response) {`
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`// note that logged IP address is usually meaningless since the traffic should come from a reverse proxy`
TOTP working 2024-09-07 11:41:54 -07:00			`if ( totp.isTotpEnabled( )){`
			log.info(`WARNING: Wrong password or TOTP from ${req.ip}, rejecting.`);
			`}else{`
			log.info(`WARNING: Wrong password from ${req.ip}, rejecting.`);
			`}`
Merge remote-tracking branch 'origin/develop' into feature/MFA 2024-12-24 13:26:02 +02:00
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`res.status(401).render('login', {`
			`failedAuth: true,`
			`totpEnabled: optionService.getOption('totpEnabled') && totp.checkForTotSecret(),`
			`assetPath: assetPath,`
			`});`
			`}`

chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`function logout(req: Request, res: Response) {`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`req.session.regenerate(() => {`
			`req.session.loggedIn = false;`
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`if (openIDService.isOpenIDEnabled() && openIDEncryption.isSubjectIdentifierSaved()) {`
			`res.oidc.logout({ returnTo: '/authenticate' });`
			`} else res.redirect('login');`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`});`

			`}`

server-esm: Change some more export object to export default object 2024-07-18 21:47:30 +03:00			`export default {`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`loginPage,`
set password WIP 2021-12-29 23:19:05 +01:00			`setPasswordPage,`
set password from web trilium 2021-12-29 23:37:12 +01:00			`setPassword,`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`login,`
			`logout`
			`};`