overleaf/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee

AuthenticationManager = require ("./AuthenticationManager")
LoginRateLimiter = require("../Security/LoginRateLimiter")
UserGetter = require "../User/UserGetter"
UserUpdater = require "../User/UserUpdater"
Metrics = require('../../infrastructure/Metrics')
logger = require("logger-sharelatex")
querystring = require('querystring')
Url = require("url")
Settings = require "settings-sharelatex"
basicAuth = require('basic-auth-connect')
UserHandler = require("../User/UserHandler")
UserSessionsManager = require("../User/UserSessionsManager")

module.exports = AuthenticationController =
	login: (req, res, next = (error) ->) ->
		AuthenticationController.doLogin req.body, req, res, next
	
	doLogin: (options, req, res, next) ->
		email = options.email?.toLowerCase()
		password = options.password
		redir = Url.parse(options.redir or "/project").path
		LoginRateLimiter.processLoginRequest email, (err, isAllowed)->
			if !isAllowed
				logger.log email:email, "too many login requests"
				res.statusCode = 429
				return res.send
					message:
						text: req.i18n.translate("to_many_login_requests_2_mins"),
						type: 'error'
			AuthenticationManager.authenticate email: email, password, (error, user) ->
				return next(error) if error?
				if user?
					UserHandler.setupLoginData user, ->
					LoginRateLimiter.recordSuccessfulLogin email
					AuthenticationController._recordSuccessfulLogin user._id
					AuthenticationController.establishUserSession req, user, (error) ->
						return next(error) if error?
						req.session.justLoggedIn = true
						logger.log email: email, user_id: user._id.toString(), "successful log in"
						res.json redir: redir
				else
					AuthenticationController._recordFailedLogin()
					logger.log email: email, "failed log in"
					res.json message:
						text: req.i18n.translate("email_or_password_wrong_try_again"),
						type: 'error'

	getLoggedInUserId: (req, callback = (error, user_id) ->) ->
		if req?.session?.user?._id?
			callback null, req.session.user._id.toString()
		else
			callback null, null

	getLoggedInUser: (req, callback = (error, user) ->) ->
		if req.session?.user?._id?
			query = req.session.user._id
		else
			return callback null, null

		UserGetter.getUser query, callback

	requireLogin: () ->
		doRequest = (req, res, next = (error) ->) ->
			if !req.session.user?
				AuthenticationController._redirectToLoginOrRegisterPage(req, res) 
			else
				req.user = req.session.user
				return next()

		return doRequest

	_globalLoginWhitelist: []
	addEndpointToLoginWhitelist: (endpoint) ->
		AuthenticationController._globalLoginWhitelist.push endpoint

	requireGlobalLogin: (req, res, next) ->
		if req._parsedUrl.pathname in AuthenticationController._globalLoginWhitelist
			return next()

		if req.headers['authorization']?
			return AuthenticationController.httpAuth(req, res, next)
		else if req.session.user?
			return next()
		else
			logger.log url:req.url, "user trying to access endpoint not in global whitelist"
			return res.redirect "/login"

	httpAuth: basicAuth (user, pass)->
		isValid = Settings.httpAuthUsers[user] == pass
		if !isValid
			logger.err user:user, pass:pass, "invalid login details"
		return isValid

	_redirectToLoginOrRegisterPage: (req, res)->
		if req.query.zipUrl? or req.query.project_name?
			return AuthenticationController._redirectToRegisterPage(req, res) 
		else
			AuthenticationController._redirectToLoginPage(req, res) 


	_redirectToLoginPage: (req, res) ->
		logger.log url: req.url, "user not logged in so redirecting to login page"
		req.query.redir = req.path
		url = "/login?#{querystring.stringify(req.query)}"
		res.redirect url
		Metrics.inc "security.login-redirect"

	_redirectToRegisterPage: (req, res) ->
		logger.log url: req.url, "user not logged in so redirecting to register page"
		req.query.redir = req.path
		url = "/register?#{querystring.stringify(req.query)}"
		res.redirect url
		Metrics.inc "security.login-redirect"

	_recordSuccessfulLogin: (user_id, callback = (error) ->) ->
		UserUpdater.updateUser user_id.toString(), {
			$set: { "lastLoggedIn": new Date() },
			$inc: { "loginCount": 1 }
		}, (error) ->
			callback(error) if error?
			Metrics.inc "user.login.success"
			callback()

	_recordFailedLogin: (callback = (error) ->) ->
		Metrics.inc "user.login.failed"
		callback()

	establishUserSession: (req, user, callback = (error) ->) ->
		lightUser =
			_id: user._id
			first_name: user.first_name
			last_name: user.last_name
			isAdmin: user.isAdmin
			email: user.email
			referal_id: user.referal_id
		# Regenerate the session to get a new sessionID (cookie value) to
		# protect against session fixation attacks
		oldSession = req.session
		req.session.destroy()
		req.sessionStore.generate(req)
		for key, value of oldSession
			req.session[key] = value

		req.session.user = lightUser

		UserSessionsManager.onLogin(user, req.sessionID, () ->)
		callback()
Intial open source comment 2014-02-12 05:23:40 -05:00			`AuthenticationManager = require ("./AuthenticationManager")`
			`LoginRateLimiter = require("../Security/LoginRateLimiter")`
			`UserGetter = require "../User/UserGetter"`
			`UserUpdater = require "../User/UserUpdater"`
			`Metrics = require('../../infrastructure/Metrics')`
			`logger = require("logger-sharelatex")`
			`querystring = require('querystring')`
			`Url = require("url")`
Add in option for global login requirement (defaults to on) 2015-04-15 06:14:38 -04:00			`Settings = require "settings-sharelatex"`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`basicAuth = require('basic-auth-connect')`
user notifications auto created on login for joinging groups 2016-02-17 11:24:09 -05:00			`UserHandler = require("../User/UserHandler")`
Begin keeping record of user sessions in reds. 2016-06-29 06:35:25 -04:00			`UserSessionsManager = require("../User/UserSessionsManager")`
Intial open source comment 2014-02-12 05:23:40 -05:00
			`module.exports = AuthenticationController =`
			`login: (req, res, next = (error) ->) ->`
Improve pre-registered account activation process 2015-12-11 06:30:06 -05:00			`AuthenticationController.doLogin req.body, req, res, next`

			`doLogin: (options, req, res, next) ->`
			`email = options.email?.toLowerCase()`
			`password = options.password`
			`redir = Url.parse(options.redir or "/project").path`
Intial open source comment 2014-02-12 05:23:40 -05:00			`LoginRateLimiter.processLoginRequest email, (err, isAllowed)->`
			`if !isAllowed`
			`logger.log email:email, "too many login requests"`
			`res.statusCode = 429`
Improve feedback on login/register forms 2014-07-11 12:08:19 -04:00			`return res.send`
Intial open source comment 2014-02-12 05:23:40 -05:00			`message:`
Changed the error messages which are sent down to the client to be translated first fixed up tests from titles we check when rendering, deleted them as they never catch anything important, more hastle than they are worth imo. 2014-08-01 09:03:38 -04:00			`text: req.i18n.translate("to_many_login_requests_2_mins"),`
Intial open source comment 2014-02-12 05:23:40 -05:00			`type: 'error'`
			`AuthenticationManager.authenticate email: email, password, (error, user) ->`
			`return next(error) if error?`
			`if user?`
user notifications auto created on login for joinging groups 2016-02-17 11:24:09 -05:00			`UserHandler.setupLoginData user, ->`
Intial open source comment 2014-02-12 05:23:40 -05:00			`LoginRateLimiter.recordSuccessfulLogin email`
			`AuthenticationController._recordSuccessfulLogin user._id`
Regenerate the session id after logging in or registering 2015-02-13 06:18:17 -05:00			`AuthenticationController.establishUserSession req, user, (error) ->`
Intial open source comment 2014-02-12 05:23:40 -05:00			`return next(error) if error?`
Regenerate the session id after logging in or registering 2015-02-13 06:18:17 -05:00			`req.session.justLoggedIn = true`
Intial open source comment 2014-02-12 05:23:40 -05:00			`logger.log email: email, user_id: user._id.toString(), "successful log in"`
move login success to .json as it sends json over 2016-01-25 12:35:57 -05:00			`res.json redir: redir`
Intial open source comment 2014-02-12 05:23:40 -05:00			`else`
			`AuthenticationController._recordFailedLogin()`
			`logger.log email: email, "failed log in"`
move login success to .json as it sends json over 2016-01-25 12:35:57 -05:00			`res.json message:`
Changed the error messages which are sent down to the client to be translated first fixed up tests from titles we check when rendering, deleted them as they never catch anything important, more hastle than they are worth imo. 2014-08-01 09:03:38 -04:00			`text: req.i18n.translate("email_or_password_wrong_try_again"),`
Intial open source comment 2014-02-12 05:23:40 -05:00			`type: 'error'`

			`getLoggedInUserId: (req, callback = (error, user_id) ->) ->`
null check user when getting user id from session 2014-04-02 10:56:54 -04:00			`if req?.session?.user?._id?`
			`callback null, req.session.user._id.toString()`
			`else`
Don't error if user is not logged in when compiling 2014-05-27 07:33:56 -04:00			`callback null, null`
Intial open source comment 2014-02-12 05:23:40 -05:00
Remove dead auth_token code 2016-03-10 12:15:14 -05:00			`getLoggedInUser: (req, callback = (error, user) ->) ->`
Intial open source comment 2014-02-12 05:23:40 -05:00			`if req.session?.user?._id?`
			`query = req.session.user._id`
			`else`
			`return callback null, null`

			`UserGetter.getUser query, callback`

Remove dead auth_token code 2016-03-10 12:15:14 -05:00			`requireLogin: () ->`
Intial open source comment 2014-02-12 05:23:40 -05:00			`doRequest = (req, res, next = (error) ->) ->`
Remove dead auth_token code 2016-03-10 12:15:14 -05:00			`if !req.session.user?`
			`AuthenticationController._redirectToLoginOrRegisterPage(req, res)`
Intial open source comment 2014-02-12 05:23:40 -05:00			`else`
Remove dead auth_token code 2016-03-10 12:15:14 -05:00			`req.user = req.session.user`
			`return next()`
Intial open source comment 2014-02-12 05:23:40 -05:00
			`return doRequest`

Add in option for global login requirement (defaults to on) 2015-04-15 06:14:38 -04:00			`_globalLoginWhitelist: []`
			`addEndpointToLoginWhitelist: (endpoint) ->`
			`AuthenticationController._globalLoginWhitelist.push endpoint`

			`requireGlobalLogin: (req, res, next) ->`
changed authentication controller to use req.parsedUrl.pathname as query strings on req.url were breaking the whitelist 2015-04-30 06:57:40 -04:00			`if req._parsedUrl.pathname in AuthenticationController._globalLoginWhitelist`
Add in option for global login requirement (defaults to on) 2015-04-15 06:14:38 -04:00			`return next()`

			`if req.headers['authorization']?`
			`return AuthenticationController.httpAuth(req, res, next)`
			`else if req.session.user?`
			`return next()`
			`else`
changed authentication controller to use req.parsedUrl.pathname as query strings on req.url were breaking the whitelist 2015-04-30 06:57:40 -04:00			`logger.log url:req.url, "user trying to access endpoint not in global whitelist"`
Add in option for global login requirement (defaults to on) 2015-04-15 06:14:38 -04:00			`return res.redirect "/login"`

v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`httpAuth: basicAuth (user, pass)->`
Add in option for global login requirement (defaults to on) 2015-04-15 06:14:38 -04:00			`isValid = Settings.httpAuthUsers[user] == pass`
			`if !isValid`
			`logger.err user:user, pass:pass, "invalid login details"`
			`return isValid`
redirect users to /register when coming from templates or share url redirect to /login when going anywhere else (/project /project/1234) 2014-11-13 12:12:39 -05:00
			`_redirectToLoginOrRegisterPage: (req, res)->`
			`if req.query.zipUrl? or req.query.project_name?`
			`return AuthenticationController._redirectToRegisterPage(req, res)`
			`else`
			`AuthenticationController._redirectToLoginPage(req, res)`


			`_redirectToLoginPage: (req, res) ->`
			`logger.log url: req.url, "user not logged in so redirecting to login page"`
			`req.query.redir = req.path`
			`url = "/login?#{querystring.stringify(req.query)}"`
			`res.redirect url`
			`Metrics.inc "security.login-redirect"`

Intial open source comment 2014-02-12 05:23:40 -05:00			`_redirectToRegisterPage: (req, res) ->`
			`logger.log url: req.url, "user not logged in so redirecting to register page"`
			`req.query.redir = req.path`
			`url = "/register?#{querystring.stringify(req.query)}"`
			`res.redirect url`
			`Metrics.inc "security.login-redirect"`

			`_recordSuccessfulLogin: (user_id, callback = (error) ->) ->`
			`UserUpdater.updateUser user_id.toString(), {`
			`$set: { "lastLoggedIn": new Date() },`
			`$inc: { "loginCount": 1 }`
			`}, (error) ->`
			`callback(error) if error?`
			`Metrics.inc "user.login.success"`
			`callback()`

			`_recordFailedLogin: (callback = (error) ->) ->`
			`Metrics.inc "user.login.failed"`
			`callback()`

Regenerate the session id after logging in or registering 2015-02-13 06:18:17 -05:00			`establishUserSession: (req, user, callback = (error) ->) ->`
Improve feedback on login/register forms 2014-07-11 12:08:19 -04:00			`lightUser =`
Intial open source comment 2014-02-12 05:23:40 -05:00			`_id: user._id`
			`first_name: user.first_name`
			`last_name: user.last_name`
			`isAdmin: user.isAdmin`
			`email: user.email`
			`referal_id: user.referal_id`
Regenerate the session id after logging in or registering 2015-02-13 06:18:17 -05:00			`# Regenerate the session to get a new sessionID (cookie value) to`
			`# protect against session fixation attacks`
			`oldSession = req.session`
destroy users session before creating a new one for them after login session changed to prevent against fixation attacks 2015-07-01 07:08:57 -04:00			`req.session.destroy()`
Regenerate the session id after logging in or registering 2015-02-13 06:18:17 -05:00			`req.sessionStore.generate(req)`
			`for key, value of oldSession`
			`req.session[key] = value`

Intial open source comment 2014-02-12 05:23:40 -05:00			`req.session.user = lightUser`
Begin keeping record of user sessions in reds. 2016-06-29 06:35:25 -04:00
			`UserSessionsManager.onLogin(user, req.sessionID, () ->)`
Regenerate the session id after logging in or registering 2015-02-13 06:18:17 -05:00			`callback()`