trilium/routes/api/login.js

"use strict";

const express = require('express');
const router = express.Router();
const options = require('../../services/options');
const utils = require('../../services/utils');
const sourceId = require('../../services/source_id');
const auth = require('../../services/auth');
const password_encryption = require('../../services/password_encryption');
const protected_session = require('../../services/protected_session');
const app_info = require('../../services/app_info');
const wrap = require('express-promise-wrap').wrap;

router.post('/sync', wrap(async (req, res, next) => {
    const timestampStr = req.body.timestamp;

    const timestamp = utils.parseDate(timestampStr);

    const now = new Date();

    if (Math.abs(timestamp.getTime() - now.getTime()) > 5000) {
        res.status(400);
        res.send({ message: 'Auth request time is out of sync' });
    }

    const dbVersion = req.body.dbVersion;

    if (dbVersion !== app_info.db_version) {
        res.status(400);
        res.send({ message: 'Non-matching db versions, local is version ' + app_info.db_version });
    }

    const documentSecret = await options.getOption('document_secret');
    const expectedHash = utils.hmac(documentSecret, timestampStr);

    const givenHash = req.body.hash;

    if (expectedHash !== givenHash) {
        res.status(400);
        res.send({ message: "Sync login hash doesn't match" });
    }

    req.session.loggedIn = true;

    res.send({
        sourceId: sourceId.getCurrentSourceId()
    });
}));

// this is for entering protected mode so user has to be already logged-in (that's the reason we don't require username)
router.post('/protected', auth.checkApiAuth, wrap(async (req, res, next) => {
    const password = req.body.password;

    if (!await password_encryption.verifyPassword(password)) {
        res.send({
            success: false,
            message: "Given current password doesn't match hash"
        });

        return;
    }

    const decryptedDataKey = await password_encryption.getDataKey(password);

    const protectedSessionId = protected_session.setDataKey(req, decryptedDataKey);

    res.send({
        success: true,
        protectedSessionId: protectedSessionId
    });
}));

module.exports = router;
added document_secret as basis for API authentication 2017-10-29 07:55:55 +08:00			`"use strict";`

			`const express = require('express');`
			`const router = express.Router();`
sync of options 2017-11-03 08:48:02 +08:00			`const options = require('../../services/options');`
API auth (untested) 2017-10-29 10:17:00 +08:00			`const utils = require('../../services/utils');`
migration script to camel case 2018-01-29 09:52:05 +08:00			`const sourceId = require('../../services/source_id');`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`const auth = require('../../services/auth');`
			`const password_encryption = require('../../services/password_encryption');`
			`const protected_session = require('../../services/protected_session');`
implemented initial setup of the app 2017-12-04 11:29:23 +08:00			`const app_info = require('../../services/app_info');`
added express-promise-wrap to catch and respond to unhandled exceptions immediately, previously the requests just hanged 2018-01-07 22:35:44 +08:00			`const wrap = require('express-promise-wrap').wrap;`
added document_secret as basis for API authentication 2017-10-29 07:55:55 +08:00
added express-promise-wrap to catch and respond to unhandled exceptions immediately, previously the requests just hanged 2018-01-07 22:35:44 +08:00			`router.post('/sync', wrap(async (req, res, next) => {`
fixes for dates in sync 2017-12-11 04:45:17 +08:00			`const timestampStr = req.body.timestamp;`
added document_secret as basis for API authentication 2017-10-29 07:55:55 +08:00
fixes for dates in sync 2017-12-11 04:45:17 +08:00			`const timestamp = utils.parseDate(timestampStr);`

			`const now = new Date();`

			`if (Math.abs(timestamp.getTime() - now.getTime()) > 5000) {`
API auth (untested) 2017-10-29 10:17:00 +08:00			`res.status(400);`
			`res.send({ message: 'Auth request time is out of sync' });`
			`}`

fixes for sync 2017-10-30 02:55:48 +08:00			`const dbVersion = req.body.dbVersion;`
API auth (untested) 2017-10-29 10:17:00 +08:00
implemented initial setup of the app 2017-12-04 11:29:23 +08:00			`if (dbVersion !== app_info.db_version) {`
API auth (untested) 2017-10-29 10:17:00 +08:00			`res.status(400);`
implemented initial setup of the app 2017-12-04 11:29:23 +08:00			`res.send({ message: 'Non-matching db versions, local is version ' + app_info.db_version });`
API auth (untested) 2017-10-29 10:17:00 +08:00			`}`

sync of options 2017-11-03 08:48:02 +08:00			`const documentSecret = await options.getOption('document_secret');`
fixes for dates in sync 2017-12-11 04:45:17 +08:00			`const expectedHash = utils.hmac(documentSecret, timestampStr);`
API auth (untested) 2017-10-29 10:17:00 +08:00
			`const givenHash = req.body.hash;`

			`if (expectedHash !== givenHash) {`
			`res.status(400);`
fixes for dates in sync 2017-12-11 04:45:17 +08:00			`res.send({ message: "Sync login hash doesn't match" });`
API auth (untested) 2017-10-29 10:17:00 +08:00			`}`

			`req.session.loggedIn = true;`

don't push changes to server which have been pulled from it 2017-11-02 11:16:21 +08:00			`res.send({`
renamed db columns to camelCase 2018-01-29 08:30:14 +08:00			`sourceId: sourceId.getCurrentSourceId()`
don't push changes to server which have been pulled from it 2017-11-02 11:16:21 +08:00			`});`
added express-promise-wrap to catch and respond to unhandled exceptions immediately, previously the requests just hanged 2018-01-07 22:35:44 +08:00			`}));`
added document_secret as basis for API authentication 2017-10-29 07:55:55 +08:00
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`// this is for entering protected mode so user has to be already logged-in (that's the reason we don't require username)`
added express-promise-wrap to catch and respond to unhandled exceptions immediately, previously the requests just hanged 2018-01-07 22:35:44 +08:00			`router.post('/protected', auth.checkApiAuth, wrap(async (req, res, next) => {`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`const password = req.body.password;`

			`if (!await password_encryption.verifyPassword(password)) {`
server side encryption WIP 2017-11-11 11:55:19 +08:00			`res.send({`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`success: false,`
			`message: "Given current password doesn't match hash"`
server side encryption WIP 2017-11-11 11:55:19 +08:00			`});`

			`return;`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00			`}`

cleaned up "CBC" from methods since we don't have CTR 2017-11-19 01:53:17 +08:00			`const decryptedDataKey = await password_encryption.getDataKey(password);`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00
			`const protectedSessionId = protected_session.setDataKey(req, decryptedDataKey);`

			`res.send({`
			`success: true,`
			`protectedSessionId: protectedSessionId`
			`});`
added express-promise-wrap to catch and respond to unhandled exceptions immediately, previously the requests just hanged 2018-01-07 22:35:44 +08:00			`}));`
refactoring of password change and preparations for server side encryption 2017-11-10 12:25:23 +08:00
added document_secret as basis for API authentication 2017-10-29 07:55:55 +08:00			`module.exports = router;`