Notes/src/routes/api/login.ts

"use strict";

import options from "../../services/options.js";
import utils from "../../services/utils.js";
import dateUtils from "../../services/date_utils.js";
import instanceId from "../../services/instance_id.js";
import passwordEncryptionService from "../../services/encryption/password_encryption.js";
import protectedSessionService from "../../services/protected_session.js";
import appInfo from "../../services/app_info.js";
import eventService from "../../services/events.js";
import sqlInit from "../../services/sql_init.js";
import sql from "../../services/sql.js";
import ws from "../../services/ws.js";
import etapiTokenService from "../../services/etapi_tokens.js";
import { Request } from 'express';
import { AppRequest } from '../route-interface.js';

function loginSync(req: AppRequest) {
    if (!sqlInit.schemaExists()) {
        return [500, { message: "DB schema does not exist, can't sync." }];
    }

    const timestampStr = req.body.timestamp;

    const timestamp = dateUtils.parseDateTime(timestampStr);

    const now = new Date();

    // login token is valid for 5 minutes
    if (Math.abs(timestamp.getTime() - now.getTime()) > 5 * 60 * 1000) {
        return [401, { message: 'Auth request time is out of sync, please check that both client and server have correct time. The difference between clocks has to be smaller than 5 minutes.' }];
    }

    const syncVersion = req.body.syncVersion;

    if (syncVersion !== appInfo.syncVersion) {
        return [400, { message: `Non-matching sync versions, local is version ${appInfo.syncVersion}, remote is ${syncVersion}. It is recommended to run same version of Trilium on both sides of sync.` }];
    }

    const documentSecret = options.getOption('documentSecret');
    const expectedHash = utils.hmac(documentSecret, timestampStr);

    const givenHash = req.body.hash;

    if (expectedHash !== givenHash) {
        return [400, { message: "Sync login credentials are incorrect. It looks like you're trying to sync two different initialized documents which is not possible." }];
    }

    req.session.loggedIn = true;

    return {
        instanceId: instanceId,
        maxEntityChangeId: sql.getValue("SELECT COALESCE(MAX(id), 0) FROM entity_changes WHERE isSynced = 1")
    };
}

function loginToProtectedSession(req: Request) {
    const password = req.body.password;

    if (!passwordEncryptionService.verifyPassword(password)) {
        return {
            success: false,
            message: "Given current password doesn't match hash"
        };
    }

    const decryptedDataKey = passwordEncryptionService.getDataKey(password);
    if (!decryptedDataKey) {
        return {
            success: false,
            message: "Unable to obtain data key."
        }
    }

    protectedSessionService.setDataKey(decryptedDataKey);

    eventService.emit(eventService.ENTER_PROTECTED_SESSION);

    ws.sendMessageToAllClients({ type: 'protectedSessionLogin' });

    return {
        success: true
    };
}

function logoutFromProtectedSession() {
    protectedSessionService.resetDataKey();

    eventService.emit(eventService.LEAVE_PROTECTED_SESSION);

    ws.sendMessageToAllClients({ type: 'protectedSessionLogout' });
}

function touchProtectedSession() {
    protectedSessionService.touchProtectedSession();
}

function token(req: Request) {
    const password = req.body.password;

    if (!passwordEncryptionService.verifyPassword(password)) {
        return [401, "Incorrect password"];
    }

    // for backwards compatibility with Sender which does not send the name
    const tokenName = req.body.tokenName || "Trilium Sender / Web Clipper";

    const {authToken} = etapiTokenService.createToken(tokenName);

    return { token: authToken };
}

export default {
    loginSync,
    loginToProtectedSession,
    logoutFromProtectedSession,
    touchProtectedSession,
    token
};
added document_secret as basis for API authentication 2017-10-28 19:55:55 -04:00			`"use strict";`

server-esm: Change simple local import statements 2024-07-18 21:35:17 +03:00			`import options from "../../services/options.js";`
			`import utils from "../../services/utils.js";`
			`import dateUtils from "../../services/date_utils.js";`
			`import instanceId from "../../services/instance_id.js";`
			`import passwordEncryptionService from "../../services/encryption/password_encryption.js";`
			`import protectedSessionService from "../../services/protected_session.js";`
			`import appInfo from "../../services/app_info.js";`
			`import eventService from "../../services/events.js";`
			`import sqlInit from "../../services/sql_init.js";`
			`import sql from "../../services/sql.js";`
			`import ws from "../../services/ws.js";`
			`import etapiTokenService from "../../services/etapi_tokens.js";`
server-ts: Convert routes/api/login 2024-04-06 21:34:34 +03:00			`import { Request } from 'express';`
server: Fix missing .js import for route-interface 2024-07-24 20:23:05 +03:00			`import { AppRequest } from '../route-interface.js';`
server-ts: Convert routes/api/login 2024-04-06 21:34:34 +03:00
server-ts: Remove use of (req as any) 2024-04-07 14:29:08 +03:00			`function loginSync(req: AppRequest) {`
syncification 2020-06-20 12:31:38 +02:00			`if (!sqlInit.schemaExists()) {`
return 401 when auth request is out of sync, closes #1056 2020-05-29 22:06:36 +02:00			`return [500, { message: "DB schema does not exist, can't sync." }];`
#98, sync to server now works as well + a lot of related changes 2018-07-24 20:35:03 +02:00			`}`

fixes for dates in sync 2017-12-10 15:45:17 -05:00			`const timestampStr = req.body.timestamp;`
added document_secret as basis for API authentication 2017-10-28 19:55:55 -04:00
split out dateUtils on the backend 2018-04-02 20:46:46 -04:00			`const timestamp = dateUtils.parseDateTime(timestampStr);`
fixes for dates in sync 2017-12-10 15:45:17 -05:00
			`const now = new Date();`

stretch sync login token validity to 5 minutes #277 2019-01-07 23:29:56 +01:00			`// login token is valid for 5 minutes`
			`if (Math.abs(timestamp.getTime() - now.getTime()) > 5 * 60 * 1000) {`
clarification on the 5 minute sync auth leeway 2022-12-02 22:12:07 +01:00			`return [401, { message: 'Auth request time is out of sync, please check that both client and server have correct time. The difference between clocks has to be smaller than 5 minutes.' }];`
API auth (untested) 2017-10-28 22:17:00 -04:00			`}`

Introduced separate sync version (previously DB version was used to check sync compatibility), closes #120 2018-06-10 15:55:29 -04:00			`const syncVersion = req.body.syncVersion;`
API auth (untested) 2017-10-28 22:17:00 -04:00
Introduced separate sync version (previously DB version was used to check sync compatibility), closes #120 2018-06-10 15:55:29 -04:00			`if (syncVersion !== appInfo.syncVersion) {`
sync changes for note content 2019-02-15 00:15:09 +01:00			return [400, { message: `Non-matching sync versions, local is version ${appInfo.syncVersion}, remote is ${syncVersion}. It is recommended to run same version of Trilium on both sides of sync.` }];
API auth (untested) 2017-10-28 22:17:00 -04:00			`}`

syncification 2020-06-20 12:31:38 +02:00			`const documentSecret = options.getOption('documentSecret');`
fixes for dates in sync 2017-12-10 15:45:17 -05:00			`const expectedHash = utils.hmac(documentSecret, timestampStr);`
API auth (untested) 2017-10-28 22:17:00 -04:00
			`const givenHash = req.body.hash;`

			`if (expectedHash !== givenHash) {`
tree settings popup fixes 2020-05-02 13:52:02 +02:00			`return [400, { message: "Sync login credentials are incorrect. It looks like you're trying to sync two different initialized documents which is not possible." }];`
API auth (untested) 2017-10-28 22:17:00 -04:00			`}`

server-ts: Remove use of (req as any) 2024-04-07 14:29:08 +03:00			`req.session.loggedIn = true;`
API auth (untested) 2017-10-28 22:17:00 -04:00
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`return {`
sync fixes 2022-01-09 21:25:15 +01:00			`instanceId: instanceId,`
refactored "sync" table to "entity_changes" 2020-08-02 23:27:48 +02:00			`maxEntityChangeId: sql.getValue("SELECT COALESCE(MAX(id), 0) FROM entity_changes WHERE isSynced = 1")`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`};`
			`}`
added document_secret as basis for API authentication 2017-10-28 19:55:55 -04:00
server-ts: Convert routes/api/login 2024-04-06 21:34:34 +03:00			`function loginToProtectedSession(req: Request) {`
refactoring of password change and preparations for server side encryption 2017-11-09 23:25:23 -05:00			`const password = req.body.password;`

syncification 2020-06-20 12:31:38 +02:00			`if (!passwordEncryptionService.verifyPassword(password)) {`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`return {`
refactoring of password change and preparations for server side encryption 2017-11-09 23:25:23 -05:00			`success: false,`
			`message: "Given current password doesn't match hash"`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`};`
refactoring of password change and preparations for server side encryption 2017-11-09 23:25:23 -05:00			`}`

syncification 2020-06-20 12:31:38 +02:00			`const decryptedDataKey = passwordEncryptionService.getDataKey(password);`
server-ts: Convert routes/api/login 2024-04-06 21:34:34 +03:00			`if (!decryptedDataKey) {`
			`return {`
			`success: false,`
			`message: "Unable to obtain data key."`
			`}`
			`}`
refactoring of password change and preparations for server side encryption 2017-11-09 23:25:23 -05:00
protected session is now global application state to avoid weird issues with multiple tabs/windows/reloads 2021-05-07 22:23:49 +02:00			`protectedSessionService.setDataKey(decryptedDataKey);`
autocomplete supports encrypted notes now as well 2018-04-20 00:12:01 -04:00
syncification 2020-06-20 12:31:38 +02:00			`eventService.emit(eventService.ENTER_PROTECTED_SESSION);`
refactoring of password change and preparations for server side encryption 2017-11-09 23:25:23 -05:00
protected session is now global application state to avoid weird issues with multiple tabs/windows/reloads 2021-05-07 22:23:49 +02:00			`ws.sendMessageToAllClients({ type: 'protectedSessionLogin' });`

converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`return {`
protected session is now global application state to avoid weird issues with multiple tabs/windows/reloads 2021-05-07 22:23:49 +02:00			`success: true`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`};`
			`}`
refactoring of password change and preparations for server side encryption 2017-11-09 23:25:23 -05:00
when leaving protected session don't forget to reset note cache (titles), #1810 2021-04-03 22:02:25 +02:00			`function logoutFromProtectedSession() {`
			`protectedSessionService.resetDataKey();`

			`eventService.emit(eventService.LEAVE_PROTECTED_SESSION);`
protected session is now global application state to avoid weird issues with multiple tabs/windows/reloads 2021-05-07 22:23:49 +02:00
			`ws.sendMessageToAllClients({ type: 'protectedSessionLogout' });`
when leaving protected session don't forget to reset note cache (titles), #1810 2021-04-03 22:02:25 +02:00			`}`

protected session expiration timer moved to backend, closes #2847 2022-05-13 23:20:56 +02:00			`function touchProtectedSession() {`
			`protectedSessionService.touchProtectedSession();`
			`}`

server-ts: Convert routes/api/login 2024-04-06 21:34:34 +03:00			`function token(req: Request) {`
token auth to /login 2019-06-23 21:22:08 +02:00			`const password = req.body.password;`

set password from web trilium 2021-12-29 23:37:12 +01:00			`if (!passwordEncryptionService.verifyPassword(password)) {`
			`return [401, "Incorrect password"];`
token auth to /login 2019-06-23 21:22:08 +02:00			`}`

ETAPI auth, spec improvements etc. 2022-01-10 17:09:20 +01:00			`// for backwards compatibility with Sender which does not send the name`
			`const tokenName = req.body.tokenName \|\| "Trilium Sender / Web Clipper";`
protected session expiration timer moved to backend, closes #2847 2022-05-13 23:20:56 +02:00
ETAPI auth, spec improvements etc. 2022-01-10 17:09:20 +01:00			`const {authToken} = etapiTokenService.createToken(tokenName);`
token auth to /login 2019-06-23 21:22:08 +02:00
ETAPI auth, spec improvements etc. 2022-01-10 17:09:20 +01:00			`return { token: authToken };`
token auth to /login 2019-06-23 21:22:08 +02:00			`}`

server-esm: Change some more export object to export default object 2024-07-18 21:47:30 +03:00			`export default {`
converted of web (non-api) routes, basic conversion completed 2018-03-30 19:31:22 -04:00			`loginSync,`
token auth to /login 2019-06-23 21:22:08 +02:00			`loginToProtectedSession,`
when leaving protected session don't forget to reset note cache (titles), #1810 2021-04-03 22:02:25 +02:00			`logoutFromProtectedSession,`
protected session expiration timer moved to backend, closes #2847 2022-05-13 23:20:56 +02:00			`touchProtectedSession,`
token auth to /login 2019-06-23 21:22:08 +02:00			`token`
return 401 when auth request is out of sync, closes #1056 2020-05-29 22:06:36 +02:00			`};`