enigma-bbs/core/user.js

/* jslint node: true */
'use strict';

var userDb			= require('./database.js').dbs.user;
var crypto			= require('crypto');
var assert			= require('assert');
var async			= require('async');

exports.User						= User;
exports.getUserId					= getUserId;
exports.createNew					= createNew;
exports.persistAll					= persistAll;
exports.authenticate				= authenticate;

function User() {
	var self = this;

	this.id			= 0;
	this.userName	= '';
	this.properties	= {};

	this.isValid = function() {
		if(self.id <= 0 || self.userName.length < 2) {
			return false;
		}

		return this.hasValidPassword();
	};

	this.hasValidPassword = function() {
		if(!this.properties || !this.properties.pw_pbkdf2_salt || !this.properties.pw_pbkdf2_dk) {
			return false;
		}

		return this.properties.pw_pbkdf2_salt.length === User.PBKDF2.saltLen * 2 &&
			this.prop_name.pw_pbkdf2_dk.length === User.PBKDF2.keyLen * 2;
	};

	this.isRoot = function() {
		return 1 === this.id;
	};

	this.isSysOp = this.isRoot;	//	alias
}

User.PBKDF2 = {
	iterations	: 1000,
	keyLen		: 128,
	saltLen		: 32,
};

User.StandardPropertyGroups = {
	password	: [ 'pw_pbkdf2_salt', 'pw_pbkdf2_dk' ],
};

function getUserId(userName, cb) {
	userDb.get(
		'SELECT id ' +
		'FROM user ' +
		'WHERE user_name LIKE ?;',
		[ userName ],
		function onResults(err, row) {
			if(err) {
				cb(err);
			} else {
				if(row) {
					cb(null, row.id);
				} else {
					cb(new Error('No matching user name'));
				}
			}
		}
	);
}

function createNew(user, cb) {
	assert(user.userName && user.userName.length > 1, 'Invalid userName');

	async.series(
		[
			function beginTransaction(callback) {
				userDb.run('BEGIN;', function onBegin(err) {
					callback(err);
				});
			},
			function createUserRec(callback) {
				userDb.run(
					'INSERT INTO user (user_name) ' +
					'VALUES (?);',
					[ user.userName ],
					function onUserInsert(err) {
						if(err) {
							callback(err);
						} else {
							user.id = this.lastID;
							callback(null);
						}
					}
				);
			},
			function genPasswordDkAndSaltIfRequired(callback) {
				if(user.password && user.password.length > 0) {
					generatePasswordDerivedKeyAndSalt(user.password, function onDkAndSalt(err, info) {
						if(err) {
							callback(err);
						} else {
							user.properties = user.properties || {};
							user.properties.pw_pbkdf2_salt	= info.salt;
							user.properties.pw_pbkdf2_dk	= info.dk;
							callback(null);
						}
					});					
				} else {
					callback(null);
				}
			},
			function saveAll(callback) {
				persistAll(user, false, function onPersisted(err) {
					callback(err);
				});				
			}
		],
		function onComplete(err) {								
			if(err) {
				var originalError = err;
				userDb.run('ROLLBACK;', function onRollback(err) {
					assert(!err);
					cb(originalError);
				});
			} else {
				userDb.run('COMMIT;', function onCommit(err) {
					if(err) {
						cb(err);
					} else {
						cb(null, user.id);
					}
				});
			}
		}
	);
}

function generatePasswordDerivedKeyAndSalt(password, cb) {
	async.waterfall(
		[
			function getSalt(callback) {
				generatePasswordDerivedKeySalt(function onSalt(err, salt) {
					callback(err, salt);
				});
			},
			function getDk(salt, callback) {
				generatePasswordDerivedKey(password, salt, function onDk(err, dk) {
					callback(err, salt, dk);
				});
			}
		],
		function onComplete(err, salt, dk) {
			cb(err, { salt : salt, dk : dk });
		}
	);
}

function generatePasswordDerivedKeySalt(cb) {
	crypto.randomBytes(User.PBKDF2.saltLen, function onRandSalt(err, salt) {
		if(err) {
			cb(err);
		} else {
			cb(null, salt.toString('hex'));
		}
	});
}

function generatePasswordDerivedKey(password, salt, cb) {
	password = new Buffer(password).toString('hex');
	crypto.pbkdf2(password, salt, User.PBKDF2.iterations, User.PBKDF2.keyLen, function onDerivedKey(err, dk) {
		if(err) {
			cb(err);
		} else {
			cb(null, dk.toString('hex'));
		}
	});
}

function persistProperties(user, cb) {
	assert(user.id > 0);

	var stmt = userDb.prepare(
		'REPLACE INTO user_property (user_id, prop_name, prop_value) ' + 
		'VALUES (?, ?, ?);');

	async.each(Object.keys(user.properties), function onProp(propName, callback) {
		stmt.run(user.id, propName, user.properties[propName], function onRun(err) {
			callback(err);
		});
	}, function onComplete(err) {
		if(err) {
			cb(err);
		} else {
			stmt.finalize(function onFinalized() {
				cb(null);
			});
		}
	});
}

function getProperties(userId, propNames, cb) {
	var properties = {};

	async.each(propNames, function onPropName(propName, next) {
		userDb.get(
			'SELECT prop_value ' +
			'FROM user_property ' + 
			'WHERE user_id = ? AND prop_name = ?;',
			[ userId, propName ], 
			function onRow(err, row) {
				if(err) {
					next(err);
				} else {
					if(row) {
						properties[propName] = row.prop_value;
						next();
					} else {
						next(new Error('No property "' + propName + '" for user ' + userId));
					}
				}
			}
		);
	}, function onCompleteOrError(err) {
		if(err) {
			cb(err);
		} else {
			cb(null, properties);
		}
	});
}

function persistAll(user, useTransaction, cb) {
	assert(user.id > 0);

	async.series(
		[
			function beginTransaction(callback) {
				if(useTransaction) {
					userDb.run('BEGIN;', function onBegin(err) {
						callback(err);
					});
				} else {
					callback(null);
				}
			},
			function saveProps(callback) {
				persistProperties(user, function onPropPersist(err) {
					callback(err);
				});
			}
		],
		function onComplete(err) {
			if(err) {
				if(useTransaction) {
					userDb.run('ROLLBACK;', function onRollback(err) {
						cb(err);
					});
				} else {
					cb(err);
				}
			} else {
				if(useTransaction) {
					userDb.run('COMMIT;', function onCommit(err) {
						cb(err);
					});
				} else {
					cb(null);
				}
			}
		}
	);
}

function authenticate(userName, password, client, cb) {
	assert(client);

	async.waterfall(
		[
			function fetchUserId(callback) {
				//	get user ID
				getUserId(userName, function onUserId(err, userId) {
					callback(err, userId);
				});
			},

			function getRequiredAuthProperties(userId, callback) {
				//	fetch properties required for authentication
				getProperties(userId, User.StandardPropertyGroups.password, function onProps(err, props) {
					callback(err, props);
				});
			},
			function getDkWithSalt(props, callback) {
				//	get DK from stored salt and password provided
				generatePasswordDerivedKey(password, props.pw_pbkdf2_salt, function onDk(err, dk) {
					callback(err, dk, props.pw_pbkdf2_dk);
				});
			}		
		],
		function validateAuth(err, passDk, propsDk) {
			if(err) {
				cb(false);
			} else {
				//
				//	Use constant time comparison here for security feel-goods
				//
				var passDkBuf	= new Buffer(passDk, 'hex');
				var propsDkBuf	= new Buffer(propsDk, 'hex');

				if(passDkBuf.length !== propsDkBuf.length) {
					cb(false);
					return;
				}

				var c = 0;
				for(var i = 0; i < passDkBuf.length; i++) {
					c |= passDkBuf[i] ^ propsDkBuf[i];
				}

				cb(0 === c);
			}
		}
	);
}
* Start work on database & users 2014-10-20 05:30:44 +00:00			`/* jslint node: true */`
			`'use strict';`

* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`var userDb = require('./database.js').dbs.user;`
* Start work on database & users 2014-10-20 05:30:44 +00:00			`var crypto = require('crypto');`
* Work on User & user db 2014-10-21 04:47:13 +00:00			`var assert = require('assert');`
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`var async = require('async');`
* Start work on database & users 2014-10-20 05:30:44 +00:00
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`exports.User = User;`
			`exports.getUserId = getUserId;`
			`exports.createNew = createNew;`
			`exports.persistAll = persistAll;`
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`exports.authenticate = authenticate;`
* Work on User & user db 2014-10-21 04:47:13 +00:00
* Start work on database & users 2014-10-20 05:30:44 +00:00			`function User() {`
			`var self = this;`

* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`this.id = 0;`
			`this.userName = '';`
* Code cleanup. WIP theme stuff. Better CPR handling, etc. 2014-10-30 04:23:44 +00:00			`this.properties = {};`
* Work on User & user db 2014-10-21 04:47:13 +00:00
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`this.isValid = function() {`
			`if(self.id <= 0 \|\| self.userName.length < 2) {`
			`return false;`
* Work on User & user db 2014-10-21 04:47:13 +00:00			`}`

* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`return this.hasValidPassword();`
			`};`
* Work on User & user db 2014-10-21 04:47:13 +00:00
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`this.hasValidPassword = function() {`
			`if(!this.properties \|\| !this.properties.pw_pbkdf2_salt \|\| !this.properties.pw_pbkdf2_dk) {`
			`return false;`
* Work on User & user db 2014-10-21 04:47:13 +00:00			`}`
* Start work on database & users 2014-10-20 05:30:44 +00:00
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`return this.properties.pw_pbkdf2_salt.length === User.PBKDF2.saltLen * 2 &&`
			`this.prop_name.pw_pbkdf2_dk.length === User.PBKDF2.keyLen * 2;`
			`};`
* Start work on database & users 2014-10-20 05:30:44 +00:00
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`this.isRoot = function() {`
			`return 1 === this.id;`
			`};`
* Work on User & user db 2014-10-21 04:47:13 +00:00
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`this.isSysOp = this.isRoot; // alias`
			`}`
* Start work on database & users 2014-10-20 05:30:44 +00:00
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`User.PBKDF2 = {`
			`iterations : 1000,`
			`keyLen : 128,`
			`saltLen : 32,`
* Work on User & user db 2014-10-21 04:47:13 +00:00			`};`

* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`User.StandardPropertyGroups = {`
			`password : [ 'pw_pbkdf2_salt', 'pw_pbkdf2_dk' ],`
			`};`

* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`function getUserId(userName, cb) {`
			`userDb.get(`
			`'SELECT id ' +`
			`'FROM user ' +`
			`'WHERE user_name LIKE ?;',`
			`[ userName ],`
			`function onResults(err, row) {`
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`if(err) {`
			`cb(err);`
			`} else {`
			`if(row) {`
			`cb(null, row.id);`
			`} else {`
			`cb(new Error('No matching user name'));`
			`}`
			`}`
* Start work on database & users 2014-10-20 05:30:44 +00:00			`}`
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`);`
			`}`
* Start work on database & users 2014-10-20 05:30:44 +00:00
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`function createNew(user, cb) {`
			`assert(user.userName && user.userName.length > 1, 'Invalid userName');`
* Work on User & user db 2014-10-21 04:47:13 +00:00
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`async.series(`
			`[`
			`function beginTransaction(callback) {`
			`userDb.run('BEGIN;', function onBegin(err) {`
			`callback(err);`
			`});`
			`},`
			`function createUserRec(callback) {`
			`userDb.run(`
			`'INSERT INTO user (user_name) ' +`
			`'VALUES (?);',`
			`[ user.userName ],`
			`function onUserInsert(err) {`
			`if(err) {`
			`callback(err);`
			`} else {`
			`user.id = this.lastID;`
			`callback(null);`
			`}`
			`}`
			`);`
			`},`
			`function genPasswordDkAndSaltIfRequired(callback) {`
			`if(user.password && user.password.length > 0) {`
			`generatePasswordDerivedKeyAndSalt(user.password, function onDkAndSalt(err, info) {`
			`if(err) {`
			`callback(err);`
			`} else {`
			`user.properties = user.properties \|\| {};`
			`user.properties.pw_pbkdf2_salt = info.salt;`
			`user.properties.pw_pbkdf2_dk = info.dk;`
			`callback(null);`
			`}`
			`});`
			`} else {`
			`callback(null);`
			`}`
			`},`
			`function saveAll(callback) {`
			`persistAll(user, false, function onPersisted(err) {`
			`callback(err);`
			`});`
			`}`
			`],`
			`function onComplete(err) {`
* Work on User & user db 2014-10-21 04:47:13 +00:00			`if(err) {`
+ Very start of theme support. Various changes 2014-10-27 04:06:41 +00:00			`var originalError = err;`
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`userDb.run('ROLLBACK;', function onRollback(err) {`
+ Very start of theme support. Various changes 2014-10-27 04:06:41 +00:00			`assert(!err);`
			`cb(originalError);`
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`});`
* Work on User & user db 2014-10-21 04:47:13 +00:00			`} else {`
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`userDb.run('COMMIT;', function onCommit(err) {`
			`if(err) {`
			`cb(err);`
			`} else {`
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`cb(null, user.id);`
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`}`
			`});`
* Work on User & user db 2014-10-21 04:47:13 +00:00			`}`
			`}`
			`);`
			`}`

* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`function generatePasswordDerivedKeyAndSalt(password, cb) {`
			`async.waterfall(`
			`[`
			`function getSalt(callback) {`
			`generatePasswordDerivedKeySalt(function onSalt(err, salt) {`
			`callback(err, salt);`
			`});`
			`},`
			`function getDk(salt, callback) {`
			`generatePasswordDerivedKey(password, salt, function onDk(err, dk) {`
			`callback(err, salt, dk);`
			`});`
			`}`
			`],`
			`function onComplete(err, salt, dk) {`
			`cb(err, { salt : salt, dk : dk });`
			`}`
			`);`
			`}`

			`function generatePasswordDerivedKeySalt(cb) {`
			`crypto.randomBytes(User.PBKDF2.saltLen, function onRandSalt(err, salt) {`
* Work on User & user db 2014-10-21 04:47:13 +00:00			`if(err) {`
			`cb(err);`
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`} else {`
			`cb(null, salt.toString('hex'));`
* Work on User & user db 2014-10-21 04:47:13 +00:00			`}`
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`});`
			`}`
* Work on User & user db 2014-10-21 04:47:13 +00:00
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`function generatePasswordDerivedKey(password, salt, cb) {`
			`password = new Buffer(password).toString('hex');`
			`crypto.pbkdf2(password, salt, User.PBKDF2.iterations, User.PBKDF2.keyLen, function onDerivedKey(err, dk) {`
			`if(err) {`
			`cb(err);`
			`} else {`
			`cb(null, dk.toString('hex'));`
			`}`
* Start work on database & users 2014-10-20 05:30:44 +00:00			`});`
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`}`
* Start work on database & users 2014-10-20 05:30:44 +00:00
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`function persistProperties(user, cb) {`
			`assert(user.id > 0);`
* Start work on database & users 2014-10-20 05:30:44 +00:00
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`var stmt = userDb.prepare(`
			`'REPLACE INTO user_property (user_id, prop_name, prop_value) ' +`
			`'VALUES (?, ?, ?);');`

* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`async.each(Object.keys(user.properties), function onProp(propName, callback) {`
			`stmt.run(user.id, propName, user.properties[propName], function onRun(err) {`
			`callback(err);`
			`});`
			`}, function onComplete(err) {`
			`if(err) {`
			`cb(err);`
			`} else {`
			`stmt.finalize(function onFinalized() {`
			`cb(null);`
			`});`
			`}`
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`});`
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`}`

			`function getProperties(userId, propNames, cb) {`
			`var properties = {};`
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`async.each(propNames, function onPropName(propName, next) {`
			`userDb.get(`
			`'SELECT prop_value ' +`
			`'FROM user_property ' +`
			`'WHERE user_id = ? AND prop_name = ?;',`
			`[ userId, propName ],`
			`function onRow(err, row) {`
			`if(err) {`
			`next(err);`
			`} else {`
			`if(row) {`
			`properties[propName] = row.prop_value;`
			`next();`
			`} else {`
			`next(new Error('No property "' + propName + '" for user ' + userId));`
			`}`
			`}`
			`}`
			`);`
			`}, function onCompleteOrError(err) {`
			`if(err) {`
			`cb(err);`
			`} else {`
			`cb(null, properties);`
* Start work on database & users 2014-10-20 05:30:44 +00:00			`}`
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`});`
			`}`
* Start work on database & users 2014-10-20 05:30:44 +00:00
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`function persistAll(user, useTransaction, cb) {`
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`assert(user.id > 0);`
* Start work on database & users 2014-10-20 05:30:44 +00:00
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`async.series(`
			`[`
			`function beginTransaction(callback) {`
			`if(useTransaction) {`
			`userDb.run('BEGIN;', function onBegin(err) {`
			`callback(err);`
			`});`
			`} else {`
			`callback(null);`
			`}`
			`},`
			`function saveProps(callback) {`
			`persistProperties(user, function onPropPersist(err) {`
			`callback(err);`
			`});`
			`}`
			`],`
			`function onComplete(err) {`
			`if(err) {`
			`if(useTransaction) {`
			`userDb.run('ROLLBACK;', function onRollback(err) {`
			`cb(err);`
			`});`
			`} else {`
			`cb(err);`
			`}`
			`} else {`
			`if(useTransaction) {`
			`userDb.run('COMMIT;', function onCommit(err) {`
			`cb(err);`
			`});`
			`} else {`
			`cb(null);`
			`}`
			`}`
			`}`
			`);`
			`}`
* Start work on database & users 2014-10-20 05:30:44 +00:00
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`function authenticate(userName, password, client, cb) {`
			`assert(client);`
* Start work on database & users 2014-10-20 05:30:44 +00:00
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`async.waterfall(`
			`[`
			`function fetchUserId(callback) {`
			`// get user ID`
			`getUserId(userName, function onUserId(err, userId) {`
			`callback(err, userId);`
			`});`
			`},`
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`function getRequiredAuthProperties(userId, callback) {`
			`// fetch properties required for authentication`
			`getProperties(userId, User.StandardPropertyGroups.password, function onProps(err, props) {`
			`callback(err, props);`
			`});`
			`},`
			`function getDkWithSalt(props, callback) {`
			`// get DK from stored salt and password provided`
			`generatePasswordDerivedKey(password, props.pw_pbkdf2_salt, function onDk(err, dk) {`
			`callback(err, dk, props.pw_pbkdf2_dk);`
			`});`
			`}`
			`],`
			`function validateAuth(err, passDk, propsDk) {`
			`if(err) {`
			`cb(false);`
			`} else {`
* Constant time password DK compare * Minor View update * Test module. Start work on module switching functionality. NYW! 2014-11-04 05:53:01 +00:00			`//`
			`// Use constant time comparison here for security feel-goods`
			`//`
			`var passDkBuf = new Buffer(passDk, 'hex');`
			`var propsDkBuf = new Buffer(propsDk, 'hex');`

			`if(passDkBuf.length !== propsDkBuf.length) {`
			`cb(false);`
			`return;`
			`}`

			`var c = 0;`
			`for(var i = 0; i < passDkBuf.length; i++) {`
			`c \|= passDkBuf[i] ^ propsDkBuf[i];`
			`}`

			`cb(0 === c);`
* User stuff converted to use Async.js. More to come 2014-10-26 03:35:42 +00:00			`}`
			`}`
			`);`
* Better view inheritance. Experimental ButtonView. User stuff 2014-10-24 04:18:38 +00:00			`}`