forked from movableink/doorman
/
app.js
106 lines (87 loc) · 2.88 KB
/
app.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
try { var conf = require('./conf'); } catch(e) {
console.log("Missing conf.js. Please copy conf.example.js to conf.js and edit it.");
process.exit(1);
}
var http = require('http');
var https = require('https');
var express = require('express');
var session = require('cookie-session');
var everyauth = require('everyauth');
var Proxy = require('./lib/proxy');
var github = require('./lib/modules/github');
var google = require('./lib/modules/google');
var log = require('./lib/winston');
var proxy = new Proxy(conf.proxyTo.host, conf.proxyTo.port);
var proxyMiddleware = proxy.middleware();
// Set up our auth strategies
if (conf.modules.github) {
github.setup(everyauth);
}
if (conf.modules.google) {
google.setup(everyauth);
}
function userCanAccess(req) {
var auth = req.session && req.session.auth;
if(!auth) {
log.debug("User rejected because they haven't authenticated.");
return false;
}
for(var authType in req.session.auth) {
if(everyauth[authType] && everyauth[authType].authorize(auth)) {
return true;
}
}
// User had an auth, but it wasn't an acceptable one
req.session.auth = null;
log.debug("User rejected because their oauth was not in allowed group");
return false;
}
function checkUser(req, res, next) {
if(userCanAccess(req)) {
proxyMiddleware(req, res, next);
} else {
next();
}
}
function loginPage(req, res, next) {
if(req.query.error) {
res.render('error.jade', { pageTitle: "An error occurred.", error: "The authentication method reports: " + req.query.error_description });
return
}
req.session.redirectTo = req.originalUrl;
res.render('login.jade', { pageTitle: 'Login', providers: everyauth.enabled });
}
// Store the middleware since we use it in the websocket proxy
var sessionOptions = {
cookie: { maxAge: conf.sessionCookieMaxAge },
secret: conf.sessionSecret,
name: '__doorman',
};
var doormanSession = session(sessionOptions);
var app = express();
app.use(log.middleware());
app.use(doormanSession);
app.use(checkUser);
app.use(everyauth.middleware());
app.use(express.static(__dirname + "/public", {maxAge: 0 }));
app.use(loginPage);
// Uncaught error states
app.on('error', function(err) {
console.log(err);
});
everyauth.everymodule.moduleErrback(function(err, data) {
data.res.render('error.jade', { pageTitle: 'Sorry, there was an error.', error: "Perhaps something is misconfigured, or the provider is down." });
});
var server = http.createServer(app);
// WebSockets are also authenticated
server.on('upgrade', function(req, socket, head) {
doormanSession(req, new http.ServerResponse(req), function() {
if(userCanAccess(req)) {
proxy.proxyWebSocketRequest(req, socket, head);
} else {
socket.destroy();
}
});
});
server.listen(conf.port);
log.notice("Doorman on duty, listening on port " + conf.port + " and proxying to " + conf.proxyTo.host + ":" + conf.proxyTo.port + ".");