X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=lib%2Fauthenticator.js;h=4449a94b700889f5c2196b77c91872ed0b52d26d;hb=70645846baf3aa9ecb7f6f49de143a4282128a73;hp=efa3d844e7502cd024c6c99da830342dfe04954f;hpb=1e2d8a7bdb0df28d08258ee813ee6db77168d59e;p=squeep-authentication-module diff --git a/lib/authenticator.js b/lib/authenticator.js index efa3d84..4449a94 100644 --- a/lib/authenticator.js +++ b/lib/authenticator.js @@ -20,6 +20,7 @@ class Authenticator { * @param {Boolean} options.authenticator.secureAuthOnly * @param {String[]} options.authenticator.forbiddenPAMIdentifiers * @param {String[]} options.authenticator.authnEnabled + * @param {Number=} options.authenticator.inactiveSessionLifespanSeconds * @param {String[]=} options.authenticator.loginBlurb * @param {String[]=} options.authenticator.indieAuthBlurb * @param {String[]=} options.authenticator.userBlurb @@ -51,6 +52,8 @@ class Authenticator { } this.mysteryBox = new MysteryBox(logger, options); + + this.cookieLifespan = options.authenticator.inactiveSessionLifespanSeconds || 60 * 60 * 24 * 32; } @@ -63,10 +66,14 @@ class Authenticator { */ async isValidIdentifierCredential(identifier, credential, ctx) { const _scope = _fileScope('isValidIdentifierCredential'); - this.logger.debug(_scope, 'called', { identifier, credential: '*'.repeat(credential.length), ctx }); + this.logger.debug(_scope, 'called', { identifier, credential: '*'.repeat((credential || '').length), ctx }); let isValid = false; + if (typeof credential === 'undefined') { + return isValid; + } + await this.db.context(async (dbCtx) => { const authData = await this.db.authenticationGet(dbCtx, identifier); if (!authData) { @@ -259,6 +266,18 @@ class Authenticator { && (ctx.session.authenticatedIdentifier || (profilesAllowed && ctx.session.authenticatedProfile))) { this.logger.debug(_scope, 'valid session cookie', { ctx }); + // Refresh timeout on valid session. + const cookieParts = [ + sessionCookie, + 'HttpOnly', + `Max-Age=${this.cookieLifespan}`, + 'SameSite=Lax', + `Path=${this.options.dingus.proxyPrefix}/`, + ]; + if (this.options.authenticator.secureAuthOnly) { + cookieParts.push('Secure'); + } + res.setHeader(Enum.Header.SetCookie, cookieParts.join('; ')); return true; } @@ -268,6 +287,7 @@ class Authenticator { `${Enum.SessionCookie}=""`, 'HttpOnly', 'Max-Age=0', + 'SameSite=Lax', `Path=${this.options.dingus.proxyPrefix}/`, ]; if (this.options.authenticator.secureAuthOnly) { @@ -338,7 +358,8 @@ class Authenticator { /** * Require auth for an API endpoint. - * Check for valid local identifier in session, or Authentication header. + * Check for valid local identifier in Authorization header; optionally + * fall back to session cookie if no header provided. * Prompts for Basic auth if not valid. * @param {http.ClientRequest} req * @param {http.ServerResponse} res @@ -346,15 +367,28 @@ class Authenticator { * @param {Boolean} sessionAlsoValid */ async apiRequiredLocal(req, res, ctx, sessionAlsoValid = true) { - const validSession = sessionAlsoValid && this.sessionCheck(req, res, ctx, undefined, false, false); + const _scope = _fileScope('apiRequiredLocal'); + this.logger.debug(_scope, 'called', { ctx, sessionAlsoValid }); + + // If a Authorization header was provided, never consider session as a fallback. const authorizationHeader = req.getHeader(Enum.Header.Authorization); - const validAuthorization = authorizationHeader && this.isValidAuthorization(authorizationHeader, ctx); - if (validSession || validAuthorization) { - return true; + if (authorizationHeader) { + if (await this.isValidAuthorization(authorizationHeader, ctx)) { + this.logger.debug(_scope, 'valid authorization', { ctx, sessionAlsoValid }); + return true; + } + } else { + if (sessionAlsoValid + && await this.sessionCheck(req, res, ctx, undefined, false, false)) { + this.logger.debug(_scope, 'valid session', { ctx, sessionAlsoValid }); + return true; + } } + + this.logger.debug(_scope, 'invalid authorization', { ctx, sessionAlsoValid }); this.requestBasic(res); } } -module.exports = Authenticator; \ No newline at end of file +module.exports = Authenticator;