overleaf/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee

215 lines
7.3 KiB
CoffeeScript
Raw Normal View History

2014-02-12 05:23:40 -05:00
AuthenticationManager = require ("./AuthenticationManager")
LoginRateLimiter = require("../Security/LoginRateLimiter")
UserGetter = require "../User/UserGetter"
UserUpdater = require "../User/UserUpdater"
Metrics = require('../../infrastructure/Metrics')
logger = require("logger-sharelatex")
querystring = require('querystring')
Url = require("url")
Settings = require "settings-sharelatex"
2015-06-30 07:04:41 -04:00
basicAuth = require('basic-auth-connect')
UserHandler = require("../User/UserHandler")
UserSessionsManager = require("../User/UserSessionsManager")
2016-08-11 09:09:45 -04:00
Analytics = require "../Analytics/AnalyticsManager"
2014-02-12 05:23:40 -05:00
module.exports = AuthenticationController =
2016-09-05 05:28:47 -04:00
2016-09-05 10:58:31 -04:00
# login: (req, res, next = (error) ->) ->
# AuthenticationController.doLogin req.body, req, res, next
2016-09-02 11:17:37 -04:00
serializeUser: (user, callback) ->
lightUser =
_id: user._id
first_name: user.first_name
last_name: user.last_name
isAdmin: user.isAdmin
email: user.email
referal_id: user.referal_id
session_created: (new Date()).toISOString()
ip_address: user._login_req_ip
callback(null, lightUser)
deserializeUser: (user, cb) ->
cb(null, user)
doPassportLogin: (req, username, password, done) ->
email = username.toLowerCase()
redir = Url.parse(req?.body?.redir or "/project").path
LoginRateLimiter.processLoginRequest email, (err, isAllowed)->
return done(err) if err?
if !isAllowed
logger.log email:email, "too many login requests"
return done(null, null, {message: req.i18n.translate("to_many_login_requests_2_mins"), type: 'error'})
AuthenticationManager.authenticate email: email, password, (error, user) ->
return done(error) if error?
if user?
# async actions
UserHandler.setupLoginData(user, ()->)
LoginRateLimiter.recordSuccessfulLogin(email)
AuthenticationController._recordSuccessfulLogin(user._id)
Analytics.recordEvent(user._id, "user-logged-in")
UserSessionsManager.trackSession(user, req.sessionID, () ->)
req.session.justLoggedIn = true
logger.log email: email, user_id: user._id.toString(), "successful log in"
# capture the request ip for use when creating the session
user._login_req_ip = req.ip
req._redir = redir
return done(null, user)
else
AuthenticationController._recordFailedLogin()
logger.log email: email, "failed log in"
return done(null, false, {message: req.i18n.translate("email_or_password_wrong_try_again"), type: 'error'})
2016-09-05 10:58:31 -04:00
isUserLoggedIn: (req) ->
user_id = AuthenticationController.getLoggedInUserId(req)
return user_id?
2016-09-02 11:17:37 -04:00
2016-09-05 10:58:31 -04:00
# TODO: perhaps should produce an error if the current user is not present
getLoggedInUserId: (req) ->
2016-09-06 10:22:13 -04:00
user = AuthenticationController.getSessionUser(req)
if user?
return user._id
else
return null
getSessionUser: (req) ->
2016-09-05 10:58:31 -04:00
# old sessions
if req?.session?.user?._id?
2016-09-06 10:22:13 -04:00
return req.session.user
2016-09-05 10:58:31 -04:00
# new passport sessions
else if req?.session?.passport?.user?._id?
2016-09-06 10:22:13 -04:00
return req.session.passport.user
2016-09-05 10:58:31 -04:00
# neither
else
2016-09-05 10:58:31 -04:00
return null
2014-02-12 05:23:40 -05:00
2016-09-05 10:58:31 -04:00
# TODO: perhaps should produce an error if the current user is not present
2016-03-10 12:15:14 -05:00
getLoggedInUser: (req, callback = (error, user) ->) ->
2016-09-06 08:21:22 -04:00
user_id = AuthenticationController.getLoggedInUserId(req)
if !user_id?
return callback(null, null)
2016-09-05 10:58:31 -04:00
# omit sensitive information
2016-09-06 08:21:22 -04:00
UserGetter.getUser user_id, {hashedPassword: false, refProviders: false}, callback
2014-02-12 05:23:40 -05:00
2016-03-10 12:15:14 -05:00
requireLogin: () ->
2014-02-12 05:23:40 -05:00
doRequest = (req, res, next = (error) ->) ->
2016-09-06 08:21:22 -04:00
if !AuthenticationController.isUserLoggedIn(req)
AuthenticationController._redirectToLoginOrRegisterPage(req, res)
2014-02-12 05:23:40 -05:00
else
2016-09-06 08:21:22 -04:00
next()
2014-02-12 05:23:40 -05:00
return doRequest
_globalLoginWhitelist: []
addEndpointToLoginWhitelist: (endpoint) ->
AuthenticationController._globalLoginWhitelist.push endpoint
requireGlobalLogin: (req, res, next) ->
if req._parsedUrl.pathname in AuthenticationController._globalLoginWhitelist
return next()
if req.headers['authorization']?
return AuthenticationController.httpAuth(req, res, next)
2016-09-05 10:58:31 -04:00
else if AuthenticationController.isUserLoggedIn()?
return next()
else
logger.log url:req.url, "user trying to access endpoint not in global whitelist"
return res.redirect "/login"
2015-06-30 07:04:41 -04:00
httpAuth: basicAuth (user, pass)->
isValid = Settings.httpAuthUsers[user] == pass
if !isValid
logger.err user:user, pass:pass, "invalid login details"
return isValid
_redirectToLoginOrRegisterPage: (req, res)->
if req.query.zipUrl? or req.query.project_name?
return AuthenticationController._redirectToRegisterPage(req, res)
else
AuthenticationController._redirectToLoginPage(req, res)
_redirectToLoginPage: (req, res) ->
logger.log url: req.url, "user not logged in so redirecting to login page"
req.query.redir = req.path
url = "/login?#{querystring.stringify(req.query)}"
res.redirect url
Metrics.inc "security.login-redirect"
2014-02-12 05:23:40 -05:00
_redirectToRegisterPage: (req, res) ->
logger.log url: req.url, "user not logged in so redirecting to register page"
req.query.redir = req.path
url = "/register?#{querystring.stringify(req.query)}"
res.redirect url
Metrics.inc "security.login-redirect"
_recordSuccessfulLogin: (user_id, callback = (error) ->) ->
UserUpdater.updateUser user_id.toString(), {
$set: { "lastLoggedIn": new Date() },
$inc: { "loginCount": 1 }
}, (error) ->
callback(error) if error?
Metrics.inc "user.login.success"
callback()
_recordFailedLogin: (callback = (error) ->) ->
Metrics.inc "user.login.failed"
callback()
2016-09-05 10:58:31 -04:00
# establishUserSession: (req, user, callback = (error) ->) ->
# dienow
# lightUser =
# _id: user._id
# first_name: user.first_name
# last_name: user.last_name
# isAdmin: user.isAdmin
# email: user.email
# referal_id: user.referal_id
# session_created: (new Date()).toISOString()
# ip_address: req.ip
# # Regenerate the session to get a new sessionID (cookie value) to
# # protect against session fixation attacks
# oldSession = req.session
# req.session.destroy()
# req.sessionStore.generate(req)
# for key, value of oldSession
# req.session[key] = value
# req.session.user = lightUser
# UserSessionsManager.trackSession(user, req.sessionID, () ->)
# callback()
# doLogin: (options, req, res, next) ->
# dienow
# email = options.email?.toLowerCase()
# password = options.password
# redir = Url.parse(options.redir or "/project").path
# LoginRateLimiter.processLoginRequest email, (err, isAllowed)->
# if !isAllowed
# logger.log email:email, "too many login requests"
# res.statusCode = 429
# return res.send
# message:
# text: req.i18n.translate("to_many_login_requests_2_mins"),
# type: 'error'
# AuthenticationManager.authenticate email: email, password, (error, user) ->
# return next(error) if error?
# if user?
# UserHandler.setupLoginData user, ->
# LoginRateLimiter.recordSuccessfulLogin email
# AuthenticationController._recordSuccessfulLogin user._id
# AuthenticationController.establishUserSession req, user, (error) ->
# return next(error) if error?
# req.session.justLoggedIn = true
# logger.log email: email, user_id: user._id.toString(), "successful log in"
# Analytics.recordEvent user._id, "user-logged-in"
# res.json redir: redir
# else
# AuthenticationController._recordFailedLogin()
# logger.log email: email, "failed log in"
# res.json message:
# text: req.i18n.translate("email_or_password_wrong_try_again"),
# type: 'error'