mailtrain/server/lib/passport.js

'use strict';

const config = require('config');
const log = require('./log');
const util = require('util');

const passport = require('passport');
const LocalStrategy = require('passport-local').Strategy;

const csrf = require('csurf');
const bodyParser = require('body-parser');

const users = require('../models/users');
const { nodeifyFunction, nodeifyPromise } = require('./nodeify');
const interoperableErrors = require('../../shared/interoperable-errors');
const contextHelpers = require('./context-helpers');

let authMode = 'local';

let LdapStrategy;
let ldapStrategyOpts;
if (config.ldap.enabled) {
    if (!config.ldap.method || config.ldap.method == 'ldapjs') {
        try {
            LdapStrategy = require('passport-ldapjs').Strategy; // eslint-disable-line global-require
            authMode = 'ldapjs';
            log.info('LDAP', 'Found module "passport-ldapjs". It will be used for LDAP auth.');

            ldapStrategyOpts = {
                server: {
                    url: 'ldap://' + config.ldap.host + ':' + config.ldap.port
                },
                base: config.ldap.baseDN,
                search: {
                    filter: config.ldap.filter,
                    attributes: [config.ldap.uidTag, config.ldap.nameTag, 'mail'],
                    scope: 'sub'
                },
                uidTag: config.ldap.uidTag,
                bindUser: config.ldap.bindUser,
                bindPassword: config.ldap.bindPassword
            };

        } catch (exc) {
            log.info('LDAP', 'Module "passport-ldapjs" not installed. It will not be used for LDAP auth.');
        }
    }

    if (!LdapStrategy && (!config.ldap.method || config.ldap.method == 'ldapauth')) {
        try {
            LdapStrategy = require('passport-ldapauth').Strategy; // eslint-disable-line global-require
            authMode = 'ldapauth';
            log.info('LDAP', 'Found module "passport-ldapauth". It will be used for LDAP auth.');

            ldapStrategyOpts = {
                server: {
                    url: 'ldap://' + config.ldap.host + ':' + config.ldap.port,
                    searchBase: config.ldap.baseDN,
                    searchFilter: config.ldap.filter,
                    searchAttributes: [config.ldap.uidTag, config.ldap.nameTag, 'mail'],
                    bindDN: config.ldap.bindUser,
                    bindCredentials: config.ldap.bindPassword
                },
            };
        } catch (exc) {
            log.info('LDAP', 'Module "passport-ldapauth" not installed. It will not be used for LDAP auth.');
        }
    }
}

module.exports.csrfProtection = csrf({
    cookie: true
});

module.exports.parseForm = bodyParser.urlencoded({
    extended: false,
    limit: config.www.postSize
});

module.exports.loggedIn = (req, res, next) => {
    if (!req.user) {
        next(new interoperableErrors.NotLoggedInError());
    } else {
        next();
    }
};

module.exports.authByAccessToken = (req, res, next) => {
    if (!req.query.access_token) {
        res.status(403);
        res.json({
            error: 'Missing access_token',
            data: []
        });
    }

    users.getByAccessToken(req.query.access_token).then(user => {
        req.user = user;
        next();
    }).catch(err => {
        if (err instanceof interoperableErrors.PermissionDeniedError) {
            res.status(403);
            res.json({
                error: 'Invalid or expired access_token',
                data: []
            });
        } else {
            res.status(500);
            res.json({
                error: err.message || err,
                data: []
            });
        }
    });
};

module.exports.tryAuthByRestrictedAccessToken = (req, res, next) => {
    const pathComps = req.url.split('/');

    pathComps.shift();
    const restrictedAccessToken = pathComps.shift();
    pathComps.unshift('');

    const url = pathComps.join('/');

    req.url = url;

    users.getByRestrictedAccessToken(restrictedAccessToken).then(user => {
        req.user = user;
        next();
    }).catch(err => {
        next();
    });
};


module.exports.setupRegularAuth = app => {
    app.use(passport.initialize());
    app.use(passport.session());
};

module.exports.restLogout = (req, res) => {
    req.logout();
    res.json();
};

module.exports.restLogin = (req, res, next) => {
    passport.authenticate(authMode, (err, user, info) => {
        if (err) {
            return next(err);
        }

        if (!user) {
            return next(new interoperableErrors.IncorrectPasswordError());
        }

        req.logIn(user, err => {
            if (err) {
                return next(err);
            }

            if (req.body.remember) {
                // Cookie expires after 30 days
                req.session.cookie.maxAge = 30 * 24 * 60 * 60 * 1000;
            } else {
                // Cookie expires at end of session
                req.session.cookie.expires = false;
            }

            return res.json();
        });
    })(req, res, next);
};

if (LdapStrategy) {
    log.info('Using LDAP auth (passport-' + authMode + ')');
    module.exports.authMethod = 'ldap';
    module.exports.isAuthMethodLocal = false;

    passport.use(new LdapStrategy(ldapStrategyOpts, nodeifyFunction(async (profile) => {
        try {
            const user = await users.getByUsername(profile[config.ldap.uidTag]);

            return {
                id: user.id,
                username: user.username,
                name: profile[config.ldap.nameTag],
                email: profile.mail,
                role: user.role
            };

        } catch (err) {
            if (err instanceof interoperableErrors.NotFoundError) {
                const userId = await users.create(null, {
                    username: profile[config.ldap.uidTag],
                    role: config.ldap.newUserRole,
                    namespace: config.ldap.newUserNamespaceId
                });

                return {
                    id: userId,
                    username: profile[config.ldap.uidTag],
                    name: profile[config.ldap.nameTag],
                    email: profile.mail,
                    role: config.ldap.newUserRole
                };
            } else {
                throw err;
            }
        }
    })));

    passport.serializeUser((user, done) => done(null, user));
    passport.deserializeUser((user, done) => done(null, user));

} else {
    log.info('Using local auth');
    module.exports.authMethod = 'local';
    module.exports.isAuthMethodLocal = true;

    passport.use(new LocalStrategy(nodeifyFunction(async (username, password) => {
        return await users.getByUsernameIfPasswordMatch(username, password);
    })));

    passport.serializeUser((user, done) => done(null, user.id));
    passport.deserializeUser((id, done) => nodeifyPromise(users.getById(contextHelpers.getAdminContext(), id), done));
}
Initial import 2016-04-04 12:36:30 +00:00			`'use strict';`

WiP on permissions Doesn't run. This commit is just to backup the changes. 2017-07-26 19:42:05 +00:00			`const config = require('config');`
Bugfixes in sending campaigns 2018-09-27 19:32:35 +00:00			`const log = require('./log');`
WiP on permissions Doesn't run. This commit is just to backup the changes. 2017-07-26 19:42:05 +00:00			`const util = require('util');`
Add ldap authentication 2016-08-11 11:21:48 +00:00
Extracted strings and fixes on localization support Language chooser in the UI 2018-11-18 20:31:22 +00:00			`const passport = require('passport');`
WiP on permissions Doesn't run. This commit is just to backup the changes. 2017-07-26 19:42:05 +00:00			`const LocalStrategy = require('passport-local').Strategy;`
v1.16.0 2016-08-29 10:57:27 +00:00
WiP on permissions Doesn't run. This commit is just to backup the changes. 2017-07-26 19:42:05 +00:00			`const csrf = require('csurf');`
			`const bodyParser = require('body-parser');`
All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00
			`const users = require('../models/users');`
			`const { nodeifyFunction, nodeifyPromise } = require('./nodeify');`
New project structure Beta of extract.js for extracting english locale 2018-11-18 14:38:52 +00:00			`const interoperableErrors = require('../../shared/interoperable-errors');`
Lists list and CUD Custom forms list Updated DB schema (not yet implemented in the server, which means that most of the server is not broken). - custom forms are independent of a list - order and visibility of fields is now in custom_fields - first_name and last_name has been turned to a regular custom field 2017-07-29 19:42:07 +00:00			`const contextHelpers = require('./context-helpers');`
Initial import 2016-04-04 12:36:30 +00:00
Merge remote-tracking branch 'upstream/master' into development 2018-02-24 22:05:01 +00:00			`let authMode = 'local';`
Obsoleting some old files Transition to SPA-style client Basis for Mosaico template editor 2018-02-25 19:54:15 +00:00
			`let LdapStrategy;`
			`let ldapStrategyOpts;`
Merge remote-tracking branch 'upstream/master' into development 2018-02-24 22:05:01 +00:00			`if (config.ldap.enabled) {`
Obsoleting some old files Transition to SPA-style client Basis for Mosaico template editor 2018-02-25 19:54:15 +00:00			`if (!config.ldap.method \|\| config.ldap.method == 'ldapjs') {`
Merge remote-tracking branch 'upstream/master' into development 2018-02-24 22:05:01 +00:00			`try {`
			`LdapStrategy = require('passport-ldapjs').Strategy; // eslint-disable-line global-require`
			`authMode = 'ldapjs';`
Obsoleting some old files Transition to SPA-style client Basis for Mosaico template editor 2018-02-25 19:54:15 +00:00			`log.info('LDAP', 'Found module "passport-ldapjs". It will be used for LDAP auth.');`

			`ldapStrategyOpts = {`
			`server: {`
			`url: 'ldap://' + config.ldap.host + ':' + config.ldap.port`
			`},`
			`base: config.ldap.baseDN,`
			`search: {`
			`filter: config.ldap.filter,`
			`attributes: [config.ldap.uidTag, config.ldap.nameTag, 'mail'],`
			`scope: 'sub'`
			`},`
			`uidTag: config.ldap.uidTag,`
			`bindUser: config.ldap.bindUser,`
			`bindPassword: config.ldap.bindPassword`
			`};`

Merge remote-tracking branch 'upstream/master' into development 2018-02-24 22:05:01 +00:00			`} catch (exc) {`
			`log.info('LDAP', 'Module "passport-ldapjs" not installed. It will not be used for LDAP auth.');`
			`}`
Obsoleting some old files Transition to SPA-style client Basis for Mosaico template editor 2018-02-25 19:54:15 +00:00			`}`

			`if (!LdapStrategy && (!config.ldap.method \|\| config.ldap.method == 'ldapauth')) {`
Merge remote-tracking branch 'upstream/master' into development 2018-02-24 22:05:01 +00:00			`try {`
			`LdapStrategy = require('passport-ldapauth').Strategy; // eslint-disable-line global-require`
			`authMode = 'ldapauth';`
Obsoleting some old files Transition to SPA-style client Basis for Mosaico template editor 2018-02-25 19:54:15 +00:00			`log.info('LDAP', 'Found module "passport-ldapauth". It will be used for LDAP auth.');`

			`ldapStrategyOpts = {`
			`server: {`
			`url: 'ldap://' + config.ldap.host + ':' + config.ldap.port,`
			`searchBase: config.ldap.baseDN,`
			`searchFilter: config.ldap.filter,`
			`searchAttributes: [config.ldap.uidTag, config.ldap.nameTag, 'mail'],`
			`bindDN: config.ldap.bindUser,`
			`bindCredentials: config.ldap.bindPassword`
			`},`
			`};`
Merge remote-tracking branch 'upstream/master' into development 2018-02-24 22:05:01 +00:00			`} catch (exc) {`
			`log.info('LDAP', 'Module "passport-ldapauth" not installed. It will not be used for LDAP auth.');`
			`}`
Fix logging for ldap module 2017-03-15 18:44:12 +00:00			`}`
v1.16.0 2016-08-29 10:57:27 +00:00			`}`

Initial import 2016-04-04 12:36:30 +00:00			`module.exports.csrfProtection = csrf({`
			`cookie: true`
			`});`

			`module.exports.parseForm = bodyParser.urlencoded({`
added max post size option 2016-04-13 05:36:55 +00:00			`extended: false,`
Basic support for Mosaico-based email templates. 2018-04-02 09:58:32 +00:00			`limit: config.www.postSize`
Initial import 2016-04-04 12:36:30 +00:00			`});`

All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`module.exports.loggedIn = (req, res, next) => {`
			`if (!req.user) {`
			`next(new interoperableErrors.NotLoggedInError());`
			`} else {`
			`next();`
			`}`
			`};`

Work in progress on subscriptions 2017-12-10 20:44:35 +00:00			`module.exports.authByAccessToken = (req, res, next) => {`
Basic support for Mosaico-based email templates. 2018-04-02 09:58:32 +00:00			`if (!req.query.access_token) {`
			`res.status(403);`
			`res.json({`
			`error: 'Missing access_token',`
			`data: []`
			`});`
			`}`

			`users.getByAccessToken(req.query.access_token).then(user => {`
			`req.user = user;`
			`next();`
			`}).catch(err => {`
			`if (err instanceof interoperableErrors.PermissionDeniedError) {`
Work in progress on subscriptions 2017-12-10 20:44:35 +00:00			`res.status(403);`
Basic support for Mosaico-based email templates. 2018-04-02 09:58:32 +00:00			`res.json({`
			`error: 'Invalid or expired access_token',`
			`data: []`
			`});`
			`} else {`
			`res.status(500);`
			`res.json({`
			`error: err.message \|\| err,`
Work in progress on subscriptions 2017-12-10 20:44:35 +00:00			`data: []`
			`});`
			`}`
Basic support for Mosaico-based email templates. 2018-04-02 09:58:32 +00:00			`});`
			`};`
Work in progress on subscriptions 2017-12-10 20:44:35 +00:00
Basic support for Mosaico-based email templates. 2018-04-02 09:58:32 +00:00			`module.exports.tryAuthByRestrictedAccessToken = (req, res, next) => {`
Fixed sandbox. Multiple tabs work now. WiP on selectable mosaico templates. TODO: Make files always point to trusted URL, such that we don't have to rebase them. They are public anyway. The same goes for mosaico endpoints: /mosaico/templates and /mosaico/img 2018-05-09 02:07:01 +00:00			`const pathComps = req.url.split('/');`

			`pathComps.shift();`
			`const restrictedAccessToken = pathComps.shift();`
			`pathComps.unshift('');`

			`const url = pathComps.join('/');`

			`req.url = url;`

			`users.getByRestrictedAccessToken(restrictedAccessToken).then(user => {`
			`req.user = user;`
Basic support for Mosaico-based email templates. 2018-04-02 09:58:32 +00:00			`next();`
Fixed sandbox. Multiple tabs work now. WiP on selectable mosaico templates. TODO: Make files always point to trusted URL, such that we don't have to rebase them. They are public anyway. The same goes for mosaico endpoints: /mosaico/templates and /mosaico/img 2018-05-09 02:07:01 +00:00			`}).catch(err => {`
			`next();`
			`});`
Work in progress on subscriptions 2017-12-10 20:44:35 +00:00			`};`

Some small updates coming from IVIS 2018-07-18 17:41:18 +00:00
			`module.exports.setupRegularAuth = app => {`
Initial import 2016-04-04 12:36:30 +00:00			`app.use(passport.initialize());`
			`app.use(passport.session());`
			`};`

All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`module.exports.restLogout = (req, res) => {`
			`req.logout();`
			`res.json();`
Initial import 2016-04-04 12:36:30 +00:00			`};`

All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`module.exports.restLogin = (req, res, next) => {`
Add support for passport-ldapauth 2017-11-08 10:47:46 +00:00			`passport.authenticate(authMode, (err, user, info) => {`
Local auth seems to work 2017-07-08 16:57:41 +00:00			`if (err) {`
			`return next(err);`
			`}`
All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00
Initial import 2016-04-04 12:36:30 +00:00			`if (!user) {`
All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`return next(new interoperableErrors.IncorrectPasswordError());`
Initial import 2016-04-04 12:36:30 +00:00			`}`
Local auth seems to work 2017-07-08 16:57:41 +00:00
Initial import 2016-04-04 12:36:30 +00:00			`req.logIn(user, err => {`
			`if (err) {`
			`return next(err);`
			`}`

			`if (req.body.remember) {`
			`// Cookie expires after 30 days`
			`req.session.cookie.maxAge = 30 * 24 * 60 * 60 * 1000;`
			`} else {`
			`// Cookie expires at end of session`
			`req.session.cookie.expires = false;`
			`}`

All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`return res.json();`
Initial import 2016-04-04 12:36:30 +00:00			`});`
			`})(req, res, next);`
			`};`

Obsoleting some old files Transition to SPA-style client Basis for Mosaico template editor 2018-02-25 19:54:15 +00:00			`if (LdapStrategy) {`
Merge remote-tracking branch 'upstream/master' into development 2018-02-24 22:05:01 +00:00			`log.info('Using LDAP auth (passport-' + authMode + ')');`
All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`module.exports.authMethod = 'ldap';`
LDAP auth seems to work too. Users completely refactored to ReactJS and Knex Initial draft of call context passing (for the time being only in users:remove 2017-07-08 18:32:04 +00:00			`module.exports.isAuthMethodLocal = false;`
Initial import 2016-04-04 12:36:30 +00:00
Obsoleting some old files Transition to SPA-style client Basis for Mosaico template editor 2018-02-25 19:54:15 +00:00			`passport.use(new LdapStrategy(ldapStrategyOpts, nodeifyFunction(async (profile) => {`
All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`try {`
			`const user = await users.getByUsername(profile[config.ldap.uidTag]);`

			`return {`
			`id: user.id,`
			`username: user.username,`
			`name: profile[config.ldap.nameTag],`
WiP on permissions Doesn't run. This commit is just to backup the changes. 2017-07-26 19:42:05 +00:00			`email: profile.mail,`
			`role: user.role`
All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`};`

			`} catch (err) {`
			`if (err instanceof interoperableErrors.NotFoundError) {`
WiP on permissions Table of shares per user 2017-07-27 14:11:22 +00:00			`const userId = await users.create(null, {`
All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`username: profile[config.ldap.uidTag],`
WiP on permissions Doesn't run. This commit is just to backup the changes. 2017-07-26 19:42:05 +00:00			`role: config.ldap.newUserRole,`
			`namespace: config.ldap.newUserNamespaceId`
Add ldap authentication 2016-08-11 11:21:48 +00:00			`});`
All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00
			`return {`
			`id: userId,`
			`username: profile[config.ldap.uidTag],`
			`name: profile[config.ldap.nameTag],`
WiP on permissions Doesn't run. This commit is just to backup the changes. 2017-07-26 19:42:05 +00:00			`email: profile.mail,`
			`role: config.ldap.newUserRole`
All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`};`
Add ldap authentication 2016-08-11 11:21:48 +00:00			`} else {`
All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`throw err;`
Add ldap authentication 2016-08-11 11:21:48 +00:00			`}`
All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`}`
			`})));`

Report templates ported to ReactJS and Knex. Does not run yet because reports have dependencies on the old report templates. 2017-07-09 13:41:53 +00:00			`passport.serializeUser((user, done) => done(null, user));`
All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`passport.deserializeUser((user, done) => done(null, user));`

Add ldap authentication 2016-08-11 11:21:48 +00:00			`} else {`
			`log.info('Using local auth');`
All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`module.exports.authMethod = 'local';`
			`module.exports.isAuthMethodLocal = true;`
Initial import 2016-04-04 12:36:30 +00:00
All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`passport.use(new LocalStrategy(nodeifyFunction(async (username, password) => {`
			`return await users.getByUsernameIfPasswordMatch(username, password);`
			`})));`
Add ldap authentication 2016-08-11 11:21:48 +00:00
All about user login Not runnable at the moment 2017-07-08 13:48:34 +00:00			`passport.serializeUser((user, done) => done(null, user.id));`
Lists list and CUD Custom forms list Updated DB schema (not yet implemented in the server, which means that most of the server is not broken). - custom forms are independent of a list - order and visibility of fields is now in custom_fields - first_name and last_name has been turned to a regular custom field 2017-07-29 19:42:07 +00:00			`passport.deserializeUser((id, done) => nodeifyPromise(users.getById(contextHelpers.getAdminContext(), id), done));`
Add ldap authentication 2016-08-11 11:21:48 +00:00			`}`
Initial import 2016-04-04 12:36:30 +00:00