Notes/src/services/auth.js

"use strict";

const etapiTokenService = require("./etapi_tokens");
const log = require('./log');
const sqlInit = require('./sql_init');
const utils = require('./utils');
const passwordEncryptionService = require('./password_encryption');
const config = require('./config');
const passwordService = require("./password");

const noAuthentication = config.General && config.General.noAuthentication === true;

function checkAuth(req, res, next) {
    if (!sqlInit.isDbInitialized()) {
        res.redirect("setup");
    }
    else if (!req.session.loggedIn && !utils.isElectron() && !noAuthentication) {
        res.redirect("login");
    }
    else {
        next();
    }
}

// for electron things which need network stuff
// currently we're doing that for file upload because handling form data seems to be difficult
function checkApiAuthOrElectron(req, res, next) {
    if (!req.session.loggedIn && !utils.isElectron() && !noAuthentication) {
        reject(req, res, "Logged in session not found");
    }
    else {
        next();
    }
}

function checkApiAuth(req, res, next) {
    if (!req.session.loggedIn && !noAuthentication) {
        reject(req, res, "Logged in session not found");
    }
    else {
        next();
    }
}

function checkAppInitialized(req, res, next) {
    if (!sqlInit.isDbInitialized()) {
        res.redirect("setup");
    }
    else {
        next();
    }
}

function checkPasswordSet(req, res, next) {
    if (!utils.isElectron() && !passwordService.isPasswordSet()) {
        res.redirect("set-password");
    } else {
        next();
    }
}

function checkPasswordNotSet(req, res, next) {
    if (!utils.isElectron() && passwordService.isPasswordSet()) {
        res.redirect("login");
    } else {
        next();
    }
}

function checkAppNotInitialized(req, res, next) {
    if (sqlInit.isDbInitialized()) {
        reject(req, res, "App already initialized.");
    }
    else {
        next();
    }
}

function checkEtapiToken(req, res, next) {
    if (etapiTokenService.isValidAuthHeader(req.headers.authorization)) {
        next();
    }
    else {
        reject(req, res, "Token not found");
    }
}

function reject(req, res, message) {
    log.info(`${req.method} ${req.path} rejected with 401 ${message}`);

    res.setHeader("Content-Type", "text/plain")
        .status(401)
        .send(message);
}

function checkCredentials(req, res, next) {
    if (!sqlInit.isDbInitialized()) {
        res.setHeader("Content-Type", "text/plain")
            .status(400)
            .send('Database is not initialized yet.');
        return;
    }

    if (!passwordService.isPasswordSet()) {
        res.setHeader("Content-Type", "text/plain")
            .status(400)
            .send('Password has not been set yet. Please set a password and repeat the action');
        return;
    }

    const header = req.headers['trilium-cred'] || '';
    const auth = new Buffer.from(header, 'base64').toString();
    const [username, password] = auth.split(/:/);

    // username is ignored

    if (!passwordEncryptionService.verifyPassword(password)) {
        res.setHeader("Content-Type", "text/plain")
            .status(401)
            .send('Incorrect password');
    }
    else {
        next();
    }
}

module.exports = {
    checkAuth,
    checkApiAuth,
    checkAppInitialized,
    checkPasswordSet,
    checkPasswordNotSet,
    checkAppNotInitialized,
    checkApiAuthOrElectron,
    checkEtapiToken,
    checkCredentials
};
use strict in all JS files 2017-10-21 21:10:33 -04:00			`"use strict";`

ETAPI auth, spec improvements etc. 2022-01-10 17:09:20 +01:00			`const etapiTokenService = require("./etapi_tokens");`
logging API auth rejections 2019-07-25 21:05:16 +02:00			`const log = require('./log');`
separated DB initialization methods into sql_init 2018-04-02 21:25:20 -04:00			`const sqlInit = require('./sql_init');`
some tweaks mainly for electron support 2017-11-05 17:58:55 -05:00			`const utils = require('./utils');`
#98, working sync setup from server to desktop instance + refactoring of DB initialization 2018-07-22 19:56:20 +02:00			`const passwordEncryptionService = require('./password_encryption');`
allow disabling authentication for server version, closes #1132 2020-08-29 00:11:50 +02:00			`const config = require('./config');`
ETAPI auth, spec improvements etc. 2022-01-10 17:09:20 +01:00			`const passwordService = require("./password");`
allow disabling authentication for server version, closes #1132 2020-08-29 00:11:50 +02:00
			`const noAuthentication = config.General && config.General.noAuthentication === true;`
sync WIP 2017-10-25 22:39:21 -04:00
syncification 2020-06-20 12:31:38 +02:00			`function checkAuth(req, res, next) {`
			`if (!sqlInit.isDbInitialized()) {`
implemented initial setup of the app 2017-12-03 22:29:23 -05:00			`res.redirect("setup");`
			`}`
allow disabling authentication for server version, closes #1132 2020-08-29 00:11:50 +02:00			`else if (!req.session.loggedIn && !utils.isElectron() && !noAuthentication) {`
etapi improvements and more tests 2022-01-12 19:32:23 +01:00			`res.redirect("login");`
sync WIP 2017-10-25 22:39:21 -04:00			`}`
separate sync for pull (implemented) and push (not yet) 2017-10-26 20:31:31 -04:00			`else {`
			`next();`
			`}`
			`}`

auth exception for images in electron 2018-01-07 09:59:05 -05:00			`// for electron things which need network stuff`
			`// currently we're doing that for file upload because handling form data seems to be difficult`
syncification 2020-06-20 12:31:38 +02:00			`function checkApiAuthOrElectron(req, res, next) {`
allow disabling authentication for server version, closes #1132 2020-08-29 00:11:50 +02:00			`if (!req.session.loggedIn && !utils.isElectron() && !noAuthentication) {`
updated render note help 2021-04-05 22:37:12 +02:00			`reject(req, res, "Logged in session not found");`
auth exception for images in electron 2018-01-07 09:59:05 -05:00			`}`
			`else {`
node authentication 2017-10-15 16:32:49 -04:00			`next();`
			`}`
			`}`

syncification 2020-06-20 12:31:38 +02:00			`function checkApiAuth(req, res, next) {`
allow disabling authentication for server version, closes #1132 2020-08-29 00:11:50 +02:00			`if (!req.session.loggedIn && !noAuthentication) {`
updated render note help 2021-04-05 22:37:12 +02:00			`reject(req, res, "Logged in session not found");`
separate sync for pull (implemented) and push (not yet) 2017-10-26 20:31:31 -04:00			`}`
			`else {`
			`next();`
			`}`
			`}`

syncification 2020-06-20 12:31:38 +02:00			`function checkAppInitialized(req, res, next) {`
			`if (!sqlInit.isDbInitialized()) {`
#98, sync to server now works as well + a lot of related changes 2018-07-24 20:35:03 +02:00			`res.redirect("setup");`
			`}`
			`else {`
			`next();`
			`}`
			`}`

set password WIP 2021-12-29 23:19:05 +01:00			`function checkPasswordSet(req, res, next) {`
resetting/setting password from options 2021-12-30 22:54:08 +01:00			`if (!utils.isElectron() && !passwordService.isPasswordSet()) {`
set password from web trilium 2021-12-29 23:37:12 +01:00			`res.redirect("set-password");`
set password WIP 2021-12-29 23:19:05 +01:00			`} else {`
			`next();`
			`}`
			`}`

etapi improvements and more tests 2022-01-12 19:32:23 +01:00			`function checkPasswordNotSet(req, res, next) {`
			`if (!utils.isElectron() && passwordService.isPasswordSet()) {`
			`res.redirect("login");`
			`} else {`
			`next();`
			`}`
			`}`

syncification 2020-06-20 12:31:38 +02:00			`function checkAppNotInitialized(req, res, next) {`
			`if (sqlInit.isDbInitialized()) {`
logging API auth rejections 2019-07-25 21:05:16 +02:00			`reject(req, res, "App already initialized.");`
implemented initial setup of the app 2017-12-03 22:29:23 -05:00			`}`
			`else {`
			`next();`
			`}`
			`}`

ETAPI auth, spec improvements etc. 2022-01-10 17:09:20 +01:00			`function checkEtapiToken(req, res, next) {`
			`if (etapiTokenService.isValidAuthHeader(req.headers.authorization)) {`
			`next();`
converted file, script, search and sender routes 2018-03-30 17:29:13 -04:00			`}`
			`else {`
ETAPI auth, spec improvements etc. 2022-01-10 17:09:20 +01:00			`reject(req, res, "Token not found");`
converted file, script, search and sender routes 2018-03-30 17:29:13 -04:00			`}`
			`}`

logging API auth rejections 2019-07-25 21:05:16 +02:00			`function reject(req, res, message) {`
			log.info(`${req.method} ${req.path} rejected with 401 ${message}`);

set correct content type for error messages 2022-07-01 00:01:29 +02:00			`res.setHeader("Content-Type", "text/plain")`
			`.status(401)`
			`.send(message);`
logging API auth rejections 2019-07-25 21:05:16 +02:00			`}`

using custom header for sync authorization to avoid tripping security proxies 2021-02-05 21:59:56 +01:00			`function checkCredentials(req, res, next) {`
extra init check to provide better error response 2021-11-10 21:12:53 +01:00			`if (!sqlInit.isDbInitialized()) {`
set correct content type for error messages 2022-07-01 00:01:29 +02:00			`res.setHeader("Content-Type", "text/plain")`
			`.status(400)`
			`.send('Database is not initialized yet.');`
better error when password is not set, #2685 2022-02-24 23:22:20 +01:00			`return;`
			`}`

			`if (!passwordService.isPasswordSet()) {`
set correct content type for error messages 2022-07-01 00:01:29 +02:00			`res.setHeader("Content-Type", "text/plain")`
			`.status(400)`
			`.send('Password has not been set yet. Please set a password and repeat the action');`
better error when password is not set, #2685 2022-02-24 23:22:20 +01:00			`return;`
extra init check to provide better error response 2021-11-10 21:12:53 +01:00			`}`

using custom header for sync authorization to avoid tripping security proxies 2021-02-05 21:59:56 +01:00			`const header = req.headers['trilium-cred'] \|\| '';`
extra init check to provide better error response 2021-11-10 21:12:53 +01:00			`const auth = new Buffer.from(header, 'base64').toString();`
#98, working sync setup from server to desktop instance + refactoring of DB initialization 2018-07-22 19:56:20 +02:00			`const [username, password] = auth.split(/:/);`

set password from web trilium 2021-12-29 23:37:12 +01:00			`// username is ignored`
#98, working sync setup from server to desktop instance + refactoring of DB initialization 2018-07-22 19:56:20 +02:00
set password from web trilium 2021-12-29 23:37:12 +01:00			`if (!passwordEncryptionService.verifyPassword(password)) {`
set correct content type for error messages 2022-07-01 00:01:29 +02:00			`res.setHeader("Content-Type", "text/plain")`
			`.status(401)`
			`.send('Incorrect password');`
#98, working sync setup from server to desktop instance + refactoring of DB initialization 2018-07-22 19:56:20 +02:00			`}`
			`else {`
			`next();`
			`}`
			`}`

node authentication 2017-10-15 16:32:49 -04:00			`module.exports = {`
			`checkAuth,`
separate sync for pull (implemented) and push (not yet) 2017-10-26 20:31:31 -04:00			`checkApiAuth,`
#98, sync to server now works as well + a lot of related changes 2018-07-24 20:35:03 +02:00			`checkAppInitialized,`
set password WIP 2021-12-29 23:19:05 +01:00			`checkPasswordSet,`
etapi improvements and more tests 2022-01-12 19:32:23 +01:00			`checkPasswordNotSet,`
auth exception for images in electron 2018-01-07 09:59:05 -05:00			`checkAppNotInitialized,`
converted file, script, search and sender routes 2018-03-30 17:29:13 -04:00			`checkApiAuthOrElectron,`
ETAPI auth, spec improvements etc. 2022-01-10 17:09:20 +01:00			`checkEtapiToken,`
using custom header for sync authorization to avoid tripping security proxies 2021-02-05 21:59:56 +01:00			`checkCredentials`
syncification 2020-06-20 12:31:38 +02:00			`};`