

  // Original file created by Prof.Dr. Matthias Hopf
  /*
   * Authorization
   */
  5. var common, Users;
  6. const ldap = require ('./ldap_ohm'),
  7. crypto = require ('./crypto'),
  8. dbs = require ('./dbs');
  // Fields of a user record that are copied into the server-side session.
  // `deactivated` is not used yet.
  const serverVisibleSession = {
    user: true,
    name: true,
    type: true,
    mail: true,
    roles: true,
    gender: true,
    deactivated: true,
    host: true,
  };
  // Subset of the session that is returned to the client
  // (`deactivated` and `host` stay server-side).
  const clientVisibleSession = {
    user: true,
    name: true,
    type: true,
    mail: true,
    roles: true,
    gender: true,
  };
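  // Fill in session object.
  // Regenerates the session (fresh session id) and, when `user` is given,
  // copies its server-visible fields into the new session and stores the
  // role hash under `roles`. Calling it with `user === undefined` therefore
  // clears the session (logout, failed login). `cb(err)` receives the
  // regenerate error, if any, or `common.genError(500, ...)` when the request
  // carries no session at all.
  function fillSession (req, user, roles, cb) {
    // No session middleware on this request: report through the callback.
    // `next` is not in scope here, and req.session cannot be regenerated.
    if (req.session === undefined)
      return cb (common.genError (500, "Error"));
    req.session.regenerate (function (err) {
      if (user !== undefined && ! err) {
        // `roles` is excluded from the field copy and set explicitly below,
        // because the session keeps roles as a hash, not as the user's array.
        common.shallowCopy (user, serverVisibleSession, {roles: true}, req.session);
        if (user._id) {
          req.session.user = user._id;
        }
        req.session.roles = roles;
      }
      return cb (err);
    });
  }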
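  const authorization = {
    // Generate Express middleware that passes only when the session belongs
    // to a logged-in user who holds role `group`; otherwise next()s a 403
    // error object suitable for throwing or next()ing.
    genCheckAuthorized: function (group) {
      return function (req, res, next) {
        var session = req.session;
        if (session === undefined || session.user === undefined ||
            session.roles === undefined)
          return next (common.genError (403, "Unauthorized"));
        // Own-property check: `roles` is a plain hash, and a bare index
        // lookup would also match inherited names such as "constructor".
        // Also rejects a non-object `roles` instead of throwing.
        if (typeof session.roles !== 'object' || session.roles === null ||
            ! Object.prototype.hasOwnProperty.call (session.roles, group))
          return next (common.genError (403, "Unauthorized"));
        next ();
      }
    },
    // Login route: requires .user and .pwd params (strings).
    // When both are empty, only the current session is revalidated.
    // Responds with the client-visible session on success, next()s a 401
    // error on bad credentials and a 500 error on a database failure.
    login: function (req, res, next) {
      var body = req.body || {};
      // The body is untrusted JSON: only accept string credentials, so that
      // nothing else reaches the database query or .toLowerCase() below.
      var user = typeof body.user === 'string' ? body.user : '';
      var pwd = typeof body.pwd === 'string' ? body.pwd : '';
      // Helper: Return valid session Object
      function returnSession (err) {
        // A failed session regenerate must not be answered with a session
        if (err)
          return next (common.genError (500, "Error"));
        // Only export client visible parts of session object
        var copy = common.shallowCopy (req.session, clientVisibleSession);
        return res.json (copy);
      }
      // Helper: Clear the session (best effort) and return error
      function returnError () {
        fillSession (req, undefined, undefined, function (err) {
          next (common.genError (401, "Unauthorized"));
        });
      }
      // Check whether to just validate current session ID
      if (user === '' && pwd === '') {
        var current = req.session === undefined ? undefined : req.session.user;
        console.log ("auth revalidate: " + current);
        if (current === undefined)
          return returnError ();
        return returnSession ();
      }
      // An empty user name or password never authenticates; in particular an
      // empty password must not reach the ldap bind (whether ./ldap_ohm
      // guards against that itself is not visible from here).
      if (user === '' || pwd === '')
        return returnError ();
      // check local database, then ldap
      Users.findById (user) .exec (function (err, entry) {
        // A database failure is not "no local user": falling through to ldap
        // here would skip the local-only password policy below.
        if (err)
          return next (common.genError (500, "Error"));
        // If there is a local user AND it has a password associated, test against this, and only this
        if (entry != null && entry.pwd) {
          if (crypto.checkLocalAuth (entry, pwd)) {
            return fillSession (req, entry, common.arrayToHash (entry.roles), returnSession);
          }
          return returnError ();
        }
        // check ldap
        ldap.authorize (user.toLowerCase (), pwd, function (found) {
          // No ldap entry either -> unauthorized
          if (found == null) {
            return returnError ();
          }
          // If there is an entry w/o password, use it for roles etc. and
          // fill in the profile fields it lacks from the ldap record
          if (entry) {
            if (! entry.name)
              entry.name = found.name;
            if (! entry.mail)
              entry.mail = found.mail;
            if (! entry.type)
              entry.type = found.type;
            if (! entry.orclgender)
              entry.orclgender = found.orclgender;
            // Local roles win; an entry without roles becomes a plain user
            var roles = Array.isArray (entry.roles) && entry.roles.length > 0
              ? common.arrayToHash (entry.roles)
              : {user: true};
            return fillSession (req, entry, roles, returnSession);
          }
          // Otherwise create standard user entry
          return fillSession (req, found, {user: true}, returnSession);
        });
      });
    },
    // Logout route: regenerating the session without a user drops everything
    // it held. Always answers with an empty object (best effort).
    logout: function (req, res, next) {
      fillSession (req, undefined, undefined, function (err) {
        return res.json ({});
      });
    },
    // Wire up the shared helper module and the Users model; must be called
    // before any route is used.
    init: function (_common) {
      common = _common;
      ldap.init (_common);
      Users = dbs.models.Users;
    },
  };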
  // Public surface: route handlers, the authorization middleware factory and init()
  module.exports = authorization;