update dependencies and devDependencies, fix breaking changes from mystery-box update

[squeep-authentication-module] / lib / authenticator.js

diff --git a/lib/authenticator.js b/lib/authenticator.js
index 1cff2108f309e2ac51245070281e0ec346f6168c..040834fd650cd46b4d61f6b03c1acf647721d0ff 100644 (file)
--- a/lib/authenticator.js
+++ b/lib/authenticator.js
@@ -20,6 +20,7 @@ class Authenticator {
    * @param {Boolean} options.authenticator.secureAuthOnly
    * @param {String[]} options.authenticator.forbiddenPAMIdentifiers
    * @param {String[]} options.authenticator.authnEnabled
+   * @param {Number=} options.authenticator.inactiveSessionLifespanSeconds
    * @param {String[]=} options.authenticator.loginBlurb
    * @param {String[]=} options.authenticator.indieAuthBlurb
    * @param {String[]=} options.authenticator.userBlurb
@@ -50,7 +51,10 @@ class Authenticator {
       throw new Error('no authentication mechanisms available');
     }
 
-    this.mysteryBox = new MysteryBox(logger, options);
+    this.mysteryBox = new MysteryBox(options);
+    this.mysteryBox.on('statistics', common.mysteryBoxLogger(logger, _fileScope(this.constructor.name)));
+
+    this.cookieLifespan = options.authenticator.inactiveSessionLifespanSeconds || 60 * 60 * 24 * 32;
   }
 
 
@@ -63,10 +67,14 @@ class Authenticator {
    */
   async isValidIdentifierCredential(identifier, credential, ctx) {
     const _scope = _fileScope('isValidIdentifierCredential');
-    this.logger.debug(_scope, 'called', { identifier, credential: '*'.repeat(credential.length), ctx });
+    this.logger.debug(_scope, 'called', { identifier, credential: '*'.repeat((credential || '').length), ctx });
 
     let isValid = false;
 
+    if (typeof credential === 'undefined') {
+      return isValid;
+    }
+
     await this.db.context(async (dbCtx) => {
       const authData = await this.db.authenticationGet(dbCtx, identifier);
       if (!authData) {
@@ -79,7 +87,7 @@ class Authenticator {
         &&         this.authnEnabled.includes('pam')) {
           isValid = this._isValidPAMIdentifier(identifier, credential);
         } else {
-          this.logger.error(_scope, 'failed, unknown type of stored credential', { identifier, ctx });
+          this.logger.error(_scope, 'failed, unknown or unsupported type of stored credential', { identifier, ctx });
         }
       }
 
@@ -259,6 +267,18 @@ class Authenticator {
     &&  (ctx.session.authenticatedIdentifier
          || (profilesAllowed && ctx.session.authenticatedProfile))) {
       this.logger.debug(_scope, 'valid session cookie', { ctx });
+      // Refresh timeout on valid session.
+      const cookieParts = [
+        sessionCookie,
+        'HttpOnly',
+        `Max-Age=${this.cookieLifespan}`,
+        'SameSite=Lax',
+        `Path=${this.options.dingus.proxyPrefix}/`,
+      ];
+      if (this.secureAuthOnly) {
+        cookieParts.push('Secure');
+      }
+      res.setHeader(Enum.Header.SetCookie, cookieParts.join('; '));
       return true;
     }
 
@@ -268,6 +288,7 @@ class Authenticator {
         `${Enum.SessionCookie}=""`,
         'HttpOnly',
         'Max-Age=0',
+        'SameSite=Lax',
         `Path=${this.options.dingus.proxyPrefix}/`,
       ];
       if (this.options.authenticator.secureAuthOnly) {
@@ -371,4 +392,4 @@ class Authenticator {
 
 }
 
-module.exports = Authenticator;
\ No newline at end of file
+module.exports = Authenticator;