solid-server 5.6.9-beta

package/lib/requests/auth-request.js

@@ -0,0 +1,234 @@
+'use strict'
+/* eslint-disable node/no-deprecated-api */
+
+const url = require('url')
+const debug = require('./../debug').authentication
+
+const IDToken = require('@solid/oidc-op/src/IDToken')
+
+/**
+ * Hidden form fields from the login page that must be passed through to the
+ * Authentication request.
+ *
+ * @type {Array<string>}
+ */
+const AUTH_QUERY_PARAMS = ['response_type', 'display', 'scope',
+  'client_id', 'redirect_uri', 'state', 'nonce', 'request']
+
+/**
+ * Base authentication request (used for login and password reset workflows).
+ */
+class AuthRequest {
+  /**
+   * @constructor
+   * @param [options.response] {ServerResponse} middleware `res` object
+   * @param [options.session] {Session} req.session
+   * @param [options.userStore] {UserStore}
+   * @param [options.accountManager] {AccountManager}
+   * @param [options.returnToUrl] {string}
+   * @param [options.authQueryParams] {Object} Key/value hashmap of parsed query
+   *   parameters that will be passed through to the /authorize endpoint.
+   * @param [options.enforceToc] {boolean} Whether or not to enforce the service provider's T&C
+   * @param [options.tocUri] {string} URI to the service provider's T&C
+   */
+  constructor (options) {
+    this.response = options.response
+    this.session = options.session || {}
+    this.userStore = options.userStore
+    this.accountManager = options.accountManager
+    this.returnToUrl = options.returnToUrl
+    this.authQueryParams = options.authQueryParams || {}
+    this.localAuth = options.localAuth
+    this.enforceToc = options.enforceToc
+    this.tocUri = options.tocUri
+  }
+
+  /**
+   * Extracts a given parameter from the request - either from a GET query param,
+   * a POST body param, or an express registered `/:param`.
+   * Usage:
+   *
+   *   ```
+   *   AuthRequest.parseParameter(req, 'client_id')
+   *   // -> 'client123'
+   *   ```
+   *
+   * @param req {IncomingRequest}
+   * @param parameter {string} Parameter key
+   *
+   * @return {string|null}
+   */
+  static parseParameter (req, parameter) {
+    const query = req.query || {}
+    const body = req.body || {}
+    const params = req.params || {}
+
+    return query[parameter] || body[parameter] || params[parameter] || null
+  }
+
+  /**
+   * Extracts the options in common to most auth-related requests.
+   *
+   * @param req
+   * @param res
+   *
+   * @return {Object}
+   */
+  static requestOptions (req, res) {
+    let userStore, accountManager, localAuth
+
+    if (req.app && req.app.locals) {
+      const locals = req.app.locals
+
+      if (locals.oidc) {
+        userStore = locals.oidc.users
+      }
+
+      accountManager = locals.accountManager
+
+      localAuth = locals.localAuth
+    }
+
+    const authQueryParams = AuthRequest.extractAuthParams(req)
+    const returnToUrl = AuthRequest.parseParameter(req, 'returnToUrl')
+    const acceptToc = AuthRequest.parseParameter(req, 'acceptToc') === 'true'
+
+    const options = {
+      response: res,
+      session: req.session,
+      userStore,
+      accountManager,
+      returnToUrl,
+      authQueryParams,
+      localAuth,
+      acceptToc
+    }
+
+    return options
+  }
+
+  /**
+   * Initializes query params required by Oauth2/OIDC type work flow from the
+   * request body.
+   * Only authorized params are loaded, all others are discarded.
+   *
+   * @param req {IncomingRequest}
+   *
+   * @return {Object}
+   */
+  static extractAuthParams (req) {
+    let params
+    if (req.method === 'POST') {
+      params = req.body
+    } else {
+      params = req.query
+    }
+
+    if (!params) { return {} }
+
+    const extracted = {}
+
+    const paramKeys = AUTH_QUERY_PARAMS
+    let value
+
+    for (const p of paramKeys) {
+      value = params[p]
+      // value = value === 'undefined' ? undefined : value
+      extracted[p] = value
+    }
+
+    // Special case because solid-auth-client does not include redirect in params
+    if (!extracted.redirect_uri && params.request) {
+      extracted.redirect_uri = IDToken.decode(params.request).payload.redirect_uri
+    }
+
+    return extracted
+  }
+
+  /**
+   * Calls the appropriate form to display to the user.
+   * Serves as an error handler for this request workflow.
+   *
+   * @param error {Error}
+   */
+  error (error, body) {
+    error.statusCode = error.statusCode || 400
+
+    this.renderForm(error, body)
+  }
+
+  /**
+   * Initializes a session (for subsequent authentication/authorization) with
+   * a given user's credentials.
+   *
+   * @param userAccount {UserAccount}
+   */
+  initUserSession (userAccount) {
+    const session = this.session
+
+    debug('Initializing user session with webId: ', userAccount.webId)
+
+    session.userId = userAccount.webId
+    session.subject = {
+      _id: userAccount.webId
+    }
+
+    return userAccount
+  }
+
+  /**
+   * Returns this installation's /authorize url. Used for redirecting post-login
+   * and post-signup.
+   *
+   * @return {string}
+   */
+  authorizeUrl () {
+    const host = this.accountManager.host
+    const authUrl = host.authEndpoint
+
+    authUrl.query = this.authQueryParams
+
+    return url.format(authUrl)
+  }
+
+  /**
+   * Returns this installation's /register url. Used for redirecting post-signup.
+   *
+   * @return {string}
+   */
+  registerUrl () {
+    const host = this.accountManager.host
+    const signupUrl = url.parse(url.resolve(host.serverUri, '/register'))
+
+    signupUrl.query = this.authQueryParams
+
+    return url.format(signupUrl)
+  }
+
+  /**
+   * Returns this installation's /login url.
+   *
+   * @return {string}
+   */
+  loginUrl () {
+    const host = this.accountManager.host
+    const signupUrl = url.parse(url.resolve(host.serverUri, '/login'))
+
+    signupUrl.query = this.authQueryParams
+
+    return url.format(signupUrl)
+  }
+
+  sharingUrl () {
+    const host = this.accountManager.host
+    const sharingUrl = url.parse(url.resolve(host.serverUri, '/sharing'))
+
+    sharingUrl.query = this.authQueryParams
+
+    return url.format(sharingUrl)
+  }
+}
+
+AuthRequest.AUTH_QUERY_PARAMS = AUTH_QUERY_PARAMS
+
+module.exports = AuthRequest

package/lib/requests/create-account-request.js

@@ -0,0 +1,468 @@
+'use strict'
+
+const AuthRequest = require('./auth-request')
+const WebIdTlsCertificate = require('../models/webid-tls-certificate')
+const debug = require('../debug').accounts
+const blacklistService = require('../services/blacklist-service')
+const { isValidUsername } = require('../common/user-utils')
+
+/**
+ * Represents a 'create new user account' http request (either a POST to the
+ * `/accounts/api/new` endpoint, or a GET to `/register`).
+ *
+ * Intended just for browser-based requests; to create new user accounts from
+ * a command line, use the `AccountManager` class directly.
+ *
+ * This is an abstract class, subclasses are created (for example
+ * `CreateOidcAccountRequest`) depending on which Authentication mode the server
+ * is running in.
+ *
+ * @class CreateAccountRequest
+ */
+class CreateAccountRequest extends AuthRequest {
+  /**
+   * @param [options={}] {Object}
+   * @param [options.accountManager] {AccountManager}
+   * @param [options.userAccount] {UserAccount}
+   * @param [options.session] {Session} e.g. req.session
+   * @param [options.response] {HttpResponse}
+   * @param [options.returnToUrl] {string} If present, redirect the agent to
+   *   this url on successful account creation
+   * @param [options.enforceToc] {boolean} Whether or not to enforce the service provider's T&C
+   * @param [options.tocUri] {string} URI to the service provider's T&C
+   * @param [options.acceptToc] {boolean} Whether or not user has accepted T&C
+   */
+  constructor (options) {
+    super(options)
+
+    this.username = options.username
+    this.userAccount = options.userAccount
+    this.acceptToc = options.acceptToc
+    this.disablePasswordChecks = options.disablePasswordChecks
+  }
+
+  /**
+   * Factory method, creates an appropriate CreateAccountRequest subclass from
+   * an HTTP request (browser form submit), depending on the authn method.
+   *
+   * @param req
+   * @param res
+   *
+   * @throws {Error} If required parameters are missing (via
+   *   `userAccountFrom()`), or it encounters an unsupported authentication
+   *   scheme.
+   *
+   * @return {CreateOidcAccountRequest|CreateTlsAccountRequest}
+   */
+  static fromParams (req, res) {
+    const options = AuthRequest.requestOptions(req, res)
+
+    const locals = req.app.locals
+    const authMethod = locals.authMethod
+    const accountManager = locals.accountManager
+
+    const body = req.body || {}
+
+    if (body.username) {
+      options.username = body.username.toLowerCase()
+      options.userAccount = accountManager.userAccountFrom(body)
+    }
+
+    options.enforceToc = locals.enforceToc
+    options.tocUri = locals.tocUri
+    options.disablePasswordChecks = locals.disablePasswordChecks
+
+    switch (authMethod) {
+      case 'oidc':
+        options.password = body.password
+        return new CreateOidcAccountRequest(options)
+      case 'tls':
+        options.spkac = body.spkac
+        return new CreateTlsAccountRequest(options)
+      default:
+        throw new TypeError('Unsupported authentication scheme')
+    }
+  }
+
+  static async post (req, res) {
+    const request = CreateAccountRequest.fromParams(req, res)
+
+    try {
+      request.validate()
+      await request.createAccount()
+    } catch (error) {
+      request.error(error, req.body)
+    }
+  }
+
+  static get (req, res) {
+    const request = CreateAccountRequest.fromParams(req, res)
+
+    return Promise.resolve()
+      .then(() => request.renderForm())
+      .catch(error => request.error(error))
+  }
+
+  /**
+   * Renders the Register form
+   */
+  renderForm (error, data = {}) {
+    const authMethod = this.accountManager.authMethod
+
+    const params = Object.assign({}, this.authQueryParams, {
+      enforceToc: this.enforceToc,
+      loginUrl: this.loginUrl(),
+      multiuser: this.accountManager.multiuser,
+      registerDisabled: authMethod === 'tls',
+      returnToUrl: this.returnToUrl,
+      tocUri: this.tocUri,
+      disablePasswordChecks: this.disablePasswordChecks,
+      username: data.username,
+      name: data.name,
+      email: data.email,
+      acceptToc: data.acceptToc
+    })
+
+    if (error) {
+      params.error = error.message
+      this.response.status(error.statusCode)
+    }
+
+    this.response.render('account/register', params)
+  }
+
+  /**
+   * Creates an account for a given user (from a POST to `/api/accounts/new`)
+   *
+   * @throws {Error} If errors were encountering while validating the username.
+   *
+   * @return {Promise<UserAccount>} Resolves with newly created account instance
+   */
+  async createAccount () {
+    const userAccount = this.userAccount
+    const accountManager = this.accountManager
+
+    if (userAccount.externalWebId) {
+      const error = new Error('Linked users not currently supported, sorry (external WebID without TLS?)')
+      error.statusCode = 400
+      throw error
+    }
+    this.cancelIfUsernameInvalid(userAccount)
+    this.cancelIfBlacklistedUsername(userAccount)
+    await this.cancelIfAccountExists(userAccount)
+    await this.createAccountStorage(userAccount)
+    await this.saveCredentialsFor(userAccount)
+    await this.sendResponse(userAccount)
+
+    // 'return' not used deliberately, no need to block and wait for email
+    if (userAccount && userAccount.email) {
+      debug('Sending Welcome email')
+      accountManager.sendWelcomeEmail(userAccount)
+    }
+
+    return userAccount
+  }
+
+  /**
+   * Rejects with an error if an account already exists, otherwise simply
+   * resolves with the account.
+   *
+   * @param userAccount {UserAccount} Instance of the account to be created
+   *
+   * @return {Promise<UserAccount>} Chainable
+   */
+  cancelIfAccountExists (userAccount) {
+    const accountManager = this.accountManager
+
+    return accountManager.accountExists(userAccount.username)
+      .then(exists => {
+        if (exists) {
+          debug(`Canceling account creation, ${userAccount.webId} already exists`)
+          const error = new Error('Account already exists')
+          error.status = 400
+          throw error
+        }
+        // Account does not exist, proceed
+        return userAccount
+      })
+  }
+
+  /**
+   * Creates the root storage folder, initializes default containers and
+   * resources for the new account.
+   *
+   * @param userAccount {UserAccount} Instance of the account to be created
+   *
+   * @throws {Error} If errors were encountering while creating new account
+   *   resources.
+   *
+   * @return {Promise<UserAccount>} Chainable
+   */
+  createAccountStorage (userAccount) {
+    return this.accountManager.createAccountFor(userAccount)
+      .catch(error => {
+        error.message = 'Error creating account storage: ' + error.message
+        throw error
+      })
+      .then(() => {
+        debug('Account storage resources created')
+        return userAccount
+      })
+  }
+
+  /**
+   * Check if a username is a valid slug.
+   *
+   * @param userAccount {UserAccount} Instance of the account to be created
+   *
+   * @throws {Error} If errors were encountering while validating the
+   *   username.
+   *
+   * @return {UserAccount} Chainable
+   */
+  cancelIfUsernameInvalid (userAccount) {
+    if (!userAccount.username || !isValidUsername(userAccount.username)) {
+      debug('Invalid username ' + userAccount.username)
+      const error = new Error('Invalid username (contains invalid characters)')
+      error.status = 400
+      throw error
+    }
+
+    return userAccount
+  }
+
+  /**
+   * Check if a username is a valid slug.
+   *
+   * @param userAccount {UserAccount} Instance of the account to be created
+   *
+   * @throws {Error} If username is blacklisted
+   *
+   * @return {UserAccount} Chainable
+   */
+  cancelIfBlacklistedUsername (userAccount) {
+    const validUsername = blacklistService.validate(userAccount.username)
+    if (!validUsername) {
+      debug('Invalid username ' + userAccount.username)
+      const error = new Error('Invalid username (username is blacklisted)')
+      error.status = 400
+      throw error
+    }
+
+    return userAccount
+  }
+}
+
+/**
+ * Models a Create Account request for a server using WebID-OIDC (OpenID Connect)
+ * as a primary authentication mode. Handles saving user credentials to the
+ * `UserStore`, etc.
+ *
+ * @class CreateOidcAccountRequest
+ * @extends CreateAccountRequest
+ */
+class CreateOidcAccountRequest extends CreateAccountRequest {
+  /**
+   * @constructor
+   *
+   * @param [options={}] {Object} See `CreateAccountRequest` constructor docstring
+   * @param [options.password] {string} Password, as entered by the user at signup
+   * @param [options.acceptToc] {boolean} Whether or not user has accepted T&C
+   */
+  constructor (options) {
+    super(options)
+
+    this.password = options.password
+  }
+
+  /**
+   * Validates the Login request (makes sure required parameters are present),
+   * and throws an error if not.
+   *
+   * @throws {Error} If missing required params
+   */
+  validate () {
+    let error
+
+    if (!this.username) {
+      error = new Error('Username required')
+      error.statusCode = 400
+      throw error
+    }
+
+    if (!this.password) {
+      error = new Error('Password required')
+      error.statusCode = 400
+      throw error
+    }
+
+    if (this.enforceToc && !this.acceptToc) {
+      error = new Error('Accepting Terms & Conditions is required for this service')
+      error.statusCode = 400
+      throw error
+    }
+  }
+
+  /**
+   * Generate salted password hash, etc.
+   *
+   * @param userAccount {UserAccount}
+   *
+   * @return {Promise<null|Graph>}
+   */
+  saveCredentialsFor (userAccount) {
+    return this.userStore.createUser(userAccount, this.password)
+      .then(() => {
+        debug('User credentials stored')
+        return userAccount
+      })
+  }
+
+  /**
+   * Generate the response for the account creation
+   *
+   * @param userAccount {UserAccount}
+   *
+   * @return {UserAccount}
+   */
+  sendResponse (userAccount) {
+    const redirectUrl = this.returnToUrl || userAccount.podUri
+    this.response.redirect(redirectUrl)
+
+    return userAccount
+  }
+}
+
+/**
+ * Models a Create Account request for a server using WebID-TLS as primary
+ * authentication mode. Handles generating and saving a TLS certificate, etc.
+ *
+ * @class CreateTlsAccountRequest
+ * @extends CreateAccountRequest
+ */
+class CreateTlsAccountRequest extends CreateAccountRequest {
+  /**
+   * @constructor
+   *
+   * @param [options={}] {Object} See `CreateAccountRequest` constructor docstring
+   * @param [options.spkac] {string}
+   * @param [options.acceptToc] {boolean} Whether or not user has accepted T&C
+   */
+  constructor (options) {
+    super(options)
+
+    this.spkac = options.spkac
+    this.certificate = null
+  }
+
+  /**
+   * Validates the Signup request (makes sure required parameters are present),
+   * and throws an error if not.
+   *
+   * @throws {Error} If missing required params
+   */
+  validate () {
+    let error
+
+    if (!this.username) {
+      error = new Error('Username required')
+      error.statusCode = 400
+      throw error
+    }
+
+    if (this.enforceToc && !this.acceptToc) {
+      error = new Error('Accepting Terms & Conditions is required for this service')
+      error.statusCode = 400
+      throw error
+    }
+  }
+
+  /**
+   * Generates a new X.509v3 RSA certificate (if `spkac` was passed in) and
+   * adds it to the user account. Used for storage in an agent's WebID
+   * Profile, for WebID-TLS authentication.
+   *
+   * @param userAccount {UserAccount}
+   * @param userAccount.webId {string} An agent's WebID URI
+   *
+   * @throws {Error} HTTP 400 error if errors were encountering during
+   *   certificate generation.
+   *
+   * @return {Promise<UserAccount>} Chainable
+   */
+  generateTlsCertificate (userAccount) {
+    if (!this.spkac) {
+      debug('Missing spkac param, not generating cert during account creation')
+      return Promise.resolve(userAccount)
+    }
+
+    return Promise.resolve()
+      .then(() => {
+        const host = this.accountManager.host
+        return WebIdTlsCertificate.fromSpkacPost(this.spkac, userAccount, host)
+          .generateCertificate()
+      })
+      .catch(err => {
+        err.status = 400
+        err.message = 'Error generating a certificate: ' + err.message
+        throw err
+      })
+      .then(certificate => {
+        debug('Generated a WebID-TLS certificate as part of account creation')
+        this.certificate = certificate
+        return userAccount
+      })
+  }
+
+  /**
+   * Generates a WebID-TLS certificate and saves it to the user's profile
+   * graph.
+   *
+   * @param userAccount {UserAccount}
+   *
+   * @return {Promise<UserAccount>} Chainable
+   */
+  saveCredentialsFor (userAccount) {
+    return this.generateTlsCertificate(userAccount)
+      .then(userAccount => {
+        if (this.certificate) {
+          return this.accountManager
+            .addCertKeyToProfile(this.certificate, userAccount)
+            .then(() => {
+              debug('Saved generated WebID-TLS certificate to profile')
+            })
+        } else {
+          debug('No certificate generated, no need to save to profile')
+        }
+      })
+      .then(() => {
+        return userAccount
+      })
+  }
+
+  /**
+   * Writes the generated TLS certificate to the http Response object.
+   *
+   * @param userAccount {UserAccount}
+   *
+   * @return {UserAccount} Chainable
+   */
+  sendResponse (userAccount) {
+    const res = this.response
+    res.set('User', userAccount.webId)
+    res.status(200)
+
+    if (this.certificate) {
+      res.set('Content-Type', 'application/x-x509-user-cert')
+      res.send(this.certificate.toDER())
+    } else {
+      res.end()
+    }
+
+    return userAccount
+  }
+}
+
+module.exports = CreateAccountRequest
+module.exports.CreateAccountRequest = CreateAccountRequest
+module.exports.CreateTlsAccountRequest = CreateTlsAccountRequest