github/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2024-10-18 05:10:16 -04:00
Code Issues Projects Releases Packages Wiki Activity

tokens: Add token creation

Browse source 
Fix token deletion
Update plantuml docs
Add token validUntil and lastUsed fields

Signed-off-by: Philip Molares <philip.molares@udo.edu>
This commit is contained in:
Philip Molares 2021-01-21 19:37:43 +01:00 committed by David Mehren
parent cce1626c48
commit c9751404f7
No known key found for this signature in database
GPG key ID: 185982BA4C42B7C3
9 changed files with 113 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
docs/content/dev/db-schema.plantuml
View file

@ -28,9 +28,12 @@ entity "auth_token"{
*id : number <<generated>>
--
*userId : uuid
*keyId: text
*accessToken : text
*identifier: text
*createdAt: date
lastUsed: number
validUntil: number
}
entity "identity" {

3
src/api/private/private-api.module.ts
View file

@ -7,9 +7,10 @@
import { Module } from '@nestjs/common';
import { UsersModule } from '../../users/users.module';
import { TokensController } from './tokens/tokens.controller';
import { LoggerModule } from '../../logger/logger.module';
@Module({
imports: [UsersModule],
imports: [UsersModule, LoggerModule],
controllers: [TokensController],
})
export class PrivateApiModule {}

12
src/api/private/tokens/tokens.controller.ts
View file

@ -30,9 +30,9 @@ export class TokensController {
@Get()
async getUserTokens(): Promise<AuthTokenDto[]> {
// ToDo: Get real userName
return (await this.usersService.getTokensByUsername('molly')).map((token) =>
this.usersService.toAuthTokenDto(token),
);
return (
await this.usersService.getTokensByUsername('hardcoded')
).map((token) => this.usersService.toAuthTokenDto(token));
}
@Post()
@ -49,10 +49,10 @@ export class TokensController {
return this.usersService.toAuthTokenWithSecretDto(authToken);
}
@Delete('/:timestamp')
@Delete('/:keyId')
@HttpCode(204)
async deleteToken(@Param('timestamp') timestamp: number) {
async deleteToken(@Param('keyId') keyId: string) {
// ToDo: Get real userName
return this.usersService.removeToken('hardcoded', timestamp);
return this.usersService.removeToken('hardcoded', keyId);
}
}

2
src/app.module.ts
View file

@ -25,6 +25,7 @@ import hstsConfig from './config/hsts.config';
import cspConfig from './config/csp.config';
import databaseConfig from './config/database.config';
import authConfig from './config/auth.config';
import { PrivateApiModule } from './api/private/private-api.module';
@Module({
imports: [
@ -50,6 +51,7 @@ import authConfig from './config/auth.config';
RevisionsModule,
AuthorsModule,
PublicApiModule,
PrivateApiModule,
HistoryModule,
MonitoringModule,
PermissionsModule,

4
src/auth/auth.service.ts
View file

@ -7,8 +7,10 @@ export class AuthService {
constructor(private usersService: UsersService) {}
async validateToken(token: string): Promise<User> {
const user = await this.usersService.getUserByAuthToken(token);
const parts = token.split('.');
const user = await this.usersService.getUserByAuthToken(parts[0], parts[1]);
if (user) {
await this.usersService.setLastUsedToken(parts[0])
return user;
}
return null;

4
src/errors/errors.ts
View file

@ -15,3 +15,7 @@ export class ClientError extends Error {
export class PermissionError extends Error {
name = 'PermissionError';
}
export class TokenNotValid extends Error {
name = 'TokenNotValid';
}

4
src/users/auth-token.dto.ts
View file

@ -11,4 +11,8 @@ export class AuthTokenDto {
label: string;
@IsNumber()
created: number;
@IsNumber()
validUntil: number | null;
@IsNumber()
lastUsed: number | null;
}

30
src/users/auth-token.entity.ts
View file

@ -4,7 +4,13 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
import { Column, CreateDateColumn, Entity, ManyToOne, PrimaryGeneratedColumn } from 'typeorm';
import {
Column,
CreateDateColumn,
Entity,
ManyToOne,
PrimaryGeneratedColumn,
} from 'typeorm';
import { User } from './user.entity';
@Entity()
@ -12,6 +18,9 @@ export class AuthToken {
@PrimaryGeneratedColumn()
id: number;
@Column({ unique: true })
keyId: string;
@ManyToOne((_) => User, (user) => user.authTokens)
user: User;
@ -24,21 +33,32 @@ export class AuthToken {
@Column({ unique: true })
accessToken: string;
@Column({ type: 'date' })
validUntil: Date;
@Column({
nullable: true,
})
validUntil: number;
@Column({
nullable: true,
})
lastUsed: number;
public static create(
user: User,
identifier: string,
keyId: string,
accessToken: string,
validUntil: Date,
validUntil?: number,
): Pick<AuthToken, 'user' | 'accessToken'> {
const newToken = new AuthToken();
newToken.user = user;
newToken.identifier = identifier;
newToken.keyId = keyId;
newToken.accessToken = accessToken;
newToken.createdAt = new Date();
newToken.validUntil = validUntil;
if (validUntil !== undefined) {
newToken.validUntil = validUntil;
}
return newToken;
}
}

86
src/users/users.service.ts
View file

@ -7,13 +7,13 @@
import { Injectable } from '@nestjs/common';
import { InjectRepository } from '@nestjs/typeorm';
import { Repository } from 'typeorm';
import { NotInDBError } from '../errors/errors';
import { NotInDBError, TokenNotValid } from '../errors/errors';
import { ConsoleLoggerService } from '../logger/console-logger.service';
import { UserInfoDto } from './user-info.dto';
import { User } from './user.entity';
import { AuthToken } from './auth-token.entity';
import { hash, compare } from 'bcrypt'
import crypt from 'crypto';
import { hash, compare } from 'bcrypt';
import { randomBytes } from 'crypto';
import { AuthTokenDto } from './auth-token.dto';
import { AuthTokenWithSecretDto } from './auth-token-with-secret.dto';
@ -33,19 +33,36 @@ export class UsersService {
return this.userRepository.save(user);
}
randomBase64UrlString(): string {
// This is necessary as the is no base64url encoding in the toString method
// but as can be seen on https://tools.ietf.org/html/rfc4648#page-7
// base64url is quite easy buildable from base64
return randomBytes(64)
.toString('base64')
.replace('+', '-')
.replace('/', '_')
.replace(/=+$/, '');
}
async createTokenForUser(
userName: string,
identifier: string,
until: number,
): Promise<AuthToken> {
const user = await this.getUserByUsername(userName);
const randomString = crypt.randomBytes(64).toString('base64url');
const accessToken = await this.hashPassword(randomString);
const token = AuthToken.create(user, identifier, accessToken, new Date(until));
const secret = this.randomBase64UrlString();
const keyId = this.randomBase64UrlString();
const accessToken = await this.hashPassword(secret);
let token;
if (until === 0) {
token = AuthToken.create(user, identifier, keyId, accessToken);
} else {
token = AuthToken.create(user, identifier, keyId, accessToken, until);
}
const createdToken = await this.authTokenRepository.save(token);
return {
accessToken: randomString,
...createdToken,
accessToken: `${keyId}.${secret}`,
};
}
@ -57,9 +74,10 @@ export class UsersService {
await this.userRepository.delete(user);
}
async getUserByUsername(userName: string): Promise<User> {
async getUserByUsername(userName: string, withTokens = false): Promise<User> {
const user = await this.userRepository.findOne({
where: { userName: userName },
relations: withTokens ? ['authTokens'] : null,
});
if (user === undefined) {
throw new NotInDBError(`User with username '${userName}' not found`);
@ -69,22 +87,45 @@ export class UsersService {
async hashPassword(cleartext: string): Promise<string> {
// hash the password with bcrypt and 2^16 iterations
return hash(cleartext, 16)
return hash(cleartext, 16);
}
async checkPassword(cleartext: string, password: string): Promise<boolean> {
// hash the password with bcrypt and 2^16 iterations
return compare(cleartext, password)
return compare(cleartext, password);
}
async getUserByAuthToken(token: string): Promise<User> {
const hash = this.hashPassword(token);
async setLastUsedToken(keyId: string) {
const accessToken = await this.authTokenRepository.findOne({
where: { accessToken: hash },
where: { keyId: keyId },
});
accessToken.lastUsed = new Date().getTime();
await this.authTokenRepository.save(accessToken);
}
async getUserByAuthToken(keyId: string, token: string): Promise<User> {
const accessToken = await this.authTokenRepository.findOne({
where: { keyId: keyId },
relations: ['user'],
});
if (accessToken === undefined) {
throw new NotInDBError(`AuthToken '${token}' not found`);
}
if (!(await this.checkPassword(token, accessToken.accessToken))) {
// hashes are not the same
throw new TokenNotValid(`AuthToken '${token}' is not valid.`);
}
if (
accessToken.validUntil &&
accessToken.validUntil < new Date().getTime()
) {
// tokens validUntil Date lies in the past
throw new TokenNotValid(
`AuthToken '${token}' is not valid since ${new Date(
accessToken.validUntil,
)}.`,
);
}
return this.getUserByUsername(accessToken.user.userName);
}
@ -98,14 +139,17 @@ export class UsersService {
}
async getTokensByUsername(userName: string): Promise<AuthToken[]> {
const user = await this.getUserByUsername(userName);
const user = await this.getUserByUsername(userName, true);
if (user.authTokens === undefined) {
return [];
}
return user.authTokens;
}
async removeToken(userName: string, timestamp: number) {
async removeToken(userName: string, keyId: string) {
const user = await this.getUserByUsername(userName);
const token = await this.authTokenRepository.findOne({
where: { createdAt: new Date(timestamp), user: user },
where: { keyId: keyId, user: user },
});
await this.authTokenRepository.remove(token);
}
@ -118,19 +162,17 @@ export class UsersService {
return {
label: authToken.identifier,
created: authToken.createdAt.getTime(),
validUntil: authToken.validUntil,
lastUsed: authToken.lastUsed,
};
}
toAuthTokenWithSecretDto(
authToken: AuthToken | null | undefined,
): AuthTokenWithSecretDto | null {
if (!authToken) {
this.logger.warn(`Recieved ${authToken} argument!`, 'toAuthTokenDto');
return null;
}
const tokeDto = this.toAuthTokenDto(authToken)
return {
label: authToken.identifier,
created: authToken.createdAt.getTime(),
...tokeDto,
secret: authToken.accessToken,
};
}