npm - @saltcorn/server - Versions diffs - 0.6.3-beta.2 → 0.6.3-beta.3 - Mend

@saltcorn/server 0.6.3-beta.2 → 0.6.3-beta.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/app.js CHANGED Viewed

@@ -38,7 +38,7 @@ const { h1 } = require("@saltcorn/markup/tags");
 const is = require("contractis/is");
 const Trigger = require("@saltcorn/data/models/trigger");
 const s3storage = require("./s3storage");
+const TotpStrategy = require("passport-totp").Strategy;
 const locales = Object.keys(available_languages);
 // i18n configuration
 const i18n = new I18n({
@@ -148,7 +148,9 @@ const getApp = async (opts = {}) => {
             req.flash("danger", req.__("Incorrect user or password"))
           );
         const mu = await User.authenticate(userobj);
-        if (mu) return done(null, mu.session_object);
+        if (mu && mu._attributes.totp_enabled)
+          return done(null, { pending_user: mu.session_object });
+        else if (mu) return done(null, mu.session_object);
         else {
           const { password, ...nopw } = userobj;
           Trigger.emitEvent("LoginFailed", null, null, nopw);
@@ -188,6 +190,14 @@ const getApp = async (opts = {}) => {
       }
     })
   );
+  passport.use(
+    new TotpStrategy(function (user, done) {
+      // setup function, supply key and period to done callback
+      User.findOne({ id: user.pending_user.id }).then((u) => {
+        return done(null, u._attributes.totp_key, 30);
+      });
+    })
+  );
   passport.serializeUser(function (user, done) {
     done(null, user);
   });

package/auth/roleadmin.js CHANGED Viewed

@@ -85,6 +85,28 @@ const editRoleLayoutForm = (role, layouts, layout_by_role, req) =>
     )
   );
+/**
+ * @param {Role} role
+ * @param {Layout[]} layouts
+ * @param {*} layout_by_role
+ * @param {object} req
+ * @returns {Form}
+ */
+const editRole2FAPolicyForm = (role, twofa_policy_by_role, req) =>
+  form(
+    {
+      action: `/roleadmin/setrole2fapolicy/${role.id}`,
+      method: "post",
+    },
+    csrfField(req),
+    select(
+      { name: "policy", onchange: "form.submit()" },
+      ["Optional", "Disabled", "Mandatory"].map((p) =>
+        option({ selected: twofa_policy_by_role[role.id] === p }, p)
+      )
+    )
+  );
 /**
  * @param {object} req
  * @returns {Form}
@@ -125,6 +147,7 @@ router.get(
       (l) => l !== "emergency"
     );
     const layout_by_role = getState().getConfig("layout_by_role");
+    const twofa_policy_by_role = getState().getConfig("twofa_policy_by_role");
     send_users_page({
       res,
       req,
@@ -142,6 +165,13 @@ router.get(
                 key: (role) =>
                   editRoleLayoutForm(role, layouts, layout_by_role, req),
               },
+              {
+                label: req.__("2FA policy"),
+                key: (role) =>
+                  role.id === 10
+                    ? ""
+                    : editRole2FAPolicyForm(role, twofa_policy_by_role, req),
+              },
               {
                 label: req.__("Delete"),
                 key: (r) =>
@@ -240,6 +270,26 @@ router.post(
   })
 );
+/**
+ * @name post/setrolelayout/:id
+ * @function
+ * @memberof module:auth/roleadmin~roleadminRouter
+ */
+router.post(
+  "/setrole2fapolicy/:id",
+  isAdmin,
+  error_catcher(async (req, res) => {
+    const { id } = req.params;
+    const twofa_policy_by_role = getState().getConfigCopy(
+      "twofa_policy_by_role"
+    );
+    twofa_policy_by_role[+id] = req.body.policy;
+    await getState().setConfig("twofa_policy_by_role", twofa_policy_by_role);
+    req.flash("success", req.__(`Saved 2FA policy for role`));
+    res.redirect(`/roleadmin`);
+  })
+);
 const unDeletableRoles = [1, 8, 10];
 /**
  * @name post/delete/:id

package/auth/routes.js CHANGED Viewed

@@ -24,12 +24,14 @@ const { renderForm, post_btn } = require("@saltcorn/markup");
 const passport = require("passport");
 const {
   a,
+  img,
   text,
   table,
   tbody,
   th,
   td,
   tr,
+  h4,
   form,
   select,
   option,
@@ -37,6 +39,8 @@ const {
   i,
   div,
   code,
+  pre,
+  p,
 } = require("@saltcorn/markup/tags");
 const {
   available_languages,
@@ -52,7 +56,9 @@ const { restore_backup } = require("../markup/admin.js");
 const { restore } = require("@saltcorn/data/models/backup");
 const load_plugins = require("../load_plugins");
 const fs = require("fs");
+const base32 = require("thirty-two");
+const qrcode = require("qrcode");
+const totp = require("notp").totp;
 /**
  * @type {object}
  * @const
@@ -599,6 +605,8 @@ const signup_login_with_user = (u, req, res) =>
       if (!err) {
         Trigger.emitEvent("Login", null, u);
         if (getState().verifier) res.redirect("/auth/verification-flow");
+        else if (getState().get2FApolicy(u) === "Mandatory")
+          res.redirect("/auth/twofa/setup/totp");
         else res.redirect("/");
       } else {
         req.flash("danger", err);
@@ -920,6 +928,11 @@ router.post(
   error_catcher(async (req, res) => {
     ipLimiter.resetKey(req.ip);
     userLimiter.resetKey(userIdKey(req.body));
+    if (req.user.pending_user) {
+      res.redirect("/auth/twofa/login/totp");
+      return;
+    }
     if (req.session.cookie)
       if (req.body.remember) {
         const setDur = +getState().getConfig("cookie_duration_remember", 0);
@@ -932,7 +945,9 @@ router.post(
       }
     Trigger.emitEvent("Login", null, req.user);
     req.flash("success", req.__("Welcome, %s!", req.user.email));
-    res.redirect("/");
+    if (getState().get2FApolicy(req.user) === "Mandatory") {
+      res.redirect("/auth/twofa/setup/totp");
+    } else res.redirect("/");
   })
 );
@@ -1095,6 +1110,9 @@ const userSettings = async ({ req, res, pwform, user }) => {
   }
   let apikeycard;
   const min_role_apikeygen = +getState().getConfig("min_role_apikeygen", 1);
+  const twoFaPolicy = getState().get2FApolicy(user);
+  const show2FAPolicy =
+    twoFaPolicy !== "Disabled" || user._attributes.totp_enabled;
   if (user.role_id <= min_role_apikeygen)
     apikeycard = {
       type: "card",
@@ -1163,6 +1181,40 @@ const userSettings = async ({ req, res, pwform, user }) => {
         title: req.__("Change password"),
         contents: renderForm(pwform, req.csrfToken()),
       },
+      ...(show2FAPolicy
+        ? [
+            {
+              type: "card",
+              title: req.__("Two-factor authentication"),
+              contents: [
+                div(
+                  user._attributes.totp_enabled
+                    ? req.__("Two-factor authentication is enabled")
+                    : req.__("Two-factor authentication is disabled")
+                ),
+                div(
+                  user._attributes.totp_enabled
+                    ? post_btn(
+                        "/auth/twofa/disable/totp",
+                        "Disable",
+                        req.csrfToken(),
+                        {
+                          btnClass: "btn-danger mt-2",
+                          req,
+                        }
+                      )
+                    : a(
+                        {
+                          href: "/auth/twofa/setup/totp",
+                          class: "btn btn-primary mt-2",
+                        },
+                        "Enable"
+                      )
+                ),
+              ],
+            },
+          ]
+        : []),
       ...(apikeycard ? [apikeycard] : []),
     ],
   };
@@ -1253,6 +1305,12 @@ router.get(
   loggedIn,
   error_catcher(async (req, res) => {
     const user = await User.findOne({ id: req.user.id });
+    if (!user) {
+      req.logout();
+      req.flash("danger", req.__("Must be logged in first"));
+      res.redirect("/auth/login");
+      return;
+    }
     res.sendWrap(
       req.__("User settings"),
       await userSettings({ req, res, pwform: changPwForm(req), user })
@@ -1436,3 +1494,171 @@ router.all(
     res.redirect(wfres.redirect || "/");
   })
 );
+/**
+ * @name get/settings
+ * @function
+ * @memberof module:auth/routes~routesRouter
+ */
+router.get(
+  "/twofa/setup/totp",
+  loggedIn,
+  error_catcher(async (req, res) => {
+    const user = await User.findOne({ id: req.user.id });
+    let key;
+    if (user._attributes.totp_key) key = user._attributes.totp_key;
+    else {
+      key = randomKey(10);
+      user._attributes.totp_key = key;
+      await user.update({ _attributes: user._attributes });
+    }
+    const encodedKey = base32.encode(key);
+    // generate QR code for scanning into Google Authenticator
+    // reference: https://code.google.com/p/google-authenticator/wiki/KeyUriFormat
+    const site_name = getState().getConfig("site_name");
+    const otpUrl = `otpauth://totp/${
+      user.email
+    }?secret=${encodedKey}&period=30&issuer=${encodeURIComponent(site_name)}`;
+    const image = await qrcode.toDataURL(otpUrl);
+    res.sendWrap(req.__("Setup two-factor authentication"), {
+      type: "card",
+      title: req.__(
+        "Setup two-factor authentication with Time-based One-Time Password (TOTP)"
+      ),
+      contents: [
+        h4(req.__("1. Scan this QR code in your Authenticator app")),
+        img({ src: image }),
+        p("Or enter this code:"),
+        code(pre(encodedKey.toString())),
+        h4(
+          req.__(
+            "2. Enter the six-digit code generated in your Authenticator app"
+          )
+        ),
+        renderForm(totpForm(req), req.csrfToken()),
+      ],
+    });
+  })
+);
+router.post(
+  "/twofa/setup/totp",
+  loggedIn,
+  error_catcher(async (req, res) => {
+    const user = await User.findOne({ id: req.user.id });
+    if (!user._attributes.totp_key) {
+      //key not set
+      req.flash("danger", req.__("2FA TOTP Key not set"));
+      res.redirect("/auth/twofa/setup/totp");
+      return;
+    }
+    const form = totpForm(req);
+    form.validate(req.body);
+    if (form.hasErrors) {
+      req.flash("danger", req.__("Error processing form"));
+      res.redirect("/auth/twofa/setup/totp");
+      return;
+    }
+    const code = `${form.values.totpCode}`;
+    const rv = totp.verify(code, user._attributes.totp_key, {
+      time: 30,
+    });
+    if (!rv) {
+      req.flash("danger", req.__("Could not verify code"));
+      res.redirect("/auth/twofa/setup/totp");
+      return;
+    }
+    user._attributes.totp_enabled = true;
+    await user.update({ _attributes: user._attributes });
+    req.flash(
+      "success",
+      req.__(
+        "Two-factor authentication with Time-based One-Time Password enabled"
+      )
+    );
+    res.redirect("/auth/settings");
+  })
+);
+router.post(
+  "/twofa/disable/totp",
+  loggedIn,
+  error_catcher(async (req, res) => {
+    const user = await User.findOne({ id: req.user.id });
+    user._attributes.totp_enabled = false;
+    delete user._attributes.totp_key;
+    await user.update({ _attributes: user._attributes });
+    req.flash(
+      "success",
+      req.__(
+        "Two-factor authentication with Time-based One-Time Password disabled"
+      )
+    );
+    res.redirect("/auth/settings");
+  })
+);
+const totpForm = (req) =>
+  new Form({
+    action: "/auth/twofa/setup/totp",
+    fields: [
+      {
+        name: "totpCode",
+        label: req.__("Code"),
+        type: "Integer",
+        required: true,
+      },
+    ],
+  });
+const randomKey = function (len) {
+  function getRandomInt(min, max) {
+    return Math.floor(Math.random() * (max - min + 1)) + min;
+  }
+  var buf = [],
+    chars = "abcdefghijklmnopqrstuvwxyz0123456789",
+    charlen = chars.length;
+  for (var i = 0; i < len; ++i) {
+    buf.push(chars[getRandomInt(0, charlen - 1)]);
+  }
+  return buf.join("");
+};
+router.get(
+  "/twofa/login/totp",
+  error_catcher(async (req, res) => {
+    const form = new Form({
+      action: "/auth/twofa/login/totp",
+      submitLabel: "Verify",
+      fields: [
+        {
+          name: "code",
+          label: req.__("Code"),
+          type: "Integer",
+          required: true,
+        },
+      ],
+    });
+    res.sendAuthWrap(req.__(`Two-factor authentication`), form, {});
+  })
+);
+router.post(
+  "/twofa/login/totp",
+  passport.authenticate("totp", {
+    failureRedirect: "/auth/twofa/login/totp",
+    failureFlash: true,
+  }),
+  error_catcher(async (req, res) => {
+    const user = await User.findOne({ id: req.user.pending_user.id });
+    user.relogin(req);
+    Trigger.emitEvent("Login", null, user);
+    res.redirect("/");
+  })
+);