richard
/
wiki
mirror of https://github.com/Requarks/wiki.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
960 Commits
3 Branches
120 Tags
80 MiB
Tree: 75f2f16613
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '75f2f16613'
${ noResults }
wiki/server/core/auth.js

241 lines
7.0 KiB
Raw Normal View History

feat: self-contained auth modules + login UI + icons
7 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: self-contained auth modules + login UI + icons
7 years ago
refactor: remove config namespaces
6 years ago
feat: self-contained auth modules + login UI + icons
7 years ago
feat: guest + user permissions
5 years ago
feat: authentication improvements
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: remove config namespaces
6 years ago
Merged core back into main project
7 years ago
feat: queue handling
7 years ago
feat: self-contained auth modules + login UI + icons
7 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
feat: guest + user permissions
5 years ago
feat: self-contained auth modules + login UI + icons
7 years ago
feat: page Rules access check
5 years ago
feat: login + TFA authentication
6 years ago
feat: queue handling
7 years ago
Merged core back into main project
7 years ago
feat: page Rules access check
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: page Rules access check
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: page Rules access check
5 years ago
Merged core back into main project
7 years ago
feat: page Rules access check
5 years ago
feat: self-contained auth modules + login UI + icons
7 years ago
refactor: remove config namespaces
6 years ago
feat: guest + user permissions
5 years ago
refactor: remove config namespaces
6 years ago
feat: locale namespacing save + auth fetch fix
6 years ago
refactor: remove config namespaces
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: user menu + jwt certs + UI fixes
6 years ago
feat: guest + user permissions
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: auth self-registration config + gql grouping
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
refactor: remove config namespaces
6 years ago
feat: auth self-registration config + gql grouping
6 years ago
feat: authentication module refactor + added CAS module
6 years ago
feat: auth self-registration config + gql grouping
6 years ago
feat: guest + user permissions
5 years ago
refactor: remove config namespaces
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: remove config namespaces
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
fix: code lint
5 years ago
feat: auth advanced settings UI + reload auth on save
6 years ago
refactor: remove config namespaces
6 years ago
feat: guest + user permissions
5 years ago
fix: auth token refresh missing permissions field
5 years ago
fix: root admin access deny bug + patreon link
5 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
feat: guest + user permissions
5 years ago
fix: setup https support + various fixes
5 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
fix: root admin access deny bug + patreon link
5 years ago
feat: guest + user permissions
5 years ago
fix: root admin access deny bug + patreon link
5 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
fix: setup https support + various fixes
5 years ago
feat: page Rules access check
5 years ago
fix: setup https support + various fixes
5 years ago
feat: page Rules access check
5 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
feat: queue handling
7 years ago
Merged core back into main project
7 years ago
  1. const passport = require('passport')
  2. const passportJWT = require('passport-jwt')
  3. const fs = require('fs-extra')
  4. const _ = require('lodash')
  5. const path = require('path')
  6. const jwt = require('jsonwebtoken')
  7. const moment = require('moment')
  9. const securityHelper = require('../helpers/security')
  11. /* global WIKI */
  13. module.exports = {
  14. strategies: {},
  15. guest: {
  16. cacheExpiration: moment.utc().subtract(1, 'd')
  17. },
  18. groups: {},
  20. /**
  21. * Initialize the authentication module
  22. */
  23. init() {
  24. this.passport = passport
  26. passport.serializeUser((user, done) => {
  27. done(null, user.id)
  28. })
  30. passport.deserializeUser(async (id, done) => {
  31. try {
  32. const user = await WIKI.models.users.query().findById(id).modifyEager('groups', builder => {
  33. builder.select('groups.id', 'permissions')
  34. })
  35. if (user) {
  36. done(null, user)
  37. } else {
  38. done(new Error(WIKI.lang.t('auth:errors:usernotfound')), null)
  39. }
  40. } catch (err) {
  41. done(err, null)
  42. }
  43. })
  45. this.reloadGroups()
  47. return this
  48. },
  50. /**
  51. * Load authentication strategies
  52. */
  53. async activateStrategies() {
  54. try {
  55. // Unload any active strategies
  56. WIKI.auth.strategies = {}
  57. const currentStrategies = _.keys(passport._strategies)
  58. _.pull(currentStrategies, 'session')
  59. _.forEach(currentStrategies, stg => { passport.unuse(stg) })
  61. // Load JWT
  62. passport.use('jwt', new passportJWT.Strategy({
  63. jwtFromRequest: securityHelper.extractJWT,
  64. secretOrKey: WIKI.config.certs.public,
  65. audience: WIKI.config.auth.audience,
  66. issuer: 'urn:wiki.js'
  67. }, (jwtPayload, cb) => {
  68. cb(null, jwtPayload)
  69. }))
  71. // Load enabled strategies
  72. const enabledStrategies = await WIKI.models.authentication.getStrategies()
  73. for (let idx in enabledStrategies) {
  74. const stg = enabledStrategies[idx]
  75. if (!stg.isEnabled) { continue }
  77. const strategy = require(`../modules/authentication/${stg.key}/authentication.js`)
  79. stg.config.callbackURL = `${WIKI.config.host}/login/${stg.key}/callback`
  80. strategy.init(passport, stg.config)
  81. strategy.config = stg.config
  83. WIKI.auth.strategies[stg.key] = {
  84. ...strategy,
  85. ...stg
  86. }
  87. WIKI.logger.info(`Authentication Strategy ${stg.key}: [ OK ]`)
  88. }
  89. } catch (err) {
  90. WIKI.logger.error(`Authentication Strategy: [ FAILED ]`)
  91. WIKI.logger.error(err)
  92. }
  93. },
  95. /**
  96. * Authenticate current request
  97. *
  98. * @param {Express Request} req
  99. * @param {Express Response} res
  100. * @param {Express Next Callback} next
  101. */
  102. authenticate(req, res, next) {
  103. WIKI.auth.passport.authenticate('jwt', {session: false}, async (err, user, info) => {
  104. if (err) { return next() }
  106. // Expired but still valid within N days, just renew
  107. if (info instanceof Error && info.name === 'TokenExpiredError' && moment().subtract(14, 'days').isBefore(info.expiredAt)) {
  108. const jwtPayload = jwt.decode(securityHelper.extractJWT(req))
  109. try {
  110. const newToken = await WIKI.models.users.refreshToken(jwtPayload.id)
  111. user = newToken.user
  112. user.permissions = user.getGlobalPermissions()
  113. req.user = user
  115. // Try headers, otherwise cookies for response
  116. if (req.get('content-type') === 'application/json') {
  117. res.set('new-jwt', newToken.token)
  118. } else {
  119. res.cookie('jwt', newToken.token, { expires: moment().add(365, 'days').toDate() })
  120. }
  121. } catch (err) {
  122. WIKI.logger.warn(err)
  123. return next()
  124. }
  125. }
  127. // JWT is NOT valid, set as guest
  128. if (!user) {
  129. if (WIKI.auth.guest.cacheExpiration.isSameOrBefore(moment.utc())) {
  130. WIKI.auth.guest = await WIKI.models.users.getGuestUser()
  131. WIKI.auth.guest.cacheExpiration = moment.utc().add(1, 'm')
  132. }
  133. req.user = WIKI.auth.guest
  134. return next()
  135. }
  137. // JWT is valid
  138. req.logIn(user, { session: false }, (err) => {
  139. if (err) { return next(err) }
  140. next()
  141. })
  142. })(req, res, next)
  143. },
  145. /**
  146. * Check if user has access to resource
  147. *
  148. * @param {User} user
  149. * @param {Array<String>} permissions
  150. * @param {String|Boolean} path
  151. */
  152. checkAccess(user, permissions = [], page = false) {
  153. const userPermissions = user.permissions ? user.permissions : user.getGlobalPermissions()
  155. // System Admin
  156. if (_.includes(userPermissions, 'manage:system')) {
  157. return true
  158. }
  160. // Check Global Permissions
  161. if (_.intersection(userPermissions, permissions).length < 1) {
  162. return false
  163. }
  165. // Check Page Rules
  166. if (path && user.groups) {
  167. let checkState = {
  168. deny: false,
  169. match: false,
  170. specificity: ''
  171. }
  172. user.groups.forEach(grp => {
  173. const grpId = _.isObject(grp) ? _.get(grp, 'id', 0) : grp
  174. _.get(WIKI.auth.groups, `${grpId}.pageRules`, []).forEach(rule => {
  175. switch (rule.match) {
  176. case 'START':
  177. if (_.startsWith(`/${page.path}`, `/${rule.path}`)) {
  178. checkState = this._applyPageRuleSpecificity({ rule, checkState, higherPriority: ['END', 'REGEX', 'EXACT'] })
  179. }
  180. break
  181. case 'END':
  182. if (_.endsWith(page.path, rule.path)) {
  183. checkState = this._applyPageRuleSpecificity({ rule, checkState, higherPriority: ['REGEX', 'EXACT'] })
  184. }
  185. break
  186. case 'REGEX':
  187. const reg = new RegExp(rule.path)
  188. if (reg.test(page.path)) {
  189. checkState = this._applyPageRuleSpecificity({ rule, checkState, higherPriority: ['EXACT'] })
  190. }
  191. break
  192. case 'EXACT':
  193. if (`/${page.path}` === `/${rule.path}`) {
  194. checkState = this._applyPageRuleSpecificity({ rule, checkState, higherPriority: [] })
  195. }
  196. break
  197. }
  198. })
  199. })
  201. return (checkState.match && !checkState.deny)
  202. }
  204. return false
  205. },
  207. /**
  208. * Check and apply Page Rule specificity
  209. *
  210. * @access private
  211. */
  212. _applyPageRuleSpecificity ({ rule, checkState, higherPriority = [] }) {
  213. if (rule.path.length === checkState.specificity.length) {
  214. // Do not override higher priority rules
  215. if (_.includes(higherPriority, checkState.match)) {
  216. return checkState
  217. }
  218. // Do not override a previous DENY rule with same match
  219. if (rule.match === checkState.match && checkState.deny && !rule.deny) {
  220. return checkState
  221. }
  222. } else if (rule.path.length < checkState.specificity.length) {
  223. // Do not override higher specificity rules
  224. return checkState
  225. }
  227. return {
  228. deny: rule.deny,
  229. match: rule.match,
  230. specificity: rule.path
  231. }
  232. },
  234. /**
  235. * Reload Groups from DB
  236. */
  237. async reloadGroups() {
  238. const groupsArray = await WIKI.models.groups.query()
  239. this.groups = _.keyBy(groupsArray, 'id')
  240. }
  241. }