2014-02-12 10:23:40 +00:00
|
|
|
AuthenticationManager = require ("./AuthenticationManager")
|
|
|
|
LoginRateLimiter = require("../Security/LoginRateLimiter")
|
|
|
|
UserUpdater = require "../User/UserUpdater"
|
2017-04-03 15:18:30 +00:00
|
|
|
Metrics = require('metrics-sharelatex')
|
2014-02-12 10:23:40 +00:00
|
|
|
logger = require("logger-sharelatex")
|
|
|
|
querystring = require('querystring')
|
|
|
|
Url = require("url")
|
2015-04-15 10:14:38 +00:00
|
|
|
Settings = require "settings-sharelatex"
|
2015-06-30 11:04:41 +00:00
|
|
|
basicAuth = require('basic-auth-connect')
|
2016-02-17 16:24:09 +00:00
|
|
|
UserHandler = require("../User/UserHandler")
|
2016-06-29 10:35:25 +00:00
|
|
|
UserSessionsManager = require("../User/UserSessionsManager")
|
2016-08-11 13:09:45 +00:00
|
|
|
Analytics = require "../Analytics/AnalyticsManager"
|
2016-09-15 13:36:11 +00:00
|
|
|
passport = require 'passport'
|
2018-09-04 16:26:15 +00:00
|
|
|
NotificationsBuilder = require("../Notifications/NotificationsBuilder")
|
2014-02-12 10:23:40 +00:00
|
|
|
|
|
|
|
module.exports = AuthenticationController =
|
2016-09-05 09:28:47 +00:00
|
|
|
|
2016-09-02 15:17:37 +00:00
|
|
|
serializeUser: (user, callback) ->
|
|
|
|
lightUser =
|
|
|
|
_id: user._id
|
|
|
|
first_name: user.first_name
|
|
|
|
last_name: user.last_name
|
|
|
|
isAdmin: user.isAdmin
|
|
|
|
email: user.email
|
|
|
|
referal_id: user.referal_id
|
|
|
|
session_created: (new Date()).toISOString()
|
|
|
|
ip_address: user._login_req_ip
|
|
|
|
callback(null, lightUser)
|
|
|
|
|
|
|
|
deserializeUser: (user, cb) ->
|
|
|
|
cb(null, user)
|
|
|
|
|
2016-11-01 14:06:54 +00:00
|
|
|
afterLoginSessionSetup: (req, user, callback=(err)->) ->
|
|
|
|
req.login user, (err) ->
|
2016-11-08 15:32:36 +00:00
|
|
|
if err?
|
|
|
|
logger.err {user_id: user._id, err}, "error from req.login"
|
|
|
|
return callback(err)
|
2016-11-01 14:06:54 +00:00
|
|
|
# Regenerate the session to get a new sessionID (cookie value) to
|
|
|
|
# protect against session fixation attacks
|
|
|
|
oldSession = req.session
|
2016-11-08 15:32:36 +00:00
|
|
|
req.session.destroy (err) ->
|
2016-11-01 14:06:54 +00:00
|
|
|
if err?
|
2016-11-08 15:32:36 +00:00
|
|
|
logger.err {user_id: user._id, err}, "error when trying to destroy old session"
|
2016-11-01 14:06:54 +00:00
|
|
|
return callback(err)
|
2016-11-08 15:32:36 +00:00
|
|
|
req.sessionStore.generate(req)
|
|
|
|
for key, value of oldSession
|
2018-09-13 11:31:59 +00:00
|
|
|
req.session[key] = value unless key == '__tmp'
|
2016-11-08 15:32:36 +00:00
|
|
|
# copy to the old `session.user` location, for backward-comptability
|
|
|
|
req.session.user = req.session.passport.user
|
|
|
|
req.session.save (err) ->
|
|
|
|
if err?
|
|
|
|
logger.err {user_id: user._id}, "error saving regenerated session after login"
|
|
|
|
return callback(err)
|
|
|
|
UserSessionsManager.trackSession(user, req.sessionID, () ->)
|
|
|
|
callback(null)
|
2016-11-01 14:06:54 +00:00
|
|
|
|
2016-09-15 13:36:11 +00:00
|
|
|
passportLogin: (req, res, next) ->
|
|
|
|
# This function is middleware which wraps the passport.authenticate middleware,
|
|
|
|
# so we can send back our custom `{message: {text: "", type: ""}}` responses on failure,
|
|
|
|
# and send a `{redir: ""}` response on success
|
|
|
|
passport.authenticate('local', (err, user, info) ->
|
|
|
|
if err?
|
|
|
|
return next(err)
|
2016-09-20 13:50:26 +00:00
|
|
|
if user # `user` is either a user object or false
|
2018-07-17 15:27:24 +00:00
|
|
|
AuthenticationController.finishLogin(user, req, res, next)
|
2016-09-15 13:36:11 +00:00
|
|
|
else
|
2018-07-31 14:53:05 +00:00
|
|
|
if info.redir?
|
|
|
|
res.json {redir: info.redir}
|
|
|
|
else
|
|
|
|
res.json message: info
|
2016-09-15 13:36:11 +00:00
|
|
|
)(req, res, next)
|
|
|
|
|
2018-07-17 15:27:24 +00:00
|
|
|
finishLogin: (user, req, res, next) ->
|
|
|
|
redir = AuthenticationController._getRedirectFromSession(req) || "/project"
|
|
|
|
AuthenticationController._loginAsyncHandlers(req, user)
|
|
|
|
AuthenticationController.afterLoginSessionSetup req, user, (err) ->
|
|
|
|
if err?
|
|
|
|
return next(err)
|
|
|
|
AuthenticationController._clearRedirectFromSession(req)
|
|
|
|
if req.headers?['accept']?.match(/^application\/json.*$/)
|
|
|
|
res.json {redir: redir}
|
|
|
|
else
|
|
|
|
res.redirect(redir)
|
|
|
|
|
2016-09-02 15:17:37 +00:00
|
|
|
doPassportLogin: (req, username, password, done) ->
|
|
|
|
email = username.toLowerCase()
|
2018-07-31 14:53:05 +00:00
|
|
|
Modules = require "../../infrastructure/Modules"
|
2018-08-17 11:04:05 +00:00
|
|
|
Modules.hooks.fire 'preDoPassportLogin', req, email, (err, infoList) ->
|
2018-07-31 14:53:05 +00:00
|
|
|
return next(err) if err?
|
|
|
|
info = infoList.find((i) => i?)
|
|
|
|
if info?
|
|
|
|
return done(null, false, info)
|
|
|
|
LoginRateLimiter.processLoginRequest email, (err, isAllowed)->
|
|
|
|
return done(err) if err?
|
|
|
|
if !isAllowed
|
|
|
|
logger.log email:email, "too many login requests"
|
|
|
|
return done(null, null, {text: req.i18n.translate("to_many_login_requests_2_mins"), type: 'error'})
|
|
|
|
AuthenticationManager.authenticate email: email, password, (error, user) ->
|
|
|
|
return done(error) if error?
|
|
|
|
if user?
|
|
|
|
# async actions
|
|
|
|
return done(null, user)
|
|
|
|
else
|
|
|
|
AuthenticationController._recordFailedLogin()
|
|
|
|
logger.log email: email, "failed log in"
|
|
|
|
return done(
|
|
|
|
null,
|
|
|
|
false,
|
|
|
|
{text: req.i18n.translate("email_or_password_wrong_try_again"), type: 'error'}
|
|
|
|
)
|
2016-09-02 15:17:37 +00:00
|
|
|
|
2018-07-17 15:27:24 +00:00
|
|
|
_loginAsyncHandlers: (req, user) ->
|
2018-07-13 10:51:11 +00:00
|
|
|
UserHandler.setupLoginData(user, ()->)
|
2018-07-17 15:27:24 +00:00
|
|
|
LoginRateLimiter.recordSuccessfulLogin(user.email)
|
2018-07-13 10:51:11 +00:00
|
|
|
AuthenticationController._recordSuccessfulLogin(user._id)
|
2018-09-05 14:28:26 +00:00
|
|
|
AuthenticationController.ipMatchCheck(req, user)
|
2018-07-13 10:51:11 +00:00
|
|
|
Analytics.recordEvent(user._id, "user-logged-in", {ip:req.ip})
|
|
|
|
Analytics.identifyUser(user._id, req.sessionID)
|
2018-07-17 15:27:24 +00:00
|
|
|
logger.log email: user.email, user_id: user._id.toString(), "successful log in"
|
2018-07-13 10:51:11 +00:00
|
|
|
req.session.justLoggedIn = true
|
|
|
|
# capture the request ip for use when creating the session
|
|
|
|
user._login_req_ip = req.ip
|
|
|
|
|
2018-09-04 16:26:15 +00:00
|
|
|
ipMatchCheck: (req, user) ->
|
|
|
|
if req.ip != user.lastLoginIp
|
2018-09-07 17:15:32 +00:00
|
|
|
NotificationsBuilder.ipMatcherAffiliation(user._id, req.ip).create()
|
2018-09-04 16:26:15 +00:00
|
|
|
UserUpdater.updateUser user._id.toString(), {
|
|
|
|
$set: { "lastLoginIp": req.ip }
|
|
|
|
}
|
|
|
|
|
2016-09-22 15:58:25 +00:00
|
|
|
setInSessionUser: (req, props) ->
|
|
|
|
for key, value of props
|
|
|
|
if req?.session?.passport?.user?
|
|
|
|
req.session.passport.user[key] = value
|
|
|
|
if req?.session?.user?
|
|
|
|
req.session.user[key] = value
|
|
|
|
|
2016-09-05 14:58:31 +00:00
|
|
|
isUserLoggedIn: (req) ->
|
|
|
|
user_id = AuthenticationController.getLoggedInUserId(req)
|
2016-09-23 15:53:07 +00:00
|
|
|
return (user_id not in [null, undefined, false])
|
2016-09-02 15:17:37 +00:00
|
|
|
|
2016-09-05 14:58:31 +00:00
|
|
|
# TODO: perhaps should produce an error if the current user is not present
|
|
|
|
getLoggedInUserId: (req) ->
|
2016-09-06 14:22:13 +00:00
|
|
|
user = AuthenticationController.getSessionUser(req)
|
2016-09-07 13:05:51 +00:00
|
|
|
if user
|
2016-09-06 14:22:13 +00:00
|
|
|
return user._id
|
|
|
|
else
|
|
|
|
return null
|
|
|
|
|
|
|
|
getSessionUser: (req) ->
|
2016-09-07 13:05:51 +00:00
|
|
|
if req?.session?.user?
|
2016-09-06 14:22:13 +00:00
|
|
|
return req.session.user
|
2016-09-07 13:05:51 +00:00
|
|
|
else if req?.session?.passport?.user
|
2016-09-06 14:22:13 +00:00
|
|
|
return req.session.passport.user
|
2014-04-02 14:56:54 +00:00
|
|
|
else
|
2016-09-05 14:58:31 +00:00
|
|
|
return null
|
2014-02-12 10:23:40 +00:00
|
|
|
|
2016-03-10 17:15:14 +00:00
|
|
|
requireLogin: () ->
|
2014-02-12 10:23:40 +00:00
|
|
|
doRequest = (req, res, next = (error) ->) ->
|
2016-09-06 12:21:22 +00:00
|
|
|
if !AuthenticationController.isUserLoggedIn(req)
|
2016-07-01 14:33:59 +00:00
|
|
|
AuthenticationController._redirectToLoginOrRegisterPage(req, res)
|
2014-02-12 10:23:40 +00:00
|
|
|
else
|
2016-09-22 12:54:13 +00:00
|
|
|
req.user = AuthenticationController.getSessionUser(req)
|
2016-09-06 12:21:22 +00:00
|
|
|
next()
|
2014-02-12 10:23:40 +00:00
|
|
|
|
|
|
|
return doRequest
|
|
|
|
|
2015-04-15 10:14:38 +00:00
|
|
|
_globalLoginWhitelist: []
|
|
|
|
addEndpointToLoginWhitelist: (endpoint) ->
|
|
|
|
AuthenticationController._globalLoginWhitelist.push endpoint
|
|
|
|
|
|
|
|
requireGlobalLogin: (req, res, next) ->
|
2015-04-30 10:57:40 +00:00
|
|
|
if req._parsedUrl.pathname in AuthenticationController._globalLoginWhitelist
|
2015-04-15 10:14:38 +00:00
|
|
|
return next()
|
|
|
|
|
|
|
|
if req.headers['authorization']?
|
|
|
|
return AuthenticationController.httpAuth(req, res, next)
|
2016-09-07 13:05:51 +00:00
|
|
|
else if AuthenticationController.isUserLoggedIn(req)
|
2015-04-15 10:14:38 +00:00
|
|
|
return next()
|
|
|
|
else
|
2015-04-30 10:57:40 +00:00
|
|
|
logger.log url:req.url, "user trying to access endpoint not in global whitelist"
|
2017-01-10 15:42:36 +00:00
|
|
|
AuthenticationController._setRedirectInSession(req)
|
2015-04-15 10:14:38 +00:00
|
|
|
return res.redirect "/login"
|
|
|
|
|
2015-06-30 11:04:41 +00:00
|
|
|
httpAuth: basicAuth (user, pass)->
|
2015-04-15 10:14:38 +00:00
|
|
|
isValid = Settings.httpAuthUsers[user] == pass
|
|
|
|
if !isValid
|
|
|
|
logger.err user:user, pass:pass, "invalid login details"
|
|
|
|
return isValid
|
2014-11-13 17:12:39 +00:00
|
|
|
|
|
|
|
_redirectToLoginOrRegisterPage: (req, res)->
|
2018-06-25 23:27:47 +00:00
|
|
|
if (req.query.zipUrl? or req.query.project_name? or req.path == '/user/subscription/new')
|
2016-07-01 14:33:59 +00:00
|
|
|
return AuthenticationController._redirectToRegisterPage(req, res)
|
2014-11-13 17:12:39 +00:00
|
|
|
else
|
2016-07-01 14:33:59 +00:00
|
|
|
AuthenticationController._redirectToLoginPage(req, res)
|
2014-11-13 17:12:39 +00:00
|
|
|
|
|
|
|
_redirectToLoginPage: (req, res) ->
|
|
|
|
logger.log url: req.url, "user not logged in so redirecting to login page"
|
2016-11-22 14:24:36 +00:00
|
|
|
AuthenticationController._setRedirectInSession(req)
|
2014-11-13 17:12:39 +00:00
|
|
|
url = "/login?#{querystring.stringify(req.query)}"
|
|
|
|
res.redirect url
|
|
|
|
Metrics.inc "security.login-redirect"
|
|
|
|
|
2014-02-12 10:23:40 +00:00
|
|
|
_redirectToRegisterPage: (req, res) ->
|
|
|
|
logger.log url: req.url, "user not logged in so redirecting to register page"
|
2016-11-22 14:24:36 +00:00
|
|
|
AuthenticationController._setRedirectInSession(req)
|
2014-02-12 10:23:40 +00:00
|
|
|
url = "/register?#{querystring.stringify(req.query)}"
|
|
|
|
res.redirect url
|
|
|
|
Metrics.inc "security.login-redirect"
|
|
|
|
|
|
|
|
_recordSuccessfulLogin: (user_id, callback = (error) ->) ->
|
|
|
|
UserUpdater.updateUser user_id.toString(), {
|
|
|
|
$set: { "lastLoggedIn": new Date() },
|
|
|
|
$inc: { "loginCount": 1 }
|
|
|
|
}, (error) ->
|
|
|
|
callback(error) if error?
|
|
|
|
Metrics.inc "user.login.success"
|
|
|
|
callback()
|
|
|
|
|
|
|
|
_recordFailedLogin: (callback = (error) ->) ->
|
|
|
|
Metrics.inc "user.login.failed"
|
|
|
|
callback()
|
2016-11-22 14:24:36 +00:00
|
|
|
|
2016-11-22 16:54:03 +00:00
|
|
|
_setRedirectInSession: (req, value) ->
|
|
|
|
if !value?
|
2017-01-17 14:35:37 +00:00
|
|
|
value = if Object.keys(req.query).length > 0 then "#{req.path}?#{querystring.stringify(req.query)}" else "#{req.path}"
|
2017-05-12 14:46:16 +00:00
|
|
|
if (
|
|
|
|
req.session? &&
|
2018-08-27 18:25:01 +00:00
|
|
|
!/^\/(socket.io|js|stylesheets|img)\/.*$/.test(value) &&
|
|
|
|
!/^.*\.(png|jpeg|svg)$/.test(value)
|
2017-05-12 14:46:16 +00:00
|
|
|
)
|
2016-11-22 16:54:03 +00:00
|
|
|
req.session.postLoginRedirect = value
|
2016-11-22 14:24:36 +00:00
|
|
|
|
|
|
|
_getRedirectFromSession: (req) ->
|
|
|
|
return req?.session?.postLoginRedirect || null
|
|
|
|
|
|
|
|
_clearRedirectFromSession: (req) ->
|
|
|
|
if req.session?
|
|
|
|
delete req.session.postLoginRedirect
|