Notes/src/routes/api/login.js

"use strict";

const options = require('../../services/options');
const utils = require('../../services/utils');
const dateUtils = require('../../services/date_utils');
const sourceIdService = require('../../services/source_id');
const passwordEncryptionService = require('../../services/password_encryption');
const protectedSessionService = require('../../services/protected_session');
const appInfo = require('../../services/app_info');
const eventService = require('../../services/events');
const cls = require('../../services/cls');
const sqlInit = require('../../services/sql_init');
const sql = require('../../services/sql');
const optionService = require('../../services/options');
const ApiToken = require('../../entities/api_token');

function loginSync(req) {
    if (!sqlInit.schemaExists()) {
        return [500, { message: "DB schema does not exist, can't sync." }];
    }

    const timestampStr = req.body.timestamp;

    const timestamp = dateUtils.parseDateTime(timestampStr);

    const now = new Date();

    // login token is valid for 5 minutes
    if (Math.abs(timestamp.getTime() - now.getTime()) > 5 * 60 * 1000) {
        return [401, { message: 'Auth request time is out of sync, please check that both client and server have correct time.' }];
    }

    const syncVersion = req.body.syncVersion;

    if (syncVersion !== appInfo.syncVersion) {
        return [400, { message: `Non-matching sync versions, local is version ${appInfo.syncVersion}, remote is ${syncVersion}. It is recommended to run same version of Trilium on both sides of sync.` }];
    }

    const documentSecret = options.getOption('documentSecret');
    const expectedHash = utils.hmac(documentSecret, timestampStr);

    const givenHash = req.body.hash;

    if (expectedHash !== givenHash) {
        return [400, { message: "Sync login credentials are incorrect. It looks like you're trying to sync two different initialized documents which is not possible." }];
    }

    req.session.loggedIn = true;

    return {
        sourceId: sourceIdService.getCurrentSourceId(),
        maxEntityChangeId: sql.getValue("SELECT COALESCE(MAX(id), 0) FROM entity_changes WHERE isSynced = 1")
    };
}

function loginToProtectedSession(req) {
    const password = req.body.password;

    if (!passwordEncryptionService.verifyPassword(password)) {
        return {
            success: false,
            message: "Given current password doesn't match hash"
        };
    }

    const decryptedDataKey = passwordEncryptionService.getDataKey(password);

    const protectedSessionId = protectedSessionService.setDataKey(decryptedDataKey);

    // this is set here so that event handlers have access to the protected session
    cls.set('protectedSessionId', protectedSessionId);

    eventService.emit(eventService.ENTER_PROTECTED_SESSION);

    return {
        success: true,
        protectedSessionId: protectedSessionId
    };
}

function token(req) {
    const username = req.body.username;
    const password = req.body.password;

    const isUsernameValid = username === optionService.getOption('username');
    const isPasswordValid = passwordEncryptionService.verifyPassword(password);

    if (!isUsernameValid || !isPasswordValid) {
        return [401, "Incorrect username/password"];
    }

    const apiToken = new ApiToken({
        token: utils.randomSecureToken()
    }).save();

    return {
        token: apiToken.token
    };
}

module.exports = {
    loginSync,
    loginToProtectedSession,
    token
};
added document_secret as basis for API authentication 2017-10-28 19:55:55 -04:00			`"use strict";`

sync of options 2017-11-02 20:48:02 -04:00			`const options = require('../../services/options');`
API auth (untested) 2017-10-28 22:17:00 -04:00			`const utils = require('../../services/utils');`
split out dateUtils on the backend 2018-04-02 20:46:46 -04:00			`const dateUtils = require('../../services/date_utils');`
refactored backend to use new naming convention for modules 2018-04-01 21:27:46 -04:00			`const sourceIdService = require('../../services/source_id');`
			`const passwordEncryptionService = require('../../services/password_encryption');`
			`const protectedSessionService = require('../../services/protected_session');`
			`const appInfo = require('../../services/app_info');`
autocomplete supports encrypted notes now as well 2018-04-20 00:12:01 -04:00			`const eventService = require('../../services/events');`
			`const cls = require('../../services/cls');`
#98, sync to server now works as well + a lot of related changes 2018-07-24 20:35:03 +02:00			`const sqlInit = require('../../services/sql_init');`
lower lastSyncedPull if server max sync ID is lower 2019-01-04 18:58:46 +01:00			`const sql = require('../../services/sql');`
token auth to /login 2019-06-23 21:22:08 +02:00			`const optionService = require('../../services/options');`
			`const ApiToken = require('../../entities/api_token');`
added document_secret as basis for API authentication 2017-10-28 19:55:55 -04:00
syncification 2020-06-20 12:31:38 +02:00			`function loginSync(req) {`
			`if (!sqlInit.schemaExists()) {`
return 401 when auth request is out of sync, closes #1056 2020-05-29 22:06:36 +02:00			`return [500, { message: "DB schema does not exist, can't sync." }];`
#98, sync to server now works as well + a lot of related changes 2018-07-24 20:35:03 +02:00			`}`

fixes for dates in sync 2017-12-10 15:45:17 -05:00			`const timestampStr = req.body.timestamp;`
added document_secret as basis for API authentication 2017-10-28 19:55:55 -04:00
split out dateUtils on the backend 2018-04-02 20:46:46 -04:00			`const timestamp = dateUtils.parseDateTime(timestampStr);`
fixes for dates in sync 2017-12-10 15:45:17 -05:00
			`const now = new Date();`

stretch sync login token validity to 5 minutes #277 2019-01-07 23:29:56 +01:00			`// login token is valid for 5 minutes`
			`if (Math.abs(timestamp.getTime() - now.getTime()) > 5 * 60 * 1000) {`
return 401 when auth request is out of sync, closes #1056 2020-05-29 22:06:36 +02:00			`return [401, { message: 'Auth request time is out of sync, please check that both client and server have correct time.' }];`
API auth (untested) 2017-10-28 22:17:00 -04:00			`}`

Introduced separate sync version (previously DB version was used to check sync compatibility), closes #120 2018-06-10 15:55:29 -04:00			`const syncVersion = req.body.syncVersion;`
API auth (untested) 2017-10-28 22:17:00 -04:00
Introduced separate sync version (previously DB version was used to check sync compatibility), closes #120 2018-06-10 15:55:29 -04:00			`if (syncVersion !== appInfo.syncVersion) {`
sync changes for note content 2019-02-15 00:15:09 +01:00			return [400, { message: `Non-matching sync versions, local is version ${appInfo.syncVersion}, remote is ${syncVersion}. It is recommended to run same version of Trilium on both sides of sync.` }];
API auth (untested) 2017-10-28 22:17:00 -04:00			`}`

syncification 2020-06-20 12:31:38 +02:00			`const documentSecret = options.getOption('documentSecret');`
fixes for dates in sync 2017-12-10 15:45:17 -05:00			`const expectedHash = utils.hmac(documentSecret, timestampStr);`
API auth (untested) 2017-10-28 22:17:00 -04:00
			`const givenHash = req.body.hash;`

			`if (expectedHash !== givenHash) {`
tree settings popup fixes 2020-05-02 13:52:02 +02:00			`return [400, { message: "Sync login credentials are incorrect. It looks like you're trying to sync two different initialized documents which is not possible." }];`
API auth (untested) 2017-10-28 22:17:00 -04:00			`}`

			`req.session.loggedIn = true;`

converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`return {`
lower lastSyncedPull if server max sync ID is lower 2019-01-04 18:58:46 +01:00			`sourceId: sourceIdService.getCurrentSourceId(),`
refactored "sync" table to "entity_changes" 2020-08-02 23:27:48 +02:00			`maxEntityChangeId: sql.getValue("SELECT COALESCE(MAX(id), 0) FROM entity_changes WHERE isSynced = 1")`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`};`
			`}`
added document_secret as basis for API authentication 2017-10-28 19:55:55 -04:00
syncification 2020-06-20 12:31:38 +02:00			`function loginToProtectedSession(req) {`
refactoring of password change and preparations for server side encryption 2017-11-09 23:25:23 -05:00			`const password = req.body.password;`

syncification 2020-06-20 12:31:38 +02:00			`if (!passwordEncryptionService.verifyPassword(password)) {`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`return {`
refactoring of password change and preparations for server side encryption 2017-11-09 23:25:23 -05:00			`success: false,`
			`message: "Given current password doesn't match hash"`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`};`
refactoring of password change and preparations for server side encryption 2017-11-09 23:25:23 -05:00			`}`

syncification 2020-06-20 12:31:38 +02:00			`const decryptedDataKey = passwordEncryptionService.getDataKey(password);`
refactoring of password change and preparations for server side encryption 2017-11-09 23:25:23 -05:00
autocomplete supports encrypted notes now as well 2018-04-20 00:12:01 -04:00			`const protectedSessionId = protectedSessionService.setDataKey(decryptedDataKey);`

fix ordering 2018-04-21 12:23:35 -04:00			`// this is set here so that event handlers have access to the protected session`
fixes and polish 2020-06-15 17:56:53 +02:00			`cls.set('protectedSessionId', protectedSessionId);`
autocomplete supports encrypted notes now as well 2018-04-20 00:12:01 -04:00
syncification 2020-06-20 12:31:38 +02:00			`eventService.emit(eventService.ENTER_PROTECTED_SESSION);`
refactoring of password change and preparations for server side encryption 2017-11-09 23:25:23 -05:00
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`return {`
refactoring of password change and preparations for server side encryption 2017-11-09 23:25:23 -05:00			`success: true,`
			`protectedSessionId: protectedSessionId`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`};`
			`}`
refactoring of password change and preparations for server side encryption 2017-11-09 23:25:23 -05:00
syncification 2020-06-20 12:31:38 +02:00			`function token(req) {`
token auth to /login 2019-06-23 21:22:08 +02:00			`const username = req.body.username;`
			`const password = req.body.password;`

syncification 2020-06-20 12:31:38 +02:00			`const isUsernameValid = username === optionService.getOption('username');`
			`const isPasswordValid = passwordEncryptionService.verifyPassword(password);`
token auth to /login 2019-06-23 21:22:08 +02:00
			`if (!isUsernameValid \|\| !isPasswordValid) {`
			`return [401, "Incorrect username/password"];`
			`}`

syncification 2020-06-20 12:31:38 +02:00			`const apiToken = new ApiToken({`
token auth to /login 2019-06-23 21:22:08 +02:00			`token: utils.randomSecureToken()`
			`}).save();`

			`return {`
			`token: apiToken.token`
			`};`
			`}`

converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`module.exports = {`
			`loginSync,`
token auth to /login 2019-06-23 21:22:08 +02:00			`loginToProtectedSession,`
			`token`
return 401 when auth request is out of sync, closes #1056 2020-05-29 22:06:36 +02:00			`};`