Gitiles
Code Review Sign In
review.jami.net / jami-web / 4e7445c076adee2cb8d8953f4d16b3880b958beb / . / server / src / routers / auth-router.ts
blob: f04529ee9060059eda9175dd4074007f03c14c1b [file] [log] [blame]
Issam E. Maghni0ef4a362022-10-05 23:20:16 +0000[diff] [blame]1/*
2 * Copyright (C) 2022 Savoir-faire Linux Inc.
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU Affero General Public License as
6 * published by the Free Software Foundation; either version 3 of the
7 * License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU Affero General Public License for more details.
13 *
14 * You should have received a copy of the GNU Affero General Public
15 * License along with this program. If not, see
16 * <https://www.gnu.org/licenses/>.
17 */
Issam E. Maghnif796a092022-10-09 20:25:26 +0000[diff] [blame]18import argon2 from 'argon2';
Misha Krieger-Raynauld708a9632022-10-14 22:55:59 -0400[diff] [blame]19import { Router } from 'express';
Issam E. Maghni0ef4a362022-10-05 23:20:16 +0000[diff] [blame]20import asyncHandler from 'express-async-handler';
Issam E. Maghnif796a092022-10-09 20:25:26 +0000[diff] [blame]21import { ParamsDictionary, Request } from 'express-serve-static-core';
Misha Krieger-Raynauld2f5d1ce2022-10-23 21:13:33 -0400[diff] [blame]22import { HttpStatusCode } from 'jami-web-common';
Issam E. Maghnif796a092022-10-09 20:25:26 +0000[diff] [blame]23import { SignJWT } from 'jose';
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]24import { Container } from 'typedi';
Issam E. Maghni0ef4a362022-10-05 23:20:16 +0000[diff] [blame]25
Issam E. Maghnif796a092022-10-09 20:25:26 +0000[diff] [blame]26import { Creds } from '../creds.js';
Misha Krieger-Raynauldaddd6fe2022-10-22 12:46:04 -0400[diff] [blame]27import { Jamid } from '../jamid/jamid.js';
Issam E. Maghnif796a092022-10-09 20:25:26 +0000[diff] [blame]28import { Vault } from '../vault.js';
29
30interface Credentials {
31 username?: string;
32 password?: string;
33}
Issam E. Maghni0ef4a362022-10-05 23:20:16 +0000[diff] [blame]34
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]35const jamid = Container.get(Jamid);
36const creds = Container.get(Creds);
37const vault = Container.get(Vault);
Issam E. Maghnif796a092022-10-09 20:25:26 +0000[diff] [blame]38
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]39export const authRouter = Router();
Issam E. Maghni0ef4a362022-10-05 23:20:16 +0000[diff] [blame]40
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]41authRouter.post(
42 '/new-account',
Misha Krieger-Raynauld8a381da2022-11-03 17:37:51 -0400[diff] [blame]43 asyncHandler(async (req: Request<ParamsDictionary, string, Credentials>, res, _next) => {
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]44 const { username, password } = req.body;
Misha Krieger-Raynauldcb11bba2022-11-11 18:08:33 -0500[diff] [blame]45 if (username === undefined || password === undefined) {
46 res.status(HttpStatusCode.BadRequest).send('Missing username or password in body');
47 return;
48 }
49
50 if (password === '') {
51 res.status(HttpStatusCode.BadRequest).send('Password may not be empty');
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]52 return;
53 }
Issam E. Maghnif796a092022-10-09 20:25:26 +0000[diff] [blame]54
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]55 const hashedPassword = await argon2.hash(password, { type: argon2.argon2id });
Issam E. Maghnif796a092022-10-09 20:25:26 +0000[diff] [blame]56
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]57 // TODO: add JAMS support
58 // managerUri: 'https://jams.savoirfairelinux.com',
59 // managerUsername: data.username,
60 // TODO: find a way to store the password directly in Jami
61 // Maybe by using the "password" field? But as I tested, it's not
62 // returned when getting user infos.
Misha Krieger-Raynauld8a381da2022-11-03 17:37:51 -0400[diff] [blame]63 const accountId = await jamid.addAccount(new Map());
Issam E. Maghnif796a092022-10-09 20:25:26 +0000[diff] [blame]64
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]65 // TODO: understand why the password arg in this call must be empty
Misha Krieger-Raynauld8a381da2022-11-03 17:37:51 -0400[diff] [blame]66 const state = await jamid.registerUsername(accountId, username, '');
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]67 if (state !== 0) {
Misha Krieger-Raynauldb6f1c322022-10-23 20:42:57 -0400[diff] [blame]68 jamid.removeAccount(accountId);
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]69 if (state === 2) {
Misha Krieger-Raynauld2f5d1ce2022-10-23 21:13:33 -0400[diff] [blame]70 res.status(HttpStatusCode.BadRequest).send('Invalid username or password');
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]71 } else if (state === 3) {
Misha Krieger-Raynauld2f5d1ce2022-10-23 21:13:33 -0400[diff] [blame]72 res.status(HttpStatusCode.Conflict).send('Username already exists');
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]73 } else {
74 throw new Error(`Unhandled state ${state}`);
75 }
76 return;
77 }
Issam E. Maghnif796a092022-10-09 20:25:26 +0000[diff] [blame]78
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]79 creds.set(username, hashedPassword);
80 await creds.save();
Issam E. Maghnif796a092022-10-09 20:25:26 +0000[diff] [blame]81
Misha Krieger-Raynauld2f5d1ce2022-10-23 21:13:33 -0400[diff] [blame]82 res.sendStatus(HttpStatusCode.Created);
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]83 })
84);
Issam E. Maghnif796a092022-10-09 20:25:26 +0000[diff] [blame]85
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]86authRouter.post(
87 '/login',
Misha Krieger-Raynauld8a381da2022-11-03 17:37:51 -0400[diff] [blame]88 asyncHandler(async (req: Request<ParamsDictionary, { accessToken: string } | string, Credentials>, res, _next) => {
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]89 const { username, password } = req.body;
Misha Krieger-Raynauldcb11bba2022-11-11 18:08:33 -0500[diff] [blame]90 if (username === undefined || password === undefined) {
91 res.status(HttpStatusCode.BadRequest).send('Missing username or password in body');
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]92 return;
93 }
Issam E. Maghni0ef4a362022-10-05 23:20:16 +0000[diff] [blame]94
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]95 // The account may either be:
96 // 1. not found
97 // 2. found but not on this instance (but I'm not sure about this)
Misha Krieger-Raynauldb6f1c322022-10-23 20:42:57 -0400[diff] [blame]98 const accountId = jamid.getAccountIdFromUsername(username);
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]99 if (accountId === undefined) {
Misha Krieger-Raynauld2f5d1ce2022-10-23 21:13:33 -0400[diff] [blame]100 res.status(HttpStatusCode.NotFound).send('Username not found');
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]101 return;
102 }
Issam E. Maghnif796a092022-10-09 20:25:26 +0000[diff] [blame]103
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]104 // TODO: load the password from Jami
105 const hashedPassword = creds.get(username);
106 if (!hashedPassword) {
Misha Krieger-Raynauldcb11bba2022-11-11 18:08:33 -0500[diff] [blame]107 res
108 .status(HttpStatusCode.NotFound)
109 .send('Password not found (the account does not have a password set on the server)');
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]110 return;
111 }
Issam E. Maghnif796a092022-10-09 20:25:26 +0000[diff] [blame]112
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]113 const isPasswordVerified = await argon2.verify(hashedPassword, password);
114 if (!isPasswordVerified) {
Misha Krieger-Raynauldcb11bba2022-11-11 18:08:33 -0500[diff] [blame]115 res.status(HttpStatusCode.Unauthorized).send('Incorrect password');
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]116 return;
117 }
Issam E. Maghnif796a092022-10-09 20:25:26 +0000[diff] [blame]118
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]119 const jwt = await new SignJWT({ id: accountId })
120 .setProtectedHeader({ alg: 'EdDSA' })
121 .setIssuedAt()
122 // TODO: use valid issuer and audience
123 .setIssuer('urn:example:issuer')
124 .setAudience('urn:example:audience')
125 .setExpirationTime('2h')
126 .sign(vault.privateKey);
Misha Krieger-Raynauld8a381da2022-11-03 17:37:51 -0400[diff] [blame]127 res.send({ accessToken: jwt });
Misha Krieger-Raynauld242560f2022-10-16 19:59:58 -0400[diff] [blame]128 })
129);