git.squeep.com Git - squeep-authentication-module/blob - lib/session-manager.js

   1 'use strict';
   2
   3 /**
   4  * Here we process activities which support login sessions.
   5  */
   6
   7 const { Communication: IndieAuthCommunication } = require('@squeep/indieauth-helper');
   8 const { MysteryBox } = require('@squeep/mystery-box');
   9 const common = require('./common');
  10 const Enum = require('./enum');
  11 const Template = require('./template');
  12
  13 const _fileScope = common.fileScope(__filename);
  14
  15 class SessionManager {
  16   /**
  17    * @param {Console} logger
  18    * @param {Authenticator} authenticator
  19    * @param {Object} options
  20    * @param {Object} options.authenticator
  21    * @param {String[]} options.authenticator.authnEnabled
  22    * @param {Object} options.authenticator.secureAuthOnly
  23    * @param {Object} options.dingus
  24    * @param {Object} options.dingus.proxyPrefix
  25    * @param {Object} options.dingus.selfBaseUrl
  26    */
  27   constructor(logger, authenticator, options) {
  28     this.logger = logger;
  29     this.authenticator = authenticator;
  30     this.options = options;
  31     this.indieAuthCommunication = new IndieAuthCommunication(logger, options);
  32     this.mysteryBox = new MysteryBox(logger, options);
  33
  34     this.cookieLifespan = 60 * 60 * 24 * 32;
  35   }
  36
  37
  38   /**
  39    * Set or update our session cookie.
  40    * @param {http.ServerResponse} res
  41    * @param {Object} session
  42    * @param {Number} maxAge
  43    * @param {String} path
  44    */
  45   async _sessionCookieSet(res, session, maxAge, path = '/') {
  46     const _scope = _fileScope('_sessionCookieSet');
  47
  48     const cookieName = Enum.SessionCookie;
  49     const secureSession = session && await this.mysteryBox.pack(session) || '';
  50     const cookieParts = [
  51       `${cookieName}=${secureSession}`,
  52       'HttpOnly',
  53     ];
  54     if (this.options.authenticator.secureAuthOnly) {
  55       cookieParts.push('Secure');
  56     }
  57     if (typeof(maxAge) === 'number') {
  58       cookieParts.push(`Max-Age=${maxAge}`);
  59     }
  60     if (path) {
  61       cookieParts.push(`Path=${this.options.dingus.proxyPrefix}${path}`);
  62     }
  63     const cookie = cookieParts.join('; ');
  64     this.logger.debug(_scope, 'session cookie', { cookie, session })
  65     res.setHeader(Enum.Header.SetCookie, cookie);
  66   }
  67
  68
  69   /**
  70    * GET request for establishing admin session.
  71    * @param {http.ServerResponse} res
  72    * @param {Object} ctx
  73    */
  74   async getAdminLogin(res, ctx) {
  75     const _scope = _fileScope('getAdminLogin');
  76     this.logger.debug(_scope, 'called', { ctx });
  77
  78     res.end(Template.LoginHTML(ctx, this.options));
  79     this.logger.info(_scope, 'finished', { ctx })
  80   }
  81
  82
  83   /**
  84    * POST request for taking form data to establish admin session.
  85    * @param {http.ServerResponse} res
  86    * @param {Object} ctx
  87    */
  88   async postAdminLogin(res, ctx) {
  89     const _scope = _fileScope('postAdminLogin');
  90     this.logger.debug(_scope, 'called', { ctx });
  91
  92     ctx.errors = [];
  93
  94     const redirect = ctx.queryParams['r'] || './';
  95
  96     // Only attempt user login if no IndieAuth profile is set
  97     if (!this.options.authenticator.authnEnabled.includes('indieAuth') || !ctx.parsedBody['me']) {
  98
  99       const identifier = ctx.parsedBody['identifier'];
 100       const credential = ctx.parsedBody['credential']; // N.B. Logger must specifically mask this field from ctx.
 101
 102       const isValidLocalIdentifier = await this.authenticator.isValidIdentifierCredential(identifier, credential, ctx);
 103       if (!isValidLocalIdentifier) {
 104         ctx.errors.push('Invalid username or password');
 105       }
 106
 107       if (ctx.errors.length) {
 108         res.end(Template.LoginHTML(ctx, this.options));
 109         return;
 110       }
 111
 112       // Valid auth, persist the authenticated session
 113       ctx.session = {
 114         authenticatedIdentifier: ctx.authenticationId,
 115       };
 116       await this._sessionCookieSet(res, ctx.session, this.cookieLifespan);
 117       res.statusCode = 302;
 118       res.setHeader(Enum.Header.Location, redirect);
 119       res.end();
 120       this.logger.info(_scope, 'finished local', { ctx });
 121       return;
 122     }
 123
 124     let me, session, authorizationEndpoint;
 125     try {
 126       me = new URL(ctx.parsedBody['me']);
 127     } catch (e) {
 128       this.logger.debug(_scope, 'failed to parse supplied profile url', { ctx });
 129       ctx.errors.push(`Unable to understand '${ctx.parsedBody['me']}' as a profile URL.`);
 130     }
 131
 132     if (this.options.authenticator.authnEnabled.includes('indieAuth')
 133     &&  me) {
 134       const profile = await this.indieAuthCommunication.fetchProfile(me);
 135       if (!profile || !profile.authorizationEndpoint) {
 136         this.logger.debug(_scope, 'failed to find any profile information at url', { ctx });
 137         ctx.errors.push(`No profile information was found at '${me}'.`);
 138       } else {
 139         // fetch and parse me for 'authorization_endpoint' relation links
 140         try {
 141           authorizationEndpoint = new URL(profile.authorizationEndpoint);
 142         } catch (e) {
 143           ctx.errors.push(`Unable to understand the authorization endpoint ('${profile.authorizationEndpoint}') indicated by that profile ('${me}') as a URL.`);
 144         }
 145       }
 146
 147       if (authorizationEndpoint) {
 148         const pkce = await IndieAuthCommunication.generatePKCE();
 149         session = {
 150           authorizationEndpoint: authorizationEndpoint.href,
 151           state: ctx.requestId,
 152           codeVerifier: pkce.codeVerifier,
 153           me,
 154           redirect,
 155         };
 156
 157         Object.entries({
 158           'response_type': 'code',
 159           'client_id': this.options.dingus.selfBaseUrl,
 160           'redirect_uri': `${this.options.dingus.selfBaseUrl}admin/_ia`,
 161           'state': session.state,
 162           'code_challenge': pkce.codeChallenge,
 163           'code_challenge_method': pkce.codeChallengeMethod,
 164           'me': me,
 165         }).forEach(([name, value]) => authorizationEndpoint.searchParams.set(name, value));
 166       }
 167     }
 168
 169     if (ctx.errors.length) {
 170       res.end(Template.LoginHTML(ctx, this.options));
 171       return;
 172     }
 173
 174     await this._sessionCookieSet(res, session, this.cookieLifespan);
 175     res.setHeader(Enum.Header.Location, authorizationEndpoint.href);
 176     res.statusCode = 302; // Found
 177     res.end();
 178
 179     this.logger.info(_scope, 'finished indieauth', { ctx })
 180   }
 181
 182
 183   /**
 184    * GET request to remove current credentials.
 185    * @param {http.ServerResponse} res
 186    * @param {Object} ctx
 187    */
 188   async getAdminLogout(res, ctx) {
 189     const _scope = _fileScope('getAdminLogout');
 190     this.logger.debug(_scope, 'called', { ctx });
 191
 192     this._sessionCookieSet(res, '', 0);
 193
 194     const redirect = ctx.queryParams['r'] || './';
 195
 196     res.statusCode = 302;
 197     res.setHeader(Enum.Header.Location, redirect);
 198     res.end();
 199
 200     this.logger.info(_scope, 'finished', { ctx });
 201   }
 202
 203
 204   /**
 205    * GET request for returning IndieAuth redirect.
 206    * @param {http.ServerResponse} res
 207    * @param {Object} ctx
 208    */
 209   async getAdminIA(res, ctx) {
 210     const _scope = _fileScope('getAdminIA');
 211     this.logger.debug(_scope, 'called', { ctx });
 212
 213     ctx.errors = [];
 214     ctx.session = {};
 215
 216     // Unpack cookie to restore session data
 217
 218     const [ cookieName, cookieValue ] = common.splitFirst((ctx.cookie || ''), '=', '');
 219     if (cookieName !== Enum.SessionCookie) {
 220       this.logger.debug(_scope, 'no cookie', { ctx });
 221       ctx.errors.push('missing required cookie');
 222     } else {
 223       try {
 224         ctx.session = await this.mysteryBox.unpack(cookieValue);
 225         this.logger.debug(_scope, 'restored session from cookie', { ctx });
 226       } catch (e) {
 227         this.logger.debug(_scope, 'could not unpack cookie');
 228         ctx.errors.push('invalid cookie');
 229       }
 230     }
 231
 232     // Validate unpacked session values
 233
 234     // Add any auth errors
 235     if (ctx.queryParams['error']) {
 236       ctx.errors.push(ctx.queryParams['error']);
 237       if (ctx.queryParams['error_description']) {
 238         ctx.errors.push(ctx.queryParams['error_description']);
 239       }
 240     }
 241
 242     // check stuff
 243     if (ctx.queryParams['state'] !== ctx.session.state) {
 244       this.logger.debug(_scope, 'state mismatch', { ctx });
 245       ctx.errors.push('invalid state');
 246     }
 247
 248     const code = ctx.queryParams['code'];
 249     if (!code) {
 250       this.logger.debug(_scope, 'missing code', { ctx });
 251       ctx.errors.push('invalid code');
 252     }
 253
 254     let redeemProfileUrl;
 255     try {
 256       redeemProfileUrl = new URL(ctx.session.authorizationEndpoint);
 257     } catch (e) {
 258       this.logger.debug(_scope, 'failed to parse restored session authorization endpoint as url', { ctx });
 259       ctx.errors.push('invalid cookie');
 260     }
 261     let profile;
 262     if (redeemProfileUrl) {
 263       profile = await this.indieAuthCommunication.redeemProfileCode(redeemProfileUrl, code, ctx.session.codeVerifier, this.options.dingus.selfBaseUrl, `${this.options.dingus.selfBaseUrl}admin/_ia`);
 264       if (!profile) {
 265         this.logger.debug(_scope, 'no profile from code redemption', { ctx });
 266         ctx.errors.push('did not get a profile response from authorization endpoint code redemption');
 267       } else if (!profile.me) {
 268         this.logger.debug(_scope, 'no profile me identifier from code redemption', { ctx });
 269         ctx.errors.push('did not get \'me\' value from authorization endpoint code redemption');
 270       } else if (profile.me !== ctx.session.me) {
 271         this.logger.debug(_scope, 'mis-matched canonical me from redeemed profile', { ctx, profile });
 272         const newProfileUrl = new URL(profile.me);
 273         // Rediscover auth endpoint for the new returned profile.
 274         const newProfile = await this.indieAuthCommunication.fetchProfile(newProfileUrl);
 275         if (newProfile.authorizationEndpoint !== ctx.session.authorizationEndpoint) {
 276           this.logger.debug(_scope, 'mis-matched auth endpoints between provided me and canonical me', { ctx, profile, newProfile });
 277           ctx.errors.push('canonical profile url provided by authorization endpoint is not handled by that endpoint, cannot continue');
 278         } else {
 279           // The endpoints match, all is okay, update our records.
 280           ctx.session.me = profile.me;
 281         }
 282       }
 283     }
 284
 285     if (ctx.errors.length) {
 286       await this._sessionCookieSet(res, '', 0);
 287       res.end(Template.IAHTML(ctx, this.options));
 288       return;
 289     }
 290
 291     const redirect = ctx.session.redirect || './';
 292
 293     // Set cookie as auth valid, redirect to original location.
 294     ctx.session = {
 295       authenticatedProfile: ctx.session.me,
 296     };
 297
 298     await this._sessionCookieSet(res, ctx.session, this.cookieLifespan);
 299     res.statusCode = 302;
 300     res.setHeader(Enum.Header.Location, redirect);
 301     res.end();
 302
 303     this.logger.info(_scope, 'finished', { ctx })
 304   }
 305
 306
 307 }
 308
 309 module.exports = SessionManager;