trilium/src/routes/api/login.js

"use strict";

const options = require('../../services/options');
const utils = require('../../services/utils');
const sourceIdService = require('../../services/source_id');
const passwordEncryptionService = require('../../services/password_encryption');
const protectedSessionService = require('../../services/protected_session');
const appInfo = require('../../services/app_info');

async function loginSync(req) {
    const timestampStr = req.body.timestamp;

    const timestamp = utils.parseDateTime(timestampStr);

    const now = new Date();

    if (Math.abs(timestamp.getTime() - now.getTime()) > 5000) {
        return [400, { message: 'Auth request time is out of sync' }];
    }

    const dbVersion = req.body.dbVersion;

    if (dbVersion !== appInfo.db_version) {
        return [400, { message: 'Non-matching db versions, local is version ' + appInfo.db_version }];
    }

    const documentSecret = await options.getOption('document_secret');
    const expectedHash = utils.hmac(documentSecret, timestampStr);

    const givenHash = req.body.hash;

    if (expectedHash !== givenHash) {
        return [400, { message: "Sync login hash doesn't match" }];
    }

    req.session.loggedIn = true;

    return {
        sourceId: sourceIdService.getCurrentSourceId()
    };
}

async function loginToProtectedSession(req) {
    const password = req.body.password;

    if (!await passwordEncryptionService.verifyPassword(password)) {
        return {
            success: false,
            message: "Given current password doesn't match hash"
        };
    }

    const decryptedDataKey = await passwordEncryptionService.getDataKey(password);

    const protectedSessionId = protectedSessionService.setDataKey(req, decryptedDataKey);

    return {
        success: true,
        protectedSessionId: protectedSessionId
    };
}

module.exports = {
    loginSync,
    loginToProtectedSession
};
added document_secret as basis for API authentication 2017-10-29 07:55:55 +08:00			`"use strict";`

sync of options 2017-11-03 08:48:02 +08:00			`const options = require('../../services/options');`
API auth (untested) 2017-10-29 10:17:00 +08:00			`const utils = require('../../services/utils');`
refactored backend to use new naming convention for modules 2018-04-02 09:27:46 +08:00			`const sourceIdService = require('../../services/source_id');`
			`const passwordEncryptionService = require('../../services/password_encryption');`
			`const protectedSessionService = require('../../services/protected_session');`
			`const appInfo = require('../../services/app_info');`
added document_secret as basis for API authentication 2017-10-29 07:55:55 +08:00
converted of web (non-api) routes, basic conversion completed 2018-03-31 07:31:22 +08:00			`async function loginSync(req) {`
fixes for dates in sync 2017-12-11 04:45:17 +08:00			`const timestampStr = req.body.timestamp;`
added document_secret as basis for API authentication 2017-10-29 07:55:55 +08:00
create months and days with associated english names, closes #37 2018-02-11 02:53:35 +08:00			`const timestamp = utils.parseDateTime(timestampStr);`
fixes for dates in sync 2017-12-11 04:45:17 +08:00
			`const now = new Date();`

			`if (Math.abs(timestamp.getTime() - now.getTime()) > 5000) {`
converted of web (non-api) routes, basic conversion completed 2018-03-31 07:31:22 +08:00			`return [400, { message: 'Auth request time is out of sync' }];`
API auth (untested) 2017-10-29 10:17:00 +08:00			`}`

fixes for sync 2017-10-30 02:55:48 +08:00			`const dbVersion = req.body.dbVersion;`
API auth (untested) 2017-10-29 10:17:00 +08:00
refactored backend to use new naming convention for modules 2018-04-02 09:27:46 +08:00			`if (dbVersion !== appInfo.db_version) {`
			`return [400, { message: 'Non-matching db versions, local is version ' + appInfo.db_version }];`
API auth (untested) 2017-10-29 10:17:00 +08:00			`}`

sync of options 2017-11-03 08:48:02 +08:00			`const documentSecret = await options.getOption('document_secret');`
fixes for dates in sync 2017-12-11 04:45:17 +08:00			`const expectedHash = utils.hmac(documentSecret, timestampStr);`
API auth (untested) 2017-10-29 10:17:00 +08:00
			`const givenHash = req.body.hash;`

			`if (expectedHash !== givenHash) {`
converted of web (non-api) routes, basic conversion completed 2018-03-31 07:31:22 +08:00			`return [400, { message: "Sync login hash doesn't match" }];`
API auth (untested) 2017-10-29 10:17:00 +08:00			`}`

			`req.session.loggedIn = true;`

converted of web (non-api) routes, basic conversion completed 2018-03-31 07:31:22 +08:00			`return {`
refactored backend to use new naming convention for modules 2018-04-02 09:27:46 +08:00			`sourceId: sourceIdService.getCurrentSourceId()`
converted of web (non-api) routes, basic conversion completed 2018-03-31 07:31:22 +08:00			`};`
			`}`
added document_secret as basis for API authentication 2017-10-29 07:55:55 +08:00
converted of web (non-api) routes, basic conversion completed 2018-03-31 07:31:22 +08:00			`async function loginToProtectedSession(req) {`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`const password = req.body.password;`

refactored backend to use new naming convention for modules 2018-04-02 09:27:46 +08:00			`if (!await passwordEncryptionService.verifyPassword(password)) {`
converted of web (non-api) routes, basic conversion completed 2018-03-31 07:31:22 +08:00			`return {`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`success: false,`
			`message: "Given current password doesn't match hash"`
converted of web (non-api) routes, basic conversion completed 2018-03-31 07:31:22 +08:00			`};`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`}`

refactored backend to use new naming convention for modules 2018-04-02 09:27:46 +08:00			`const decryptedDataKey = await passwordEncryptionService.getDataKey(password);`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00
refactored backend to use new naming convention for modules 2018-04-02 09:27:46 +08:00			`const protectedSessionId = protectedSessionService.setDataKey(req, decryptedDataKey);`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00
converted of web (non-api) routes, basic conversion completed 2018-03-31 07:31:22 +08:00			`return {`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`success: true,`
			`protectedSessionId: protectedSessionId`
converted of web (non-api) routes, basic conversion completed 2018-03-31 07:31:22 +08:00			`};`
			`}`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00
converted of web (non-api) routes, basic conversion completed 2018-03-31 07:31:22 +08:00			`module.exports = {`
			`loginSync,`
			`loginToProtectedSession`
			`};`