import { timingSafeEqual } from "node:crypto";

import type { Request, Response } from "express";

import utils from "../services/utils.js";
import optionService from "../services/options.js";
import myScryptService from "../services/encryption/my_scrypt.js";
import log from "../services/log.js";
import passwordService from "../services/encryption/password.js";
import assetPath from "../services/asset_path.js";
import appPath from "../services/app_path.js";
import ValidationError from "../errors/validation_error.js";
import recoveryCodeService from "../services/encryption/recovery_codes.js";
import openIDService from "../services/open_id.js";
import openIDEncryption from "../services/encryption/open_id_encryption.js";
import totp from "../services/totp.js";
import open_id from "../services/open_id.js";
/**
 * Serves the login form, or hands the browser to the OpenID flow when
 * OpenID is enabled (in that case the local form is never shown).
 *
 * @param req incoming request (only present because this is an Express handler)
 * @param res used either to redirect to /authenticate or to render "login"
 */
function loginPage(req: Request, res: Response) {
    // OpenID replaces the local password form entirely.
    if (open_id.isOpenIDEnabled()) {
        res.redirect('/authenticate');
        return;
    }

    const viewModel = {
        failedAuth: false,
        totpEnabled: totp.isTotpEnabled(),
        assetPath,
        appPath,
    };

    res.render('login', viewModel);
}
/**
 * Renders the first-run "set password" form with no error message.
 *
 * @param req incoming request (unused)
 * @param res response the "set_password" view is rendered into
 */
function setPasswordPage(req: Request, res: Response) {
    const viewModel = { error: false, assetPath, appPath };

    res.render("set_password", viewModel);
}
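/**
 * Handles the first-run password submission (POST from the "set_password" form).
 *
 * Only usable while no password exists yet; once one is set this endpoint
 * refuses, otherwise anyone who can reach it could replace the password.
 *
 * @param req body carries `password1` and `password2`, which must match
 * @param res re-renders the form with an error message, or redirects to "login" on success
 * @throws ValidationError when a password has already been set
 */
function setPassword(req: Request, res: Response) {
    if (passwordService.isPasswordSet()) {
        throw new ValidationError("Password has been already set");
    }

    const { password1, password2 } = req.body;

    // req.body is untrusted: a missing or non-string field used to crash on .trim()
    // (a 500) instead of producing a normal validation message.
    const error = validateNewPassword(password1, password2);

    if (error) {
        res.render("set_password", { error, assetPath, appPath });
        return;
    }

    passwordService.setPassword(password1.trim());

    res.redirect("login");
}

/**
 * Validates the two password fields from the set-password form.
 *
 * Both values are trimmed before comparison, matching what setPassword stores.
 *
 * NOTE(review): the 4-character minimum is very weak for the only credential
 * protecting the instance; it is kept because the rule and its message are
 * user-facing, but raising it is worth considering.
 *
 * @param password1 first field, any type (form input is untrusted)
 * @param password2 confirmation field, any type
 * @returns a user-facing error message, or undefined when the password is acceptable
 */
function validateNewPassword(password1: unknown, password2: unknown): string | undefined {
    if (typeof password1 !== "string" || typeof password2 !== "string") {
        return "Both password fields must be provided.";
    }

    const first = password1.trim();
    const second = password2.trim();

    if (first !== second) {
        return "Entered passwords don't match.";
    }

    if (first.length < 4) {
        return "Password must be at least 4 characters long.";
    }

    return undefined;
}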
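/**
 * Handles the local login form (POST).
 *
 * The password is checked first; only when TOTP is enabled is the submitted
 * token (TOTP or recovery code) checked as well. Both failure paths go
 * through sendLoginError, so the response does not reveal which factor was
 * wrong. On success the session is regenerated (fresh session id) before
 * loggedIn is set, which defends against session fixation.
 *
 * @param req body: `password`, optional `token` (second factor), optional `rememberMe`
 * @param res redirects to "." on success; 401 + login form on failure; 500 if the session cannot be regenerated
 */
function login(req: Request, res: Response) {
    const submittedPassword = req.body.password;
    const submittedTotp = req.body.token;

    if (!verifyPassword(submittedPassword)) {
        sendLoginError(req, res);
        return;
    }

    if (totp.isTotpEnabled() && !verifyTOTP(submittedTotp)) {
        sendLoginError(req, res);
        return;
    }

    const rememberMe = req.body.rememberMe;

    req.session.regenerate((err: unknown) => {
        if (err) {
            // Never mark a session we failed to regenerate as logged in.
            log.info(`ERROR: session regeneration failed during login: ${String(err)}`);
            res.sendStatus(500);
            return;
        }

        if (rememberMe) {
            req.session.cookie.maxAge = 21 * 24 * 3600000; // 3 weeks
        } else {
            // unset default maxAge set by sessionParser
            // Cookie becomes non-persistent and expires after current browser session (e.g. when browser is closed)
            req.session.cookie.maxAge = undefined;
        }

        // Record the authentication state in effect when this session was established
        // (what reads lastAuthState lives outside this file).
        req.session.lastAuthState = {
            totpEnabled: totp.isTotpEnabled(),
            ssoEnabled: open_id.isOpenIDEnabled()
        };

        req.session.loggedIn = true;
        res.redirect('.');
    });
}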
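/**
 * Second-factor check: accepts a valid TOTP code, or failing that a valid
 * recovery code (whether a recovery code is consumed on use is decided in
 * recoveryCodeService, not here).
 *
 * @param submittedToken value of the `token` form field; untrusted, may be absent at runtime
 * @returns true when either validator accepts the token
 */
function verifyTOTP(submittedToken: string) {
    // Fail closed on missing/non-string input instead of handing it to the validators.
    if (typeof submittedToken !== "string" || submittedToken.length === 0) {
        return false;
    }

    if (totp.validateTOTP(submittedToken)) {
        return true;
    }

    return recoveryCodeService.verifyRecoveryCode(submittedToken);
}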
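/**
 * Checks a submitted password against the stored scrypt verification hash.
 *
 * @param submittedPassword raw form value; untrusted, may be absent at runtime
 * @returns true only when the derived hash matches the stored hash byte for byte
 */
function verifyPassword(submittedPassword: string) {
    // Untrusted form input: a missing/non-string value must fail closed rather than
    // reach the KDF and throw (which would surface as a 500).
    if (typeof submittedPassword !== "string") {
        return false;
    }

    const storedHash = utils.fromBase64(optionService.getOption("passwordVerificationHash"));
    const candidateHash = myScryptService.getVerificationHash(submittedPassword);

    // Buffer.equals stops at the first differing byte; use a constant-time compare.
    // timingSafeEqual throws on length mismatch, which here can only mean a corrupt
    // stored hash or different KDF parameters — treat that as a failed login.
    if (candidateHash.length !== storedHash.length) {
        return false;
    }

    return timingSafeEqual(candidateHash, storedHash);
}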
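/**
 * Logs a failed login attempt and re-renders the login form with HTTP 401.
 *
 * The log line deliberately does not say whether the password or the TOTP
 * was wrong and the page is the same in both cases, so the client gets no
 * oracle on which factor failed.
 *
 * NOTE(review): no throttling or lockout is visible in this file. Confirm a
 * rate limiter sits in front of this route (middleware or reverse proxy);
 * without one the password and the small TOTP code space can be brute-forced.
 *
 * @param req used only for the client IP in the log line
 * @param res receives the 401 login page
 */
function sendLoginError(req: Request, res: Response) {
    // note that logged IP address is usually meaningless since the traffic should come from a reverse proxy
    const totpEnabled = totp.isTotpEnabled();

    if (totpEnabled) {
        log.info(`WARNING: Wrong password or TOTP from ${req.ip}, rejecting.`);
    } else {
        log.info(`WARNING: Wrong password from ${req.ip}, rejecting.`);
    }

    // Same predicate as loginPage and the branch above; the previous
    // `optionService.getOption('totpEnabled') && totp.checkForTotSecret()`
    // re-derived this and could disagree with it.
    res.status(401).render('login', {
        failedAuth: true,
        totpEnabled,
        assetPath,
        appPath,
    });
}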
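/**
 * Ends the session: regenerates it (fresh id, loggedIn = false) and then sends
 * the client on — to the OpenID provider's logout when the session came from
 * OpenID, otherwise to the login page.
 *
 * @param req current request; its session is regenerated
 * @param res redirect / OIDC logout response
 */
function logout(req: Request, res: Response) {
    req.session.regenerate((err: unknown) => {
        if (err) {
            // Still clear loggedIn below: failing to rotate the id must not leave the user signed in.
            log.info(`ERROR: session regeneration failed during logout: ${String(err)}`);
        }

        req.session.loggedIn = false;

        if (openIDService.isOpenIDEnabled() && openIDEncryption.isSubjectIdentifierSaved()) {
            res.oidc.logout({ returnTo: '/authenticate' });
        } else {
            res.redirect('login');
        }

        // The unconditional res.sendStatus(200) that followed the redirect threw
        // ERR_HTTP_HEADERS_SENT once the redirect had been written. Only send it when
        // nothing has gone out yet. NOTE(review): this handler should really commit to
        // one response; res.oidc.logout is not visible here, so whether it writes its
        // redirect synchronously could not be confirmed.
        if (!res.headersSent) {
            res.sendStatus(200);
        }
    });
}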
/** Handlers wired up by the router: login form, first-run password setup, logout. */
const handlers = {
    loginPage,
    setPasswordPage,
    setPassword,
    login,
    logout
};

export default handlers;