verdaccio/lib/auth.js

var Crypto       = require('crypto')
var jju          = require('jju')
var Error        = require('http-errors')
var Logger       = require('./logger')
var load_plugins = require('./plugin-loader').load_plugins

module.exports = Auth

function Auth(config) {
  var self = Object.create(Auth.prototype)
  self.config = config
  self.logger = Logger.logger.child({ sub: 'auth' })
  self.secret = config.secret

  var plugin_params = {
    config: config,
    logger: self.logger
  }

  if (config.users_file) {
    if (!config.auth || !config.auth.htpasswd) {
      // b/w compat
      config.auth = config.auth || {}
      config.auth.htpasswd = { file: config.users_file }
    }
  }

  self.plugins = load_plugins(config, config.auth, plugin_params, function (p) {
    return p.authenticate || p.allow_access || p.allow_publish
  })

  self.plugins.unshift({
    sinopia_version: '1.1.0',

    authenticate: function(user, password, cb) {
      if (config.users != null
       && config.users[user] != null
       && (Crypto.createHash('sha1').update(password).digest('hex')
            === config.users[user].password)
      ) {
        return cb(null, [ user ])
      }

      return cb()
    },

    adduser: function(user, password, cb) {
      if (config.users && config.users[user])
        return cb( Error[403]('this user already exists') )

      return cb()
    },
  })

  function allow_action(action) {
    return function(user, package, cb) {
      var ok = package[action].reduce(function(prev, curr) {
        if (user.groups.indexOf(curr) !== -1) return true
        return prev
      }, false)

      if (ok) return cb(null, true)

      if (user.name) {
        cb( Error[403]('user ' + user.name + ' is not allowed to ' + action + ' package ' + package.name) )
      } else {
        cb( Error[403]('unregistered users are not allowed to ' + action + ' package ' + package.name) )
      }
    }
  }

  self.plugins.push({
    authenticate: function(user, password, cb) {
      return cb( Error[403]('bad username/password, access denied') )
    },

    add_user: function(user, password, cb) {
      return cb( Error[409]('registration is disabled') )
    },

    allow_access: allow_action('access'),
    allow_publish: allow_action('publish'),
  })

  return self
}

Auth.prototype.authenticate = function(user, password, cb) {
  var plugins = this.plugins.slice(0)

  ;(function next() {
    var p = plugins.shift()

    if (typeof(p.authenticate) !== 'function') {
      return next()
    }

    p.authenticate(user, password, function(err, groups) {
      if (err) return cb(err)
      if (groups != null && groups != false)
        return cb(err, AuthenticatedUser(user, groups))
      next()
    })
  })()
}

Auth.prototype.add_user = function(user, password, cb) {
  var self = this
  var plugins = this.plugins.slice(0)

  ;(function next() {
    var p = plugins.shift()
    var n = 'adduser'
    if (typeof(p[n]) !== 'function') {
      n = 'add_user'
    }
    if (typeof(p[n]) !== 'function') {
      next()
    } else {
      p[n](user, password, function(err, ok) {
        if (err) return cb(err)
        if (ok) return self.authenticate(user, password, cb)
        next()
      })
    }
  })()
}

Auth.prototype.allow_access = function(package_name, user, callback) {
  var plugins = this.plugins.slice(0)
  var package = Object.assign({ name: package_name },
                              this.config.get_package_spec(package_name))

  ;(function next() {
    var p = plugins.shift()

    if (typeof(p.allow_access) !== 'function') {
      return next()
    }

    p.allow_access(user, package, function(err, ok) {
      if (err) return callback(err)
      if (ok) return callback(null, ok)
      next() // cb(null, false) causes next plugin to roll
    })
  })()
}

Auth.prototype.allow_publish = function(package_name, user, callback) {
  var plugins = this.plugins.slice(0)
  var package = Object.assign({ name: package_name },
                              this.config.get_package_spec(package_name))

  ;(function next() {
    var p = plugins.shift()

    if (typeof(p.allow_access) !== 'function') {
      return next()
    }

    p.allow_access(user, package, function(err, ok) {
      if (err) return callback(err)
      if (ok) return callback(null, ok)
      next() // cb(null, false) causes next plugin to roll
    })
  })()
}

Auth.prototype.basic_middleware = function() {
  var self = this
  return function(req, res, _next) {
    req.pause()
    function next(err) {
      req.resume()
      // uncomment this to reject users with bad auth headers
      //return _next.apply(null, arguments)

      // swallow error, user remains unauthorized
      // set remoteUserError to indicate that user was attempting authentication
      if (err) req.remote_user.error = err.message
      return _next()
    }

    if (req.remote_user != null && req.remote_user.name !== undefined)
      return next()
    req.remote_user = AnonymousUser()

    var authorization = req.headers.authorization
    if (authorization == null) return next()

    var parts = authorization.split(' ')

    if (parts.length !== 2)
      return next( Error[400]('bad authorization header') )

    var scheme = parts[0]
    if (scheme === 'Basic') {
      var credentials = Buffer(parts[1], 'base64').toString()
    } else if (scheme === 'Bearer') {
      var credentials = self.aes_decrypt(Buffer(parts[1], 'base64')).toString('utf8')
      if (!credentials) return next()
    } else {
      return next()
    }

    var index = credentials.indexOf(':')
    if (index < 0) return next()

    var user = credentials.slice(0, index)
    var pass = credentials.slice(index + 1)

    self.authenticate(user, pass, function(err, user) {
      if (!err) {
        req.remote_user = user
        next()
      } else {
        req.remote_user = AnonymousUser()
        next(err)
      }
    })
  }
}

Auth.prototype.bearer_middleware = function() {
  var self = this
  return function(req, res, _next) {
    req.pause()
    function next(_err) {
      req.resume()
      return _next.apply(null, arguments)
    }

    if (req.remote_user != null && req.remote_user.name !== undefined)
      return next()
    req.remote_user = AnonymousUser()

    var authorization = req.headers.authorization
    if (authorization == null) return next()

    var parts = authorization.split(' ')

    if (parts.length !== 2)
      return next( Error[400]('bad authorization header') )

    var scheme = parts[0]
    var token = parts[1]

    if (scheme !== 'Bearer')
      return next()

    try {
      var user = self.decode_token(token)
    } catch(err) {
      return next(err)
    }

    req.remote_user = AuthenticatedUser(user.u, user.g)
    req.remote_user.token = token
    next()
  }
}

Auth.prototype.cookie_middleware = function() {
  var self = this
  return function(req, res, _next) {
    req.pause()
    function next(_err) {
      req.resume()
      return _next()
    }

    if (req.remote_user != null && req.remote_user.name !== undefined)
      return next()

    req.remote_user = AnonymousUser()

    var token = req.cookies.get('token')
    if (token == null) return next()

    /*try {
      var user = self.decode_token(token, 60*60)
    } catch(err) {
      return next()
    }

    req.remote_user = AuthenticatedUser(user.u, user.g)
    req.remote_user.token = token
    next()*/
    var credentials = self.aes_decrypt(Buffer(token, 'base64')).toString('utf8')
    if (!credentials) return next()

    var index = credentials.indexOf(':')
    if (index < 0) return next()

    var user = credentials.slice(0, index)
    var pass = credentials.slice(index + 1)

    self.authenticate(user, pass, function(err, user) {
      if (!err) {
        req.remote_user = user
        next()
      } else {
        req.remote_user = AnonymousUser()
        next(err)
      }
    })
  }
}

Auth.prototype.issue_token = function(user) {
  var data = jju.stringify({
    u: user.name,
    g: user.real_groups && user.real_groups.length ? user.real_groups : undefined,
    t: ~~(Date.now()/1000),
  }, { indent: false })

  data = Buffer(data, 'utf8')
  var mac = Crypto.createHmac('sha256', this.secret).update(data).digest()
  return Buffer.concat([ data, mac ]).toString('base64')
}

Auth.prototype.decode_token = function(str, expire_time) {
  var buf = Buffer(str, 'base64')
  if (buf.length <= 32) throw Error[401]('invalid token')

  var data      = buf.slice(0, buf.length - 32)
  var their_mac = buf.slice(buf.length - 32)
  var good_mac  = Crypto.createHmac('sha256', this.secret).update(data).digest()

  their_mac = Crypto.createHash('sha512').update(their_mac).digest('hex')
  good_mac  = Crypto.createHash('sha512').update(good_mac).digest('hex')
  if (their_mac !== good_mac) throw Error[401]('bad signature')

  // make token expire in 24 hours
  // TODO: make configurable?
  expire_time = expire_time || 24*60*60

  data = jju.parse(data.toString('utf8'))
  if (Math.abs(data.t - ~~(Date.now()/1000)) > expire_time)
    throw Error[401]('token expired')

  return data
}

Auth.prototype.aes_encrypt = function(buf) {
  var c = Crypto.createCipher('aes192', this.secret)
  var b1 = c.update(buf)
  var b2 = c.final()
  return Buffer.concat([ b1, b2 ])
}

Auth.prototype.aes_decrypt = function(buf) {
  try {
    var c = Crypto.createDecipher('aes192', this.secret)
    var b1 = c.update(buf)
    var b2 = c.final()
  } catch(_) {
    return Buffer(0)
  }
  return Buffer.concat([ b1, b2 ])
}

function AnonymousUser() {
  return {
    name: undefined,
    // groups without '$' are going to be deprecated eventually
    groups: [ '$all', '$anonymous', '@all', '@anonymous', 'all', 'undefined', 'anonymous' ],
    real_groups: [],
  }
}

function AuthenticatedUser(name, groups) {
  var _groups = (groups || []).concat([ '$all', '$authenticated', '@all', '@authenticated', 'all' ])
  return {
    name: name,
    groups: _groups,
    real_groups: groups,
  }
}