mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-20 07:35:05 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 27
etherpad-lite/src/node/hooks/express/webaccess.js

208 lines
9 KiB
JavaScript
Raw Normal View History

webaccess: Remove user's password from session info This prevents the password from being logged or stored in the database.
2020-10-24 20:47:03 -04:00
/* global Buffer, exports, require, setTimeout */
security: Enable authorize plugins to grant read-only access
2020-09-19 15:30:04 -04:00
const assert = require('assert').strict;
webaccess: Use `const` or `let` instead of `var`
2020-08-25 17:04:34 -04:00
const log4js = require('log4js');
const httpLogger = log4js.getLogger('http');
const settings = require('../../utils/Settings');
const hooks = require('ep_etherpad-lite/static/js/pluginfw/hooks');
webaccess: Check for read-only pad ID in `userCanModify` This currently isn't absolutely necessary because all current callers of `userCanModify` already check for a read-only pad ID themselves. However: * This adds defense in depth. * This makes it possible to simply replace the import handler's `allowAnyoneToImport` check with a call to `userCanModify`.
2020-10-01 15:44:24 -04:00
const readOnlyManager = require('../../db/ReadOnlyManager');
Moved webaccess
2012-02-25 13:38:09 +01:00
webaccess: Split authFailure hook into authnFailure and authzFailure This makes it possible for plugins to return different pages to the user depending on whether the auth failure was authn or authz.
2020-08-27 14:33:58 -04:00
hooks.deprecationNotices.authFailure = 'use the authnFailure and authzFailure hooks instead';
webaccess: Exempt `/favicon.ico` and `/locales.json` from auth checks
2020-08-29 20:28:08 -04:00
const staticPathsRE = new RegExp('^/(' + [
'api/.*',
'favicon\\.ico',
'javascripts/.*',
'locales\\.json',
'pluginfw/.*',
'static/.*',
].join('|') + ')$');
security: Fix authorization bypass vulnerability Before, a malicious user could bypass authorization restrictions imposed by the authorize hook: * Step 1: Fetch any resource that the malicious user is authorized to access (e.g., static content). * Step 2: Use the signed express_sid cookie generated in step 1 to create a socket.io connection. * Step 3: Perform the CLIENT_READY handshake for the desired pad. * Step 4: Profit! Now the authorization decision made by the authorize hook is propagated to SecurityManager so that it can approve or reject socket.io messages as appropriate. This also sets up future support for per-user read-only and modify-only (no create) authorization levels.
2020-09-11 19:26:26 -04:00
exports.normalizeAuthzLevel = (level) => {
if (!level) return false;
switch (level) {
case true:
return 'create';
security: Enable authorize plugins to grant read-only access
2020-09-19 15:30:04 -04:00
case 'readOnly':
security: Enable authorize plugins to grant modify-only access
2020-09-11 19:46:47 -04:00
case 'modify':
security: Fix authorization bypass vulnerability Before, a malicious user could bypass authorization restrictions imposed by the authorize hook: * Step 1: Fetch any resource that the malicious user is authorized to access (e.g., static content). * Step 2: Use the signed express_sid cookie generated in step 1 to create a socket.io connection. * Step 3: Perform the CLIENT_READY handshake for the desired pad. * Step 4: Profit! Now the authorization decision made by the authorize hook is propagated to SecurityManager so that it can approve or reject socket.io messages as appropriate. This also sets up future support for per-user read-only and modify-only (no create) authorization levels.
2020-09-11 19:26:26 -04:00
case 'create':
return level;
default:
httpLogger.warn(`Unknown authorization level '${level}', denying access`);
}
return false;
};
security: Enable authorize plugins to grant read-only access
2020-09-19 15:30:04 -04:00
exports.userCanModify = (padId, req) => {
webaccess: Check for read-only pad ID in `userCanModify` This currently isn't absolutely necessary because all current callers of `userCanModify` already check for a read-only pad ID themselves. However: * This adds defense in depth. * This makes it possible to simply replace the import handler's `allowAnyoneToImport` check with a call to `userCanModify`.
2020-10-01 15:44:24 -04:00
if (readOnlyManager.isReadOnlyId(padId)) return false;
security: Enable authorize plugins to grant read-only access
2020-09-19 15:30:04 -04:00
if (!settings.requireAuthentication) return true;
const {session: {user} = {}} = req;
assert(user); // If authn required and user == null, the request should have already been denied.
feature: New user-specific `readOnly` and `canCreate` settings (#4370) Also: * Group the tests for readability. * Factor out some common test setup.
2020-09-28 06:22:06 -04:00
if (user.readOnly) return false;
security: Enable authorize plugins to grant read-only access
2020-09-19 15:30:04 -04:00
assert(user.padAuthorizations); // This is populated even if !settings.requireAuthorization.
const level = exports.normalizeAuthzLevel(user.padAuthorizations[padId]);
assert(level); // If !level, the request should have already been denied.
return level !== 'readOnly';
};
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
// Exported so that tests can set this to 0 to avoid unnecessary test slowness.
exports.authnFailureDelayMs = 1000;
webaccess: Rename `basicAuth` to `checkAccess` Thanks to hooks, the function can do much more than just basic authentication.
2020-08-28 01:49:26 -04:00
exports.checkAccess = (req, res, next) => {
webaccess: Use `const` or `let` instead of `var`
2020-08-25 17:04:34 -04:00
const hookResultMangle = (cb) => {
webaccess: Use arrow functions instead of `function` keyword
2020-08-25 16:38:58 -04:00
return (err, data) => {
webaccess: Log hook errors
2020-08-29 00:24:58 -04:00
if (err != null) httpLogger.error(`Error during access check: ${err}`);
Changed the authentication mechanism to support hooks
2012-04-19 16:04:03 +02:00
return cb(!err && data.length && data[0]);
webaccess: Add semicolons after statements
2020-08-25 16:44:44 -04:00
};
};
Changed the authentication mechanism to support hooks
2012-04-19 16:04:03 +02:00
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
const requireAdmin = req.path.toLowerCase().indexOf('/admin') === 0;
webaccess: Restructure for readability and future changes * Improve the comment describing how the access check works. * Move the `authenticate` logic to where it is used so that people don't have to keep jumping back and forth to understand how the access check works. * Break up the three steps to reduce the number of indentation levels and improve readability. This should also make it easier to implement and review planned future changes.
2020-08-28 21:03:45 -04:00
// This may be called twice per access: once before authentication is checked and once after (if
// settings.requireAuthorization is true).
webaccess: Factor out common code
2020-09-12 17:23:48 -04:00
const authorize = (fail) => {
security: Fix authorization bypass vulnerability Before, a malicious user could bypass authorization restrictions imposed by the authorize hook: * Step 1: Fetch any resource that the malicious user is authorized to access (e.g., static content). * Step 2: Use the signed express_sid cookie generated in step 1 to create a socket.io connection. * Step 3: Perform the CLIENT_READY handshake for the desired pad. * Step 4: Profit! Now the authorization decision made by the authorize hook is propagated to SecurityManager so that it can approve or reject socket.io messages as appropriate. This also sets up future support for per-user read-only and modify-only (no create) authorization levels.
2020-09-11 19:26:26 -04:00
const grant = (level) => {
level = exports.normalizeAuthzLevel(level);
if (!level) return fail();
const user = req.session.user;
if (user == null) return next(); // This will happen if authentication is not required.
webaccess: Fix pad ID extraction for import and export paths
2020-10-01 21:29:38 -04:00
const encodedPadId = (req.path.match(/^\/p\/([^/]*)/) || [])[1];
security: Fix authz check for pad names with encoded characters Also: * Minor test cleanups (`function` instead of arrow functions, etc.). * Add a test for a case that was previously not covered.
2020-09-24 13:59:07 -04:00
if (encodedPadId == null) return next();
const padId = decodeURIComponent(encodedPadId);
security: Fix authorization bypass vulnerability Before, a malicious user could bypass authorization restrictions imposed by the authorize hook: * Step 1: Fetch any resource that the malicious user is authorized to access (e.g., static content). * Step 2: Use the signed express_sid cookie generated in step 1 to create a socket.io connection. * Step 3: Perform the CLIENT_READY handshake for the desired pad. * Step 4: Profit! Now the authorization decision made by the authorize hook is propagated to SecurityManager so that it can approve or reject socket.io messages as appropriate. This also sets up future support for per-user read-only and modify-only (no create) authorization levels.
2020-09-11 19:26:26 -04:00
// The user was granted access to a pad. Remember the authorization level in the user's
// settings so that SecurityManager can approve or deny specific actions.
if (user.padAuthorizations == null) user.padAuthorizations = {};
security: Fix authz check for pad names with encoded characters Also: * Minor test cleanups (`function` instead of arrow functions, etc.). * Add a test for a case that was previously not covered.
2020-09-24 13:59:07 -04:00
user.padAuthorizations[padId] = level;
security: Fix authorization bypass vulnerability Before, a malicious user could bypass authorization restrictions imposed by the authorize hook: * Step 1: Fetch any resource that the malicious user is authorized to access (e.g., static content). * Step 2: Use the signed express_sid cookie generated in step 1 to create a socket.io connection. * Step 3: Perform the CLIENT_READY handshake for the desired pad. * Step 4: Profit! Now the authorization decision made by the authorize hook is propagated to SecurityManager so that it can approve or reject socket.io messages as appropriate. This also sets up future support for per-user read-only and modify-only (no create) authorization levels.
2020-09-11 19:26:26 -04:00
return next();
};
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
const isAuthenticated = req.session && req.session.user;
if (isAuthenticated && req.session.user.is_admin) return grant('create');
const requireAuthn = requireAdmin || settings.requireAuthentication;
if (!requireAuthn) return grant('create');
if (!isAuthenticated) return grant(false);
if (requireAdmin && !req.session.user.is_admin) return grant(false);
if (!settings.requireAuthorization) return grant('create');
security: Fix authorization bypass vulnerability Before, a malicious user could bypass authorization restrictions imposed by the authorize hook: * Step 1: Fetch any resource that the malicious user is authorized to access (e.g., static content). * Step 2: Use the signed express_sid cookie generated in step 1 to create a socket.io connection. * Step 3: Perform the CLIENT_READY handshake for the desired pad. * Step 4: Profit! Now the authorization decision made by the authorize hook is propagated to SecurityManager so that it can approve or reject socket.io messages as appropriate. This also sets up future support for per-user read-only and modify-only (no create) authorization levels.
2020-09-11 19:26:26 -04:00
hooks.aCallFirst('authorize', {req, res, next, resource: req.path}, hookResultMangle(grant));
webaccess: Add semicolons after statements
2020-08-25 16:44:44 -04:00
};
More general basic auth
2012-04-19 14:25:12 +02:00
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
// Access checking is done in four steps:
webaccess: Restructure for readability and future changes * Improve the comment describing how the access check works. * Move the `authenticate` logic to where it is used so that people don't have to keep jumping back and forth to understand how the access check works. * Break up the three steps to reduce the number of indentation levels and improve readability. This should also make it easier to implement and review planned future changes.
2020-08-28 21:03:45 -04:00
//
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
// 1) Check the preAuthorize hook for early permit/deny (permit is only allowed for non-admin
// pages). If any plugin explicitly grants or denies access, skip the remaining steps.
// 2) Try to just access the thing. If access fails (perhaps authentication has not yet completed,
webaccess: Restructure for readability and future changes * Improve the comment describing how the access check works. * Move the `authenticate` logic to where it is used so that people don't have to keep jumping back and forth to understand how the access check works. * Break up the three steps to reduce the number of indentation levels and improve readability. This should also make it easier to implement and review planned future changes.
2020-08-28 21:03:45 -04:00
// or maybe different credentials are required), go to the next step.
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
// 3) Try to authenticate. (Or, if already logged in, reauthenticate with different credentials if
webaccess: Restructure for readability and future changes * Improve the comment describing how the access check works. * Move the `authenticate` logic to where it is used so that people don't have to keep jumping back and forth to understand how the access check works. * Break up the three steps to reduce the number of indentation levels and improve readability. This should also make it easier to implement and review planned future changes.
2020-08-28 21:03:45 -04:00
// supported by the authn scheme.) If authentication fails, give the user a 401 error to
// request new credentials. Otherwise, go to the next step.
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
// 4) Try to access the thing again. If this fails, give the user a 403 error.
webaccess: Restructure for readability and future changes * Improve the comment describing how the access check works. * Move the `authenticate` logic to where it is used so that people don't have to keep jumping back and forth to understand how the access check works. * Break up the three steps to reduce the number of indentation levels and improve readability. This should also make it easier to implement and review planned future changes.
2020-08-28 21:03:45 -04:00
//
// Plugins can use the 'next' callback (from the hook's context) to break out at any point (e.g.,
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
// to process an OAuth callback). Plugins can use the preAuthzFailure, authnFailure, and
// authzFailure hooks to override the default error handling behavior (e.g., to redirect to a
// login page).
let step1PreAuthorize, step2PreAuthenticate, step3Authenticate, step4Authorize;
step1PreAuthorize = () => {
// This aCallFirst predicate will cause aCallFirst to call the hook functions one at a time
// until one of them returns a non-empty list, with an exception: If the request is for an
// /admin page, truthy entries are filtered out before checking to see whether the list is
// empty. This prevents plugin authors from accidentally granting admin privileges to the
// general public.
const predicate = (results) => (results != null &&
results.filter((x) => (!requireAdmin || !x)).length > 0);
hooks.aCallFirst('preAuthorize', {req, res, next}, (err, results) => {
if (err != null) {
httpLogger.error('Error in preAuthorize hook:', err);
return res.status(500).send('Internal Server Error');
}
webaccess: Exempt `/favicon.ico` and `/locales.json` from auth checks
2020-08-29 20:28:08 -04:00
if (req.path.match(staticPathsRE)) results.push(true);
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
if (requireAdmin) {
// Filter out all 'true' entries to prevent plugin authors from accidentally granting admin
// privileges to the general public.
results = results.filter((x) => !x);
}
if (results.length > 0) {
// Access was explicitly granted or denied. If any value is false then access is denied.
if (results.every((x) => x)) return next();
return hooks.aCallFirst('preAuthzFailure', {req, res}, hookResultMangle((ok) => {
if (ok) return;
// No plugin handled the pre-authentication authorization failure.
res.status(403).send('Forbidden');
}));
}
step2PreAuthenticate();
}, predicate);
};
webaccess: Restructure for readability and future changes * Improve the comment describing how the access check works. * Move the `authenticate` logic to where it is used so that people don't have to keep jumping back and forth to understand how the access check works. * Break up the three steps to reduce the number of indentation levels and improve readability. This should also make it easier to implement and review planned future changes.
2020-08-28 21:03:45 -04:00
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
step2PreAuthenticate = () => authorize(step3Authenticate);
More general basic auth
2012-04-19 14:25:12 +02:00
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
step3Authenticate = () => {
webaccess: Pass `settings.users` to the authenticate hook Authentication plugins almost always want to read and modify `settings.users`. The settings can already be accessed in a few other ways, but this is much more convenient.
2020-08-27 01:00:36 -04:00
if (settings.users == null) settings.users = {};
const ctx = {req, res, users: settings.users, next};
webaccess: Restructure for readability and future changes * Improve the comment describing how the access check works. * Move the `authenticate` logic to where it is used so that people don't have to keep jumping back and forth to understand how the access check works. * Break up the three steps to reduce the number of indentation levels and improve readability. This should also make it easier to implement and review planned future changes.
2020-08-28 21:03:45 -04:00
// If the HTTP basic auth header is present, extract the username and password so it can be
// given to authn plugins.
const httpBasicAuth =
req.headers.authorization && req.headers.authorization.search('Basic ') === 0;
if (httpBasicAuth) {
const userpass =
Buffer.from(req.headers.authorization.split(' ')[1], 'base64').toString().split(':');
ctx.username = userpass.shift();
ctx.password = userpass.join(':');
}
hooks.aCallFirst('authenticate', ctx, hookResultMangle((ok) => {
if (!ok) {
webaccess: Log all authentication successes/failures This loses some of the granularity of the default HTTP basic auth (unknown username vs. bad password), but there is considerable value in having logging that is consistent no matter what authentication plugins are installed.
2020-08-27 21:41:31 -04:00
// Fall back to HTTP basic auth.
if (!httpBasicAuth || !(ctx.username in settings.users) ||
settings.users[ctx.username].password !== ctx.password) {
httpLogger.info(`Failed authentication from IP ${req.ip}`);
webaccess: Split authFailure hook into authnFailure and authzFailure This makes it possible for plugins to return different pages to the user depending on whether the auth failure was authn or authz.
2020-08-27 14:33:58 -04:00
return hooks.aCallFirst('authnFailure', {req, res}, hookResultMangle((ok) => {
webaccess: Return 401 for authn failure, 403 for authz failure This makes it possible for reverse proxies to transform 403 errors into something like "upgrade to a premium account to access this pad". Also add some webaccess tests.
2020-08-26 22:08:07 -04:00
if (ok) return;
webaccess: Split authFailure hook into authnFailure and authzFailure This makes it possible for plugins to return different pages to the user depending on whether the auth failure was authn or authz.
2020-08-27 14:33:58 -04:00
return hooks.aCallFirst('authFailure', {req, res, next}, hookResultMangle((ok) => {
if (ok) return;
// No plugin handled the authentication failure. Fall back to basic authentication.
res.header('WWW-Authenticate', 'Basic realm="Protected Area"');
// Delay the error response for 1s to slow down brute force attacks.
setTimeout(() => {
res.status(401).send('Authentication Required');
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
}, exports.authnFailureDelayMs);
webaccess: Split authFailure hook into authnFailure and authzFailure This makes it possible for plugins to return different pages to the user depending on whether the auth failure was authn or authz.
2020-08-27 14:33:58 -04:00
}));
webaccess: Return 401 for authn failure, 403 for authz failure This makes it possible for reverse proxies to transform 403 errors into something like "upgrade to a premium account to access this pad". Also add some webaccess tests.
2020-08-26 22:08:07 -04:00
}));
webaccess: Restructure for readability and future changes * Improve the comment describing how the access check works. * Move the `authenticate` logic to where it is used so that people don't have to keep jumping back and forth to understand how the access check works. * Break up the three steps to reduce the number of indentation levels and improve readability. This should also make it easier to implement and review planned future changes.
2020-08-28 21:03:45 -04:00
}
settings.users[ctx.username].username = ctx.username;
webaccess: Remove user's password from session info This prevents the password from being logged or stored in the database.
2020-10-24 20:47:03 -04:00
// Make a shallow copy so that the password property can be deleted (to prevent it from
// appearing in logs or in the database) without breaking future authentication attempts.
req.session.user = {...settings.users[ctx.username]};
delete req.session.user.password;
webaccess: Restructure for readability and future changes * Improve the comment describing how the access check works. * Move the `authenticate` logic to where it is used so that people don't have to keep jumping back and forth to understand how the access check works. * Break up the three steps to reduce the number of indentation levels and improve readability. This should also make it easier to implement and review planned future changes.
2020-08-28 21:03:45 -04:00
}
webaccess: Enforce creation of `req.session.user` by authn plugins The authorization logic determines whether the user has already successfully authenticated by looking to see if `req.session.user` exists. If an authentication plugin says that it successfully authenticated the user but it did not create `req.session.user` then authentication will re-run for every access, and authorization plugins will be unable to determine whether the user has been authenticated. Return a 500 internal server error to prevent these problems.
2020-08-27 14:28:14 -04:00
if (req.session.user == null) {
httpLogger.error('authenticate hook failed to add user settings to session');
res.status(500).send('Internal Server Error');
return;
}
webaccess: Log all authentication successes/failures This loses some of the granularity of the default HTTP basic auth (unknown username vs. bad password), but there is considerable value in having logging that is consistent no matter what authentication plugins are installed.
2020-08-27 21:41:31 -04:00
let username = req.session.user.username;
username = (username != null) ? username : '<no username>';
httpLogger.info(`Successful authentication from IP ${req.ip} for username ${username}`);
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
step4Authorize();
webaccess: Restructure for readability and future changes * Improve the comment describing how the access check works. * Move the `authenticate` logic to where it is used so that people don't have to keep jumping back and forth to understand how the access check works. * Break up the three steps to reduce the number of indentation levels and improve readability. This should also make it easier to implement and review planned future changes.
2020-08-28 21:03:45 -04:00
}));
};
Use the cookie parser middleware
2015-05-07 18:14:55 +01:00
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
step4Authorize = () => authorize(() => {
webaccess: Split authFailure hook into authnFailure and authzFailure This makes it possible for plugins to return different pages to the user depending on whether the auth failure was authn or authz.
2020-08-27 14:33:58 -04:00
return hooks.aCallFirst('authzFailure', {req, res}, hookResultMangle((ok) => {
webaccess: Return 401 for authn failure, 403 for authz failure This makes it possible for reverse proxies to transform 403 errors into something like "upgrade to a premium account to access this pad". Also add some webaccess tests.
2020-08-26 22:08:07 -04:00
if (ok) return;
webaccess: Split authFailure hook into authnFailure and authzFailure This makes it possible for plugins to return different pages to the user depending on whether the auth failure was authn or authz.
2020-08-27 14:33:58 -04:00
return hooks.aCallFirst('authFailure', {req, res, next}, hookResultMangle((ok) => {
if (ok) return;
// No plugin handled the authorization failure.
res.status(403).send('Forbidden');
}));
webaccess: Return 401 for authn failure, 403 for authz failure This makes it possible for reverse proxies to transform 403 errors into something like "upgrade to a premium account to access this pad". Also add some webaccess tests.
2020-08-26 22:08:07 -04:00
}));
});
webaccess: Restructure for readability and future changes * Improve the comment describing how the access check works. * Move the `authenticate` logic to where it is used so that people don't have to keep jumping back and forth to understand how the access check works. * Break up the three steps to reduce the number of indentation levels and improve readability. This should also make it easier to implement and review planned future changes.
2020-08-28 21:03:45 -04:00
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
step1PreAuthorize();
webaccess: Add semicolons after statements
2020-08-25 16:44:44 -04:00
};
Moved webaccess
2012-02-25 13:38:09 +01:00
webaccess: Use arrow functions instead of `function` keyword
2020-08-25 16:38:58 -04:00
exports.expressConfigure = (hook_name, args, cb) => {
webaccess: Rename `basicAuth` to `checkAccess` Thanks to hooks, the function can do much more than just basic authentication.
2020-08-28 01:49:26 -04:00
args.app.use(exports.checkAccess);
hooks: Call the callback when done If a hook function neither calls the callback nor returns a (non-undefined) value then there's no way for the hook system to know if/when the hook function has finished.
2020-10-10 22:51:26 -04:00
return cb();
webaccess: Add semicolons after statements
2020-08-25 16:44:44 -04:00
};
Reference in a new issue Copy permalink