// Original file created by Prof.Dr. Matthias Hopf
/*
 * Authorization: login/logout routes and the role-check middleware.
 * Credentials are checked against the local user database first, then LDAP.
 */
// Module-level dependencies, assigned by init() below: `common` is the shared
// helper module (genError/shallowCopy/arrayToHash), `Users` the user model.
var common, Users;
const ldap = require ('./ldap_ohm'),
crypto = require ('./crypto'),
dbs = require ('./dbs');
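// Allow-lists used as the key filter for common.shallowCopy (assumed: keys
// mapped to true are copied, everything else is dropped).
//   serverVisibleSession - fields of a user record that may live in the
//                          server-side session (fillSession)
//   clientVisibleSession - the subset echoed back to the browser by login()
// Both are frozen so a stray assignment elsewhere cannot widen a list.
//
// NOTE: `deactivated` is stored in the session but nothing in this file
// enforces it yet - a deactivated account can still log in. `deactivated`
// and `host` are deliberately absent from the client-visible list.
const serverVisibleSession = Object.freeze ({ user: true, name: true, type: true, mail: true, roles: true, gender: true, deactivated: true, host: true });

const clientVisibleSession = Object.freeze ({ user: true, name: true, type: true, mail: true, roles: true, gender: true });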
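// Fill in session object.
// Regenerates the session (new session ID) and, when a user is given, copies
// the server-visible fields of `user` into it plus the given roles hash.
// Calling it without a user (login failure, logout) leaves a fresh, empty
// session, which is what drops any previously authenticated identity.
//
// req   - request whose req.session provides regenerate(cb) (express-session
//         style; assumed, not visible here)
// user  - user record (local DB entry or LDAP result) or undefined
// roles - hash of role name -> true, stored verbatim as req.session.roles
// cb    - called once with the regenerate error (falsy on success), or with
//         a 500 error when there is no session object at all
function fillSession (req, user, roles, cb) {
    // The original called an undefined `next` here (ReferenceError) and then
    // fell through to regenerate() on an undefined session; hand the error to
    // the caller instead so the route can answer with it.
    if (req.session === undefined)
        return cb (common.genError (500, "Error"));
    // Always regenerate: a new session ID is issued on every login and logout,
    // so a pre-login (possibly attacker-chosen) ID is never promoted to an
    // authenticated one.
    req.session.regenerate (function (err) {
        if (err || user === undefined)
            return cb (err);
        // Only allow-listed fields are stored; `roles` is excluded from the
        // copy and set explicitly from the hash computed by the caller.
        common.shallowCopy (user, serverVisibleSession, {roles: true}, req.session);
        // Database entries carry an _id; that becomes the session's user key.
        if (user._id) {
            req.session.user = user._id;
        }
        req.session.roles = roles;
        return cb (err);
    });
}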
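const authorization = {

    // genCheckAuthorized(group): middleware factory. The returned handler
    // passes the request on only when the session is authenticated
    // (session.user set) and its roles hash has an own key `group`; every
    // other case is answered with a 403 through next(). Errors are built
    // with common.genError, which yields an Error object suitable for
    // throwing or next()ing.
    //
    // group - role name to require (e.g. "user", "admin")
    genCheckAuthorized: function (group) {
        return function (req, res, next) {
            const session = req.session;
            if (session === undefined || session.user === undefined ||
                session.roles == null)
                return next (common.genError (403, "Unauthorized"));
            // Own-property test instead of `roles[group] === undefined`:
            // roles is a plain object, so an inherited name such as
            // "constructor" or "toString" would otherwise count as granted.
            if (! Object.prototype.hasOwnProperty.call (session.roles, group))
                return next (common.genError (403, "Unauthorized"));
            next ();
        };
    },

    // Login route: requires .user and .pwd params in the parsed body.
    //   - both empty/missing     -> revalidate: answer with the current
    //                               session (401 if it carries no user)
    //   - local entry with pwd   -> checked against that password only
    //   - otherwise              -> LDAP bind; a local entry without password
    //                               (if any) supplies roles and fills blank
    //                               name/mail/type/orclgender from LDAP
    // On success the client-visible part of the session is returned as JSON;
    // on failure the session is regenerated (dropping any identity) and a 401
    // is passed to next(). A database error is passed on as a 500.
    login: function (req, res, next) {
        const body = req.body || {};
        // Missing credentials count as '' (the revalidate case below, which
        // the original `|| ''` also allowed). Anything else that is not a
        // string - objects/arrays from a JSON body, numbers - is rejected up
        // front: the original handed the raw value to Users.findById and to
        // String.prototype.toLowerCase, so a non-string user either reached
        // the query unfiltered or threw inside the DB callback.
        const user = body.user == null ? '' : body.user;
        const pwd = body.pwd == null ? '' : body.pwd;

        // Helper: Return valid session Object
        function returnSession () {
            // Only export client visible parts of session object
            const copy = common.shallowCopy (req.session, clientVisibleSession);
            return res.json (copy);
        }
        // Helper: Return error. The session is regenerated first so a failed
        // attempt never leaves a previously authenticated identity behind.
        function returnError () {
            fillSession (req, undefined, undefined, function (err) {
                next (common.genError (401, "Unauthorized"));
            });
        }

        if (typeof user !== 'string' || typeof pwd !== 'string')
            return returnError ();

        // Check whether to just validate current session ID
        if (user === '' && pwd === '') {
            const session = req.session;
            console.log ("auth revalidate: " + (session ? session.user : undefined));
            if (session === undefined || session.user === undefined)
                return returnError ();
            return returnSession ();
        }

        // Neither an empty user nor an empty password is a valid credential.
        // Rejecting an empty password here keeps it away from the LDAP bind,
        // where many directories treat it as an anonymous (unauthenticated)
        // bind that "succeeds".
        if (user === '' || pwd === '')
            return returnError ();

        // check local database, then ldap
        Users.findById (user) .exec (function (err, entry) {
            // A database failure used to be ignored, which silently fell
            // through to LDAP even for accounts that must authenticate
            // locally only; report it instead.
            if (err)
                return next (common.genError (500, "Error"));

            // If there is a local user AND it has a password associated, test against this, and only this
            if (entry != null && entry.pwd) {
                if (crypto.checkLocalAuth (entry, pwd)) {
                    return fillSession (req, entry, common.arrayToHash (entry.roles), returnSession);
                }
                return returnError ();
            }

            // check ldap
            ldap.authorize (user.toLowerCase (), pwd, function (found) {
                // No ldap entry either -> unauthorized
                if (found == null) {
                    return returnError ();
                }

                // If there is an entry w/o password, use it for roles etc.;
                // blank local fields are filled from the directory record.
                if (entry) {
                    if (! entry.name || entry.name === "")
                        entry.name = found.name;
                    if (! entry.mail || entry.mail === "")
                        entry.mail = found.mail;
                    if (! entry.type || entry.type === "")
                        entry.type = found.type;
                    if (! entry.orclgender || entry.orclgender === "")
                        entry.orclgender = found.orclgender;
                    // A local entry without roles gets the default "user" role
                    // (Array.isArray guards a missing roles field, which used
                    // to throw on .length).
                    const roles = Array.isArray (entry.roles) && entry.roles.length > 0
                        ? common.arrayToHash (entry.roles)
                        : {user: true};
                    return fillSession (req, entry, roles, returnSession);
                }

                // Otherwise create standard user entry
                return fillSession (req, found, {user: true}, returnSession);
            });
        });
    },

    // Logout: regenerate the session (new ID, no user/roles) and answer {}.
    // A regenerate error is ignored here (pre-existing behaviour); whether the
    // old session can survive such an error is not visible in this file -
    // worth confirming against the session store.
    logout: function (req, res, next) {
        fillSession (req, undefined, undefined, function (err) {
            return res.json ({});
        });
    },

    // init: wire the module-level dependencies. Must run before any route
    // above is used: login needs `Users`, and everything needs `common`.
    init: function (_common) {
        common = _common;
        ldap.init (_common);
        Users = dbs.models.Users;
    },

};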
// Routes/middleware bundle; callers must invoke authorization.init() first,
// since login() depends on `Users` and `common` being set there.
module.exports = authorization;