richard
/
wiki
mirror of https://github.com/Requarks/wiki.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1041 Commits
3 Branches
120 Tags
80 MiB
Tree: eb66ae6088
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'eb66ae6088'
${ noResults }
wiki/server/core/auth.js

240 lines
7.0 KiB
Raw Normal View History

feat: self-contained auth modules + login UI + icons
7 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: remove config namespaces
6 years ago
feat: self-contained auth modules + login UI + icons
7 years ago
feat: guest + user permissions
5 years ago
feat: authentication improvements
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: remove config namespaces
6 years ago
Merged core back into main project
7 years ago
feat: queue handling
7 years ago
feat: self-contained auth modules + login UI + icons
7 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
feat: guest + user permissions
5 years ago
feat: self-contained auth modules + login UI + icons
7 years ago
feat: page Rules access check
5 years ago
feat: login + TFA authentication
6 years ago
feat: queue handling
7 years ago
Merged core back into main project
7 years ago
feat: page Rules access check
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: page Rules access check
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: page Rules access check
5 years ago
Merged core back into main project
7 years ago
feat: page Rules access check
5 years ago
feat: self-contained auth modules + login UI + icons
7 years ago
refactor: remove config namespaces
6 years ago
feat: guest + user permissions
5 years ago
refactor: remove config namespaces
6 years ago
feat: locale namespacing save + auth fetch fix
6 years ago
refactor: remove config namespaces
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: user menu + jwt certs + UI fixes
6 years ago
feat: guest + user permissions
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: auth self-registration config + gql grouping
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
refactor: remove config namespaces
6 years ago
feat: auth self-registration config + gql grouping
6 years ago
feat: authentication module refactor + added CAS module
6 years ago
feat: auth self-registration config + gql grouping
6 years ago
feat: guest + user permissions
5 years ago
refactor: remove config namespaces
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: remove config namespaces
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
fix: code lint
5 years ago
feat: auth advanced settings UI + reload auth on save
6 years ago
refactor: remove config namespaces
6 years ago
feat: guest + user permissions
5 years ago
fix: auth token refresh missing permissions field
5 years ago
fix: root admin access deny bug + patreon link
5 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
feat: guest + user permissions
5 years ago
fix: setup https support + various fixes
5 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
fix: root admin access deny bug + patreon link
5 years ago
feat: guest + user permissions
5 years ago
fix: root admin access deny bug + patreon link
5 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
fix: setup https support + various fixes
5 years ago
feat: page Rules access check
5 years ago
fix: setup https support + various fixes
5 years ago
feat: page Rules access check
5 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
feat: queue handling
7 years ago
Merged core back into main project
7 years ago
  1. const passport = require('passport')
  2. const passportJWT = require('passport-jwt')
  3. const _ = require('lodash')
  4. const path = require('path')
  5. const jwt = require('jsonwebtoken')
  6. const moment = require('moment')
  8. const securityHelper = require('../helpers/security')
  10. /* global WIKI */
  12. module.exports = {
  13. strategies: {},
  14. guest: {
  15. cacheExpiration: moment.utc().subtract(1, 'd')
  16. },
  17. groups: {},
  19. /**
  20. * Initialize the authentication module
  21. */
  22. init() {
  23. this.passport = passport
  25. passport.serializeUser((user, done) => {
  26. done(null, user.id)
  27. })
  29. passport.deserializeUser(async (id, done) => {
  30. try {
  31. const user = await WIKI.models.users.query().findById(id).modifyEager('groups', builder => {
  32. builder.select('groups.id', 'permissions')
  33. })
  34. if (user) {
  35. done(null, user)
  36. } else {
  37. done(new Error(WIKI.lang.t('auth:errors:usernotfound')), null)
  38. }
  39. } catch (err) {
  40. done(err, null)
  41. }
  42. })
  44. this.reloadGroups()
  46. return this
  47. },
  49. /**
  50. * Load authentication strategies
  51. */
  52. async activateStrategies() {
  53. try {
  54. // Unload any active strategies
  55. WIKI.auth.strategies = {}
  56. const currentStrategies = _.keys(passport._strategies)
  57. _.pull(currentStrategies, 'session')
  58. _.forEach(currentStrategies, stg => { passport.unuse(stg) })
  60. // Load JWT
  61. passport.use('jwt', new passportJWT.Strategy({
  62. jwtFromRequest: securityHelper.extractJWT,
  63. secretOrKey: WIKI.config.certs.public,
  64. audience: WIKI.config.auth.audience,
  65. issuer: 'urn:wiki.js'
  66. }, (jwtPayload, cb) => {
  67. cb(null, jwtPayload)
  68. }))
  70. // Load enabled strategies
  71. const enabledStrategies = await WIKI.models.authentication.getStrategies()
  72. for (let idx in enabledStrategies) {
  73. const stg = enabledStrategies[idx]
  74. if (!stg.isEnabled) { continue }
  76. const strategy = require(`../modules/authentication/${stg.key}/authentication.js`)
  78. stg.config.callbackURL = `${WIKI.config.host}/login/${stg.key}/callback`
  79. strategy.init(passport, stg.config)
  80. strategy.config = stg.config
  82. WIKI.auth.strategies[stg.key] = {
  83. ...strategy,
  84. ...stg
  85. }
  86. WIKI.logger.info(`Authentication Strategy ${stg.key}: [ OK ]`)
  87. }
  88. } catch (err) {
  89. WIKI.logger.error(`Authentication Strategy: [ FAILED ]`)
  90. WIKI.logger.error(err)
  91. }
  92. },
  94. /**
  95. * Authenticate current request
  96. *
  97. * @param {Express Request} req
  98. * @param {Express Response} res
  99. * @param {Express Next Callback} next
  100. */
  101. authenticate(req, res, next) {
  102. WIKI.auth.passport.authenticate('jwt', {session: false}, async (err, user, info) => {
  103. if (err) { return next() }
  105. // Expired but still valid within N days, just renew
  106. if (info instanceof Error && info.name === 'TokenExpiredError' && moment().subtract(14, 'days').isBefore(info.expiredAt)) {
  107. const jwtPayload = jwt.decode(securityHelper.extractJWT(req))
  108. try {
  109. const newToken = await WIKI.models.users.refreshToken(jwtPayload.id)
  110. user = newToken.user
  111. user.permissions = user.getGlobalPermissions()
  112. req.user = user
  114. // Try headers, otherwise cookies for response
  115. if (req.get('content-type') === 'application/json') {
  116. res.set('new-jwt', newToken.token)
  117. } else {
  118. res.cookie('jwt', newToken.token, { expires: moment().add(365, 'days').toDate() })
  119. }
  120. } catch (err) {
  121. WIKI.logger.warn(err)
  122. return next()
  123. }
  124. }
  126. // JWT is NOT valid, set as guest
  127. if (!user) {
  128. if (WIKI.auth.guest.cacheExpiration.isSameOrBefore(moment.utc())) {
  129. WIKI.auth.guest = await WIKI.models.users.getGuestUser()
  130. WIKI.auth.guest.cacheExpiration = moment.utc().add(1, 'm')
  131. }
  132. req.user = WIKI.auth.guest
  133. return next()
  134. }
  136. // JWT is valid
  137. req.logIn(user, { session: false }, (err) => {
  138. if (err) { return next(err) }
  139. next()
  140. })
  141. })(req, res, next)
  142. },
  144. /**
  145. * Check if user has access to resource
  146. *
  147. * @param {User} user
  148. * @param {Array<String>} permissions
  149. * @param {String|Boolean} path
  150. */
  151. checkAccess(user, permissions = [], page = false) {
  152. const userPermissions = user.permissions ? user.permissions : user.getGlobalPermissions()
  154. // System Admin
  155. if (_.includes(userPermissions, 'manage:system')) {
  156. return true
  157. }
  159. // Check Global Permissions
  160. if (_.intersection(userPermissions, permissions).length < 1) {
  161. return false
  162. }
  164. // Check Page Rules
  165. if (path && user.groups) {
  166. let checkState = {
  167. deny: false,
  168. match: false,
  169. specificity: ''
  170. }
  171. user.groups.forEach(grp => {
  172. const grpId = _.isObject(grp) ? _.get(grp, 'id', 0) : grp
  173. _.get(WIKI.auth.groups, `${grpId}.pageRules`, []).forEach(rule => {
  174. switch (rule.match) {
  175. case 'START':
  176. if (_.startsWith(`/${page.path}`, `/${rule.path}`)) {
  177. checkState = this._applyPageRuleSpecificity({ rule, checkState, higherPriority: ['END', 'REGEX', 'EXACT'] })
  178. }
  179. break
  180. case 'END':
  181. if (_.endsWith(page.path, rule.path)) {
  182. checkState = this._applyPageRuleSpecificity({ rule, checkState, higherPriority: ['REGEX', 'EXACT'] })
  183. }
  184. break
  185. case 'REGEX':
  186. const reg = new RegExp(rule.path)
  187. if (reg.test(page.path)) {
  188. checkState = this._applyPageRuleSpecificity({ rule, checkState, higherPriority: ['EXACT'] })
  189. }
  190. break
  191. case 'EXACT':
  192. if (`/${page.path}` === `/${rule.path}`) {
  193. checkState = this._applyPageRuleSpecificity({ rule, checkState, higherPriority: [] })
  194. }
  195. break
  196. }
  197. })
  198. })
  200. return (checkState.match && !checkState.deny)
  201. }
  203. return false
  204. },
  206. /**
  207. * Check and apply Page Rule specificity
  208. *
  209. * @access private
  210. */
  211. _applyPageRuleSpecificity ({ rule, checkState, higherPriority = [] }) {
  212. if (rule.path.length === checkState.specificity.length) {
  213. // Do not override higher priority rules
  214. if (_.includes(higherPriority, checkState.match)) {
  215. return checkState
  216. }
  217. // Do not override a previous DENY rule with same match
  218. if (rule.match === checkState.match && checkState.deny && !rule.deny) {
  219. return checkState
  220. }
  221. } else if (rule.path.length < checkState.specificity.length) {
  222. // Do not override higher specificity rules
  223. return checkState
  224. }
  226. return {
  227. deny: rule.deny,
  228. match: rule.match,
  229. specificity: rule.path
  230. }
  231. },
  233. /**
  234. * Reload Groups from DB
  235. */
  236. async reloadGroups() {
  237. const groupsArray = await WIKI.models.groups.query()
  238. this.groups = _.keyBy(groupsArray, 'id')
  239. }
  240. }