trilium/src/services/auth.js

"use strict";

const sql = require('./sql');
const sqlInit = require('./sql_init');
const utils = require('./utils');
const passwordEncryptionService = require('./password_encryption');
const optionService = require('./options');

async function checkAuth(req, res, next) {
    if (!await sqlInit.isDbInitialized()) {
        res.redirect("setup");
    }
    else if (!req.session.loggedIn && !utils.isElectron()) {
        res.redirect("login");
    }
    else {
        next();
    }
}

// for electron things which need network stuff
// currently we're doing that for file upload because handling form data seems to be difficult
async function checkApiAuthOrElectron(req, res, next) {
    if (!req.session.loggedIn && !utils.isElectron()) {
        res.status(401).send("Not authorized");
    }
    else {
        next();
    }
}

async function checkApiAuth(req, res, next) {
    if (!req.session.loggedIn) {
        res.status(401).send("Not authorized");
    }
    else {
        next();
    }
}

async function checkAppInitialized(req, res, next) {
    if (!await sqlInit.isDbInitialized()) {
        res.redirect("setup");
    }
    else {
        next();
    }
}

async function checkAppNotInitialized(req, res, next) {
    if (await sqlInit.isDbInitialized()) {
        res.status(400).send("App already initialized.");
    }
    else {
        next();
    }
}

async function checkSenderToken(req, res, next) {
    const token = req.headers.authorization;

    if (await sql.getValue("SELECT COUNT(*) FROM api_tokens WHERE isDeleted = 0 AND token = ?", [token]) === 0) {
        res.status(401).send("Not authorized");
    }
    else {
        next();
    }
}

async function checkBasicAuth(req, res, next) {
    const header = req.headers.authorization || '';
    const token = header.split(/\s+/).pop() || '';
    const auth = new Buffer.from(token, 'base64').toString();
    const [username, password] = auth.split(/:/);

    const dbUsername = await optionService.getOption('username');

    if (dbUsername !== username || !await passwordEncryptionService.verifyPassword(password)) {
        res.status(401).send("Not authorized");
    }
    else {
        next();
    }
}

module.exports = {
    checkAuth,
    checkApiAuth,
    checkAppInitialized,
    checkAppNotInitialized,
    checkApiAuthOrElectron,
    checkSenderToken,
    checkBasicAuth
};
use strict in all JS files 2017-10-22 09:10:33 +08:00			`"use strict";`

converted all timestamps to string representation 2017-12-11 01:56:59 +08:00			`const sql = require('./sql');`
separated DB initialization methods into sql_init 2018-04-03 09:25:20 +08:00			`const sqlInit = require('./sql_init');`
some tweaks mainly for electron support 2017-11-06 06:58:55 +08:00			`const utils = require('./utils');`
#98, working sync setup from server to desktop instance + refactoring of DB initialization 2018-07-23 01:56:20 +08:00			`const passwordEncryptionService = require('./password_encryption');`
			`const optionService = require('./options');`
sync WIP 2017-10-26 10:39:21 +08:00
			`async function checkAuth(req, res, next) {`
#98, working sync setup from server to desktop instance + refactoring of DB initialization 2018-07-23 01:56:20 +08:00			`if (!await sqlInit.isDbInitialized()) {`
implemented initial setup of the app 2017-12-04 11:29:23 +08:00			`res.redirect("setup");`
			`}`
			`else if (!req.session.loggedIn && !utils.isElectron()) {`
node authentication 2017-10-16 04:32:49 +08:00			`res.redirect("login");`
sync WIP 2017-10-26 10:39:21 +08:00			`}`
separate sync for pull (implemented) and push (not yet) 2017-10-27 08:31:31 +08:00			`else {`
			`next();`
			`}`
			`}`

auth exception for images in electron 2018-01-07 22:59:05 +08:00			`// for electron things which need network stuff`
			`// currently we're doing that for file upload because handling form data seems to be difficult`
			`async function checkApiAuthOrElectron(req, res, next) {`
			`if (!req.session.loggedIn && !utils.isElectron()) {`
			`res.status(401).send("Not authorized");`
			`}`
			`else {`
node authentication 2017-10-16 04:32:49 +08:00			`next();`
			`}`
			`}`

db upgrades are now handled transparently in the background without bothering the user, closes #119 2018-06-11 03:49:22 +08:00			`async function checkApiAuth(req, res, next) {`
even though trilium APIs are still exposed in electron, they require login if not called directly from electron 2017-12-01 12:29:21 +08:00			`if (!req.session.loggedIn) {`
sync fixes 2017-11-01 08:09:07 +08:00			`res.status(401).send("Not authorized");`
separate sync for pull (implemented) and push (not yet) 2017-10-27 08:31:31 +08:00			`}`
			`else {`
			`next();`
			`}`
			`}`

#98, sync to server now works as well + a lot of related changes 2018-07-25 02:35:03 +08:00			`async function checkAppInitialized(req, res, next) {`
			`if (!await sqlInit.isDbInitialized()) {`
			`res.redirect("setup");`
			`}`
			`else {`
			`next();`
			`}`
			`}`

implemented initial setup of the app 2017-12-04 11:29:23 +08:00			`async function checkAppNotInitialized(req, res, next) {`
#98, working sync setup from server to desktop instance + refactoring of DB initialization 2018-07-23 01:56:20 +08:00			`if (await sqlInit.isDbInitialized()) {`
implemented initial setup of the app 2017-12-04 11:29:23 +08:00			`res.status(400).send("App already initialized.");`
			`}`
			`else {`
			`next();`
			`}`
			`}`

converted file, script, search and sender routes 2018-03-31 05:29:13 +08:00			`async function checkSenderToken(req, res, next) {`
			`const token = req.headers.authorization;`

			`if (await sql.getValue("SELECT COUNT(*) FROM api_tokens WHERE isDeleted = 0 AND token = ?", [token]) === 0) {`
			`res.status(401).send("Not authorized");`
			`}`
			`else {`
db upgrades are now handled transparently in the background without bothering the user, closes #119 2018-06-11 03:49:22 +08:00			`next();`
converted file, script, search and sender routes 2018-03-31 05:29:13 +08:00			`}`
			`}`

#98, working sync setup from server to desktop instance + refactoring of DB initialization 2018-07-23 01:56:20 +08:00			`async function checkBasicAuth(req, res, next) {`
			`const header = req.headers.authorization \|\| '';`
			`const token = header.split(/\s+/).pop() \|\| '';`
			`const auth = new Buffer.from(token, 'base64').toString();`
			`const [username, password] = auth.split(/:/);`

			`const dbUsername = await optionService.getOption('username');`

			`if (dbUsername !== username \|\| !await passwordEncryptionService.verifyPassword(password)) {`
			`res.status(401).send("Not authorized");`
			`}`
			`else {`
			`next();`
			`}`
			`}`

node authentication 2017-10-16 04:32:49 +08:00			`module.exports = {`
			`checkAuth,`
separate sync for pull (implemented) and push (not yet) 2017-10-27 08:31:31 +08:00			`checkApiAuth,`
#98, sync to server now works as well + a lot of related changes 2018-07-25 02:35:03 +08:00			`checkAppInitialized,`
auth exception for images in electron 2018-01-07 22:59:05 +08:00			`checkAppNotInitialized,`
converted file, script, search and sender routes 2018-03-31 05:29:13 +08:00			`checkApiAuthOrElectron,`
#98, working sync setup from server to desktop instance + refactoring of DB initialization 2018-07-23 01:56:20 +08:00			`checkSenderToken,`
			`checkBasicAuth`
node authentication 2017-10-16 04:32:49 +08:00			`};`