om/server/authorization.js

// Original file created by Prof.Dr. Matthias Hopf

/*
 * Authorization
 */
var   common, Users;
const ldap   = require ('./ldap_ohm'),
      crypto = require ('./crypto'),
      dbs    = require ('./dbs');

// deactivated is not used yet
const serverVisibleSession = { user: true, name: true, type: true, mail: true, roles: true, gender: true, deactivated: true, host: true };
const clientVisibleSession = { user: true, name: true, type: true, mail: true, roles: true, gender: true };


// Fill in session object
function fillSession (req, user, roles, cb) {
    if (req.session === undefined)
        next (common.genError (500, "Error"));
    req.session.regenerate (function (err) {
        if (user !== undefined && ! err) {
            common.shallowCopy (user, serverVisibleSession, {roles: true}, req.session);
            if (user._id) {
                req.session.user = user._id;
            }
            req.session.roles = roles;
        }
        return cb (err);
    });
}

const authorization = {
    // Generate Error object suitible for throwing or next()ing
    genCheckAuthorized: function (group) {
        return function (req, res, next) {
            if (req.session === undefined || req.session.user === undefined ||
                req.session.roles === undefined)
                return next (common.genError (403, "Unauthorized"));
            if (req.session.roles[group] === undefined)
                return next (common.genError (403, "Unauthorized"));
            next ();
        }
    },

    // Login route: requires .user and .pwd params
    login: function (req, res, next) {
        var user = req.body.user || '';
        var pwd = req.body.pwd || '';

        // Helper: Return valid session Object
        function returnSession () {
            // Only export client visible parts of session object
            var copy = common.shallowCopy (req.session, clientVisibleSession);
            return res.json (copy);
        }
        // Helper: Return error
        function returnError () {
            fillSession (req, undefined, undefined, function (err) {
                next (common.genError (401, "Unauthorized"));
            });
        }

        // Check whether to just validate current session ID
        if (user === '' && pwd === '') {
            console.log ("auth revalidate: " + req.session.user);
            if (req.session.user === undefined)
                return returnError();
            return returnSession ();
        }

        // check local database, then ldap
        Users.findById (req.body.user) .exec (function (err, entry) {
            // If there is a local user AND it has a password associated, test against this, and only this
            if (entry != null && entry.pwd) {
                if (crypto.checkLocalAuth (entry, req.body.pwd)) {
                    return fillSession (req, entry, common.arrayToHash(entry.roles), returnSession);
                }
                return returnError ();
            }

            // check ldap
            ldap.authorize (user.toLowerCase(), pwd, function (found) {
                //console.log ("ldap authorize " + user + " returns " + JSON.stringify (found));
                // No ldap entry either -> unauthorized
                if (found == null) {
                    return returnError ();
                }
                // If there is an entry w/o password, use it for roles etc.
                if (entry) {
                    if (! entry.name || entry.name === "")
                        entry.name = found.name;
                    if (! entry.mail || entry.mail === "")
                        entry.mail = found.mail;
                    if (! entry.type || entry.type === "")
                        entry.type = found.type;
                    if (! entry.orclgender || entry.orclgender === "")
                        entry.orclgender = found.orclgender;
                    return fillSession (req, entry, entry.roles.length > 0 ? common.arrayToHash(entry.roles) : {user:true}, returnSession);
                }
                // Otherwise create standard user entry
                return fillSession (req, found, {user:true}, returnSession);
            });
        });
    },
    logout: function (req, res, next) {
        fillSession (req, undefined, undefined, function (err) {
            return res.json ({});
        });
    },
    init: function (_common) {
        common = _common;
        ldap.init (_common);
        Users = dbs.models.Users;
    },
};

module.exports = authorization;
outsource db routes, schemata and logic into dbs.js 2019-06-20 15:17:45 +00:00			`// Original file created by Prof.Dr. Matthias Hopf`

restructure server.js, adding ldap access, part 1/2 role authorization 2019-06-18 13:54:07 +00:00			`/*`
			`* Authorization`
			`*/`
Login + Logout implemented; ProfilCard v1 implemented; 2019-07-19 21:12:38 +00:00			`var common, Users;`
outsource db routes, schemata and logic into dbs.js 2019-06-20 15:17:45 +00:00			`const ldap = require ('./ldap_ohm'),`
Login + Logout implemented; ProfilCard v1 implemented; 2019-07-19 21:12:38 +00:00			`crypto = require ('./crypto'),`
			`dbs = require ('./dbs');`
restructure server.js, adding ldap access, part 1/2 role authorization 2019-06-18 13:54:07 +00:00
			`// deactivated is not used yet`
Login + Logout implemented; ProfilCard v1 implemented; 2019-07-19 21:12:38 +00:00			`const serverVisibleSession = { user: true, name: true, type: true, mail: true, roles: true, gender: true, deactivated: true, host: true };`
			`const clientVisibleSession = { user: true, name: true, type: true, mail: true, roles: true, gender: true };`
restructure server.js, adding ldap access, part 1/2 role authorization 2019-06-18 13:54:07 +00:00

			`// Fill in session object`
			`function fillSession (req, user, roles, cb) {`
			`if (req.session === undefined)`
			`next (common.genError (500, "Error"));`
			`req.session.regenerate (function (err) {`
			`if (user !== undefined && ! err) {`
			`common.shallowCopy (user, serverVisibleSession, {roles: true}, req.session);`
			`if (user._id) {`
			`req.session.user = user._id;`
			`}`
			`req.session.roles = roles;`
			`}`
			`return cb (err);`
			`});`
			`}`

			`const authorization = {`
			`// Generate Error object suitible for throwing or next()ing`
			`genCheckAuthorized: function (group) {`
			`return function (req, res, next) {`
			`if (req.session === undefined \|\| req.session.user === undefined \|\|`
			`req.session.roles === undefined)`
			`return next (common.genError (403, "Unauthorized"));`
			`if (req.session.roles[group] === undefined)`
			`return next (common.genError (403, "Unauthorized"));`
			`next ();`
			`}`
			`},`

			`// Login route: requires .user and .pwd params`
			`login: function (req, res, next) {`
			`var user = req.body.user \|\| '';`
			`var pwd = req.body.pwd \|\| '';`

			`// Helper: Return valid session Object`
			`function returnSession () {`
			`// Only export client visible parts of session object`
			`var copy = common.shallowCopy (req.session, clientVisibleSession);`
			`return res.json (copy);`
			`}`
			`// Helper: Return error`
			`function returnError () {`
			`fillSession (req, undefined, undefined, function (err) {`
			`next (common.genError (401, "Unauthorized"));`
			`});`
			`}`

			`// Check whether to just validate current session ID`
			`if (user === '' && pwd === '') {`
			`console.log ("auth revalidate: " + req.session.user);`
			`if (req.session.user === undefined)`
			`return returnError();`
			`return returnSession ();`
			`}`
Login + Logout implemented; ProfilCard v1 implemented; 2019-07-19 21:12:38 +00:00
outsource db routes, schemata and logic into dbs.js 2019-06-20 15:17:45 +00:00			`// check local database, then ldap`
Login + Logout implemented; ProfilCard v1 implemented; 2019-07-19 21:12:38 +00:00			`Users.findById (req.body.user) .exec (function (err, entry) {`
restructure server.js, adding ldap access, part 1/2 role authorization 2019-06-18 13:54:07 +00:00			`// If there is a local user AND it has a password associated, test against this, and only this`
			`if (entry != null && entry.pwd) {`
			`if (crypto.checkLocalAuth (entry, req.body.pwd)) {`
			`return fillSession (req, entry, common.arrayToHash(entry.roles), returnSession);`
			`}`
			`return returnError ();`
			`}`

			`// check ldap`
			`ldap.authorize (user.toLowerCase(), pwd, function (found) {`
Login + Logout implemented; ProfilCard v1 implemented; 2019-07-19 21:12:38 +00:00			`//console.log ("ldap authorize " + user + " returns " + JSON.stringify (found));`
restructure server.js, adding ldap access, part 1/2 role authorization 2019-06-18 13:54:07 +00:00			`// No ldap entry either -> unauthorized`
			`if (found == null) {`
			`return returnError ();`
			`}`
			`// If there is an entry w/o password, use it for roles etc.`
			`if (entry) {`
			`if (! entry.name \|\| entry.name === "")`
			`entry.name = found.name;`
			`if (! entry.mail \|\| entry.mail === "")`
			`entry.mail = found.mail;`
			`if (! entry.type \|\| entry.type === "")`
			`entry.type = found.type;`
			`if (! entry.orclgender \|\| entry.orclgender === "")`
			`entry.orclgender = found.orclgender;`
			`return fillSession (req, entry, entry.roles.length > 0 ? common.arrayToHash(entry.roles) : {user:true}, returnSession);`
			`}`
			`// Otherwise create standard user entry`
			`return fillSession (req, found, {user:true}, returnSession);`
			`});`
Login + Logout implemented; ProfilCard v1 implemented; 2019-07-19 21:12:38 +00:00			`});`
restructure server.js, adding ldap access, part 1/2 role authorization 2019-06-18 13:54:07 +00:00			`},`
			`logout: function (req, res, next) {`
			`fillSession (req, undefined, undefined, function (err) {`
			`return res.json ({});`
			`});`
			`},`
			`init: function (_common) {`
			`common = _common;`
			`ldap.init (_common);`
Login + Logout implemented; ProfilCard v1 implemented; 2019-07-19 21:12:38 +00:00			`Users = dbs.models.Users;`
restructure server.js, adding ldap access, part 1/2 role authorization 2019-06-18 13:54:07 +00:00			`},`
			`};`

			`module.exports = authorization;`