parse-dashboard 3.0.0

package/Parse-Dashboard/CLI/mfa.js

@@ -0,0 +1,225 @@
+const crypto = require('crypto');
+const inquirer = require('inquirer');
+const OTPAuth = require('otpauth');
+const { copy } = require('./utils.js');
+const phrases = {
+  enterPassword: 'Enter a password:',
+  enterUsername: 'Enter a username:',
+  enterAppName: 'Enter the app name:',
+}
+const getAlgorithm = async () => {
+  let { algorithm } = await inquirer.prompt([
+    {
+      type: 'list',
+      name: 'algorithm',
+      message: 'Which hashing algorithm do you want to use?',
+      default: 'SHA1',
+      choices: [
+        'SHA1',
+        'SHA224',
+        'SHA256',
+        'SHA384',
+        'SHA512',
+        'SHA3-224',
+        'SHA3-256',
+        'SHA3-384',
+        'SHA3-512',
+        'Other'
+      ]
+    }
+  ]);
+  if (algorithm === 'Other') {
+    const result = await inquirer.prompt([
+      {
+        type: 'input',
+        name: 'algorithm',
+        message: 'Enter the hashing algorithm you want to use:'
+      }
+    ]);
+    algorithm = result.algorithm;
+  }
+  const { digits, period } = await inquirer.prompt([
+    {
+      type: 'number',
+      name: 'digits',
+      default: 6,
+      message: 'Enter the number of digits the one-time password should have:'
+    },
+    {
+      type: 'number',
+      name: 'period',
+      default: 30,
+      message: 'Enter how long the one-time password should be valid (in seconds):'
+    }
+  ])
+  return { algorithm, digits, period};
+};
+const generateSecret = ({ app, username, algorithm, digits, period }) => {
+  const secret = new OTPAuth.Secret();
+  const totp = new OTPAuth.TOTP({
+    issuer: app,
+    label: username,
+    algorithm,
+    digits,
+    period,
+    secret
+  });
+  const url = totp.toString();
+  return { secret: secret.base32, url };
+};
+const showQR = text => {
+  const QRCode = require('qrcode');
+  QRCode.toString(text, { type: 'terminal' }, (err, url) => {
+    console.log(
+      '\n------------------------------------------------------------------------------' +
+      `\n\n${url}`
+    );
+  });
+};
+
+const showInstructions = ({ app, username, passwordCopied, secret, url, encrypt, config }) => {
+  let orderCounter = 0;
+  const getOrder = () => {
+    orderCounter++;
+    return orderCounter;
+  }
+  console.log(
+    '------------------------------------------------------------------------------' +
+    '\n\nFollow these steps to complete the set-up:'
+  );
+
+  console.log(
+    `\n${getOrder()}. Add the following settings for user "${username}" ${app ? `in app "${app}" ` : '' }to the Parse Dashboard configuration.` +
+    `\n\n   ${JSON.stringify(config)}`
+  );
+
+  if (passwordCopied) {
+    console.log(
+      `\n${getOrder()}. Securely store the generated login password that has been copied to your clipboard.`
+    );
+  }
+
+  if (secret) {
+    console.log(
+      `\n${getOrder()}. Open the authenticator app to scan the QR code above or enter this secret code:` + 
+      `\n\n   ${secret}` + 
+      '\n\n   If the secret code generates incorrect one-time passwords, try this alternative:' +
+      `\n\n   ${url}` + 
+      `\n\n${getOrder()}. Destroy any records of the QR code and the secret code to secure the account.`
+    );
+  }
+  
+  if (encrypt) {
+    console.log(
+      `\n${getOrder()}. Make sure that "useEncryptedPasswords" is set to "true" in your dashboard configuration.` +
+      '\n   You chose to generate an encrypted password for this user.' +
+      '\n   Any existing users with non-encrypted passwords will require newly created, encrypted passwords.'
+      );
+  }
+  console.log(
+    '\n------------------------------------------------------------------------------\n'
+  );
+}
+
+module.exports = {
+  async createUser() {
+    const data = {};
+
+    console.log('');
+    const { username, password } = await inquirer.prompt([
+      {
+        type: 'input',
+        name: 'username',
+        message: phrases.enterUsername
+      },
+      {
+        type: 'confirm',
+        name: 'password',
+        message: 'Do you want to auto-generate a password?'
+      }
+    ]);
+    data.user = username;
+    if (!password) {
+      const { password } = await inquirer.prompt([
+        {
+          type: 'password',
+          name: 'password',
+          message: phrases.enterPassword
+        }
+      ]);
+      data.pass = password;
+    } else {
+      const password = crypto.randomBytes(20).toString('base64');
+      data.pass = password;
+    }
+    const { mfa, encrypt } = await inquirer.prompt([
+      {
+        type: 'confirm',
+        name: 'encrypt',
+        message: 'Should the password be encrypted? (strongly recommended, otherwise it is stored in clear-text)'
+      },
+      {
+        type: 'confirm',
+        name: 'mfa',
+        message: 'Do you want to enable multi-factor authentication?'
+      }
+    ]);
+    if (encrypt) {
+      // Copy the raw password to clipboard
+      copy(data.pass);
+
+      // Encrypt password
+      const bcrypt = require('bcryptjs');
+      const salt = bcrypt.genSaltSync(10);
+      data.pass = bcrypt.hashSync(data.pass, salt);
+    }
+    if (mfa) {
+      const { app } = await inquirer.prompt([
+        {
+          type: 'input',
+          name: 'app',
+          message: phrases.enterAppName
+        }
+      ]);
+      const { algorithm, digits, period } = await getAlgorithm();
+      const { secret, url } = generateSecret({ app, username, algorithm, digits, period });
+      data.mfa = secret;
+      data.app = app;
+      data.url = url;
+      if (algorithm !== 'SHA1') {
+        data.mfaAlgorithm = algorithm;
+      }
+      showQR(data.url);
+    }
+
+    const config = { mfa: data.mfa, user: data.user, pass: data.pass };
+    showInstructions({ app: data.app, username, passwordCopied: true, secret: data.mfa, url: data.url, encrypt, config });
+  },
+  async createMFA() {
+    console.log('');
+    const { username, app } = await inquirer.prompt([
+      {
+        type: 'input',
+        name: 'username',
+        message:
+          'Enter the username for which you want to enable multi-factor authentication:'
+      },
+      {
+        type: 'input',
+        name: 'app',
+        message: phrases.enterAppName
+      }
+    ]);
+    const { algorithm, digits, period } = await getAlgorithm();
+
+    const { url, secret } = generateSecret({ app, username, algorithm, digits, period });
+    showQR(url);
+    
+    // Compose config
+    const config = { mfa: secret };
+    if (algorithm !== 'SHA1') {
+      config.mfaAlgorithm = algorithm;
+    }
+    showInstructions({ app, username, secret, url, config });
+  }
+};

package/Parse-Dashboard/CLI/utils.js

@@ -0,0 +1,7 @@
+module.exports = {
+  copy(text) {
+    const proc = require('child_process').spawn('pbcopy');
+    proc.stdin.write(text);
+    proc.stdin.end();
+  }
+}

package/Parse-Dashboard/CLIHelper.js

@@ -0,0 +1,6 @@
+const { createUser, createMFA } = require('./CLI/mfa');
+
+module.exports = {
+  createUser,
+  createMFA
+};

package/Parse-Dashboard/app.js

@@ -0,0 +1,229 @@
+'use strict';
+const express = require('express');
+const path = require('path');
+const packageJson = require('package-json');
+const csrf = require('csurf');
+const Authentication = require('./Authentication.js');
+var fs = require('fs');
+
+const currentVersionFeatures = require('../package.json').parseDashboardFeatures;
+
+var newFeaturesInLatestVersion = [];
+packageJson('parse-dashboard', 'latest').then(latestPackage => {
+  if (latestPackage.parseDashboardFeatures instanceof Array) {
+    newFeaturesInLatestVersion = latestPackage.parseDashboardFeatures.filter(feature => {
+      return currentVersionFeatures.indexOf(feature) === -1;
+    });
+  }
+});
+
+function getMount(mountPath) {
+  mountPath = mountPath || '';
+  if (!mountPath.endsWith('/')) {
+    mountPath += '/';
+  }
+  return mountPath;
+}
+
+function checkIfIconsExistForApps(apps, iconsFolder) {
+  for (var i in apps) {
+    var currentApp = apps[i];
+    var iconName = currentApp.iconName;
+    var path = iconsFolder + '/' + iconName;
+
+    fs.stat(path, function(err) {
+      if (err) {
+          if ('ENOENT' == err.code) {// file does not exist
+              console.warn('Icon with file name: ' + iconName +' couldn\'t be found in icons folder!');
+          } else {
+            console.log(
+              'An error occurd while checking for icons, please check permission!');
+          }
+      } else {
+          //every thing was ok so for example you can read it and send it to client
+      }
+  } );
+  }
+}
+
+module.exports = function(config, options) {
+  options = options || {};
+  var app = express();
+  // Serve public files.
+  app.use(express.static(path.join(__dirname,'public')));
+
+  // Allow setting via middleware
+  if (config.trustProxy && app.disabled('trust proxy')) {
+    app.enable('trust proxy');
+  }
+
+  // wait for app to mount in order to get mountpath
+  app.on('mount', function() {
+    const mountPath = getMount(app.mountpath);
+    const users = config.users;
+    const useEncryptedPasswords = config.useEncryptedPasswords ? true : false;
+    const authInstance = new Authentication(users, useEncryptedPasswords, mountPath);
+    authInstance.initialize(app, { cookieSessionSecret: options.cookieSessionSecret });
+
+    // CSRF error handler
+    app.use(function (err, req, res, next) {
+      if (err.code !== 'EBADCSRFTOKEN') return next(err)
+
+      // handle CSRF token errors here
+      res.status(403)
+      res.send('form tampered with')
+    });
+
+    // Serve the configuration.
+    app.get('/parse-dashboard-config.json', function(req, res) {
+      let apps = config.apps.map((app) => Object.assign({}, app)); // make a copy
+      let response = {
+        apps: apps,
+        newFeaturesInLatestVersion: newFeaturesInLatestVersion,
+      };
+
+      //Based on advice from Doug Wilson here:
+      //https://github.com/expressjs/express/issues/2518
+      const requestIsLocal =
+        req.connection.remoteAddress === '127.0.0.1' ||
+        req.connection.remoteAddress === '::ffff:127.0.0.1' ||
+        req.connection.remoteAddress === '::1';
+      if (!options.dev && !requestIsLocal) {
+        if (!req.secure && !options.allowInsecureHTTP) {
+          //Disallow HTTP requests except on localhost, to prevent the master key from being transmitted in cleartext
+          return res.send({ success: false, error: 'Parse Dashboard can only be remotely accessed via HTTPS' });
+        }
+
+        if (!users) {
+          //Accessing the dashboard over the internet can only be done with username and password
+          return res.send({ success: false, error: 'Configure a user to access Parse Dashboard remotely' });
+        }
+      }
+      const authentication = req.user;
+
+      const successfulAuth = authentication && authentication.isAuthenticated;
+      const appsUserHasAccess = authentication && authentication.appsUserHasAccessTo;
+      const isReadOnly = authentication && authentication.isReadOnly;
+      // User is full read-only, replace the masterKey by the read-only one
+      if (isReadOnly) {
+        response.apps = response.apps.map((app) => {
+          app.masterKey = app.readOnlyMasterKey;
+          if (!app.masterKey) {
+            throw new Error('You need to provide a readOnlyMasterKey to use read-only features.');
+          }
+          return app;
+        });
+      }
+
+      if (successfulAuth) {
+        if (appsUserHasAccess) {
+          // Restric access to apps defined in user dictionary
+          // If they didn't supply any app id, user will access all apps
+          response.apps = response.apps.filter(function (app) {
+            return appsUserHasAccess.find(appUserHasAccess => {
+              const isSame = app.appId === appUserHasAccess.appId;
+              if (isSame && appUserHasAccess.readOnly) {
+                app.masterKey = app.readOnlyMasterKey;
+              }
+              return isSame;
+            })
+          });
+        }
+        // They provided correct auth
+        return res.json(response);
+      }
+
+      if (users) {
+        //They provided incorrect auth
+        return res.sendStatus(401);
+      }
+
+      //They didn't provide auth, and have configured the dashboard to not need auth
+      //(ie. didn't supply usernames and passwords)
+      if (requestIsLocal || options.dev) {
+        //Allow no-auth access on localhost only, if they have configured the dashboard to not need auth
+        return res.json(response);
+      }
+      //We shouldn't get here. Fail closed.
+      res.send({ success: false, error: 'Something went wrong.' });
+    });
+
+    // Serve the app icons. Uses the optional `iconsFolder` parameter as
+    // directory name, that was setup in the config file.
+    // We are explicitly not using `__dirpath` here because one may be
+    // running parse-dashboard from globally installed npm.
+    if (config.iconsFolder) {
+      try {
+        var stat = fs.statSync(config.iconsFolder);
+        if (stat.isDirectory()) {
+          app.use('/appicons', express.static(config.iconsFolder));
+          //Check also if the icons really exist
+          checkIfIconsExistForApps(config.apps, config.iconsFolder);
+        }
+      } catch (e) {
+        // Directory doesn't exist or something.
+        console.warn('Iconsfolder at path: ' + config.iconsFolder +
+          ' not found!');
+      }
+    }
+
+    app.get('/login', csrf(), function(req, res) {
+      if (!users || (req.user && req.user.isAuthenticated)) {
+        return res.redirect(`${mountPath}apps`);
+      }
+
+      let errors = req.flash('error');
+      if (errors && errors.length) {
+        errors = `<div id="login_errors" style="display: none;">
+          ${errors.join(' ')}
+        </div>`
+      }
+      res.send(`<!DOCTYPE html>
+        <head>
+          <link rel="shortcut icon" type="image/x-icon" href="${mountPath}favicon.ico" />
+          <base href="${mountPath}"/>
+          <script>
+            PARSE_DASHBOARD_PATH = "${mountPath}";
+          </script>
+        </head>
+        <html>
+          <title>Parse Dashboard</title>
+          <body>
+            <div id="login_mount"></div>
+            ${errors}
+            <script id="csrf" type="application/json">"${req.csrfToken()}"</script>
+            <script src="${mountPath}bundles/login.bundle.js"></script>
+          </body>
+        </html>
+      `);
+    });
+
+    // For every other request, go to index.html. Let client-side handle the rest.
+    app.get('/*', function(req, res) {
+      if (users && (!req.user || !req.user.isAuthenticated)) {
+        return res.redirect(`${mountPath}login`);
+      }
+      if (users && req.user && req.user.matchingUsername ) {
+        res.append('username', req.user.matchingUsername);
+      }
+      res.send(`<!DOCTYPE html>
+        <head>
+          <link rel="shortcut icon" type="image/x-icon" href="${mountPath}favicon.ico" />
+          <base href="${mountPath}"/>
+          <script>
+            PARSE_DASHBOARD_PATH = "${mountPath}";
+          </script>
+        </head>
+        <html>
+          <title>Parse Dashboard</title>
+          <body>
+            <div id="browser_mount"></div>
+            <script src="${mountPath}bundles/dashboard.bundle.js"></script>
+          </body>
+        </html>
+      `);
+    });
+  });
+
+  return app;
+}

package/Parse-Dashboard/index.js

@@ -0,0 +1,199 @@
+/*
+ * Copyright (c) 2016-present, Parse, LLC
+ * All rights reserved.
+ *
+ * This source code is licensed under the license found in the LICENSE file in
+ * the root directory of this source tree.
+ */
+// Command line tool for npm start
+'use strict'
+const path = require('path');
+const jsonFile = require('json-file-plus');
+const express = require('express');
+const parseDashboard = require('./app');
+const CLIHelper = require('./CLIHelper.js');
+
+const program = require('commander');
+program.option('--appId [appId]', 'the app Id of the app you would like to manage.');
+program.option('--masterKey [masterKey]', 'the master key of the app you would like to manage.');
+program.option('--serverURL [serverURL]', 'the server url of the app you would like to manage.');
+program.option('--graphQLServerURL [graphQLServerURL]', 'the GraphQL server url of the app you would like to manage.');
+program.option('--dev', 'Enable development mode. This will disable authentication and allow non HTTPS connections. DO NOT ENABLE IN PRODUCTION SERVERS');
+program.option('--appName [appName]', 'the name of the app you would like to manage. Optional.');
+program.option('--config [config]', 'the path to the configuration file');
+program.option('--host [host]', 'the host to run parse-dashboard');
+program.option('--port [port]', 'the port to run parse-dashboard');
+program.option('--mountPath [mountPath]', 'the mount path to run parse-dashboard');
+program.option('--allowInsecureHTTP [allowInsecureHTTP]', 'set this flag when you are running the dashboard behind an HTTPS load balancer or proxy with early SSL termination.');
+program.option('--sslKey [sslKey]', 'the path to the SSL private key.');
+program.option('--sslCert [sslCert]', 'the path to the SSL certificate.');
+program.option('--trustProxy [trustProxy]', 'set this flag when you are behind a front-facing proxy, such as when hosting on Heroku.  Uses X-Forwarded-* headers to determine the client\'s connection and IP address.');
+program.option('--cookieSessionSecret [cookieSessionSecret]', 'set the cookie session secret, defaults to a random string. You should set that value if you want sessions to work across multiple server, or across restarts');
+program.option('--createUser', 'helper tool to allow you to generate secure user passwords and secrets. Use this on trusted devices only.');
+program.option('--createMFA', 'helper tool to allow you to generate multi-factor authentication secrets.');
+
+program.parse(process.argv);
+
+for (const key in program) {
+  const func = CLIHelper[key];
+  if (func && typeof func === 'function') {
+    func();
+    return;
+  }
+}
+
+const host = program.host || process.env.HOST || '0.0.0.0';
+const port = program.port || process.env.PORT || 4040;
+const mountPath = program.mountPath || process.env.MOUNT_PATH || '/';
+const allowInsecureHTTP = program.allowInsecureHTTP || process.env.PARSE_DASHBOARD_ALLOW_INSECURE_HTTP;
+const cookieSessionSecret = program.cookieSessionSecret || process.env.PARSE_DASHBOARD_COOKIE_SESSION_SECRET;
+const trustProxy = program.trustProxy || process.env.PARSE_DASHBOARD_TRUST_PROXY;
+const dev = program.dev;
+
+if (trustProxy && allowInsecureHTTP) {
+  console.log('Set only trustProxy *or* allowInsecureHTTP, not both.  Only one is needed to handle being behind a proxy.');
+  process.exit(-1);
+}
+
+let explicitConfigFileProvided = !!program.config;
+let configFile = null;
+let configFromCLI = null;
+let configServerURL = program.serverURL || process.env.PARSE_DASHBOARD_SERVER_URL;
+let configGraphQLServerURL = program.graphQLServerURL || process.env.PARSE_DASHBOARD_GRAPHQL_SERVER_URL;
+let configMasterKey = program.masterKey || process.env.PARSE_DASHBOARD_MASTER_KEY;
+let configAppId = program.appId || process.env.PARSE_DASHBOARD_APP_ID;
+let configAppName = program.appName || process.env.PARSE_DASHBOARD_APP_NAME;
+let configUserId = program.userId || process.env.PARSE_DASHBOARD_USER_ID;
+let configUserPassword = program.userPassword || process.env.PARSE_DASHBOARD_USER_PASSWORD;
+let configSSLKey = program.sslKey || process.env.PARSE_DASHBOARD_SSL_KEY;
+let configSSLCert = program.sslCert || process.env.PARSE_DASHBOARD_SSL_CERT;
+
+function handleSIGs(server) {
+  const signals = {
+    'SIGINT': 2,
+    'SIGTERM': 15
+  };
+  function shutdown(signal, value) {
+    server.close(function () {
+      console.log('server stopped by ' + signal);
+      process.exit(128 + value);
+    });
+  }
+  Object.keys(signals).forEach(function (signal) {
+    process.on(signal, function () {
+      shutdown(signal, signals[signal]);
+    });
+  });
+}
+
+if (!program.config && !process.env.PARSE_DASHBOARD_CONFIG) {
+  if (configServerURL && configMasterKey && configAppId) {
+    configFromCLI = {
+      data: {
+        apps: [
+          {
+            appId: configAppId,
+            serverURL: configServerURL,
+            masterKey: configMasterKey,
+            appName: configAppName,
+          },
+        ]
+      }
+    };
+    if (configGraphQLServerURL) {
+      configFromCLI.data.apps[0].graphQLServerURL = configGraphQLServerURL;
+    }
+    if (configUserId && configUserPassword) {
+      configFromCLI.data.users = [
+        {
+          user: configUserId,
+          pass: configUserPassword,
+        }
+      ];
+    }
+  } else if (!configServerURL && !configMasterKey && !configAppName) {
+    configFile = path.join(__dirname, 'parse-dashboard-config.json');
+  }
+} else if (!program.config && process.env.PARSE_DASHBOARD_CONFIG) {
+  configFromCLI = {
+    data: JSON.parse(process.env.PARSE_DASHBOARD_CONFIG)
+  };
+} else {
+  configFile = program.config;
+  if (program.appId || program.serverURL || program.masterKey || program.appName || program.graphQLServerURL) {
+    console.log('You must provide either a config file or other CLI options (appName, appId, masterKey, serverURL, and graphQLServerURL); not both.');
+    process.exit(3);
+  }
+}
+
+let p = null;
+let configFilePath = null;
+if (configFile) {
+  p = jsonFile(configFile);
+  configFilePath = path.dirname(configFile);
+} else if (configFromCLI) {
+  p = Promise.resolve(configFromCLI);
+} else {
+  //Failed to load default config file.
+  console.log('You must provide either a config file or an app ID, Master Key, and server URL. See parse-dashboard --help for details.');
+  process.exit(4);
+}
+p.then(config => {
+  config.data.apps.forEach(app => {
+    if (!app.appName) {
+      app.appName = app.appId;
+    }
+  });
+
+  if (config.data.iconsFolder && configFilePath) {
+    config.data.iconsFolder = path.join(configFilePath, config.data.iconsFolder);
+  }
+
+  const app = express();
+
+  if (allowInsecureHTTP || trustProxy || dev) app.enable('trust proxy');
+
+  config.data.trustProxy = trustProxy;
+  let dashboardOptions = { allowInsecureHTTP, cookieSessionSecret, dev };
+  app.use(mountPath, parseDashboard(config.data, dashboardOptions));
+  let server;
+  if(!configSSLKey || !configSSLCert){
+    // Start the server.
+    server = app.listen(port, host, function () {
+      console.log(`The dashboard is now available at http://${server.address().address}:${server.address().port}${mountPath}`);
+    });
+  } else {
+    // Start the server using SSL.
+    var fs = require('fs');
+    var privateKey = fs.readFileSync(configSSLKey);
+    var certificate = fs.readFileSync(configSSLCert);
+
+    server = require('https').createServer({
+      key: privateKey,
+      cert: certificate
+    }, app).listen(port, host, function () {
+      console.log(`The dashboard is now available at https://${server.address().address}:${server.address().port}${mountPath}`);
+    });
+  }
+  handleSIGs(server);
+}, error => {
+  if (error instanceof SyntaxError) {
+    console.log('Your config file contains invalid JSON. Exiting.');
+    process.exit(1);
+  } else if (error.code === 'ENOENT') {
+    if (explicitConfigFileProvided) {
+      console.log('Your config file is missing. Exiting.');
+      process.exit(2);
+    } else {
+      console.log('You must provide either a config file or required CLI options (app ID, Master Key, and server URL); not both.');
+      process.exit(3);
+    }
+  } else {
+    console.log('There was a problem with your config. Exiting.');
+    process.exit(-1);
+  }
+})
+.catch(error => {
+  console.log('There was a problem loading the dashboard. Exiting.', error);
+  process.exit(-1);
+});

package/Parse-Dashboard/parse-dashboard-config.json

@@ -0,0 +1,14 @@
+{
+  "apps": [
+    {
+      "serverURL": "http://localhost:1338/parse",
+      "appId": "hello",
+      "masterKey": "world",
+      "appName": "",
+      "iconName": "",
+      "primaryBackgroundColor": "",
+      "secondaryBackgroundColor": ""
+    }
+  ],
+  "iconsFolder": "icons"
+}