uptime-kuma/server/auth.js

const basicAuth = require("express-basic-auth");
const passwordHash = require("./password-hash");
const { R } = require("redbean-node");
const { setting } = require("./util-server");
const { loginRateLimiter } = require("./rate-limiter");
const { Settings } = require("./settings");
const dayjs = require("dayjs");

/**
 * Login to web app
 * @param {string} username
 * @param {string} password
 * @returns {Promise<(Bean|null)>}
 */
exports.login = async function (username, password) {
    if (typeof username !== "string" || typeof password !== "string") {
        return null;
    }

    let user = await R.findOne("user", " username = ? AND active = 1 ", [
        username,
    ]);

    if (user && passwordHash.verify(password, user.password)) {
        // Upgrade the hash to bcrypt
        if (passwordHash.needRehash(user.password)) {
            await R.exec("UPDATE `user` SET password = ? WHERE id = ? ", [
                passwordHash.generate(password),
                user.id,
            ]);
        }
        return user;
    }

    return null;
};

/**
 * Validate a provided API key
 * @param {string} key API Key passed by client
 * @returns {Promise<bool>}
 */
async function validateAPIKey(key) {
    if (typeof key !== "string") {
        return false;
    }

    let index = key.substring(0, key.indexOf("-"));
    let clear = key.substring(key.indexOf("-") + 1, key.length);
    console.log(index);
    console.log(clear);

    let hash = await R.findOne("api_key", " id=? ", [ index ]);

    let current = dayjs();
    let expiry = dayjs(hash.expires);
    if (expiry.diff(current) < 0, !hash.active) {
        return false;
    }

    return hash && passwordHash.verify(clear, hash.key);
}

/**
 * Callback for myAuthorizer
 * @callback myAuthorizerCB
 * @param {any} err Any error encountered
 * @param {boolean} authorized Is the client authorized?
 */

/**
 * Custom authorizer for express-basic-auth
 * @param {string} username
 * @param {string} password
 * @param {myAuthorizerCB} callback
 */
function myAuthorizer(username, password, callback) {
    // Login Rate Limit
    loginRateLimiter.pass(null, 0).then((pass) => {
        if (pass) {
            exports.login(username, password).then((user) => {
                callback(null, user != null);

                if (user == null) {
                    loginRateLimiter.removeTokens(1);
                }
            });
        } else {
            callback(null, false);
        }
    });
}

/**
 * Use basic auth if auth is not disabled
 * @param {express.Request} req Express request object
 * @param {express.Response} res Express response object
 * @param {express.NextFunction} next
 */
exports.basicAuth = async function (req, res, next) {
    const middleware = basicAuth({
        authorizer: myAuthorizer,
        authorizeAsync: true,
        challenge: true,
    });

    const disabledAuth = await setting("disableAuth");

    if (!disabledAuth) {
        middleware(req, res, next);
    } else {
        next();
    }
};

/**
 * Use X-API-Key header if API keys enabled, else use basic auth
 * @param {express.Request} req Express request object
 * @param {express.Response} res Express response object
 * @param {express.NextFunction} next
 */
exports.apiAuth = async function (req, res, next) {
    if (!await Settings.get("disableAuth")) {
        let usingAPIKeys = await Settings.get("apiKeysEnabled");

        loginRateLimiter.pass(null, 0).then((pass) => {
            if (usingAPIKeys) {
                let pwd = req.get("X-API-Key");
                if (pwd !== null && pwd !== undefined) {
                    validateAPIKey(pwd).then((valid) => {
                        if (valid) {
                            next();
                        } else {
                            res.status(401).send();
                        }
                    });
                } else {
                    res.status(401).send();
                }
            } else {
                exports.basicAuth(req, res, next);
            }
        });
    } else {
        next();
    }
};
add login rate limiter 2021-10-23 01:35:13 -07:00			`const basicAuth = require("express-basic-auth");`
Autofix on save 2021-07-27 10:47:13 -07:00			`const passwordHash = require("./password-hash");`
			`const { R } = require("redbean-node");`
requires empty username/password if set disableAuth for basic auth 2021-08-02 09:08:46 -07:00			`const { setting } = require("./util-server");`
add login rate limiter 2021-10-23 01:35:13 -07:00			`const { loginRateLimiter } = require("./rate-limiter");`
Added API key authentication handler API key authentication is now possible by making use of the X-API-Key header. API authentication will only be enabled when a user adds their first API key, up until this point, they can still use their username and password to authenticate with API endpoints. After the user adds their first API key, they may only use API keys in future to authenticate with the API. In this commit, the prometheus /metrics endpoint has been changed over to the new authentication system. Signed-off-by: Matthew Nickson <[email protected]> 2023-02-14 16:39:29 -08:00			`const { Settings } = require("./settings");`
			`const dayjs = require("dayjs");`
Add Basic Auth for /metrics 2021-07-27 09:52:31 -07:00
			`/**`
Add JSDoc to server/* Signed-off-by: Matthew Nickson <[email protected]> 2022-04-20 11:56:40 -07:00			`* Login to web app`
			`* @param {string} username`
			`* @param {string} password`
			`* @returns {Promise<(Bean\|null)>}`
Add Basic Auth for /metrics 2021-07-27 09:52:31 -07:00			`*/`
			`exports.login = async function (username, password) {`
Some improvements 2022-03-29 02:38:48 -07:00			`if (typeof username !== "string" \|\| typeof password !== "string") {`
			`return null;`
			`}`

Revert "Auth: Case insensitive login check on username" 2023-01-01 06:19:00 -08:00			`let user = await R.findOne("user", " username = ? AND active = 1 ", [`
Autofix on save 2021-07-27 10:47:13 -07:00			`username,`
add login rate limiter 2021-10-23 01:35:13 -07:00			`]);`
Add Basic Auth for /metrics 2021-07-27 09:52:31 -07:00
			`if (user && passwordHash.verify(password, user.password)) {`
			`// Upgrade the hash to bcrypt`
			`if (passwordHash.needRehash(user.password)) {`
			await R.exec("UPDATE `user` SET password = ? WHERE id = ? ", [
			`passwordHash.generate(password),`
Autofix on save 2021-07-27 10:47:13 -07:00			`user.id,`
Add Basic Auth for /metrics 2021-07-27 09:52:31 -07:00			`]);`
			`}`
			`return user;`
			`}`
Autofix on save 2021-07-27 10:47:13 -07:00
			`return null;`
add login rate limiter 2021-10-23 01:35:13 -07:00			`};`
Add Basic Auth for /metrics 2021-07-27 09:52:31 -07:00
Added API key authentication handler API key authentication is now possible by making use of the X-API-Key header. API authentication will only be enabled when a user adds their first API key, up until this point, they can still use their username and password to authenticate with API endpoints. After the user adds their first API key, they may only use API keys in future to authenticate with the API. In this commit, the prometheus /metrics endpoint has been changed over to the new authentication system. Signed-off-by: Matthew Nickson <[email protected]> 2023-02-14 16:39:29 -08:00			`/**`
			`* Validate a provided API key`
			`* @param {string} key API Key passed by client`
			`* @returns {Promise<bool>}`
			`*/`
			`async function validateAPIKey(key) {`
			`if (typeof key !== "string") {`
			`return false;`
			`}`

			`let index = key.substring(0, key.indexOf("-"));`
			`let clear = key.substring(key.indexOf("-") + 1, key.length);`
			`console.log(index);`
			`console.log(clear);`

			`let hash = await R.findOne("api_key", " id=? ", [ index ]);`

			`let current = dayjs();`
			`let expiry = dayjs(hash.expires);`
			`if (expiry.diff(current) < 0, !hash.active) {`
			`return false;`
			`}`

			`return hash && passwordHash.verify(clear, hash.key);`
			`}`

Add JSDoc to server/* Signed-off-by: Matthew Nickson <[email protected]> 2022-04-20 11:56:40 -07:00			`/**`
			`* Callback for myAuthorizer`
			`* @callback myAuthorizerCB`
			`* @param {any} err Any error encountered`
			`* @param {boolean} authorized Is the client authorized?`
			`*/`

			`/**`
			`* Custom authorizer for express-basic-auth`
			`* @param {string} username`
			`* @param {string} password`
			`* @param {myAuthorizerCB} callback`
			`*/`
Add Basic Auth for /metrics 2021-07-27 09:52:31 -07:00			`function myAuthorizer(username, password, callback) {`
Fix #1318, basic auth is completely disabled if the auth is disabled 2022-03-24 03:02:34 -07:00			`// Login Rate Limit`
			`loginRateLimiter.pass(null, 0).then((pass) => {`
			`if (pass) {`
			`exports.login(username, password).then((user) => {`
			`callback(null, user != null);`
add login rate limiter 2021-10-23 01:35:13 -07:00
Fix #1318, basic auth is completely disabled if the auth is disabled 2022-03-24 03:02:34 -07:00			`if (user == null) {`
			`loginRateLimiter.removeTokens(1);`
add login rate limiter 2021-10-23 01:35:13 -07:00			`}`
			`});`
Fix #1318, basic auth is completely disabled if the auth is disabled 2022-03-24 03:02:34 -07:00			`} else {`
			`callback(null, false);`
add login rate limiter 2021-10-23 01:35:13 -07:00			`}`
			`});`
Add Basic Auth for /metrics 2021-07-27 09:52:31 -07:00			`}`

Added JSDoc for server/ Signed-off-by: Matthew Nickson <[email protected]> 2023-01-05 14:19:05 -08:00			`/**`
			`* Use basic auth if auth is not disabled`
			`* @param {express.Request} req Express request object`
			`* @param {express.Response} res Express response object`
			`* @param {express.NextFunction} next`
			`*/`
Fix #1318, basic auth is completely disabled if the auth is disabled 2022-03-24 03:02:34 -07:00			`exports.basicAuth = async function (req, res, next) {`
			`const middleware = basicAuth({`
			`authorizer: myAuthorizer,`
			`authorizeAsync: true,`
			`challenge: true,`
			`});`

			`const disabledAuth = await setting("disableAuth");`

			`if (!disabledAuth) {`
			`middleware(req, res, next);`
			`} else {`
			`next();`
			`}`
			`};`
Added API key authentication handler API key authentication is now possible by making use of the X-API-Key header. API authentication will only be enabled when a user adds their first API key, up until this point, they can still use their username and password to authenticate with API endpoints. After the user adds their first API key, they may only use API keys in future to authenticate with the API. In this commit, the prometheus /metrics endpoint has been changed over to the new authentication system. Signed-off-by: Matthew Nickson <[email protected]> 2023-02-14 16:39:29 -08:00
			`/**`
			`* Use X-API-Key header if API keys enabled, else use basic auth`
			`* @param {express.Request} req Express request object`
			`* @param {express.Response} res Express response object`
			`* @param {express.NextFunction} next`
			`*/`
			`exports.apiAuth = async function (req, res, next) {`
			`if (!await Settings.get("disableAuth")) {`
			`let usingAPIKeys = await Settings.get("apiKeysEnabled");`

			`loginRateLimiter.pass(null, 0).then((pass) => {`
			`if (usingAPIKeys) {`
			`let pwd = req.get("X-API-Key");`
			`if (pwd !== null && pwd !== undefined) {`
			`validateAPIKey(pwd).then((valid) => {`
			`if (valid) {`
			`next();`
			`} else {`
			`res.status(401).send();`
			`}`
			`});`
			`} else {`
			`res.status(401).send();`
			`}`
			`} else {`
			`exports.basicAuth(req, res, next);`
			`}`
			`});`
			`} else {`
			`next();`
			`}`
			`};`