@actual-app/sync-server 25.4.0-alpha.0

package/src/accounts/password.js

@@ -0,0 +1,149 @@
+import * as bcrypt from 'bcrypt';
+import { v4 as uuidv4 } from 'uuid';
+
+import { clearExpiredSessions, getAccountDb } from '../account-db.js';
+import { config } from '../load-config.js';
+import { TOKEN_EXPIRATION_NEVER } from '../util/validate-user.js';
+
+function isValidPassword(password) {
+  return password != null && password !== '';
+}
+
+function hashPassword(password) {
+  return bcrypt.hashSync(password, 12);
+}
+
+export function bootstrapPassword(password) {
+  if (!isValidPassword(password)) {
+    return { error: 'invalid-password' };
+  }
+
+  const hashed = hashPassword(password);
+  const accountDb = getAccountDb();
+  accountDb.transaction(() => {
+    accountDb.mutate('DELETE FROM auth WHERE method = ?', ['password']);
+    accountDb.mutate('UPDATE auth SET active = 0');
+    accountDb.mutate(
+      "INSERT INTO auth (method, display_name, extra_data, active) VALUES ('password', 'Password', ?, 1)",
+      [hashed],
+    );
+  });
+
+  return {};
+}
+
+export function loginWithPassword(password) {
+  if (!isValidPassword(password)) {
+    return { error: 'invalid-password' };
+  }
+
+  const accountDb = getAccountDb();
+  const { extra_data: passwordHash } =
+    accountDb.first('SELECT extra_data FROM auth WHERE method = ?', [
+      'password',
+    ]) || {};
+
+  if (!passwordHash) {
+    return { error: 'invalid-password' };
+  }
+
+  const confirmed = bcrypt.compareSync(password, passwordHash);
+
+  if (!confirmed) {
+    return { error: 'invalid-password' };
+  }
+
+  const sessionRow = accountDb.first(
+    'SELECT * FROM sessions WHERE auth_method = ?',
+    ['password'],
+  );
+
+  const token = sessionRow ? sessionRow.token : uuidv4();
+
+  const { totalOfUsers } = accountDb.first(
+    'SELECT count(*) as totalOfUsers FROM users',
+  );
+  let userId = null;
+  if (totalOfUsers === 0) {
+    userId = uuidv4();
+    accountDb.mutate(
+      'INSERT INTO users (id, user_name, display_name, enabled, owner, role) VALUES (?, ?, ?, 1, 1, ?)',
+      [userId, '', '', 'ADMIN'],
+    );
+  } else {
+    const { id: userIdFromDb } = accountDb.first(
+      'SELECT id FROM users WHERE user_name = ?',
+      [''],
+    );
+
+    userId = userIdFromDb;
+
+    if (!userId) {
+      return { error: 'user-not-found' };
+    }
+  }
+
+  let expiration = TOKEN_EXPIRATION_NEVER;
+  if (
+    config.get('token_expiration') !== 'never' &&
+    config.get('token_expiration') !== 'openid-provider' &&
+    typeof config.get('token_expiration') === 'number'
+  ) {
+    expiration =
+      Math.floor(Date.now() / 1000) + config.get('token_expiration') * 60;
+  }
+
+  if (!sessionRow) {
+    accountDb.mutate(
+      'INSERT INTO sessions (token, expires_at, user_id, auth_method) VALUES (?, ?, ?, ?)',
+      [token, expiration, userId, 'password'],
+    );
+  } else {
+    accountDb.mutate(
+      'UPDATE sessions SET user_id = ?, expires_at = ? WHERE token = ?',
+      [userId, expiration, token],
+    );
+  }
+
+  clearExpiredSessions();
+
+  return { token };
+}
+
+export function changePassword(newPassword) {
+  const accountDb = getAccountDb();
+
+  if (!isValidPassword(newPassword)) {
+    return { error: 'invalid-password' };
+  }
+
+  const hashed = hashPassword(newPassword);
+  accountDb.mutate("UPDATE auth SET extra_data = ? WHERE method = 'password'", [
+    hashed,
+  ]);
+  return {};
+}
+
+export function checkPassword(password) {
+  if (!isValidPassword(password)) {
+    return false;
+  }
+
+  const accountDb = getAccountDb();
+  const { extra_data: passwordHash } =
+    accountDb.first('SELECT extra_data FROM auth WHERE method = ?', [
+      'password',
+    ]) || {};
+
+  if (!passwordHash) {
+    return false;
+  }
+
+  const confirmed = bcrypt.compareSync(password, passwordHash);
+
+  if (!confirmed) {
+    return false;
+  }
+
+  return true;
+}

package/src/app-account.js

@@ -0,0 +1,155 @@
+import express from 'express';
+
+import {
+  bootstrap,
+  needsBootstrap,
+  getLoginMethod,
+  listLoginMethods,
+  getUserInfo,
+  getActiveLoginMethod,
+} from './account-db.js';
+import { isValidRedirectUrl, loginWithOpenIdSetup } from './accounts/openid.js';
+import { changePassword, loginWithPassword } from './accounts/password.js';
+import {
+  errorMiddleware,
+  requestLoggerMiddleware,
+} from './util/middlewares.js';
+import { validateAuthHeader, validateSession } from './util/validate-user.js';
+
+const app = express();
+app.use(express.json());
+app.use(express.urlencoded({ extended: true }));
+app.use(errorMiddleware);
+app.use(requestLoggerMiddleware);
+export { app as handlers };
+
+// Non-authenticated endpoints:
+//
+// /needs-bootstrap
+// /boostrap (special endpoint for setting up the instance, cant call again)
+// /login
+
+app.get('/needs-bootstrap', (req, res) => {
+  const availableLoginMethods = listLoginMethods();
+  res.send({
+    status: 'ok',
+    data: {
+      bootstrapped: !needsBootstrap(),
+      loginMethod:
+        availableLoginMethods.length === 1
+          ? availableLoginMethods[0].method
+          : getLoginMethod(),
+      availableLoginMethods,
+      multiuser: getActiveLoginMethod() === 'openid',
+    },
+  });
+});
+
+app.post('/bootstrap', async (req, res) => {
+  const boot = await bootstrap(req.body);
+
+  if (boot?.error) {
+    res.status(400).send({ status: 'error', reason: boot?.error });
+    return;
+  }
+  res.send({ status: 'ok', data: boot });
+});
+
+app.get('/login-methods', (req, res) => {
+  const methods = listLoginMethods();
+  res.send({ status: 'ok', methods });
+});
+
+app.post('/login', async (req, res) => {
+  const loginMethod = getLoginMethod(req);
+  console.log('Logging in via ' + loginMethod);
+  let tokenRes = null;
+  switch (loginMethod) {
+    case 'header': {
+      const headerVal = req.get('x-actual-password') || '';
+      const obfuscated =
+        '*'.repeat(headerVal.length) || 'No password provided.';
+      console.debug('HEADER VALUE: ' + obfuscated);
+      if (headerVal === '') {
+        res.send({ status: 'error', reason: 'invalid-header' });
+        return;
+      } else {
+        if (validateAuthHeader(req)) {
+          tokenRes = loginWithPassword(headerVal);
+        } else {
+          res.send({ status: 'error', reason: 'proxy-not-trusted' });
+          return;
+        }
+      }
+      break;
+    }
+    case 'openid': {
+      if (!isValidRedirectUrl(req.body.return_url)) {
+        res
+          .status(400)
+          .send({ status: 'error', reason: 'Invalid redirect URL' });
+        return;
+      }
+
+      const { error, url } = await loginWithOpenIdSetup(
+        req.body.return_url,
+        req.body.password,
+      );
+      if (error) {
+        res.status(400).send({ status: 'error', reason: error });
+        return;
+      }
+      res.send({ status: 'ok', data: { redirect_url: url } });
+      return;
+    }
+
+    default:
+      tokenRes = loginWithPassword(req.body.password);
+      break;
+  }
+  const { error, token } = tokenRes;
+
+  if (error) {
+    res.status(400).send({ status: 'error', reason: error });
+    return;
+  }
+
+  res.send({ status: 'ok', data: { token } });
+});
+
+app.post('/change-password', (req, res) => {
+  const session = validateSession(req, res);
+  if (!session) return;
+
+  const { error } = changePassword(req.body.password);
+
+  if (error) {
+    res.status(400).send({ status: 'error', reason: error });
+    return;
+  }
+
+  res.send({ status: 'ok', data: {} });
+});
+
+app.get('/validate', (req, res) => {
+  const session = validateSession(req, res);
+  if (session) {
+    const user = getUserInfo(session.user_id);
+    if (!user) {
+      res.status(400).send({ status: 'error', reason: 'User not found' });
+      return;
+    }
+
+    res.send({
+      status: 'ok',
+      data: {
+        validated: true,
+        userName: user?.user_name,
+        permission: user?.role,
+        userId: session?.user_id,
+        displayName: user?.display_name,
+        loginMethod: session?.auth_method,
+      },
+    });
+  }
+});

package/src/app-admin.js

@@ -0,0 +1,410 @@
+import express from 'express';
+import { v4 as uuidv4 } from 'uuid';
+
+import { isAdmin } from './account-db.js';
+import * as UserService from './services/user-service.js';
+import {
+  errorMiddleware,
+  requestLoggerMiddleware,
+  validateSessionMiddleware,
+} from './util/middlewares.js';
+import { validateSession } from './util/validate-user.js';
+
+const app = express();
+app.use(express.json());
+app.use(express.urlencoded({ extended: true }));
+app.use(requestLoggerMiddleware);
+
+export { app as handlers };
+
+app.get('/owner-created/', (req, res) => {
+  try {
+    const ownerCount = UserService.getOwnerCount();
+    res.json(ownerCount > 0);
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to retrieve owner count' });
+  }
+});
+
+app.get('/users/', validateSessionMiddleware, (req, res) => {
+  const users = UserService.getAllUsers();
+  res.json(
+    users.map(u => ({
+      ...u,
+      owner: u.owner === 1,
+      enabled: u.enabled === 1,
+    })),
+  );
+});
+
+app.post('/users', validateSessionMiddleware, async (req, res) => {
+  if (!isAdmin(res.locals.user_id)) {
+    res.status(403).send({
+      status: 'error',
+      reason: 'forbidden',
+      details: 'permission-not-found',
+    });
+    return;
+  }
+
+  const { userName, role, displayName, enabled } = req.body;
+
+  if (!userName || !role) {
+    res.status(400).send({
+      status: 'error',
+      reason: `${!userName ? 'user-cant-be-empty' : 'role-cant-be-empty'}`,
+      details: `${!userName ? 'Username' : 'Role'} cannot be empty`,
+    });
+    return;
+  }
+
+  const roleIdFromDb = UserService.validateRole(role);
+  if (!roleIdFromDb) {
+    res.status(400).send({
+      status: 'error',
+      reason: 'role-does-not-exists',
+      details: 'Selected role does not exist',
+    });
+    return;
+  }
+
+  const userIdInDb = UserService.getUserByUsername(userName);
+  if (userIdInDb) {
+    res.status(400).send({
+      status: 'error',
+      reason: 'user-already-exists',
+      details: `User ${userName} already exists`,
+    });
+    return;
+  }
+
+  const userId = uuidv4();
+  UserService.insertUser(
+    userId,
+    userName,
+    displayName || null,
+    enabled ? 1 : 0,
+  );
+
+  res.status(200).send({ status: 'ok', data: { id: userId } });
+});
+
+app.patch('/users', validateSessionMiddleware, async (req, res) => {
+  if (!isAdmin(res.locals.user_id)) {
+    res.status(403).send({
+      status: 'error',
+      reason: 'forbidden',
+      details: 'permission-not-found',
+    });
+    return;
+  }
+
+  const { id, userName, role, displayName, enabled } = req.body;
+
+  if (!userName || !role) {
+    res.status(400).send({
+      status: 'error',
+      reason: `${!userName ? 'user-cant-be-empty' : 'role-cant-be-empty'}`,
+      details: `${!userName ? 'Username' : 'Role'} cannot be empty`,
+    });
+    return;
+  }
+
+  const roleIdFromDb = UserService.validateRole(role);
+  if (!roleIdFromDb) {
+    res.status(400).send({
+      status: 'error',
+      reason: 'role-does-not-exists',
+      details: 'Selected role does not exist',
+    });
+    return;
+  }
+
+  const userIdInDb = UserService.getUserById(id);
+  if (!userIdInDb) {
+    res.status(400).send({
+      status: 'error',
+      reason: 'cannot-find-user-to-update',
+      details: `Cannot find user ${userName} to update`,
+    });
+    return;
+  }
+
+  UserService.updateUserWithRole(
+    userIdInDb,
+    userName,
+    displayName || null,
+    enabled ? 1 : 0,
+    role,
+  );
+
+  res.status(200).send({ status: 'ok', data: { id: userIdInDb } });
+});
+
+app.delete('/users', validateSessionMiddleware, async (req, res) => {
+  if (!isAdmin(res.locals.user_id)) {
+    res.status(403).send({
+      status: 'error',
+      reason: 'forbidden',
+      details: 'permission-not-found',
+    });
+    return;
+  }
+
+  const ids = req.body.ids;
+  let totalDeleted = 0;
+  ids.forEach(item => {
+    const ownerId = UserService.getOwnerId();
+
+    if (item === ownerId) return;
+
+    UserService.deleteUserAccess(item);
+    UserService.transferAllFilesFromUser(ownerId, item);
+    const usersDeleted = UserService.deleteUser(item);
+    totalDeleted += usersDeleted;
+  });
+
+  if (ids.length === totalDeleted) {
+    res
+      .status(200)
+      .send({ status: 'ok', data: { someDeletionsFailed: false } });
+  } else {
+    res.status(400).send({
+      status: 'error',
+      reason: 'not-all-deleted',
+      details: '',
+    });
+  }
+});
+
+app.get('/access', validateSessionMiddleware, (req, res) => {
+  const fileId = req.query.fileId;
+
+  const { granted } = UserService.checkFilePermission(
+    fileId,
+    res.locals.user_id,
+  ) || {
+    granted: 0,
+  };
+
+  if (granted === 0 && !isAdmin(res.locals.user_id)) {
+    res.status(403).send({
+      status: 'error',
+      reason: 'forbidden',
+      details: 'permission-not-found',
+    });
+    return false;
+  }
+
+  const fileIdInDb = UserService.getFileById(fileId);
+  if (!fileIdInDb) {
+    res.status(404).send({
+      status: 'error',
+      reason: 'invalid-file-id',
+      details: 'File not found at server',
+    });
+    return false;
+  }
+
+  const accesses = UserService.getUserAccess(
+    fileId,
+    res.locals.user_id,
+    isAdmin(res.locals.user_id),
+  );
+
+  res.json(accesses);
+});
+
+app.post('/access', (req, res) => {
+  const userAccess = req.body || {};
+  const session = validateSession(req, res);
+
+  if (!session) return;
+
+  const { granted } = UserService.checkFilePermission(
+    userAccess.fileId,
+    session.user_id,
+  ) || {
+    granted: 0,
+  };
+
+  if (granted === 0 && !isAdmin(session.user_id)) {
+    res.status(400).send({
+      status: 'error',
+      reason: 'file-denied',
+      details: "You don't have permissions over this file",
+    });
+    return;
+  }
+
+  const fileIdInDb = UserService.getFileById(userAccess.fileId);
+  if (!fileIdInDb) {
+    res.status(404).send({
+      status: 'error',
+      reason: 'invalid-file-id',
+      details: 'File not found at server',
+    });
+    return;
+  }
+
+  if (!userAccess.userId) {
+    res.status(400).send({
+      status: 'error',
+      reason: 'user-cant-be-empty',
+      details: 'User cannot be empty',
+    });
+    return;
+  }
+
+  if (UserService.countUserAccess(userAccess.fileId, userAccess.userId) > 0) {
+    res.status(400).send({
+      status: 'error',
+      reason: 'user-already-have-access',
+      details: 'User already have access',
+    });
+    return;
+  }
+
+  UserService.addUserAccess(userAccess.userId, userAccess.fileId);
+
+  res.status(200).send({ status: 'ok', data: {} });
+});
+
+app.delete('/access', (req, res) => {
+  const fileId = req.query.fileId;
+  const session = validateSession(req, res);
+  if (!session) return;
+
+  const { granted } = UserService.checkFilePermission(
+    fileId,
+    session.user_id,
+  ) || {
+    granted: 0,
+  };
+
+  if (granted === 0 && !isAdmin(session.user_id)) {
+    res.status(400).send({
+      status: 'error',
+      reason: 'file-denied',
+      details: "You don't have permissions over this file",
+    });
+    return;
+  }
+
+  const fileIdInDb = UserService.getFileById(fileId);
+  if (!fileIdInDb) {
+    res.status(404).send({
+      status: 'error',
+      reason: 'invalid-file-id',
+      details: 'File not found at server',
+    });
+    return;
+  }
+
+  const ids = req.body.ids;
+  const totalDeleted = UserService.deleteUserAccessByFileId(ids, fileId);
+
+  if (ids.length === totalDeleted) {
+    res
+      .status(200)
+      .send({ status: 'ok', data: { someDeletionsFailed: false } });
+  } else {
+    res.status(400).send({
+      status: 'error',
+      reason: 'not-all-deleted',
+      details: '',
+    });
+  }
+});
+
+app.get('/access/users', validateSessionMiddleware, async (req, res) => {
+  const fileId = req.query.fileId;
+
+  const { granted } = UserService.checkFilePermission(
+    fileId,
+    res.locals.user_id,
+  ) || {
+    granted: 0,
+  };
+
+  if (granted === 0 && !isAdmin(res.locals.user_id)) {
+    res.status(400).send({
+      status: 'error',
+      reason: 'file-denied',
+      details: "You don't have permissions over this file",
+    });
+    return;
+  }
+
+  const fileIdInDb = UserService.getFileById(fileId);
+  if (!fileIdInDb) {
+    res.status(404).send({
+      status: 'error',
+      reason: 'invalid-file-id',
+      details: 'File not found at server',
+    });
+    return;
+  }
+
+  const users = UserService.getAllUserAccess(fileId);
+  res.json(users);
+});
+
+app.post(
+  '/access/transfer-ownership/',
+  validateSessionMiddleware,
+  (req, res) => {
+    const newUserOwner = req.body || {};
+
+    const { granted } = UserService.checkFilePermission(
+      newUserOwner.fileId,
+      res.locals.user_id,
+    ) || {
+      granted: 0,
+    };
+
+    if (granted === 0 && !isAdmin(res.locals.user_id)) {
+      res.status(400).send({
+        status: 'error',
+        reason: 'file-denied',
+        details: "You don't have permissions over this file",
+      });
+      return;
+    }
+
+    const fileIdInDb = UserService.getFileById(newUserOwner.fileId);
+    if (!fileIdInDb) {
+      res.status(404).send({
+        status: 'error',
+        reason: 'invalid-file-id',
+        details: 'File not found at server',
+      });
+      return;
+    }
+
+    if (!newUserOwner.newUserId) {
+      res.status(400).send({
+        status: 'error',
+        reason: 'user-cant-be-empty',
+        details: 'Username cannot be empty',
+      });
+      return;
+    }
+
+    const newUserIdFromDb = UserService.getUserById(newUserOwner.newUserId);
+    if (newUserIdFromDb === 0) {
+      res.status(400).send({
+        status: 'error',
+        reason: 'new-user-not-found',
+        details: 'New user not found',
+      });
+      return;
+    }
+
+    UserService.updateFileOwner(newUserOwner.newUserId, newUserOwner.fileId);
+
+    res.status(200).send({ status: 'ok', data: {} });
+  },
+);
+
+app.use(errorMiddleware);