Mondei1
e12ed7775b
- Frontend shows heatmap of most visit places - Maximum accuracy can now be set - Fix bug where battery chart filtered values wrongly
226 lines
6.8 KiB
TypeScript
226 lines
6.8 KiB
TypeScript
import { Request, Response } from "express";
|
|
import { verifyPassword } from "../lib/crypto";
|
|
import { User } from "../models/user/user.model";
|
|
import { sign, decode, verify } from 'jsonwebtoken';
|
|
import { JWT_SECRET, logger, RABBITMQ_URI } from "../app";
|
|
import { LivebeatRequest } from '../lib/request';
|
|
import { SchemaTypes } from "mongoose";
|
|
import { Phone } from "../models/phone/phone.model";
|
|
import { UserType } from "../models/user/user.interface";
|
|
|
|
export async function GetUser(req: LivebeatRequest, res: Response) {
|
|
let user: any = req.user;
|
|
user.password = undefined;
|
|
user.salt = undefined;
|
|
user.__v = undefined;
|
|
|
|
res.status(200).send(user);
|
|
}
|
|
|
|
export async function DeleteUser(req: Request, res: Response) {
|
|
|
|
}
|
|
|
|
export async function PatchUser(req: Request, res: Response) {
|
|
|
|
}
|
|
|
|
export async function LoginUser(req: Request, res: Response) {
|
|
const username = req.body.username;
|
|
const password = req.body.password;
|
|
const twoFA = req.body.twoFA;
|
|
|
|
const user = await User.findOne({ name: username });
|
|
|
|
// Check if user exists
|
|
if (user == undefined) {
|
|
setTimeout(() => {
|
|
res.status(404).send({ message: "Either the username or password is wrong." });
|
|
}, Math.random() * 1500 + 400);
|
|
return;
|
|
}
|
|
|
|
// Check if 2FA is turned on (the attack doesn't know yet if the password is wrong)
|
|
if (user.twoFASecret != undefined) {
|
|
if (twoFA == undefined) {
|
|
res.status(401).send({ message: "2FA code is required." });
|
|
return;
|
|
}
|
|
// TODO: Implement 2FA logic here
|
|
}
|
|
|
|
// Check if password is wrong
|
|
if (!await verifyPassword(password + user.salt, user.password)) {
|
|
res.status(404).send({ message: 'Either the username or password is wrong.' });
|
|
return;
|
|
}
|
|
|
|
// We're good. Create JWT token.
|
|
const token = sign({ user: user._id }, JWT_SECRET, { expiresIn: '30d' });
|
|
|
|
user.lastLogin = new Date(Date.now());
|
|
await user.save();
|
|
|
|
logger.info(`User ${user.name} logged in.`)
|
|
res.status(200).send({ token });
|
|
}
|
|
|
|
/**
|
|
* This function handles all logins to RabbitMQ since they need a differnt type of response
|
|
* then requests from frontends (web and phone).
|
|
*/
|
|
export async function LoginRabbitUser(req: Request, res: Response) {
|
|
const username = req.query.username;
|
|
const password = req.query.password;
|
|
|
|
if (username === undefined || password === undefined) {
|
|
res.status(200).send('deny');
|
|
return;
|
|
}
|
|
|
|
// Check if request comes from backend. Basicly, we permitting ourself to connect with RabbitMQ.
|
|
if (username === "backend" && password === RABBITMQ_URI.split(':')[2].split('@')[0]) {
|
|
res.status(200).send('allow administrator');
|
|
return;
|
|
}
|
|
|
|
// Get user from database
|
|
const user = await User.findOne({ name: username.toString() });
|
|
|
|
// If we are here, it means we have a non-admin user.
|
|
if (user === null) {
|
|
res.status(200).send('deny');
|
|
return;
|
|
}
|
|
|
|
// Auth token for message broker is stored in plain text since it's randomly generated and only grants access to the broker.
|
|
if (user.brokerToken === password.toString()) {
|
|
if (user.type === UserType.ADMIN) {
|
|
res.status(200).send('allow administrator');
|
|
} else {
|
|
// Not an admin, grant user privilieges
|
|
res.status(200).send('allow user')
|
|
}
|
|
return;
|
|
}
|
|
|
|
res.status(200).send('deny');
|
|
}
|
|
|
|
/**
|
|
* This function basicly allows access to the root vhost if the user is known.
|
|
*/
|
|
export async function VHost(req: Request, res: Response) {
|
|
const vhost = req.query.vhost;
|
|
const username = req.query.username;
|
|
|
|
if (vhost === undefined || username === undefined) {
|
|
res.status(200).send('deny');
|
|
return;
|
|
}
|
|
|
|
if (vhost != '/') {
|
|
res.status(200).send('deny');
|
|
return;
|
|
}
|
|
|
|
// Check if user is us
|
|
if (username === 'backend') {
|
|
res.status(200).send('allow');
|
|
return;
|
|
}
|
|
|
|
const user = await User.findOne({ name: username.toString() });
|
|
if (user === null) {
|
|
// Deny if user doesn't exist.
|
|
res.status(200).send('deny');
|
|
} else {
|
|
res.status(200).send('allow');
|
|
}
|
|
}
|
|
|
|
export async function Resource(req: Request, res: Response) {
|
|
const username = req.query.username;
|
|
const vhost = req.query.vhost;
|
|
const resource = req.query.resource;
|
|
const name = req.query.name;
|
|
const permission = req.query.permission;
|
|
const tags = req.query.tags;
|
|
|
|
if (username === undefined || vhost === undefined || resource === undefined || name === undefined || permission === undefined || tags === undefined) {
|
|
res.status(200).send('deny');
|
|
return;
|
|
}
|
|
|
|
// Check if it's us
|
|
if (username.toString() == 'backend') {
|
|
res.status(200).send('allow');
|
|
return;
|
|
}
|
|
|
|
// Deny if not root vhost
|
|
if (vhost.toString() != '/') {
|
|
res.status(200).send('deny');
|
|
return;
|
|
}
|
|
|
|
// Check if user exists
|
|
const user = await User.findOne({ name: username.toString() });
|
|
if (user == null) {
|
|
res.status(200).send('deny');
|
|
return;
|
|
}
|
|
|
|
if (tags.toString() == "administrator" && user.type != UserType.ADMIN) {
|
|
res.status(200).send('deny');
|
|
return;
|
|
}
|
|
|
|
// TODO: This has to change if we want to allow users to see the realtime movement of others.
|
|
if (resource.toString().startsWith('tracker-') && resource != 'tracker-' + username) {
|
|
res.status(200).send('deny');
|
|
return;
|
|
}
|
|
|
|
res.status(200).send('allow');
|
|
}
|
|
|
|
export async function Topic(req: Request, res: Response) {
|
|
res.status(200).send('allow');
|
|
}
|
|
|
|
/**
|
|
* This middleware validates any tokens that are required to access most of the endpoints.
|
|
* Note: This validation doesn't contain any permission checking.
|
|
*/
|
|
export async function MW_User(req: LivebeatRequest, res: Response, next: () => void) {
|
|
if (req.headers.token === undefined) {
|
|
res.status(401).send({ message: "Token not specified" });
|
|
return;
|
|
}
|
|
const token = req.headers.token.toString();
|
|
|
|
try {
|
|
// Verify token
|
|
if(await verify(token, JWT_SECRET, { algorithms: ['HS256'] })) {
|
|
// Token is valid, now look if user is in db (in case he got deleted)
|
|
const id = decode(token, { json: true })!.user;
|
|
const db = await User.findById(id);
|
|
|
|
if (db !== undefined && db !== null) {
|
|
req.user = db
|
|
next();
|
|
return;
|
|
} else {
|
|
res.status(401).send({ message: "Token is not valid" });
|
|
}
|
|
} else {
|
|
res.status(401).send({ message: "Token is not valid" });
|
|
}
|
|
} catch (err) {
|
|
if (err) {
|
|
res.status(500).send({ message: "We failed validating your token for some reason." });
|
|
logger.error(err);
|
|
}
|
|
}
|
|
} |