hfs 0.26.8 → 0.27.2

package/src/misc.js

@@ -0,0 +1,160 @@
+"use strict";
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tryJson = exports.same = exports.isLocalHost = exports.with_ = exports.typedKeys = exports.objRenameKey = exports.onOff = exports.pendingPromise = exports.onlyTruthy = exports.truthy = exports.pattern2filter = exports.onFirstEvent = exports.onProcessExit = exports.randomId = exports.getOrSet = exports.wantArray = exports.wait = exports.objSameKeys = exports.setHidden = exports.prefix = exports.enforceFinal = exports.debounceAsync = void 0;
+const path_1 = require("path");
+const lodash_1 = __importDefault(require("lodash"));
+const assert_1 = __importDefault(require("assert"));
+__exportStar(require("./util-http"), exports);
+__exportStar(require("./util-generators"), exports);
+__exportStar(require("./util-files"), exports);
+const debounceAsync_1 = __importDefault(require("./debounceAsync"));
+exports.debounceAsync = debounceAsync_1.default;
+function enforceFinal(sub, s) {
+    return s.endsWith(sub) ? s : s + sub;
+}
+exports.enforceFinal = enforceFinal;
+function prefix(pre, v, post = '') {
+    return v ? pre + v + post : '';
+}
+exports.prefix = prefix;
+function setHidden(dest, src) {
+    return Object.defineProperties(dest, objSameKeys(src, value => ({
+        enumerable: false,
+        writable: true,
+        value,
+    })));
+}
+exports.setHidden = setHidden;
+function objSameKeys(src, newValue) {
+    return Object.fromEntries(Object.entries(src).map(([k, v]) => [k, newValue(v, k)]));
+}
+exports.objSameKeys = objSameKeys;
+function wait(ms) {
+    return new Promise(res => setTimeout(res, ms));
+}
+exports.wait = wait;
+function wantArray(x) {
+    return x == null ? [] : Array.isArray(x) ? x : [x];
+}
+exports.wantArray = wantArray;
+function getOrSet(o, k, creator) {
+    return k in o ? o[k]
+        : (o[k] = creator());
+}
+exports.getOrSet = getOrSet;
+// 10 chars is 51+bits, 8 is 41+bits
+function randomId(len = 10) {
+    if (len > 10)
+        return randomId(10) + randomId(len - 10);
+    return Math.random()
+        .toString(36)
+        .substring(2, 2 + len)
+        .replace(/l/g, 'L'); // avoid confusion reading l1
+}
+exports.randomId = randomId;
+const cbs = new Set();
+function onProcessExit(cb) {
+    cbs.add(cb);
+    return () => cbs.delete(cb);
+}
+exports.onProcessExit = onProcessExit;
+onFirstEvent(process, ['exit', 'SIGQUIT', 'SIGTERM', 'SIGINT', 'SIGHUP'], signal => Promise.allSettled(Array.from(cbs).map(cb => cb(signal))).then(() => process.exit(0)));
+function onFirstEvent(emitter, events, cb) {
+    let already = false;
+    for (const e of events)
+        emitter.on(e, (...args) => {
+            if (already)
+                return;
+            already = true;
+            cb(...args);
+        });
+}
+exports.onFirstEvent = onFirstEvent;
+function pattern2filter(pattern) {
+    const re = new RegExp(lodash_1.default.escapeRegExp(pattern), 'i');
+    return (s) => !s || !pattern || re.test((0, path_1.basename)(s));
+}
+exports.pattern2filter = pattern2filter;
+function truthy(value) {
+    return Boolean(value);
+}
+exports.truthy = truthy;
+function onlyTruthy(arr) {
+    return arr.filter(truthy);
+}
+exports.onlyTruthy = onlyTruthy;
+function pendingPromise() {
+    let takeOut;
+    const ret = new Promise((resolve, reject) => takeOut = { resolve, reject });
+    return Object.assign(ret, takeOut);
+}
+exports.pendingPromise = pendingPromise;
+// install multiple handlers and returns a handy 'uninstall' function which requires no parameter. Pass a map {event:handler}
+function onOff(em, events) {
+    events = { ...events }; // avoid later modifications, as we need this later for uninstallation
+    for (const [k, cb] of Object.entries(events))
+        for (const e of k.split(' '))
+            em.on(e, cb);
+    return () => {
+        for (const [k, cb] of Object.entries(events))
+            for (const e of k.split(' '))
+                em.off(e, cb);
+    };
+}
+exports.onOff = onOff;
+function objRenameKey(o, from, to) {
+    if (!o || !o.hasOwnProperty(from) || from === to)
+        return;
+    o[to] = o[from];
+    delete o[from];
+    return true;
+}
+exports.objRenameKey = objRenameKey;
+function typedKeys(o) {
+    return Object.keys(o);
+}
+exports.typedKeys = typedKeys;
+function with_(par, cb) {
+    return cb(par);
+}
+exports.with_ = with_;
+function isLocalHost(c) {
+    const ip = c.socket.remoteAddress; // don't use Context.ip as it is subject to proxied ips, and that's no use for localhost detection
+    return ip && (ip === '::1' || ip.endsWith('127.0.0.1'));
+}
+exports.isLocalHost = isLocalHost;
+function same(a, b) {
+    try {
+        assert_1.default.deepStrictEqual(a, b);
+        return true;
+    }
+    catch (_a) {
+        return false;
+    }
+}
+exports.same = same;
+function tryJson(s) {
+    try {
+        return s && JSON.parse(s);
+    }
+    catch (_a) { }
+}
+exports.tryJson = tryJson;

package/src/pbkdf2.js

@@ -0,0 +1,74 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.pbkdf2Verify = exports.pbkdf2 = void 0;
+// @ts-nocheck
+const node_crypto_1 = require("node:crypto");
+// FROM https://gist.github.com/chrisveness/770ee96945ec12ac84f134bf538d89fb
+/**
+ * Returns PBKDF2 derived key from supplied password.
+ *
+ * Stored key can subsequently be used to verify that a password matches the original password used
+ * to derive the key, using pbkdf2Verify().
+ *
+ * @param   {String} password - Password to be hashed using key derivation function.
+ * @param   {Number} [iterations=1e6] - Number of iterations of HMAC function to apply.
+ * @returns {String} Derived key as base64 string.
+ *
+ * @example
+ *   const key = await pbkdf2('pāşšŵōřđ'); // eg 'djAxBRKXWNWPyXgpKWHld8SWJA9CQFmLyMbNet7Rle5RLKJAkBCllLfM6tPFa7bAis0lSTiB'
+ */
+async function pbkdf2(password, iterations = 1e6) {
+    const pwUtf8 = new TextEncoder().encode(password); // encode pw as UTF-8
+    const pwKey = await node_crypto_1.webcrypto.subtle.importKey('raw', pwUtf8, 'PBKDF2', false, ['deriveBits']); // create pw key
+    const saltUint8 = node_crypto_1.webcrypto.getRandomValues(new Uint8Array(16)); // get random salt
+    const params = { name: 'PBKDF2', hash: 'SHA-256', salt: saltUint8, iterations: iterations }; // pbkdf2 params
+    const keyBuffer = await node_crypto_1.webcrypto.subtle.deriveBits(params, pwKey, 256); // derive key
+    const keyArray = Array.from(new Uint8Array(keyBuffer)); // key as byte array
+    const saltArray = Array.from(new Uint8Array(saltUint8)); // salt as byte array
+    const iterHex = ('000000' + iterations.toString(16)).slice(-6); // iter’n count as hex
+    const iterArray = iterHex.match(/.{2}/g).map(byte => parseInt(byte, 16)); // iter’ns as byte array
+    const compositeArray = [].concat(saltArray, iterArray, keyArray); // combined array
+    const compositeStr = compositeArray.map(byte => String.fromCharCode(byte)).join(''); // combined as string
+    // encode as base64
+    return btoa('v01' + compositeStr); // return composite key
+}
+exports.pbkdf2 = pbkdf2;
+/**
+ * Verifies whether the supplied password matches the password previously used to generate the key.
+ *
+ * @param   {String}  key - Key previously generated with pbkdf2().
+ * @param   {String}  password - Password to be matched against previously derived key.
+ * @returns {boolean} Whether password matches key.
+ *
+ * @example
+ *   const match = await pbkdf2Verify(key, 'pāşšŵōřđ'); // true
+ */
+async function pbkdf2Verify(key, password) {
+    let compositeStr = null; // composite key is salt, iteration count, and derived key
+    try {
+        compositeStr = atob(key);
+    }
+    catch (e) {
+        throw new Error('Invalid key');
+    } // decode from base64
+    const version = compositeStr.slice(0, 3); //  3 bytes
+    const saltStr = compositeStr.slice(3, 19); // 16 bytes (128 bits)
+    const iterStr = compositeStr.slice(19, 22); //  3 bytes
+    const keyStr = compositeStr.slice(22, 54); // 32 bytes (256 bits)
+    if (version !== 'v01')
+        throw new Error('Invalid key');
+    // -- recover salt & iterations from stored (composite) key
+    const saltUint8 = new Uint8Array(saltStr.match(/./g).map(ch => ch.charCodeAt(0))); // salt as Uint8Array
+    // note: cannot use TextEncoder().encode(saltStr) as it generates UTF-8
+    const iterHex = iterStr.match(/./g).map(ch => ch.charCodeAt(0).toString(16)).join(''); // iter’n count as hex
+    const iterations = parseInt(iterHex, 16); // iter’ns
+    // -- generate new key from stored salt & iterations and supplied password
+    const pwUtf8 = new TextEncoder().encode(password); // encode pw as UTF-8
+    const pwKey = await node_crypto_1.webcrypto.subtle.importKey('raw', pwUtf8, 'PBKDF2', false, ['deriveBits']); // create pw key
+    const params = { name: 'PBKDF2', hash: 'SHA-256', salt: saltUint8, iterations: iterations }; // pbkdf params
+    const keyBuffer = await node_crypto_1.webcrypto.subtle.deriveBits(params, pwKey, 256); // derive key
+    const keyArray = Array.from(new Uint8Array(keyBuffer)); // key as byte array
+    const keyStrNew = keyArray.map(byte => String.fromCharCode(byte)).join(''); // key as string
+    return keyStrNew === keyStr; // test if newly generated key matches stored key
+}
+exports.pbkdf2Verify = pbkdf2Verify;

package/src/perm.js

@@ -0,0 +1,183 @@
+"use strict";
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.anyAccountCanLoginAdmin = exports.accountCanLoginAdmin = exports.accountCanLogin = exports.accountHasPassword = exports.getFromAccount = exports.delAccount = exports.setAccount = exports.addAccount = exports.renameAccount = exports.normalizeUsername = exports.accountsConfig = exports.updateAccount = exports.allowClearTextLogin = exports.saveSrpInfo = exports.getAccount = exports.getCurrentUsernameExpanded = exports.getCurrentUsername = void 0;
+const lodash_1 = __importDefault(require("lodash"));
+const crypt_1 = require("./crypt");
+const misc_1 = require("./misc");
+const config_1 = require("./config");
+const tssrp6a_1 = require("tssrp6a");
+const events_1 = __importDefault(require("./events"));
+let accounts = {};
+function getCurrentUsername(ctx) {
+    var _a;
+    return ((_a = ctx.state.account) === null || _a === void 0 ? void 0 : _a.username) || '';
+}
+exports.getCurrentUsername = getCurrentUsername;
+// provides the username and all other usernames it inherits based on the 'belongs' attribute. Useful to check permissions
+function getCurrentUsernameExpanded(ctx) {
+    const who = getCurrentUsername(ctx);
+    if (!who)
+        return [];
+    const ret = [who];
+    for (const u of ret) {
+        const a = getAccount(u);
+        if (a === null || a === void 0 ? void 0 : a.belongs)
+            ret.push(...a.belongs);
+    }
+    return ret;
+}
+exports.getCurrentUsernameExpanded = getCurrentUsernameExpanded;
+function getAccount(username, normalize = true) {
+    if (normalize)
+        username = normalizeUsername(username);
+    return username ? accounts[username] : undefined;
+}
+exports.getAccount = getAccount;
+function saveSrpInfo(account, salt, verifier) {
+    account.srp = String(salt) + '|' + String(verifier);
+}
+exports.saveSrpInfo = saveSrpInfo;
+exports.allowClearTextLogin = (0, config_1.defineConfig)('allow_clear_text_login');
+const srp6aNimbusRoutines = new tssrp6a_1.SRPRoutines(new tssrp6a_1.SRPParameters());
+async function updateAccount(account, changer) {
+    const was = JSON.stringify(account);
+    await (changer === null || changer === void 0 ? void 0 : changer(account));
+    const { username } = account;
+    if (account.password) {
+        console.debug('hashing password for', username);
+        if (exports.allowClearTextLogin.get())
+            account.hashed_password = await (0, crypt_1.hashPassword)(account.password);
+        const res = await (0, tssrp6a_1.createVerifierAndSalt)(srp6aNimbusRoutines, username, account.password);
+        saveSrpInfo(account, res.s, res.v);
+        delete account.password;
+    }
+    else if (!account.srp && account.hashed_password) {
+        console.log('please reset password for account', username);
+        process.exit(1);
+    }
+    if (account.belongs) {
+        account.belongs = (0, misc_1.wantArray)(account.belongs);
+        lodash_1.default.remove(account.belongs, b => {
+            if (b in accounts)
+                return;
+            console.error(`account ${username} belongs to non-existing ${b}`);
+            return true;
+        });
+    }
+    if (was !== JSON.stringify(account))
+        saveAccountsAsap();
+}
+exports.updateAccount = updateAccount;
+const saveAccountsAsap = () => { (0, config_1.saveConfigAsap)().then(); };
+exports.accountsConfig = (0, config_1.defineConfig)('accounts', {});
+exports.accountsConfig.sub(obj => {
+    // consider some validation here
+    lodash_1.default.each(accounts = obj, (rec, k) => {
+        const norm = normalizeUsername(k);
+        if ((rec === null || rec === void 0 ? void 0 : rec.username) !== norm) {
+            if (!rec) // an empty object in yaml is parsed as null
+                rec = obj[norm] = { username: norm };
+            else if ((0, misc_1.objRenameKey)(obj, k, norm))
+                saveAccountsAsap();
+            (0, misc_1.setHidden)(rec, { username: norm });
+        }
+        updateAccount(rec).then(); // work password fields
+    });
+});
+function normalizeUsername(username) {
+    return username.toLocaleLowerCase();
+}
+exports.normalizeUsername = normalizeUsername;
+function renameAccount(from, to) {
+    from = normalizeUsername(from);
+    to = normalizeUsername(to);
+    if (!to || !accounts[from] || accounts[to])
+        return false;
+    if (to === from)
+        return true;
+    (0, misc_1.objRenameKey)(accounts, from, to);
+    updateReferences();
+    saveAccountsAsap();
+    return true;
+    function updateReferences() {
+        var _a;
+        (0, misc_1.setHidden)(accounts[to], { username: to });
+        for (const a of Object.values(accounts)) {
+            const idx = (_a = a.belongs) === null || _a === void 0 ? void 0 : _a.indexOf(from);
+            if (idx !== undefined && idx >= 0)
+                a.belongs[idx] = to;
+        }
+        events_1.default.emit('accountRenamed', from, to); // everybody, take care of your stuff
+    }
+}
+exports.renameAccount = renameAccount;
+// we consider all the following fields, when falsy, as equivalent to be missing. If this changes in the future, please adjust addAccount and setAccount
+const assignableProps = ['redirect', 'ignore_limits', 'belongs', 'admin'];
+function addAccount(username, props) {
+    username = normalizeUsername(username);
+    if (!username || getAccount(username, false))
+        return;
+    const filteredProps = lodash_1.default.pickBy(lodash_1.default.pick(props, assignableProps), Boolean);
+    const copy = (0, misc_1.setHidden)(filteredProps, { username }); // have the field in the object but hidden so that stringification won't include it
+    exports.accountsConfig.set(accounts => Object.assign(accounts, { [username]: copy }));
+    return copy;
+}
+exports.addAccount = addAccount;
+function setAccount(username, changes) {
+    const acc = getAccount(username);
+    if (!acc)
+        return false;
+    const rest = lodash_1.default.pick(changes, assignableProps);
+    for (const [k, v] of Object.entries(rest))
+        if (!v)
+            rest[k] = undefined;
+    Object.assign(acc, rest);
+    if (changes.username)
+        renameAccount(username, changes.username);
+    saveAccountsAsap();
+    return acc;
+}
+exports.setAccount = setAccount;
+function delAccount(username) {
+    if (!getAccount(username))
+        return false;
+    exports.accountsConfig.set(accounts => Object.assign(accounts, { [normalizeUsername(username)]: undefined }));
+    saveAccountsAsap();
+    return true;
+}
+exports.delAccount = delAccount;
+// get some property from account, searching in its groups if necessary. Search is breadth-first, and this determines priority of inheritance.
+function getFromAccount(account, getter) {
+    const search = [account];
+    for (const accountOrUsername of search) {
+        const a = typeof accountOrUsername === 'string' ? getAccount(accountOrUsername) : accountOrUsername;
+        if (!a)
+            continue;
+        const res = getter(a);
+        if (res !== undefined)
+            return res;
+        if (a.belongs)
+            search.push(...a.belongs);
+    }
+}
+exports.getFromAccount = getFromAccount;
+function accountHasPassword(account) {
+    return Boolean(account.password || account.hashed_password || account.srp);
+}
+exports.accountHasPassword = accountHasPassword;
+function accountCanLogin(account) {
+    return accountHasPassword(account);
+}
+exports.accountCanLogin = accountCanLogin;
+function accountCanLoginAdmin(account) {
+    return accountCanLogin(account) && Boolean(getFromAccount(account, a => a.admin));
+}
+exports.accountCanLoginAdmin = accountCanLoginAdmin;
+function anyAccountCanLoginAdmin() {
+    return Boolean(lodash_1.default.find(exports.accountsConfig.get(), accountCanLoginAdmin));
+}
+exports.anyAccountCanLoginAdmin = anyAccountCanLoginAdmin;