Mil
/
doushio
forked from flanchan/doushio
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
doushio/server/auth.js

259 lines
7.2 KiB
Raw Permalink Blame History

var _ = require('../lib/underscore'),
common = require('../common'),
config = require('../config'),
crypto = require('crypto'),
formidable = require('formidable'),
querystring = require('querystring'),
RES = require('./state').resources,
request = require('request'),
winston = require('winston');
function connect() {
return global.redis;
}
exports.login = function (req, resp) {
var ip = req.ident.ip;
// if login cookie present, redirect to board (preferably, go back. but will that be easy?)
var r = connect();
function fail(error) {
respond_error(resp, error)
}
if (req.query.state) {
var state = req.query.state;
r.get('github:'+state, function (err, savedIP) {
if (err) {
winston.error("Couldn't read login: " + err);
fail("Couldn't read login attempt.");
return;
}
if (!savedIP) {
winston.info("Expired login attempt from " + ip);
fail("Login attempt expired. Please try again.");
return;
}
if (savedIP != ip) {
winston.warn("IP changed from " + savedIP + " to " + ip);
fail("Your IP changed during login. Please try again.");
return;
}
if (req.query.error == 'access_denied') {
fail("User did not approve GitHub app access.");
return;
}
if (req.query.error) {
// escaping out of paranoia (though respond_error emits JSON)
var err = common.escape_html(req.query.error);
winston.error("OAuth error: " + err);
if (req.query.error_description) {
err = common.escape_html(req.query.error_description);
winston.error("Desc: " + err);
}
fail("OAuth login failure: " + err);
return;
}
var code = req.query.code;
if (!code) {
fail("OAuth code missing!");
return;
}
request_access_token(req.query.code, state, function (err, token) {
if (err) {
winston.error("Github access token: " + err);
fail("Couldn't obtain token from GitHub. Try again.");
return;
}
request_username(token, function (err, username) {
if (err) {
winston.error("Username: " + err);
fail("Couldn't read username. Try again.");
return;
}
r.del('github:'+state, function (err) {});
if (/^popup:/.test(state))
req.popup_HACK = true;
verify_auth(req, resp, username);
});
});
});
return;
}
// new login attempt; TODO rate limit
var nonce = random_str();
if (req.query.popup !== undefined)
nonce = 'popup:' + nonce;
r.setex('github:'+nonce, 60, ip, function (err) {
if (err) {
winston.error("Couldn't save login: " + err);
fail("Couldn't persist login attempt.");
return;
}
var params = {
client_id: config.GITHUB_CLIENT_ID,
state: nonce,
allow_signup: 'false',
};
var url = 'https://github.com/login/oauth/authorize?' +
querystring.stringify(params);
resp.writeHead(303, {Location: url});
resp.end('Redirect to GitHub Login');
});
}
function request_access_token(code, state, cb) {
var payload = {
client_id: config.GITHUB_CLIENT_ID,
client_secret: config.GITHUB_CLIENT_SECRET,
code: code,
state: state,
};
var opts = {
url: 'https://github.com/login/oauth/access_token',
body: payload,
json: true,
};
request.post(opts, function (err, tokenResp, packet) {
if (err || !packet || typeof packet.access_token != 'string') {
cb(err || "No access token in response");
}
else {
cb(null, packet.access_token);
}
});
}
function request_username(token, cb) {
var opts = {
url: 'https://api.github.com/user',
headers: {Authorization: 'token ' + token, 'User-Agent': 'Doushio-Auth'},
json: true,
};
request.get(opts, function (err, usernameResp, packet) {
if (err || !packet || typeof packet.login != 'string') {
cb(err || "Invalid username response");
}
else {
cb(null, packet.login);
}
});
}
function verify_auth(req, resp, user) {
if (!user)
return respond_error(resp, 'Invalid username.');
var ip = req.ident.ip;
var packet = {ip: ip, user: user, date: Date.now()};
if (config.ADMIN_GITHUBS.indexOf(user) >= 0) {
winston.info("@" + user + " logging in as admin from " + ip);
packet.auth = 'Admin';
exports.set_cookie(req, resp, packet);
}
else if (config.MODERATOR_GITHUBS.indexOf(user) >= 0) {
winston.info("@" + user + " logging in as moderator from " + ip);
packet.auth = 'Moderator';
exports.set_cookie(req, resp, packet);
}
else {
winston.error("Login attempt by @" + user + " from " + ip);
return respond_error(resp, 'Check your privilege.');
}
};
exports.set_cookie = function (req, resp, info) {
var pass = random_str();
info.csrf = random_str();
var m = connect().multi();
m.hmset('session:'+pass, info);
m.expire('session:'+pass, config.LOGIN_SESSION_TIME);
m.exec(function (err) {
if (err)
return oauth_error(resp, err);
respond_ok(req, resp, make_cookie('a', pass, info.expires));
});
};
function extract_login_cookie(chunks) {
if (!chunks || !chunks.a)
return false;
return /^[a-zA-Z0-9+\/]{20}$/.test(chunks.a) ? chunks.a : false;
}
exports.extract_login_cookie = extract_login_cookie;
exports.check_cookie = function (cookie, callback) {
var r = connect();
r.hgetall('session:' + cookie, function (err, session) {
if (err)
return callback(err);
else if (_.isEmpty(session))
return callback('Not logged in.');
callback(null, session);
});
};
exports.logout = function (req, resp) {
if (req.method != 'POST') {
resp.writeHead(200, {'Content-Type': 'text/html'});
resp.end('<!doctype html><title>Logout</title><form method=post>' +
'<input type=submit value=Logout></form>');
return;
}
var r = connect();
var cookie = extract_login_cookie(req.cookies);
if (!cookie) {
console.log('no cookie');
return respond_error(resp, "No login cookie for logout.");
}
r.hgetall('session:' + cookie, function (err, session) {
if (err)
return respond_error(resp, "Logout error.");
r.del('session:' + cookie);
respond_ok(req, resp, 'a=; expires=Thu, 01 Jan 1970 00:00:00 GMT');
});
};
function respond_error(resp, message) {
resp.writeHead(200, {'Content-Type': 'application/json'});
resp.end(JSON.stringify({status: 'error', message: message}));
}
function respond_ok(req, resp, cookie) {
var headers = {'Set-Cookie': cookie};
if (/json/.test(req.headers.accept)) {
headers['Content-Type'] = 'application/json';
resp.writeHead(200, headers);
resp.end(JSON.stringify({status: 'okay'}));
}
else if (req.popup_HACK) {
headers['Content-Type'] = 'text/html';
resp.writeHead(200, headers);
resp.end('<!doctype html><title>OK</title>Logged in!' +
'<script>window.opener.location.reload(); window.close();</script>');
}
else {
headers.Location = config.DEFAULT_BOARD + '/';
resp.writeHead(303, headers);
resp.end("OK! Redirecting.");
}
}
function make_expiry() {
var expiry = new Date(Date.now()
+ config.LOGIN_SESSION_TIME*1000).toUTCString();
/* Change it to the expected dash-separated format */
var m = expiry.match(/^(\w+,\s+\d+)\s+(\w+)\s+(\d+\s+[\d:]+\s+\w+)$/);
return m ? m[1] + '-' + m[2] + '-' + m[3] : expiry;
}
function make_cookie(key, val) {
var header = key + '=' + val + '; Expires=' + make_expiry();
var domain = config.LOGIN_COOKIE_DOMAIN;
if (domain)
header += '; Domain=' + domain;
return header;
}
function random_str() {
return crypto.randomBytes(15).toString('base64');
}
Reference in new issue View Git Blame Copy Permalink