etherpad-lite/src/node/hooks/express/webaccess.js

var express = require('express');
var log4js = require('log4js');
var httpLogger = log4js.getLogger("http");
var settings = require('../../utils/Settings');
var hooks = require('ep_etherpad-lite/static/js/pluginfw/hooks');
var ueberStore = require('../../db/SessionStore');
var stats = require('ep_etherpad-lite/node/stats');
var sessionModule = require('express-session');
var cookieParser = require('cookie-parser');

//checks for basic http auth
exports.basicAuth = function (req, res, next) {
  var hookResultMangle = function (cb) {
    return function (err, data) {
      return cb(!err && data.length && data[0]);
    }
  }

  var authorize = function (cb) {
    // Do not require auth for static paths and the API...this could be a bit brittle
    if (req.path.match(/^\/(static|javascripts|pluginfw|api)/)) return cb(true);

    if (req.path.toLowerCase().indexOf('/admin') != 0) {
      if (!settings.requireAuthentication) return cb(true);
      if (!settings.requireAuthorization && req.session && req.session.user) return cb(true);
    }

    if (req.session && req.session.user && req.session.user.is_admin) return cb(true);

    hooks.aCallFirst("authorize", {req: req, res:res, next:next, resource: req.path}, hookResultMangle(cb));
  }

  var authenticate = function (cb) {
    // If auth headers are present use them to authenticate...
    if (req.headers.authorization && req.headers.authorization.search('Basic ') === 0) {
      var userpass = Buffer.from(req.headers.authorization.split(' ')[1], 'base64').toString().split(":")
      var username = userpass.shift();
      var password = userpass.join(':');
      var fallback = function(success) {
        if (success) return cb(true);
        if (!(username in settings.users)) {
          httpLogger.info(`Failed authentication from IP ${req.ip} - no such user`);
          return cb(false);
        }
        if (settings.users[username].password !== password) {
          httpLogger.info(`Failed authentication from IP ${req.ip} for user ${username} - incorrect password`);
          return cb(false);
        }
        httpLogger.info(`Successful authentication from IP ${req.ip} for user ${username}`);
        settings.users[username].username = username;
        req.session.user = settings.users[username];
        return cb(true);
      };
      return hooks.aCallFirst("authenticate", {req: req, res:res, next:next, username: username, password: password}, hookResultMangle(fallback));
    }
    hooks.aCallFirst("authenticate", {req: req, res:res, next:next}, hookResultMangle(cb));
  }


  /* Authentication OR authorization failed. */
  var failure = function () {
    return hooks.aCallFirst("authFailure", {req: req, res:res, next:next}, hookResultMangle(function (ok) {
    if (ok) return;
      /* No plugin handler for invalid auth. Return Auth required
       * Headers, delayed for 1 second, if authentication failed
       * before. */
      res.header('WWW-Authenticate', 'Basic realm="Protected Area"');
      if (req.headers.authorization) {
        setTimeout(function () {
          res.status(401).send('Authentication required');
        }, 1000);
      } else {
        res.status(401).send('Authentication required');
      }
    }));
  }


  /* This is the actual authentication/authorization hoop. It is done in four steps:

     1) Try to just access the thing
     2) If not allowed using whatever creds are in the current session already, try to authenticate
     3) If authentication using already supplied credentials succeeds, try to access the thing again
     4) If all els fails, give the user a 401 to request new credentials

     Note that the process could stop already in step 3 with a redirect to login page.

  */

  authorize(function (ok) {
    if (ok) return next();
    authenticate(function (ok) {
      if (!ok) return failure();
      authorize(function (ok) {
        if (ok) return next();
        failure();
      });
    });
  });
}

exports.secret = null;

exports.expressConfigure = function (hook_name, args, cb) {
  // Measure response time
  args.app.use(function(req, res, next) {
    var stopWatch = stats.timer('httpRequests').start();
    var sendFn = res.send
    res.send = function() {
      stopWatch.end()
      sendFn.apply(res, arguments)
    }
    next()
  })

  // If the log level specified in the config file is WARN or ERROR the application server never starts listening to requests as reported in issue #158.
  // Not installing the log4js connect logger when the log level has a higher severity than INFO since it would not log at that level anyway.
  if (!(settings.loglevel === "WARN" || settings.loglevel == "ERROR"))
    args.app.use(log4js.connectLogger(httpLogger, { level: log4js.levels.DEBUG, format: ':status, :method :url'}));

  /* Do not let express create the session, so that we can retain a
   * reference to it for socket.io to use. Also, set the key (cookie
   * name) to a javascript identifier compatible string. Makes code
   * handling it cleaner :) */

  if (!exports.sessionStore) {
    exports.sessionStore = new ueberStore();
    exports.secret = settings.sessionKey;
  }

  args.app.sessionStore = exports.sessionStore;
  args.app.use(sessionModule({
    secret: exports.secret,
    store: args.app.sessionStore,
    resave: false,
    saveUninitialized: true,
    name: 'express_sid',
    proxy: true,
    cookie: {
      /*
       * The automatic express-session mechanism for determining if the
       * application is being served over ssl is similar to the one used for
       * setting the language cookie, which check if one of these conditions is
       * true:
       *
       * 1. we are directly serving the nodejs application over SSL, using the
       *    "ssl" options in settings.json
       *
       * 2. we are serving the nodejs application in plaintext, but we are using
       *    a reverse proxy that terminates SSL for us. In this case, the user
       *    has to set trustProxy = true in settings.json, and the information
       *    wheter the application is over SSL or not will be extracted from the
       *    X-Forwarded-Proto HTTP header
       *
       * Please note that this will not be compatible with applications being
       * served over http and https at the same time.
       *
       * reference: https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure
       */
      secure: 'auto',
    }
  }));

  args.app.use(cookieParser(settings.sessionKey, {}));

  args.app.use(exports.basicAuth);
}
Moved webaccess 2012-02-25 13:38:09 +01:00			`var express = require('express');`
			`var log4js = require('log4js');`
			`var httpLogger = log4js.getLogger("http");`
Moved all the hooks into a hooks directory 2012-02-25 17:23:44 +01:00			`var settings = require('../../utils/Settings');`
More general basic auth 2012-04-19 14:25:12 +02:00			`var hooks = require('ep_etherpad-lite/static/js/pluginfw/hooks');`
Begin supporting the database but still have a problem where it generates new key on restart... 2013-02-13 01:33:22 +00:00			`var ueberStore = require('../../db/SessionStore');`
update for express 4.x 2015-04-07 07:55:05 -05:00			`var stats = require('ep_etherpad-lite/node/stats');`
			`var sessionModule = require('express-session');`
Use the cookie parser middleware 2015-05-07 18:14:55 +01:00			`var cookieParser = require('cookie-parser');`
Moved webaccess 2012-02-25 13:38:09 +01:00
			`//checks for basic http auth`
			`exports.basicAuth = function (req, res, next) {`
Changed the authentication mechanism to support hooks 2012-04-19 16:04:03 +02:00			`var hookResultMangle = function (cb) {`
			`return function (err, data) {`
			`return cb(!err && data.length && data[0]);`
			`}`
			`}`

			`var authorize = function (cb) {`
Fix #1219: Make api work if requireAuth is enabled 2012-12-05 14:04:48 +01:00			`// Do not require auth for static paths and the API...this could be a bit brittle`
			`if (req.path.match(/^\/(static\|javascripts\|pluginfw\|api)/)) return cb(true);`
More general basic auth 2012-04-19 14:25:12 +02:00
Update webaccess.js 2018-04-06 22:21:33 +02:00			`if (req.path.toLowerCase().indexOf('/admin') != 0) {`
More general basic auth 2012-04-19 14:25:12 +02:00			`if (!settings.requireAuthentication) return cb(true);`
			`if (!settings.requireAuthorization && req.session && req.session.user) return cb(true);`
Moved webaccess 2012-02-25 13:38:09 +01:00			`}`
More general basic auth 2012-04-19 14:25:12 +02:00
			`if (req.session && req.session.user && req.session.user.is_admin) return cb(true);`

Changed the authentication mechanism to support hooks 2012-04-19 16:04:03 +02:00			`hooks.aCallFirst("authorize", {req: req, res:res, next:next, resource: req.path}, hookResultMangle(cb));`
Moved webaccess 2012-02-25 13:38:09 +01:00			`}`
More general basic auth 2012-04-19 14:25:12 +02:00
			`var authenticate = function (cb) {`
			`// If auth headers are present use them to authenticate...`
			`if (req.headers.authorization && req.headers.authorization.search('Basic ') === 0) {`
deprecations: get rid of DEP0005 about Buffer() Similar code still lives in some dependent libraries. It will be updated when upgrading the dependencies. Fixes #3446 2018-08-14 19:45:03 +02:00			`var userpass = Buffer.from(req.headers.authorization.split(' ')[1], 'base64').toString().split(":")`
allow users to have colons in password 2013-09-10 15:58:39 +02:00			`var username = userpass.shift();`
			`var password = userpass.join(':');`
Call authentication hooks before default basic authentication. This allows authenticators to do any extra session setup for a given user, even if their username/password happens to match settings.json. 2017-12-31 12:32:50 +00:00			`var fallback = function(success) {`
			`if (success) return cb(true);`
webaccess: Log authentication attempts (#4022) Addresses issue #4016. 2020-06-01 15:11:57 -04:00			`if (!(username in settings.users)) {`
			httpLogger.info(`Failed authentication from IP ${req.ip} - no such user`);
			`return cb(false);`
Call authentication hooks before default basic authentication. This allows authenticators to do any extra session setup for a given user, even if their username/password happens to match settings.json. 2017-12-31 12:32:50 +00:00			`}`
webaccess: Log authentication attempts (#4022) Addresses issue #4016. 2020-06-01 15:11:57 -04:00			`if (settings.users[username].password !== password) {`
			httpLogger.info(`Failed authentication from IP ${req.ip} for user ${username} - incorrect password`);
			`return cb(false);`
			`}`
			httpLogger.info(`Successful authentication from IP ${req.ip} for user ${username}`);
			`settings.users[username].username = username;`
			`req.session.user = settings.users[username];`
			`return cb(true);`
Call authentication hooks before default basic authentication. This allows authenticators to do any extra session setup for a given user, even if their username/password happens to match settings.json. 2017-12-31 12:32:50 +00:00			`};`
			`return hooks.aCallFirst("authenticate", {req: req, res:res, next:next, username: username, password: password}, hookResultMangle(fallback));`
More general basic auth 2012-04-19 14:25:12 +02:00			`}`
Changed the authentication mechanism to support hooks 2012-04-19 16:04:03 +02:00			`hooks.aCallFirst("authenticate", {req: req, res:res, next:next}, hookResultMangle(cb));`
Don't block static paths with http auth 2012-04-13 05:17:48 -04:00			`}`

Moved webaccess 2012-02-25 13:38:09 +01:00
Changed the authentication mechanism to support hooks 2012-04-19 16:04:03 +02:00			`/* Authentication OR authorization failed. */`
More general basic auth 2012-04-19 14:25:12 +02:00			`var failure = function () {`
Changed the authentication mechanism to support hooks 2012-04-19 16:04:03 +02:00			`return hooks.aCallFirst("authFailure", {req: req, res:res, next:next}, hookResultMangle(function (ok) {`
			`if (ok) return;`
			`/* No plugin handler for invalid auth. Return Auth required`
			`* Headers, delayed for 1 second, if authentication failed`
			`* before. */`
			`res.header('WWW-Authenticate', 'Basic realm="Protected Area"');`
			`if (req.headers.authorization) {`
			`setTimeout(function () {`
fix minify route path; update deprecated calls 2015-04-10 05:52:58 -05:00			`res.status(401).send('Authentication required');`
Changed the authentication mechanism to support hooks 2012-04-19 16:04:03 +02:00			`}, 1000);`
			`} else {`
fix minify route path; update deprecated calls 2015-04-10 05:52:58 -05:00			`res.status(401).send('Authentication required');`
Changed the authentication mechanism to support hooks 2012-04-19 16:04:03 +02:00			`}`
			`}));`
Moved webaccess 2012-02-25 13:38:09 +01:00			`}`
More general basic auth 2012-04-19 14:25:12 +02:00

			`/* This is the actual authentication/authorization hoop. It is done in four steps:`

			`1) Try to just access the thing`
			`2) If not allowed using whatever creds are in the current session already, try to authenticate`
			`3) If authentication using already supplied credentials succeeds, try to access the thing again`
			`4) If all els fails, give the user a 401 to request new credentials`

			`Note that the process could stop already in step 3 with a redirect to login page.`

			`*/`
Use the cookie parser middleware 2015-05-07 18:14:55 +01:00
More general basic auth 2012-04-19 14:25:12 +02:00			`authorize(function (ok) {`
			`if (ok) return next();`
			`authenticate(function (ok) {`
			`if (!ok) return failure();`
			`authorize(function (ok) {`
			`if (ok) return next();`
			`failure();`
			`});`
			`});`
			`});`
Moved webaccess 2012-02-25 13:38:09 +01:00			`}`

Fix socket.io auth: Use connect to parse signed cookies (migrate to express v3) 2012-09-22 16:03:40 +02:00			`exports.secret = null;`
Make the server restart on plugin install 2012-07-03 23:30:40 +02:00
Moved webaccess 2012-02-25 13:38:09 +01:00			`exports.expressConfigure = function (hook_name, args, cb) {`
Record metrics with 'measured' 2013-10-27 17:42:55 +01:00			`// Measure response time`
			`args.app.use(function(req, res, next) {`
			`var stopWatch = stats.timer('httpRequests').start();`
			`var sendFn = res.send`
			`res.send = function() {`
			`stopWatch.end()`
			`sendFn.apply(res, arguments)`
			`}`
			`next()`
			`})`

Moved webaccess 2012-02-25 13:38:09 +01:00			`// If the log level specified in the config file is WARN or ERROR the application server never starts listening to requests as reported in issue #158.`
			`// Not installing the log4js connect logger when the log level has a higher severity than INFO since it would not log at that level anyway.`
			`if (!(settings.loglevel === "WARN" \|\| settings.loglevel == "ERROR"))`
Record metrics with 'measured' 2013-10-27 17:42:55 +01:00			`args.app.use(log4js.connectLogger(httpLogger, { level: log4js.levels.DEBUG, format: ':status, :method :url'}));`
More general basic auth 2012-04-19 14:25:12 +02:00
			`/* Do not let express create the session, so that we can retain a`
			`* reference to it for socket.io to use. Also, set the key (cookie`
			`* name) to a javascript identifier compatible string. Makes code`
			`* handling it cleaner :) */`

Make the server restart on plugin install 2012-07-03 23:30:40 +02:00			`if (!exports.sessionStore) {`
Begin supporting the database but still have a problem where it generates new key on restart... 2013-02-13 01:33:22 +00:00			`exports.sessionStore = new ueberStore();`
Remove deprecated comment The session key is currently stored in SESSIONKEY.txt, so it is no longer reset every time the server starts. 2017-01-26 09:59:09 +01:00			`exports.secret = settings.sessionKey;`
Make the server restart on plugin install 2012-07-03 23:30:40 +02:00			`}`

			`args.app.sessionStore = exports.sessionStore;`
express: reformat session configuration in preparation for the next commit No functional changes. 2019-12-07 04:22:54 +01:00			`args.app.use(sessionModule({`
			`secret: exports.secret,`
			`store: args.app.sessionStore,`
webaccess: do not resave session Before this change, the database was spammed with session values. Modern express-session has this baked in. See https://www.npmjs.com/package/express-session#resave for docs. 2020-03-30 14:59:20 +00:00			`resave: false,`
express: reformat session configuration in preparation for the next commit No functional changes. 2019-12-07 04:22:54 +01:00			`saveUninitialized: true,`
			`name: 'express_sid',`
			`proxy: true,`
			`cookie: {`
security: when served over https, set the "secure" flag for "express_sid" and "language" cookie The mechanism used for determining if the application is being served over SSL is wrapped by the "express-session" library for "express_sid", and manual for the "language" cookie, but it's very similar in both cases. The "secure" flag is set if one of these is true: 1. we are directly serving Etherpad over SSL using the native nodejs functionality, via the "ssl" options in settings.json 2. Etherpad is being served in plaintext by nodejs, but we are using a reverse proxy for terminating the SSL for us; In this case, the user has to be instructed to properly set trustProxy: true in settings.json, and the information wheter the application is over SSL or not will be extracted from the X-Forwarded-Proto HTTP header. Please note that this will not be compatible with applications being served over http and https at the same time. The change on webaccess.js amends 009b61b33843, which did not work when the SSL termination was performed by a reverse proxy. Reference for automatic "express_sid" configuration: https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure Closes #3561. 2019-12-07 04:36:01 +01:00			`/*`
			`* The automatic express-session mechanism for determining if the`
			`* application is being served over ssl is similar to the one used for`
			`* setting the language cookie, which check if one of these conditions is`
			`* true:`
			`*`
			`* 1. we are directly serving the nodejs application over SSL, using the`
			`* "ssl" options in settings.json`
			`*`
			`* 2. we are serving the nodejs application in plaintext, but we are using`
			`* a reverse proxy that terminates SSL for us. In this case, the user`
			`* has to set trustProxy = true in settings.json, and the information`
			`* wheter the application is over SSL or not will be extracted from the`
			`* X-Forwarded-Proto HTTP header`
			`*`
			`* Please note that this will not be compatible with applications being`
			`* served over http and https at the same time.`
			`*`
			`* reference: https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure`
			`*/`
			`secure: 'auto',`
express: reformat session configuration in preparation for the next commit No functional changes. 2019-12-07 04:22:54 +01:00			`}`
			`}));`
More general basic auth 2012-04-19 14:25:12 +02:00
Use the cookie parser middleware 2015-05-07 18:14:55 +01:00			`args.app.use(cookieParser(settings.sessionKey, {}));`

More general basic auth 2012-04-19 14:25:12 +02:00			`args.app.use(exports.basicAuth);`
Moved webaccess 2012-02-25 13:38:09 +01:00			`}`