"use strict"; const express = require("express"), config = require("config"), LdapAuth = require("ldapauth-fork"), crypto = require("crypto"); const router = express.Router(); let userDB; let ldap; if (config.has("ldap.url")) { ldap = new LdapAuth(config.get("ldap")); } else { ldap = null; } require("../db/users").then(function(db) { userDB = db; }); router.get("/", function(req, res/*, next*/) { if (req.session.user) { return res.status(200).send(req.session.user); } return res.status(200).send({}); }); function ldapPromise(username, password) { if (!ldap) { return Promise.reject("LDAP not being used"); } return new Promise(function(resolve, reject) { ldap.authenticate(username, password, function(error, user) { if (error) { return reject(error); } return resolve(user); }); }); } router.post("/create", function(req, res) { let username = req.query.u || req.body.u || "", password = req.query.p || req.body.p || "", name = req.query.n || req.body.n || username, mail = req.query.m || req.body.m; if (!username || !password || !mail || !name) { return res.status(400).send("Missing user id, name, password, and/or email"); } let query = "SELECT * FROM users WHERE uid=:username"; return userDB.sequelize.query(query, { replacements: { username: username }, type: userDB.Sequelize.QueryTypes.SELECT }).then(function(results) { if (results.length != 0) { return res.status(400).send("Username already exists."); } return userDB.sequelize.query("INSERT INTO users " + "(uid,displayName,password,mail,memberSince,authenticated) " + "VALUES(:username,:name,:password,:mail,CURRENT_TIMESTAMP,0)", { replacements: { username: username, name: name, password: crypto.createHash('sha256').update(password).digest('base64'), mail: mail } }).then(function(results) { /* req.session.user = { name: name, mail: mail, username: username, }; return res.status(200).send(req.session.user); */ req.session.user = {}; return res.status(401).send("Account has not been authenticated."); }); }); }); router.post("/login", function(req, res) { let username = req.query.u || req.body.u || "", password = req.query.p || req.body.p || ""; console.log("Login attempt"); if (!username || !password) { return res.status(400).send("Missing username and/or password"); } /* We use LDAP as the primary authenticator; if the user is not * found there, we look them up in the site-specific user database */ return ldapPromise(username, password).then(function(user) { user.authenticated = 1; return user; }).catch(function() { console.log("User not found in LDAP. Looking up in DB."); let query = "SELECT * FROM users WHERE uid=:username AND password=:password"; return userDB.sequelize.query(query, { replacements: { username: username, password: crypto.createHash('sha256').update(password).digest('base64') }, type: userDB.Sequelize.QueryTypes.SELECT }).then(function(users) { if (users.length != 1) { return null; } return users[0]; }); }).then(function(user) { if (!user) { console.log(username + " not found."); req.session.user = {}; return res.status(401).send("Invalid login credentials"); } if (!user.authenticated) { console.log(username + " not authenticated."); req.session.user = {}; return res.status(401).send("Account has not been authenticated."); } console.log("Logging in as " + user.displayName); req.session.user = { name: user.displayName, mail: user.mail, username: user.uid }; return res.status(200).send(req.session.user); }); }); router.get("/logout", function(req, res) { if (req.session && req.session.user) { req.session.user = {}; } res.status(200).send(req.session.user); }); module.exports = router;