@resolveio/server-lib 22.3.22 → 22.3.23

package/src/http/auth.ts

@@ -0,0 +1,764 @@
+import * as express from 'express';
+import * as handlebars from 'handlebars';
+import * as jwt from 'jsonwebtoken';
+import { jwtDecode } from 'jwt-decode';
+import SimpleSchema from 'simpl-schema';
+import { Users } from '../collections/user.collection';
+import { ResolveIOServer } from '../resolveio-server-app';
+import { ResolveIOMainServer } from '../server-app';
+import { isAllowedOrigin, objectIdHexString } from '../util/common';
+import { ErrorReporter } from '../util/error-reporter';
+
+async function reportHttpValidationError(route: string, body: any, errors: any) {
+	const correlationId = objectIdHexString();
+	const config = ResolveIOServer.getServerConfig();
+	await ErrorReporter.report({
+		sourceApp: 'http-auth',
+		message: 'HTTP Validation Error - ' + route,
+		environment: config?.ROOT_URL,
+		clientSlug: ResolveIOServer.getClientName(),
+		clientName: config?.CLIENT_NAME,
+		context: {
+			route,
+			body,
+			errors
+		},
+		metadata: {
+			context: 'http-validation',
+			route,
+			correlationId
+		},
+		correlationId
+	});
+}
+
+export function setupAuthRoutes(mainServer: ResolveIOMainServer, app, serverConfig) {
+	app.post('/login365', express.json(), async (request, response) => {
+		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
+			response.send(JSON.stringify({
+				error: true,
+				result: 'Invalid header'
+			}));
+		}
+		else {
+			let body = request.body;
+
+			let schema = new SimpleSchema({
+				id_token: {
+					type: String
+				}
+			});
+	
+			try {
+				schema.validate(body);
+			}
+			catch (errors) {
+				if (errors) {
+					console.error(new Date(), 'Error in HTTP Check (/login)', errors);
+
+					await reportHttpValidationError('/login365', body, errors);
+
+					response.send(JSON.stringify({
+						error: true,
+						result: 'Invalid Parameters'
+					}));
+		
+					return;
+				}
+			}
+
+			let tokenData = body.id_token.split('&');
+			let token = tokenData[0].split('=')[1];
+			let decodedJWT = jwtDecode(token);
+
+			if (decodedJWT && decodedJWT['name'] && decodedJWT['preferred_username'] && decodedJWT['oid']) {
+				let user = await Users.findOne({'other.ms_oid': decodedJWT['oid']});
+
+				if (!user) {
+					user = await Users.findOne({email: decodedJWT['preferred_username'].toLowerCase()});
+
+					if (user) {
+						await Users.updateOne({_id: user._id}, {$set: {'other.ms_oid': decodedJWT['oid']}});
+					}
+				}
+
+				if (!user) {
+					user = {
+						_id: objectIdHexString(),
+						__v: 0,
+						roles: {
+							super_admin: false,
+							approvals: [],
+							groups: [],
+							notifications: [],
+							miscs: []
+						},
+						username: decodedJWT['preferred_username'].toLowerCase(),
+						email: decodedJWT['preferred_username'].toLowerCase(),
+						fullname: decodedJWT['name'],
+						active: true,
+						phonenumber: '',
+						readonly: false,
+						other: {
+							ms_oid: decodedJWT['oid']
+						},
+						attempts: 0,
+						salt: jwt.sign({now: (Date.now() - 1000).toString()}, serverConfig['JWT_SECRET'], {
+							expiresIn : 90 * 24 * 60 * 60 * 1000 // 90 days
+						}),
+						hash: jwt.sign({now: (Date.now() + 1000).toString()}, serverConfig['JWT_SECRET'], {
+							expiresIn : 90 * 24 * 60 * 60 * 1000 // 90 days
+						}),
+						last:  new Date(),
+						settings: null,
+						services: null,
+						is_customer: false
+					};
+					
+					await Users.create(user);
+				}
+				else {
+					let update = false;
+
+					if (user.email !== decodedJWT['preferred_username'].toLowerCase()) {
+						user.email = decodedJWT['preferred_username'].toLowerCase();
+						update = true;
+					}
+
+					if (user.fullname !== decodedJWT['name']) {
+						user.fullname = decodedJWT['name'];
+						update = true;
+					}
+
+					if (update) {
+						await Users.updateOne({_id: user._id}, {$set: {email: user.email, fullname: user.fullname}});
+					}
+				}
+
+				response.send(JSON.stringify({
+					error: false,
+					result: {
+						token: jwt.sign({id_user: user._id}, serverConfig['JWT_SECRET'], {
+							expiresIn : 90 * 24 * 60 * 60 * 1000 // 90 days
+						})
+					}
+				}));
+			}
+			else {
+				console.log('ERROR - 1', tokenData, token, decodedJWT);
+
+				response.send(JSON.stringify({
+					error: true,
+					result: 'Invalid Azure Token'
+				}));
+			}
+		}
+	});
+
+	// Login via HTTP, return refresh token if authenticated
+	app.post('/login', express.json(), async (request, response) => {
+		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
+			response.send(JSON.stringify({
+				error: true,
+				result: 'Invalid header'
+			}));
+		}
+		else {
+
+			let body = request.body;
+
+			let schema = new SimpleSchema({
+				username: {
+					type: String
+				},
+				password: {
+					type: String
+				}
+			});
+	
+			try {
+				schema.validate(body);
+			}
+			catch (errors) {
+				if (errors) {
+					console.error(new Date(), 'Error in HTTP Check (/login)', errors);
+
+					await reportHttpValidationError('/login', body, errors);
+	
+					response.send(JSON.stringify({
+						error: true,
+						result: 'Invalid Parameters'
+					}));
+		
+					return;
+				}
+			}
+
+			let user = await Users.findOne({active: true, username: body.username});
+
+			if (!user) {
+				user = await Users.findOne({active: true, email: body.username});
+			}
+			
+			if (!user) {
+				response.send(JSON.stringify({
+					error: true,
+					result: 'Invalid Username And Password'
+				}));
+
+				return;
+			}
+
+			let resAuth = await Users.authenticate(user, body.password);
+
+			if (resAuth['error']) {
+				if (resAuth['error'] === 'Too Many Attempts') {
+					response.send(JSON.stringify({
+						error: true,
+						result: resAuth['error'] + '.  A password reset link has been sent to your email, please reset your password.'
+					}));
+
+					if (!user.services) {
+						user.services = {};
+					}
+
+					user.services['forgot_password'] = jwt.sign({id_user: user._id}, serverConfig['JWT_SECRET']);
+
+					let emailData = {
+						userToChangePassword: user.fullname,
+						userWhoResetPassword: ResolveIOServer.getClientName() + ' System',
+						url: (serverConfig['ROOT_URL'] + '/forgot-password?' + encodeURIComponent(serverConfig['SERVER_URL']) + '&' + user.services['forgot_password'])
+					};
+
+					await Users.updateOne({_id: user._id}, {$set: {services: user.services}});
+					let html = mainServer.getMethodManager().readFile('email-templates/forgot-password.html');
+					let template = handlebars.compile(html);
+					handlebars.registerHelper('equals', (a, b) => {
+						return a === b;
+					});
+	
+					await mainServer.getMethodManager().sendEmail(user.email, 'ResolveIO (' + ResolveIOServer.getClientName() + ') - Forgot Password', '', template(emailData), null, null, '');
+				}
+				else if (resAuth['error'] === 'No Salt Value Stored') {
+					response.send(JSON.stringify({
+						error: true,
+						result: 'A password reset link has been sent to your email, please reset your password.'
+					}));
+
+					if (!user.services) {
+						user.services = {};
+					}
+
+					user.services['forgot_password'] = jwt.sign({id_user: user._id}, serverConfig['JWT_SECRET']);
+
+					let emailData = {
+						userToChangePassword: user.fullname,
+						userWhoResetPassword: ResolveIOServer.getClientName() + ' System',
+						url: (serverConfig['ROOT_URL'] + '/forgot-password?' + encodeURIComponent(serverConfig['SERVER_URL']) + '&' + user.services['forgot_password'])
+					};
+
+					await Users.updateOne({_id: user._id}, {$set: {services: user.services}});
+					let html = mainServer.getMethodManager().readFile('email-templates/forgot-password.html');
+					let template = handlebars.compile(html);
+					handlebars.registerHelper('equals', (a, b) => {
+						return a === b;
+					});
+
+					await mainServer.getMethodManager().sendEmail(user.email, 'ResolveIO (' + ResolveIOServer.getClientName() + ') - Forgot Password', '', template(emailData), null, null, '');
+				}
+				else {
+					response.send(JSON.stringify({
+						error: true,
+						result: resAuth['error']
+					}));
+				}
+			}
+			else {
+				if (resAuth && resAuth['data'] && resAuth['data'].active) {
+					await Users.resetAttempts(resAuth['data']);
+					response.send(JSON.stringify({
+						error: false,
+						result: {
+							token: jwt.sign({id_user: resAuth['data']._id}, serverConfig['JWT_SECRET'], {
+								expiresIn : 90 * 24 * 60 * 60 * 1000 // 90 days
+							})
+						} 
+					}));
+				}
+			}
+		}
+	});
+
+	app.post('/accessToken', express.json(), async (request, response) => {
+		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
+			response.send(JSON.stringify({
+				error: true,
+				result: 'Invalid header'
+			}));
+		}
+		else {
+			let body = request.body;
+
+			let schema = new SimpleSchema({
+				refreshToken: {
+					type: String
+				}
+			});
+	
+			try {
+				schema.validate(body);
+			}
+			catch (errors) {
+				if (errors) {
+					console.error(new Date(), 'Error in HTTP Check (/accessToken)', errors);
+
+					await reportHttpValidationError('/accessToken', body, errors);
+	
+					response.send(JSON.stringify({
+						error: true,
+						result: 'Invalid Parameters'
+					}));
+		
+					return;
+				}
+			}
+
+			jwt.verify(body.refreshToken, serverConfig['JWT_SECRET'], async (err, decoded) => {
+				if (err) {
+					response.send(JSON.stringify({
+						error: true,
+						result: 'Invalid Token'
+					}));
+				}
+				else {
+					try {
+						let user = await Users.findById(decoded['id_user']);
+						if (user) {
+							if (user.active) {
+								response.send(JSON.stringify({
+									error: false,
+									result: {
+										token: jwt.sign({id_user: user._id}, serverConfig['JWT_SECRET'], {
+											expiresIn : 3 * 24 * 60 * 60 * 1000 // 3 days
+										}),
+										user: user
+									}
+								}));
+							}
+							else {
+								response.send(JSON.stringify({
+									error: true,
+									result: 'Account is Disabled'
+								}));
+							}
+						}
+						else {
+							response.send(JSON.stringify({
+								error: true,
+								result: 'Invalid User'
+							}));
+						}
+					}
+					catch {
+						response.send(JSON.stringify({
+							error: true,
+							result: 'Invalid Mongo Get User'
+						}));
+					}
+				}
+			});
+		}
+	});
+
+	app.post('/userWithEnrollmentToken', express.json(), async (request, response) => {
+		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
+			response.send(JSON.stringify({
+				error: true,
+				result: 'Invalid header'
+			}));
+		}
+		else {
+			let body = request.body;
+
+			let schema = new SimpleSchema({
+				enrollmentToken: {
+					type: String
+				}
+			});
+	
+			try {
+				schema.validate(body);
+			}
+			catch (errors) {
+				if (errors) {
+					console.error(new Date(), 'Error in HTTP Check (/userWithEnrollmentToken)', errors);
+
+					await reportHttpValidationError('/userWithEnrollmentToken', body, errors);
+	
+					response.send(JSON.stringify({
+						error: true,
+						result: 'Invalid Parameters'
+					}));
+		
+					return;
+				}
+			}
+
+			jwt.verify(body.enrollmentToken, serverConfig['JWT_SECRET'], async (err, decoded) => {
+				if (err) {
+					response.send(JSON.stringify({
+						error: true,
+						result: 'Invalid Token'
+					}));
+				}
+				else {
+					try {
+						let user = await Users.findOne({
+							$and: [
+								{_id: decoded['id_user']},
+								{'services.enrollment': body.enrollmentToken}
+							]
+						}, {projection: {_id: 1, __v: 1, username: 1, active: 1}});
+						if (user) {
+							if (user.active) {
+
+								response.send(JSON.stringify({
+									error: false,
+									result: {
+										user: user
+									}
+								}));
+							}
+							else {
+								response.send(JSON.stringify({
+									error: true,
+									result: 'Account is Disabled'
+								}));
+							}
+						}
+						else {
+							response.send(JSON.stringify({
+								error: true,
+								result: 'Invalid User'
+							}));
+						}
+					}
+					catch {
+						response.send(JSON.stringify({
+							error: true,
+							result: 'Invalid Mongo Get User'
+						}));
+					}
+				}
+			});
+		}
+	});
+
+	app.post('/setUserWithEnrollmentToken', express.json(), async (request, response) => {
+		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
+			response.send(JSON.stringify({
+				error: true,
+				result: 'Invalid header'
+			}));
+		}
+		else {
+			let body = request.body;
+
+			let schema = new SimpleSchema({
+				enrollmentToken: {
+					type: String
+				},
+				password: {
+					type: String
+				}
+			});
+	
+			try {
+				schema.validate(body);
+			}
+			catch (errors) {
+				if (errors) {
+					console.error(new Date(), 'Error in HTTP Check (/setUserWithEnrollmentToken)', errors);
+
+					await reportHttpValidationError('/setUserWithEnrollmentToken', body, errors);
+	
+					response.send(JSON.stringify({
+						error: true,
+						result: 'Invalid Parameters'
+					}));
+		
+					return;
+				}
+			}
+
+			jwt.verify(body.enrollmentToken, serverConfig['JWT_SECRET'], async (err, decoded) => {
+				if (err) {
+					response.send(JSON.stringify({
+						error: true,
+						result: 'Invalid Token'
+					}));
+				}
+				else {
+					try {
+						let user = await Users.findOne({
+							$and: [
+								{_id: decoded['id_user']},
+								{'services.enrollment': body.enrollmentToken}
+							]
+						});
+						if (user) {
+							if (user.active) {
+								await Users.setPassword(user, body.password);
+
+								response.send(JSON.stringify({
+									error: false,
+									result: true
+								}));
+							}
+							else {
+								response.send(JSON.stringify({
+									error: true,
+									result: 'Account is Disabled'
+								}));
+							}
+						}
+						else {
+							response.send(JSON.stringify({
+								error: true,
+								result: 'Invalid User'
+							}));
+						}
+					}
+					catch {
+						response.send(JSON.stringify({
+							error: true,
+							result: 'Invalid Mongo Get User'
+						}));
+					}
+				}
+			});
+		}
+	});
+
+	app.post('/userWithForgotPasswordToken', express.json(), async (request, response) => {
+		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
+			response.send(JSON.stringify({
+				error: true,
+				result: 'Invalid header'
+			}));
+		}
+		else {
+			let body = request.body;
+
+			let schema = new SimpleSchema({
+				forgotPasswordToken: {
+					type: String
+				}
+			});
+	
+			try {
+				schema.validate(body);
+			}
+			catch (errors) {
+				if (errors) {
+					console.error(new Date(), 'Error in HTTP Check (/userWithForgotPasswordToken)', errors);
+
+					await reportHttpValidationError('/userWithForgotPasswordToken', body, errors);
+	
+					response.send(JSON.stringify({
+						error: true,
+						result: 'Invalid Parameters'
+					}));
+		
+					return;
+				}
+			}
+
+			jwt.verify(body.forgotPasswordToken, serverConfig['JWT_SECRET'], async (err, decoded) => {
+				if (err) {
+					response.send(JSON.stringify({
+						error: true,
+						result: 'Invalid Token'
+					}));
+				}
+				else {
+					try {
+						let user = await Users.findOne({
+							$and: [
+								{_id: decoded['id_user']},
+								{'services.forgot_password': body.forgotPasswordToken}
+							]
+						}, {projection: {_id: 1, __v: 1, username: 1, active: 1}});
+							
+						if (user) {
+							if (user.active) {
+								response.send(JSON.stringify({
+									error: false,
+									result: {
+										user: user
+									}
+								}));
+							}
+							else {
+								response.send(JSON.stringify({
+									error: true,
+									result: 'Account is Disabled'
+								}));
+							}
+						}
+						else {
+							response.send(JSON.stringify({
+								error: true,
+								result: 'Invalid Token'
+							}));
+						}
+					}
+					catch {
+						response.send(JSON.stringify({
+							error: true,
+							result: 'Invalid Mongo Get User'
+						}));
+					}
+				}
+			});
+		}
+	});
+
+	app.post('/setUserWithForgotPasswordToken', express.json(), async (request, response) => {
+		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
+			response.send(JSON.stringify({
+				error: true,
+				result: 'Invalid header'
+			}));
+		}
+		else {
+			let body = request.body;
+
+			let schema = new SimpleSchema({
+				forgotPasswordToken: {
+					type: String
+				},
+				password: {
+					type: String
+				}
+			});
+	
+			try {
+				schema.validate(body);
+			}
+			catch (errors) {
+				if (errors) {
+					console.error(new Date(), 'Error in HTTP Check (/setUserWithForgotPasswordToken)', errors);
+
+					await reportHttpValidationError('/setUserWithForgotPasswordToken', body, errors);
+	
+					response.send(JSON.stringify({
+						error: true,
+						result: 'Invalid Parameters'
+					}));
+		
+					return;
+				}
+			}
+
+			jwt.verify(body.forgotPasswordToken, serverConfig['JWT_SECRET'], async (err, decoded) => {
+				if (err) {
+					response.send(JSON.stringify({
+						error: true,
+						result: 'Invalid Token'
+					}));
+				}
+				else {
+					try {
+						let user = await Users.findOne({
+							$and: [
+								{_id: decoded['id_user']},
+								{'services.forgot_password': body.forgotPasswordToken}
+							]
+						});
+							
+						if (user) {
+							if (user.active) {
+								await Users.setPassword(user, body.password);
+								
+								response.send(JSON.stringify({
+									error: false,
+									result: true
+								}));
+							}
+							else {
+								response.send(JSON.stringify({
+									error: true,
+									result: 'Account is Disabled'
+								}));
+							}
+						}
+						else {
+							response.send(JSON.stringify({
+								error: true,
+								result: 'Invalid User'
+							}));
+						}
+					}
+					catch {
+						response.send(JSON.stringify({
+							error: true,
+							result: 'Invalid Mongo Get User'
+						}));
+					}
+				}
+			});
+		}
+	});
+
+	app.post('/resetPassword', express.json(), async (request, response) => {
+		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
+			response.send(JSON.stringify({
+				error: true,
+				result: 'Invalid header'
+			}));
+		}
+		else {
+			let body = request.body;
+
+			let schema = new SimpleSchema({
+				username: {
+					type: String
+				}
+			});
+	
+			try {
+				schema.validate(body);
+			}
+			catch (errors) {
+				if (errors) {
+					console.error(new Date(), 'Error in HTTP Check (/resetPassword)', errors);
+
+					await reportHttpValidationError('/resetPassword', body, errors);
+	
+					response.send(JSON.stringify({
+						error: true,
+						result: 'Invalid Parameters'
+					}));
+		
+					return;
+				}
+			}
+
+			let user = await Users.findOne({active: true, username: body.username});
+
+			if (!user) {
+				user = await Users.findOne({active: true, email: body.username});
+			}
+			
+			if (user) {
+				await mainServer.getMethodManager().callMethod.call(mainServer.getMethodManager(), 'resetUserPassword', user._id);
+			}
+
+			response.send(JSON.stringify({
+				error: false,
+				result: ''
+			}));
+		}
+	});
+}