solid-server 5.6.9-beta

package/lib/requests/password-reset-email-request.js

@@ -0,0 +1,199 @@
+'use strict'
+
+const AuthRequest = require('./auth-request')
+const debug = require('./../debug').accounts
+
+class PasswordResetEmailRequest extends AuthRequest {
+  /**
+   * @constructor
+   * @param options {Object}
+   * @param options.accountManager {AccountManager}
+   * @param options.response {ServerResponse} express response object
+   * @param [options.returnToUrl] {string}
+   * @param [options.username] {string} Username / account name (e.g. 'alice')
+   */
+  constructor (options) {
+    super(options)
+
+    this.returnToUrl = options.returnToUrl
+    this.username = options.username
+  }
+
+  /**
+   * Factory method, returns an initialized instance of PasswordResetEmailRequest
+   * from an incoming http request.
+   *
+   * @param req {IncomingRequest}
+   * @param res {ServerResponse}
+   *
+   * @return {PasswordResetEmailRequest}
+   */
+  static fromParams (req, res) {
+    const locals = req.app.locals
+    const accountManager = locals.accountManager
+
+    const returnToUrl = this.parseParameter(req, 'returnToUrl')
+    const username = this.parseParameter(req, 'username')
+
+    const options = {
+      accountManager,
+      returnToUrl,
+      username,
+      response: res
+    }
+
+    return new PasswordResetEmailRequest(options)
+  }
+
+  /**
+   * Handles a Reset Password GET request on behalf of a middleware handler.
+   * Usage:
+   *
+   *   ```
+   *   app.get('/password/reset', PasswordResetEmailRequest.get)
+   *   ```
+   *
+   * @param req {IncomingRequest}
+   * @param res {ServerResponse}
+   */
+  static get (req, res) {
+    const request = PasswordResetEmailRequest.fromParams(req, res)
+
+    request.renderForm()
+  }
+
+  /**
+   * Handles a Reset Password POST request on behalf of a middleware handler.
+   * Usage:
+   *
+   *   ```
+   *   app.get('/password/reset', PasswordResetEmailRequest.get)
+   *   ```
+   *
+   * @param req {IncomingRequest}
+   * @param res {ServerResponse}
+   */
+  static post (req, res) {
+    const request = PasswordResetEmailRequest.fromParams(req, res)
+
+    debug(`User '${request.username}' requested to be sent a password reset email`)
+
+    return PasswordResetEmailRequest.handlePost(request)
+  }
+
+  /**
+   * Performs a 'send me a password reset email' request operation, after the
+   * user has entered an email into the reset form.
+   *
+   * @param request {PasswordResetEmailRequest}
+   *
+   * @return {Promise}
+   */
+  static handlePost (request) {
+    return Promise.resolve()
+      .then(() => request.validate())
+      .then(() => request.loadUser())
+      .then(userAccount => request.sendResetLink(userAccount))
+      .then(() => request.renderSuccess())
+      .catch(error => request.error(error))
+  }
+
+  /**
+   * Validates the request parameters, and throws an error if any
+   * validation fails.
+   *
+   * @throws {Error}
+   */
+  validate () {
+    if (this.accountManager.multiuser && !this.username) {
+      throw new Error('Username required')
+    }
+  }
+
+  /**
+   * Returns a user account instance for the submitted username.
+   *
+   * @throws {Error} Rejects if user account does not exist for the username
+   *
+   * @returns {Promise<UserAccount>}
+   */
+  loadUser () {
+    const username = this.username
+
+    return this.accountManager.accountExists(username)
+      .then(exists => {
+        if (!exists) {
+          throw new Error('Account not found for that username')
+        }
+
+        const userData = { username }
+
+        return this.accountManager.userAccountFrom(userData)
+      })
+  }
+
+  /**
+   * Loads the account recovery email for a given user and sends out a
+   * password request email.
+   *
+   * @param userAccount {UserAccount}
+   *
+   * @return {Promise}
+   */
+  sendResetLink (userAccount) {
+    const accountManager = this.accountManager
+
+    return accountManager.loadAccountRecoveryEmail(userAccount)
+      .then(recoveryEmail => {
+        userAccount.email = recoveryEmail
+
+        debug('Sending recovery email to:', recoveryEmail)
+
+        return accountManager
+          .sendPasswordResetEmail(userAccount, this.returnToUrl)
+      })
+  }
+
+  /**
+   * Renders the 'send password reset link' form along with the provided error.
+   * Serves as an error handler for this request workflow.
+   *
+   * @param error {Error}
+   */
+  error (error) {
+    const res = this.response
+
+    debug(error)
+
+    const params = {
+      error: error.message,
+      returnToUrl: this.returnToUrl,
+      multiuser: this.accountManager.multiuser
+    }
+
+    res.status(error.statusCode || 400)
+
+    res.render('auth/reset-password', params)
+  }
+
+  /**
+   * Renders the 'send password reset link' form
+   */
+  renderForm () {
+    const params = {
+      returnToUrl: this.returnToUrl,
+      multiuser: this.accountManager.multiuser
+    }
+
+    this.response.render('auth/reset-password', params)
+  }
+
+  /**
+   * Displays the 'your reset link has been sent' success message view
+   */
+  renderSuccess () {
+    this.response.render('auth/reset-link-sent')
+  }
+}
+
+module.exports = PasswordResetEmailRequest

package/lib/requests/sharing-request.js

@@ -0,0 +1,259 @@
+'use strict'
+/* eslint-disable no-mixed-operators, no-async-promise-executor */
+
+const debug = require('./../debug').authentication
+
+const AuthRequest = require('./auth-request')
+
+const url = require('url')
+const intoStream = require('into-stream')
+
+const $rdf = require('rdflib')
+const ACL = $rdf.Namespace('http://www.w3.org/ns/auth/acl#')
+
+/**
+ * Models a local Login request
+ */
+class SharingRequest extends AuthRequest {
+  /**
+   * @constructor
+   * @param options {Object}
+   *
+   * @param [options.response] {ServerResponse} middleware `res` object
+   * @param [options.session] {Session} req.session
+   * @param [options.userStore] {UserStore}
+   * @param [options.accountManager] {AccountManager}
+   * @param [options.returnToUrl] {string}
+   * @param [options.authQueryParams] {Object} Key/value hashmap of parsed query
+   *   parameters that will be passed through to the /authorize endpoint.
+   * @param [options.authenticator] {Authenticator} Auth strategy by which to
+   *   log in
+   */
+  constructor (options) {
+    super(options)
+
+    this.authenticator = options.authenticator
+    this.authMethod = options.authMethod
+  }
+
+  /**
+   * Factory method, returns an initialized instance of LoginRequest
+   * from an incoming http request.
+   *
+   * @param req {IncomingRequest}
+   * @param res {ServerResponse}
+   * @param authMethod {string}
+   *
+   * @return {LoginRequest}
+   */
+  static fromParams (req, res) {
+    const options = AuthRequest.requestOptions(req, res)
+
+    return new SharingRequest(options)
+  }
+
+  /**
+   * Handles a Login GET request on behalf of a middleware handler, displays
+   * the Login page.
+   * Usage:
+   *
+   *   ```
+   *   app.get('/login', LoginRequest.get)
+   *   ```
+   *
+   * @param req {IncomingRequest}
+   * @param res {ServerResponse}
+   */
+  static async get (req, res) {
+    const request = SharingRequest.fromParams(req, res)
+
+    const appUrl = request.getAppUrl()
+    const appOrigin = appUrl.origin
+    const serverUrl = new url.URL(req.app.locals.ldp.serverUri)
+
+    // Check if is already registered or is data browser or the webId is not on this machine
+    if (request.isUserLoggedIn()) {
+      if (
+        !request.isSubdomain(serverUrl.host, new url.URL(request.session.subject._id).host) ||
+        (appUrl && request.isSubdomain(serverUrl.host, appUrl.host) && appUrl.protocol === serverUrl.protocol) ||
+        await request.isAppRegistered(req.app.locals.ldp, appOrigin, request.session.subject._id)
+      ) {
+        request.setUserShared(appOrigin)
+        request.redirectPostSharing()
+      } else {
+        request.renderForm(null, req, appOrigin)
+      }
+    } else {
+      request.redirectPostSharing()
+    }
+  }
+
+  /**
+   * Performs the login operation -- loads and validates the
+   * appropriate user, inits the session with credentials, and redirects the
+   * user to continue their auth flow.
+   *
+   * @param request {LoginRequest}
+   *
+   * @return {Promise}
+   */
+  static async share (req, res) {
+    let accessModes = []
+    let consented = false
+    if (req.body) {
+      accessModes = req.body.access_mode || []
+      if (!Array.isArray(accessModes)) {
+        accessModes = [accessModes]
+      }
+      consented = req.body.consent
+    }
+
+    const request = SharingRequest.fromParams(req, res)
+
+    if (request.isUserLoggedIn()) {
+      const appUrl = request.getAppUrl()
+      const appOrigin = `${appUrl.protocol}//${appUrl.host}`
+      debug('Sharing App')
+
+      if (consented) {
+        await request.registerApp(req.app.locals.ldp, appOrigin, accessModes, request.session.subject._id)
+        request.setUserShared(appOrigin)
+      }
+
+      // Redirect once that's all done
+      request.redirectPostSharing()
+    } else {
+      request.redirectPostSharing()
+    }
+  }
+
+  isSubdomain (domain, subdomain) {
+    const domainArr = domain.split('.')
+    const subdomainArr = subdomain.split('.')
+    for (let i = 1; i <= domainArr.length; i++) {
+      if (subdomainArr[subdomainArr.length - i] !== domainArr[domainArr.length - i]) {
+        return false
+      }
+    }
+    return true
+  }
+
+  setUserShared (appOrigin) {
+    if (!this.session.consentedOrigins) {
+      this.session.consentedOrigins = []
+    }
+    if (!this.session.consentedOrigins.includes(appOrigin)) {
+      this.session.consentedOrigins.push(appOrigin)
+    }
+  }
+
+  isUserLoggedIn () {
+    // Ensure the user arrived here by logging in
+    return !!(this.session.subject && this.session.subject._id)
+  }
+
+  getAppUrl () {
+    return new url.URL(this.authQueryParams.redirect_uri)
+  }
+
+  async getProfileGraph (ldp, webId) {
+    return await new Promise(async (resolve, reject) => {
+      const store = $rdf.graph()
+      const profileText = await ldp.readResource(webId)
+      $rdf.parse(profileText.toString(), store, this.getWebIdFile(webId), 'text/turtle', (error, kb) => {
+        if (error) {
+          reject(error)
+        } else {
+          resolve(kb)
+        }
+      })
+    })
+  }
+
+  async saveProfileGraph (ldp, store, webId) {
+    const text = $rdf.serialize(undefined, store, this.getWebIdFile(webId), 'text/turtle')
+    await ldp.put(webId, intoStream(text), 'text/turtle')
+  }
+
+  getWebIdFile (webId) {
+    const webIdurl = new url.URL(webId)
+    return `${webIdurl.origin}${webIdurl.pathname}`
+  }
+
+  async isAppRegistered (ldp, appOrigin, webId) {
+    const store = await this.getProfileGraph(ldp, webId)
+    return store.each($rdf.sym(webId), ACL('trustedApp')).find((app) => {
+      return store.each(app, ACL('origin')).find(rdfAppOrigin => rdfAppOrigin.value === appOrigin)
+    })
+  }
+
+  async registerApp (ldp, appOrigin, accessModes, webId) {
+    debug(`Registering app (${appOrigin}) with accessModes ${accessModes} for webId ${webId}`)
+    const store = await this.getProfileGraph(ldp, webId)
+    const origin = $rdf.sym(appOrigin)
+    // remove existing statements on same origin - if it exists
+    store.statementsMatching(null, ACL('origin'), origin).forEach(st => {
+      store.removeStatements([...store.statementsMatching(null, ACL('trustedApp'), st.subject)])
+      store.removeStatements([...store.statementsMatching(st.subject)])
+    })
+
+    // add new triples
+    const application = new $rdf.BlankNode()
+    store.add($rdf.sym(webId), ACL('trustedApp'), application, new $rdf.NamedNode(webId))
+    store.add(application, ACL('origin'), origin, new $rdf.NamedNode(webId))
+
+    accessModes.forEach(mode => {
+      store.add(application, ACL('mode'), ACL(mode))
+    })
+    await this.saveProfileGraph(ldp, store, webId)
+  }
+
+  /**
+   * Returns a URL to redirect the user to after login.
+   * Either uses the provided `redirect_uri` auth query param, or simply
+   * returns the user profile URI if none was provided.
+   *
+   * @param validUser {UserAccount}
+   *
+   * @return {string}
+   */
+  postSharingUrl () {
+    return this.authorizeUrl()
+  }
+
+  /**
+   * Redirects the Login request to continue on the OIDC auth workflow.
+   */
+  redirectPostSharing () {
+    const uri = this.postSharingUrl()
+    debug('Login successful, redirecting to ', uri)
+    this.response.redirect(uri)
+  }
+
+  /**
+   * Renders the login form
+   */
+  renderForm (error, req, appOrigin) {
+    const queryString = req && req.url && req.url.replace(/[^?]+\?/, '') || ''
+    const params = Object.assign({}, this.authQueryParams,
+      {
+        registerUrl: this.registerUrl(),
+        returnToUrl: this.returnToUrl,
+        enablePassword: this.localAuth.password,
+        enableTls: this.localAuth.tls,
+        tlsUrl: `/login/tls?${encodeURIComponent(queryString)}`,
+        app_origin: appOrigin
+      })
+
+    if (error) {
+      params.error = error.message
+      this.response.status(error.statusCode)
+    }
+
+    this.response.render('auth/sharing', params)
+  }
+}
+
+module.exports = {
+  SharingRequest
+}

package/lib/resource-mapper.js

@@ -0,0 +1,198 @@
+/* eslint-disable node/no-deprecated-api, no-mixed-operators */
+
+const fs = require('fs')
+const URL = require('url')
+const { promisify } = require('util')
+const { types, extensions } = require('mime-types')
+const readdir = promisify(fs.readdir)
+const HTTPError = require('./http-error')
+
+/*
+ * A ResourceMapper maintains the mapping between HTTP URLs and server filenames,
+ * following the principles of the "sweet spot" discussed in
+ * https://www.w3.org/DesignIssues/HTTPFilenameMapping.html
+ *
+ * This class implements this mapping in a single place
+ * such that all components use the exact same logic.
+ *
+ * There are few public methods, and we STRONGLY suggest not to create more.
+ * Exposing too much of the internals would likely give other components
+ * too much knowledge about the mapping, voiding the purpose of this class.
+ */
+class ResourceMapper {
+  constructor ({
+    rootUrl,
+    rootPath,
+    includeHost = false,
+    defaultContentType = 'application/octet-stream',
+    indexFilename = 'index.html',
+    overrideTypes = { acl: 'text/turtle', meta: 'text/turtle' }
+  }) {
+    this._rootUrl = this._removeTrailingSlash(rootUrl)
+    this._rootPath = this._removeTrailingSlash(rootPath).replace(/\\/g, '/')
+    this._includeHost = includeHost
+    this._readdir = readdir
+    this._defaultContentType = defaultContentType
+    this._types = { ...types, ...overrideTypes }
+    this._indexFilename = indexFilename
+    this._indexContentType = this._getContentTypeFromExtension(indexFilename)
+
+    // If the host needs to be replaced on every call, pre-split the root URL
+    if (includeHost) {
+      const { protocol, port, pathname } = URL.parse(rootUrl)
+      this._protocol = protocol
+      this._port = port === null ? '' : `:${port}`
+      this._rootUrl = this._removeTrailingSlash(pathname)
+    }
+  }
+
+  // Returns the URL of the given HTTP request
+  getRequestUrl (req) {
+    const { hostname, pathname } = this._parseUrl(req)
+    return this.resolveUrl(hostname, pathname)
+  }
+
+  // Returns the URL corresponding to the relative path on the pod
+  resolveUrl (hostname, pathname = '') {
+    return !this._includeHost
+      ? `${this._rootUrl}${pathname}`
+      : `${this._protocol}//${hostname}${this._port}${this._rootUrl}${pathname}`
+  }
+
+  // Returns the file path corresponding to the relative file path on the pod
+  resolveFilePath (hostname, filePath = '') {
+    return !this._includeHost
+      ? `${this._rootPath}${filePath}`
+      : `${this._rootPath}/${hostname}${filePath}`
+  }
+
+  // Maps a given server file to a URL
+  async mapFileToUrl ({ path, hostname }) {
+    // Remove the root path if specified
+    path = path.replace(/\\/g, '/')
+    if (path.startsWith(this._rootPath)) {
+      path = path.substring(this._rootPath.length)
+    }
+    if (this._includeHost) {
+      if (!path.startsWith(`/${hostname}/`)) {
+        throw new Error(`Path must start with hostname (/${hostname})`)
+      }
+      path = path.substring(hostname.length + 1)
+    }
+
+    // Determine the URL by chopping off everything after the dollar sign
+    const pathname = this._removeDollarExtension(path)
+    const url = `${this.resolveUrl(hostname)}${
+      pathname.split('/').map((component) => encodeURIComponent(component)).join('/')
+    }`
+    return { url, contentType: this._getContentTypeFromExtension(path) }
+  }
+
+  // Maps the request for a given resource and representation format to a server file
+  // Will look for an index file if a folder is given and searchIndex is true
+  async mapUrlToFile ({ url, contentType, createIfNotExists, searchIndex = true }) {
+    // map contentType to mimeType part
+    contentType = contentType ? contentType.replace(/\s*;.*/, '') : ''
+    // Parse the URL and find the base file path
+    const { pathname, hostname } = this._parseUrl(url)
+    const filePath = this.resolveFilePath(hostname, decodeURIComponent(pathname))
+    if (filePath.indexOf('/..') >= 0) {
+      throw new Error('Disallowed /.. segment in URL')
+    }
+    const isFolder = filePath.endsWith('/')
+    const isIndex = searchIndex && filePath.endsWith('/')
+
+    // Create the path for a new resource
+    let path
+    if (createIfNotExists) {
+      path = filePath
+      // Append index filename if needed
+      if (isIndex) {
+        if (contentType !== this._indexContentType) {
+          throw new Error(`Index file needs to have ${this._indexContentType} as content type`)
+        }
+        path += this._indexFilename
+      }
+      // If the extension is not correct for the content type, append the correct extension
+      if (!isFolder) {
+        path = this._addContentTypeExtension(path, contentType)
+      }
+    // Determine the path of an existing file
+    } else {
+      // Read all files in the corresponding folder
+      const filename = filePath.substr(filePath.lastIndexOf('/') + 1)
+      const folder = filePath.substr(0, filePath.length - filename.length)
+
+      // Find a file with the same name (minus the dollar extension)
+      let match = ''
+      if (match === '') { // always true to keep indentation
+        const files = await this._readdir(folder)
+        // Search for files with the same name (disregarding a dollar extension)
+        if (!isFolder) {
+          match = files.find(f => this._removeDollarExtension(f) === filename)
+        // Check if the index file exists
+        } else if (searchIndex && files.includes(this._indexFilename)) {
+          match = this._indexFilename
+        }
+      }
+      // Error if no match was found (unless URL ends with '/', then fall back to the folder)
+      if (match === undefined) {
+        if (isIndex) {
+          match = ''
+        } else {
+          throw new HTTPError(404, `Resource not found: ${pathname}`)
+        }
+      }
+      path = `${folder}${match}`
+      contentType = this._getContentTypeFromExtension(match)
+    }
+    return { path, contentType: contentType || this._defaultContentType }
+  }
+
+  // Parses a URL into hostname and pathname
+  _parseUrl (url) {
+    // URL specified as string
+    if (typeof url === 'string') {
+      return URL.parse(url)
+    }
+    // URL specified as Express request object
+    if (!url.pathname && url.path) {
+      const { hostname, path } = url
+      return { hostname, pathname: path.replace(/[?#].*/, '') }
+    }
+    // URL specified as object
+    return url
+  }
+
+  // Gets the expected content type based on the extension of the path
+  _getContentTypeFromExtension (path) {
+    const extension = /\.([^/.]+)$/.exec(path)
+    return extension && this._types[extension[1].toLowerCase()] || this._defaultContentType
+  }
+
+  // Appends an extension for the specific content type, if needed
+  _addContentTypeExtension (path, contentType) {
+    // If we would guess the wrong content type from the extension, try appending a better one
+    const contentTypeFromExtension = this._getContentTypeFromExtension(path)
+    if (contentTypeFromExtension !== contentType) {
+      // Some extensions fit multiple content types, so only switch if there's an improvement
+      const newExtension = contentType in extensions ? extensions[contentType][0] : 'unknown'
+      if (this._types[newExtension] !== contentTypeFromExtension) {
+        path += `$.${newExtension}`
+      }
+    }
+    return path
+  }
+
+  // Removes possible trailing slashes from a path
+  _removeTrailingSlash (path) {
+    return path.replace(/\/+$/, '')
+  }
+
+  // Removes dollar extensions from files (index$.html becomes index)
+  _removeDollarExtension (path) {
+    return path.replace(/\$\.[^$]*$/, '')
+  }
+}
+
+module.exports = ResourceMapper