OpenServer/OpenAuth_server
1
1
Fork 0
Code Issues Pull Requests Actions Releases Wiki Activity

Fixing wrong token order

Browse Source
This commit is contained in:
Fabian Stamm 2020-03-11 11:22:47 +01:00
parent d371ad5e70
commit c8550b517a
1 changed files with 49 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
src/api/middlewares/user.ts
View File

@ -16,22 +16,32 @@ class Invalid extends Error { }
* @param redirect_uri Default current uri. Sets the uri to redirect, if json is not set and user not logged in * @param redirect_uri Default current uri. Sets the uri to redirect, if json is not set and user not logged in
* @param validated Default true. If false, the token must not be validated * @param validated Default true. If false, the token must not be validated
*/ */
export function GetUserMiddleware(json = false, special_required: boolean = false, redirect_uri?: string, validated = true) { export function GetUserMiddleware(
return promiseMiddleware(async function (req: Request, res: Response, next?: NextFunction) { json = false,
special_required: boolean = false,
redirect_uri?: string,
validated = true
) {
return promiseMiddleware(async function(
req: Request,
res: Response,
next?: NextFunction
) {
const invalid = (message: string) => { const invalid = (message: string) => {
throw new Invalid(req.__(message)); throw new Invalid(req.__(message));
} };
try { try {
let { login, special } = req.cookies let { login, special } = req.query;
if (!login) { if (!login) {
login = req.query.login; login = req.cookies.login;
special = req.query.special; special = req.cookies.special;
} }
if (!login) invalid("No login token") if (!login) invalid("No login token");
if (!special && special_required) invalid("No special token") if (!special && special_required) invalid("No special token");
let token = await LoginToken.findOne({ token: login, valid: true }) let token = await LoginToken.findOne({ token: login, valid: true });
if (!await CheckToken(token, validated)) invalid("Login token invalid"); if (!(await CheckToken(token, validated)))
invalid("Login token invalid");
let user = await User.findById(token.user); let user = await User.findById(token.user);
if (!user) { if (!user) {
@ -42,30 +52,47 @@ export function GetUserMiddleware(json = false, special_required: boolean = fals
let special_token; let special_token;
if (special) { if (special) {
Logging.debug("Special found") Logging.debug("Special found");
special_token = await LoginToken.findOne({ token: special, special: true, valid: true, user: token.user }) special_token = await LoginToken.findOne({
if (!await CheckToken(special_token, validated)) token: special,
special: true,
valid: true,
user: token.user
});
if (!(await CheckToken(special_token, validated)))
invalid("Special token invalid"); invalid("Special token invalid");
req.special = true; req.special = true;
} }
req.user = user req.user = user;
req.isAdmin = user.admin; req.isAdmin = user.admin;
req.token = { req.token = {
login: token, login: token,
special: special_token special: special_token
} };
if (next) if (next) next();
next()
return true; return true;
} catch (e) { } catch (e) {
if (e instanceof Invalid) { if (e instanceof Invalid) {
if (req.method === "GET" && !json) { if (req.method === "GET" && !json) {
res.status(HttpStatusCode.UNAUTHORIZED) res.status(HttpStatusCode.UNAUTHORIZED);
res.redirect("/login?base64=true&state=" + Buffer.from(redirect_uri ? redirect_uri : req.originalUrl).toString("base64")) res.redirect(
"/login?base64=true&state=" +
Buffer.from(
redirect_uri ? redirect_uri : req.originalUrl
).toString("base64")
);
} else { } else {
throw new RequestError(req.__("You are not logged in or your login is expired" + ` (${e.message})`), HttpStatusCode.UNAUTHORIZED, undefined, { auth: true }) throw new RequestError(
req.__(
"You are not logged in or your login is expired" +
` (${e.message})`
),
HttpStatusCode.UNAUTHORIZED,
undefined,
{ auth: true }
);
} }
} else { } else {
if (next) next(e); if (next) next(e);