Notes/src/routes/login.ts

import utils from "../services/utils.js";
import optionService from "../services/options.js";
import myScryptService from "../services/encryption/my_scrypt.js";
import log from "../services/log.js";
import passwordService from "../services/encryption/password.js";
import assetPath from "../services/asset_path.js";
import appPath from "../services/app_path.js";
import ValidationError from "../errors/validation_error.js";
import type { Request, Response } from 'express';
import totp from '../services/totp.js';
import recoveryCodeService from '../services/encryption/recovery_codes.js';
import openID from '../services/open_id.js';
import openIDEncryption from '../services/encryption/open_id_encryption.js';

function loginPage(req: Request, res: Response) {
    res.render('login', {
        wrongPassword: false,
        wrongTotp: false,
        totpEnabled: totp.isTotpEnabled(),
        ssoEnabled: openID.isOpenIDEnabled(),
        assetPath: assetPath,
        appPath: appPath,
    });
}

function setPasswordPage(req: Request, res: Response) {
    res.render("set_password", {
        error: false,
        assetPath,
        appPath
    });
}

function setPassword(req: Request, res: Response) {
    if (passwordService.isPasswordSet()) {
        throw new ValidationError("Password has been already set");
    }

    let { password1, password2 } = req.body;
    password1 = password1.trim();
    password2 = password2.trim();

    let error;

    if (password1 !== password2) {
        error = "Entered passwords don't match.";
    } else if (password1.length < 4) {
        error = "Password must be at least 4 characters long.";
    }

    if (error) {
        res.render("set_password", {
            error,
            assetPath,
            appPath
        });
        return;
    }

    passwordService.setPassword(password1);

    res.redirect("login");
}

function login(req: Request, res: Response) {
    if (openID.isOpenIDEnabled()) {
        res.oidc.login({
            returnTo: '/',
            authorizationParams: {
                prompt: 'consent',
                access_type: 'offline'
            }
        });
        return;
    }

    const submittedPassword = req.body.password;
    const submittedTotpToken = req.body.totpToken;

    if (totp.isTotpEnabled()) {
        if (!verifyTOTP(submittedTotpToken)) {
            sendLoginError(req, res, 'totp');
            return;
        }
    }

    if (!verifyPassword(submittedPassword)) {
        sendLoginError(req, res, 'password');
        return;
    }

    const rememberMe = req.body.rememberMe;

    req.session.regenerate(() => {
        if (!rememberMe) {
            // unset default maxAge set by sessionParser
            // Cookie becomes non-persistent and expires
            // after current browser session (e.g. when browser is closed)
            req.session.cookie.maxAge = undefined;
        }

        req.session.lastAuthState = {
            totpEnabled: totp.isTotpEnabled(),
            ssoEnabled: openID.isOpenIDEnabled()
        };

        req.session.loggedIn = true;
        res.redirect('.');
    });
}

function verifyTOTP(submittedTotpToken: string) {
    if (totp.validateTOTP(submittedTotpToken)) return true;

    const recoveryCodeValidates = recoveryCodeService.verifyRecoveryCode(submittedTotpToken);

    return recoveryCodeValidates;
}

function verifyPassword(submittedPassword: string) {
    const hashed_password = utils.fromBase64(optionService.getOption("passwordVerificationHash"));

    const guess_hashed = myScryptService.getVerificationHash(submittedPassword);

    return guess_hashed.equals(hashed_password);
}

function sendLoginError(req: Request, res: Response, errorType: 'password' | 'totp' = 'password') {
    // note that logged IP address is usually meaningless since the traffic should come from a reverse proxy
    if (totp.isTotpEnabled()) {
        log.info(`WARNING: Wrong ${errorType} from ${req.ip}, rejecting.`);
    } else {
        log.info(`WARNING: Wrong password from ${req.ip}, rejecting.`);
    }

    res.status(401).render('login', {
        wrongPassword: errorType === 'password',
        wrongTotp: errorType === 'totp',
        totpEnabled: totp.isTotpEnabled(),
        ssoEnabled: openID.isOpenIDEnabled(),
        assetPath: assetPath,
        appPath: appPath,
    });
}

function logout(req: Request, res: Response) {
    req.session.regenerate(() => {
        req.session.loggedIn = false;

        if (openID.isOpenIDEnabled() && openIDEncryption.isSubjectIdentifierSaved()) {
            res.oidc.logout({ returnTo: '/' });
        }

        res.redirect('login');
    });
}

export default {
    loginPage,
    setPasswordPage,
    setPassword,
    login,
    logout
};
server-esm: Change simple local import statements 2024-07-18 21:35:17 +03:00			`import utils from "../services/utils.js";`
			`import optionService from "../services/options.js";`
			`import myScryptService from "../services/encryption/my_scrypt.js";`
			`import log from "../services/log.js";`
			`import passwordService from "../services/encryption/password.js";`
			`import assetPath from "../services/asset_path.js";`
			`import appPath from "../services/app_path.js";`
			`import ValidationError from "../errors/validation_error.js";`
Merge branch 'develop' into feature/MFA 2025-03-22 12:35:00 +01:00			`import type { Request, Response } from 'express';`
feat: 🎸 Fix import naming 2025-03-26 02:04:24 +01:00			`import totp from '../services/totp.js';`
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`import recoveryCodeService from '../services/encryption/recovery_codes.js';`
feat: 🎸 Fix import naming 2025-03-26 02:04:24 +01:00			`import openID from '../services/open_id.js';`
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`import openIDEncryption from '../services/encryption/open_id_encryption.js';`
server-ts: Convert routes/login 2024-04-07 14:22:01 +03:00
			`function loginPage(req: Request, res: Response) {`
feat: 🎸 Add SSO login button 2025-03-26 01:48:42 +01:00			`res.render('login', {`
			`wrongPassword: false,`
			`wrongTotp: false,`
			`totpEnabled: totp.isTotpEnabled(),`
feat: 🎸 Fix import naming 2025-03-26 02:04:24 +01:00			`ssoEnabled: openID.isOpenIDEnabled(),`
feat: 🎸 Add SSO login button 2025-03-26 01:48:42 +01:00			`assetPath: assetPath,`
			`appPath: appPath,`
			`});`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`}`
node authentication 2017-10-15 16:32:49 -04:00
server-ts: Convert routes/login 2024-04-07 14:22:01 +03:00			`function setPasswordPage(req: Request, res: Response) {`
chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`res.render("set_password", {`
use trilium version number in asset paths to avoid caching issues WIP 2022-10-26 23:50:54 +02:00			`error: false,`
refactor(routes/login): use "shorter" syntax for passing to ejs render 2025-02-26 08:50:36 +01:00			`assetPath,`
			`appPath`
use trilium version number in asset paths to avoid caching issues WIP 2022-10-26 23:50:54 +02:00			`});`
set password WIP 2021-12-29 23:19:05 +01:00			`}`

server-ts: Convert routes/login 2024-04-07 14:22:01 +03:00			`function setPassword(req: Request, res: Response) {`
resetting/setting password from options 2021-12-30 22:54:08 +01:00			`if (passwordService.isPasswordSet()) {`
introduced new exception classes for structured error reporting 2022-12-09 16:04:13 +01:00			`throw new ValidationError("Password has been already set");`
set password from web trilium 2021-12-29 23:37:12 +01:00			`}`

chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`let { password1, password2 } = req.body;`
set password from web trilium 2021-12-29 23:37:12 +01:00			`password1 = password1.trim();`
			`password2 = password2.trim();`

			`let error;`

			`if (password1 !== password2) {`
			`error = "Entered passwords don't match.";`
			`} else if (password1.length < 4) {`
			`error = "Password must be at least 4 characters long.";`
			`}`
node authentication 2017-10-15 16:32:49 -04:00
set password from web trilium 2021-12-29 23:37:12 +01:00			`if (error) {`
chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`res.render("set_password", {`
use trilium version number in asset paths to avoid caching issues WIP 2022-10-26 23:50:54 +02:00			`error,`
refactor(routes/login): use "shorter" syntax for passing to ejs render 2025-02-26 08:50:36 +01:00			`assetPath,`
			`appPath`
use trilium version number in asset paths to avoid caching issues WIP 2022-10-26 23:50:54 +02:00			`});`
set password from web trilium 2021-12-29 23:37:12 +01:00			`return;`
			`}`

resetting/setting password from options 2021-12-30 22:54:08 +01:00			`passwordService.setPassword(password1);`
set password from web trilium 2021-12-29 23:37:12 +01:00
chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`res.redirect("login");`
set password from web trilium 2021-12-29 23:37:12 +01:00			`}`

chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`function login(req: Request, res: Response) {`
feat: 🎸 Fix import naming 2025-03-26 02:04:24 +01:00			`if (openID.isOpenIDEnabled()) {`
feat: 🎸 Fix SSO login 2025-03-26 02:39:29 +01:00			`res.oidc.login({`
			`returnTo: '/',`
			`authorizationParams: {`
			`prompt: 'consent',`
			`access_type: 'offline'`
			`}`
			`});`
feat: 🎸 Fix import naming 2025-03-26 02:04:24 +01:00			`return;`
			`}`

feat: 🎸 Better naming for vars 2025-03-25 23:53:49 +01:00			`const submittedPassword = req.body.password;`
feat: 🎸 Fix TOTP not load correctly 2025-03-26 00:42:19 +01:00			`const submittedTotpToken = req.body.totpToken;`
node authentication 2017-10-15 16:32:49 -04:00
feat: 🎸 Show correct login error to user 2025-03-26 00:13:56 +01:00			`if (totp.isTotpEnabled()) {`
feat: 🎸 Fix TOTP not load correctly 2025-03-26 00:42:19 +01:00			`if (!verifyTOTP(submittedTotpToken)) {`
feat: 🎸 Show correct login error to user 2025-03-26 00:13:56 +01:00			`sendLoginError(req, res, 'totp');`
			`return;`
			`}`
node authentication 2017-10-15 16:32:49 -04:00			`}`
feat: 🎸 Show correct login error to user 2025-03-26 00:13:56 +01:00
hotfix(auth): fix TOTP validation bypass issue 2025-04-02 14:29:37 +08:00			`if (!verifyPassword(submittedPassword)) {`
			`sendLoginError(req, res, 'password');`
			`return;`
			`}`

feat: 🎸 Show correct login error to user 2025-03-26 00:13:56 +01:00			`const rememberMe = req.body.rememberMe;`

			`req.session.regenerate(() => {`
fix(login): fix regression that removed support for setting custom cookieMaxAge regression introduced with #401 custom cookieMaxAge feature added with #1156 fixes #1709 2025-04-15 09:09:28 +02:00			`if (!rememberMe) {`
feat: 🎸 Show correct login error to user 2025-03-26 00:13:56 +01:00			`// unset default maxAge set by sessionParser`
fix(login): fix regression that removed support for setting custom cookieMaxAge regression introduced with #401 custom cookieMaxAge feature added with #1156 fixes #1709 2025-04-15 09:09:28 +02:00			`// Cookie becomes non-persistent and expires`
			`// after current browser session (e.g. when browser is closed)`
feat: 🎸 Show correct login error to user 2025-03-26 00:13:56 +01:00			`req.session.cookie.maxAge = undefined;`
			`}`

			`req.session.lastAuthState = {`
			`totpEnabled: totp.isTotpEnabled(),`
feat: 🎸 Fix import naming 2025-03-26 02:04:24 +01:00			`ssoEnabled: openID.isOpenIDEnabled()`
feat: 🎸 Show correct login error to user 2025-03-26 00:13:56 +01:00			`};`

			`req.session.loggedIn = true;`
			`res.redirect('.');`
			`});`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`}`
node authentication 2017-10-15 16:32:49 -04:00
feat: 🎸 Fix TOTP not load correctly 2025-03-26 00:42:19 +01:00			`function verifyTOTP(submittedTotpToken: string) {`
			`if (totp.validateTOTP(submittedTotpToken)) return true;`
Merge remote-tracking branch 'origin/develop' into feature/MFA 2024-12-24 13:26:02 +02:00
feat: 🎸 Fix TOTP not load correctly 2025-03-26 00:42:19 +01:00			`const recoveryCodeValidates = recoveryCodeService.verifyRecoveryCode(submittedTotpToken);`
Merge remote-tracking branch 'origin/develop' into feature/MFA 2024-12-24 13:26:02 +02:00
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`return recoveryCodeValidates;`
			`}`

feat: 🎸 Better naming for vars 2025-03-25 23:53:49 +01:00			`function verifyPassword(submittedPassword: string) {`
chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`const hashed_password = utils.fromBase64(optionService.getOption("passwordVerificationHash"));`
node authentication 2017-10-15 16:32:49 -04:00
feat: 🎸 Better naming for vars 2025-03-25 23:53:49 +01:00			`const guess_hashed = myScryptService.getVerificationHash(submittedPassword);`
node authentication 2017-10-15 16:32:49 -04:00
			`return guess_hashed.equals(hashed_password);`
			`}`

feat: 🎸 Show correct login error to user 2025-03-26 00:13:56 +01:00			`function sendLoginError(req: Request, res: Response, errorType: 'password' \| 'totp' = 'password') {`
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`// note that logged IP address is usually meaningless since the traffic should come from a reverse proxy`
Merge branch 'develop' into feature/MFA 2025-03-22 12:35:00 +01:00			`if (totp.isTotpEnabled()) {`
feat: 🎸 Show correct login error to user 2025-03-26 00:13:56 +01:00			log.info(`WARNING: Wrong ${errorType} from ${req.ip}, rejecting.`);
Merge branch 'develop' into feature/MFA 2025-03-22 12:35:00 +01:00			`} else {`
TOTP working 2024-09-07 11:41:54 -07:00			log.info(`WARNING: Wrong password from ${req.ip}, rejecting.`);
			`}`
Merge remote-tracking branch 'origin/develop' into feature/MFA 2024-12-24 13:26:02 +02:00
fix(login): send back 401 Unauthorized on failed login attempt 2025-04-15 08:37:10 +02:00			`res.status(401).render('login', {`
feat: 🎸 Show correct login error to user 2025-03-26 00:13:56 +01:00			`wrongPassword: errorType === 'password',`
			`wrongTotp: errorType === 'totp',`
			`totpEnabled: totp.isTotpEnabled(),`
feat: 🎸 Fix import naming 2025-03-26 02:04:24 +01:00			`ssoEnabled: openID.isOpenIDEnabled(),`
Merge branch 'develop' into feature/MFA 2025-03-22 12:35:00 +01:00			`assetPath: assetPath,`
feat: 🎸 Better naming for vars 2025-03-25 23:53:49 +01:00			`appPath: appPath,`
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`});`
			`}`

chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`function logout(req: Request, res: Response) {`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`req.session.regenerate(() => {`
			`req.session.loggedIn = false;`
Merge branch 'develop' into feature/MFA 2025-03-22 12:35:00 +01:00
feat: 🎸 Fix import naming 2025-03-26 02:04:24 +01:00			`if (openID.isOpenIDEnabled() && openIDEncryption.isSubjectIdentifierSaved()) {`
fix: 🐛 fix oauth logout error 2025-03-28 04:05:00 +01:00			`res.oidc.logout({ returnTo: '/' });`
Fix "Cannot set headers after they are sent" error in logout function 2025-04-02 14:13:38 +08:00			`}`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00
Fix "Cannot set headers after they are sent" error in logout function 2025-04-02 14:13:38 +08:00			`res.redirect('login');`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`});`
			`}`

server-esm: Change some more export object to export default object 2024-07-18 21:47:30 +03:00			`export default {`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`loginPage,`
set password WIP 2021-12-29 23:19:05 +01:00			`setPasswordPage,`
set password from web trilium 2021-12-29 23:37:12 +01:00			`setPassword,`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`login,`
			`logout`
			`};`