CyTube/lib/web/auth.js

242 lines
6.3 KiB
JavaScript
Raw Normal View History

/**
* web/auth.js - Webserver functions for user authentication and registration
*
* @author Calvin Montgomery <cyzon@cyzon.us>
*/
2014-01-20 18:42:20 +00:00
var jade = require("jade");
var path = require("path");
var webserver = require("./webserver");
2014-02-25 00:25:49 +00:00
var cookieall = webserver.cookieall;
2014-01-20 18:42:20 +00:00
var sendJade = require("./jade").sendJade;
var Logger = require("../logger");
var $util = require("../utilities");
var db = require("../database");
2014-02-06 00:05:52 +00:00
var Config = require("../config");
var url = require("url");
2015-02-16 03:56:00 +00:00
var session = require("../session");
2015-02-23 00:15:22 +00:00
var csrf = require("./csrf");
/**
* Processes a login request. Sets a cookie upon successful authentication
*/
function handleLogin(req, res) {
2015-02-23 00:15:22 +00:00
csrf.verify(req);
var name = req.body.name;
var password = req.body.password;
var rememberMe = req.body.remember;
2015-02-16 03:56:00 +00:00
var dest = req.body.dest || req.header("referer") || null;
2015-02-21 05:23:10 +00:00
dest = dest && dest.match(/login|logout/) ? null : dest;
2014-01-20 18:42:20 +00:00
if (typeof name !== "string" || typeof password !== "string") {
2015-02-20 02:30:35 +00:00
res.sendStatus(400);
return;
}
2015-02-16 03:56:00 +00:00
var host = req.hostname;
if (host.indexOf(Config.get("http.root-domain")) === -1 &&
Config.get("http.alt-domains").indexOf(host) === -1) {
Logger.syslog.log("WARNING: Attempted login from non-approved domain " + host);
2015-02-20 02:30:35 +00:00
return res.sendStatus(403);
2015-02-16 03:56:00 +00:00
}
var expiration;
if (rememberMe) {
expiration = new Date("Fri, 31 Dec 9999 23:59:59 GMT");
} else {
expiration = new Date(Date.now() + 7*24*60*60*1000);
}
password = password.substring(0, 100);
2013-12-12 23:09:49 +00:00
db.users.verifyLogin(name, password, function (err, user) {
if (err) {
2014-01-20 18:42:20 +00:00
if (err === "Invalid username/password combination") {
2014-01-28 00:37:48 +00:00
Logger.eventlog.log("[loginfail] Login failed (bad password): " + name
2014-01-20 18:42:20 +00:00
+ "@" + webserver.ipForRequest(req));
}
2014-01-20 18:42:20 +00:00
sendJade(res, "login", {
loggedIn: false,
loginError: err
});
2015-02-16 03:56:00 +00:00
return;
}
2015-02-16 03:56:00 +00:00
session.genSession(user, expiration, function (err, auth) {
if (err) {
sendJade(res, "login", {
loggedIn: false,
loginError: err
});
return;
2014-01-20 18:42:20 +00:00
}
2015-02-16 03:56:00 +00:00
if (req.hostname.indexOf(Config.get("http.root-domain")) >= 0) {
2015-02-20 02:33:31 +00:00
// Prevent non-root cookie from screwing things up
res.clearCookie("auth");
2015-02-16 03:56:00 +00:00
res.cookie("auth", auth, {
domain: Config.get("http.root-domain-dotted"),
expires: expiration,
httpOnly: true,
signed: true
});
2014-01-20 18:42:20 +00:00
} else {
2015-02-16 03:56:00 +00:00
res.cookie("auth", auth, {
expires: expiration,
httpOnly: true,
signed: true
2014-01-20 18:42:20 +00:00
});
}
2015-02-16 03:56:00 +00:00
if (dest) {
res.redirect(dest);
} else {
res.user = user;
sendJade(res, "login", {});
}
});
2015-02-16 03:56:00 +00:00
});
}
/**
* Handles a GET request for /login
*/
function handleLoginPage(req, res) {
2014-01-23 03:12:43 +00:00
if (webserver.redirectHttps(req, res)) {
return;
}
2015-02-16 03:56:00 +00:00
if (req.user) {
return sendJade(res, "login", {
wasAlreadyLoggedIn: true
});
}
2015-02-16 03:56:00 +00:00
2014-01-20 18:42:20 +00:00
sendJade(res, "login", {
2015-02-16 03:56:00 +00:00
redirect: req.query.dest || req.header("referer")
});
}
/**
* Handles a request for /logout. Clears auth cookie
*/
function handleLogout(req, res) {
2015-02-23 00:15:22 +00:00
csrf.verify(req);
2014-01-20 18:42:20 +00:00
res.clearCookie("auth");
2015-02-23 00:15:22 +00:00
req.user = res.user = null;
2014-01-20 18:42:20 +00:00
// Try to find an appropriate redirect
2015-02-16 03:56:00 +00:00
var dest = req.query.dest || req.header("referer");
2015-02-21 05:23:10 +00:00
dest = dest && dest.match(/login|logout|account/) ? null : dest;
2014-01-20 18:42:20 +00:00
var host = req.hostname;
if (host.indexOf(Config.get("http.root-domain")) !== -1) {
2014-03-01 23:37:59 +00:00
res.clearCookie("auth", { domain: Config.get("http.root-domain-dotted") });
2014-01-20 18:42:20 +00:00
}
2015-02-16 03:56:00 +00:00
if (dest) {
res.redirect(dest);
2014-01-20 18:42:20 +00:00
} else {
sendJade(res, "logout", {});
}
}
/**
* Handles a GET request for /register
*/
function handleRegisterPage(req, res) {
2014-01-23 03:12:43 +00:00
if (webserver.redirectHttps(req, res)) {
return;
}
2015-02-16 03:56:00 +00:00
if (req.user) {
sendJade(res, "register", {});
return;
}
2014-02-10 01:52:24 +00:00
2014-01-20 18:42:20 +00:00
sendJade(res, "register", {
registered: false,
registerError: false
});
}
/**
* Processes a registration request.
*/
function handleRegister(req, res) {
2015-02-23 00:15:22 +00:00
csrf.verify(req);
var name = req.body.name;
var password = req.body.password;
var email = req.body.email;
2014-01-20 18:42:20 +00:00
if (typeof email !== "string") {
email = "";
}
var ip = webserver.ipForRequest(req);
2014-01-20 18:42:20 +00:00
if (typeof name !== "string" || typeof password !== "string") {
2015-02-20 02:30:35 +00:00
res.sendStatus(400);
return;
}
if (name.length === 0) {
2014-01-20 18:42:20 +00:00
sendJade(res, "register", {
registerError: "Username must not be empty"
});
return;
}
2014-02-06 00:05:52 +00:00
if (name.match(Config.get("reserved-names.usernames"))) {
sendJade(res, "register", {
registerError: "That username is reserved"
});
return;
}
if (password.length === 0) {
2014-01-20 18:42:20 +00:00
sendJade(res, "register", {
registerError: "Password must not be empty"
});
return;
}
password = password.substring(0, 100);
2013-12-27 03:15:54 +00:00
if (email.length > 0 && !$util.isValidEmail(email)) {
2014-01-20 18:42:20 +00:00
sendJade(res, "register", {
registerError: "Invalid email address"
});
return;
}
2013-12-26 03:30:24 +00:00
db.users.register(name, password, email, ip, function (err) {
if (err) {
2014-01-20 18:42:20 +00:00
sendJade(res, "register", {
registerError: err
});
} else {
2014-01-28 00:37:48 +00:00
Logger.eventlog.log("[register] " + ip + " registered account: " + name +
2014-01-20 18:42:20 +00:00
(email.length > 0 ? " <" + email + ">" : ""));
sendJade(res, "register", {
registered: true,
registerName: name,
redirect: req.body.redirect
});
}
});
}
module.exports = {
/**
* Initializes auth callbacks
*/
init: function (app) {
2014-01-20 18:42:20 +00:00
app.get("/login", handleLoginPage);
app.post("/login", handleLogin);
app.get("/logout", handleLogout);
app.get("/register", handleRegisterPage);
app.post("/register", handleRegister);
}
};