195 lines
5 KiB
TypeScript
195 lines
5 KiB
TypeScript
import { PASSWORD_ENTRIES } from '../../../models/password_entry.ts';
|
|
import { USER, USERS } from '../../../models/user.ts';
|
|
import { encodeBase32 } from 'jsr:@std/encoding';
|
|
import lurid from 'jsr:@andyburke/lurid';
|
|
import { SESSION, SESSIONS } from '../../../models/session.ts';
|
|
import { TOTP_ENTRIES } from '../../../models/totp_entry.ts';
|
|
import { encodeBase64 } from 'jsr:@std/encoding/base64';
|
|
import parse_body from '../../../utils/bodyparser.ts';
|
|
import { SESSION_ID_TOKEN, SESSION_SECRET_TOKEN } from '../../../utils/prechecks.ts';
|
|
import * as bcrypt from 'jsr:@da/bcrypt';
|
|
import { verifyTotp } from '../../../utils/totp.ts';
|
|
|
|
const DEFAULT_SESSION_TIME: number = 60 * 60 * 1_000; // 1 Hour
|
|
|
|
// POST /api/auth - Authenticate
|
|
export async function POST(req: Request, meta: Record<string, any>): Promise<Response> {
|
|
try {
|
|
const body = await parse_body(req);
|
|
|
|
const username: string = body.username?.toLowerCase() ?? '';
|
|
const password: string | undefined = body.password;
|
|
const password_hash: string | undefined = body.password_hash ?? (typeof password === 'string'
|
|
? encodeBase64(
|
|
await crypto.subtle.digest('SHA-256', new TextEncoder().encode(password ?? ''))
|
|
)
|
|
: undefined);
|
|
const totp: string | undefined = body.totp;
|
|
|
|
if (!username.length) {
|
|
return Response.json({
|
|
error: {
|
|
message: 'You must specify a username to log in.',
|
|
cause: 'username_required'
|
|
}
|
|
}, {
|
|
status: 400
|
|
});
|
|
}
|
|
|
|
// password has should be a base64-encoded SHA-256 hash
|
|
if (typeof password_hash !== 'string') {
|
|
return Response.json({
|
|
error: {
|
|
message: 'invalid password hash',
|
|
cause: 'invalid_password_hash'
|
|
}
|
|
}, {
|
|
status: 400
|
|
});
|
|
}
|
|
|
|
let user: USER | undefined = undefined;
|
|
user = (await USERS.find({
|
|
username
|
|
})).shift()?.load();
|
|
|
|
if (!user) {
|
|
return Response.json({
|
|
error: {
|
|
message: `Could not locate an account with username: ${username}`,
|
|
cause: 'missing_account'
|
|
}
|
|
}, {
|
|
status: 400
|
|
});
|
|
}
|
|
|
|
const password_entry = await PASSWORD_ENTRIES.get(user.id);
|
|
if (!password_entry) {
|
|
return Response.json({
|
|
error: {
|
|
message: 'Missing password entry for this account, please contact support.',
|
|
cause: 'missing_password_entry'
|
|
}
|
|
}, {
|
|
status: 500
|
|
});
|
|
}
|
|
|
|
const verified = await bcrypt.compare(`${password_hash}${password_entry.salt}`, password_entry.hash);
|
|
|
|
if (!verified) {
|
|
return Response.json({
|
|
error: {
|
|
message: 'Incorrect password.',
|
|
cause: 'incorrect_password'
|
|
}
|
|
}, {
|
|
status: 400
|
|
});
|
|
}
|
|
|
|
const totp_entry = await TOTP_ENTRIES.get(user.id);
|
|
if (totp_entry) {
|
|
if (typeof totp !== 'string' || !totp.length) {
|
|
return Response.json({
|
|
two_factor: true,
|
|
totp: true
|
|
}, {
|
|
status: 202,
|
|
headers: {
|
|
'Set-Cookie': `totp_user_id=${user.id}; Path=/; Max-Age=300`
|
|
}
|
|
});
|
|
}
|
|
|
|
const valid_totp: boolean = await verifyTotp(totp, totp_entry.secret);
|
|
if (!valid_totp) {
|
|
return Response.json({
|
|
error: {
|
|
message: 'Incorrect TOTP.',
|
|
cause: 'incorrect_totp'
|
|
}
|
|
}, {
|
|
status: 400
|
|
});
|
|
}
|
|
}
|
|
|
|
const session_result: SESSION_RESULT = await create_new_session({
|
|
user,
|
|
expires: body.session?.expires
|
|
});
|
|
|
|
// TODO: verify this redirect is relative?
|
|
const headers = session_result.headers;
|
|
let status = 201;
|
|
if (typeof meta?.query?.redirect === 'string') {
|
|
const url = new URL(req.url);
|
|
session_result.headers.append('location', `${url.origin}${meta.query.redirect}`);
|
|
status = 302;
|
|
}
|
|
|
|
return Response.json({
|
|
user,
|
|
session: session_result.session
|
|
}, {
|
|
status,
|
|
headers
|
|
});
|
|
} catch (error) {
|
|
return Response.json({
|
|
error: {
|
|
message: (error as Error).message ?? 'Unknown Error!',
|
|
cause: (error as Error).cause ?? 'unknown'
|
|
}
|
|
}, { status: 400 });
|
|
}
|
|
}
|
|
|
|
export type SESSION_RESULT = {
|
|
session: SESSION;
|
|
headers: Headers;
|
|
};
|
|
|
|
export type SESSION_INFO = {
|
|
user: USER;
|
|
expires: string | undefined;
|
|
};
|
|
|
|
const session_secret_buffer = new Uint8Array(20);
|
|
export async function create_new_session(session_settings: SESSION_INFO): Promise<SESSION_RESULT> {
|
|
const now = new Date().toISOString();
|
|
const expires: string = session_settings.expires ??
|
|
new Date(new Date(now).valueOf() + DEFAULT_SESSION_TIME).toISOString();
|
|
|
|
crypto.getRandomValues(session_secret_buffer);
|
|
|
|
const session: SESSION = {
|
|
id: lurid(),
|
|
user_id: session_settings.user.id,
|
|
secret: encodeBase32(session_secret_buffer),
|
|
timestamps: {
|
|
created: now,
|
|
expires,
|
|
ended: ''
|
|
}
|
|
};
|
|
|
|
await SESSIONS.create(session);
|
|
|
|
const headers = new Headers();
|
|
|
|
headers.append('Set-Cookie', `${SESSION_ID_TOKEN}=${session.id}; Path=/; Expires=${expires}`);
|
|
headers.append(`x-${SESSION_ID_TOKEN}`, session.id);
|
|
|
|
// TODO: this wasn't really intended to be persisted in a cookie, but we are using it to
|
|
// generate the TOTP for the call to /api/users/me
|
|
headers.append('Set-Cookie', `${SESSION_SECRET_TOKEN}=${session.secret}; Path=/; Expires=${expires}`);
|
|
|
|
return {
|
|
session,
|
|
headers
|
|
};
|
|
}
|