4 * Here we process activities which support login sessions.
7 const { Communication: IndieAuthCommunication
} = require('@squeep/indieauth-helper');
8 const { MysteryBox
} = require('@squeep/mystery-box');
9 const common
= require('./common');
10 const Enum
= require('./enum');
11 const Template
= require('./template');
13 const _fileScope
= common
.fileScope(__filename
);
15 class SessionManager
{
17 * @param {Console} logger
18 * @param {Authenticator} authenticator
19 * @param {Object} options
20 * @param {Object} options.authenticator
21 * @param {String[]} options.authenticator.authnEnabled
22 * @param {Number=} options.authenticator.inactiveSessionLifespanSeconds
23 * @param {Boolean} options.authenticator.secureAuthOnly
24 * @param {Object} options.dingus
25 * @param {Object} options.dingus.proxyPrefix
26 * @param {Object} options.dingus.selfBaseUrl
28 constructor(logger
, authenticator
, options
) {
30 this.authenticator
= authenticator
;
31 this.options
= options
;
32 this.indieAuthCommunication
= new IndieAuthCommunication(logger
, options
);
33 this.mysteryBox
= new MysteryBox(logger
, options
);
35 this.cookieLifespan
= options
.authenticator
.inactiveSessionLifespanSeconds
|| 60 * 60 * 24 * 32;
40 * Set or update our session cookie.
41 * @param {http.ServerResponse} res
42 * @param {Object} session
43 * @param {Number} maxAge
44 * @param {String} path
46 async
_sessionCookieSet(res
, session
, maxAge
, path
= '/') {
47 const _scope
= _fileScope('_sessionCookieSet');
49 const cookieName
= Enum
.SessionCookie
;
50 const secureSession
= session
&& await
this.mysteryBox
.pack(session
) || '';
52 `${cookieName}=${secureSession}`,
55 if (this.options
.authenticator
.secureAuthOnly
) {
56 cookieParts
.push('Secure');
58 if (typeof(maxAge
) === 'number') {
59 cookieParts
.push(`Max-Age=${maxAge}`);
62 cookieParts
.push(`Path=${this.options.dingus.proxyPrefix}${path}`);
64 const cookie
= cookieParts
.join('; ');
65 this.logger
.debug(_scope
, 'session cookie', { cookie
, session
})
66 res
.setHeader(Enum
.Header
.SetCookie
, cookie
);
71 * GET request for establishing admin session.
72 * @param {http.ServerResponse} res
75 async
getAdminLogin(res
, ctx
) {
76 const _scope
= _fileScope('getAdminLogin');
77 this.logger
.debug(_scope
, 'called', { ctx
});
79 res
.end(Template
.LoginHTML(ctx
, this.options
));
80 this.logger
.info(_scope
, 'finished', { ctx
})
85 * POST request for taking form data to establish admin session.
86 * @param {http.ServerResponse} res
89 async
postAdminLogin(res
, ctx
) {
90 const _scope
= _fileScope('postAdminLogin');
91 this.logger
.debug(_scope
, 'called', { ctx
});
95 const redirect
= ctx
.queryParams
['r'] || './';
97 // Only attempt user login if no IndieAuth profile is set
98 if (!this.options
.authenticator
.authnEnabled
.includes('indieAuth') || !ctx
.parsedBody
['me']) {
100 const identifier
= ctx
.parsedBody
['identifier'];
101 const credential
= ctx
.parsedBody
['credential']; // N.B. Logger must specifically mask this field from ctx.
103 const isValidLocalIdentifier
= await
this.authenticator
.isValidIdentifierCredential(identifier
, credential
, ctx
);
104 if (!isValidLocalIdentifier
) {
105 ctx
.errors
.push('Invalid username or password');
108 if (ctx
.errors
.length
) {
109 res
.end(Template
.LoginHTML(ctx
, this.options
));
113 // Valid auth, persist the authenticated session
115 authenticatedIdentifier: ctx
.authenticationId
,
117 await
this._sessionCookieSet(res
, ctx
.session
, this.cookieLifespan
);
118 res
.statusCode
= 302;
119 res
.setHeader(Enum
.Header
.Location
, redirect
);
121 this.logger
.info(_scope
, 'finished local', { ctx
});
125 // Otherwise, carry on with IndieAuth handshake.
126 let me
, session
, authorizationEndpoint
;
128 me
= new URL(ctx
.parsedBody
['me']);
130 this.logger
.debug(_scope
, 'failed to parse supplied profile url', { ctx
});
131 ctx
.errors
.push(`Unable to understand '${ctx.parsedBody['me']}' as a profile URL.`);
134 if (this.options
.authenticator
.authnEnabled
.includes('indieAuth')
136 const profile
= await
this.indieAuthCommunication
.fetchProfile(me
);
137 if (!profile
|| !profile
.metadata
) {
138 this.logger
.debug(_scope
, 'failed to find any profile information at url', { ctx
});
139 ctx
.errors
.push(`No profile information was found at '${me}'.`);
141 // fetch and parse me for 'authorization_endpoint' relation links
143 authorizationEndpoint
= new URL(profile
.metadata
.authorizationEndpoint
);
145 ctx
.errors
.push(`Unable to understand the authorization endpoint ('${profile.metadata.authorizationEndpoint}') indicated by that profile ('${me}') as a URL.`);
148 if (profile
.metadata
.issuer
) {
151 const issuer
= new URL(profile
.metadata
.issuer
);
154 || issuer
.protocol
.toLowerCase() !== 'https:') { // stupid URL trailing colon thing
155 this.logger
.debug(_scope
, 'supplied issuer url invalid', { ctx
});
156 ctx
.errors
.push('Authorization server provided an invalid issuer field.');
159 this.logger
.debug(_scope
, 'failed to parse supplied issuer url', { ctx
});
160 ctx
.errors
.push('Authorization server provided an unparsable issuer field.');
163 this.logger
.debug(_scope
, 'no issuer in metadata, assuming legacy mode', { ctx
});
164 // Strict 20220212 compliance would error here.
165 // ctx.errors.push('Authorization server did not provide issuer field, as required by current specification.');
169 if (authorizationEndpoint
) {
170 const pkce
= await IndieAuthCommunication
.generatePKCE();
173 authorizationEndpoint: authorizationEndpoint
.href
,
174 state: ctx
.requestId
,
175 codeVerifier: pkce
.codeVerifier
,
178 issuer: profile
.metadata
.issuer
,
181 // Update auth endpoint parameters
183 'response_type': 'code',
184 'client_id': this.options
.dingus
.selfBaseUrl
,
185 'redirect_uri': `${this.options.dingus.selfBaseUrl}admin/_ia`,
186 'state': session
.state
,
187 'code_challenge': pkce
.codeChallenge
,
188 'code_challenge_method': pkce
.codeChallengeMethod
,
190 }).forEach(([name
, value
]) => authorizationEndpoint
.searchParams
.set(name
, value
));
194 if (ctx
.errors
.length
) {
195 res
.end(Template
.LoginHTML(ctx
, this.options
));
199 await
this._sessionCookieSet(res
, session
, this.cookieLifespan
);
200 res
.setHeader(Enum
.Header
.Location
, authorizationEndpoint
.href
);
201 res
.statusCode
= 302; // Found
204 this.logger
.info(_scope
, 'finished indieauth', { ctx
})
209 * GET request to remove current credentials.
210 * @param {http.ServerResponse} res
211 * @param {Object} ctx
213 async
getAdminLogout(res
, ctx
) {
214 const _scope
= _fileScope('getAdminLogout');
215 this.logger
.debug(_scope
, 'called', { ctx
});
217 this._sessionCookieSet(res
, '', 0);
219 const redirect
= ctx
.queryParams
['r'] || './';
221 res
.statusCode
= 302;
222 res
.setHeader(Enum
.Header
.Location
, redirect
);
225 this.logger
.info(_scope
, 'finished', { ctx
});
230 * GET request for returning IndieAuth redirect.
231 * This currently only redeems a scope-less profile.
232 * @param {http.ServerResponse} res
233 * @param {Object} ctx
235 async
getAdminIA(res
, ctx
) {
236 const _scope
= _fileScope('getAdminIA');
237 this.logger
.debug(_scope
, 'called', { ctx
});
242 // Unpack cookie to restore session data
244 const [ cookieName
, cookieValue
] = common
.splitFirst((ctx
.cookie
|| ''), '=', '');
245 if (cookieName
!== Enum
.SessionCookie
) {
246 this.logger
.debug(_scope
, 'no cookie', { ctx
});
247 ctx
.errors
.push('missing required cookie');
250 ctx
.session
= await
this.mysteryBox
.unpack(cookieValue
);
251 this.logger
.debug(_scope
, 'restored session from cookie', { ctx
});
253 this.logger
.debug(_scope
, 'could not unpack cookie');
254 ctx
.errors
.push('invalid cookie');
258 // Validate unpacked session values
261 // Add any auth errors
262 if (ctx
.queryParams
['error']) {
263 ctx
.errors
.push(ctx
.queryParams
['error']);
264 if (ctx
.queryParams
['error_description']) {
265 ctx
.errors
.push(ctx
.queryParams
['error_description']);
270 if (ctx
.queryParams
['state'] !== ctx
.session
.state
) {
271 this.logger
.debug(_scope
, 'state mismatch', { ctx
});
272 ctx
.errors
.push('invalid state');
275 const code
= ctx
.queryParams
['code'];
277 this.logger
.debug(_scope
, 'missing code', { ctx
});
278 ctx
.errors
.push('invalid code');
282 if (ctx
.session
.issuer
) {
283 if (ctx
.queryParams
['iss'] !== ctx
.session
.issuer
) {
284 this.logger
.debug(_scope
, 'issuer mismatch', { ctx
});
285 ctx
.errors
.push('invalid issuer');
288 this.logger
.debug(_scope
, 'no issuer in metadata, assuming legacy mode', { ctx
});
289 // Strict 20220212 compliance would error here. (Also earlier.)
290 // ctx.errors.push('invalid issuer');
293 let redeemProfileUrl
;
295 redeemProfileUrl
= new URL(ctx
.session
.authorizationEndpoint
);
297 this.logger
.debug(_scope
, 'failed to parse restored session authorization endpoint as url', { ctx
});
298 ctx
.errors
.push('invalid cookie');
301 if (redeemProfileUrl
) {
302 profile
= await
this.indieAuthCommunication
.redeemProfileCode(redeemProfileUrl
, code
, ctx
.session
.codeVerifier
, this.options
.dingus
.selfBaseUrl
, `${this.options.dingus.selfBaseUrl}admin/_ia`);
304 this.logger
.debug(_scope
, 'no profile from code redemption', { ctx
});
305 ctx
.errors
.push('did not get a profile response from authorization endpoint code redemption');
306 } else if (!profile
.me
) {
307 this.logger
.debug(_scope
, 'no profile me identifier from code redemption', { ctx
});
308 ctx
.errors
.push('did not get \'me\' value from authorization endpoint code redemption');
309 } else if (profile
.me
!== ctx
.session
.me
) {
310 this.logger
.debug(_scope
, 'mis-matched canonical me from redeemed profile', { ctx
, profile
});
311 const newProfileUrl
= new URL(profile
.me
);
312 // Rediscover auth endpoint for the new returned profile.
313 const newProfile
= await
this.indieAuthCommunication
.fetchProfile(newProfileUrl
);
314 if (newProfile
.metadata
.authorizationEndpoint
!== ctx
.session
.authorizationEndpoint
) {
315 this.logger
.debug(_scope
, 'mis-matched auth endpoints between provided me and canonical me', { ctx
, profile
, newProfile
});
316 ctx
.errors
.push('canonical profile url provided by authorization endpoint is not handled by that endpoint, cannot continue');
318 // The endpoints match, all is okay, update our records.
319 ctx
.session
.me
= profile
.me
;
324 if (ctx
.errors
.length
) {
325 await
this._sessionCookieSet(res
, '', 0);
326 res
.end(Template
.IAHTML(ctx
, this.options
));
330 const redirect
= ctx
.session
.redirect
|| './';
332 // Set cookie as auth valid, redirect to original location.
334 authenticatedProfile: ctx
.session
.me
,
337 await
this._sessionCookieSet(res
, ctx
.session
, this.cookieLifespan
);
338 res
.statusCode
= 302;
339 res
.setHeader(Enum
.Header
.Location
, redirect
);
342 this.logger
.info(_scope
, 'finished', { ctx
})
348 module
.exports
= SessionManager
;