@resolveio/server-lib 22.3.23 → 22.3.24

package/src/http/auth.ts

@@ -1,764 +0,0 @@
-import * as express from 'express';
-import * as handlebars from 'handlebars';
-import * as jwt from 'jsonwebtoken';
-import { jwtDecode } from 'jwt-decode';
-import SimpleSchema from 'simpl-schema';
-import { Users } from '../collections/user.collection';
-import { ResolveIOServer } from '../resolveio-server-app';
-import { ResolveIOMainServer } from '../server-app';
-import { isAllowedOrigin, objectIdHexString } from '../util/common';
-import { ErrorReporter } from '../util/error-reporter';
-
-async function reportHttpValidationError(route: string, body: any, errors: any) {
-	const correlationId = objectIdHexString();
-	const config = ResolveIOServer.getServerConfig();
-	await ErrorReporter.report({
-		sourceApp: 'http-auth',
-		message: 'HTTP Validation Error - ' + route,
-		environment: config?.ROOT_URL,
-		clientSlug: ResolveIOServer.getClientName(),
-		clientName: config?.CLIENT_NAME,
-		context: {
-			route,
-			body,
-			errors
-		},
-		metadata: {
-			context: 'http-validation',
-			route,
-			correlationId
-		},
-		correlationId
-	});
-}
-
-export function setupAuthRoutes(mainServer: ResolveIOMainServer, app, serverConfig) {
-	app.post('/login365', express.json(), async (request, response) => {
-		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
-			response.send(JSON.stringify({
-				error: true,
-				result: 'Invalid header'
-			}));
-		}
-		else {
-			let body = request.body;
-
-			let schema = new SimpleSchema({
-				id_token: {
-					type: String
-				}
-			});
-	
-			try {
-				schema.validate(body);
-			}
-			catch (errors) {
-				if (errors) {
-					console.error(new Date(), 'Error in HTTP Check (/login)', errors);
-
-					await reportHttpValidationError('/login365', body, errors);
-
-					response.send(JSON.stringify({
-						error: true,
-						result: 'Invalid Parameters'
-					}));
-		
-					return;
-				}
-			}
-
-			let tokenData = body.id_token.split('&');
-			let token = tokenData[0].split('=')[1];
-			let decodedJWT = jwtDecode(token);
-
-			if (decodedJWT && decodedJWT['name'] && decodedJWT['preferred_username'] && decodedJWT['oid']) {
-				let user = await Users.findOne({'other.ms_oid': decodedJWT['oid']});
-
-				if (!user) {
-					user = await Users.findOne({email: decodedJWT['preferred_username'].toLowerCase()});
-
-					if (user) {
-						await Users.updateOne({_id: user._id}, {$set: {'other.ms_oid': decodedJWT['oid']}});
-					}
-				}
-
-				if (!user) {
-					user = {
-						_id: objectIdHexString(),
-						__v: 0,
-						roles: {
-							super_admin: false,
-							approvals: [],
-							groups: [],
-							notifications: [],
-							miscs: []
-						},
-						username: decodedJWT['preferred_username'].toLowerCase(),
-						email: decodedJWT['preferred_username'].toLowerCase(),
-						fullname: decodedJWT['name'],
-						active: true,
-						phonenumber: '',
-						readonly: false,
-						other: {
-							ms_oid: decodedJWT['oid']
-						},
-						attempts: 0,
-						salt: jwt.sign({now: (Date.now() - 1000).toString()}, serverConfig['JWT_SECRET'], {
-							expiresIn : 90 * 24 * 60 * 60 * 1000 // 90 days
-						}),
-						hash: jwt.sign({now: (Date.now() + 1000).toString()}, serverConfig['JWT_SECRET'], {
-							expiresIn : 90 * 24 * 60 * 60 * 1000 // 90 days
-						}),
-						last:  new Date(),
-						settings: null,
-						services: null,
-						is_customer: false
-					};
-					
-					await Users.create(user);
-				}
-				else {
-					let update = false;
-
-					if (user.email !== decodedJWT['preferred_username'].toLowerCase()) {
-						user.email = decodedJWT['preferred_username'].toLowerCase();
-						update = true;
-					}
-
-					if (user.fullname !== decodedJWT['name']) {
-						user.fullname = decodedJWT['name'];
-						update = true;
-					}
-
-					if (update) {
-						await Users.updateOne({_id: user._id}, {$set: {email: user.email, fullname: user.fullname}});
-					}
-				}
-
-				response.send(JSON.stringify({
-					error: false,
-					result: {
-						token: jwt.sign({id_user: user._id}, serverConfig['JWT_SECRET'], {
-							expiresIn : 90 * 24 * 60 * 60 * 1000 // 90 days
-						})
-					}
-				}));
-			}
-			else {
-				console.log('ERROR - 1', tokenData, token, decodedJWT);
-
-				response.send(JSON.stringify({
-					error: true,
-					result: 'Invalid Azure Token'
-				}));
-			}
-		}
-	});
-
-	// Login via HTTP, return refresh token if authenticated
-	app.post('/login', express.json(), async (request, response) => {
-		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
-			response.send(JSON.stringify({
-				error: true,
-				result: 'Invalid header'
-			}));
-		}
-		else {
-
-			let body = request.body;
-
-			let schema = new SimpleSchema({
-				username: {
-					type: String
-				},
-				password: {
-					type: String
-				}
-			});
-	
-			try {
-				schema.validate(body);
-			}
-			catch (errors) {
-				if (errors) {
-					console.error(new Date(), 'Error in HTTP Check (/login)', errors);
-
-					await reportHttpValidationError('/login', body, errors);
-	
-					response.send(JSON.stringify({
-						error: true,
-						result: 'Invalid Parameters'
-					}));
-		
-					return;
-				}
-			}
-
-			let user = await Users.findOne({active: true, username: body.username});
-
-			if (!user) {
-				user = await Users.findOne({active: true, email: body.username});
-			}
-			
-			if (!user) {
-				response.send(JSON.stringify({
-					error: true,
-					result: 'Invalid Username And Password'
-				}));
-
-				return;
-			}
-
-			let resAuth = await Users.authenticate(user, body.password);
-
-			if (resAuth['error']) {
-				if (resAuth['error'] === 'Too Many Attempts') {
-					response.send(JSON.stringify({
-						error: true,
-						result: resAuth['error'] + '.  A password reset link has been sent to your email, please reset your password.'
-					}));
-
-					if (!user.services) {
-						user.services = {};
-					}
-
-					user.services['forgot_password'] = jwt.sign({id_user: user._id}, serverConfig['JWT_SECRET']);
-
-					let emailData = {
-						userToChangePassword: user.fullname,
-						userWhoResetPassword: ResolveIOServer.getClientName() + ' System',
-						url: (serverConfig['ROOT_URL'] + '/forgot-password?' + encodeURIComponent(serverConfig['SERVER_URL']) + '&' + user.services['forgot_password'])
-					};
-
-					await Users.updateOne({_id: user._id}, {$set: {services: user.services}});
-					let html = mainServer.getMethodManager().readFile('email-templates/forgot-password.html');
-					let template = handlebars.compile(html);
-					handlebars.registerHelper('equals', (a, b) => {
-						return a === b;
-					});
-	
-					await mainServer.getMethodManager().sendEmail(user.email, 'ResolveIO (' + ResolveIOServer.getClientName() + ') - Forgot Password', '', template(emailData), null, null, '');
-				}
-				else if (resAuth['error'] === 'No Salt Value Stored') {
-					response.send(JSON.stringify({
-						error: true,
-						result: 'A password reset link has been sent to your email, please reset your password.'
-					}));
-
-					if (!user.services) {
-						user.services = {};
-					}
-
-					user.services['forgot_password'] = jwt.sign({id_user: user._id}, serverConfig['JWT_SECRET']);
-
-					let emailData = {
-						userToChangePassword: user.fullname,
-						userWhoResetPassword: ResolveIOServer.getClientName() + ' System',
-						url: (serverConfig['ROOT_URL'] + '/forgot-password?' + encodeURIComponent(serverConfig['SERVER_URL']) + '&' + user.services['forgot_password'])
-					};
-
-					await Users.updateOne({_id: user._id}, {$set: {services: user.services}});
-					let html = mainServer.getMethodManager().readFile('email-templates/forgot-password.html');
-					let template = handlebars.compile(html);
-					handlebars.registerHelper('equals', (a, b) => {
-						return a === b;
-					});
-
-					await mainServer.getMethodManager().sendEmail(user.email, 'ResolveIO (' + ResolveIOServer.getClientName() + ') - Forgot Password', '', template(emailData), null, null, '');
-				}
-				else {
-					response.send(JSON.stringify({
-						error: true,
-						result: resAuth['error']
-					}));
-				}
-			}
-			else {
-				if (resAuth && resAuth['data'] && resAuth['data'].active) {
-					await Users.resetAttempts(resAuth['data']);
-					response.send(JSON.stringify({
-						error: false,
-						result: {
-							token: jwt.sign({id_user: resAuth['data']._id}, serverConfig['JWT_SECRET'], {
-								expiresIn : 90 * 24 * 60 * 60 * 1000 // 90 days
-							})
-						} 
-					}));
-				}
-			}
-		}
-	});
-
-	app.post('/accessToken', express.json(), async (request, response) => {
-		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
-			response.send(JSON.stringify({
-				error: true,
-				result: 'Invalid header'
-			}));
-		}
-		else {
-			let body = request.body;
-
-			let schema = new SimpleSchema({
-				refreshToken: {
-					type: String
-				}
-			});
-	
-			try {
-				schema.validate(body);
-			}
-			catch (errors) {
-				if (errors) {
-					console.error(new Date(), 'Error in HTTP Check (/accessToken)', errors);
-
-					await reportHttpValidationError('/accessToken', body, errors);
-	
-					response.send(JSON.stringify({
-						error: true,
-						result: 'Invalid Parameters'
-					}));
-		
-					return;
-				}
-			}
-
-			jwt.verify(body.refreshToken, serverConfig['JWT_SECRET'], async (err, decoded) => {
-				if (err) {
-					response.send(JSON.stringify({
-						error: true,
-						result: 'Invalid Token'
-					}));
-				}
-				else {
-					try {
-						let user = await Users.findById(decoded['id_user']);
-						if (user) {
-							if (user.active) {
-								response.send(JSON.stringify({
-									error: false,
-									result: {
-										token: jwt.sign({id_user: user._id}, serverConfig['JWT_SECRET'], {
-											expiresIn : 3 * 24 * 60 * 60 * 1000 // 3 days
-										}),
-										user: user
-									}
-								}));
-							}
-							else {
-								response.send(JSON.stringify({
-									error: true,
-									result: 'Account is Disabled'
-								}));
-							}
-						}
-						else {
-							response.send(JSON.stringify({
-								error: true,
-								result: 'Invalid User'
-							}));
-						}
-					}
-					catch {
-						response.send(JSON.stringify({
-							error: true,
-							result: 'Invalid Mongo Get User'
-						}));
-					}
-				}
-			});
-		}
-	});
-
-	app.post('/userWithEnrollmentToken', express.json(), async (request, response) => {
-		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
-			response.send(JSON.stringify({
-				error: true,
-				result: 'Invalid header'
-			}));
-		}
-		else {
-			let body = request.body;
-
-			let schema = new SimpleSchema({
-				enrollmentToken: {
-					type: String
-				}
-			});
-	
-			try {
-				schema.validate(body);
-			}
-			catch (errors) {
-				if (errors) {
-					console.error(new Date(), 'Error in HTTP Check (/userWithEnrollmentToken)', errors);
-
-					await reportHttpValidationError('/userWithEnrollmentToken', body, errors);
-	
-					response.send(JSON.stringify({
-						error: true,
-						result: 'Invalid Parameters'
-					}));
-		
-					return;
-				}
-			}
-
-			jwt.verify(body.enrollmentToken, serverConfig['JWT_SECRET'], async (err, decoded) => {
-				if (err) {
-					response.send(JSON.stringify({
-						error: true,
-						result: 'Invalid Token'
-					}));
-				}
-				else {
-					try {
-						let user = await Users.findOne({
-							$and: [
-								{_id: decoded['id_user']},
-								{'services.enrollment': body.enrollmentToken}
-							]
-						}, {projection: {_id: 1, __v: 1, username: 1, active: 1}});
-						if (user) {
-							if (user.active) {
-
-								response.send(JSON.stringify({
-									error: false,
-									result: {
-										user: user
-									}
-								}));
-							}
-							else {
-								response.send(JSON.stringify({
-									error: true,
-									result: 'Account is Disabled'
-								}));
-							}
-						}
-						else {
-							response.send(JSON.stringify({
-								error: true,
-								result: 'Invalid User'
-							}));
-						}
-					}
-					catch {
-						response.send(JSON.stringify({
-							error: true,
-							result: 'Invalid Mongo Get User'
-						}));
-					}
-				}
-			});
-		}
-	});
-
-	app.post('/setUserWithEnrollmentToken', express.json(), async (request, response) => {
-		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
-			response.send(JSON.stringify({
-				error: true,
-				result: 'Invalid header'
-			}));
-		}
-		else {
-			let body = request.body;
-
-			let schema = new SimpleSchema({
-				enrollmentToken: {
-					type: String
-				},
-				password: {
-					type: String
-				}
-			});
-	
-			try {
-				schema.validate(body);
-			}
-			catch (errors) {
-				if (errors) {
-					console.error(new Date(), 'Error in HTTP Check (/setUserWithEnrollmentToken)', errors);
-
-					await reportHttpValidationError('/setUserWithEnrollmentToken', body, errors);
-	
-					response.send(JSON.stringify({
-						error: true,
-						result: 'Invalid Parameters'
-					}));
-		
-					return;
-				}
-			}
-
-			jwt.verify(body.enrollmentToken, serverConfig['JWT_SECRET'], async (err, decoded) => {
-				if (err) {
-					response.send(JSON.stringify({
-						error: true,
-						result: 'Invalid Token'
-					}));
-				}
-				else {
-					try {
-						let user = await Users.findOne({
-							$and: [
-								{_id: decoded['id_user']},
-								{'services.enrollment': body.enrollmentToken}
-							]
-						});
-						if (user) {
-							if (user.active) {
-								await Users.setPassword(user, body.password);
-
-								response.send(JSON.stringify({
-									error: false,
-									result: true
-								}));
-							}
-							else {
-								response.send(JSON.stringify({
-									error: true,
-									result: 'Account is Disabled'
-								}));
-							}
-						}
-						else {
-							response.send(JSON.stringify({
-								error: true,
-								result: 'Invalid User'
-							}));
-						}
-					}
-					catch {
-						response.send(JSON.stringify({
-							error: true,
-							result: 'Invalid Mongo Get User'
-						}));
-					}
-				}
-			});
-		}
-	});
-
-	app.post('/userWithForgotPasswordToken', express.json(), async (request, response) => {
-		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
-			response.send(JSON.stringify({
-				error: true,
-				result: 'Invalid header'
-			}));
-		}
-		else {
-			let body = request.body;
-
-			let schema = new SimpleSchema({
-				forgotPasswordToken: {
-					type: String
-				}
-			});
-	
-			try {
-				schema.validate(body);
-			}
-			catch (errors) {
-				if (errors) {
-					console.error(new Date(), 'Error in HTTP Check (/userWithForgotPasswordToken)', errors);
-
-					await reportHttpValidationError('/userWithForgotPasswordToken', body, errors);
-	
-					response.send(JSON.stringify({
-						error: true,
-						result: 'Invalid Parameters'
-					}));
-		
-					return;
-				}
-			}
-
-			jwt.verify(body.forgotPasswordToken, serverConfig['JWT_SECRET'], async (err, decoded) => {
-				if (err) {
-					response.send(JSON.stringify({
-						error: true,
-						result: 'Invalid Token'
-					}));
-				}
-				else {
-					try {
-						let user = await Users.findOne({
-							$and: [
-								{_id: decoded['id_user']},
-								{'services.forgot_password': body.forgotPasswordToken}
-							]
-						}, {projection: {_id: 1, __v: 1, username: 1, active: 1}});
-							
-						if (user) {
-							if (user.active) {
-								response.send(JSON.stringify({
-									error: false,
-									result: {
-										user: user
-									}
-								}));
-							}
-							else {
-								response.send(JSON.stringify({
-									error: true,
-									result: 'Account is Disabled'
-								}));
-							}
-						}
-						else {
-							response.send(JSON.stringify({
-								error: true,
-								result: 'Invalid Token'
-							}));
-						}
-					}
-					catch {
-						response.send(JSON.stringify({
-							error: true,
-							result: 'Invalid Mongo Get User'
-						}));
-					}
-				}
-			});
-		}
-	});
-
-	app.post('/setUserWithForgotPasswordToken', express.json(), async (request, response) => {
-		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
-			response.send(JSON.stringify({
-				error: true,
-				result: 'Invalid header'
-			}));
-		}
-		else {
-			let body = request.body;
-
-			let schema = new SimpleSchema({
-				forgotPasswordToken: {
-					type: String
-				},
-				password: {
-					type: String
-				}
-			});
-	
-			try {
-				schema.validate(body);
-			}
-			catch (errors) {
-				if (errors) {
-					console.error(new Date(), 'Error in HTTP Check (/setUserWithForgotPasswordToken)', errors);
-
-					await reportHttpValidationError('/setUserWithForgotPasswordToken', body, errors);
-	
-					response.send(JSON.stringify({
-						error: true,
-						result: 'Invalid Parameters'
-					}));
-		
-					return;
-				}
-			}
-
-			jwt.verify(body.forgotPasswordToken, serverConfig['JWT_SECRET'], async (err, decoded) => {
-				if (err) {
-					response.send(JSON.stringify({
-						error: true,
-						result: 'Invalid Token'
-					}));
-				}
-				else {
-					try {
-						let user = await Users.findOne({
-							$and: [
-								{_id: decoded['id_user']},
-								{'services.forgot_password': body.forgotPasswordToken}
-							]
-						});
-							
-						if (user) {
-							if (user.active) {
-								await Users.setPassword(user, body.password);
-								
-								response.send(JSON.stringify({
-									error: false,
-									result: true
-								}));
-							}
-							else {
-								response.send(JSON.stringify({
-									error: true,
-									result: 'Account is Disabled'
-								}));
-							}
-						}
-						else {
-							response.send(JSON.stringify({
-								error: true,
-								result: 'Invalid User'
-							}));
-						}
-					}
-					catch {
-						response.send(JSON.stringify({
-							error: true,
-							result: 'Invalid Mongo Get User'
-						}));
-					}
-				}
-			});
-		}
-	});
-
-	app.post('/resetPassword', express.json(), async (request, response) => {
-		if (!isAllowedOrigin(request.headers.origin, serverConfig)) {
-			response.send(JSON.stringify({
-				error: true,
-				result: 'Invalid header'
-			}));
-		}
-		else {
-			let body = request.body;
-
-			let schema = new SimpleSchema({
-				username: {
-					type: String
-				}
-			});
-	
-			try {
-				schema.validate(body);
-			}
-			catch (errors) {
-				if (errors) {
-					console.error(new Date(), 'Error in HTTP Check (/resetPassword)', errors);
-
-					await reportHttpValidationError('/resetPassword', body, errors);
-	
-					response.send(JSON.stringify({
-						error: true,
-						result: 'Invalid Parameters'
-					}));
-		
-					return;
-				}
-			}
-
-			let user = await Users.findOne({active: true, username: body.username});
-
-			if (!user) {
-				user = await Users.findOne({active: true, email: body.username});
-			}
-			
-			if (user) {
-				await mainServer.getMethodManager().callMethod.call(mainServer.getMethodManager(), 'resetUserPassword', user._id);
-			}
-
-			response.send(JSON.stringify({
-				error: false,
-				result: ''
-			}));
-		}
-	});
-}