2019-05-29 05:21:06 -04:00
|
|
|
const { Project } = require('../../models/Project')
|
|
|
|
const PublicAccessLevels = require('../Authorization/PublicAccessLevels')
|
|
|
|
const PrivilegeLevels = require('../Authorization/PrivilegeLevels')
|
|
|
|
const UserGetter = require('../User/UserGetter')
|
|
|
|
const { ObjectId } = require('mongojs')
|
|
|
|
const Settings = require('settings-sharelatex')
|
|
|
|
const logger = require('logger-sharelatex')
|
|
|
|
const V1Api = require('../V1/V1Api')
|
|
|
|
const crypto = require('crypto')
|
2020-02-25 04:39:53 -05:00
|
|
|
const { promisifyAll } = require('../../util/promises')
|
|
|
|
|
|
|
|
const READ_AND_WRITE_TOKEN_PATTERN = '([0-9]+[a-z]{6,12})'
|
|
|
|
const READ_ONLY_TOKEN_PATTERN = '([a-z]{12})'
|
2019-05-29 05:21:06 -04:00
|
|
|
|
2019-07-11 09:00:54 -04:00
|
|
|
const TokenAccessHandler = {
|
2020-02-25 04:39:53 -05:00
|
|
|
TOKEN_TYPES: {
|
|
|
|
READ_ONLY: PrivilegeLevels.READ_ONLY,
|
|
|
|
READ_AND_WRITE: PrivilegeLevels.READ_AND_WRITE
|
|
|
|
},
|
|
|
|
|
2019-05-29 05:21:06 -04:00
|
|
|
ANONYMOUS_READ_AND_WRITE_ENABLED:
|
|
|
|
Settings.allowAnonymousReadAndWriteSharing === true,
|
|
|
|
|
2020-02-25 04:39:53 -05:00
|
|
|
READ_AND_WRITE_TOKEN_PATTERN,
|
|
|
|
READ_AND_WRITE_TOKEN_REGEX: new RegExp(`^${READ_AND_WRITE_TOKEN_PATTERN}$`),
|
|
|
|
READ_AND_WRITE_URL_REGEX: new RegExp(`^/${READ_AND_WRITE_TOKEN_PATTERN}$`),
|
|
|
|
|
|
|
|
READ_ONLY_TOKEN_PATTERN,
|
|
|
|
READ_ONLY_TOKEN_REGEX: new RegExp(`^${READ_ONLY_TOKEN_PATTERN}$`),
|
|
|
|
READ_ONLY_URL_REGEX: new RegExp(`^/read/${READ_ONLY_TOKEN_PATTERN}$`),
|
|
|
|
|
2020-02-25 08:52:02 -05:00
|
|
|
makeReadAndWriteTokenUrl(token) {
|
|
|
|
return `/${token}`
|
|
|
|
},
|
|
|
|
|
|
|
|
makeReadOnlyTokenUrl(token) {
|
|
|
|
return `/read/${token}`
|
|
|
|
},
|
|
|
|
|
|
|
|
makeTokenUrl(token) {
|
|
|
|
const tokenType = TokenAccessHandler.getTokenType(token)
|
|
|
|
if (tokenType === TokenAccessHandler.TOKEN_TYPES.READ_AND_WRITE) {
|
|
|
|
return TokenAccessHandler.makeReadAndWriteTokenUrl(token)
|
|
|
|
} else if (tokenType === TokenAccessHandler.TOKEN_TYPES.READ_ONLY) {
|
|
|
|
return TokenAccessHandler.makeReadOnlyTokenUrl(token)
|
|
|
|
} else {
|
|
|
|
throw new Error('invalid token type')
|
|
|
|
}
|
|
|
|
},
|
|
|
|
|
2020-02-25 04:39:53 -05:00
|
|
|
getTokenType(token) {
|
|
|
|
if (!token) {
|
|
|
|
return null
|
|
|
|
}
|
|
|
|
if (token.match(`^${TokenAccessHandler.READ_ONLY_TOKEN_PATTERN}$`)) {
|
|
|
|
return TokenAccessHandler.TOKEN_TYPES.READ_ONLY
|
|
|
|
} else if (
|
|
|
|
token.match(`^${TokenAccessHandler.READ_AND_WRITE_TOKEN_PATTERN}$`)
|
|
|
|
) {
|
|
|
|
return TokenAccessHandler.TOKEN_TYPES.READ_AND_WRITE
|
|
|
|
}
|
|
|
|
return null
|
|
|
|
},
|
|
|
|
|
|
|
|
isReadOnlyToken(token) {
|
|
|
|
return (
|
|
|
|
TokenAccessHandler.getTokenType(token) ===
|
|
|
|
TokenAccessHandler.TOKEN_TYPES.READ_ONLY
|
|
|
|
)
|
|
|
|
},
|
|
|
|
|
|
|
|
isReadAndWriteToken(token) {
|
|
|
|
return (
|
|
|
|
TokenAccessHandler.getTokenType(token) ===
|
|
|
|
TokenAccessHandler.TOKEN_TYPES.READ_AND_WRITE
|
|
|
|
)
|
|
|
|
},
|
|
|
|
|
|
|
|
isValidToken(token) {
|
|
|
|
return TokenAccessHandler.getTokenType(token) != null
|
|
|
|
},
|
|
|
|
|
|
|
|
tokenAccessEnabledForProject(project) {
|
|
|
|
return project.publicAccesLevel === PublicAccessLevels.TOKEN_BASED
|
2019-05-29 05:21:06 -04:00
|
|
|
},
|
|
|
|
|
2020-02-25 04:39:53 -05:00
|
|
|
_projectFindOne(query, callback) {
|
2019-07-11 09:00:54 -04:00
|
|
|
Project.findOne(
|
2020-02-25 04:39:53 -05:00
|
|
|
query,
|
2019-05-29 05:21:06 -04:00
|
|
|
{
|
2020-02-25 04:39:53 -05:00
|
|
|
_id: 1,
|
|
|
|
tokens: 1,
|
|
|
|
publicAccesLevel: 1,
|
|
|
|
owner_ref: 1,
|
|
|
|
name: 1
|
2019-05-29 05:21:06 -04:00
|
|
|
},
|
|
|
|
callback
|
|
|
|
)
|
|
|
|
},
|
|
|
|
|
2020-02-25 04:39:53 -05:00
|
|
|
getProjectByReadOnlyToken(token, callback) {
|
|
|
|
TokenAccessHandler._projectFindOne({ 'tokens.readOnly': token }, callback)
|
2019-05-29 05:21:06 -04:00
|
|
|
},
|
|
|
|
|
2020-02-25 04:39:53 -05:00
|
|
|
_extractNumericPrefix(token) {
|
|
|
|
return token.match(/^(\d+)\w+/)
|
|
|
|
},
|
|
|
|
|
|
|
|
_extractStringSuffix(token) {
|
|
|
|
return token.match(/^\d+(\w+)/)
|
|
|
|
},
|
|
|
|
|
|
|
|
getProjectByReadAndWriteToken(token, callback) {
|
2019-05-29 05:21:06 -04:00
|
|
|
const numericPrefixMatch = TokenAccessHandler._extractNumericPrefix(token)
|
|
|
|
if (!numericPrefixMatch) {
|
|
|
|
return callback(null, null)
|
|
|
|
}
|
|
|
|
const numerics = numericPrefixMatch[1]
|
2020-02-25 04:39:53 -05:00
|
|
|
TokenAccessHandler._projectFindOne(
|
2019-05-29 05:21:06 -04:00
|
|
|
{
|
|
|
|
'tokens.readAndWritePrefix': numerics
|
|
|
|
},
|
|
|
|
function(err, project) {
|
|
|
|
if (err != null) {
|
|
|
|
return callback(err)
|
|
|
|
}
|
|
|
|
if (project == null) {
|
|
|
|
return callback(null, null)
|
|
|
|
}
|
|
|
|
try {
|
|
|
|
if (
|
|
|
|
!crypto.timingSafeEqual(
|
2019-07-11 09:00:54 -04:00
|
|
|
Buffer.from(token),
|
|
|
|
Buffer.from(project.tokens.readAndWrite)
|
2019-05-29 05:21:06 -04:00
|
|
|
)
|
|
|
|
) {
|
|
|
|
logger.err(
|
|
|
|
{ token },
|
|
|
|
'read-and-write token match on numeric section, but not on full token'
|
|
|
|
)
|
|
|
|
return callback(null, null)
|
|
|
|
} else {
|
|
|
|
return callback(null, project)
|
|
|
|
}
|
|
|
|
} catch (error) {
|
|
|
|
err = error
|
|
|
|
logger.err({ token, cryptoErr: err }, 'error comparing tokens')
|
|
|
|
return callback(null, null)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
)
|
|
|
|
},
|
|
|
|
|
2020-02-25 04:39:53 -05:00
|
|
|
getProjectByToken(tokenType, token, callback) {
|
|
|
|
if (tokenType === TokenAccessHandler.TOKEN_TYPES.READ_ONLY) {
|
|
|
|
TokenAccessHandler.getProjectByReadOnlyToken(token, callback)
|
|
|
|
} else if (tokenType === TokenAccessHandler.TOKEN_TYPES.READ_AND_WRITE) {
|
|
|
|
TokenAccessHandler.getProjectByReadAndWriteToken(token, callback)
|
|
|
|
} else {
|
|
|
|
return callback(new Error('invalid token type'))
|
|
|
|
}
|
2019-05-29 05:21:06 -04:00
|
|
|
},
|
|
|
|
|
|
|
|
addReadOnlyUserToProject(userId, projectId, callback) {
|
|
|
|
userId = ObjectId(userId.toString())
|
|
|
|
projectId = ObjectId(projectId.toString())
|
2019-07-11 09:00:54 -04:00
|
|
|
Project.update(
|
2019-05-29 05:21:06 -04:00
|
|
|
{
|
|
|
|
_id: projectId
|
|
|
|
},
|
|
|
|
{
|
|
|
|
$addToSet: { tokenAccessReadOnly_refs: userId }
|
|
|
|
},
|
|
|
|
callback
|
|
|
|
)
|
|
|
|
},
|
|
|
|
|
|
|
|
addReadAndWriteUserToProject(userId, projectId, callback) {
|
|
|
|
userId = ObjectId(userId.toString())
|
|
|
|
projectId = ObjectId(projectId.toString())
|
2019-07-11 09:00:54 -04:00
|
|
|
Project.update(
|
2019-05-29 05:21:06 -04:00
|
|
|
{
|
|
|
|
_id: projectId
|
|
|
|
},
|
|
|
|
{
|
|
|
|
$addToSet: { tokenAccessReadAndWrite_refs: userId }
|
|
|
|
},
|
|
|
|
callback
|
|
|
|
)
|
|
|
|
},
|
|
|
|
|
|
|
|
grantSessionTokenAccess(req, projectId, token) {
|
2019-07-11 09:00:54 -04:00
|
|
|
if (!req.session) {
|
|
|
|
return
|
2019-05-29 05:21:06 -04:00
|
|
|
}
|
2019-07-11 09:00:54 -04:00
|
|
|
if (!req.session.anonTokenAccess) {
|
|
|
|
req.session.anonTokenAccess = {}
|
|
|
|
}
|
2020-02-25 04:39:53 -05:00
|
|
|
req.session.anonTokenAccess[projectId.toString()] = token
|
2019-05-29 05:21:06 -04:00
|
|
|
},
|
|
|
|
|
|
|
|
getRequestToken(req, projectId) {
|
2019-07-11 11:00:17 -04:00
|
|
|
const token =
|
|
|
|
(req.session &&
|
|
|
|
req.session.anonTokenAccess &&
|
|
|
|
req.session.anonTokenAccess[projectId.toString()]) ||
|
|
|
|
req.headers['x-sl-anonymous-access-token']
|
2019-05-29 05:21:06 -04:00
|
|
|
return token
|
|
|
|
},
|
|
|
|
|
2020-02-25 04:39:53 -05:00
|
|
|
validateTokenForAnonymousAccess(projectId, token, callback) {
|
2019-05-29 05:21:06 -04:00
|
|
|
if (!token) {
|
|
|
|
return callback(null, false, false)
|
|
|
|
}
|
2020-02-25 04:39:53 -05:00
|
|
|
const tokenType = TokenAccessHandler.getTokenType(token)
|
|
|
|
if (!tokenType) {
|
|
|
|
return callback(new Error('invalid token type'))
|
|
|
|
}
|
|
|
|
TokenAccessHandler.getProjectByToken(tokenType, token, (err, project) => {
|
|
|
|
if (err) {
|
2019-05-29 05:21:06 -04:00
|
|
|
return callback(err)
|
|
|
|
}
|
2020-02-25 04:39:53 -05:00
|
|
|
if (
|
|
|
|
!project ||
|
|
|
|
!TokenAccessHandler.tokenAccessEnabledForProject(project) ||
|
|
|
|
project._id.toString() !== projectId.toString()
|
2019-05-29 05:21:06 -04:00
|
|
|
) {
|
2020-02-25 04:39:53 -05:00
|
|
|
return callback(null, false, false)
|
|
|
|
}
|
|
|
|
// TODO: think about cleaning up this interface and its usage in AuthorizationManager
|
|
|
|
return callback(
|
|
|
|
null,
|
|
|
|
tokenType === TokenAccessHandler.TOKEN_TYPES.READ_AND_WRITE &&
|
|
|
|
TokenAccessHandler.ANONYMOUS_READ_AND_WRITE_ENABLED,
|
|
|
|
tokenType === TokenAccessHandler.TOKEN_TYPES.READ_ONLY
|
|
|
|
)
|
2019-05-29 05:21:06 -04:00
|
|
|
})
|
|
|
|
},
|
|
|
|
|
|
|
|
protectTokens(project, privilegeLevel) {
|
2019-07-11 09:00:54 -04:00
|
|
|
if (!project || !project.tokens) {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if (privilegeLevel === PrivilegeLevels.OWNER) {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if (privilegeLevel !== PrivilegeLevels.READ_AND_WRITE) {
|
|
|
|
project.tokens.readAndWrite = ''
|
|
|
|
project.tokens.readAndWritePrefix = ''
|
|
|
|
}
|
|
|
|
if (privilegeLevel !== PrivilegeLevels.READ_ONLY) {
|
|
|
|
project.tokens.readOnly = ''
|
2019-05-29 05:21:06 -04:00
|
|
|
}
|
|
|
|
},
|
|
|
|
|
|
|
|
getV1DocPublishedInfo(token, callback) {
|
|
|
|
// default to allowing access
|
2019-11-25 05:39:14 -05:00
|
|
|
if (!Settings.apis.v1 || !Settings.apis.v1.url) {
|
2019-07-11 09:00:54 -04:00
|
|
|
return callback(null, { allow: true })
|
2019-05-29 05:21:06 -04:00
|
|
|
}
|
2019-07-11 09:00:54 -04:00
|
|
|
V1Api.request(
|
2019-05-29 05:21:06 -04:00
|
|
|
{ url: `/api/v1/sharelatex/docs/${token}/is_published` },
|
|
|
|
function(err, response, body) {
|
|
|
|
if (err != null) {
|
|
|
|
return callback(err)
|
|
|
|
}
|
2019-07-11 09:00:54 -04:00
|
|
|
callback(null, body)
|
2019-05-29 05:21:06 -04:00
|
|
|
}
|
|
|
|
)
|
|
|
|
},
|
|
|
|
|
|
|
|
getV1DocInfo(token, v2UserId, callback) {
|
2019-07-11 09:00:54 -04:00
|
|
|
if (!Settings.apis || !Settings.apis.v1) {
|
2019-05-29 05:21:06 -04:00
|
|
|
return callback(null, {
|
|
|
|
exists: true,
|
|
|
|
exported: false
|
|
|
|
})
|
|
|
|
}
|
2019-07-11 09:00:54 -04:00
|
|
|
UserGetter.getUser(v2UserId, { overleaf: 1 }, function(err, user) {
|
2019-05-29 05:21:06 -04:00
|
|
|
if (err != null) {
|
|
|
|
return callback(err)
|
|
|
|
}
|
|
|
|
const v1UserId = user.overleaf != null ? user.overleaf.id : undefined
|
2019-07-11 11:00:17 -04:00
|
|
|
if (!v1UserId) {
|
|
|
|
return callback(null, null)
|
|
|
|
}
|
2019-07-11 09:00:54 -04:00
|
|
|
V1Api.request(
|
2019-05-29 05:21:06 -04:00
|
|
|
{ url: `/api/v1/sharelatex/users/${v1UserId}/docs/${token}/info` },
|
|
|
|
function(err, response, body) {
|
|
|
|
if (err != null) {
|
|
|
|
return callback(err)
|
|
|
|
}
|
2019-07-11 09:00:54 -04:00
|
|
|
callback(null, body)
|
2019-05-29 05:21:06 -04:00
|
|
|
}
|
|
|
|
)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-02-25 04:39:53 -05:00
|
|
|
TokenAccessHandler.promises = promisifyAll(TokenAccessHandler, {
|
|
|
|
without: [
|
|
|
|
'getTokenType',
|
|
|
|
'tokenAccessEnabledForProject',
|
|
|
|
'_extractNumericPrefix',
|
|
|
|
'_extractStringSuffix',
|
|
|
|
'_projectFindOne',
|
|
|
|
'grantSessionTokenAccess',
|
|
|
|
'getRequestToken',
|
|
|
|
'protectTokens',
|
|
|
|
'validateTokenForAnonymousAccess'
|
|
|
|
]
|
|
|
|
})
|
|
|
|
|
2019-07-11 09:00:54 -04:00
|
|
|
module.exports = TokenAccessHandler
|