swaf/src/auth/AuthGuard.ts

import AuthProof from "./AuthProof";
import MysqlConnectionManager from "../db/MysqlConnectionManager";
import User from "./models/User";
import UserEmail from "./models/UserEmail";
import {Connection} from "mysql";
import {Request} from "express";
import {PENDING_ACCOUNT_REVIEW_MAIL_TEMPLATE} from "../Mails";
import Mail from "../Mail";
import Controller from "../Controller";
import config from "config";

export default abstract class AuthGuard<P extends AuthProof> {
    public abstract async getProofForSession(session: Express.Session): Promise<P | null>;

    public async getProofForRequest(req: Request): Promise<P | null> {
        return null;
    }

    public async getUserForSession(session: Express.Session): Promise<User | null> {
        if (!await this.isAuthenticated(session)) return null;
        return await User.getById<User>(session.auth_id);
    }

    public async authenticateOrRegister(session: Express.Session, proof: P, registerCallback?: (connection: Connection, userID: number) => Promise<(() => Promise<void>)[]>): Promise<void> {
        if (!await proof.isAuthorized()) {
            throw new AuthError('Invalid argument: cannot authenticate with an unauthorized proof.');
        }

        let user = await proof.getUser();
        if (!user) { // Register
            const callbacks: (() => Promise<void>)[] = [];

            await MysqlConnectionManager.wrapTransaction(async connection => {
                const email = await proof.getEmail();
                user = new User({
                    name: email.split('@')[0],
                });
                await user.save(connection, c => callbacks.push(c));

                const userEmail = new UserEmail({
                    user_id: user.id,
                    email: email,
                    main: true,
                });
                await userEmail.save(connection, c => callbacks.push(c));
                if (registerCallback) {
                    (await registerCallback(connection, user.id!)).forEach(c => callbacks.push(c));
                }
            });

            for (const callback of callbacks) {
                await callback();
            }

            if (user) {
                if (!user!.isApproved()) {
                    await new Mail(PENDING_ACCOUNT_REVIEW_MAIL_TEMPLATE, {
                        username: user!.name,
                        link: config.get<string>('base_url') + Controller.route('accounts-approval'),
                    }).send(config.get<string>('app.contact_email'));
                }
            } else {
                throw new Error('Unable to register user.');
            }
        } else if (registerCallback) {
            throw new UserAlreadyExistsAuthError(await proof.getEmail());
        }

        if (!user.isApproved()) {
            throw new PendingApprovalAuthError();
        }

        session.auth_id = user.id;
    }

    public async isAuthenticated(session: Express.Session): Promise<boolean> {
        return await this.checkCurrentSessionProofValidity(session);
    }

    public async logout(session: Express.Session): Promise<void> {
        const proof = await this.getProofForSession(session);
        if (proof) {
            await proof.revoke(session);
        }
        session.auth_id = undefined;
    }

    private async checkCurrentSessionProofValidity(session: Express.Session): Promise<boolean> {
        if (typeof session.auth_id !== 'number') return false;

        const proof = await this.getProofForSession(session);

        if (!proof || !await proof.isValid() || !await proof.isAuthorized() || !await proof.isOwnedBy(session.auth_id)) {
            await this.logout(session);
            return false;
        }

        return true;
    }

    public async isAuthenticatedViaRequest(req: Request): Promise<boolean> {
        const proof = await this.getProofForRequest(req);
        if (proof && await proof.isValid() && await proof.isAuthorized()) {
            return true;
        } else {
            return false;
        }
    }

    public async getUserForRequest(req: Request): Promise<User | null> {
        const proof = await this.getProofForRequest(req);
        return proof ? await proof.getUser() : null;
    }

}

export class AuthError extends Error {
    constructor(message: string) {
        super(message);
    }
}

export class UserAlreadyExistsAuthError extends AuthError {
    public readonly email: string;

    constructor(userEmail: string) {
        super(`User with email ${userEmail} already exists.`);
        this.email = userEmail;
    }
}

export class PendingApprovalAuthError extends AuthError {
    constructor() {
        super(`User is not approved.`);
    }
}
Add auth utils parts 2020-04-24 12:12:27 +02:00			`import AuthProof from "./AuthProof";`
			`import MysqlConnectionManager from "../db/MysqlConnectionManager";`
			`import User from "./models/User";`
			`import UserEmail from "./models/UserEmail";`
Pass session to auth methods 2020-04-25 09:35:49 +02:00			`import {Connection} from "mysql";`
Add support for authenticating user against custom request-proof matching 2020-06-14 11:59:02 +02:00			`import {Request} from "express";`
Finish promoting email views and add backend controller 2020-07-20 17:32:32 +02:00			`import {PENDING_ACCOUNT_REVIEW_MAIL_TEMPLATE} from "../Mails";`
			`import Mail from "../Mail";`
			`import Controller from "../Controller";`
			`import config from "config";`
Add auth utils parts 2020-04-24 12:12:27 +02:00
			`export default abstract class AuthGuard<P extends AuthProof> {`
Pass session to auth methods 2020-04-25 09:35:49 +02:00			`public abstract async getProofForSession(session: Express.Session): Promise<P \| null>;`
Add auth utils parts 2020-04-24 12:12:27 +02:00
Add support for authenticating user against custom request-proof matching 2020-06-14 11:59:02 +02:00			`public async getProofForRequest(req: Request): Promise<P \| null> {`
			`return null;`
			`}`

Add auth utils parts 2020-04-24 12:12:27 +02:00			`public async getUserForSession(session: Express.Session): Promise<User \| null> {`
			`if (!await this.isAuthenticated(session)) return null;`
Revamp model system - Add model relations - Get rid of SQL_CALC_FOUND_ROWS (deprecated) - Eager loading 2020-06-27 14:36:50 +02:00			`return await User.getById<User>(session.auth_id);`
Add auth utils parts 2020-04-24 12:12:27 +02:00			`}`

Add register callback to optionally save more models 2020-04-25 09:36:20 +02:00			`public async authenticateOrRegister(session: Express.Session, proof: P, registerCallback?: (connection: Connection, userID: number) => Promise<(() => Promise<void>)[]>): Promise<void> {`
Add auth utils parts 2020-04-24 12:12:27 +02:00			`if (!await proof.isAuthorized()) {`
			`throw new AuthError('Invalid argument: cannot authenticate with an unauthorized proof.');`
			`}`

			`let user = await proof.getUser();`
			`if (!user) { // Register`
			`const callbacks: (() => Promise<void>)[] = [];`

			`await MysqlConnectionManager.wrapTransaction(async connection => {`
			`const email = await proof.getEmail();`
			`user = new User({`
			`name: email.split('@')[0],`
			`});`
			`await user.save(connection, c => callbacks.push(c));`

			`const userEmail = new UserEmail({`
			`user_id: user.id,`
			`email: email,`
			`main: true,`
			`});`
			`await userEmail.save(connection, c => callbacks.push(c));`
Add register callback to optionally save more models 2020-04-25 09:36:20 +02:00			`if (registerCallback) {`
			`(await registerCallback(connection, user.id!)).forEach(c => callbacks.push(c));`
			`}`
Add auth utils parts 2020-04-24 12:12:27 +02:00			`});`

			`for (const callback of callbacks) {`
			`await callback();`
			`}`

Finish promoting email views and add backend controller 2020-07-20 17:32:32 +02:00			`if (user) {`
Improve approval mode component security, reliability and usage 2020-07-24 13:00:20 +02:00			`if (!user!.isApproved()) {`
Finish promoting email views and add backend controller 2020-07-20 17:32:32 +02:00			`await new Mail(PENDING_ACCOUNT_REVIEW_MAIL_TEMPLATE, {`
			`username: user!.name,`
Change public_url config field name to base_url 2020-07-24 12:59:44 +02:00			`link: config.get<string>('base_url') + Controller.route('accounts-approval'),`
Finish promoting email views and add backend controller 2020-07-20 17:32:32 +02:00			`}).send(config.get<string>('app.contact_email'));`
			`}`
			`} else {`
Add auth utils parts 2020-04-24 12:12:27 +02:00			`throw new Error('Unable to register user.');`
			`}`
Add register callback to optionally save more models 2020-04-25 09:36:20 +02:00			`} else if (registerCallback) {`
Improve verbosity of auth error 2020-04-25 16:08:20 +02:00			`throw new UserAlreadyExistsAuthError(await proof.getEmail());`
Add auth utils parts 2020-04-24 12:12:27 +02:00			`}`

Improve approval mode component security, reliability and usage 2020-07-24 13:00:20 +02:00			`if (!user.isApproved()) {`
			`throw new PendingApprovalAuthError();`
			`}`
Add optional user approval mode 2020-06-16 11:12:58 +02:00
Add auth utils parts 2020-04-24 12:12:27 +02:00			`session.auth_id = user.id;`
			`}`

			`public async isAuthenticated(session: Express.Session): Promise<boolean> {`
			`return await this.checkCurrentSessionProofValidity(session);`
			`}`

			`public async logout(session: Express.Session): Promise<void> {`
Pass session to auth methods 2020-04-25 09:35:49 +02:00			`const proof = await this.getProofForSession(session);`
Add auth utils parts 2020-04-24 12:12:27 +02:00			`if (proof) {`
Pass session to auth methods 2020-04-25 09:35:49 +02:00			`await proof.revoke(session);`
Add auth utils parts 2020-04-24 12:12:27 +02:00			`}`
			`session.auth_id = undefined;`
			`}`

			`private async checkCurrentSessionProofValidity(session: Express.Session): Promise<boolean> {`
			`if (typeof session.auth_id !== 'number') return false;`

Pass session to auth methods 2020-04-25 09:35:49 +02:00			`const proof = await this.getProofForSession(session);`
Add auth utils parts 2020-04-24 12:12:27 +02:00
			`if (!proof \|\| !await proof.isValid() \|\| !await proof.isAuthorized() \|\| !await proof.isOwnedBy(session.auth_id)) {`
			`await this.logout(session);`
			`return false;`
			`}`

			`return true;`
			`}`
Add support for authenticating user against custom request-proof matching 2020-06-14 11:59:02 +02:00
			`public async isAuthenticatedViaRequest(req: Request): Promise<boolean> {`
			`const proof = await this.getProofForRequest(req);`
			`if (proof && await proof.isValid() && await proof.isAuthorized()) {`
			`return true;`
			`} else {`
			`return false;`
			`}`
			`}`

			`public async getUserForRequest(req: Request): Promise<User \| null> {`
			`const proof = await this.getProofForRequest(req);`
			`return proof ? await proof.getUser() : null;`
			`}`

Add auth utils parts 2020-04-24 12:12:27 +02:00			`}`

			`export class AuthError extends Error {`
			`constructor(message: string) {`
			`super(message);`
			`}`
Improve verbosity of auth error 2020-04-25 16:08:20 +02:00			`}`

			`export class UserAlreadyExistsAuthError extends AuthError {`
			`public readonly email: string;`

			`constructor(userEmail: string) {`
			super(`User with email ${userEmail} already exists.`);
			`this.email = userEmail;`
			`}`
Add optional user approval mode 2020-06-16 11:12:58 +02:00			`}`

			`export class PendingApprovalAuthError extends AuthError {`
			`constructor() {`
			super(`User is not approved.`);
			`}`
Improve approval mode component security, reliability and usage 2020-07-24 13:00:20 +02:00			`}`