lint compliance

2023-07-11 10:35:44 +02:00 · 2023-07-11 10:35:44 +02:00 · b11333e7a0
parent c10fc37645
commit b11333e7a0
3 changed files with 3 additions and 128 deletions
--- a/customize.dist/src/less2/include/colortheme-dark.less
+++ b/customize.dist/src/less2/include/colortheme-dark.less
@ -12,7 +12,7 @@
    poll: #2c9e98;
    form: #2c9e98;
    whiteboard: #8f40f5;
-    diagram:  #ce3ad3;
+    diagram: #ce3ad3;
    kanban: #8C4;
    sheet: #40865c;
    doc: #5170B5;
--- a/lib/challenge-commands/totp.js
+++ b/lib/challenge-commands/totp.js
@ -1,7 +1,6 @@
 /* globals Buffer */
 const B32 = require("thirty-two");
 const OTP = require("notp");
-const JWT = require("jsonwebtoken");
 const nThen = require("nthen");
 const Util = require("../common-util");

@ -62,43 +61,10 @@ var decode32 = S => {
 // Allow user settings?
 var EXPIRATION = 7 * 24 * 3600 * 1000; // Sessions are valid 7 days

-var createJWT = function (Env, sessionId, publicKey, cb) {
-    JWT.sign({
-        // this is a custom JWT field (not a standard) - we include a reference to the session
-        // which is used to look up whether it has been revoked.
-        ref: sessionId,
-        // we specify in the token for what resource the token should be valid (their block's public key)
-        sub: Util.escapeKeyCharacters(publicKey),
-        exp: (+new Date()) + EXPIRATION
-    }, Env.bearerSecret, {
-        // token integrity is ensured with HMAC SHA512 with the server's bearerSecret
-        // clients can inspect token parameters, but cannot modify them
-        algorithm: 'HS512',
-        // if you want it to expire you can set this for an arbitrary number of seconds in the future, but I won't assume that for now
-        //expiresIn: (60 * 60 * 24 * 7)),
-    }, function (err, token) {
-        if (err) { return void cb(err); }
-        cb(void 0, token);
-    });
-};
-
 // Create a session with a token for the given public key
 const makeSession = (Env, publicKey, cb) => {
    const sessionId = Sessions.randomId();
-    var token;
    nThen(function (w) {
-        /*createJWT(Env, sessionId, publicKey, w(function (err, _token) {
-            if (err) {
-                Env.Log.error("TOTP_VALIDATE_JWT_SIGN_ERROR", {
-                    error: Util.serializeError(err),
-                    publicKey: publicKey,
-                });
-                w.abort();
-                return void cb("TOKEN_ERROR");
-            }
-            token = _token;
-        }));*/
-    }).nThen(function (w) {
        // store the token
        Sessions.write(Env, publicKey, sessionId, JSON.stringify({
            mfa: {
--- a/lib/http-worker.js
+++ b/lib/http-worker.js
@ -7,7 +7,6 @@ const nThen = require("nthen");
 const Util = require("./common-util");
 const Logger = require("./log");
 const AuthCommands = require("./http-commands");
-const JWT = require("jsonwebtoken");
 const MFA = require("./storage/mfa");
 const Sessions = require("./storage/sessions");

@ -282,7 +281,7 @@ app.use('/block/', function (req, res, next) {

    var authorization = req.headers.authorization;

-    var mfa_params, jwt_payload;
+    var mfa_params;
    nThen(function (w) {
        // First, check whether the block id in question has any MFA settings stored
        MFA.read(Env, name, w(function (err, content) {
@ -366,7 +365,7 @@ app.use('/block/', function (req, res, next) {
            let content = Util.tryParse(contentStr);

            if (content.mfa && content.mfa.exp && ((+new Date()) > content.mfa.exp)) {
-                Log.error("OTP_SESSION_EXPIRED", payload);
+                Log.error("OTP_SESSION_EXPIRED", content.mfa);
                Sessions.delete(Env, name, token, function (err) {
                    if (err) {
                        Log.error('SESSION_DELETE_EXPIRED_ERROR', err);
@ -387,96 +386,6 @@ app.use('/block/', function (req, res, next) {
            // handle the 404 or serving the file.
            next();
        });
-
-        // Otherwise we attempt to validate the token
-        // Successful validation implies that the token was issued by the server
-        // since only the server should possess the current bearer secret (unless it has leaked).
-
-        // It is still possible that the token is not valid for this particular resource,
-        // so the algorithm (HMAC SHA512) only asserts its integrity, not its validity.
-        /*
-        JWT.verify(token, Env.bearerSecret, {
-            algorithm: 'HS512',
-        }, w(function (err, payload) {
-            if (err) {
-                // the token could not be validated for some reason.
-                // it might have expired, the server might have rotated secrets,
-                // it might not be well-formed, etc.
-                // log and respond.
-                Log.info('INVALID_JWT', {
-                    error: err,
-                    token: token,
-                });
-                return void no();
-            }
-
-            // Now that we have the payload we can inspect its properties
-            // and reject anything which is obviously wrong without requiring
-            // any async I/O
-
-            // Tokens are issued with a "reference" - a random id which is
-            // used alongside the block id to look up whether a given session
-            // is still valid
-
-            // reject if it does not provide a lookup reference
-            if (typeof(payload.ref) !== 'string') {
-                Log.error("JWT_NO_REFERENCE", payload);
-                return void no();
-            }
-
-            // A JWT can optionally indicate a finite lifetime.
-            // reject if it's too old
-            if (payload.exp && ((+new Date()) > payload.exp)) {
-                Log.error("JWT_EXPIRED", payload);
-                Sessions.delete(Env, name, payload.ref, function (err) {
-                    if (err) {
-                        Log.error('JWT_SESSION_DELETE_EXPIRED_ERROR', err);
-                        return;
-                    }
-                    Log.info('JWT_SESSION_DELETE_EXPIRED', err);
-                });
-                return void no();
-            }
-
-            // A JWT indicates the subject (the block id) for which it is valid
-            // reject if it does not match the block the client is trying to access
-            if (payload.sub !== name) {
-                Log.error("JWT_SUBJECT_MISMATCH", payload);
-                return void no();
-            }
-
-            // otherwise, it seems basically correct.
-            Log.verbose("VALID_JWT", payload);
-
-            // remember the payload for subsequent asynchronous checks
-            jwt_payload = payload;
-        }));
-        */
-    }).nThen(function () {
-        // Finally, even if the JWT itself seems valid, the database
-        // is the final authority as to whether the session is still valid,
-        // as it might have been revoked
-        /*
-        Sessions.read(Env, name, jwt_payload.ref, function (err) {
-            if (err) {
-                Log.error('JWT_SESSION_READ_ERROR', err);
-                return res.status(401).json({
-                    method: mfa_params.method,
-                    code: 401,
-                });
-            }
-
-            // we could also check whether the content of the file matches the token,
-            // but clients don't have any influence over the reference and can only
-            // request to create tokens that are scoped to a public key they control.
-            // I don' think there's any practical benefit to such a check.
-
-            // So, interpret the existence of a file in that location as the continued
-            // validity of the session. Fall through and let the built-in webserver
-            // handle the 404 or serving the file.
-            next();
-        });
-        */
    });
 });