Issam E. Maghni | 0ef4a36 | 2022-10-05 23:20:16 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2022 Savoir-faire Linux Inc. |
| 3 | * |
| 4 | * This program is free software; you can redistribute it and/or modify |
| 5 | * it under the terms of the GNU Affero General Public License as |
| 6 | * published by the Free Software Foundation; either version 3 of the |
| 7 | * License, or (at your option) any later version. |
| 8 | * |
| 9 | * This program is distributed in the hope that it will be useful, |
| 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 12 | * GNU Affero General Public License for more details. |
| 13 | * |
| 14 | * You should have received a copy of the GNU Affero General Public |
| 15 | * License along with this program. If not, see |
| 16 | * <https://www.gnu.org/licenses/>. |
| 17 | */ |
Issam E. Maghni | f796a09 | 2022-10-09 20:25:26 +0000 | [diff] [blame] | 18 | import argon2 from 'argon2'; |
Misha Krieger-Raynauld | 708a963 | 2022-10-14 22:55:59 -0400 | [diff] [blame] | 19 | import { Router } from 'express'; |
Issam E. Maghni | 0ef4a36 | 2022-10-05 23:20:16 +0000 | [diff] [blame] | 20 | import asyncHandler from 'express-async-handler'; |
Issam E. Maghni | f796a09 | 2022-10-09 20:25:26 +0000 | [diff] [blame] | 21 | import { ParamsDictionary, Request } from 'express-serve-static-core'; |
Misha Krieger-Raynauld | 2f5d1ce | 2022-10-23 21:13:33 -0400 | [diff] [blame] | 22 | import { HttpStatusCode } from 'jami-web-common'; |
Issam E. Maghni | f796a09 | 2022-10-09 20:25:26 +0000 | [diff] [blame] | 23 | import { SignJWT } from 'jose'; |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 24 | import { Container } from 'typedi'; |
Issam E. Maghni | 0ef4a36 | 2022-10-05 23:20:16 +0000 | [diff] [blame] | 25 | |
Issam E. Maghni | f796a09 | 2022-10-09 20:25:26 +0000 | [diff] [blame] | 26 | import { Creds } from '../creds.js'; |
Misha Krieger-Raynauld | addd6fe | 2022-10-22 12:46:04 -0400 | [diff] [blame] | 27 | import { Jamid } from '../jamid/jamid.js'; |
Issam E. Maghni | f796a09 | 2022-10-09 20:25:26 +0000 | [diff] [blame] | 28 | import { Vault } from '../vault.js'; |
| 29 | |
| 30 | interface Credentials { |
| 31 | username?: string; |
| 32 | password?: string; |
| 33 | } |
Issam E. Maghni | 0ef4a36 | 2022-10-05 23:20:16 +0000 | [diff] [blame] | 34 | |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 35 | const jamid = Container.get(Jamid); |
| 36 | const creds = Container.get(Creds); |
| 37 | const vault = Container.get(Vault); |
Issam E. Maghni | f796a09 | 2022-10-09 20:25:26 +0000 | [diff] [blame] | 38 | |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 39 | export const authRouter = Router(); |
Issam E. Maghni | 0ef4a36 | 2022-10-05 23:20:16 +0000 | [diff] [blame] | 40 | |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 41 | authRouter.post( |
| 42 | '/new-account', |
Misha Krieger-Raynauld | 8a381da | 2022-11-03 17:37:51 -0400 | [diff] [blame] | 43 | asyncHandler(async (req: Request<ParamsDictionary, string, Credentials>, res, _next) => { |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 44 | const { username, password } = req.body; |
Misha Krieger-Raynauld | cb11bba | 2022-11-11 18:08:33 -0500 | [diff] [blame] | 45 | if (username === undefined || password === undefined) { |
| 46 | res.status(HttpStatusCode.BadRequest).send('Missing username or password in body'); |
| 47 | return; |
| 48 | } |
| 49 | |
| 50 | if (password === '') { |
| 51 | res.status(HttpStatusCode.BadRequest).send('Password may not be empty'); |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 52 | return; |
| 53 | } |
Issam E. Maghni | f796a09 | 2022-10-09 20:25:26 +0000 | [diff] [blame] | 54 | |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 55 | const hashedPassword = await argon2.hash(password, { type: argon2.argon2id }); |
Issam E. Maghni | f796a09 | 2022-10-09 20:25:26 +0000 | [diff] [blame] | 56 | |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 57 | // TODO: add JAMS support |
| 58 | // managerUri: 'https://jams.savoirfairelinux.com', |
| 59 | // managerUsername: data.username, |
| 60 | // TODO: find a way to store the password directly in Jami |
| 61 | // Maybe by using the "password" field? But as I tested, it's not |
| 62 | // returned when getting user infos. |
Misha Krieger-Raynauld | 8a381da | 2022-11-03 17:37:51 -0400 | [diff] [blame] | 63 | const accountId = await jamid.addAccount(new Map()); |
Issam E. Maghni | f796a09 | 2022-10-09 20:25:26 +0000 | [diff] [blame] | 64 | |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 65 | // TODO: understand why the password arg in this call must be empty |
Misha Krieger-Raynauld | 8a381da | 2022-11-03 17:37:51 -0400 | [diff] [blame] | 66 | const state = await jamid.registerUsername(accountId, username, ''); |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 67 | if (state !== 0) { |
Misha Krieger-Raynauld | b6f1c32 | 2022-10-23 20:42:57 -0400 | [diff] [blame] | 68 | jamid.removeAccount(accountId); |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 69 | if (state === 2) { |
Misha Krieger-Raynauld | 2f5d1ce | 2022-10-23 21:13:33 -0400 | [diff] [blame] | 70 | res.status(HttpStatusCode.BadRequest).send('Invalid username or password'); |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 71 | } else if (state === 3) { |
Misha Krieger-Raynauld | 2f5d1ce | 2022-10-23 21:13:33 -0400 | [diff] [blame] | 72 | res.status(HttpStatusCode.Conflict).send('Username already exists'); |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 73 | } else { |
| 74 | throw new Error(`Unhandled state ${state}`); |
| 75 | } |
| 76 | return; |
| 77 | } |
Issam E. Maghni | f796a09 | 2022-10-09 20:25:26 +0000 | [diff] [blame] | 78 | |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 79 | creds.set(username, hashedPassword); |
| 80 | await creds.save(); |
Issam E. Maghni | f796a09 | 2022-10-09 20:25:26 +0000 | [diff] [blame] | 81 | |
Misha Krieger-Raynauld | 2f5d1ce | 2022-10-23 21:13:33 -0400 | [diff] [blame] | 82 | res.sendStatus(HttpStatusCode.Created); |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 83 | }) |
| 84 | ); |
Issam E. Maghni | f796a09 | 2022-10-09 20:25:26 +0000 | [diff] [blame] | 85 | |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 86 | authRouter.post( |
| 87 | '/login', |
Misha Krieger-Raynauld | 8a381da | 2022-11-03 17:37:51 -0400 | [diff] [blame] | 88 | asyncHandler(async (req: Request<ParamsDictionary, { accessToken: string } | string, Credentials>, res, _next) => { |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 89 | const { username, password } = req.body; |
Misha Krieger-Raynauld | cb11bba | 2022-11-11 18:08:33 -0500 | [diff] [blame] | 90 | if (username === undefined || password === undefined) { |
| 91 | res.status(HttpStatusCode.BadRequest).send('Missing username or password in body'); |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 92 | return; |
| 93 | } |
Issam E. Maghni | 0ef4a36 | 2022-10-05 23:20:16 +0000 | [diff] [blame] | 94 | |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 95 | // The account may either be: |
| 96 | // 1. not found |
| 97 | // 2. found but not on this instance (but I'm not sure about this) |
Misha Krieger-Raynauld | b6f1c32 | 2022-10-23 20:42:57 -0400 | [diff] [blame] | 98 | const accountId = jamid.getAccountIdFromUsername(username); |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 99 | if (accountId === undefined) { |
Misha Krieger-Raynauld | 2f5d1ce | 2022-10-23 21:13:33 -0400 | [diff] [blame] | 100 | res.status(HttpStatusCode.NotFound).send('Username not found'); |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 101 | return; |
| 102 | } |
Issam E. Maghni | f796a09 | 2022-10-09 20:25:26 +0000 | [diff] [blame] | 103 | |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 104 | // TODO: load the password from Jami |
| 105 | const hashedPassword = creds.get(username); |
| 106 | if (!hashedPassword) { |
Misha Krieger-Raynauld | cb11bba | 2022-11-11 18:08:33 -0500 | [diff] [blame] | 107 | res |
| 108 | .status(HttpStatusCode.NotFound) |
| 109 | .send('Password not found (the account does not have a password set on the server)'); |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 110 | return; |
| 111 | } |
Issam E. Maghni | f796a09 | 2022-10-09 20:25:26 +0000 | [diff] [blame] | 112 | |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 113 | const isPasswordVerified = await argon2.verify(hashedPassword, password); |
| 114 | if (!isPasswordVerified) { |
Misha Krieger-Raynauld | cb11bba | 2022-11-11 18:08:33 -0500 | [diff] [blame] | 115 | res.status(HttpStatusCode.Unauthorized).send('Incorrect password'); |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 116 | return; |
| 117 | } |
Issam E. Maghni | f796a09 | 2022-10-09 20:25:26 +0000 | [diff] [blame] | 118 | |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 119 | const jwt = await new SignJWT({ id: accountId }) |
| 120 | .setProtectedHeader({ alg: 'EdDSA' }) |
| 121 | .setIssuedAt() |
| 122 | // TODO: use valid issuer and audience |
| 123 | .setIssuer('urn:example:issuer') |
| 124 | .setAudience('urn:example:audience') |
| 125 | .setExpirationTime('2h') |
| 126 | .sign(vault.privateKey); |
Misha Krieger-Raynauld | 8a381da | 2022-11-03 17:37:51 -0400 | [diff] [blame] | 127 | res.send({ accessToken: jwt }); |
Misha Krieger-Raynauld | 242560f | 2022-10-16 19:59:58 -0400 | [diff] [blame] | 128 | }) |
| 129 | ); |