2017-07-24 16:24:21 +01:00
|
|
|
// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
|
|
|
|
|
//
|
|
|
|
|
// This software (Documize Community Edition) is licensed under
|
|
|
|
|
// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
|
|
|
|
|
//
|
|
|
|
|
// You can operate outside the AGPL restrictions by purchasing
|
|
|
|
|
// Documize Enterprise Edition and obtaining a commercial license
|
|
|
|
|
// by contacting <sales@documize.com>.
|
|
|
|
|
//
|
|
|
|
|
// https://documize.com
|
|
|
|
|
|
|
|
|
|
package auth
|
|
|
|
|
|
2017-07-26 20:03:23 +01:00
|
|
|
import (
|
|
|
|
|
"database/sql"
|
|
|
|
|
"errors"
|
|
|
|
|
"net/http"
|
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
|
|
"github.com/documize/community/core/env"
|
|
|
|
|
"github.com/documize/community/core/response"
|
|
|
|
|
"github.com/documize/community/core/secrets"
|
|
|
|
|
"github.com/documize/community/domain"
|
|
|
|
|
"github.com/documize/community/domain/organization"
|
|
|
|
|
"github.com/documize/community/domain/section/provider"
|
2018-09-27 15:14:48 +01:00
|
|
|
"github.com/documize/community/domain/store"
|
2017-07-26 20:03:23 +01:00
|
|
|
"github.com/documize/community/domain/user"
|
|
|
|
|
"github.com/documize/community/model/auth"
|
|
|
|
|
"github.com/documize/community/model/org"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Handler contains the runtime information such as logging and database.
|
|
|
|
|
type Handler struct {
|
|
|
|
|
Runtime *env.Runtime
|
2018-09-27 15:14:48 +01:00
|
|
|
Store *store.Store
|
2017-07-26 20:03:23 +01:00
|
|
|
}
|
2017-07-24 16:24:21 +01:00
|
|
|
|
2017-07-26 20:03:23 +01:00
|
|
|
// Login user based up HTTP Authorization header.
|
|
|
|
|
// An encrypted authentication token is issued with an expiry date.
|
|
|
|
|
func (h *Handler) Login(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
method := "auth.Login"
|
|
|
|
|
ctx := domain.GetRequestContext(r)
|
2017-07-24 16:24:21 +01:00
|
|
|
|
|
|
|
|
// check for http header
|
|
|
|
|
authHeader := r.Header.Get("Authorization")
|
|
|
|
|
if len(authHeader) == 0 {
|
|
|
|
|
response.WriteBadRequestError(w, method, "Missing Authorization header")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// decode what we received
|
|
|
|
|
data := strings.Replace(authHeader, "Basic ", "", 1)
|
|
|
|
|
|
|
|
|
|
decodedBytes, err := secrets.DecodeBase64([]byte(data))
|
|
|
|
|
if err != nil {
|
|
|
|
|
response.WriteBadRequestError(w, method, "Unable to decode authentication token")
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("decode auth header", err)
|
2017-07-24 16:24:21 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
decoded := string(decodedBytes)
|
|
|
|
|
|
|
|
|
|
// check that we have domain:email:password (but allow for : in password field!)
|
|
|
|
|
credentials := strings.SplitN(decoded, ":", 3)
|
|
|
|
|
if len(credentials) != 3 {
|
|
|
|
|
response.WriteBadRequestError(w, method, "Bad authentication token, expecting domain:email:password")
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("bad auth token", err)
|
2017-07-24 16:24:21 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dom := strings.TrimSpace(strings.ToLower(credentials[0]))
|
|
|
|
|
email := strings.TrimSpace(strings.ToLower(credentials[1]))
|
|
|
|
|
password := credentials[2]
|
2017-08-27 16:39:09 +01:00
|
|
|
|
|
|
|
|
dom = h.Store.Organization.CheckDomain(ctx, dom) // TODO optimize by removing this once js allows empty domains
|
|
|
|
|
|
2017-07-24 16:24:21 +01:00
|
|
|
h.Runtime.Log.Info("logon attempt " + email + " @ " + dom)
|
|
|
|
|
|
2017-07-26 20:03:23 +01:00
|
|
|
u, err := h.Store.User.GetByDomain(ctx, dom, email)
|
2017-07-24 16:24:21 +01:00
|
|
|
if err == sql.ErrNoRows {
|
|
|
|
|
response.WriteUnauthorizedError(w)
|
|
|
|
|
return
|
|
|
|
|
}
|
2017-08-31 18:01:07 +01:00
|
|
|
if err != nil && err != sql.ErrNoRows {
|
2017-07-24 16:24:21 +01:00
|
|
|
response.WriteServerError(w, method, err)
|
2018-09-20 12:47:47 +01:00
|
|
|
h.Runtime.Log.Error("unable to fetch user", err)
|
2017-07-24 16:24:21 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if len(u.Reset) > 0 || len(u.Password) == 0 {
|
|
|
|
|
response.WriteUnauthorizedError(w)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Password correct and active user
|
|
|
|
|
if email != strings.TrimSpace(strings.ToLower(u.Email)) || !secrets.MatchPassword(u.Password, password, u.Salt) {
|
|
|
|
|
response.WriteUnauthorizedError(w)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-08-02 15:58:39 +01:00
|
|
|
org, err := h.Store.Organization.GetOrganizationByDomain(dom)
|
2017-07-24 16:24:21 +01:00
|
|
|
if err != nil {
|
|
|
|
|
response.WriteUnauthorizedError(w)
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("bad auth organization", err)
|
2017-07-24 16:24:21 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Attach user accounts and work out permissions
|
2017-07-26 20:03:23 +01:00
|
|
|
user.AttachUserAccounts(ctx, *h.Store, org.RefID, &u)
|
2017-07-24 16:24:21 +01:00
|
|
|
if len(u.Accounts) == 0 {
|
|
|
|
|
response.WriteUnauthorizedError(w)
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("bad auth accounts", err)
|
2017-07-24 16:24:21 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-04 12:27:56 -04:00
|
|
|
h.Runtime.Log.Info("logged in " + email + " @ " + dom)
|
2017-08-27 16:39:09 +01:00
|
|
|
|
2017-07-26 20:03:23 +01:00
|
|
|
authModel := auth.AuthenticationModel{}
|
2017-07-24 16:24:21 +01:00
|
|
|
authModel.Token = GenerateJWT(h.Runtime, u.RefID, org.RefID, dom)
|
|
|
|
|
authModel.User = u
|
|
|
|
|
|
|
|
|
|
response.WriteJSON(w, authModel)
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-26 20:03:23 +01:00
|
|
|
// ValidateToken finds and validates authentication token.
|
2019-03-27 15:09:48 -04:00
|
|
|
// TODO: remove
|
2017-07-26 20:03:23 +01:00
|
|
|
func (h *Handler) ValidateToken(w http.ResponseWriter, r *http.Request) {
|
2017-07-24 16:24:21 +01:00
|
|
|
// TODO should this go after token validation?
|
|
|
|
|
if s := r.URL.Query().Get("section"); s != "" {
|
2017-08-02 15:26:31 +01:00
|
|
|
if err := provider.Callback(s, h.Runtime, h.Store, w, r); err != nil {
|
2017-07-24 16:24:21 +01:00
|
|
|
w.WriteHeader(http.StatusUnauthorized)
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("section validation failure", err)
|
2017-07-24 16:24:21 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
token := FindJWT(r)
|
|
|
|
|
rc, _, tokenErr := DecodeJWT(h.Runtime, token)
|
|
|
|
|
|
2017-07-26 20:03:23 +01:00
|
|
|
var org = org.Organization{}
|
2017-07-24 16:24:21 +01:00
|
|
|
var err = errors.New("")
|
|
|
|
|
|
|
|
|
|
// We always grab the org record regardless of token status.
|
|
|
|
|
// Why? If bad token we might be OK to alow anonymous access
|
|
|
|
|
// depending upon the domain in question.
|
|
|
|
|
if len(rc.OrgID) == 0 {
|
2017-07-26 20:03:23 +01:00
|
|
|
dom := organization.GetRequestSubdomain(r)
|
2017-08-02 15:58:39 +01:00
|
|
|
org, err = h.Store.Organization.GetOrganizationByDomain(dom)
|
2017-07-24 16:24:21 +01:00
|
|
|
} else {
|
2017-07-26 20:03:23 +01:00
|
|
|
org, err = h.Store.Organization.GetOrganization(rc, rc.OrgID)
|
2017-07-24 16:24:21 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rc.Subdomain = org.Domain
|
|
|
|
|
|
|
|
|
|
// Inability to find org record spells the end of this request.
|
|
|
|
|
if err != nil {
|
2017-07-26 20:03:23 +01:00
|
|
|
response.WriteUnauthorizedError(w)
|
2017-07-24 16:24:21 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If we have bad auth token and the domain does not allow anon access
|
|
|
|
|
if !org.AllowAnonymousAccess && tokenErr != nil {
|
2017-07-26 20:03:23 +01:00
|
|
|
response.WriteUnauthorizedError(w)
|
2017-07-24 16:24:21 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-26 20:03:23 +01:00
|
|
|
dom := organization.GetSubdomainFromHost(r)
|
|
|
|
|
dom2 := organization.GetRequestSubdomain(r)
|
2017-07-24 16:24:21 +01:00
|
|
|
if org.Domain != dom && org.Domain != dom2 {
|
2017-07-26 20:03:23 +01:00
|
|
|
response.WriteUnauthorizedError(w)
|
2017-07-24 16:24:21 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If we have bad auth token and the domain allows anon access
|
|
|
|
|
// then we generate guest rc.
|
|
|
|
|
if org.AllowAnonymousAccess {
|
|
|
|
|
// So you have a bad token
|
|
|
|
|
if len(token) > 1 {
|
|
|
|
|
if tokenErr != nil {
|
2017-07-26 20:03:23 +01:00
|
|
|
response.WriteUnauthorizedError(w)
|
2017-07-24 16:24:21 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
// Just grant anon user guest access
|
|
|
|
|
rc.UserID = "0"
|
|
|
|
|
rc.OrgID = org.RefID
|
|
|
|
|
rc.Authenticated = false
|
|
|
|
|
rc.Guest = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rc.AllowAnonymousAccess = org.AllowAnonymousAccess
|
|
|
|
|
rc.OrgName = org.Title
|
|
|
|
|
rc.Administrator = false
|
|
|
|
|
rc.Editor = false
|
2018-09-19 16:03:29 +01:00
|
|
|
rc.GlobalAdmin = false
|
2017-07-24 16:24:21 +01:00
|
|
|
rc.AppURL = r.Host
|
2017-07-26 20:03:23 +01:00
|
|
|
rc.Subdomain = organization.GetSubdomainFromHost(r)
|
2017-07-24 16:24:21 +01:00
|
|
|
rc.SSL = r.TLS != nil
|
|
|
|
|
|
|
|
|
|
// Fetch user permissions for this org
|
|
|
|
|
if !rc.Authenticated {
|
2017-07-26 20:03:23 +01:00
|
|
|
response.WriteUnauthorizedError(w)
|
2017-07-24 16:24:21 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-26 20:03:23 +01:00
|
|
|
u, err := user.GetSecuredUser(rc, *h.Store, org.RefID, rc.UserID)
|
2017-07-24 16:24:21 +01:00
|
|
|
if err != nil {
|
2017-07-26 20:03:23 +01:00
|
|
|
response.WriteUnauthorizedError(w)
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("ValidateToken", err)
|
2017-07-24 16:24:21 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rc.Administrator = u.Admin
|
|
|
|
|
rc.Editor = u.Editor
|
2018-09-19 16:03:29 +01:00
|
|
|
rc.GlobalAdmin = u.GlobalAdmin
|
2017-07-24 16:24:21 +01:00
|
|
|
|
|
|
|
|
response.WriteJSON(w, u)
|
|
|
|
|
}
|
