[ENG-1037] - Token fixes and client_id with custom name

Phara0h · Sep 11, 2019 · 3188130 · 3188130
1 parent 91a1e6b
commit 3188130
Show file tree

Hide file tree

Showing 7 changed files with 57 additions and 23 deletions.
diff --git a/include/database/index.js b/include/database/index.js
@@ -195,22 +195,23 @@ class Database {
 
           await anon.save();
 
-          router.groups[anon.name] = this.groupInheritedMerge(anon, grps);
+          //router.groups[anon.name] = this.groupInheritedMerge(anon, grps);
 
           var admin = await Group.create({
             name: "superadmin",
             type: "group",
             allowed: [],
-            is_default: true
+            is_default: true,
+            inherited: [anon.id]
           })
 
           admin.addRoute({
             host: null,
             route: '/travelling/*'
           });
           await admin.save();
-
-          router.groups[admin.name] = this.groupInheritedMerge(admin, grps);
+          //console.log(admin)
+          //router.groups[admin.name] = this.groupInheritedMerge(admin, grps);
 
 
 

diff --git a/include/database/models/group.js b/include/database/models/group.js
@@ -35,7 +35,7 @@ class Group extends Base(BaseModel, 'groups', {
                   name character varying(350),
                   type character varying(350),
                   allowed json[],
-                  inherited character varying(350)[],
+                  inherited UUID[],
                   is_default boolean DEFAULT false,
                   eprofile character varying(350)
                 );`);

diff --git a/include/routes/v1/users.js b/include/routes/v1/users.js
@@ -91,7 +91,7 @@ module.exports = function(app, opts, done) {
     };
 
     var getUser = async (req, res) => {
-        
+
         if ((!req.params.id && !req.params.username )|| (req.params.username && !regex.safeName.exec(req.params.username)) || (req.params.id !== undefined && req.params.id !== null && req.params.id.length != 36)) {
             res.code(400);
             return {
@@ -212,8 +212,18 @@ module.exports = function(app, opts, done) {
     });
 
     app.post('/user/me/token', async (req, res) => {
-      var token = await TokenHandler.getOAuthToken(req.session.data.user.id, req.body.type || 'oauth', req.body.name || '')
-          res.code(200).send({client_id: token.id, client_secret: token.secret})
+      var token = null;
+      try {
+        token = await TokenHandler.getOAuthToken(req.session.data.user.id, req.body.type || 'oauth', req.body.name || null);
+      } catch (e) {
+        res.code(400).send({
+            type: 'token-error',
+            msg: 'Tokens name needs to have [A-Za-z0-9_@.] as the only vaild characters.',
+        });
+        return;
+      }
+
+      res.code(200).send({client_id: token.name || token.id, client_secret: token.secret})
     });
 
 

diff --git a/include/token/index.js b/include/token/index.js
@@ -2,6 +2,7 @@
 const crypto = require('crypto');
 const config = require('../utils/config');
 const cryptoInterface = require('../utils/cryptointerface');
+const regex = require('../utils/regex');
 
 const User = require('../database/models/user');
 const Token = require('../database/models/token');
@@ -57,12 +58,18 @@ class TokenHandler {
         });
     }
 
-    static getOAuthToken(user_id, type = 'oauth', name = '') {
+    static getOAuthToken(user_id, type = 'oauth', name = null) {
       return new Promise((resolve, reject)=>{
           crypto.randomBytes(64, async (err, secret) => {
 
               if (err) {
                   reject(err);
+                  return;
+              }
+
+              if(regex.username.exec(name) == null) {
+                reject(true);
+                return;
               }
 
               var token = await Token.create({
@@ -83,12 +90,14 @@ class TokenHandler {
 
               if (err) {
                   reject(err);
+                  return;
               }
 
               var secretb64 = secret.toString('base64');
-              
+
               var secret = await this._hashToken(secretb64,token.secret);
-              var nToken = await TokenStore.set(token.user_id, 'access', secret, config.token.access.expiration * 60000) // min to ms
+              console.log(token)
+              var nToken = await TokenStore.set(token.user_id, 'access', secret, config.token.access.expiration * 60000, token.name) // min to ms
               resolve({access_token: secret, expires_in: config.token.access.expiration*60, token_type:"bearer"});
           });
       });
@@ -97,6 +106,7 @@ class TokenHandler {
     static async checkAccessToken(token) {
         var token = await TokenStore.get(token);
 
+        console.log('CHECK ACCESS: ',token, TokenStore)
         if(!token) {
           return false;
         }
@@ -106,16 +116,17 @@ class TokenHandler {
     }
 
     static async checkOAuthToken(id, secret) {
-        var token = await Token.findById(id);
-        if(!token) {
-          return false;
-        }
 
-        if(token.secret != (await cryptoInterface.hash(secret))) {
+        var hashedSecret = await cryptoInterface.hash(secret);
+        //console.log("UUID CHECK : ",regex.uuidCheck(id) ? {id, hashedSecret} : {name:id, hashedSecret})
+        var token = await Token.findLimtedBy(regex.uuidCheck(id) ? {id, secret:hashedSecret} : {name:id, secret:hashedSecret}, 'AND', 1);
+        //console.log(token, secret)
+        if(!token || token.length <= 0) {
           return false;
         }
-        token.secret = secret;
-        return token;
+
+        token[0].secret = secret;
+        return token[0];
     }
 
 

diff --git a/include/token/tokenstore.js b/include/token/tokenstore.js
@@ -8,15 +8,15 @@ class TokenStore {
         this.tokens = {};
     }
 
-    async set(user_id, type, token, expiration) {
+    async set(user_id, type, token, expiration, name = '') {
 
         setTimeout(()=>{
           this.destroy(token);
         },expiration);
 
-        this.tokens[token] = {user_id,type,expires: new Date(expiration)};
+        this.tokens[token] = {user_id,type,expires: new Date(expiration), name};
 
-        return this.tokens[user_id];
+        return this.tokens[token];
     }
 
     async get(token, type) {

diff --git a/include/utils/auth.js b/include/utils/auth.js
@@ -7,7 +7,6 @@ var checkLoggedIn = async (req, res, router)=> {
     if(req.headers.authorization) {
       var user = await TokenHandler.checkAccessToken(req.headers.authorization.split('Bearer ')[1]);
       if(!user) {
-
         return {auth: false, route: req.headers.authorization.indexOf('Basic ') > -1 ? true : false}
       }
 

diff --git a/include/utils/regex.js b/include/utils/regex.js
@@ -17,6 +17,19 @@ const regex =  {
         + config.password.maxchar
         + '}$'),
     safeName: new RegExp(`^[A-Za-z0-9_\/\?\-\@\#\$\%\!\^\&\*\.]{1,350}$`),
-    base64Image: new RegExp('^(data:\\w+\\/[a-zA-Z\\+\\-\\.]+;base64,)(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{2}==|[A-Za-z0-9+\/]{3}=)?$','gi')
+    base64Image: new RegExp('^(data:\\w+\\/[a-zA-Z\\+\\-\\.]+;base64,)(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{2}==|[A-Za-z0-9+\/]{3}=)?$','gi'),
+    uuidv4: new RegExp(/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}$/i),
+    uuidCheck: (uuid)=>{
+      if(typeof uuid != 'string') {
+        return false;
+      }
+
+      var id = uuid.toLowerCase();
+      if(regex.uuidv4.exec(id) == null) {
+        return false;
+      }
+
+      return ['8', '9', 'a', 'b'].indexOf(id.charAt(19)) !== -1;
+    }
 };
 module.exports = regex