rixty/SillyTavern
1
0
Fork 0
mirror of https://github.com/SillyTavern/SillyTavern.git synced 2025-02-22 23:18:27 +01:00
Code Issues Packages Projects Releases Wiki Activity

Enable CSRF for public endpoints. Split users module. Add rate limiter.

Browse Source
This commit is contained in:
Cohee 2024-04-09 21:58:16 +03:00
parent 497f38111f
commit 411a8ef8a7
12 changed files with 596 additions and 378 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
package-lock.json generated
View File

@ -39,6 +39,7 @@
"png-chunk-text": "^1.0.0",
"png-chunks-encode": "^1.0.0",
"png-chunks-extract": "^1.0.0",
"rate-limiter-flexible": "^5.0.0",
"response-time": "^2.3.2",
"sanitize-filename": "^1.6.3",
"sillytavern-transformers": "^2.14.6",
@ -57,6 +58,7 @@
"sillytavern": "server.js"
},
"devDependencies": {
"@types/jquery": "^3.5.29",
"eslint": "^8.55.0",
"jquery": "^3.6.4"
}
@ -731,6 +733,15 @@
"version": "4.0.2",
"license": "MIT"
},
"node_modules/@types/jquery": {
"version": "3.5.29",
"resolved": "https://registry.npmjs.org/@types/jquery/-/jquery-3.5.29.tgz",
"integrity": "sha512-oXQQC9X9MOPRrMhPHHOsXqeQDnWeCDT3PelUIg/Oy8FAbzSZtFHRjc7IpbfFVmpLtJ+UOoywpRsuO5Jxjybyeg==",
"dev": true,
"dependencies": {
"@types/sizzle": "*"
}
},
"node_modules/@types/keyv": {
"version": "3.1.4",
"license": "MIT",
@ -761,6 +772,12 @@
"@types/node": "*"
}
},
"node_modules/@types/sizzle": {
"version": "2.3.8",
"resolved": "https://registry.npmjs.org/@types/sizzle/-/sizzle-2.3.8.tgz",
"integrity": "sha512-0vWLNK2D5MT9dg0iOo8GlKguPAU02QjmZitPEsXRuJXU/OGIOt9vT9Fc26wtYuavLxtO45v9PGleoL9Z0k1LHg==",
"dev": true
},
"node_modules/@ungap/structured-clone": {
"version": "1.2.0",
"dev": true,
@ -3288,6 +3305,11 @@
"node": ">= 0.6"
}
},
"node_modules/rate-limiter-flexible": {
"version": "5.0.0",
"resolved": "https://registry.npmjs.org/rate-limiter-flexible/-/rate-limiter-flexible-5.0.0.tgz",
"integrity": "sha512-ivCyLBwPtR5IRrz+aZnztVwX16ZK3iAjdlW21I/vjHq56at5Zb8eIefDzODg8R7hwPOHpBtb6Pj9Zdmn0nRb8g=="
},
"node_modules/raw-body": {
"version": "2.5.2",
"license": "MIT",

2
package.json
View File

@ -29,6 +29,7 @@
"png-chunk-text": "^1.0.0",
"png-chunks-encode": "^1.0.0",
"png-chunks-extract": "^1.0.0",
"rate-limiter-flexible": "^5.0.0",
"response-time": "^2.3.2",
"sanitize-filename": "^1.6.3",
"sillytavern-transformers": "^2.14.6",
@ -81,6 +82,7 @@
},
"main": "server.js",
"devDependencies": {
"@types/jquery": "^3.5.29",
"eslint": "^8.55.0",
"jquery": "^3.6.4"
}

4
public/login.html
View File

@ -26,8 +26,8 @@
<title>SillyTavern</title>
</head>
<body class="login" style="display: none;">
<div id="shadow_popup">
<body class="login">
<div id="shadow_popup" style="opacity: 0;">
<div id="dialogue_popup">
<div id="dialogue_popup_holder">
<div id="dialogue_popup_text">

133
public/scripts/login.js
View File

@ -1,15 +1,46 @@
/**
* CRSF token for requests.
*/
let csrfToken = '';
/**
* Gets a CSRF token from the server.
* @returns {Promise<string>} CSRF token
*/
async function getCsrfToken() {
const response = await fetch('/csrf-token');
const data = await response.json();
return data.token;
}
/**
* Gets a list of users from the server.
* @returns {Promise<object>} List of users
*/
async function getUserList() {
const response = await fetch('/api/users/list');
const response = await fetch('/api/users/list', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-CSRF-Token': csrfToken,
},
});
const userListObj = await response.json();
console.log(userListObj);
return userListObj;
}
/**
* Requests a recovery code for the user.
* @param {string} handle User handle
* @returns {Promise<void>}
*/
async function sendRecoveryPart1(handle) {
const response = await fetch('/api/users/recover-step1', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-CSRF-Token': csrfToken,
},
body: JSON.stringify({ handle }),
});
@ -22,6 +53,13 @@ async function sendRecoveryPart1(handle) {
showRecoveryBlock();
}
/**
* Sets a new password for the user using the recovery code.
* @param {string} handle User handle
* @param {string} code Recovery code
* @param {string} newPassword New password
* @returns {Promise<void>}
*/
async function sendRecoveryPart2(handle, code, newPassword) {
const recoveryData = {
handle,
@ -33,6 +71,7 @@ async function sendRecoveryPart2(handle, code, newPassword) {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-CSRF-Token': csrfToken,
},
body: JSON.stringify(recoveryData),
});
@ -46,6 +85,50 @@ async function sendRecoveryPart2(handle, code, newPassword) {
await performLogin(handle, newPassword);
}
/**
* Attempts to log in the user.
* @param {string} handle User's handle
* @param {string} password User's password
* @returns {Promise<void>}
*/
async function performLogin(handle, password) {
const userInfo = {
handle: handle,
password: password,
};
try {
const response = await fetch('/api/users/login', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-CSRF-Token': csrfToken,
},
body: JSON.stringify(userInfo),
});
if (!response.ok) {
const errorData = await response.json();
return displayError(errorData.error || 'An error occurred');
}
const data = await response.json();
if (data.handle) {
console.log(`Successfully logged in as ${handle}!`);
redirectToHome();
}
} catch (error) {
console.error('Error logging in:', error);
displayError(String(error));
}
}
/**
* Handles the user selection event.
* @param {object} user User object
* @returns {Promise<void>}
*/
async function onUserSelected(user) {
// No password, just log in
if (!user.password) {
@ -72,52 +155,33 @@ async function onUserSelected(user) {
displayError('');
}
/**
* Displays an error message to the user.
* @param {string} message Error message
*/
function displayError(message) {
$('#errorMessage').text(message);
}
async function performLogin(handle, password) {
const userInfo = {
handle: handle,
password: password,
};
try {
const response = await fetch('/api/users/login', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(userInfo),
});
if (!response.ok) {
const errorData = await response.json();
return displayError(errorData.error || 'An error occurred');
}
const data = await response.json();
if (data.handle) {
console.log(`Successfully logged in as ${handle}!`);
redirectToHome();
}
} catch (error) {
console.error('Error logging in:', error);
displayError(String(error));
}
}
/**
* Redirects the user to the home page.
*/
function redirectToHome() {
window.location.href = '/';
}
/**
* Hides the password entry block and shows the password recovery block.
*/
function showRecoveryBlock() {
$('#passwordEntryBlock').hide();
$('#passwordRecoveryBlock').show();
displayError('');
}
/**
* Hides the password recovery block and shows the password entry block.
*/
function onCancelRecoveryClick() {
$('#passwordRecoveryBlock').hide();
$('#passwordEntryBlock').show();
@ -125,6 +189,7 @@ function onCancelRecoveryClick() {
}
(async function () {
csrfToken = await getCsrfToken();
const userList = await getUserList();
console.log(userList);
for (const user of userList) {
@ -137,6 +202,6 @@ function onCancelRecoveryClick() {
userBlock.on('click', () => onUserSelected(user));
$('#userList').append(userBlock);
}
document.body.style.display = '';
document.getElementById('shadow_popup').style.opacity = '';
$('#cancelRecovery').on('click', onCancelRecoveryClick);
})();

77
server.js
View File

@ -192,36 +192,6 @@ app.use(cookieSession({
app.use(userModule.setUserDataMiddleware);
// Static files
// Host index page
app.get('/', (request, response) => {
if (userModule.shouldRedirectToLogin(request)) {
return response.redirect('/login');
}
return response.sendFile('index.html', { root: path.join(process.cwd(), 'public') });
});
// Host login page
app.get('/login', async (request, response) => {
if (!enableAccounts) {
console.log('User accounts are disabled. Redirecting to index page.');
return response.redirect('/');
}
const autoLogin = await userModule.tryAutoLogin(request);
if (autoLogin) {
return response.redirect('/');
}
return response.sendFile('login.html', { root: path.join(process.cwd(), 'public') });
});
app.use(express.static(process.cwd() + '/public', {}));
app.use('/api/users', userModule.publicEndpoints);
app.use(userModule.requireLoginMiddleware);
// CSRF Protection //
if (!cliArguments.disableCsrf) {
const COOKIES_SECRET = userModule.getCookieSecret();
@ -255,12 +225,51 @@ if (!cliArguments.disableCsrf) {
});
}
// User management
app.use('/', userModule.router);
app.use('/api/users', userModule.authenticatedEndpoints);
app.use('/api/users', userModule.adminEndpoints);
// Static files
// Host index page
app.get('/', (request, response) => {
if (userModule.shouldRedirectToLogin(request)) {
return response.redirect('/login');
}
return response.sendFile('index.html', { root: path.join(process.cwd(), 'public') });
});
// Host login page
app.get('/login', async (request, response) => {
if (!enableAccounts) {
console.log('User accounts are disabled. Redirecting to index page.');
return response.redirect('/');
}
const autoLogin = await userModule.tryAutoLogin(request);
if (autoLogin) {
return response.redirect('/');
}
return response.sendFile('login.html', { root: path.join(process.cwd(), 'public') });
});
// Host frontend assets
app.use(express.static(process.cwd() + '/public', {}));
// Public API
app.use('/api/users', require('./src/endpoints/users-public').router);
// Everything below this line requires authentication
app.use(userModule.requireLoginMiddleware);
// File uploads
app.use(multer({ dest: UPLOADS_PATH, limits: { fieldSize: 10 * 1024 * 1024 } }).single('avatar'));
// User data mount
app.use('/', userModule.router);
// Private endpoints
app.use('/api/users', require('./src/endpoints/users-private').router);
// Admin endpoints
app.use('/api/users', require('./src/endpoints/users-admin').router);
app.get('/version', async function (_, response) {
const data = await getVersion();
response.send(data);

1
src/endpoints/stats.js
View File

@ -462,6 +462,7 @@ router.post('/update', jsonParser, function (request, response) {
module.exports = {
router,
recreateStats,
init,
onExit,
};

123
src/endpoints/users-admin.js Normal file
View File

@ -0,0 +1,123 @@
const storage = require('node-persist');
const express = require('express');
const slugify = require('slugify').default;
const uuid = require('uuid');
const { jsonParser } = require('../express-common');
const { checkForNewContent } = require('./content-manager');
const {
KEY_PREFIX,
toKey,
requireAdminMiddleware,
getUserAvatar,
getAllUserHandles,
getPasswordSalt,
getPasswordHash,
getUserDirectories,
ensurePublicDirectoriesExist,
} = require('../users');
const router = express.Router();
router.post('/get', requireAdminMiddleware, jsonParser, async (request, response) => {
/** @type {import('../users').User[]} */
const users = await storage.values(x => x.key.startsWith(KEY_PREFIX));
const viewModels = users
.sort((x, y) => x.created - y.created)
.map(user => ({
handle: user.handle,
name: user.name,
avatar: getUserAvatar(user.handle),
admin: user.admin,
enabled: user.enabled,
created: user.created,
password: !!user.password,
}));
return response.json(viewModels);
});
router.post('/disable', requireAdminMiddleware, jsonParser, async (request, response) => {
if (!request.body.handle) {
console.log('Disable user failed: Missing required fields');
return response.status(400).json({ error: 'Missing required fields' });
}
if (request.body.handle === request.user.profile.handle) {
console.log('Disable user failed: Cannot disable yourself');
return response.status(400).json({ error: 'Cannot disable yourself' });
}
/** @type {import('../users').User} */
const user = await storage.getItem(toKey(request.body.handle));
if (!user) {
console.log('Disable user failed: User not found');
return response.status(404).json({ error: 'User not found' });
}
user.enabled = false;
await storage.setItem(toKey(request.body.handle), user);
return response.sendStatus(204);
});
router.post('/enable', requireAdminMiddleware, jsonParser, async (request, response) => {
if (!request.body.handle) {
console.log('Enable user failed: Missing required fields');
return response.status(400).json({ error: 'Missing required fields' });
}
/** @type {import('../users').User} */
const user = await storage.getItem(toKey(request.body.handle));
if (!user) {
console.log('Enable user failed: User not found');
return response.status(404).json({ error: 'User not found' });
}
user.enabled = true;
await storage.setItem(toKey(request.body.handle), user);
return response.sendStatus(204);
});
router.post('/create', requireAdminMiddleware, jsonParser, async (request, response) => {
if (!request.body.handle || !request.body.name) {
console.log('Create user failed: Missing required fields');
return response.status(400).json({ error: 'Missing required fields' });
}
const handles = await getAllUserHandles();
const handle = slugify(request.body.handle, { lower: true, trim: true });
if (handles.some(x => x === handle)) {
console.log('Create user failed: User with that handle already exists');
return response.status(409).json({ error: 'User already exists' });
}
const salt = getPasswordSalt();
const password = request.body.password ? getPasswordHash(request.body.password, salt) : '';
const newUser = {
uuid: uuid.v4(),
handle: handle,
name: request.body.name || 'Anonymous',
created: Date.now(),
password: password,
salt: salt,
admin: !!request.body.admin,
enabled: true,
};
await storage.setItem(toKey(handle), newUser);
// Create user directories
console.log('Creating data directories for', newUser.handle);
await ensurePublicDirectoriesExist();
const directories = getUserDirectories(newUser.handle);
await checkForNewContent([directories]);
return response.json({ handle: newUser.handle });
});
module.exports = {
router,
};

83
src/endpoints/users-private.js Normal file
View File

@ -0,0 +1,83 @@
const storage = require('node-persist');
const express = require('express');
const { jsonParser } = require('../express-common');
const { getUserAvatar, toKey, getPasswordHash, getPasswordSalt } = require('../users');
const router = express.Router();
router.post('/logout', async (request, response) => {
try {
if (!request.session) {
console.error('Session not available');
return response.sendStatus(500);
}
request.session.handle = null;
return response.sendStatus(204);
} catch (error) {
console.error(error);
return response.sendStatus(500);
}
});
router.get('/me', async (request, response) => {
try {
if (!request.user) {
return response.sendStatus(401);
}
const user = request.user.profile;
const viewModel = {
handle: user.handle,
name: user.name,
avatar: getUserAvatar(user.handle),
admin: user.admin,
password: !!user.password,
};
return response.json(viewModel);
} catch (error) {
console.error(error);
return response.sendStatus(500);
}
});
router.post('/change-password', jsonParser, async (request, response) => {
try {
if (!request.body.handle || !request.body.oldPassword || !request.body.newPassword) {
console.log('Change password failed: Missing required fields');
return response.status(400).json({ error: 'Missing required fields' });
}
/** @type {import('../users').User} */
const user = await storage.getItem(toKey(request.body.handle));
if (!user) {
console.log('Change password failed: User not found');
return response.status(404).json({ error: 'User not found' });
}
if (!user.enabled) {
console.log('Change password failed: User is disabled');
return response.status(403).json({ error: 'User is disabled' });
}
if (user.password && user.password !== getPasswordHash(request.body.oldPassword, user.salt)) {
console.log('Change password failed: Incorrect password');
return response.status(401).json({ error: 'Incorrect password' });
}
const salt = getPasswordSalt();
user.password = getPasswordHash(request.body.newPassword, salt);
user.salt = salt;
await storage.setItem(toKey(request.body.handle), user);
return response.sendStatus(204);
} catch (error) {
console.error(error);
return response.sendStatus(500);
}
});
module.exports = {
router,
};

187
src/endpoints/users-public.js Normal file
View File

@ -0,0 +1,187 @@
const crypto = require('crypto');
const storage = require('node-persist');
const express = require('express');
const { RateLimiterMemory, RateLimiterRes } = require('rate-limiter-flexible');
const { jsonParser, getIpFromRequest } = require('../express-common');
const { color, Cache } = require('../util');
const { KEY_PREFIX, getUserAvatar, toKey, getPasswordHash, getPasswordSalt } = require('../users');
const MFA_CACHE = new Cache(5 * 60 * 1000);
const router = express.Router();
const loginLimiter = new RateLimiterMemory({
points: 5,
duration: 60,
});
const recoverLimiter = new RateLimiterMemory({
points: 5,
duration: 300,
});
router.post('/list', async (_request, response) => {
try {
/** @type {import('../users').User[]} */
const users = await storage.values(x => x.key.startsWith(KEY_PREFIX));
const viewModels = users
.filter(x => x.enabled)
.sort((x, y) => x.created - y.created)
.map(user => ({
handle: user.handle,
name: user.name,
avatar: getUserAvatar(user.handle),
password: !!user.password,
}));
return response.json(viewModels);
} catch (error) {
console.error('User list failed:', error);
return response.sendStatus(500);
}
});
router.post('/login', jsonParser, async (request, response) => {
try {
if (!request.body.handle) {
console.log('Login failed: Missing required fields');
return response.status(400).json({ error: 'Missing required fields' });
}
const ip = getIpFromRequest(request);
await loginLimiter.consume(ip);
/** @type {import('../users').User} */
const user = await storage.getItem(toKey(request.body.handle));
if (!user) {
console.log('Login failed: User not found');
return response.status(401).json({ error: 'User not found' });
}
if (!user.enabled) {
console.log('Login failed: User is disabled');
return response.status(403).json({ error: 'User is disabled' });
}
if (user.password && user.password !== getPasswordHash(request.body.password, user.salt)) {
console.log('Login failed: Incorrect password');
return response.status(401).json({ error: 'Incorrect password' });
}
if (!request.session) {
console.error('Session not available');
return response.sendStatus(500);
}
await loginLimiter.delete(ip);
request.session.handle = user.handle;
console.log('Login successful:', user.handle, request.session);
return response.json({ handle: user.handle });
} catch (error) {
if (error instanceof RateLimiterRes) {
console.log('Login failed: Rate limited from', getIpFromRequest(request));
return response.status(429).send({ error: 'Too many attempts. Try again later or recover your password.' });
}
console.error('Login failed:', error);
return response.sendStatus(500);
}
});
router.post('/recover-step1', jsonParser, async (request, response) => {
try {
if (!request.body.handle) {
console.log('Recover step 1 failed: Missing required fields');
return response.status(400).json({ error: 'Missing required fields' });
}
const ip = getIpFromRequest(request);
await recoverLimiter.consume(ip);
/** @type {import('../users').User} */
const user = await storage.getItem(toKey(request.body.handle));
if (!user) {
console.log('Recover step 1 failed: User not found');
return response.status(404).json({ error: 'User not found' });
}
if (!user.enabled) {
console.log('Recover step 1 failed: User is disabled');
return response.status(403).json({ error: 'User is disabled' });
}
const mfaCode = String(crypto.randomInt(1000, 9999));
console.log();
console.log(color.blue(`${user.name}, your password recovery code is: `) + color.magenta(mfaCode));
console.log();
MFA_CACHE.set(user.handle, mfaCode);
return response.sendStatus(204);
} catch (error) {
if (error instanceof RateLimiterRes) {
console.log('Recover step 1 failed: Rate limited from', getIpFromRequest(request));
return response.status(429).send({ error: 'Too many attempts. Try again later or contact your admin.' });
}
console.error('Recover step 1 failed:', error);
return response.sendStatus(500);
}
});
router.post('/recover-step2', jsonParser, async (request, response) => {
try {
if (!request.body.handle || !request.body.code) {
console.log('Recover step 2 failed: Missing required fields');
return response.status(400).json({ error: 'Missing required fields' });
}
/** @type {import('../users').User} */
const user = await storage.getItem(toKey(request.body.handle));
const ip = getIpFromRequest(request);
if (!user) {
console.log('Recover step 2 failed: User not found');
return response.status(404).json({ error: 'User not found' });
}
if (!user.enabled) {
console.log('Recover step 2 failed: User is disabled');
return response.status(403).json({ error: 'User is disabled' });
}
const mfaCode = MFA_CACHE.get(user.handle);
if (request.body.code !== mfaCode) {
await recoverLimiter.consume(ip);
console.log('Recover step 2 failed: Incorrect code');
return response.status(401).json({ error: 'Incorrect code' });
}
if (request.body.newPassword) {
const salt = getPasswordSalt();
user.password = getPasswordHash(request.body.newPassword, salt);
user.salt = salt;
await storage.setItem(toKey(user.handle), user);
} else {
user.password = '';
user.salt = '';
await storage.setItem(toKey(user.handle), user);
}
await recoverLimiter.delete(ip);
MFA_CACHE.remove(user.handle);
return response.sendStatus(204);
} catch (error) {
if (error instanceof RateLimiterRes) {
console.log('Recover step 2 failed: Rate limited from', getIpFromRequest(request));
return response.status(429).send({ error: 'Too many attempts. Try again later or contact your admin.' });
}
console.error('Recover step 2 failed:', error);
return response.sendStatus(500);
}
});
module.exports = {
router,
};

23
src/express-common.js
View File

@ -1,7 +1,28 @@
const express = require('express');
const ipaddr = require('ipaddr.js');
// Instantiate parser middleware here with application-level size limits
const jsonParser = express.json({ limit: '200mb' });
const urlencodedParser = express.urlencoded({ extended: true, limit: '200mb' });
module.exports = { jsonParser, urlencodedParser };
/**
* Gets the IP address of the client from the request object.
* @param {import('express'.Request)} req Request object
* @returns {string} IP address of the client
*/
function getIpFromRequest(req) {
let clientIp = req.connection.remoteAddress;
let ip = ipaddr.parse(clientIp);
// Check if the IP address is IPv4-mapped IPv6 address
if (ip.kind() === 'ipv6' && ip instanceof ipaddr.IPv6 && ip.isIPv4MappedAddress()) {
const ipv4 = ip.toIPv4Address().toString();
clientIp = ipv4;
} else {
clientIp = ip;
clientIp = clientIp.toString();
}
return clientIp;
}
module.exports = { jsonParser, urlencodedParser, getIpFromRequest };

16
src/middleware/whitelist.js
View File

@ -1,8 +1,8 @@
const path = require('path');
const fs = require('fs');
const ipaddr = require('ipaddr.js');
const ipMatching = require('ip-matching');
const { getIpFromRequest } = require('../express-common');
const { color, getConfigValue } = require('../util');
const whitelistPath = path.join(process.cwd(), './whitelist.txt');
@ -19,20 +19,6 @@ if (fs.existsSync(whitelistPath)) {
}
}
function getIpFromRequest(req) {
let clientIp = req.connection.remoteAddress;
let ip = ipaddr.parse(clientIp);
// Check if the IP address is IPv4-mapped IPv6 address
if (ip.kind() === 'ipv6' && ip instanceof ipaddr.IPv6 && ip.isIPv4MappedAddress()) {
const ipv4 = ip.toIPv4Address().toString();
clientIp = ipv4;
} else {
clientIp = ip;
clientIp = clientIp.toString();
}
return clientIp;
}
/**
* Returns a middleware function that checks if the client IP is in the whitelist.
* @param {boolean} listen If listen mode is enabled via config or command line

303
src/users.js
View File

@ -7,21 +7,17 @@ const os = require('os');
// Express and other dependencies
const storage = require('node-persist');
const express = require('express');
const uuid = require('uuid');
const mime = require('mime-types');
const slugify = require('slugify').default;
// Local imports
const { jsonParser } = require('./express-common');
const { USER_DIRECTORY_TEMPLATE, DEFAULT_USER, PUBLIC_DIRECTORIES, DEFAULT_AVATAR } = require('./constants');
const { getConfigValue, color, delay, setConfigValue, Cache } = require('./util');
const { getConfigValue, color, delay, setConfigValue } = require('./util');
const { readSecret, writeSecret } = require('./endpoints/secrets');
const { checkForNewContent } = require('./endpoints/content-manager');
const KEY_PREFIX = 'user:';
const DATA_ROOT = getConfigValue('dataRoot', './data');
const ENABLE_ACCOUNTS = getConfigValue('enableUserAccounts', false);
const MFA_CACHE = new Cache(5 * 60 * 1000);
const ANON_CSRF_SECRET = crypto.randomBytes(64).toString('base64');
/**
* Cache for user directories.
* @type {Map<string, UserDirectoryList>}
@ -381,7 +377,7 @@ function getPasswordHash(password, salt) {
*/
function getCsrfSecret(request) {
if (!request || !request.user) {
throw new Error('Request object is required to get the CSRF secret.');
return ANON_CSRF_SECRET;
}
let csrfSecret = readSecret(request.user.directories, STORAGE_KEYS.csrfSecret);
@ -600,301 +596,24 @@ router.use('/user/images/*', createRouteHandler(req => req.user.directories.user
router.use('/user/files/*', createRouteHandler(req => req.user.directories.files));
router.use('/scripts/extensions/third-party/*', createRouteHandler(req => req.user.directories.extensions));
const publicEndpoints = express.Router();
publicEndpoints.get('/list', async (_request, response) => {
/** @type {User[]} */
const users = await storage.values(x => x.key.startsWith(KEY_PREFIX));
const viewModels = users
.filter(x => x.enabled)
.sort((x, y) => x.created - y.created)
.map(user => ({
handle: user.handle,
name: user.name,
avatar: getUserAvatar(user.handle),
password: !!user.password,
}));
return response.json(viewModels);
});
publicEndpoints.post('/login', jsonParser, async (request, response) => {
if (!request.body.handle) {
console.log('Login failed: Missing required fields');
return response.status(400).json({ error: 'Missing required fields' });
}
/** @type {User} */
const user = await storage.getItem(toKey(request.body.handle));
if (!user) {
console.log('Login failed: User not found');
return response.status(401).json({ error: 'User not found' });
}
if (!user.enabled) {
console.log('Login failed: User is disabled');
return response.status(403).json({ error: 'User is disabled' });
}
if (user.password && user.password !== getPasswordHash(request.body.password, user.salt)) {
console.log('Login failed: Incorrect password');
return response.status(401).json({ error: 'Incorrect password' });
}
if (!request.session) {
console.error('Session not available');
return response.sendStatus(500);
}
request.session.handle = user.handle;
console.log('Login successful:', user.handle, request.session);
return response.json({ handle: user.handle });
});
publicEndpoints.post('/recover-step1', jsonParser, async (request, response) => {
if (!request.body.handle) {
console.log('Recover step 1 failed: Missing required fields');
return response.status(400).json({ error: 'Missing required fields' });
}
/** @type {User} */
const user = await storage.getItem(toKey(request.body.handle));
if (!user) {
console.log('Recover step 1 failed: User not found');
return response.status(404).json({ error: 'User not found' });
}
if (!user.enabled) {
console.log('Recover step 1 failed: User is disabled');
return response.status(403).json({ error: 'User is disabled' });
}
const mfaCode = String(crypto.randomInt(1000, 9999));
console.log();
console.log(color.blue(`${user.name}, your password recovery code is: `) + color.magenta(mfaCode));
console.log();
MFA_CACHE.set(user.handle, mfaCode);
return response.sendStatus(204);
});
publicEndpoints.post('/recover-step2', jsonParser, async (request, response) => {
if (!request.body.handle || !request.body.code) {
console.log('Recover step 2 failed: Missing required fields');
return response.status(400).json({ error: 'Missing required fields' });
}
/** @type {User} */
const user = await storage.getItem(toKey(request.body.handle));
if (!user) {
console.log('Recover step 2 failed: User not found');
return response.status(404).json({ error: 'User not found' });
}
if (!user.enabled) {
console.log('Recover step 2 failed: User is disabled');
return response.status(403).json({ error: 'User is disabled' });
}
const mfaCode = MFA_CACHE.get(user.handle);
if (request.body.code !== mfaCode) {
console.log('Recover step 2 failed: Incorrect code');
return response.status(401).json({ error: 'Incorrect code' });
}
if (request.body.newPassword) {
const salt = getPasswordSalt();
user.password = getPasswordHash(request.body.newPassword, salt);
user.salt = salt;
await storage.setItem(toKey(user.handle), user);
} else {
user.password = '';
user.salt = '';
await storage.setItem(toKey(user.handle), user);
}
return response.sendStatus(204);
});
const authenticatedEndpoints = express.Router();
authenticatedEndpoints.post('/logout', async (request, response) => {
if (!request.session) {
console.error('Session not available');
return response.sendStatus(500);
}
request.session.handle = null;
return response.sendStatus(204);
});
authenticatedEndpoints.get('/me', async (request, response) => {
if (!request.user) {
return response.sendStatus(401);
}
const user = request.user.profile;
const viewModel = {
handle: user.handle,
name: user.name,
avatar: getUserAvatar(user.handle),
admin: user.admin,
password: !!user.password,
};
return response.json(viewModel);
});
authenticatedEndpoints.post('/change-password', jsonParser, async (request, response) => {
if (!request.body.handle || !request.body.oldPassword || !request.body.newPassword) {
console.log('Change password failed: Missing required fields');
return response.status(400).json({ error: 'Missing required fields' });
}
/** @type {User} */
const user = await storage.getItem(toKey(request.body.handle));
if (!user) {
console.log('Change password failed: User not found');
return response.status(404).json({ error: 'User not found' });
}
if (!user.enabled) {
console.log('Change password failed: User is disabled');
return response.status(403).json({ error: 'User is disabled' });
}
if (user.password && user.password !== getPasswordHash(request.body.oldPassword, user.salt)) {
console.log('Change password failed: Incorrect password');
return response.status(401).json({ error: 'Incorrect password' });
}
const salt = getPasswordSalt();
user.password = getPasswordHash(request.body.newPassword, salt);
user.salt = salt;
await storage.setItem(toKey(request.body.handle), user);
return response.sendStatus(204);
});
const adminEndpoints = express.Router();
adminEndpoints.post('/get', requireAdminMiddleware, jsonParser, async (request, response) => {
/** @type {User[]} */
const users = await storage.values(x => x.key.startsWith(KEY_PREFIX));
const viewModels = users
.sort((x, y) => x.created - y.created)
.map(user => ({
handle: user.handle,
name: user.name,
avatar: getUserAvatar(user.handle),
admin: user.admin,
enabled: user.enabled,
created: user.created,
password: !!user.password,
}));
return response.json(viewModels);
});
adminEndpoints.post('/disable', requireAdminMiddleware, jsonParser, async (request, response) => {
if (!request.body.handle) {
console.log('Disable user failed: Missing required fields');
return response.status(400).json({ error: 'Missing required fields' });
}
if (request.body.handle === request.user.profile.handle) {
console.log('Disable user failed: Cannot disable yourself');
return response.status(400).json({ error: 'Cannot disable yourself' });
}
/** @type {User} */
const user = await storage.getItem(toKey(request.body.handle));
if (!user) {
console.log('Disable user failed: User not found');
return response.status(404).json({ error: 'User not found' });
}
user.enabled = false;
await storage.setItem(toKey(request.body.handle), user);
return response.sendStatus(204);
});
adminEndpoints.post('/enable', requireAdminMiddleware, jsonParser, async (request, response) => {
if (!request.body.handle) {
console.log('Enable user failed: Missing required fields');
return response.status(400).json({ error: 'Missing required fields' });
}
/** @type {User} */
const user = await storage.getItem(toKey(request.body.handle));
if (!user) {
console.log('Enable user failed: User not found');
return response.status(404).json({ error: 'User not found' });
}
user.enabled = true;
await storage.setItem(toKey(request.body.handle), user);
return response.sendStatus(204);
});
adminEndpoints.post('/create', requireAdminMiddleware, jsonParser, async (request, response) => {
if (!request.body.handle || !request.body.name) {
console.log('Create user failed: Missing required fields');
return response.status(400).json({ error: 'Missing required fields' });
}
const handles = await getAllUserHandles();
const handle = slugify(request.body.handle, { lower: true, trim: true });
if (handles.some(x => x === handle)) {
console.log('Create user failed: User with that handle already exists');
return response.status(409).json({ error: 'User already exists' });
}
const salt = getPasswordSalt();
const password = request.body.password ? getPasswordHash(request.body.password, salt) : '';
const newUser = {
uuid: uuid.v4(),
handle: handle,
name: request.body.name || 'Anonymous',
created: Date.now(),
password: password,
salt: salt,
admin: !!request.body.admin,
enabled: true,
};
await storage.setItem(toKey(handle), newUser);
// Create user directories
console.log('Creating data directories for', newUser.handle);
const directories = await ensurePublicDirectoriesExist();
await checkForNewContent(directories);
return response.json({ handle: newUser.handle });
});
module.exports = {
KEY_PREFIX,
toKey,
initUserStorage,
ensurePublicDirectoriesExist,
getAllUserHandles,
getUserDirectories,
setUserDataMiddleware,
requireLoginMiddleware,
requireAdminMiddleware,
migrateUserData,
getPasswordSalt,
getPasswordHash,
getCsrfSecret,
getCookieSecret,
getCookieSessionName,
router,
publicEndpoints,
authenticatedEndpoints,
adminEndpoints,
getUserAvatar,
shouldRedirectToLogin,
tryAutoLogin,
router,
};