More work on OAuth support.

This commit is contained in:
Ylian Saint-Hilaire 2020-05-13 22:30:59 -07:00
parent 88a1edfdcc
commit 55f7ba89b1
2 changed files with 30 additions and 16 deletions

View File

@ -1562,7 +1562,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
for (var i in command.users) { for (var i in command.users) {
if (domain.usernameisemail) { if (command.users[i].email) { command.users[i].user = command.users[i].email; } else { command.users[i].email = command.users[i].user; } } // If the email is the username, set this here. if (domain.usernameisemail) { if (command.users[i].email) { command.users[i].user = command.users[i].email; } else { command.users[i].email = command.users[i].user; } } // If the email is the username, set this here.
if (common.validateUsername(command.users[i].user, 1, 256) == false) break; // Username is between 1 and 64 characters, no spaces if (common.validateUsername(command.users[i].user, 1, 256) == false) break; // Username is between 1 and 64 characters, no spaces
if ((command.users[i].user == '~') || (command.users[i].user.indexOf('/') >= 0)) break; // This is a reserved user name if ((command.users[i].user[0] == '~') || (command.users[i].user.indexOf('/') >= 0)) break; // This is a reserved user name or invalid name
if (common.validateString(command.users[i].pass, 1, 256) == false) break; // Password is between 1 and 256 characters if (common.validateString(command.users[i].pass, 1, 256) == false) break; // Password is between 1 and 256 characters
if (common.checkPasswordRequirements(command.users[i].pass, domain.passwordrequirements) == false) break; // Password does not meet requirements if (common.checkPasswordRequirements(command.users[i].pass, domain.passwordrequirements) == false) break; // Password does not meet requirements
if ((command.users[i].email != null) && (common.validateEmail(command.users[i].email, 1, 1024) == false)) break; // Check if this is a valid email address if ((command.users[i].email != null) && (common.validateEmail(command.users[i].email, 1, 1024) == false)) break; // Check if this is a valid email address
@ -1635,15 +1635,14 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if ((user.siteadmin & 2) == 0) { err = 'Permission denied'; } if ((user.siteadmin & 2) == 0) { err = 'Permission denied'; }
else if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { err = 'Unable to add user in this mode'; } else if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { err = 'Unable to add user in this mode'; }
else if (common.validateUsername(command.username, 1, 256) == false) { err = 'Invalid username'; } // Username is between 1 and 64 characters, no spaces else if (common.validateUsername(command.username, 1, 256) == false) { err = 'Invalid username'; } // Username is between 1 and 64 characters, no spaces
else if ((command.username[0] == '~') || (command.username.indexOf('/') >= 0)) { err = 'Invalid username'; } // Usernames cant' start with ~ and can't have '/'
else if (common.validateString(command.pass, 1, 256) == false) { err = 'Invalid password'; } // Password is between 1 and 256 characters else if (common.validateString(command.pass, 1, 256) == false) { err = 'Invalid password'; } // Password is between 1 and 256 characters
else if (command.username.indexOf('/') >= 0) { err = 'Invalid username'; } // Usernames can't have '/'
else if ((command.randomPassword !== true) && (common.checkPasswordRequirements(command.pass, domain.passwordrequirements) == false)) { err = 'Invalid password'; } // Password does not meet requirements else if ((command.randomPassword !== true) && (common.checkPasswordRequirements(command.pass, domain.passwordrequirements) == false)) { err = 'Invalid password'; } // Password does not meet requirements
else if ((command.email != null) && (common.validateEmail(command.email, 1, 1024) == false)) { err = 'Invalid email'; } // Check if this is a valid email address else if ((command.email != null) && (common.validateEmail(command.email, 1, 1024) == false)) { err = 'Invalid email'; } // Check if this is a valid email address
else { else {
newusername = command.username; newusername = command.username;
newuserid = 'user/' + domain.id + '/' + command.username.toLowerCase(); newuserid = 'user/' + domain.id + '/' + command.username.toLowerCase();
if (newusername == '~') { err = 'Invalid username'; } // This is a reserved user name if (command.siteadmin != null) {
else if (command.siteadmin != null) {
if ((typeof command.siteadmin != 'number') || (Number.isInteger(command.siteadmin) == false)) { err = 'Invalid site permissions'; } // Check permissions if ((typeof command.siteadmin != 'number') || (Number.isInteger(command.siteadmin) == false)) { err = 'Invalid site permissions'; } // Check permissions
else if ((user.siteadmin != 0xFFFFFFFF) && ((command.siteadmin & (0xFFFFFFFF - 224)) != 0)) { err = 'Invalid site permissions'; } else if ((user.siteadmin != 0xFFFFFFFF) && ((command.siteadmin & (0xFFFFFFFF - 224)) != 0)) { err = 'Invalid site permissions'; }
} }

View File

@ -1007,6 +1007,15 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// If the email is the username, set this here. // If the email is the username, set this here.
if (domain.usernameisemail) { req.body.username = req.body.email; } if (domain.usernameisemail) { req.body.username = req.body.email; }
// Accounts that start with ~ are not allowed
if ((typeof req.body.username != 'string') || (req.body.username.length < 1) || (req.body.username[0] == '~')) {
parent.debug('web', 'handleCreateAccountRequest: unable to create account (0)');
req.session.loginmode = '2';
req.session.messageid = 100; // Unable to create account.
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
return;
}
// Count the number of users in this domain // Count the number of users in this domain
var domainUserCount = 0; var domainUserCount = 0;
for (var i in obj.users) { if (obj.users[i].domain == domain.id) { domainUserCount++; } } for (var i in obj.users) { if (obj.users[i].domain == domain.id) { domainUserCount++; } }
@ -3991,6 +4000,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// Setup passport if needed // Setup passport if needed
if (typeof domain.authstrategies == 'object') { if (typeof domain.authstrategies == 'object') {
const passport = domain.passport = require('passport'); const passport = domain.passport = require('passport');
passport.serializeUser(function (user, done) { done(null, user.id); });
passport.deserializeUser(function (id, done) { done(null, { id: id }); });
obj.app.use(passport.initialize());
if ((typeof domain.authstrategies.twitter == 'object') && (typeof domain.authstrategies.twitter.apikey == 'string') && (typeof domain.authstrategies.twitter.apisecret == 'string')) { if ((typeof domain.authstrategies.twitter == 'object') && (typeof domain.authstrategies.twitter.apikey == 'string') && (typeof domain.authstrategies.twitter.apisecret == 'string')) {
const TwitterStrategy = require('passport-twitter'); const TwitterStrategy = require('passport-twitter');
passport.use(new TwitterStrategy({ passport.use(new TwitterStrategy({
@ -3999,16 +4011,17 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
callbackURL: url + 'auth-twitter-callback' callbackURL: url + 'auth-twitter-callback'
}, },
function (token, tokenSecret, profile, cb) { function (token, tokenSecret, profile, cb) {
console.log('Twitter1', token, tokenSecret, profile); var user = { id: 'user/' + domain.id + '/~twitter:' + profile.id, name: profile.displayName };
//User.findOrCreate({ twitterId: profile.id }, function (err, user) { return cb(err, user); }); if ((typeof profile.emails == 'object') && (profile.emails[0] != null) && (typeof profile.emails[0].value == 'string')) { user.email = profile.emails[0].value; }
return cb(null, user);
} }
)); ));
obj.app.get(url + 'auth-twitter', domain.passport.authenticate('twitter')); obj.app.get(url + 'auth-twitter', domain.passport.authenticate('twitter'));
obj.app.get(url + 'https://alt.meshcentral.com', obj.app.get(url + 'auth-twitter-callback',
domain.passport.authenticate('twitter', { failureRedirect: '/' }), domain.passport.authenticate('twitter', { failureRedirect: '/' }),
function (req, res) { function (req, res) {
// Successful authentication, redirect home. // Successful authentication, redirect home.
console.log('Twitter2'); console.log('Twitter', req.session, req.user);
res.redirect('/'); res.redirect('/');
}); });
} }
@ -4020,16 +4033,17 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
callbackURL: url + 'auth-google-callback' callbackURL: url + 'auth-google-callback'
}, },
function (token, tokenSecret, profile, cb) { function (token, tokenSecret, profile, cb) {
console.log('Google1', token, tokenSecret, profile); var user = { id: 'user/' + domain.id + '/~google:' + profile.id, name: profile.displayName };
//User.findOrCreate({ googleId: profile.id }, function (err, user) { return cb(err, user); }); if ((typeof profile.emails == 'object') && (profile.emails[0] != null) && (typeof profile.emails[0].value == 'string') && (profile.emails[0].verified == true)) { user.email = profile.emails[0].value; }
return cb(null, user);
} }
)); ));
obj.app.get(url + 'auth-google', domain.passport.authenticate('google')); obj.app.get(url + 'auth-google', domain.passport.authenticate('google', { scope: ['profile', 'email'] }));
obj.app.get(url + 'auth-google-callback', obj.app.get(url + 'auth-google-callback',
domain.passport.authenticate('google', { failureRedirect: '/' }), domain.passport.authenticate('google', { failureRedirect: '/' }),
function (req, res) { function (req, res) {
// Successful authentication, redirect home. // Successful authentication, redirect home.
console.log('Google2'); console.log('Google', req.session, req.user);
res.redirect('/'); res.redirect('/');
}); });
} }
@ -4041,16 +4055,17 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
callbackURL: url + 'auth-github-callback' callbackURL: url + 'auth-github-callback'
}, },
function (token, tokenSecret, profile, cb) { function (token, tokenSecret, profile, cb) {
console.log('GitHub1', token, tokenSecret, profile); var user = { id: 'user/' + domain.id + '/~github:' + profile.id, name: profile.displayName };
//User.findOrCreate({ githubId: profile.id }, function (err, user) { return cb(err, user); }); if ((typeof profile.emails == 'object') && (profile.emails[0] != null) && (typeof profile.emails[0].value == 'string')) { user.email = profile.emails[0].value; }
return cb(null, user);
} }
)); ));
obj.app.get(url + 'auth-github', domain.passport.authenticate('github', { scope: ['user:email'] })); obj.app.get(url + 'auth-github', domain.passport.authenticate('github', { scope: ['user:email'] }));
obj.app.get(url + 'auth-github-callback', obj.app.get(url + 'auth-github-callback',
domain.passport.authenticate('google', { failureRedirect: '/' }), domain.passport.authenticate('github', { failureRedirect: '/' }),
function (req, res) { function (req, res) {
// Successful authentication, redirect home. // Successful authentication, redirect home.
console.log('GitHub2'); console.log('GitHub', req.session, req.user);
res.redirect('/'); res.redirect('/');
}); });
} }