overleaf/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee

AuthenticationManager = require ("./AuthenticationManager")
LoginRateLimiter = require("../Security/LoginRateLimiter")
UserGetter = require "../User/UserGetter"
UserUpdater = require "../User/UserUpdater"
Metrics = require('../../infrastructure/Metrics')
logger = require("logger-sharelatex")
querystring = require('querystring')
Url = require("url")
Settings = require "settings-sharelatex"

module.exports = AuthenticationController =
	login: (req, res, next = (error) ->) ->
		email = req.body?.email?.toLowerCase()
		password = req.body?.password
		redir = Url.parse(req.body?.redir or "/project").path
		LoginRateLimiter.processLoginRequest email, (err, isAllowed)->
			if !isAllowed
				logger.log email:email, "too many login requests"
				res.statusCode = 429
				return res.send
					message:
						text: req.i18n.translate("to_many_login_requests_2_mins"),
						type: 'error'
			AuthenticationManager.authenticate email: email, password, (error, user) ->
				return next(error) if error?
				if user?
					LoginRateLimiter.recordSuccessfulLogin email
					AuthenticationController._recordSuccessfulLogin user._id
					AuthenticationController.establishUserSession req, user, (error) ->
						return next(error) if error?
						req.session.justLoggedIn = true
						logger.log email: email, user_id: user._id.toString(), "successful log in"
						res.send redir: redir
				else
					AuthenticationController._recordFailedLogin()
					logger.log email: email, "failed log in"
					res.send message:
						text: req.i18n.translate("email_or_password_wrong_try_again"),
						type: 'error'

	getAuthToken: (req, res, next = (error) ->) ->
		AuthenticationController.getLoggedInUserId req, (error, user_id) ->
			return next(error) if error?
			AuthenticationManager.getAuthToken user_id, (error, auth_token) ->
				return next(error) if error?
				res.send(auth_token)

	getLoggedInUserId: (req, callback = (error, user_id) ->) ->
		if req?.session?.user?._id?
			callback null, req.session.user._id.toString()
		else
			callback null, null

	getLoggedInUser: (req, options = {allow_auth_token: false}, callback = (error, user) ->) ->
		if typeof(options) == "function"
			callback = options
			options = {allow_auth_token: false}

		if req.session?.user?._id?
			query = req.session.user._id
		else if req.query?.auth_token? and options.allow_auth_token
			query = { auth_token: req.query.auth_token }
		else
			return callback null, null

		UserGetter.getUser query, callback

	requireLogin: (options = {allow_auth_token: false, load_from_db: false}) ->
		doRequest = (req, res, next = (error) ->) ->
			load_from_db = options.load_from_db
			if req.query?.auth_token? and options.allow_auth_token
				load_from_db = true
			if load_from_db
				AuthenticationController.getLoggedInUser req, { allow_auth_token: options.allow_auth_token }, (error, user) ->
					return next(error) if error?
					return AuthenticationController._redirectToLoginOrRegisterPage(req, res) if !user?
					req.user = user
					return next()
			else
				if !req.session.user?
					AuthenticationController._redirectToLoginOrRegisterPage(req, res) 
				else
					req.user = req.session.user
					return next()

		return doRequest

	_globalLoginWhitelist: []
	addEndpointToLoginWhitelist: (endpoint) ->
		AuthenticationController._globalLoginWhitelist.push endpoint

	requireGlobalLogin: (req, res, next) ->
		if req.url in AuthenticationController._globalLoginWhitelist
			return next()

		if req.headers['authorization']?
			return AuthenticationController.httpAuth(req, res, next)
		else if req.session.user?
			return next()
		else
			return res.redirect "/login"

	httpAuth: require('express').basicAuth (user, pass)->
		isValid = Settings.httpAuthUsers[user] == pass
		if !isValid
			logger.err user:user, pass:pass, "invalid login details"
		return isValid

	_redirectToLoginOrRegisterPage: (req, res)->
		if req.query.zipUrl? or req.query.project_name?
			return AuthenticationController._redirectToRegisterPage(req, res) 
		else
			AuthenticationController._redirectToLoginPage(req, res) 


	_redirectToLoginPage: (req, res) ->
		logger.log url: req.url, "user not logged in so redirecting to login page"
		req.query.redir = req.path
		url = "/login?#{querystring.stringify(req.query)}"
		res.redirect url
		Metrics.inc "security.login-redirect"

	_redirectToRegisterPage: (req, res) ->
		logger.log url: req.url, "user not logged in so redirecting to register page"
		req.query.redir = req.path
		url = "/register?#{querystring.stringify(req.query)}"
		res.redirect url
		Metrics.inc "security.login-redirect"

	_recordSuccessfulLogin: (user_id, callback = (error) ->) ->
		UserUpdater.updateUser user_id.toString(), {
			$set: { "lastLoggedIn": new Date() },
			$inc: { "loginCount": 1 }
		}, (error) ->
			callback(error) if error?
			Metrics.inc "user.login.success"
			callback()

	_recordFailedLogin: (callback = (error) ->) ->
		Metrics.inc "user.login.failed"
		callback()

	establishUserSession: (req, user, callback = (error) ->) ->
		lightUser =
			_id: user._id
			first_name: user.first_name
			last_name: user.last_name
			isAdmin: user.isAdmin
			email: user.email
			referal_id: user.referal_id
		# Regenerate the session to get a new sessionID (cookie value) to
		# protect against session fixation attacks
		oldSession = req.session
		req.sessionStore.generate(req)
		for key, value of oldSession
			req.session[key] = value

		req.session.user = lightUser
		callback()
Intial open source comment 2014-02-12 05:23:40 -05:00			`AuthenticationManager = require ("./AuthenticationManager")`
			`LoginRateLimiter = require("../Security/LoginRateLimiter")`
			`UserGetter = require "../User/UserGetter"`
			`UserUpdater = require "../User/UserUpdater"`
			`Metrics = require('../../infrastructure/Metrics')`
			`logger = require("logger-sharelatex")`
			`querystring = require('querystring')`
			`Url = require("url")`
Add in option for global login requirement (defaults to on) 2015-04-15 06:14:38 -04:00			`Settings = require "settings-sharelatex"`
Intial open source comment 2014-02-12 05:23:40 -05:00
			`module.exports = AuthenticationController =`
			`login: (req, res, next = (error) ->) ->`
			`email = req.body?.email?.toLowerCase()`
			`password = req.body?.password`
			`redir = Url.parse(req.body?.redir or "/project").path`
			`LoginRateLimiter.processLoginRequest email, (err, isAllowed)->`
			`if !isAllowed`
			`logger.log email:email, "too many login requests"`
			`res.statusCode = 429`
Improve feedback on login/register forms 2014-07-11 12:08:19 -04:00			`return res.send`
Intial open source comment 2014-02-12 05:23:40 -05:00			`message:`
Changed the error messages which are sent down to the client to be translated first fixed up tests from titles we check when rendering, deleted them as they never catch anything important, more hastle than they are worth imo. 2014-08-01 09:03:38 -04:00			`text: req.i18n.translate("to_many_login_requests_2_mins"),`
Intial open source comment 2014-02-12 05:23:40 -05:00			`type: 'error'`
			`AuthenticationManager.authenticate email: email, password, (error, user) ->`
			`return next(error) if error?`
			`if user?`
			`LoginRateLimiter.recordSuccessfulLogin email`
			`AuthenticationController._recordSuccessfulLogin user._id`
Regenerate the session id after logging in or registering 2015-02-13 06:18:17 -05:00			`AuthenticationController.establishUserSession req, user, (error) ->`
Intial open source comment 2014-02-12 05:23:40 -05:00			`return next(error) if error?`
Regenerate the session id after logging in or registering 2015-02-13 06:18:17 -05:00			`req.session.justLoggedIn = true`
Intial open source comment 2014-02-12 05:23:40 -05:00			`logger.log email: email, user_id: user._id.toString(), "successful log in"`
			`res.send redir: redir`
			`else`
			`AuthenticationController._recordFailedLogin()`
			`logger.log email: email, "failed log in"`
Revert "send 401 when login fails" This reverts commit fb901c6365d37654ba9058f57a71a4e60366688e. 2014-08-08 05:21:17 -04:00			`res.send message:`
Changed the error messages which are sent down to the client to be translated first fixed up tests from titles we check when rendering, deleted them as they never catch anything important, more hastle than they are worth imo. 2014-08-01 09:03:38 -04:00			`text: req.i18n.translate("email_or_password_wrong_try_again"),`
Intial open source comment 2014-02-12 05:23:40 -05:00			`type: 'error'`

			`getAuthToken: (req, res, next = (error) ->) ->`
			`AuthenticationController.getLoggedInUserId req, (error, user_id) ->`
			`return next(error) if error?`
			`AuthenticationManager.getAuthToken user_id, (error, auth_token) ->`
			`return next(error) if error?`
			`res.send(auth_token)`

			`getLoggedInUserId: (req, callback = (error, user_id) ->) ->`
null check user when getting user id from session 2014-04-02 10:56:54 -04:00			`if req?.session?.user?._id?`
			`callback null, req.session.user._id.toString()`
			`else`
Don't error if user is not logged in when compiling 2014-05-27 07:33:56 -04:00			`callback null, null`
Intial open source comment 2014-02-12 05:23:40 -05:00
			`getLoggedInUser: (req, options = {allow_auth_token: false}, callback = (error, user) ->) ->`
Send user features and features switches to views where needed 2014-10-07 08:31:13 -04:00			`if typeof(options) == "function"`
			`callback = options`
			`options = {allow_auth_token: false}`

Intial open source comment 2014-02-12 05:23:40 -05:00			`if req.session?.user?._id?`
			`query = req.session.user._id`
			`else if req.query?.auth_token? and options.allow_auth_token`
			`query = { auth_token: req.query.auth_token }`
			`else`
			`return callback null, null`

			`UserGetter.getUser query, callback`

			`requireLogin: (options = {allow_auth_token: false, load_from_db: false}) ->`
			`doRequest = (req, res, next = (error) ->) ->`
			`load_from_db = options.load_from_db`
			`if req.query?.auth_token? and options.allow_auth_token`
			`load_from_db = true`
			`if load_from_db`
			`AuthenticationController.getLoggedInUser req, { allow_auth_token: options.allow_auth_token }, (error, user) ->`
			`return next(error) if error?`
redirect users to /register when coming from templates or share url redirect to /login when going anywhere else (/project /project/1234) 2014-11-13 12:12:39 -05:00			`return AuthenticationController._redirectToLoginOrRegisterPage(req, res) if !user?`
Intial open source comment 2014-02-12 05:23:40 -05:00			`req.user = user`
			`return next()`
			`else`
			`if !req.session.user?`
redirect users to /register when coming from templates or share url redirect to /login when going anywhere else (/project /project/1234) 2014-11-13 12:12:39 -05:00			`AuthenticationController._redirectToLoginOrRegisterPage(req, res)`
Intial open source comment 2014-02-12 05:23:40 -05:00			`else`
			`req.user = req.session.user`
			`return next()`

			`return doRequest`

Add in option for global login requirement (defaults to on) 2015-04-15 06:14:38 -04:00			`_globalLoginWhitelist: []`
			`addEndpointToLoginWhitelist: (endpoint) ->`
			`AuthenticationController._globalLoginWhitelist.push endpoint`

			`requireGlobalLogin: (req, res, next) ->`
			`if req.url in AuthenticationController._globalLoginWhitelist`
			`return next()`

			`if req.headers['authorization']?`
			`return AuthenticationController.httpAuth(req, res, next)`
			`else if req.session.user?`
			`return next()`
			`else`
			`return res.redirect "/login"`

			`httpAuth: require('express').basicAuth (user, pass)->`
			`isValid = Settings.httpAuthUsers[user] == pass`
			`if !isValid`
			`logger.err user:user, pass:pass, "invalid login details"`
			`return isValid`
redirect users to /register when coming from templates or share url redirect to /login when going anywhere else (/project /project/1234) 2014-11-13 12:12:39 -05:00
			`_redirectToLoginOrRegisterPage: (req, res)->`
			`if req.query.zipUrl? or req.query.project_name?`
			`return AuthenticationController._redirectToRegisterPage(req, res)`
			`else`
			`AuthenticationController._redirectToLoginPage(req, res)`


			`_redirectToLoginPage: (req, res) ->`
			`logger.log url: req.url, "user not logged in so redirecting to login page"`
			`req.query.redir = req.path`
			`url = "/login?#{querystring.stringify(req.query)}"`
			`res.redirect url`
			`Metrics.inc "security.login-redirect"`

Intial open source comment 2014-02-12 05:23:40 -05:00			`_redirectToRegisterPage: (req, res) ->`
			`logger.log url: req.url, "user not logged in so redirecting to register page"`
			`req.query.redir = req.path`
			`url = "/register?#{querystring.stringify(req.query)}"`
			`res.redirect url`
			`Metrics.inc "security.login-redirect"`

			`_recordSuccessfulLogin: (user_id, callback = (error) ->) ->`
			`UserUpdater.updateUser user_id.toString(), {`
			`$set: { "lastLoggedIn": new Date() },`
			`$inc: { "loginCount": 1 }`
			`}, (error) ->`
			`callback(error) if error?`
			`Metrics.inc "user.login.success"`
			`callback()`

			`_recordFailedLogin: (callback = (error) ->) ->`
			`Metrics.inc "user.login.failed"`
			`callback()`

Regenerate the session id after logging in or registering 2015-02-13 06:18:17 -05:00			`establishUserSession: (req, user, callback = (error) ->) ->`
Improve feedback on login/register forms 2014-07-11 12:08:19 -04:00			`lightUser =`
Intial open source comment 2014-02-12 05:23:40 -05:00			`_id: user._id`
			`first_name: user.first_name`
			`last_name: user.last_name`
			`isAdmin: user.isAdmin`
			`email: user.email`
			`referal_id: user.referal_id`
Regenerate the session id after logging in or registering 2015-02-13 06:18:17 -05:00			`# Regenerate the session to get a new sessionID (cookie value) to`
			`# protect against session fixation attacks`
			`oldSession = req.session`
			`req.sessionStore.generate(req)`
			`for key, value of oldSession`
			`req.session[key] = value`

Intial open source comment 2014-02-12 05:23:40 -05:00			`req.session.user = lightUser`
Regenerate the session id after logging in or registering 2015-02-13 06:18:17 -05:00			`callback()`