Michelle Sepkap Sime | 6967fb9 | 2022-11-08 08:39:36 -0500 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2022 Savoir-faire Linux Inc. |
| 3 | * |
| 4 | * This program is free software; you can redistribute it and/or modify |
| 5 | * it under the terms of the GNU Affero General Public License as |
| 6 | * published by the Free Software Foundation; either version 3 of the |
| 7 | * License, or (at your option) any later version. |
| 8 | * |
| 9 | * This program is distributed in the hope that it will be useful, |
| 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 12 | * GNU Affero General Public License for more details. |
| 13 | * |
| 14 | * You should have received a copy of the GNU Affero General Public |
| 15 | * License along with this program. If not, see |
| 16 | * <https://www.gnu.org/licenses/>. |
| 17 | */ |
| 18 | import argon2 from 'argon2'; |
| 19 | import { Router } from 'express'; |
| 20 | import asyncHandler from 'express-async-handler'; |
| 21 | import { ParamsDictionary, Request } from 'express-serve-static-core'; |
| 22 | import { HttpStatusCode } from 'jami-web-common'; |
| 23 | import { SignJWT } from 'jose'; |
| 24 | import { Container } from 'typedi'; |
| 25 | |
| 26 | import { AdminConfig } from '../admin-config.js'; |
| 27 | import { checkAdminSetup } from '../middleware/setup.js'; |
| 28 | import { Vault } from '../vault.js'; |
| 29 | |
| 30 | export const setupRouter = Router(); |
| 31 | |
| 32 | const vault = Container.get(Vault); |
| 33 | const adminConfig = Container.get(AdminConfig); |
| 34 | |
| 35 | setupRouter.get('/check', (_req, res, _next) => { |
| 36 | const isSetupComplete = adminConfig.get() !== undefined; |
| 37 | res.send({ isSetupComplete }); |
| 38 | }); |
| 39 | |
| 40 | setupRouter.post( |
| 41 | '/admin/create', |
| 42 | asyncHandler(async (req: Request<ParamsDictionary, string, { password?: string }>, res, _next) => { |
Misha Krieger-Raynauld | cb11bba | 2022-11-11 18:08:33 -0500 | [diff] [blame] | 43 | const { password } = req.body; |
| 44 | if (password === undefined) { |
| 45 | res.status(HttpStatusCode.BadRequest).send('Missing password in body'); |
Michelle Sepkap Sime | 6967fb9 | 2022-11-08 08:39:36 -0500 | [diff] [blame] | 46 | return; |
| 47 | } |
| 48 | |
Misha Krieger-Raynauld | cb11bba | 2022-11-11 18:08:33 -0500 | [diff] [blame] | 49 | if (password === '') { |
| 50 | res.status(HttpStatusCode.BadRequest).send('Password may not be empty'); |
| 51 | return; |
| 52 | } |
| 53 | |
| 54 | const isAdminCreated = adminConfig.get() !== undefined; |
| 55 | if (isAdminCreated) { |
| 56 | res.status(HttpStatusCode.Conflict).send('Admin already exists'); |
Michelle Sepkap Sime | 6967fb9 | 2022-11-08 08:39:36 -0500 | [diff] [blame] | 57 | return; |
| 58 | } |
| 59 | |
| 60 | const hashedPassword = await argon2.hash(password, { type: argon2.argon2id }); |
Misha Krieger-Raynauld | cb11bba | 2022-11-11 18:08:33 -0500 | [diff] [blame] | 61 | |
Michelle Sepkap Sime | 6967fb9 | 2022-11-08 08:39:36 -0500 | [diff] [blame] | 62 | adminConfig.set(hashedPassword); |
| 63 | await adminConfig.save(); |
| 64 | |
| 65 | res.sendStatus(HttpStatusCode.Created); |
| 66 | }) |
| 67 | ); |
| 68 | |
| 69 | // Every request handler after this line will be submitted to this middleware |
| 70 | // in order to ensure that the admin account is set up before proceeding with |
Misha Krieger-Raynauld | cb11bba | 2022-11-11 18:08:33 -0500 | [diff] [blame] | 71 | // setup related requests |
Michelle Sepkap Sime | 6967fb9 | 2022-11-08 08:39:36 -0500 | [diff] [blame] | 72 | setupRouter.use(checkAdminSetup); |
| 73 | |
| 74 | setupRouter.post( |
| 75 | '/admin/login', |
| 76 | asyncHandler( |
| 77 | async (req: Request<ParamsDictionary, { accessToken: string } | string, { password: string }>, res, _next) => { |
| 78 | const { password } = req.body; |
Misha Krieger-Raynauld | cb11bba | 2022-11-11 18:08:33 -0500 | [diff] [blame] | 79 | if (password === undefined) { |
| 80 | res.status(HttpStatusCode.BadRequest).send('Missing password in body'); |
Michelle Sepkap Sime | 6967fb9 | 2022-11-08 08:39:36 -0500 | [diff] [blame] | 81 | return; |
| 82 | } |
| 83 | |
| 84 | const hashedPassword = adminConfig.get(); |
Misha Krieger-Raynauld | cb11bba | 2022-11-11 18:08:33 -0500 | [diff] [blame] | 85 | |
Michelle Sepkap Sime | 6967fb9 | 2022-11-08 08:39:36 -0500 | [diff] [blame] | 86 | const isPasswordVerified = await argon2.verify(hashedPassword, password); |
| 87 | if (!isPasswordVerified) { |
Misha Krieger-Raynauld | cb11bba | 2022-11-11 18:08:33 -0500 | [diff] [blame] | 88 | res.status(HttpStatusCode.Forbidden).send('Incorrect password'); |
Michelle Sepkap Sime | 6967fb9 | 2022-11-08 08:39:36 -0500 | [diff] [blame] | 89 | return; |
| 90 | } |
| 91 | |
| 92 | const jwt = await new SignJWT({ id: 'admin' }) |
| 93 | .setProtectedHeader({ alg: 'EdDSA' }) |
| 94 | .setIssuedAt() |
| 95 | // TODO: use valid issuer and audience |
| 96 | .setIssuer('urn:example:issuer') |
| 97 | .setAudience('urn:example:audience') |
| 98 | .setExpirationTime('2h') |
| 99 | .sign(vault.privateKey); |
| 100 | res.send({ accessToken: jwt }); |
| 101 | } |
| 102 | ) |
| 103 | ); |