214 lines
4.6 KiB
JavaScript
214 lines
4.6 KiB
JavaScript
/* jslint node: true */
|
|
'use strict';
|
|
|
|
var crypto = require('crypto');
|
|
var assert = require('assert');
|
|
//var database = require('./database.js');
|
|
|
|
var userDb = require('./database.js').dbs.user;
|
|
|
|
exports.User = User;
|
|
|
|
var PBKDF2 = {
|
|
iterations : 1000,
|
|
keyLen : 128,
|
|
saltLen : 32,
|
|
};
|
|
|
|
var UserErrorCodes = Object.freeze({
|
|
NONE : 'No error',
|
|
INVALID_USER : 'Invalid user',
|
|
INVALID_PASSWORD : 'Invalid password',
|
|
});
|
|
|
|
function User() {
|
|
var self = this;
|
|
|
|
this.id = 0;
|
|
this.userName = '';
|
|
this.groups = [];
|
|
this.permissions = [];
|
|
this.properties = {};
|
|
|
|
|
|
}
|
|
|
|
User.generatePasswordDerivedKey = function(password, cb) {
|
|
crypto.randomBytes(PBKDF2.saltLen, function onRandomSalt(err, salt) {
|
|
if(err) {
|
|
cb(err);
|
|
return;
|
|
}
|
|
|
|
salt = salt.toString('hex');
|
|
|
|
password = new Buffer(password).toString('hex');
|
|
|
|
crypto.pbkdf2(password, salt, PBKDF2.iterations, PBKDF2.keyLen, function onDerivedKey(err, dk) {
|
|
if(err) {
|
|
cb(err);
|
|
return;
|
|
}
|
|
|
|
cb(null, { dk : dk.toString('hex'), salt : salt });
|
|
});
|
|
});
|
|
};
|
|
|
|
//
|
|
// :TODO: createNewUser(userName, password, groups)
|
|
|
|
User.addNew = function(user, cb) {
|
|
userDb.run('INSERT INTO user (user_name) VALUES(?);', [ user.userName ], function onUserInsert(err) {
|
|
if(err) {
|
|
cb(err);
|
|
return;
|
|
}
|
|
|
|
user.id = this.lastID;
|
|
user.persist(cb);
|
|
});
|
|
};
|
|
|
|
User.prototype.persist = function(cb) {
|
|
var self = this;
|
|
|
|
if(0 === this.id || 0 === this.userName.length) {
|
|
cb(new Error(UserErrorCodes.INVALID_USER));
|
|
return;
|
|
}
|
|
|
|
userDb.serialize(function onSerialized() {
|
|
userDb.run('BEGIN;');
|
|
|
|
// :TODO: Create persistProperties(id, {props})
|
|
var stmt = userDb.prepare('REPLACE INTO user_property (user_id, prop_name, prop_value) VALUES(?, ?, ?);');
|
|
Object.keys(self.properties).forEach(function onPropName(propName) {
|
|
stmt.run(self.id, propName, self.properties[propName]);
|
|
});
|
|
|
|
stmt.finalize(function onFinalized() {
|
|
userDb.run('COMMIT;');
|
|
cb(null, self.id);
|
|
});
|
|
});
|
|
};
|
|
|
|
// :TODO: make standalone function(password, dk, salt)
|
|
User.prototype.validatePassword = function(password, cb) {
|
|
assert(this.properties.pw_pbkdf2_salt);
|
|
assert(this.properties.pw_pbkdf2_dk);
|
|
|
|
var self = this;
|
|
|
|
password = new Buffer(password).toString('hex');
|
|
|
|
crypto.pbkdf2(password, this.properties.pw_pbkdf2_salt, PBKDF2.iterations, PBKDF2.keyLen, function onDerivedKey(err, dk) {
|
|
if(err) {
|
|
cb(err);
|
|
return;
|
|
}
|
|
|
|
// Constant time compare
|
|
var propDk = new Buffer(self.properties.pw_pbkdf2_dk, 'hex');
|
|
|
|
console.log(propDk);
|
|
console.log(dk);
|
|
|
|
if(propDk.length !== dk.length) {
|
|
cb(new Error('Unexpected buffer length'));
|
|
return;
|
|
}
|
|
|
|
var c = 0;
|
|
for(var i = 0; i < dk.length; i++) {
|
|
c |= propDk[i] ^ dk[i];
|
|
}
|
|
cb(null, c === 0);
|
|
});
|
|
};
|
|
|
|
// :TODO: make this something like getUserProperties(id, [propNames], cb)
|
|
function getUserDerivedKeyAndSalt(id, cb) {
|
|
var properties = {};
|
|
userDb.each(
|
|
'SELECT prop_name, prop_value ' +
|
|
'FROM user_property ' +
|
|
'WHERE user_id = ? AND prop_name="pw_pbkdf2_salt" OR prop_name="pw_pbkdf2_dk";',
|
|
[ id ],
|
|
function onPwPropRow(err, propRow) {
|
|
if(err) {
|
|
cb(err);
|
|
} else {
|
|
properties[propRow.prop_name] = propRow.prop_value;
|
|
}
|
|
},
|
|
function onComplete() {
|
|
cb(null, properties);
|
|
}
|
|
);
|
|
}
|
|
|
|
User.loadWithCredentials = function(userName, password, cb) {
|
|
userDb.get('SELECT id, user_name FROM user WHERE user_name LIKE ? LIMIT 1;"', [ userName ], function onUserIds(err, userRow) {
|
|
if(err) {
|
|
cb(err);
|
|
return;
|
|
}
|
|
|
|
if(!userRow) {
|
|
cb(new Error(UserErrorCodes.INVALID_USER));
|
|
return;
|
|
}
|
|
|
|
// Load dk & salt properties for password validation
|
|
getUserDerivedKeyAndSalt(userRow.id, function onDkAndSalt(err, props) {
|
|
var user = new User();
|
|
user.properties = props;
|
|
|
|
user.validatePassword(password, function onValidatePw(err, isCorrect) {
|
|
if(err) {
|
|
cb(err);
|
|
return;
|
|
}
|
|
|
|
if(!isCorrect) {
|
|
cb(new Error(UserErrorCodes.INVALID_PASSWORD));
|
|
return;
|
|
}
|
|
|
|
// userName and password OK -- load the rest.
|
|
|
|
user.id = userRow.id;
|
|
user.userName = userRow.user_name;
|
|
|
|
cb(null, user);
|
|
});
|
|
});
|
|
});
|
|
};
|
|
|
|
User.prototype.setPassword = function(password, cb) {
|
|
// :TODO: validate min len, etc. here?
|
|
|
|
crypto.randomBytes(PBKDF2.saltLen, function onRandomSalt(err, salt) {
|
|
if(err) {
|
|
cb(err);
|
|
return;
|
|
}
|
|
|
|
password = Buffer.isBuffer(password) ? password : new Buffer(password, 'hex');
|
|
|
|
crypto.pbkdf2(password, salt, PBKDF2.iterations, PBKDF2.keyLen, function onPbkdf2Generated(err, dk) {
|
|
if(err) {
|
|
cb(err);
|
|
return;
|
|
}
|
|
|
|
cb(null, dk);
|
|
|
|
this.properties['pw.pbkdf2.salt'] = salt;
|
|
this.properties['pw.pbkdf2.dk'] = dk;
|
|
});
|
|
});
|
|
}; |