Notes/src/services/auth.ts

import etapiTokenService from "./etapi_tokens.js";
import log from "./log.js";
import sqlInit from "./sql_init.js";
import { isElectron } from "./utils.js";
import passwordEncryptionService from "./encryption/password_encryption.js";
import config from "./config.js";
import passwordService from "./encryption/password.js";
import totp from "./totp.js";
import openID from "./open_id.js";
import options from "./options.js";
import attributes from "./attributes.js";
import type { NextFunction, Request, Response } from "express";

const noAuthentication = config.General && config.General.noAuthentication === true;

function checkAuth(req: Request, res: Response, next: NextFunction) {
    if (!sqlInit.isDbInitialized()) {
        res.redirect('setup');
    }

    const currentTotpStatus = totp.isTotpEnabled();
    const currentSsoStatus = openID.isOpenIDEnabled();
    const lastAuthState = req.session.lastAuthState || { totpEnabled: false, ssoEnabled: false };

    if (isElectron) {
        next();
        return;
    } else if (currentTotpStatus !== lastAuthState.totpEnabled || currentSsoStatus !== lastAuthState.ssoEnabled) {
        req.session.destroy((err) => {
            if (err) console.error('Error destroying session:', err);
            res.redirect('login');
        });
        return;
    } else if (currentSsoStatus) {
        if (req.oidc?.isAuthenticated() && req.session.loggedIn) {
            next();
            return;
        }
        res.redirect('login');
        return;
    } else if (!req.session.loggedIn && !noAuthentication) {

        // cannot use options.getOptionBool currently => it will throw an error on new installations
        // TriliumNextTODO: look into potentially creating an getOptionBoolOrNull instead
        const hasRedirectBareDomain = options.getOptionOrNull("redirectBareDomain") === "true";

        if (hasRedirectBareDomain) {
            // Check if any note has the #shareRoot label
            const shareRootNotes = attributes.getNotesWithLabel("shareRoot");
            if (shareRootNotes.length === 0) {
                res.status(404).json({ message: "Share root not found. Please set up a note with #shareRoot label first." });
                return;
            }
        }
        res.redirect(hasRedirectBareDomain ? "share" : "login");
    } else {
        next();
    }
}


// for electron things which need network stuff
//  currently, we're doing that for file upload because handling form data seems to be difficult
function checkApiAuthOrElectron(req: Request, res: Response, next: NextFunction) {
    if (!req.session.loggedIn && !isElectron && !noAuthentication) {
        reject(req, res, "Logged in session not found");
    } else {
        next();
    }
}

function checkApiAuth(req: Request, res: Response, next: NextFunction) {
    if (!req.session.loggedIn && !noAuthentication) {
        reject(req, res, "Logged in session not found");
    } else {
        next();
    }
}

function checkAppInitialized(req: Request, res: Response, next: NextFunction) {
    if (!sqlInit.isDbInitialized()) {
        res.redirect("setup");
    } else {
        next();
    }
}

function checkPasswordSet(req: Request, res: Response, next: NextFunction) {
    if (!isElectron && !passwordService.isPasswordSet()) {
        res.redirect("set-password");
    } else {
        next();
    }
}

function checkPasswordNotSet(req: Request, res: Response, next: NextFunction) {
    if (!isElectron && passwordService.isPasswordSet()) {
        res.redirect("login");
    } else {
        next();
    }
}

function checkAppNotInitialized(req: Request, res: Response, next: NextFunction) {
    if (sqlInit.isDbInitialized()) {
        reject(req, res, "App already initialized.");
    } else {
        next();
    }
}

function checkEtapiToken(req: Request, res: Response, next: NextFunction) {
    if (etapiTokenService.isValidAuthHeader(req.headers.authorization)) {
        next();
    } else {
        reject(req, res, "Token not found");
    }
}

function reject(req: Request, res: Response, message: string) {
    log.info(`${req.method} ${req.path} rejected with 401 ${message}`);

    res.setHeader("Content-Type", "text/plain").status(401).send(message);
}

function checkCredentials(req: Request, res: Response, next: NextFunction) {
    if (!sqlInit.isDbInitialized()) {
        res.setHeader("Content-Type", "text/plain").status(400).send("Database is not initialized yet.");
        return;
    }

    if (!passwordService.isPasswordSet()) {
        res.setHeader("Content-Type", "text/plain").status(400).send("Password has not been set yet. Please set a password and repeat the action");
        return;
    }

    const header = req.headers["trilium-cred"] || "";
    if (typeof header !== "string") {
        res.setHeader("Content-Type", "text/plain").status(400).send("Invalid data type for trilium-cred.");
        return;
    }

    const auth = Buffer.from(header, "base64").toString();
    const colonIndex = auth.indexOf(":");
    const password = colonIndex === -1 ? "" : auth.substr(colonIndex + 1);
    // username is ignored

    if (!passwordEncryptionService.verifyPassword(password)) {
        res.setHeader("Content-Type", "text/plain").status(401).send("Incorrect password");
    } else {
        next();
    }
}

export default {
    checkAuth,
    checkApiAuth,
    checkAppInitialized,
    checkPasswordSet,
    checkPasswordNotSet,
    checkAppNotInitialized,
    checkApiAuthOrElectron,
    checkEtapiToken,
    checkCredentials
};
server-esm: Change simple local import statements 2024-07-18 21:35:17 +03:00			`import etapiTokenService from "./etapi_tokens.js";`
			`import log from "./log.js";`
			`import sqlInit from "./sql_init.js";`
refactor(services): use named imports from utils 2025-01-02 13:47:44 +01:00			`import { isElectron } from "./utils.js";`
server-esm: Change simple local import statements 2024-07-18 21:35:17 +03:00			`import passwordEncryptionService from "./encryption/password_encryption.js";`
			`import config from "./config.js";`
			`import passwordService from "./encryption/password.js";`
feat: 🎸 Remove redundant check auth 2025-03-26 01:36:48 +01:00			`import totp from "./totp.js";`
feat: 🎸 Fix import naming 2025-03-26 02:04:24 +01:00			`import openID from "./open_id.js";`
feature complete; tested and working on local linux machine 2025-02-16 22:47:50 -07:00			`import options from "./options.js";`
WIP: 1st step at verifying shareRoot is set 2025-02-20 08:12:51 -07:00			`import attributes from "./attributes.js";`
chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`import type { NextFunction, Request, Response } from "express";`
allow disabling authentication for server version, closes #1132 2020-08-29 00:11:50 +02:00
			`const noAuthentication = config.General && config.General.noAuthentication === true;`
sync WIP 2017-10-25 22:39:21 -04:00
chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`function checkAuth(req: Request, res: Response, next: NextFunction) {`
fix: 🐛 init error with totp 2025-03-28 02:37:12 +01:00			`if (!sqlInit.isDbInitialized()) {`
			`res.redirect('setup');`
			`}`

feat: 🎸 Remove redundant check auth 2025-03-26 01:36:48 +01:00			`const currentTotpStatus = totp.isTotpEnabled();`
feat: 🎸 Fix import naming 2025-03-26 02:04:24 +01:00			`const currentSsoStatus = openID.isOpenIDEnabled();`
feat: 🎸 Remove redundant check auth 2025-03-26 01:36:48 +01:00			`const lastAuthState = req.session.lastAuthState \|\| { totpEnabled: false, ssoEnabled: false };`

fix: 🐛 init error with totp 2025-03-28 02:37:12 +01:00			`if (isElectron) {`
feat: 🎸 fix electron login logic 2025-03-26 10:58:14 +01:00			`next();`
			`return;`
feat: 🎸 Remove redundant check auth 2025-03-26 01:36:48 +01:00			`} else if (currentTotpStatus !== lastAuthState.totpEnabled \|\| currentSsoStatus !== lastAuthState.ssoEnabled) {`
			`req.session.destroy((err) => {`
			`if (err) console.error('Error destroying session:', err);`
fix: 🐛 fix redirect url with reverse proxy 2025-03-31 21:08:22 +02:00			`res.redirect('login');`
feat: 🎸 Remove redundant check auth 2025-03-26 01:36:48 +01:00			`});`
			`return;`
feat: 🎸 returen missing vars for oauth 2025-03-28 03:43:44 +01:00			`} else if (currentSsoStatus) {`
feat: 🎸 Fix SSO login 2025-03-26 02:39:29 +01:00			`if (req.oidc?.isAuthenticated() && req.session.loggedIn) {`
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`next();`
feat: 🎸 Fix SSO login 2025-03-26 02:39:29 +01:00			`return;`
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`}`
fix: 🐛 fix redirect url with reverse proxy 2025-03-31 21:08:22 +02:00			`res.redirect('login');`
feat: 🎸 Fix SSO login 2025-03-26 02:39:29 +01:00			`return;`
feat: 🎸 fix electron login logic 2025-03-26 10:58:14 +01:00			`} else if (!req.session.loggedIn && !noAuthentication) {`
fix(auth): avoid "Error: Option 'redirectBareDomain' doesn't exist" on new installations fixes #1667 2025-04-10 09:56:54 +02:00
refactor(auth): simplify hasRedirectBareDomain following change suggestion requested here https://github.com/TriliumNext/Notes/pull/1668#pullrequestreview-2755816018 2025-04-10 19:48:13 +02:00			`// cannot use options.getOptionBool currently => it will throw an error on new installations`
			`// TriliumNextTODO: look into potentially creating an getOptionBoolOrNull instead`
			`const hasRedirectBareDomain = options.getOptionOrNull("redirectBareDomain") === "true";`
fix(auth): avoid "Error: Option 'redirectBareDomain' doesn't exist" on new installations fixes #1667 2025-04-10 09:56:54 +02:00
refactor(auth): simplify hasRedirectBareDomain following change suggestion requested here https://github.com/TriliumNext/Notes/pull/1668#pullrequestreview-2755816018 2025-04-10 19:48:13 +02:00			`if (hasRedirectBareDomain) {`
WIP: 1st step at verifying shareRoot is set 2025-02-20 08:12:51 -07:00			`// Check if any note has the #shareRoot label`
			`const shareRootNotes = attributes.getNotesWithLabel("shareRoot");`
			`if (shareRootNotes.length === 0) {`
			`res.status(404).json({ message: "Share root not found. Please set up a note with #shareRoot label first." });`
			`return;`
			`}`
			`}`
refactor(auth): simplify hasRedirectBareDomain following change suggestion requested here https://github.com/TriliumNext/Notes/pull/1668#pullrequestreview-2755816018 2025-04-10 19:48:13 +02:00			`res.redirect(hasRedirectBareDomain ? "share" : "login");`
Ported from branch OIDC 2024-09-07 10:21:41 -07:00			`} else {`
separate sync for pull (implemented) and push (not yet) 2017-10-26 20:31:31 -04:00			`next();`
			`}`
			`}`

fix(auth): avoid "Error: Option 'redirectBareDomain' doesn't exist" on new installations fixes #1667 2025-04-10 09:56:54 +02:00

auth exception for images in electron 2018-01-07 09:59:05 -05:00			`// for electron things which need network stuff`
typos 2023-06-30 11:18:34 +02:00			`// currently, we're doing that for file upload because handling form data seems to be difficult`
chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`function checkApiAuthOrElectron(req: Request, res: Response, next: NextFunction) {`
refactor(server/utils): isElectron - replace fn with boolean this values cannot change during runtime, => there is no need to have these checks as dynamic function, instead just export the boolean value directly 2025-01-22 18:57:06 +01:00			`if (!req.session.loggedIn && !isElectron && !noAuthentication) {`
updated render note help 2021-04-05 22:37:12 +02:00			`reject(req, res, "Logged in session not found");`
chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`} else {`
node authentication 2017-10-15 16:32:49 -04:00			`next();`
			`}`
			`}`

chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`function checkApiAuth(req: Request, res: Response, next: NextFunction) {`
allow disabling authentication for server version, closes #1132 2020-08-29 00:11:50 +02:00			`if (!req.session.loggedIn && !noAuthentication) {`
updated render note help 2021-04-05 22:37:12 +02:00			`reject(req, res, "Logged in session not found");`
chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`} else {`
separate sync for pull (implemented) and push (not yet) 2017-10-26 20:31:31 -04:00			`next();`
			`}`
			`}`

chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`function checkAppInitialized(req: Request, res: Response, next: NextFunction) {`
syncification 2020-06-20 12:31:38 +02:00			`if (!sqlInit.isDbInitialized()) {`
#98, sync to server now works as well + a lot of related changes 2018-07-24 20:35:03 +02:00			`res.redirect("setup");`
chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`} else {`
#98, sync to server now works as well + a lot of related changes 2018-07-24 20:35:03 +02:00			`next();`
			`}`
			`}`

chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`function checkPasswordSet(req: Request, res: Response, next: NextFunction) {`
refactor(server/utils): isElectron - replace fn with boolean this values cannot change during runtime, => there is no need to have these checks as dynamic function, instead just export the boolean value directly 2025-01-22 18:57:06 +01:00			`if (!isElectron && !passwordService.isPasswordSet()) {`
set password from web trilium 2021-12-29 23:37:12 +01:00			`res.redirect("set-password");`
set password WIP 2021-12-29 23:19:05 +01:00			`} else {`
			`next();`
			`}`
			`}`

chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`function checkPasswordNotSet(req: Request, res: Response, next: NextFunction) {`
refactor(server/utils): isElectron - replace fn with boolean this values cannot change during runtime, => there is no need to have these checks as dynamic function, instead just export the boolean value directly 2025-01-22 18:57:06 +01:00			`if (!isElectron && passwordService.isPasswordSet()) {`
etapi improvements and more tests 2022-01-12 19:32:23 +01:00			`res.redirect("login");`
			`} else {`
			`next();`
			`}`
			`}`

chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`function checkAppNotInitialized(req: Request, res: Response, next: NextFunction) {`
syncification 2020-06-20 12:31:38 +02:00			`if (sqlInit.isDbInitialized()) {`
logging API auth rejections 2019-07-25 21:05:16 +02:00			`reject(req, res, "App already initialized.");`
chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`} else {`
implemented initial setup of the app 2017-12-03 22:29:23 -05:00			`next();`
			`}`
			`}`

chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`function checkEtapiToken(req: Request, res: Response, next: NextFunction) {`
ETAPI auth, spec improvements etc. 2022-01-10 17:09:20 +01:00			`if (etapiTokenService.isValidAuthHeader(req.headers.authorization)) {`
			`next();`
chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`} else {`
ETAPI auth, spec improvements etc. 2022-01-10 17:09:20 +01:00			`reject(req, res, "Token not found");`
converted file, script, search and sender routes 2018-03-30 17:29:13 -04:00			`}`
			`}`

chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`function reject(req: Request, res: Response, message: string) {`
logging API auth rejections 2019-07-25 21:05:16 +02:00			log.info(`${req.method} ${req.path} rejected with 401 ${message}`);

chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`res.setHeader("Content-Type", "text/plain").status(401).send(message);`
logging API auth rejections 2019-07-25 21:05:16 +02:00			`}`

chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`function checkCredentials(req: Request, res: Response, next: NextFunction) {`
extra init check to provide better error response 2021-11-10 21:12:53 +01:00			`if (!sqlInit.isDbInitialized()) {`
chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`res.setHeader("Content-Type", "text/plain").status(400).send("Database is not initialized yet.");`
better error when password is not set, #2685 2022-02-24 23:22:20 +01:00			`return;`
			`}`

			`if (!passwordService.isPasswordSet()) {`
chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`res.setHeader("Content-Type", "text/plain").status(400).send("Password has not been set yet. Please set a password and repeat the action");`
better error when password is not set, #2685 2022-02-24 23:22:20 +01:00			`return;`
extra init check to provide better error response 2021-11-10 21:12:53 +01:00			`}`

chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`const header = req.headers["trilium-cred"] \|\| "";`
chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`if (typeof header !== "string") {`
chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`res.setHeader("Content-Type", "text/plain").status(400).send("Invalid data type for trilium-cred.");`
chore(types): adapt to new express type definitions 2024-12-10 22:35:23 +02:00			`return;`
			`}`

chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`const auth = Buffer.from(header, "base64").toString();`
			`const colonIndex = auth.indexOf(":");`
fix parsing the authentication header with password containing a colon, closes #3916 2023-05-09 23:44:43 +02:00			`const password = colonIndex === -1 ? "" : auth.substr(colonIndex + 1);`
set password from web trilium 2021-12-29 23:37:12 +01:00			`// username is ignored`
#98, working sync setup from server to desktop instance + refactoring of DB initialization 2018-07-22 19:56:20 +02:00
set password from web trilium 2021-12-29 23:37:12 +01:00			`if (!passwordEncryptionService.verifyPassword(password)) {`
chore(prettier): fix all files 2025-01-09 18:07:02 +02:00			`res.setHeader("Content-Type", "text/plain").status(401).send("Incorrect password");`
			`} else {`
#98, working sync setup from server to desktop instance + refactoring of DB initialization 2018-07-22 19:56:20 +02:00			`next();`
			`}`
			`}`

server-esm: Change some more export object to export default object 2024-07-18 21:47:30 +03:00			`export default {`
node authentication 2017-10-15 16:32:49 -04:00			`checkAuth,`
separate sync for pull (implemented) and push (not yet) 2017-10-26 20:31:31 -04:00			`checkApiAuth,`
#98, sync to server now works as well + a lot of related changes 2018-07-24 20:35:03 +02:00			`checkAppInitialized,`
set password WIP 2021-12-29 23:19:05 +01:00			`checkPasswordSet,`
etapi improvements and more tests 2022-01-12 19:32:23 +01:00			`checkPasswordNotSet,`
auth exception for images in electron 2018-01-07 09:59:05 -05:00			`checkAppNotInitialized,`
converted file, script, search and sender routes 2018-03-30 17:29:13 -04:00			`checkApiAuthOrElectron,`
ETAPI auth, spec improvements etc. 2022-01-10 17:09:20 +01:00			`checkEtapiToken,`
using custom header for sync authorization to avoid tripping security proxies 2021-02-05 21:59:56 +01:00			`checkCredentials`
syncification 2020-06-20 12:31:38 +02:00			`};`