dbgate-api-premium 6.5.4 → 6.5.6

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "dbgate-api-premium",
   "main": "src/index.js",
-  "version": "6.5.4",
+  "version": "6.5.6",
   "homepage": "https://dbgate.org/",
   "repository": {
     "type": "git",
@@ -30,10 +30,10 @@
     "compare-versions": "^3.6.0",
     "cors": "^2.8.5",
     "cross-env": "^6.0.3",
-    "dbgate-datalib": "^6.5.4",
+    "dbgate-datalib": "^6.5.6",
     "dbgate-query-splitter": "^4.11.5",
-    "dbgate-sqltree": "^6.5.4",
-    "dbgate-tools": "^6.5.4",
+    "dbgate-sqltree": "^6.5.6",
+    "dbgate-tools": "^6.5.6",
     "debug": "^4.3.4",
     "diff": "^5.0.0",
     "diff2html": "^3.4.13",
@@ -85,7 +85,7 @@
   "devDependencies": {
     "@types/fs-extra": "^9.0.11",
     "@types/lodash": "^4.14.149",
-    "dbgate-types": "^6.5.4",
+    "dbgate-types": "^6.5.6",
     "env-cmd": "^10.1.0",
     "jsdoc-to-markdown": "^9.0.5",
     "node-loader": "^1.0.2",

package/src/auth/authProvider.js

@@ -11,7 +11,7 @@ const logger = getLogger('authProvider');
 class AuthProviderBase {
   amoid = 'none';
 
-  async login(login, password, options = undefined) {
+  async login(login, password, options = undefined, req = undefined) {
     return {
       accessToken: jwt.sign(
         {
@@ -23,7 +23,7 @@ class AuthProviderBase {
     };
   }
 
-  oauthToken(params) {
+  oauthToken(params, req) {
     return {};
   }
 

package/src/auth/storageAuthProvider.js

@@ -21,6 +21,8 @@ const axios = require('axios');
 const _ = require('lodash');
 const { authProxyGetTokenFromCode, authProxyGetRedirectUrl } = require('../utility/authProxy');
 const { decryptUser } = require('../utility/crypting');
+const { sendToAuditLog } = require('../utility/auditlog');
+const { isLoginLicensed, LOGIN_LIMIT_ERROR, markTokenAsLoggedIn } = require('../utility/loginchecker');
 
 async function loadPermissionsForUserId(userId) {
   const rolePermissions = sortPermissionsFromTheSameLevel(await storageReadUserRolePermissions(userId));
@@ -50,21 +52,39 @@ class StorageProviderBase extends AuthProviderBase {
 }
 
 class AnonymousProvider extends StorageProviderBase {
-  async login(login, password, options = undefined) {
+  async login(login, password, options = undefined, req = undefined) {
     const permissions = await [
       ...getPredefinedPermissions('anonymous-user'),
       ...(await storageReadRolePermissions(-1)),
     ];
 
+    if (!(await isLoginLicensed(req, `anonymous`))) {
+      return { error: LOGIN_LIMIT_ERROR };
+    }
+
+    sendToAuditLog(req, {
+      category: 'auth',
+      component: 'AnonymousProvider',
+      action: 'login',
+      event: 'login.anonymous',
+      severity: 'info',
+      message: 'Anonymous login',
+    });
+
+    const licenseUid = 'anonymous';
+    const accessToken = jwt.sign(
+      {
+        amoid: this.amoid,
+        permissions,
+        licenseUid,
+      },
+      getTokenSecret(),
+      { expiresIn: getTokenLifetime() }
+    );
+    markTokenAsLoggedIn(licenseUid, accessToken);
+
     return {
-      accessToken: jwt.sign(
-        {
-          amoid: this.amoid,
-          permissions,
-        },
-        getTokenSecret(),
-        { expiresIn: getTokenLifetime() }
-      ),
+      accessToken,
     };
   }
 }
@@ -73,7 +93,7 @@ class LocalAuthProvider extends StorageProviderBase {
   constructor(config) {
     super(config);
   }
-  async login(login, password) {
+  async login(login, password, _options, req) {
     const rows = await storageSelectFmt('select * from ~users where login = %v', login);
     if (rows.length == 0) {
       return { error: 'Login not allowed' };
@@ -83,19 +103,49 @@ class LocalAuthProvider extends StorageProviderBase {
       const userId = row.id;
       const permissions = await loadPermissionsForUserId(userId);
 
+      if (!(await isLoginLicensed(req, `local:${login}`))) {
+        return { error: LOGIN_LIMIT_ERROR };
+      }
+
+      sendToAuditLog(req, {
+        category: 'auth',
+        component: 'LocalAuthProvider',
+        action: 'login',
+        event: 'login.local',
+        severity: 'info',
+        detail: { login },
+        message: 'Local login successful',
+      });
+
+      const licenseUid = `local:${login}`;
+      const accessToken = jwt.sign(
+        {
+          amoid: this.amoid,
+          login,
+          permissions,
+          userId,
+          licenseUid,
+        },
+        getTokenSecret(),
+        { expiresIn: getTokenLifetime() }
+      );
+      markTokenAsLoggedIn(licenseUid, accessToken);
+
       return {
-        accessToken: jwt.sign(
-          {
-            amoid: this.amoid,
-            login,
-            permissions,
-            userId,
-          },
-          getTokenSecret(),
-          { expiresIn: getTokenLifetime() }
-        ),
+        accessToken,
       };
     }
+
+    sendToAuditLog(req, {
+      category: 'auth',
+      component: 'LocalAuthProvider',
+      action: 'loginFail',
+      event: 'login.localFailed',
+      severity: 'warn',
+      detail: { login },
+      message: 'Local login failed',
+    });
+
     return { error: 'Invalid credentials' };
   }
 
@@ -121,7 +171,7 @@ class OauthProvider extends StorageProviderBase {
     return this.config.oauthLogout;
   }
 
-  async oauthToken(params) {
+  async oauthToken(params, req) {
     const { redirectUri, code } = params;
 
     const scopeParam = this.config.oauthScope ? `&scope=${this.config.oauthScope}` : '';
@@ -151,6 +201,16 @@ class OauthProvider extends StorageProviderBase {
     const permissions = await loadPermissionsForUserId(loginRows[0]?.id ?? -1);
 
     if (this.config.oauthOnlyDefinedLogins == 1 && loginRows.length == 0) {
+      sendToAuditLog(req, {
+        category: 'auth',
+        component: 'OauthProvider',
+        action: 'loginFail',
+        event: 'login.oauthNotAllowed',
+        severity: 'warn',
+        detail: { login },
+        message: `Username ${login} not allowed to log in`,
+      });
+
       return { error: `Username ${login} not allowed to log in` };
     }
 
@@ -171,21 +231,50 @@ class OauthProvider extends StorageProviderBase {
     if (this.config.oauthOnlyDefinedGroups == 1) {
       const roleRows = await storageSelectFmt('select * from ~roles where ~name in (%,v)', groups);
       if (roleRows.length == 0) {
+        sendToAuditLog(req, {
+          category: 'auth',
+          component: 'OauthProvider',
+          action: 'loginFail',
+          event: 'login.groupNotAllowed',
+          severity: 'warn',
+          detail: { login },
+          message: `Groups ${groups.join(', ')} not allowed to log in`,
+        });
+
         return { error: `Groups ${groups.join(', ')} not allowed to log in` };
       }
     }
 
+    if (!(await isLoginLicensed(req, `oauth:${login}`))) {
+      return { error: LOGIN_LIMIT_ERROR };
+    }
+
+    sendToAuditLog(req, {
+      category: 'auth',
+      component: 'OauthProvider',
+      action: 'login',
+      event: 'login.oauth',
+      severity: 'info',
+      detail: { login, userId: loginRows[0]?.id },
+      message: `User ${login} logged in via OAUTH`,
+    });
+
+    const licenseUid = `oauth:${login}`;
+    const accessToken = jwt.sign(
+      {
+        amoid: this.amoid,
+        login,
+        permissions,
+        userId: loginRows[0]?.id,
+        licenseUid,
+      },
+      getTokenSecret(),
+      { expiresIn: getTokenLifetime() }
+    );
+    markTokenAsLoggedIn(licenseUid, accessToken);
+
     return {
-      accessToken: jwt.sign(
-        {
-          amoid: this.amoid,
-          login,
-          permissions,
-          userId: loginRows[0]?.id,
-        },
-        getTokenSecret(),
-        { expiresIn: getTokenLifetime() }
-      ),
+      accessToken,
     };
   }
 
@@ -214,7 +303,7 @@ class ADProvider extends StorageProviderBase {
     super(config);
   }
 
-  async login(login, password) {
+  async login(login, password, _options, req) {
     const adConfig = {
       url: this.config.adUrl,
       baseDN: this.config.adBaseDN,
@@ -225,6 +314,16 @@ class ADProvider extends StorageProviderBase {
     try {
       const res = await ad.authenticate(login, password);
       if (!res) {
+        sendToAuditLog(req, {
+          category: 'auth',
+          component: 'OauthProvider',
+          action: 'loginFail',
+          event: 'login.adRejected',
+          severity: 'warn',
+          detail: { login },
+          message: `AD rejected login for ${login}`,
+        });
+
         return { error: `Login failed, AD rejected login ${login}` };
       }
 
@@ -237,18 +336,47 @@ class ADProvider extends StorageProviderBase {
         }
       }
 
+      if (!(await isLoginLicensed(req, `ad:${login}`))) {
+        return { error: LOGIN_LIMIT_ERROR };
+      }
+
+      sendToAuditLog(req, {
+        category: 'auth',
+        component: 'ADProvider',
+        action: 'login',
+        event: 'login.ad',
+        severity: 'info',
+        detail: { login },
+        message: `User ${login} logged in via AD`,
+      });
+
+      const licenseUid = `ad:${login}`;
+      const accessToken = jwt.sign(
+        {
+          amoid: this.amoid,
+          login,
+          permissions,
+          licenseUid,
+        },
+        getTokenSecret(),
+        { expiresIn: getTokenLifetime() }
+      );
+      markTokenAsLoggedIn(licenseUid, accessToken);
+
       return {
-        accessToken: jwt.sign(
-          {
-            amoid: this.amoid,
-            login,
-            permissions,
-          },
-          getTokenSecret(),
-          { expiresIn: getTokenLifetime() }
-        ),
+        accessToken,
       };
     } catch (e) {
+      sendToAuditLog(req, {
+        category: 'auth',
+        component: 'OauthProvider',
+        action: 'loginFail',
+        event: 'login.adError',
+        severity: 'warn',
+        detail: { login, error: e.message },
+        message: `AD login error for ${login}`,
+      });
+
       return { error: `Login failed: ${e.message}` };
     }
   }
@@ -276,26 +404,56 @@ class DatabaseProvider extends StorageProviderBase {
     }));
   }
 
-  async login(login, password, options) {
+  async login(login, password, options, req) {
     const { conid } = options;
     const rows = login ? await storageSelectFmt('select * from ~users where ~login = %v', login) : [];
     if (this.config.dbloginOnlyDefinedLogins == 1 && rows.length == 0) {
-      return { error: 'Login not allowed' };
+      sendToAuditLog(req, {
+        category: 'auth',
+        component: 'DatabaseProvider',
+        action: 'loginFail',
+        event: 'login.dbLoginNotAllowed',
+        severity: 'warn',
+        detail: { login },
+        message: `Login ${login} not allowed to log in`,
+      });
+
+      return { error: 'Login not allowed', login };
     }
     const userId = rows[0]?.id;
     const permissions = await loadPermissionsForUserId(userId ?? -1);
+
+    if (!(await isLoginLicensed(req, `db:${login}`))) {
+      return { error: LOGIN_LIMIT_ERROR };
+    }
+
+    sendToAuditLog(req, {
+      category: 'auth',
+      component: 'DatabaseProvider',
+      action: 'login',
+      event: 'login.dbLogin',
+      severity: 'info',
+      detail: { login },
+      message: `User ${login} logged in via database`,
+    });
+
+    const licenseUid = `db:${login}`;
+    const accessToken = jwt.sign(
+      {
+        amoid: this.amoid,
+        login,
+        permissions,
+        userId,
+        conid,
+        licenseUid,
+      },
+      getTokenSecret(),
+      { expiresIn: getTokenLifetime() }
+    );
+    markTokenAsLoggedIn(licenseUid, accessToken);
+
     return {
-      accessToken: jwt.sign(
-        {
-          amoid: this.amoid,
-          login,
-          permissions,
-          userId,
-          conid,
-        },
-        getTokenSecret(),
-        { expiresIn: getTokenLifetime() }
-      ),
+      accessToken,
     };
   }
 
@@ -320,7 +478,7 @@ class MsEntraProvider extends StorageProviderBase {
     return null;
   }
 
-  async oauthToken(params) {
+  async oauthToken(params, req) {
     const { sid, code } = params;
 
     const token = await authProxyGetTokenFromCode({ sid, code });
@@ -336,26 +494,65 @@ class MsEntraProvider extends StorageProviderBase {
 
     if (this.config.msentraOnlyDefinedLogins == 1) {
       if (loginRows.length == 0) {
+        sendToAuditLog(req, {
+          category: 'auth',
+          component: 'MsEntraProvider',
+          action: 'loginFail',
+          event: 'login.msentraNotAllowed',
+          severity: 'warn',
+          detail: { email },
+          message: `Email ${email} not allowed to log in`,
+        });
+
         return { error: `Email ${email} not allowed to log in` };
       }
     }
 
     if (token) {
+      if (!(await isLoginLicensed(req, `msentra:${payload.unique_name}`))) {
+        return { error: LOGIN_LIMIT_ERROR };
+      }
+
+      sendToAuditLog(req, {
+        category: 'auth',
+        component: 'MsEntraProvider',
+        action: 'login',
+        event: 'login.msentra',
+        severity: 'info',
+        detail: { login: payload.unique_name, userId: loginRows[0]?.id },
+        message: `User ${payload.unique_name} logged in via MS Entra`,
+      });
+
+      const licenseUid = `msentra:${payload.unique_name}`;
+      const accessToken = jwt.sign(
+        {
+          amoid: this.amoid,
+          permissions,
+          msentraToken: token,
+          userId: loginRows[0]?.id,
+          login: payload.unique_name,
+          licenseUid,
+        },
+        getTokenSecret(),
+        { expiresIn: getTokenLifetime() }
+      );
+      markTokenAsLoggedIn(licenseUid, accessToken);
+
       return {
-        accessToken: jwt.sign(
-          {
-            amoid: this.amoid,
-            permissions,
-            msentraToken: token,
-            userId: loginRows[0]?.id,
-            login: payload.unique_name,
-          },
-          getTokenSecret(),
-          { expiresIn: getTokenLifetime() }
-        ),
+        accessToken,
       };
     }
 
+    sendToAuditLog(req, {
+      category: 'auth',
+      component: 'MsEntraProvider',
+      action: 'loginFail',
+      event: 'login.msentraNotFound',
+      severity: 'warn',
+      detail: { email },
+      message: `Token not found for email ${email}`,
+    });
+
     return { error: 'Token not found' };
   }
 

package/src/controllers/auth.js

@@ -13,8 +13,21 @@ const {
 } = require('../auth/authProvider');
 const storage = require('./storage');
 const { decryptPasswordString } = require('../utility/crypting');
-const { createDbGateIdentitySession, startCloudTokenChecking } = require('../utility/cloudIntf');
+const {
+  createDbGateIdentitySession,
+  startCloudTokenChecking,
+  readCloudTokenHolder,
+  readCloudTestTokenHolder,
+} = require('../utility/cloudIntf');
 const socket = require('../utility/socket');
+const { sendToAuditLog } = require('../utility/auditlog');
+const {
+  isLoginLicensed,
+  LOGIN_LIMIT_ERROR,
+  markTokenAsLoggedIn,
+  markUserAsActive,
+  markLoginAsLoggedOut,
+} = require('../utility/loginchecker');
 
 const logger = getLogger('auth');
 
@@ -54,6 +67,11 @@ function authMiddleware(req, res, next) {
 
   // const isAdminPage = req.headers['x-is-admin-page'] == 'true';
 
+  if (process.env.SKIP_ALL_AUTH) {
+    // API is not authorized for basic auth
+    return next();
+  }
+
   if (process.env.BASIC_AUTH) {
     // API is not authorized for basic auth
     return next();
@@ -72,6 +90,8 @@ function authMiddleware(req, res, next) {
   try {
     const decoded = jwt.verify(token, getTokenSecret());
     req.user = decoded;
+    markUserAsActive(decoded.licenseUid, token);
+
     return next();
   } catch (err) {
     if (skipAuth) {
@@ -87,12 +107,12 @@ function authMiddleware(req, res, next) {
 
 module.exports = {
   oauthToken_meta: true,
-  async oauthToken(params) {
+  async oauthToken(params, req) {
     const { amoid } = params;
-    return getAuthProviderById(amoid).oauthToken(params);
+    return getAuthProviderById(amoid).oauthToken(params, req);
   },
   login_meta: true,
-  async login(params) {
+  async login(params, req) {
     const { amoid, login, password, isAdminPage } = params;
 
     if (isAdminPage) {
@@ -102,25 +122,52 @@ module.exports = {
         adminPassword = decryptPasswordString(adminConfig?.adminPassword);
       }
       if (adminPassword && adminPassword == password) {
+        if (!(await isLoginLicensed(req, `superadmin`))) {
+          return { error: LOGIN_LIMIT_ERROR };
+        }
+
+        sendToAuditLog(req, {
+          category: 'auth',
+          component: 'AuthController',
+          action: 'login',
+          event: 'login.admin',
+          severity: 'info',
+          message: 'Administration login successful',
+        });
+
+        const licenseUid = `superadmin`;
+        const accessToken = jwt.sign(
+          {
+            login: 'superadmin',
+            permissions: await storage.loadSuperadminPermissions(),
+            roleId: -3,
+            licenseUid,
+          },
+          getTokenSecret(),
+          {
+            expiresIn: getTokenLifetime(),
+          }
+        );
+        markTokenAsLoggedIn(licenseUid, accessToken);
+
         return {
-          accessToken: jwt.sign(
-            {
-              login: 'superadmin',
-              permissions: await storage.loadSuperadminPermissions(),
-              roleId: -3,
-            },
-            getTokenSecret(),
-            {
-              expiresIn: getTokenLifetime(),
-            }
-          ),
+          accessToken,
         };
       }
 
+      sendToAuditLog(req, {
+        category: 'auth',
+        component: 'AuthController',
+        action: 'loginFail',
+        event: 'login.adminFailed',
+        severity: 'warn',
+        message: 'Administraton login failed',
+      });
+
       return { error: 'Login failed' };
     }
 
-    return getAuthProviderById(amoid).login(login, password);
+    return getAuthProviderById(amoid).login(login, password, undefined, req);
   },
 
   getProviders_meta: true,
@@ -138,8 +185,8 @@ module.exports = {
   },
 
   createCloudLoginSession_meta: true,
-  async createCloudLoginSession({ client }) {
-    const res = await createDbGateIdentitySession(client);
+  async createCloudLoginSession({ client, redirectUri }) {
+    const res = await createDbGateIdentitySession(client, redirectUri);
     startCloudTokenChecking(res.sid, tokenHolder => {
       socket.emit('got-cloud-token', tokenHolder);
       socket.emitChanged('cloud-content-changed');
@@ -148,5 +195,29 @@ module.exports = {
     return res;
   },
 
+  cloudLoginRedirected_meta: true,
+  async cloudLoginRedirected({ sid }) {
+    const tokenHolder = await readCloudTokenHolder(sid);
+    return tokenHolder;
+  },
+
+  cloudTestLogin_meta: true,
+  async cloudTestLogin({ email }) {
+    const tokenHolder = await readCloudTestTokenHolder(email);
+    return tokenHolder;
+  },
+
+  logoutAdmin_meta: true,
+  async logoutAdmin() {
+    await markLoginAsLoggedOut('superadmin');
+    return true;
+  },
+
+  logoutUser_meta: true,
+  async logoutUser({}, req) {
+    await markLoginAsLoggedOut(req?.user?.licenseUid);
+    return true;
+  },
+
   authMiddleware,
 };

package/src/controllers/cloud.js

@@ -258,4 +258,22 @@ module.exports = {
     await fs.writeFile(filePath, content);
     return true;
   },
+
+  folderUsers_meta: true,
+  async folderUsers({ folid }) {
+    const resp = await callCloudApiGet(`content-folders/users/${folid}`);
+    return resp;
+  },
+
+  setFolderUserRole_meta: true,
+  async setFolderUserRole({ folid, email, role }) {
+    const resp = await callCloudApiPost(`content-folders/set-user-role/${folid}`, { email, role });
+    return resp;
+  },
+
+  removeFolderUser_meta: true,
+  async removeFolderUser({ folid, email }) {
+    const resp = await callCloudApiPost(`content-folders/remove-user/${folid}`, { email });
+    return resp;
+  },
 };