mirror of https://github.com/xwiki-labs/cryptpad
lint compliance
This commit is contained in:
parent
c10fc37645
commit
b11333e7a0
|
@ -1,7 +1,6 @@
|
|||
/* globals Buffer */
|
||||
const B32 = require("thirty-two");
|
||||
const OTP = require("notp");
|
||||
const JWT = require("jsonwebtoken");
|
||||
const nThen = require("nthen");
|
||||
const Util = require("../common-util");
|
||||
|
||||
|
@ -62,43 +61,10 @@ var decode32 = S => {
|
|||
// Allow user settings?
|
||||
var EXPIRATION = 7 * 24 * 3600 * 1000; // Sessions are valid 7 days
|
||||
|
||||
var createJWT = function (Env, sessionId, publicKey, cb) {
|
||||
JWT.sign({
|
||||
// this is a custom JWT field (not a standard) - we include a reference to the session
|
||||
// which is used to look up whether it has been revoked.
|
||||
ref: sessionId,
|
||||
// we specify in the token for what resource the token should be valid (their block's public key)
|
||||
sub: Util.escapeKeyCharacters(publicKey),
|
||||
exp: (+new Date()) + EXPIRATION
|
||||
}, Env.bearerSecret, {
|
||||
// token integrity is ensured with HMAC SHA512 with the server's bearerSecret
|
||||
// clients can inspect token parameters, but cannot modify them
|
||||
algorithm: 'HS512',
|
||||
// if you want it to expire you can set this for an arbitrary number of seconds in the future, but I won't assume that for now
|
||||
//expiresIn: (60 * 60 * 24 * 7)),
|
||||
}, function (err, token) {
|
||||
if (err) { return void cb(err); }
|
||||
cb(void 0, token);
|
||||
});
|
||||
};
|
||||
|
||||
// Create a session with a token for the given public key
|
||||
const makeSession = (Env, publicKey, cb) => {
|
||||
const sessionId = Sessions.randomId();
|
||||
var token;
|
||||
nThen(function (w) {
|
||||
/*createJWT(Env, sessionId, publicKey, w(function (err, _token) {
|
||||
if (err) {
|
||||
Env.Log.error("TOTP_VALIDATE_JWT_SIGN_ERROR", {
|
||||
error: Util.serializeError(err),
|
||||
publicKey: publicKey,
|
||||
});
|
||||
w.abort();
|
||||
return void cb("TOKEN_ERROR");
|
||||
}
|
||||
token = _token;
|
||||
}));*/
|
||||
}).nThen(function (w) {
|
||||
// store the token
|
||||
Sessions.write(Env, publicKey, sessionId, JSON.stringify({
|
||||
mfa: {
|
||||
|
|
|
@ -7,7 +7,6 @@ const nThen = require("nthen");
|
|||
const Util = require("./common-util");
|
||||
const Logger = require("./log");
|
||||
const AuthCommands = require("./http-commands");
|
||||
const JWT = require("jsonwebtoken");
|
||||
const MFA = require("./storage/mfa");
|
||||
const Sessions = require("./storage/sessions");
|
||||
|
||||
|
@ -282,7 +281,7 @@ app.use('/block/', function (req, res, next) {
|
|||
|
||||
var authorization = req.headers.authorization;
|
||||
|
||||
var mfa_params, jwt_payload;
|
||||
var mfa_params;
|
||||
nThen(function (w) {
|
||||
// First, check whether the block id in question has any MFA settings stored
|
||||
MFA.read(Env, name, w(function (err, content) {
|
||||
|
@ -366,7 +365,7 @@ app.use('/block/', function (req, res, next) {
|
|||
let content = Util.tryParse(contentStr);
|
||||
|
||||
if (content.mfa && content.mfa.exp && ((+new Date()) > content.mfa.exp)) {
|
||||
Log.error("OTP_SESSION_EXPIRED", payload);
|
||||
Log.error("OTP_SESSION_EXPIRED", content.mfa);
|
||||
Sessions.delete(Env, name, token, function (err) {
|
||||
if (err) {
|
||||
Log.error('SESSION_DELETE_EXPIRED_ERROR', err);
|
||||
|
@ -387,96 +386,6 @@ app.use('/block/', function (req, res, next) {
|
|||
// handle the 404 or serving the file.
|
||||
next();
|
||||
});
|
||||
|
||||
// Otherwise we attempt to validate the token
|
||||
// Successful validation implies that the token was issued by the server
|
||||
// since only the server should possess the current bearer secret (unless it has leaked).
|
||||
|
||||
// It is still possible that the token is not valid for this particular resource,
|
||||
// so the algorithm (HMAC SHA512) only asserts its integrity, not its validity.
|
||||
/*
|
||||
JWT.verify(token, Env.bearerSecret, {
|
||||
algorithm: 'HS512',
|
||||
}, w(function (err, payload) {
|
||||
if (err) {
|
||||
// the token could not be validated for some reason.
|
||||
// it might have expired, the server might have rotated secrets,
|
||||
// it might not be well-formed, etc.
|
||||
// log and respond.
|
||||
Log.info('INVALID_JWT', {
|
||||
error: err,
|
||||
token: token,
|
||||
});
|
||||
return void no();
|
||||
}
|
||||
|
||||
// Now that we have the payload we can inspect its properties
|
||||
// and reject anything which is obviously wrong without requiring
|
||||
// any async I/O
|
||||
|
||||
// Tokens are issued with a "reference" - a random id which is
|
||||
// used alongside the block id to look up whether a given session
|
||||
// is still valid
|
||||
|
||||
// reject if it does not provide a lookup reference
|
||||
if (typeof(payload.ref) !== 'string') {
|
||||
Log.error("JWT_NO_REFERENCE", payload);
|
||||
return void no();
|
||||
}
|
||||
|
||||
// A JWT can optionally indicate a finite lifetime.
|
||||
// reject if it's too old
|
||||
if (payload.exp && ((+new Date()) > payload.exp)) {
|
||||
Log.error("JWT_EXPIRED", payload);
|
||||
Sessions.delete(Env, name, payload.ref, function (err) {
|
||||
if (err) {
|
||||
Log.error('JWT_SESSION_DELETE_EXPIRED_ERROR', err);
|
||||
return;
|
||||
}
|
||||
Log.info('JWT_SESSION_DELETE_EXPIRED', err);
|
||||
});
|
||||
return void no();
|
||||
}
|
||||
|
||||
// A JWT indicates the subject (the block id) for which it is valid
|
||||
// reject if it does not match the block the client is trying to access
|
||||
if (payload.sub !== name) {
|
||||
Log.error("JWT_SUBJECT_MISMATCH", payload);
|
||||
return void no();
|
||||
}
|
||||
|
||||
// otherwise, it seems basically correct.
|
||||
Log.verbose("VALID_JWT", payload);
|
||||
|
||||
// remember the payload for subsequent asynchronous checks
|
||||
jwt_payload = payload;
|
||||
}));
|
||||
*/
|
||||
}).nThen(function () {
|
||||
// Finally, even if the JWT itself seems valid, the database
|
||||
// is the final authority as to whether the session is still valid,
|
||||
// as it might have been revoked
|
||||
/*
|
||||
Sessions.read(Env, name, jwt_payload.ref, function (err) {
|
||||
if (err) {
|
||||
Log.error('JWT_SESSION_READ_ERROR', err);
|
||||
return res.status(401).json({
|
||||
method: mfa_params.method,
|
||||
code: 401,
|
||||
});
|
||||
}
|
||||
|
||||
// we could also check whether the content of the file matches the token,
|
||||
// but clients don't have any influence over the reference and can only
|
||||
// request to create tokens that are scoped to a public key they control.
|
||||
// I don' think there's any practical benefit to such a check.
|
||||
|
||||
// So, interpret the existence of a file in that location as the continued
|
||||
// validity of the session. Fall through and let the built-in webserver
|
||||
// handle the 404 or serving the file.
|
||||
next();
|
||||
});
|
||||
*/
|
||||
});
|
||||
});
|
||||
|
||||
|
|
Loading…
Reference in New Issue