protonfile-auth 1.6.2 → 1.6.4

package/README.md

@@ -1 +1,18 @@
-protonfile-auth
+# protonfile-auth
+
+Authentication and authorization solution initially built for Protonfile but usable for any modern app. It was created as an Auth0 replacement for Protonfile.
+
+## How does it work?
+
+protonfile-auth works with the traditional JWT access and refresh token model, refresh tokens are long-lived (currently hard-coded to 7 days) and access tokens are short-lived and new ones can be obtained with the refresh token.
+
+An Express middleware is exposed, which can be used to verify the users' access token before allowing them to access a resource.
+
+Refresh token versions are stored in the database, which enables token rotation. It also allows for an instant session revocation by the user, which in turn blocks any access token issuing for that session.
+
+## Disadvantages
+
+protonfile-auth is in no means a perfect authentication solution, there are some known issues. This module was built to have a complete control over the authentication process but it surely can't compete with solutions like OAuth. **If you are building a professional application you should use more tested solutions than this**.
+
+- JWT is not advised as a session token because it's self contained with no central autority that can invalidate it. This is solved in protonfile-auth by saving those tokens in a database and removing them once a session is expired.
+- **Session/access token clutter**: there were some bad decisions during the developement which introduced the session tokens. Sessions are a nice way of knowing on which devices a user is authenticated, but it can be solved without having 2 tokens.

package/lib/Entities/OTP.d.ts

@@ -2,6 +2,7 @@ import { BaseEntity } from 'typeorm';
 import { User } from './User';
 export declare class OTP extends BaseEntity {
     code: string;
+    setCode(): void;
     scope: string;
     expiration: number;
     user_id: string;

package/lib/Entities/OTP.js

@@ -9,22 +9,30 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.OTP = void 0;
 const typeorm_1 = require("typeorm");
 const User_1 = require("./User");
+const nanoid_1 = require("nanoid");
+const randomOtp = (0, nanoid_1.customAlphabet)('1234567890', 6);
 let OTP = class OTP extends typeorm_1.BaseEntity {
+    setCode() {
+        this.code = randomOtp();
+    }
 };
 __decorate([
     (0, typeorm_1.PrimaryColumn)({
         name: 'code',
-        type: 'text',
-        default: () => 'getNumericId(100000, 999999)',
+        type: 'varchar',
+        length: 6,
     })
 ], OTP.prototype, "code", void 0);
+__decorate([
+    (0, typeorm_1.BeforeInsert)()
+], OTP.prototype, "setCode", null);
 __decorate([
     (0, typeorm_1.Column)('text')
 ], OTP.prototype, "scope", void 0);
 __decorate([
     (0, typeorm_1.Column)({
         type: 'bigint',
-        default: () => 'extract(epoch from now())::int + 600',
+        default: () => Date.now().toFixed(0),
     })
 ], OTP.prototype, "expiration", void 0);
 __decorate([
@@ -38,10 +46,3 @@ OTP = __decorate([
     (0, typeorm_1.Entity)()
 ], OTP);
 exports.OTP = OTP;
-/*
-CREATE OR REPLACE FUNCTION getNumericId(integer, integer) RETURNS integer
-    AS 'SELECT floor(random() * ($2-$1+1) + $1)::int'
-    LANGUAGE SQL
-    IMMUTABLE
-    RETURNS NULL ON NULL INPUT;
-*/

package/lib/Entities/Session.d.ts

@@ -2,8 +2,9 @@ import { BaseEntity } from 'typeorm';
 import { User } from './User';
 export declare class Session extends BaseEntity {
     session_id: string;
-    token: string;
     user_id: string;
     user: User;
     user_agent: string;
+    version: number;
+    last_used: string;
 }

package/lib/Entities/Session.js

@@ -14,9 +14,6 @@ let Session = class Session extends typeorm_1.BaseEntity {
 __decorate([
     (0, typeorm_1.PrimaryGeneratedColumn)('uuid')
 ], Session.prototype, "session_id", void 0);
-__decorate([
-    (0, typeorm_1.Column)('text')
-], Session.prototype, "token", void 0);
 __decorate([
     (0, typeorm_1.Column)({ name: 'user_id', type: 'text' })
 ], Session.prototype, "user_id", void 0);
@@ -27,6 +24,12 @@ __decorate([
 __decorate([
     (0, typeorm_1.Column)('text')
 ], Session.prototype, "user_agent", void 0);
+__decorate([
+    (0, typeorm_1.Column)('int')
+], Session.prototype, "version", void 0);
+__decorate([
+    (0, typeorm_1.Column)('bigint')
+], Session.prototype, "last_used", void 0);
 Session = __decorate([
     (0, typeorm_1.Entity)()
 ], Session);

package/lib/controllers/logout.js

@@ -9,18 +9,17 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-const auth_1 = require("../services/auth");
 const session_1 = require("../services/session");
 exports.default = (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-    yield (0, auth_1.clearRefreshTokenCookie)(res);
     yield (0, session_1.clearSessionCookie)(res);
     const sessionCache = req.sessionCache;
     try {
-        const session_id = JSON.parse(req.cookies.session_id).session_id;
-        sessionCache.set(session_id, 60 * 15);
-        yield (0, session_1.deleteSession)(session_id);
+        const session = (0, session_1.verifySessionToken)(req.cookies.pid);
+        sessionCache.set(session.session_id, 60 * 15);
+        yield (0, session_1.deleteSession)(session.session_id);
     }
     catch (err) {
+        console.log(err);
         return res.sendStatus(500);
     }
     res.sendStatus(200);

package/lib/controllers/refresh_token.js

@@ -8,45 +8,36 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 const User_1 = require("../Entities/User");
 const auth_1 = require("../services/auth");
 const session_1 = require("../services/session");
 exports.default = (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-    const token = req.cookies.jid;
-    const session = req.cookies.session_id;
-    if (!token || !session) {
+    const session = req.cookies.pid;
+    if (!session) {
         return res.sendStatus(400);
     }
-    let payload = null;
     let decodedSession;
     try {
-        payload = jsonwebtoken_1.default.verify(token, process.env.REFRESH_TOKEN_KEY);
-        decodedSession = (0, session_1.verifySessionToken)(JSON.parse(session).token);
-        const parsedSession = JSON.parse(session);
-        yield (0, session_1.compareSessionTokenVersion)(parsedSession.session_id, parsedSession.token);
-        const newSession = yield (0, session_1.bumpSessionToken)(parsedSession.session_id);
-        (0, session_1.setSessionCookie)(res, JSON.stringify(newSession));
+        decodedSession = (0, session_1.verifySessionToken)(session);
+        yield (0, session_1.compareSessionTokenVersion)(decodedSession);
+        const newSession = yield (0, session_1.bumpSessionToken)(decodedSession);
+        (0, session_1.setSessionCookie)(res, newSession);
     }
     catch (err) {
         console.log(err);
         yield (0, session_1.clearSessionCookie)(res);
         return res.sendStatus(403);
     }
-    const user = yield User_1.User.findOne({ user_id: payload.user_id });
+    const user = yield User_1.User.findOne({ user_id: decodedSession.user_id });
     if (!user) {
         return res.sendStatus(404);
     }
-    (0, auth_1.setRefreshTokenCookie)(res, (0, auth_1.createRefreshToken)({ user_id: user.user_id }));
     return res.send({
         ok: true,
         accessToken: (0, auth_1.createAccessToken)({
             user_id: user.user_id,
-            session_id: JSON.parse(session).session_id,
+            session_id: decodedSession.session_id,
         }),
     });
 });

package/lib/controllers/register.js

@@ -37,11 +37,11 @@ exports.default = (req, res) => __awaiter(void 0, void 0, void 0, function* () {
         if (!user) {
             return;
         }
-        const queryRes = yield OTP_1.OTP.insert({
-            scope: 'registration',
-            user_id: user.user_id,
-        });
-        const otp = queryRes.identifiers[0];
+        const otpEnt = new OTP_1.OTP();
+        otpEnt.scope = 'registration';
+        otpEnt.user_id = user.user_id;
+        const queryRes = yield OTP_1.OTP.save(otpEnt);
+        const otp = queryRes;
         if (!otp || !otp.code) {
             return res.sendStatus(500);
         }

package/lib/index.js

@@ -47,7 +47,7 @@ exports.default = {
         router.post('/refresh_token', (0, cookie_parser_1.default)(), refresh_token_1.default);
         router.post('/logout', appendSessionCache_1.default.bind(null, sessionCache), (0, cookie_parser_1.default)(), logout_1.default);
         router.get('/qr', (0, cookie_parser_1.default)(), qr_1.get);
-        router.post('/qr', verifyToken_1.default, qr_1.post);
+        router.post('/qr', verifyToken_1.default.bind(null, sessionCache), qr_1.post);
         router.get('/change_password/:email', change_password_1.get);
         router.post('/change_password', change_password_1.post);
         return router;

package/lib/middlewares/appendUms.d.ts

@@ -0,0 +1,4 @@
+import { NextFunction, Request, Response } from 'express';
+import UMS from '../services/UMS';
+declare const appendUms: (ums: UMS, req: Request, _res: Response, next: NextFunction) => void;
+export default appendUms;

package/lib/middlewares/appendUms.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const appendUms = (ums, req, _res, next) => {
+    req.ums = ums;
+    next();
+};
+exports.default = appendUms;

package/lib/services/SessionCleaner.js

@@ -11,17 +11,13 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const Session_1 = require("../Entities/Session");
-const jsonwebtoken_1 = require("jsonwebtoken");
 class SessionCleaner {
     constructor() { }
     register(interval) {
         this.handle = setInterval(() => __awaiter(this, void 0, void 0, function* () {
             const sessions = yield Session_1.Session.find();
             for (const session of sessions) {
-                const decodedToken = (0, jsonwebtoken_1.decode)(session.token);
-                if (typeof decodedToken === 'string' || !decodedToken)
-                    return;
-                const { exp } = decodedToken;
+                const exp = parseInt(session.last_used);
                 const expiration = exp ? exp * 1000 : 0;
                 const now = Date.now();
                 const isExpired = now > expiration;

package/lib/services/UMS.d.ts

@@ -0,0 +1,12 @@
+import TypedEmitter from 'typed-emitter';
+declare type EmitterEvents = {
+    register: (payload: any) => void;
+    change_password: (payload: any) => void;
+};
+declare type Events = 'register' | 'change_password';
+declare const UMS_base: new () => TypedEmitter<EmitterEvents>;
+declare class UMS extends UMS_base {
+    constructor();
+    send(type: Events, payload: any): void;
+}
+export default UMS;

package/lib/services/UMS.js

@@ -0,0 +1,31 @@
+"use strict";
+// User Messaging Service
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_cache_1 = require("node-cache");
+const mail_1 = require("./mail");
+class UMS extends node_cache_1.EventEmitter {
+    constructor() {
+        super();
+    }
+    send(type, payload) {
+        let mail;
+        switch (type) {
+            case 'register':
+                const { user, otp } = payload;
+                mail = new mail_1.WelcomeMail(user, otp.code);
+                break;
+            case 'change_password':
+                mail = new mail_1.ChangePasswordMail(payload.user, (process.env.PROTONFILE_AUTH_APP_URL || '') +
+                    '/change_password/' +
+                    payload.token);
+                break;
+            default:
+                break;
+        }
+        if (!mail)
+            return;
+        mail.send();
+        this.emit(type, payload);
+    }
+}
+exports.default = UMS;

package/lib/services/auth.d.ts

@@ -1,9 +1,6 @@
 import { Response, Request } from 'express';
 import { User } from '../Entities/User';
 export declare const createAccessToken: (payload: any) => string;
-export declare const createRefreshToken: (payload: any) => string;
-export declare const setRefreshTokenCookie: (res: Response, value: string) => Promise<void>;
-export declare const clearRefreshTokenCookie: (res: Response) => Promise<Response<any, Record<string, any>>>;
 export declare const generateQrAuth: () => Promise<{
     request_id: string;
     token: string;

package/lib/services/auth.js

@@ -9,7 +9,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.performLogin = exports.generateQrAuth = exports.clearRefreshTokenCookie = exports.setRefreshTokenCookie = exports.createRefreshToken = exports.createAccessToken = void 0;
+exports.performLogin = exports.generateQrAuth = exports.createAccessToken = void 0;
 const jsonwebtoken_1 = require("jsonwebtoken");
 const uuid_1 = require("uuid");
 const Session_1 = require("../Entities/Session");
@@ -20,27 +20,6 @@ const createAccessToken = (payload) => {
     });
 };
 exports.createAccessToken = createAccessToken;
-const createRefreshToken = (payload) => {
-    return (0, jsonwebtoken_1.sign)({ user_id: payload.user_id }, process.env.REFRESH_TOKEN_KEY, {
-        expiresIn: '7d',
-    });
-};
-exports.createRefreshToken = createRefreshToken;
-const setRefreshTokenCookie = (res, value) => __awaiter(void 0, void 0, void 0, function* () {
-    const currentTime = Math.floor(new Date().getTime() / 1000);
-    const weekExpiration = currentTime + 86400 * 7; // adds 7 days to timestamp
-    res.cookie('jid', value, {
-        sameSite: 'none',
-        expires: new Date(weekExpiration * 1000),
-        httpOnly: true,
-        secure: process.env.NODE_ENV === 'production' ? true : false,
-    });
-});
-exports.setRefreshTokenCookie = setRefreshTokenCookie;
-const clearRefreshTokenCookie = (res) => __awaiter(void 0, void 0, void 0, function* () {
-    return res.clearCookie('jid');
-});
-exports.clearRefreshTokenCookie = clearRefreshTokenCookie;
 const generateQrAuth = () => __awaiter(void 0, void 0, void 0, function* () {
     const id = (0, uuid_1.v4)();
     return {
@@ -53,52 +32,28 @@ const generateQrAuth = () => __awaiter(void 0, void 0, void 0, function* () {
 exports.generateQrAuth = generateQrAuth;
 const performLogin = (req, res, user) => {
     return new Promise((resolve, reject) => __awaiter(void 0, void 0, void 0, function* () {
-        let session_id;
-        (0, exports.setRefreshTokenCookie)(res, (0, exports.createRefreshToken)({
+        if (req.cookies.pid)
+            return res.redirect(307, 'refresh_token');
+        const insert = yield Session_1.Session.insert({
             user_id: user.user_id,
-        }));
-        if (req.cookies.session_id) {
-            const session = JSON.parse(req.cookies.session_id);
-            try {
-                (0, session_1.verifySessionToken)(session.token);
-                const newSession = yield (0, session_1.bumpSessionToken)(session.session_id);
-                session_id = newSession.session_id;
-                (0, session_1.setSessionCookie)(res, JSON.stringify(newSession));
-            }
-            catch (err) {
-                yield (0, session_1.clearSessionCookie)(res);
-                yield (0, exports.clearRefreshTokenCookie)(res);
-                const insert = yield Session_1.Session.insert({
-                    token: (0, session_1.createSessionToken)({ user_id: user.user_id }),
-                    user_id: user.user_id,
-                    user_agent: req.headers['user-agent'] || 'Unknown',
-                });
-                const session = yield Session_1.Session.findOne({
-                    session_id: insert.generatedMaps[0].session_id,
-                });
-                if (!session) {
-                    return;
-                }
-                session_id = session.session_id;
-                (0, session_1.setSessionCookie)(res, JSON.stringify(session));
-            }
-        }
-        else {
-            const insert = yield Session_1.Session.insert({
-                token: (0, session_1.createSessionToken)({ user_id: user.user_id }),
-                user_id: user.user_id,
-                user_agent: req.headers['user-agent'] || 'Unknown',
-            });
-            const session = yield Session_1.Session.findOne({
-                session_id: insert.generatedMaps[0].session_id,
-            });
-            if (!session) {
-                return;
-            }
-            session_id = session.session_id;
-            (0, session_1.setSessionCookie)(res, JSON.stringify(session));
+            user_agent: req.headers['user-agent'] || 'Unknown',
+            version: 0,
+            last_used: (Date.now() / 1000).toFixed(0).toString(),
+        });
+        const session = yield Session_1.Session.findOne({
+            session_id: insert.generatedMaps[0].session_id,
+        });
+        if (!session) {
+            return;
         }
-        const token = (0, exports.createAccessToken)({ user_id: user.user_id, session_id });
+        (0, session_1.setSessionCookie)(res, (0, session_1.createSessionToken)({
+            user_id: user.user_id,
+            session_id: session.session_id,
+        }));
+        const token = (0, exports.createAccessToken)({
+            user_id: user.user_id,
+            session_id: session.session_id,
+        });
         resolve(token);
     }));
 };

package/lib/services/session.d.ts

@@ -1,9 +1,10 @@
 import { Response } from 'express';
+import { JwtPayload } from 'jsonwebtoken';
 import { Session } from '../Entities/Session';
 export declare const createSessionToken: (payload: any, version?: number | undefined) => string;
-export declare const verifySessionToken: (token: string) => string | import("jsonwebtoken").JwtPayload;
-export declare const bumpSessionToken: (session_id: string) => Promise<Session>;
-export declare const compareSessionTokenVersion: (session_id: string, token: string) => Promise<import("jsonwebtoken").JwtPayload>;
+export declare const verifySessionToken: (token: string) => string | JwtPayload;
+export declare const bumpSessionToken: (jwtSession: JwtPayload) => Promise<string>;
+export declare const compareSessionTokenVersion: (jwtSession: JwtPayload) => Promise<void>;
 export declare const setSessionCookie: (res: Response, value: string) => Promise<void>;
 export declare const clearSessionCookie: (res: Response) => Promise<Response<any, Record<string, any>>>;
 export declare const deleteSession: (session_id: string) => Promise<Session>;

package/lib/services/session.js

@@ -13,7 +13,11 @@ exports.deleteSession = exports.clearSessionCookie = exports.setSessionCookie =
 const jsonwebtoken_1 = require("jsonwebtoken");
 const Session_1 = require("../Entities/Session");
 const createSessionToken = (payload, version) => {
-    return (0, jsonwebtoken_1.sign)({ user_id: payload.user_id, version: version || 0 }, process.env.SESSION_TOKEN_KEY, {
+    return (0, jsonwebtoken_1.sign)({
+        user_id: payload.user_id,
+        version: version || 0,
+        session_id: payload.session_id,
+    }, process.env.SESSION_TOKEN_KEY, {
         expiresIn: '7d',
     });
 };
@@ -22,21 +26,20 @@ const verifySessionToken = (token) => {
     return (0, jsonwebtoken_1.verify)(token, process.env.SESSION_TOKEN_KEY);
 };
 exports.verifySessionToken = verifySessionToken;
-const bumpSessionToken = (session_id) => {
+const bumpSessionToken = (jwtSession) => {
     return new Promise((resolve, reject) => __awaiter(void 0, void 0, void 0, function* () {
-        const session = yield Session_1.Session.findOne({ session_id });
-        if (!session) {
+        const session = yield Session_1.Session.findOne({
+            session_id: jwtSession.session_id,
+        });
+        if (!session)
             return reject('Token not found');
-        }
         try {
-            const token = (0, jsonwebtoken_1.verify)(session.token, process.env.SESSION_TOKEN_KEY);
-            if (typeof token === 'string') {
-                return reject('Error while verifying token');
-            }
-            const newToken = (0, exports.createSessionToken)({ user_id: session.user_id }, token.version + 1);
-            Session_1.Session.update({ session_id }, { token: newToken });
-            session.token = newToken;
-            resolve(session);
+            const newToken = (0, exports.createSessionToken)({ user_id: session.user_id, session_id: session.session_id }, session.version + 1);
+            Session_1.Session.update({ session_id: session.session_id }, {
+                version: session.version + 1,
+                last_used: (Date.now() / 1000).toFixed(0).toString(),
+            });
+            resolve(newToken);
         }
         catch (err) {
             reject(err);
@@ -44,31 +47,18 @@ const bumpSessionToken = (session_id) => {
     }));
 };
 exports.bumpSessionToken = bumpSessionToken;
-const compareSessionTokenVersion = (session_id, token) => __awaiter(void 0, void 0, void 0, function* () {
-    const session = yield Session_1.Session.findOne({ session_id });
-    if (!session) {
+const compareSessionTokenVersion = (jwtSession) => __awaiter(void 0, void 0, void 0, function* () {
+    const session = yield Session_1.Session.findOne({ session_id: jwtSession.session_id });
+    if (!session)
         throw 'Session not found';
-    }
-    try {
-        const decodedSessionToken = (0, jsonwebtoken_1.verify)(token, process.env.SESSION_TOKEN_KEY);
-        const decodedToken = (0, jsonwebtoken_1.verify)(token, process.env.SESSION_TOKEN_KEY);
-        if (typeof decodedToken === 'string' ||
-            typeof decodedSessionToken === 'string')
-            throw 'Invalid token';
-        if (decodedToken.version < decodedSessionToken.version) {
-            throw 'Token expired';
-        }
-        return decodedToken;
-    }
-    catch (err) {
-        throw 'Invalid token';
-    }
+    if (session.version > jwtSession.version)
+        throw 'Token expired';
 });
 exports.compareSessionTokenVersion = compareSessionTokenVersion;
 const setSessionCookie = (res, value) => __awaiter(void 0, void 0, void 0, function* () {
     const currentTime = Math.floor(new Date().getTime() / 1000);
     const weekExpiration = currentTime + 86400 * 7; // adds 7 days to timestamp
-    res.cookie('session_id', value, {
+    res.cookie('pid', value, {
         sameSite: 'none',
         expires: new Date(weekExpiration * 1000),
         httpOnly: true,
@@ -77,7 +67,7 @@ const setSessionCookie = (res, value) => __awaiter(void 0, void 0, void 0, funct
 });
 exports.setSessionCookie = setSessionCookie;
 const clearSessionCookie = (res) => __awaiter(void 0, void 0, void 0, function* () {
-    return res.clearCookie('session_id');
+    return res.clearCookie('pid');
 });
 exports.clearSessionCookie = clearSessionCookie;
 const deleteSession = (session_id) => __awaiter(void 0, void 0, void 0, function* () {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "protonfile-auth",
-	"version": "1.6.2",
+	"version": "1.6.4",
 	"description": "protonfile-auth",
 	"main": "lib/index.js",
 	"types": "lib/index.d.ts",
@@ -14,11 +14,13 @@
 	"license": "ISC",
 	"devDependencies": {
 		"@types/bcryptjs": "^2.4.2",
+		"@types/better-sqlite3": "^7.5.0",
 		"@types/express": "^4.17.13",
 		"@types/jsonwebtoken": "^8.5.5",
 		"@types/nodemailer": "^6.4.4",
 		"@types/pg": "^8.6.1",
 		"@types/uuid": "^8.3.1",
+		"better-sqlite3": "^7.6.2",
 		"typescript": "^4.4.4"
 	},
 	"files": [
@@ -34,6 +36,7 @@
 		"express": "^4.17.1",
 		"handlebars": "^4.7.7",
 		"jsonwebtoken": "^8.5.1",
+		"nanoid": "^3.3.4",
 		"node-cache": "^5.1.2",
 		"nodemailer": "^6.7.0",
 		"pg": "^8.7.1",