server/src/routers/auth-router.ts - jami-web - Gitiles

 /*
  * Copyright (C) 2022 Savoir-faire Linux Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
  * published by the Free Software Foundation; either version 3 of the
  * License, or (at your option) any later version.
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU Affero General Public License for more details.
  *
  * You should have received a copy of the GNU Affero General Public
  * License along with this program.  If not, see
  * <https://www.gnu.org/licenses/>.
  */
 import argon2 from 'argon2';
 import { Router } from 'express';
 import asyncHandler from 'express-async-handler';
 import { ParamsDictionary, Request } from 'express-serve-static-core';
 import { AccessToken, AccountDetails, HttpStatusCode, UserCredentials } from 'jami-web-common';
 import { Container } from 'typedi';

 import { Jamid } from '../jamid/jamid.js';
 import { NameRegistrationEndedState, RegistrationState } from '../jamid/state-enums.js';
 import { Accounts } from '../storage/accounts.js';
 import { signJwt } from '../utils/jwt.js';

 const jamid = Container.get(Jamid);
 const accounts = Container.get(Accounts);

 export const authRouter = Router();

 authRouter.post(
   '/new-account',
   asyncHandler(async (req: Request<ParamsDictionary, string, Partial<UserCredentials>>, res) => {
     const { username, password, isJams } = req.body;
     if (username === undefined || password === undefined) {
       res.status(HttpStatusCode.BadRequest).send('Missing username or password in body');
       return;
     }

     const isAccountAlreadyCreated = accounts.get(username, isJams) !== undefined;
     if (isAccountAlreadyCreated) {
       res.status(HttpStatusCode.Conflict).send('Username already exists locally');
       return;
     }

     if (password === '') {
       res.status(HttpStatusCode.BadRequest).send('Password may not be empty');
       return;
     }

     const hashedPassword = await argon2.hash(password, { type: argon2.argon2id });

     const accountDetails: Partial<AccountDetails> = {
       // TODO: Enable encrypted archives
       // 'Account.archivePassword': password
     };
     if (isJams) {
       accountDetails['Account.managerUri'] = 'https://jams.savoirfairelinux.com/';
       accountDetails['Account.managerUsername'] = username;
     }
     const { accountId, state } = await jamid.addAccount(accountDetails);

     if (isJams) {
       if (state === RegistrationState.ErrorGeneric) {
         jamid.removeAccount(accountId);
         res.status(HttpStatusCode.Unauthorized).send('Invalid JAMS credentials');
         return;
       }
     } else {
       const state = await jamid.registerUsername(accountId, username, '');
       if (state !== NameRegistrationEndedState.Success) {
         jamid.removeAccount(accountId);
         switch (state) {
           case NameRegistrationEndedState.InvalidName:
             res.status(HttpStatusCode.BadRequest).send('Invalid username or password');
             break;
           case NameRegistrationEndedState.AlreadyTaken:
             res.status(HttpStatusCode.Conflict).send('Username already exists');
             break;
           default:
             throw new Error(`Unhandled state ${state}`);
         }
         return;
       }
     }

     accounts.set(username, hashedPassword, isJams);
     await accounts.save();

     res.sendStatus(HttpStatusCode.Created);
   })
 );

 authRouter.post(
   '/login',
   asyncHandler(async (req: Request<ParamsDictionary, AccessToken | string, Partial<UserCredentials>>, res) => {
     const { username, password, isJams } = req.body;
     if (username === undefined || password === undefined) {
       res.status(HttpStatusCode.BadRequest).send('Missing username or password in body');
       return;
     }

     // Check if the account is stored on this daemon instance
     const accountId = jamid.getAccountIdFromUsername(username);
     if (accountId === undefined) {
       res.status(HttpStatusCode.NotFound).send('Username not found');
       return;
     }

     const hashedPassword = accounts.get(username, isJams);
     if (hashedPassword === undefined) {
       res
         .status(HttpStatusCode.NotFound)
         .send('Password not found (the account does not have a password set on the server)');
       return;
     }

     const isPasswordVerified = await argon2.verify(hashedPassword, password);
     if (!isPasswordVerified) {
       res.status(HttpStatusCode.Unauthorized).send('Incorrect password');
       return;
     }

     const jwt = await signJwt(accountId);
     res.status(HttpStatusCode.Ok).send({ accessToken: jwt });
   })
 );
	/*
	* Copyright (C) 2022 Savoir-faire Linux Inc.
	*
	* This program is free software; you can redistribute it and/or modify
	* it under the terms of the GNU Affero General Public License as
	* published by the Free Software Foundation; either version 3 of the
	* License, or (at your option) any later version.
	*
	* This program is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	* GNU Affero General Public License for more details.
	*
	* You should have received a copy of the GNU Affero General Public
	* License along with this program. If not, see
	* <https://www.gnu.org/licenses/>.
	*/
	import argon2 from 'argon2';
	import { Router } from 'express';
	import asyncHandler from 'express-async-handler';
	import { ParamsDictionary, Request } from 'express-serve-static-core';
	import { AccessToken, AccountDetails, HttpStatusCode, UserCredentials } from 'jami-web-common';
	import { Container } from 'typedi';

	import { Jamid } from '../jamid/jamid.js';
	import { NameRegistrationEndedState, RegistrationState } from '../jamid/state-enums.js';
	import { Accounts } from '../storage/accounts.js';
	import { signJwt } from '../utils/jwt.js';

	const jamid = Container.get(Jamid);
	const accounts = Container.get(Accounts);

	export const authRouter = Router();

	authRouter.post(
	'/new-account',
	asyncHandler(async (req: Request<ParamsDictionary, string, Partial<UserCredentials>>, res) => {
	const { username, password, isJams } = req.body;
	if (username === undefined \|\| password === undefined) {
	res.status(HttpStatusCode.BadRequest).send('Missing username or password in body');
	return;
	}

	const isAccountAlreadyCreated = accounts.get(username, isJams) !== undefined;
	if (isAccountAlreadyCreated) {
	res.status(HttpStatusCode.Conflict).send('Username already exists locally');
	return;
	}

	if (password === '') {
	res.status(HttpStatusCode.BadRequest).send('Password may not be empty');
	return;
	}

	const hashedPassword = await argon2.hash(password, { type: argon2.argon2id });

	const accountDetails: Partial<AccountDetails> = {
	// TODO: Enable encrypted archives
	// 'Account.archivePassword': password
	};
	if (isJams) {
	accountDetails['Account.managerUri'] = 'https://jams.savoirfairelinux.com/';
	accountDetails['Account.managerUsername'] = username;
	}
	const { accountId, state } = await jamid.addAccount(accountDetails);

	if (isJams) {
	if (state === RegistrationState.ErrorGeneric) {
	jamid.removeAccount(accountId);
	res.status(HttpStatusCode.Unauthorized).send('Invalid JAMS credentials');
	return;
	}
	} else {
	const state = await jamid.registerUsername(accountId, username, '');
	if (state !== NameRegistrationEndedState.Success) {
	jamid.removeAccount(accountId);
	switch (state) {
	case NameRegistrationEndedState.InvalidName:
	res.status(HttpStatusCode.BadRequest).send('Invalid username or password');
	break;
	case NameRegistrationEndedState.AlreadyTaken:
	res.status(HttpStatusCode.Conflict).send('Username already exists');
	break;
	default:
	throw new Error(`Unhandled state ${state}`);
	}
	return;
	}
	}

	accounts.set(username, hashedPassword, isJams);
	await accounts.save();

	res.sendStatus(HttpStatusCode.Created);
	})
	);

	authRouter.post(
	'/login',
	asyncHandler(async (req: Request<ParamsDictionary, AccessToken \| string, Partial<UserCredentials>>, res) => {
	const { username, password, isJams } = req.body;
	if (username === undefined \|\| password === undefined) {
	res.status(HttpStatusCode.BadRequest).send('Missing username or password in body');
	return;
	}

	// Check if the account is stored on this daemon instance
	const accountId = jamid.getAccountIdFromUsername(username);
	if (accountId === undefined) {
	res.status(HttpStatusCode.NotFound).send('Username not found');
	return;
	}

	const hashedPassword = accounts.get(username, isJams);
	if (hashedPassword === undefined) {
	res
	.status(HttpStatusCode.NotFound)
	.send('Password not found (the account does not have a password set on the server)');
	return;
	}

	const isPasswordVerified = await argon2.verify(hashedPassword, password);
	if (!isPasswordVerified) {
	res.status(HttpStatusCode.Unauthorized).send('Incorrect password');
	return;
	}

	const jwt = await signJwt(accountId);
	res.status(HttpStatusCode.Ok).send({ accessToken: jwt });
	})
	);