sync/lib/web/auth.js

/**
 * web/auth.js - Webserver functions for user authentication and registration
 *
 * @author Calvin Montgomery <cyzon@cyzon.us>
 */

var jade = require("jade");
var path = require("path");
var webserver = require("./webserver");
var cookieall = webserver.cookieall;
var sendJade = require("./jade").sendJade;
var Logger = require("../logger");
var $util = require("../utilities");
var db = require("../database");
var Config = require("../config");
var url = require("url");
var session = require("../session");
var csrf = require("./csrf");

/**
 * Processes a login request.  Sets a cookie upon successful authentication
 */
function handleLogin(req, res) {
    csrf.verify(req);

    var name = req.body.name;
    var password = req.body.password;
    var rememberMe = req.body.remember;
    var dest = req.body.dest || req.header("referer") || null;
    dest = dest && dest.match(/login|logout/) ? null : dest;

    if (typeof name !== "string" || typeof password !== "string") {
        res.sendStatus(400);
        return;
    }

    var host = req.hostname;
    if (host.indexOf(Config.get("http.root-domain")) === -1 &&
            Config.get("http.alt-domains").indexOf(host) === -1) {
        Logger.syslog.log("WARNING: Attempted login from non-approved domain " + host);
        return res.sendStatus(403);
    }

    var expiration;
    if (rememberMe) {
        expiration = new Date("Fri, 31 Dec 9999 23:59:59 GMT");
    } else {
        expiration = new Date(Date.now() + 7*24*60*60*1000);
    }

    password = password.substring(0, 100);

    db.users.verifyLogin(name, password, function (err, user) {
        if (err) {
            if (err === "Invalid username/password combination") {
                Logger.eventlog.log("[loginfail] Login failed (bad password): " + name
                                  + "@" + webserver.ipForRequest(req));
            }
            sendJade(res, "login", {
                loggedIn: false,
                loginError: err
            });
            return;
        }

        session.genSession(user, expiration, function (err, auth) {
            if (err) {
                sendJade(res, "login", {
                    loggedIn: false,
                    loginError: err
                });
                return;
            }

            if (req.hostname.indexOf(Config.get("http.root-domain")) >= 0) {
                // Prevent non-root cookie from screwing things up
                res.clearCookie("auth");
                res.cookie("auth", auth, {
                    domain: Config.get("http.root-domain-dotted"),
                    expires: expiration,
                    httpOnly: true,
                    signed: true
                });
            } else {
                res.cookie("auth", auth, {
                    expires: expiration,
                    httpOnly: true,
                    signed: true
                });
            }

            if (dest) {
                res.redirect(dest);
            } else {
                res.user = user;
                sendJade(res, "login", {});
            }
        });
    });
}

/**
 * Handles a GET request for /login
 */
function handleLoginPage(req, res) {
    if (webserver.redirectHttps(req, res)) {
        return;
    }

    if (req.user) {
        return sendJade(res, "login", {
            wasAlreadyLoggedIn: true
        });
    }

    sendJade(res, "login", {
        redirect: req.query.dest || req.header("referer")
    });
}

/**
 * Handles a request for /logout.  Clears auth cookie
 */
function handleLogout(req, res) {
    csrf.verify(req);

    res.clearCookie("auth");
    req.user = res.user = null;
    // Try to find an appropriate redirect
    var dest = req.query.dest || req.header("referer");
    dest = dest && dest.match(/login|logout|account/) ? null : dest;

    var host = req.hostname;
    if (host.indexOf(Config.get("http.root-domain")) !== -1) {
        res.clearCookie("auth", { domain: Config.get("http.root-domain-dotted") });
    }

    if (dest) {
        res.redirect(dest);
    } else {
        sendJade(res, "logout", {});
    }
}

/**
 * Handles a GET request for /register
 */
function handleRegisterPage(req, res) {
    if (webserver.redirectHttps(req, res)) {
        return;
    }

    if (req.user) {
        sendJade(res, "register", {});
        return;
    }

    sendJade(res, "register", {
        registered: false,
        registerError: false
    });
}

/**
 * Processes a registration request.
 */
function handleRegister(req, res) {
    csrf.verify(req);

    var name = req.body.name;
    var password = req.body.password;
    var email = req.body.email;
    if (typeof email !== "string") {
        email = "";
    }
    var ip = webserver.ipForRequest(req);

    if (typeof name !== "string" || typeof password !== "string") {
        res.sendStatus(400);
        return;
    }

    if (name.length === 0) {
        sendJade(res, "register", {
            registerError: "Username must not be empty"
        });
        return;
    }

    if (name.match(Config.get("reserved-names.usernames"))) {
        sendJade(res, "register", {
            registerError: "That username is reserved"
        });
        return;
    }

    if (password.length === 0) {
        sendJade(res, "register", {
            registerError: "Password must not be empty"
        });
        return;
    }

    password = password.substring(0, 100);

    if (email.length > 0 && !$util.isValidEmail(email)) {
        sendJade(res, "register", {
            registerError: "Invalid email address"
        });
        return;
    }

    db.users.register(name, password, email, ip, function (err) {
        if (err) {
            sendJade(res, "register", {
                registerError: err
            });
        } else {
            Logger.eventlog.log("[register] " + ip + " registered account: " + name +
                             (email.length > 0 ? " <" + email + ">" : ""));
            sendJade(res, "register", {
                registered: true,
                registerName: name,
                redirect: req.body.redirect
            });
        }
    });
}

module.exports = {
    /**
     * Initializes auth callbacks
     */
    init: function (app) {
        app.get("/login", handleLoginPage);
        app.post("/login", handleLogin);
        app.get("/logout", handleLogout);
        app.get("/register", handleRegisterPage);
        app.post("/register", handleRegister);
    }
};
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`/**`
			`* web/auth.js - Webserver functions for user authentication and registration`
			`*`
			`* @author Calvin Montgomery <cyzon@cyzon.us>`
			`*/`

Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`var jade = require("jade");`
			`var path = require("path");`
			`var webserver = require("./webserver");`
Fixes 2014-02-25 00:25:49 +00:00			`var cookieall = webserver.cookieall;`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`var sendJade = require("./jade").sendJade;`
			`var Logger = require("../logger");`
			`var $util = require("../utilities");`
			`var db = require("../database");`
Add config keys for reserved names 2014-02-06 00:05:52 +00:00			`var Config = require("../config");`
Shitty hack for cross-domain login cookies 2014-02-28 02:50:47 +00:00			`var url = require("url");`
Change login sessions 2015-02-16 03:56:00 +00:00			`var session = require("../session");`
Add csrf prevention 2015-02-23 00:15:22 +00:00			`var csrf = require("./csrf");`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00
			`/**`
			`* Processes a login request. Sets a cookie upon successful authentication`
			`*/`
			`function handleLogin(req, res) {`
Add csrf prevention 2015-02-23 00:15:22 +00:00			`csrf.verify(req);`

Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`var name = req.body.name;`
			`var password = req.body.password;`
Initial 'remember me' support for logins 2015-02-07 21:13:28 +00:00			`var rememberMe = req.body.remember;`
Change login sessions 2015-02-16 03:56:00 +00:00			`var dest = req.body.dest \|\| req.header("referer") \|\| null;`
Fix improper null check 2015-02-21 05:23:10 +00:00			`dest = dest && dest.match(/login\|logout/) ? null : dest;`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`if (typeof name !== "string" \|\| typeof password !== "string") {`
Fixes 2015-02-20 02:30:35 +00:00			`res.sendStatus(400);`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`return;`
			`}`

Change login sessions 2015-02-16 03:56:00 +00:00			`var host = req.hostname;`
			`if (host.indexOf(Config.get("http.root-domain")) === -1 &&`
			`Config.get("http.alt-domains").indexOf(host) === -1) {`
			`Logger.syslog.log("WARNING: Attempted login from non-approved domain " + host);`
Fixes 2015-02-20 02:30:35 +00:00			`return res.sendStatus(403);`
Change login sessions 2015-02-16 03:56:00 +00:00			`}`

			`var expiration;`
			`if (rememberMe) {`
			`expiration = new Date("Fri, 31 Dec 9999 23:59:59 GMT");`
			`} else {`
			`expiration = new Date(Date.now() + 72460601000);`
			`}`

Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`password = password.substring(0, 100);`

More refactoring 2013-12-12 23:09:49 +00:00			`db.users.verifyLogin(name, password, function (err, user) {`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`if (err) {`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`if (err === "Invalid username/password combination") {`
Start working on event log 2014-01-28 00:37:48 +00:00			`Logger.eventlog.log("[loginfail] Login failed (bad password): " + name`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`+ "@" + webserver.ipForRequest(req));`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`}`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`sendJade(res, "login", {`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`loggedIn: false,`
			`loginError: err`
			`});`
Change login sessions 2015-02-16 03:56:00 +00:00			`return;`
			`}`
Shitty hack for cross-domain login cookies 2014-02-28 02:50:47 +00:00
Change login sessions 2015-02-16 03:56:00 +00:00			`session.genSession(user, expiration, function (err, auth) {`
			`if (err) {`
			`sendJade(res, "login", {`
			`loggedIn: false,`
			`loginError: err`
			`});`
			`return;`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`}`

Change login sessions 2015-02-16 03:56:00 +00:00			`if (req.hostname.indexOf(Config.get("http.root-domain")) >= 0) {`
Fix 2015-02-20 02:33:31 +00:00			`// Prevent non-root cookie from screwing things up`
			`res.clearCookie("auth");`
Change login sessions 2015-02-16 03:56:00 +00:00			`res.cookie("auth", auth, {`
			`domain: Config.get("http.root-domain-dotted"),`
			`expires: expiration,`
			`httpOnly: true,`
			`signed: true`
			`});`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`} else {`
Change login sessions 2015-02-16 03:56:00 +00:00			`res.cookie("auth", auth, {`
			`expires: expiration,`
			`httpOnly: true,`
			`signed: true`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`});`
			`}`
Shitty hack for cross-domain login cookies 2014-02-28 02:50:47 +00:00
Change login sessions 2015-02-16 03:56:00 +00:00			`if (dest) {`
			`res.redirect(dest);`
			`} else {`
			`res.user = user;`
			`sendJade(res, "login", {});`
			`}`
Shitty hack for cross-domain login cookies 2014-02-28 02:50:47 +00:00			`});`
Change login sessions 2015-02-16 03:56:00 +00:00			`});`
Shitty hack for cross-domain login cookies 2014-02-28 02:50:47 +00:00			`}`

Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`/**`
			`* Handles a GET request for /login`
			`*/`
			`function handleLoginPage(req, res) {`
Work on SIO and SSL 2014-01-23 03:12:43 +00:00			`if (webserver.redirectHttps(req, res)) {`
			`return;`
			`}`

Change login sessions 2015-02-16 03:56:00 +00:00			`if (req.user) {`
			`return sendJade(res, "login", {`
			`wasAlreadyLoggedIn: true`
			`});`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`}`
Change login sessions 2015-02-16 03:56:00 +00:00
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`sendJade(res, "login", {`
Change login sessions 2015-02-16 03:56:00 +00:00			`redirect: req.query.dest \|\| req.header("referer")`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`});`
			`}`

			`/**`
			`* Handles a request for /logout. Clears auth cookie`
			`*/`
			`function handleLogout(req, res) {`
Add csrf prevention 2015-02-23 00:15:22 +00:00			`csrf.verify(req);`

Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`res.clearCookie("auth");`
Add csrf prevention 2015-02-23 00:15:22 +00:00			`req.user = res.user = null;`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`// Try to find an appropriate redirect`
Change login sessions 2015-02-16 03:56:00 +00:00			`var dest = req.query.dest \|\| req.header("referer");`
Fix improper null check 2015-02-21 05:23:10 +00:00			`dest = dest && dest.match(/login\|logout\|account/) ? null : dest;`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00
Update bcrypt and fix a deprecated reference in auth 2014-08-19 05:25:36 +00:00			`var host = req.hostname;`
Shitty hack for cross-domain login cookies 2014-02-28 02:50:47 +00:00			`if (host.indexOf(Config.get("http.root-domain")) !== -1) {`
Fixes 2014-03-01 23:37:59 +00:00			`res.clearCookie("auth", { domain: Config.get("http.root-domain-dotted") });`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`}`

Change login sessions 2015-02-16 03:56:00 +00:00			`if (dest) {`
			`res.redirect(dest);`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`} else {`
			`sendJade(res, "logout", {});`
			`}`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`}`

			`/**`
			`* Handles a GET request for /register`
			`*/`
			`function handleRegisterPage(req, res) {`
Work on SIO and SSL 2014-01-23 03:12:43 +00:00			`if (webserver.redirectHttps(req, res)) {`
			`return;`
			`}`

Change login sessions 2015-02-16 03:56:00 +00:00			`if (req.user) {`
			`sendJade(res, "register", {});`
			`return;`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`}`
Limit user registrations 2014-02-10 01:52:24 +00:00
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`sendJade(res, "register", {`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`registered: false,`
			`registerError: false`
			`});`
			`}`

			`/**`
			`* Processes a registration request.`
			`*/`
			`function handleRegister(req, res) {`
Add csrf prevention 2015-02-23 00:15:22 +00:00			`csrf.verify(req);`

Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`var name = req.body.name;`
			`var password = req.body.password;`
			`var email = req.body.email;`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`if (typeof email !== "string") {`
			`email = "";`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`}`
			`var ip = webserver.ipForRequest(req);`

Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`if (typeof name !== "string" \|\| typeof password !== "string") {`
Fixes 2015-02-20 02:30:35 +00:00			`res.sendStatus(400);`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`return;`
			`}`

			`if (name.length === 0) {`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`sendJade(res, "register", {`
			`registerError: "Username must not be empty"`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`});`
			`return;`
			`}`

Add config keys for reserved names 2014-02-06 00:05:52 +00:00			`if (name.match(Config.get("reserved-names.usernames"))) {`
			`sendJade(res, "register", {`
			`registerError: "That username is reserved"`
			`});`
			`return;`
			`}`

Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`if (password.length === 0) {`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`sendJade(res, "register", {`
			`registerError: "Password must not be empty"`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`});`
			`return;`
			`}`

			`password = password.substring(0, 100);`

Initialize global database tables 2013-12-27 03:15:54 +00:00			`if (email.length > 0 && !$util.isValidEmail(email)) {`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`sendJade(res, "register", {`
			`registerError: "Invalid email address"`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`});`
			`return;`
			`}`

Fix registration 2013-12-26 03:30:24 +00:00			`db.users.register(name, password, email, ip, function (err) {`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`if (err) {`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`sendJade(res, "register", {`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`registerError: err`
			`});`
			`} else {`
Start working on event log 2014-01-28 00:37:48 +00:00			`Logger.eventlog.log("[register] " + ip + " registered account: " + name +`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`(email.length > 0 ? " <" + email + ">" : ""));`
			`sendJade(res, "register", {`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`registered: true,`
			`registerName: name,`
			`redirect: req.body.redirect`
			`});`
			`}`
			`});`
			`}`

			`module.exports = {`
			`/**`
			`* Initializes auth callbacks`
			`*/`
			`init: function (app) {`
Add profile page, fix some redirects 2014-01-20 18:42:20 +00:00			`app.get("/login", handleLoginPage);`
			`app.post("/login", handleLogin);`
			`app.get("/logout", handleLogout);`
			`app.get("/register", handleRegisterPage);`
			`app.post("/register", handleRegister);`
Start merging cytube3 account management 2013-12-12 20:48:23 +00:00			`}`
			`};`