165 lines
5.1 KiB
JavaScript
165 lines
5.1 KiB
JavaScript
import express from 'express'
|
|
import bcrypt from 'bcrypt'
|
|
import { PromiseOAuth2 } from 'oauth-libre'
|
|
import crypto from 'crypto'
|
|
import { dbPromise } from './database'
|
|
|
|
const router = express.Router()
|
|
|
|
async function userInfoPublic (id) {
|
|
const db = await dbPromise
|
|
const u = await db.get('SELECT id, username, image FROM User WHERE id = ?', id)
|
|
if (!u) return {}
|
|
return {
|
|
id: u.id,
|
|
username: u.username,
|
|
image: u.image
|
|
}
|
|
}
|
|
|
|
export async function userInfo (id) {
|
|
const db = await dbPromise
|
|
return db.get('SELECT * FROM User WHERE id = ?', id)
|
|
}
|
|
|
|
export function userMiddleware (req, res, next) {
|
|
if (!req.session || !req.session.user) return res.status(401).jsonp({ error: 'Unauthorized' })
|
|
next()
|
|
}
|
|
|
|
export function user (oauth, registrations) {
|
|
router.get('/info', userMiddleware, async (req, res) => {
|
|
res.jsonp(await userInfoPublic(req.session.user))
|
|
})
|
|
|
|
router.get('/info/:id', userMiddleware, async (req, res) => {
|
|
if (isNaN(parseInt(req.params.id))) throw new Error('Invalid user ID!')
|
|
res.jsonp(await userInfoPublic(parseInt(req.params.id)))
|
|
})
|
|
|
|
if (!oauth) return router
|
|
|
|
const oauth2 = new PromiseOAuth2(oauth.clientId, oauth.clientSecret, oauth.baseUrl, oauth.authorizePath, oauth.tokenPath)
|
|
|
|
router.get('/login/oauth/_redirect', async (req, res) => {
|
|
const code = req.query.code
|
|
const state = req.query.state
|
|
if (!code || !state) throw new Error('Something went wrong!')
|
|
if (!req.session || !req.session.oauthState || req.session.oauthState !== state) throw new Error('Possible request forgery detected! Try again.')
|
|
|
|
delete req.session.oauthState
|
|
|
|
let tokens
|
|
try {
|
|
tokens = await oauth2.getOAuthAccessToken(code, { grant_type: 'authorization_code', redirect_uri: oauth.redirectUri })
|
|
} catch (e) {
|
|
throw new Error('No authorization!')
|
|
}
|
|
|
|
const accessToken = tokens[2].access_token
|
|
|
|
// Get user information on remote
|
|
let userInfo
|
|
try {
|
|
userInfo = await oauth2.get(oauth.baseUrl + oauth.userPath, accessToken)
|
|
userInfo = JSON.parse(userInfo)
|
|
} catch (e) {
|
|
userInfo = null
|
|
}
|
|
|
|
if (!userInfo) throw new Error('Couldn\'t get user information!')
|
|
|
|
// Let's see if there's a link for this user already..
|
|
const db = await dbPromise
|
|
const userLocal = await db.get('SELECT * FROM OAuth WHERE remoteId = ?', userInfo.id)
|
|
|
|
// User and link both exist
|
|
if (userLocal) {
|
|
if (req.session.user) throw new Error('You are already logged in!')
|
|
|
|
req.session.user = userLocal.userId
|
|
return res.redirect('/')
|
|
}
|
|
|
|
// If we're logged in, create a link
|
|
if (req.session.user) {
|
|
await db.run('INSERT INTO OAuth (userId,remoteId,created) VALUES (?,?,?)', req.session.user, userInfo.id, new Date())
|
|
return res.redirect('/')
|
|
}
|
|
|
|
if (!registrations) throw new Error('Registrations are currently closed!')
|
|
|
|
// Create a new user and log in
|
|
await db.run('INSERT INTO User (username,email,image,created) VALUES (?,?,?,?)', userInfo.username, userInfo.email, userInfo.image, new Date())
|
|
|
|
const newU = await db.get('SELECT * FROM User WHERE username = ?', userInfo.username)
|
|
|
|
if (!newU) throw new Error('Something went wrong!')
|
|
|
|
await db.run('INSERT INTO OAuth (userId,remoteId,created) VALUES (?,?,?)', newU.id, userInfo.id, new Date())
|
|
|
|
req.session.user = newU.id
|
|
res.redirect('/')
|
|
})
|
|
|
|
router.get('/login/oauth', async (req, res) => {
|
|
const state = crypto.randomBytes(16).toString('hex')
|
|
req.session.oauthState = state
|
|
|
|
return res.redirect(oauth2.getAuthorizeUrl({
|
|
redirect_uri: oauth.redirectUri,
|
|
scope: oauth.scope,
|
|
response_type: 'code',
|
|
state: state
|
|
}))
|
|
})
|
|
|
|
router.use('/login', async (req, res, next) => {
|
|
if (req.session && req.session.user) return res.redirect('/')
|
|
const header = req.get('authorization') || ''
|
|
const token = header.split(/\s+/).pop() || ''
|
|
const auth = Buffer.from(token, 'base64').toString()
|
|
const parts = auth.split(/:/)
|
|
const username = parts[0]
|
|
const password = parts[1]
|
|
|
|
const message = oauth != null ? 'Enter \'oauth\' to log in remotely.' : 'Log in'
|
|
req.message = message
|
|
|
|
if ((!username || !password) && (username !== 'oauth' && oauth)) {
|
|
return next()
|
|
}
|
|
|
|
if ((username === 'oauth' || username === 'oa') && oauth) {
|
|
return res.redirect('/user/login/oauth')
|
|
}
|
|
|
|
const db = await dbPromise
|
|
const user = await db.get('SELECT * FROM User WHERE username = ?', username)
|
|
if (!user) return next()
|
|
|
|
if (!user.password && oauth) {
|
|
return res.redirect('/user/login/oauth')
|
|
}
|
|
|
|
// Compare passwords
|
|
const ures = await bcrypt.compare(password, user.password)
|
|
if (!ures) return next()
|
|
|
|
// Set login success
|
|
req.message = ''
|
|
req.session.user = user.id
|
|
res.redirect('/')
|
|
}, function (req, res, next) {
|
|
if (!req.message) return next()
|
|
res.status(401).set('WWW-Authenticate', 'Basic realm="' + req.message + '", charset="UTF-8"').end()
|
|
})
|
|
|
|
router.use('/logout', function (req, res) {
|
|
delete req.session.user
|
|
res.redirect('/')
|
|
})
|
|
|
|
return router
|
|
}
|