@semapps/auth 1.1.3 → 1.2.0

package/services/account.js

@@ -1,315 +0,0 @@
-const bcrypt = require('bcrypt');
-const createSlug = require('speakingurl');
-const DbService = require('moleculer-db');
-const { TripleStoreAdapter } = require('@semapps/triplestore');
-const crypto = require('crypto');
-
-// Taken from https://stackoverflow.com/a/9204568/7900695
-const emailRegexp = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-
-module.exports = {
-  name: 'auth.account',
-  mixins: [DbService],
-  adapter: new TripleStoreAdapter({ type: 'AuthAccount', dataset: 'settings' }),
-  settings: {
-    idField: '@id',
-    reservedUsernames: ['relay'],
-    minPasswordLength: 1,
-    minUsernameLength: 1
-  },
-  dependencies: ['triplestore'],
-  actions: {
-    async create(ctx) {
-      let { uuid, username, password, email, webId, ...rest } = ctx.params;
-
-      // FORMAT AND VERIFY PASSWORD
-
-      if (password) {
-        if (password.length < this.settings.minPasswordLength) {
-          throw new Error('password.too-short');
-        }
-
-        password = await this.hashPassword(password);
-      }
-
-      // FORMAT AND VERIFY EMAIL
-
-      if (email) {
-        email = email.toLowerCase();
-
-        const emailExists = await ctx.call('auth.account.emailExists', { email });
-        if (emailExists) {
-          throw new Error('email.already.exists');
-        }
-
-        if (!emailRegexp.test(email)) {
-          throw new Error('email.invalid');
-        }
-      }
-
-      // FORMAT AND VERIFY USERNAME
-
-      if (username) {
-        if (!ctx.meta.isSystemCall) {
-          const { isValid, error } = await this.isValidUsername(ctx, username);
-          if (!isValid) throw new Error(error);
-        }
-      } else if (email) {
-        // If username is not provided, find one automatically from the email (without errors)
-        username = createSlug(email.split('@')[0].toLowerCase());
-
-        let { isValid, error } = await this.isValidUsername(ctx, username);
-
-        if (!isValid) {
-          if (error === 'username.invalid' || error === 'username.too-short') {
-            // If username generated from email is invalid, use a generic name
-            username = 'user';
-          }
-
-          // If necessary, add a number after the username
-          let i = 0;
-          do {
-            username = i === 0 ? username : username + i;
-            ({ isValid } = await this.isValidUsername(ctx, username));
-          } while (!isValid);
-        }
-      } else {
-        throw new Error('You must provide at least a username or an email address');
-      }
-
-      return await this._create(ctx, {
-        ...rest,
-        uuid,
-        username,
-        email,
-        hashedPassword: password,
-        webId
-      });
-    },
-    async attachWebId(ctx) {
-      const { accountUri, webId } = ctx.params;
-
-      return await this._update(ctx, {
-        '@id': accountUri,
-        webId
-      });
-    },
-    async verify(ctx) {
-      const { username, password } = ctx.params;
-
-      // If the username includes a @, assume it is an email
-      const query = username.includes('@') ? { email: username } : { username };
-
-      const accounts = await this._find(ctx, { query });
-
-      if (accounts.length > 0) {
-        const passwordMatch = await this.comparePassword(password, accounts[0].hashedPassword);
-        if (passwordMatch) {
-          return accounts[0];
-        }
-        throw new Error('account.not-found');
-      } else {
-        throw new Error('account.not-found');
-      }
-    },
-    async usernameExists(ctx) {
-      const { username } = ctx.params;
-      const accounts = await this._find(ctx, { query: { username } });
-      return accounts.length > 0;
-    },
-    async emailExists(ctx) {
-      const { email } = ctx.params;
-      const accounts = await this._find(ctx, { query: { email } });
-      return accounts.length > 0;
-    },
-    /** Overwrite find method, to filter accounts with tombstone. */
-    async find(ctx) {
-      /** @type {object[]} */
-      const accounts = await this._find(ctx, ctx.params);
-      return accounts.filter(account => !account.deletedAt);
-    },
-    async findByUsername(ctx) {
-      const { username } = ctx.params;
-      const accounts = await this._find(ctx, { query: { username } });
-      return accounts.length > 0 ? accounts[0] : null;
-    },
-    async findByWebId(ctx) {
-      const { webId } = ctx.params;
-      const accounts = await this._find(ctx, { query: { webId } });
-      return accounts.length > 0 ? accounts[0] : null;
-    },
-    async findByEmail(ctx) {
-      const { email } = ctx.params;
-      const accounts = await this._find(ctx, { query: { email } });
-      return accounts.length > 0 ? accounts[0] : null;
-    },
-    async setPassword(ctx) {
-      const { webId, password } = ctx.params;
-      const hashedPassword = await this.hashPassword(password);
-      const account = await ctx.call('auth.account.findByWebId', { webId });
-
-      return await this._update(ctx, {
-        '@id': account['@id'],
-        hashedPassword
-      });
-    },
-    async setNewPassword(ctx) {
-      const { webId, token, password } = ctx.params;
-      const hashedPassword = await this.hashPassword(password);
-      const account = await ctx.call('auth.account.findByWebId', { webId });
-
-      if (account.resetPasswordToken !== token) {
-        throw new Error('auth.password.invalid_reset_token');
-      }
-
-      return await this._update(ctx, {
-        '@id': account['@id'],
-        hashedPassword,
-        resetPasswordToken: undefined
-      });
-    },
-    async generateResetPasswordToken(ctx) {
-      const { webId } = ctx.params;
-      const resetPasswordToken = await this.generateResetPasswordToken();
-      const account = await ctx.call('auth.account.findByWebId', { webId });
-
-      await this._update(ctx, {
-        '@id': account['@id'],
-        resetPasswordToken
-      });
-
-      return resetPasswordToken;
-    },
-    async findDatasetByWebId(ctx) {
-      const webId = ctx.params.webId || ctx.meta.webId;
-      const account = await ctx.call('auth.account.findByWebId', { webId });
-      return account?.username;
-    },
-    async findSettingsByWebId(ctx) {
-      const webId = ctx.meta.webId;
-
-      const account = await ctx.call('auth.account.findByWebId', { webId });
-
-      return {
-        email: account.email,
-        preferredLocale: account.preferredLocale
-      };
-    },
-    async updateAccountSettings(ctx) {
-      const { currentPassword, email, newPassword } = ctx.params;
-      const { webId } = ctx.meta;
-      const account = await ctx.call('auth.account.findByWebId', { webId });
-      const passwordMatch = await this.comparePassword(currentPassword, account.hashedPassword);
-      let params = {};
-
-      if (!passwordMatch) {
-        throw new Error('auth.account.invalid_password');
-      }
-
-      if (newPassword) {
-        const hashedPassword = await this.hashPassword(newPassword);
-        params = { ...params, hashedPassword };
-      }
-
-      if (email !== account.email) {
-        const existing = await ctx.call('auth.account.findByEmail', { email });
-        if (existing) {
-          throw new Error('email.already.exists');
-        }
-
-        params = { ...params, email };
-      }
-
-      return await this._update(ctx, {
-        '@id': account['@id'],
-        ...params
-      });
-    },
-    async deleteByWebId(ctx) {
-      const { webId } = ctx.params;
-      const account = await ctx.call('auth.account.findByWebId', { webId });
-
-      if (account) {
-        await this._remove(ctx, { id: account['@id'] });
-        return true;
-      }
-
-      return false;
-    },
-    // Remove email and password from an account, set deletedAt timestamp.
-    async setTombstone(ctx) {
-      const { webId } = ctx.params;
-      const account = await ctx.call('auth.account.findByWebId', { webId });
-
-      return await this._update(ctx, {
-        // Set all values to undefined...
-        ...Object.fromEntries(Object.keys(account).map(key => [key, null])),
-        '@id': account['@id'],
-        // ...except for
-        webId: account.webId,
-        username: account.username,
-        // And add a deletedAt date.
-        deletedAt: new Date().toISOString()
-      });
-    }
-  },
-  methods: {
-    async isValidUsername(ctx, username) {
-      let error;
-
-      // Ensure the username has no space or special characters
-      if (!/^[a-z0-9\-+_.]+$/.exec(username)) {
-        error = 'username.invalid';
-      }
-
-      if (username.length < this.settings.minUsernameLength) {
-        error = 'username.too-short';
-      }
-
-      // Ensure we don't use reservedUsernames
-      if (this.settings.reservedUsernames.includes(username)) {
-        error = 'username.reserved';
-      }
-
-      // Ensure username doesn't already exist
-      const usernameExists = await ctx.call('auth.account.usernameExists', { username });
-      if (usernameExists) {
-        error = 'username.already.exists';
-      }
-
-      return { isValid: !error, error };
-    },
-    async hashPassword(password) {
-      return new Promise((resolve, reject) => {
-        bcrypt.hash(password, 10, (err, hash) => {
-          if (err) {
-            reject(err);
-          } else {
-            resolve(hash);
-          }
-        });
-      });
-    },
-    async comparePassword(password, hash) {
-      return new Promise(resolve => {
-        bcrypt.compare(password, hash, (err, res) => {
-          if (res === true) {
-            resolve(true);
-          } else {
-            resolve(false);
-          }
-        });
-      });
-    },
-    async generateResetPasswordToken() {
-      return new Promise((resolve, reject) => {
-        crypto.randomBytes(32, (ex, buf) => {
-          if (ex) {
-            reject(ex);
-          }
-          resolve(buf.toString('hex'));
-        });
-      });
-    }
-  }
-};

package/services/auth.cas.js

@@ -1,45 +0,0 @@
-const { Strategy } = require('passport-cas2');
-const { Errors: E } = require('moleculer-web');
-const AuthSSOMixin = require('../mixins/auth.sso');
-
-const AuthCASService = {
-  name: 'auth',
-  mixins: [AuthSSOMixin],
-  settings: {
-    baseUrl: null,
-    jwtPath: null,
-    registrationAllowed: true,
-    reservedUsernames: [],
-    webIdSelection: [],
-    // SSO-specific settings
-    sessionSecret: 's€m@pps',
-    selectSsoData: null,
-    // Cas-specific settings
-    casUrl: null
-  },
-  async created() {
-    this.passportId = 'cas';
-  },
-  methods: {
-    getStrategy() {
-      return new Strategy(
-        {
-          casURL: this.settings.casUrl,
-          passReqToCallback: true
-        },
-        (req, username, profile, done) => {
-          req.$ctx
-            .call('auth.loginOrSignup', { ssoData: { username, ...profile } })
-            .then(loginData => {
-              done(null, loginData);
-            })
-            .catch(e => {
-              done(new E.UnAuthorizedError(e.message), false);
-            });
-        }
-      );
-    }
-  }
-};
-
-module.exports = AuthCASService;

package/services/auth.local.js

@@ -1,238 +0,0 @@
-const path = require('path');
-const { Strategy } = require('passport-local');
-const AuthMixin = require('../mixins/auth');
-const sendToken = require('../middlewares/sendToken');
-const { MoleculerError } = require('moleculer').Errors;
-const AuthMailService = require('./mail');
-
-/** @type {import('moleculer').ServiceSchema} */
-const AuthLocalService = {
-  name: 'auth',
-  mixins: [AuthMixin],
-  settings: {
-    baseUrl: null,
-    jwtPath: null,
-    registrationAllowed: true,
-    reservedUsernames: [],
-    minPasswordLength: 1,
-    minUsernameLength: 1,
-    webIdSelection: [],
-    accountSelection: [],
-    formUrl: null,
-    mail: {
-      from: null,
-      transport: {
-        host: null,
-        port: null
-      },
-      defaults: {
-        locale: null,
-        frontUrl: null
-      }
-    }
-  },
-  dependencies: ['webid'],
-  async created() {
-    const { mail } = this.settings;
-
-    this.passportId = 'local';
-
-    if (mail !== false) {
-      this.broker.createService({
-        mixins: [AuthMailService],
-        settings: {
-          ...mail
-        }
-      });
-    }
-  },
-  actions: {
-    async signup(ctx) {
-      const { username, email, password, ...rest } = ctx.params;
-
-      // This is going to get in our way otherwise when waiting for completions.
-      ctx.meta.skipObjectsWatcher = true;
-
-      let accountData = await ctx.call('auth.account.create', {
-        username,
-        email,
-        password,
-        ...this.pickAccountData(rest)
-      });
-
-      try {
-        const profileData = { nick: accountData.username, email: accountData.email, ...rest };
-        const webId = await ctx.call('webid.createWebId', this.pickWebIdData(profileData), {
-          meta: {
-            isSignup: true // Allow services to handle directly the webId creation if it is generated by the AuthService
-          }
-        });
-
-        // Link the webId with the account
-        accountData = await ctx.call('auth.account.attachWebId', { accountUri: accountData['@id'], webId });
-
-        ctx.emit('auth.registered', { webId, profileData, accountData });
-
-        const token = await ctx.call('auth.jwt.generateServerSignedToken', { payload: { webId } });
-
-        return { token, webId, newUser: true };
-      } catch (e) {
-        // Delete account if resource creation failed, or it may cause problems when retrying
-        await ctx.call('auth.account.remove', { id: accountData['@id'] });
-        throw e;
-      }
-    },
-    async login(ctx) {
-      const { username, password } = ctx.params;
-
-      const accountData = await ctx.call('auth.account.verify', { username, password });
-
-      ctx.emit('auth.connected', { webId: accountData.webId, accountData }, { meta: { webId: null, dataset: null } });
-
-      const token = await ctx.call('auth.jwt.generateServerSignedToken', { payload: { webId: accountData.webId } });
-
-      return { token, webId: accountData.webId, newUser: false };
-    },
-    async logout(ctx) {
-      ctx.meta.$statusCode = 302;
-      ctx.meta.$location = ctx.params.redirectUrl || this.settings.formUrl;
-      ctx.emit('auth.disconnected', { webId: ctx.meta.webId });
-    },
-    async redirectToForm(ctx) {
-      if (this.settings.formUrl) {
-        const formUrl = new URL(this.settings.formUrl);
-        if (ctx.params) {
-          for (const [key, value] of Object.entries(ctx.params)) {
-            formUrl.searchParams.set(key, value);
-          }
-        }
-        ctx.meta.$statusCode = 302;
-        ctx.meta.$location = formUrl.toString();
-      } else {
-        throw new Error('No formUrl defined in auth.local settings');
-      }
-    },
-    async resetPassword(ctx) {
-      const { email } = ctx.params;
-
-      const account = await ctx.call('auth.account.findByEmail', { email });
-
-      if (!account) {
-        throw new MoleculerError('email.not.exists', 400, 'BAD_REQUEST');
-      }
-
-      const token = await ctx.call('auth.account.generateResetPasswordToken', { webId: account.webId });
-
-      await ctx.call('auth.mail.sendResetPasswordEmail', {
-        account,
-        token
-      });
-    },
-    async setNewPassword(ctx) {
-      const { email, token, password } = ctx.params;
-
-      const account = await ctx.call('auth.account.findByEmail', { email });
-
-      if (!account) {
-        throw new MoleculerError('email.not.exists', 400, 'BAD_REQUEST');
-      }
-
-      await ctx.call('auth.account.setNewPassword', { webId: account.webId, token, password });
-    }
-  },
-  methods: {
-    getStrategy() {
-      return new Strategy(
-        {
-          passReqToCallback: true // We want to have access to req below
-        },
-        (req, username, password, done) => {
-          req.$ctx
-            .call('auth.login', req.$params)
-            .then(returnedData => {
-              done(null, returnedData);
-            })
-            .catch(e => {
-              done(new MoleculerError(e.message, 401), false);
-            });
-        }
-      );
-    },
-    getApiRoutes(basePath) {
-      const loginRoute = {
-        path: path.join(basePath, '/auth/login'),
-        name: 'auth-login',
-        use: [this.passport.initialize()],
-        aliases: {
-          'POST /': [this.passport.authenticate(this.passportId, { session: false }), sendToken]
-        }
-      };
-
-      const logoutRoute = {
-        path: path.join(basePath, '/auth/logout'),
-        name: 'auth-logout',
-        aliases: {
-          'GET /': 'auth.logout'
-        }
-      };
-
-      const signupRoute = {
-        path: path.join(basePath, '/auth/signup'),
-        name: 'auth-signup',
-        aliases: {
-          'POST /': 'auth.signup'
-        }
-      };
-
-      const formRoute = {
-        path: path.join(basePath, '/auth'),
-        name: 'auth',
-        aliases: {
-          'GET /': 'auth.redirectToForm'
-        }
-      };
-
-      const resetPasswordRoute = {
-        path: path.join(basePath, '/auth/reset_password'),
-        name: 'auth-reset-password',
-        aliases: {
-          'POST /': 'auth.resetPassword'
-        }
-      };
-      const setNewPasswordRoute = {
-        path: path.join(basePath, '/auth/new_password'),
-        name: 'auth-new-password',
-        aliases: {
-          'POST /': 'auth.setNewPassword'
-        }
-      };
-
-      const accountSettingsRoute = {
-        path: path.join(basePath, '/auth/account'),
-        name: 'auth-account',
-        aliases: {
-          'GET /': 'auth.account.findSettingsByWebId',
-          'POST /': 'auth.account.updateAccountSettings'
-        },
-        authorization: true
-      };
-
-      const routes = [
-        loginRoute,
-        logoutRoute,
-        formRoute,
-        resetPasswordRoute,
-        setNewPasswordRoute,
-        accountSettingsRoute
-      ];
-
-      if (this.settings.registrationAllowed) {
-        return [...routes, signupRoute];
-      }
-
-      return routes;
-    }
-  }
-};
-
-module.exports = AuthLocalService;

package/services/jwt.js

@@ -1,101 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-const jwt = require('jsonwebtoken');
-const crypto = require('crypto');
-
-/**
- * Service that creates and validates JSON web tokens(JWT).
- * Tokens are signed against this server's keys.
- * This is useful for generating/validating authentication tokens.
- *
- * TODO: Tokens do not expire.
- */
-module.exports = {
-  name: 'auth.jwt',
-  settings: {
-    jwtPath: null
-  },
-  async created() {
-    const privateKeyPath = path.resolve(this.settings.jwtPath, 'jwtRS256.key');
-    const publicKeyPath = path.resolve(this.settings.jwtPath, 'jwtRS256.key.pub');
-
-    if (!fs.existsSync(privateKeyPath) && !fs.existsSync(publicKeyPath)) {
-      this.logger.info('JWT keypair not found, generating...');
-      if (!fs.existsSync(this.settings.jwtPath)) {
-        fs.mkdirSync(this.settings.jwtPath);
-      }
-      await this.actions.generateKeyPair({ privateKeyPath, publicKeyPath });
-    }
-
-    this.privateKey = fs.readFileSync(privateKeyPath);
-    this.publicKey = fs.readFileSync(publicKeyPath);
-  },
-  actions: {
-    generateKeyPair(ctx) {
-      const { privateKeyPath, publicKeyPath } = ctx.params;
-
-      return new Promise((resolve, reject) => {
-        crypto.generateKeyPair(
-          'rsa',
-          {
-            modulusLength: 4096,
-            publicKeyEncoding: {
-              type: 'spki',
-              format: 'pem'
-            },
-            privateKeyEncoding: {
-              type: 'pkcs8',
-              format: 'pem'
-            }
-          },
-          (err, publicKey, privateKey) => {
-            if (err) {
-              reject(err);
-            } else {
-              fs.writeFile(privateKeyPath, privateKey, err => {
-                if (err) {
-                  reject(err);
-                } else {
-                  fs.writeFile(publicKeyPath, publicKey, err => {
-                    if (err) {
-                      reject(err);
-                    } else {
-                      resolve({ privateKey, publicKey });
-                    }
-                  });
-                }
-              });
-            }
-          }
-        );
-      });
-    },
-    async generateServerSignedToken(ctx) {
-      const { payload } = ctx.params;
-      return jwt.sign(payload, this.privateKey, { algorithm: 'RS256' });
-    },
-    /** Verifies that the token was signed by this server. */
-    async verifyServerSignedToken(ctx) {
-      const { token } = ctx.params;
-      try {
-        return jwt.verify(token, this.publicKey, { algorithms: ['RS256'] });
-      } catch (err) {
-        return false;
-      }
-    },
-    async generateUnsignedToken(ctx) {
-      const { payload } = ctx.params;
-      const token = jwt.sign(payload, null, { algorithm: 'none' });
-      return token;
-    },
-    // Warning, this does NOT verify if signature is valid
-    async decodeToken(ctx) {
-      const { token } = ctx.params;
-      try {
-        return jwt.decode(token);
-      } catch (err) {
-        return false;
-      }
-    }
-  }
-};