overleaf/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee

AuthenticationManager = require ("./AuthenticationManager")
LoginRateLimiter = require("../Security/LoginRateLimiter")
UserGetter = require "../User/UserGetter"
UserUpdater = require "../User/UserUpdater"
Metrics = require('../../infrastructure/Metrics')
logger = require("logger-sharelatex")
querystring = require('querystring')
Url = require("url")
Settings = require "settings-sharelatex"
basicAuth = require('basic-auth-connect')
UserHandler = require("../User/UserHandler")
UserSessionsManager = require("../User/UserSessionsManager")
Analytics = require "../Analytics/AnalyticsManager"
passport = require 'passport'

module.exports = AuthenticationController =

	serializeUser: (user, callback) ->
		lightUser =
			_id: user._id
			first_name: user.first_name
			last_name: user.last_name
			isAdmin: user.isAdmin
			email: user.email
			referal_id: user.referal_id
			session_created: (new Date()).toISOString()
			ip_address: user._login_req_ip
		callback(null, lightUser)

	deserializeUser: (user, cb) ->
		cb(null, user)

	passportLogin: (req, res, next) ->
		# This function is middleware which wraps the passport.authenticate middleware,
		# so we can send back our custom `{message: {text: "", type: ""}}` responses on failure,
		# and send a `{redir: ""}` response on success
		passport.authenticate('local', (err, user, info) ->
			if err?
				return next(err)
			if user # `user` is either a user object or false
				req.login user, (err) ->
					# Regenerate the session to get a new sessionID (cookie value) to
					# protect against session fixation attacks
					oldSession = req.session
					req.session.destroy()
					req.sessionStore.generate(req)
					for key, value of oldSession
						req.session[key] = value
					req.session.save (err) ->
						if err?
							logger.err {user_id: user._id}, "error saving regenerated session after login"
							return next(err)
						UserSessionsManager.trackSession(user, req.sessionID, () ->)
						res.json {redir: req._redir}
			else
				res.json message: info
		)(req, res, next)

	doPassportLogin: (req, username, password, done) ->
		email = username.toLowerCase()
		redir = Url.parse(req?.body?.redir or "/project").path
		LoginRateLimiter.processLoginRequest email, (err, isAllowed)->
			return done(err) if err?
			if !isAllowed
				logger.log email:email, "too many login requests"
				return done(null, null, {text: req.i18n.translate("to_many_login_requests_2_mins"), type: 'error'})
			AuthenticationManager.authenticate email: email, password, (error, user) ->
				return done(error) if error?
				if user?
					# async actions
					UserHandler.setupLoginData(user, ()->)
					LoginRateLimiter.recordSuccessfulLogin(email)
					AuthenticationController._recordSuccessfulLogin(user._id)
					Analytics.recordEvent(user._id, "user-logged-in")
					logger.log email: email, user_id: user._id.toString(), "successful log in"
					req.session.justLoggedIn = true
					# capture the request ip for use when creating the session
					user._login_req_ip = req.ip
					req._redir = redir
					return done(null, user)
				else
					AuthenticationController._recordFailedLogin()
					logger.log email: email, "failed log in"
					return done(null, false, {text: req.i18n.translate("email_or_password_wrong_try_again"), type: 'error'})

	isUserLoggedIn: (req) ->
		user_id = AuthenticationController.getLoggedInUserId(req)
		return user_id != null

	# TODO: perhaps should produce an error if the current user is not present
	getLoggedInUserId: (req) ->
		user = AuthenticationController.getSessionUser(req)
		if user
			return user._id
		else
			return null

	getSessionUser: (req) ->
		if req?.session?.user?
			return req.session.user
		else if req?.session?.passport?.user
			return req.session.passport.user
		else
			return null

	requireLogin: () ->
		doRequest = (req, res, next = (error) ->) ->
			if !AuthenticationController.isUserLoggedIn(req)
				AuthenticationController._redirectToLoginOrRegisterPage(req, res)
			else
				next()

		return doRequest

	_globalLoginWhitelist: []
	addEndpointToLoginWhitelist: (endpoint) ->
		AuthenticationController._globalLoginWhitelist.push endpoint

	requireGlobalLogin: (req, res, next) ->
		if req._parsedUrl.pathname in AuthenticationController._globalLoginWhitelist
			return next()

		if req.headers['authorization']?
			return AuthenticationController.httpAuth(req, res, next)
		else if AuthenticationController.isUserLoggedIn(req)
			return next()
		else
			logger.log url:req.url, "user trying to access endpoint not in global whitelist"
			return res.redirect "/login"

	httpAuth: basicAuth (user, pass)->
		isValid = Settings.httpAuthUsers[user] == pass
		if !isValid
			logger.err user:user, pass:pass, "invalid login details"
		return isValid

	_redirectToLoginOrRegisterPage: (req, res)->
		if req.query.zipUrl? or req.query.project_name?
			return AuthenticationController._redirectToRegisterPage(req, res)
		else
			AuthenticationController._redirectToLoginPage(req, res)

	_redirectToLoginPage: (req, res) ->
		logger.log url: req.url, "user not logged in so redirecting to login page"
		req.query.redir = req.path
		url = "/login?#{querystring.stringify(req.query)}"
		res.redirect url
		Metrics.inc "security.login-redirect"

	_redirectToRegisterPage: (req, res) ->
		logger.log url: req.url, "user not logged in so redirecting to register page"
		req.query.redir = req.path
		url = "/register?#{querystring.stringify(req.query)}"
		res.redirect url
		Metrics.inc "security.login-redirect"

	_recordSuccessfulLogin: (user_id, callback = (error) ->) ->
		UserUpdater.updateUser user_id.toString(), {
			$set: { "lastLoggedIn": new Date() },
			$inc: { "loginCount": 1 }
		}, (error) ->
			callback(error) if error?
			Metrics.inc "user.login.success"
			callback()

	_recordFailedLogin: (callback = (error) ->) ->
		Metrics.inc "user.login.failed"
		callback()
Intial open source comment 2014-02-12 05:23:40 -05:00			`AuthenticationManager = require ("./AuthenticationManager")`
			`LoginRateLimiter = require("../Security/LoginRateLimiter")`
			`UserGetter = require "../User/UserGetter"`
			`UserUpdater = require "../User/UserUpdater"`
			`Metrics = require('../../infrastructure/Metrics')`
			`logger = require("logger-sharelatex")`
			`querystring = require('querystring')`
			`Url = require("url")`
Add in option for global login requirement (defaults to on) 2015-04-15 06:14:38 -04:00			`Settings = require "settings-sharelatex"`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`basicAuth = require('basic-auth-connect')`
user notifications auto created on login for joinging groups 2016-02-17 11:24:09 -05:00			`UserHandler = require("../User/UserHandler")`
Begin keeping record of user sessions in reds. 2016-06-29 06:35:25 -04:00			`UserSessionsManager = require("../User/UserSessionsManager")`
Track login events. 2016-08-11 09:09:45 -04:00			`Analytics = require "../Analytics/AnalyticsManager"`
Finalise login workflow, works with login form again. 2016-09-15 09:36:11 -04:00			`passport = require 'passport'`
Intial open source comment 2014-02-12 05:23:40 -05:00
			`module.exports = AuthenticationController =`
barely functional login and logout 2016-09-05 05:28:47 -04:00
Basic passport integration 2016-09-02 11:17:37 -04:00			`serializeUser: (user, callback) ->`
			`lightUser =`
			`_id: user._id`
			`first_name: user.first_name`
			`last_name: user.last_name`
			`isAdmin: user.isAdmin`
			`email: user.email`
			`referal_id: user.referal_id`
			`session_created: (new Date()).toISOString()`
			`ip_address: user._login_req_ip`
			`callback(null, lightUser)`

			`deserializeUser: (user, cb) ->`
			`cb(null, user)`

Finalise login workflow, works with login form again. 2016-09-15 09:36:11 -04:00			`passportLogin: (req, res, next) ->`
			`# This function is middleware which wraps the passport.authenticate middleware,`
			# so we can send back our custom `{message: {text: "", type: ""}}` responses on failure,
			# and send a `{redir: ""}` response on success
			`passport.authenticate('local', (err, user, info) ->`
			`if err?`
			`return next(err)`
move comment for user is false next to if statment 2016-09-20 09:50:26 -04:00			if user # `user` is either a user object or false
Finalise login workflow, works with login form again. 2016-09-15 09:36:11 -04:00			`req.login user, (err) ->`
Regenerate session on login, protect against session-fixation attack. 2016-09-21 08:03:37 -04:00			`# Regenerate the session to get a new sessionID (cookie value) to`
			`# protect against session fixation attacks`
			`oldSession = req.session`
			`req.session.destroy()`
			`req.sessionStore.generate(req)`
			`for key, value of oldSession`
			`req.session[key] = value`
			`req.session.save (err) ->`
			`if err?`
			`logger.err {user_id: user._id}, "error saving regenerated session after login"`
			`return next(err)`
			`UserSessionsManager.trackSession(user, req.sessionID, () ->)`
			`res.json {redir: req._redir}`
Finalise login workflow, works with login form again. 2016-09-15 09:36:11 -04:00			`else`
			`res.json message: info`
			`)(req, res, next)`

Basic passport integration 2016-09-02 11:17:37 -04:00			`doPassportLogin: (req, username, password, done) ->`
			`email = username.toLowerCase()`
			`redir = Url.parse(req?.body?.redir or "/project").path`
			`LoginRateLimiter.processLoginRequest email, (err, isAllowed)->`
			`return done(err) if err?`
			`if !isAllowed`
			`logger.log email:email, "too many login requests"`
Finalise login workflow, works with login form again. 2016-09-15 09:36:11 -04:00			`return done(null, null, {text: req.i18n.translate("to_many_login_requests_2_mins"), type: 'error'})`
Basic passport integration 2016-09-02 11:17:37 -04:00			`AuthenticationManager.authenticate email: email, password, (error, user) ->`
			`return done(error) if error?`
			`if user?`
			`# async actions`
			`UserHandler.setupLoginData(user, ()->)`
			`LoginRateLimiter.recordSuccessfulLogin(email)`
			`AuthenticationController._recordSuccessfulLogin(user._id)`
			`Analytics.recordEvent(user._id, "user-logged-in")`
			`logger.log email: email, user_id: user._id.toString(), "successful log in"`
Regenerate session on login, protect against session-fixation attack. 2016-09-21 08:03:37 -04:00			`req.session.justLoggedIn = true`
Basic passport integration 2016-09-02 11:17:37 -04:00			`# capture the request ip for use when creating the session`
			`user._login_req_ip = req.ip`
			`req._redir = redir`
			`return done(null, user)`
			`else`
			`AuthenticationController._recordFailedLogin()`
			`logger.log email: email, "failed log in"`
Finalise login workflow, works with login form again. 2016-09-15 09:36:11 -04:00			`return done(null, false, {text: req.i18n.translate("email_or_password_wrong_try_again"), type: 'error'})`
Basic passport integration 2016-09-02 11:17:37 -04:00
WIP: refactor 2016-09-05 10:58:31 -04:00			`isUserLoggedIn: (req) ->`
			`user_id = AuthenticationController.getLoggedInUserId(req)`
wip: fix unit tests for AuthenticationController 2016-09-07 09:05:51 -04:00			`return user_id != null`
Basic passport integration 2016-09-02 11:17:37 -04:00
WIP: refactor 2016-09-05 10:58:31 -04:00			`# TODO: perhaps should produce an error if the current user is not present`
			`getLoggedInUserId: (req) ->`
wip refactor 2016-09-06 10:22:13 -04:00			`user = AuthenticationController.getSessionUser(req)`
wip: fix unit tests for AuthenticationController 2016-09-07 09:05:51 -04:00			`if user`
wip refactor 2016-09-06 10:22:13 -04:00			`return user._id`
			`else`
			`return null`

			`getSessionUser: (req) ->`
wip: fix unit tests for AuthenticationController 2016-09-07 09:05:51 -04:00			`if req?.session?.user?`
wip refactor 2016-09-06 10:22:13 -04:00			`return req.session.user`
wip: fix unit tests for AuthenticationController 2016-09-07 09:05:51 -04:00			`else if req?.session?.passport?.user`
wip refactor 2016-09-06 10:22:13 -04:00			`return req.session.passport.user`
null check user when getting user id from session 2014-04-02 10:56:54 -04:00			`else`
WIP: refactor 2016-09-05 10:58:31 -04:00			`return null`
Intial open source comment 2014-02-12 05:23:40 -05:00
Remove dead auth_token code 2016-03-10 12:15:14 -05:00			`requireLogin: () ->`
Intial open source comment 2014-02-12 05:23:40 -05:00			`doRequest = (req, res, next = (error) ->) ->`
WIP: fixing acceptance tests 2016-09-06 08:21:22 -04:00			`if !AuthenticationController.isUserLoggedIn(req)`
Refactor method names in `UserSessionsManager` 2016-07-01 10:33:59 -04:00			`AuthenticationController._redirectToLoginOrRegisterPage(req, res)`
Intial open source comment 2014-02-12 05:23:40 -05:00			`else`
WIP: fixing acceptance tests 2016-09-06 08:21:22 -04:00			`next()`
Intial open source comment 2014-02-12 05:23:40 -05:00
			`return doRequest`

Add in option for global login requirement (defaults to on) 2015-04-15 06:14:38 -04:00			`_globalLoginWhitelist: []`
			`addEndpointToLoginWhitelist: (endpoint) ->`
			`AuthenticationController._globalLoginWhitelist.push endpoint`

			`requireGlobalLogin: (req, res, next) ->`
changed authentication controller to use req.parsedUrl.pathname as query strings on req.url were breaking the whitelist 2015-04-30 06:57:40 -04:00			`if req._parsedUrl.pathname in AuthenticationController._globalLoginWhitelist`
Add in option for global login requirement (defaults to on) 2015-04-15 06:14:38 -04:00			`return next()`

			`if req.headers['authorization']?`
			`return AuthenticationController.httpAuth(req, res, next)`
wip: fix unit tests for AuthenticationController 2016-09-07 09:05:51 -04:00			`else if AuthenticationController.isUserLoggedIn(req)`
Add in option for global login requirement (defaults to on) 2015-04-15 06:14:38 -04:00			`return next()`
			`else`
changed authentication controller to use req.parsedUrl.pathname as query strings on req.url were breaking the whitelist 2015-04-30 06:57:40 -04:00			`logger.log url:req.url, "user trying to access endpoint not in global whitelist"`
Add in option for global login requirement (defaults to on) 2015-04-15 06:14:38 -04:00			`return res.redirect "/login"`

v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`httpAuth: basicAuth (user, pass)->`
Add in option for global login requirement (defaults to on) 2015-04-15 06:14:38 -04:00			`isValid = Settings.httpAuthUsers[user] == pass`
			`if !isValid`
			`logger.err user:user, pass:pass, "invalid login details"`
			`return isValid`
redirect users to /register when coming from templates or share url redirect to /login when going anywhere else (/project /project/1234) 2014-11-13 12:12:39 -05:00
			`_redirectToLoginOrRegisterPage: (req, res)->`
			`if req.query.zipUrl? or req.query.project_name?`
Refactor method names in `UserSessionsManager` 2016-07-01 10:33:59 -04:00			`return AuthenticationController._redirectToRegisterPage(req, res)`
redirect users to /register when coming from templates or share url redirect to /login when going anywhere else (/project /project/1234) 2014-11-13 12:12:39 -05:00			`else`
Refactor method names in `UserSessionsManager` 2016-07-01 10:33:59 -04:00			`AuthenticationController._redirectToLoginPage(req, res)`
redirect users to /register when coming from templates or share url redirect to /login when going anywhere else (/project /project/1234) 2014-11-13 12:12:39 -05:00
			`_redirectToLoginPage: (req, res) ->`
			`logger.log url: req.url, "user not logged in so redirecting to login page"`
			`req.query.redir = req.path`
			`url = "/login?#{querystring.stringify(req.query)}"`
			`res.redirect url`
			`Metrics.inc "security.login-redirect"`

Intial open source comment 2014-02-12 05:23:40 -05:00			`_redirectToRegisterPage: (req, res) ->`
			`logger.log url: req.url, "user not logged in so redirecting to register page"`
			`req.query.redir = req.path`
			`url = "/register?#{querystring.stringify(req.query)}"`
			`res.redirect url`
			`Metrics.inc "security.login-redirect"`

			`_recordSuccessfulLogin: (user_id, callback = (error) ->) ->`
			`UserUpdater.updateUser user_id.toString(), {`
			`$set: { "lastLoggedIn": new Date() },`
			`$inc: { "loginCount": 1 }`
			`}, (error) ->`
			`callback(error) if error?`
			`Metrics.inc "user.login.success"`
			`callback()`

			`_recordFailedLogin: (callback = (error) ->) ->`
			`Metrics.inc "user.login.failed"`
			`callback()`