planka/server/api/hooks/current-user/index.js

/*!
 * Copyright (c) 2024 PLANKA Software GmbH
 * Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md
 */

/**
 * current-user hook
 *
 * @description :: A hook definition. Extends Sails by adding shadow routes, implicit actions,
 *                 and/or initialization logic.
 * @docs        :: https://sailsjs.com/docs/concepts/extending-sails/hooks
 */

module.exports = function defineCurrentUserHook(sails) {
  const TOKEN_PATTERN = /^Bearer /;

  const getSessionAndUser = async (accessToken, httpOnlyToken) => {
    let payload;
    try {
      payload = sails.helpers.utils.verifyJwtToken(accessToken);
    } catch (error) {
      return null;
    }

    const session = await Session.qm.getOneUndeletedByAccessToken(accessToken);

    if (!session) {
      return null;
    }

    if (session.httpOnlyToken && httpOnlyToken !== session.httpOnlyToken) {
      return null;
    }

    const user = await User.qm.getOneById(payload.subject, {
      withDeactivated: false,
    });

    if (!user) {
      return null;
    }

    if (user.passwordChangedAt > payload.issuedAt) {
      return null;
    }

    return {
      session,
      user,
    };
  };

  return {
    /**
     * Runs when this Sails app loads/lifts.
     */

    async initialize() {
      sails.log.info('Initializing custom hook (`current-user`)');
    },

    routes: {
      before: {
        '/api/*': {
          async fn(req, res, next) {
            const { authorization: authorizationHeader } = req.headers;

            if (authorizationHeader && TOKEN_PATTERN.test(authorizationHeader)) {
              const accessToken = authorizationHeader.replace(TOKEN_PATTERN, '');
              const { internalAccessToken } = sails.config.custom;

              if (internalAccessToken && accessToken === internalAccessToken) {
                req.currentUser = User.INTERNAL;
              } else {
                const { httpOnlyToken } = req.cookies;
                const sessionAndUser = await getSessionAndUser(accessToken, httpOnlyToken);

                if (sessionAndUser) {
                  const { session, user } = sessionAndUser;

                  if (user.language) {
                    req.setLocale(user.language);
                  }

                  Object.assign(req, {
                    currentSession: session,
                    currentUser: user,
                  });

                  if (req.isSocket) {
                    sails.sockets.join(req, `@accessToken:${session.accessToken}`);
                    sails.sockets.join(req, `@user:${user.id}`);
                  }
                }
              }
            }

            return next();
          },
        },
        '/attachments/*': {
          async fn(req, res, next) {
            const { accessToken, httpOnlyToken } = req.cookies;

            if (accessToken) {
              const sessionAndUser = await getSessionAndUser(accessToken, httpOnlyToken);

              if (sessionAndUser) {
                const { session, user } = sessionAndUser;

                Object.assign(req, {
                  currentSession: session,
                  currentUser: user,
                });
              }
            }

            return next();
          },
        },
      },
    },
  };
};
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`/*!`
			`* Copyright (c) 2024 PLANKA Software GmbH`
			`* Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md`
			`*/`

Initial commit 2019-08-31 04:07:25 +05:00			`/**`
			`* current-user hook`
			`*`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`* @description :: A hook definition. Extends Sails by adding shadow routes, implicit actions,`
			`* and/or initialization logic.`
Initial commit 2019-08-31 04:07:25 +05:00			`* @docs :: https://sailsjs.com/docs/concepts/extending-sails/hooks`
			`*/`

			`module.exports = function defineCurrentUserHook(sails) {`
			`const TOKEN_PATTERN = /^Bearer /;`

feat: Additional httpOnly token for enhanced security in browsers 2024-09-01 09:31:04 +02:00			`const getSessionAndUser = async (accessToken, httpOnlyToken) => {`
feat: Improve security of access tokens (#279) Closes #275 2022-08-09 18:03:21 +02:00			`let payload;`
Initial commit 2019-08-31 04:07:25 +05:00			`try {`
feat: Additional httpOnly token for enhanced security in browsers 2024-09-01 09:31:04 +02:00			`payload = sails.helpers.utils.verifyJwtToken(accessToken);`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`} catch (error) {`
			`return null;`
Initial commit 2019-08-31 04:07:25 +05:00			`}`

feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`const session = await Session.qm.getOneUndeletedByAccessToken(accessToken);`
feat: Invalidate access token on logout 2022-09-07 18:39:33 +05:00
			`if (!session) {`
			`return null;`
			`}`

feat: Additional httpOnly token for enhanced security in browsers 2024-09-01 09:31:04 +02:00			`if (session.httpOnlyToken && httpOnlyToken !== session.httpOnlyToken) {`
			`return null;`
			`}`

feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`const user = await User.qm.getOneById(payload.subject, {`
			`withDeactivated: false,`
			`});`
feat: Improve security of access tokens (#279) Closes #275 2022-08-09 18:03:21 +02:00
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`if (!user) {`
			`return null;`
			`}`

			`if (user.passwordChangedAt > payload.issuedAt) {`
feat: Improve security of access tokens (#279) Closes #275 2022-08-09 18:03:21 +02:00			`return null;`
			`}`

feat: Additional httpOnly token for enhanced security in browsers 2024-09-01 09:31:04 +02:00			`return {`
			`session,`
			`user,`
			`};`
Initial commit 2019-08-31 04:07:25 +05:00			`};`

			`return {`
			`/**`
			`* Runs when this Sails app loads/lifts.`
			`*/`

Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`async initialize() {`
Initial commit 2019-08-31 04:07:25 +05:00			sails.log.info('Initializing custom hook (`current-user`)');
			`},`

			`routes: {`
			`before: {`
feat: Improve security of access tokens (#279) Closes #275 2022-08-09 18:03:21 +02:00			`'/api/*': {`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`async fn(req, res, next) {`
feat: Improve security of access tokens (#279) Closes #275 2022-08-09 18:03:21 +02:00			`const { authorization: authorizationHeader } = req.headers;`

			`if (authorizationHeader && TOKEN_PATTERN.test(authorizationHeader)) {`
			`const accessToken = authorizationHeader.replace(TOKEN_PATTERN, '');`
feat: Add `INTERNAL_ACCESS_TOKEN` to support internal user configuration 2025-07-07 21:35:37 +02:00			`const { internalAccessToken } = sails.config.custom;`

			`if (internalAccessToken && accessToken === internalAccessToken) {`
			`req.currentUser = User.INTERNAL;`
			`} else {`
			`const { httpOnlyToken } = req.cookies;`
			`const sessionAndUser = await getSessionAndUser(accessToken, httpOnlyToken);`

			`if (sessionAndUser) {`
			`const { session, user } = sessionAndUser;`

			`if (user.language) {`
			`req.setLocale(user.language);`
			`}`

			`Object.assign(req, {`
			`currentSession: session,`
			`currentUser: user,`
			`});`

			`if (req.isSocket) {`
			sails.sockets.join(req, `@accessToken:${session.accessToken}`);
			sails.sockets.join(req, `@user:${user.id}`);
			`}`
fix: Socket bug fixes and improvements 2022-10-03 12:11:19 +02:00			`}`
feat: Invalidate access token on logout 2022-09-07 18:39:33 +05:00			`}`
Initial commit 2019-08-31 04:07:25 +05:00			`}`

feat: Improve security of access tokens (#279) Closes #275 2022-08-09 18:03:21 +02:00			`return next();`
			`},`
			`},`
			`'/attachments/*': {`
			`async fn(req, res, next) {`
feat: Additional httpOnly token for enhanced security in browsers 2024-09-01 09:31:04 +02:00			`const { accessToken, httpOnlyToken } = req.cookies;`
feat: Invalidate access token on logout 2022-09-07 18:39:33 +05:00
			`if (accessToken) {`
feat: Additional httpOnly token for enhanced security in browsers 2024-09-01 09:31:04 +02:00			`const sessionAndUser = await getSessionAndUser(accessToken, httpOnlyToken);`

			`if (sessionAndUser) {`
			`const { session, user } = sessionAndUser;`
feat: Invalidate access token on logout 2022-09-07 18:39:33 +05:00
			`Object.assign(req, {`
feat: Additional httpOnly token for enhanced security in browsers 2024-09-01 09:31:04 +02:00			`currentSession: session,`
			`currentUser: user,`
feat: Invalidate access token on logout 2022-09-07 18:39:33 +05:00			`});`
			`}`
feat: Improve security of access tokens (#279) Closes #275 2022-08-09 18:03:21 +02:00			`}`

Initial commit 2019-08-31 04:07:25 +05:00			`return next();`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`},`
			`},`
			`},`
			`},`
Initial commit 2019-08-31 04:07:25 +05:00			`};`
			`};`