embark/lib/modules/authenticator/index.js

const uuid = require('uuid/v1');
const utils = require("../../utils/utils.js")
const keccak = require('keccakjs');

const ERROR_OBJ = {error: __('Wrong authentication token. Get your token from the Embark console by typing `token`')};

class Authenticator {
  constructor(embark, _options) {
    this.authToken = uuid();
    this.embark = embark;
    this.logger = embark.logger;
    this.events = embark.events;

    this.registerCalls();
    this.registerEvents();
  }

  generateRequestHash(req) {
    let cnonce = req.headers['x-embark-cnonce'];
    let hash = new keccak();
    hash.update(cnonce);
    hash.update(this.authToken);
    hash.update(req.method);
    hash.update(req.url);
    return hash.digest('hex');
  }

  registerCalls() {
    let self = this;

    this.embark.registerAPICall(
      'post',
      '/embark-api/authenticate',
      (req, res) => {
        let hash = self.generateRequestHash(req);
        if(hash !== req.headers['x-embark-request-hash']) {
          this.logger.warn(__('Someone tried and failed to authenticate to the backend'));
          this.logger.warn(__('- User-Agent: %s', req.headers['user-agent']));
          this.logger.warn(__('- Referer: %s', req.headers.referer));
          return res.send(ERROR_OBJ);
        }
        res.send();
      }
    );

    this.embark.registerConsoleCommand((cmd, _options) => {
      return {
        match: () => cmd === "token",
        process: (callback) => {
          callback(null, __('Your authentication token: %s \nYou can use the command `copytoken` to copy the authentication token to your clipboard', this.authToken));
        }
      };
    });

    this.embark.registerConsoleCommand((cmd, _options) => {
      return {
        match: () => cmd === "copytoken",
        process: (callback) => {
          utils.copyToClipboard(this.authToken)
          callback(null, __('Token copied to clipboard: %s', this.authToken));
        }
      };
    });

  }

  registerEvents() {
    let self = this;

    this.events.once('outputDone', () => {
      const {port, host} = this.embark.config.webServerConfig;
      this.logger.info(__('Access the web backend with the following url: %s',
        (`http://${host}:${port}/embark?token=${this.authToken}`.underline)));
    });

    this.events.setCommandHandler('authenticator:authorize', (req, res, cb) => {
      let authenticated = false;
      if(!res.send) {
        authenticated = (this.authToken === req.protocol);
      } else {
        let hash = self.generateRequestHash(req);
        authenticated = (hash === req.headers['x-embark-request-hash']);
      }

      if(authenticated) return cb();
      cb(ERROR_OBJ);
    });
  }
}

module.exports = Authenticator;
add basic authentication 2018-09-06 15:30:06 +00:00			`const uuid = require('uuid/v1');`
add copytoken command 2018-10-13 00:46:53 +00:00			`const utils = require("../../utils/utils.js")`
Don't send token in request body. Instead, we want to hash a header to sign a request with a client nonce, http method and URL. This is a first step towards protecting the backend against eavesdropping. Please note that this will still be susceptible to replay attacks. 2018-10-16 16:48:51 +00:00			`const keccak = require('keccakjs');`
add basic authentication 2018-09-06 15:30:06 +00:00
authorize each request through header 2018-09-06 20:06:07 +00:00			const ERROR_OBJ = {error: __('Wrong authentication token. Get your token from the Embark console by typing `token`')};
add basic authentication 2018-09-06 15:30:06 +00:00
authorize each request through header 2018-09-06 20:06:07 +00:00			`class Authenticator {`
add basic authentication 2018-09-06 15:30:06 +00:00			`constructor(embark, _options) {`
			`this.authToken = uuid();`
add console command to get token 2018-09-06 17:33:15 +00:00			`this.embark = embark;`
			`this.logger = embark.logger;`
authorize each request through header 2018-09-06 20:06:07 +00:00			`this.events = embark.events;`
add basic authentication 2018-09-06 15:30:06 +00:00
add console command to get token 2018-09-06 17:33:15 +00:00			`this.registerCalls();`
authorize each request through header 2018-09-06 20:06:07 +00:00			`this.registerEvents();`
add console command to get token 2018-09-06 17:33:15 +00:00			`}`
add basic authentication 2018-09-06 15:30:06 +00:00
Don't send token in request body. Instead, we want to hash a header to sign a request with a client nonce, http method and URL. This is a first step towards protecting the backend against eavesdropping. Please note that this will still be susceptible to replay attacks. 2018-10-16 16:48:51 +00:00			`generateRequestHash(req) {`
			`let cnonce = req.headers['x-embark-cnonce'];`
			`let hash = new keccak();`
			`hash.update(cnonce);`
			`hash.update(this.authToken);`
			`hash.update(req.method);`
			`hash.update(req.url);`
			`return hash.digest('hex');`
			`}`

add console command to get token 2018-09-06 17:33:15 +00:00			`registerCalls() {`
Don't send token in request body. Instead, we want to hash a header to sign a request with a client nonce, http method and URL. This is a first step towards protecting the backend against eavesdropping. Please note that this will still be susceptible to replay attacks. 2018-10-16 16:48:51 +00:00			`let self = this;`

add console command to get token 2018-09-06 17:33:15 +00:00			`this.embark.registerAPICall(`
add basic authentication 2018-09-06 15:30:06 +00:00			`'post',`
Add ability to logout 2018-09-19 14:59:01 +00:00			`'/embark-api/authenticate',`
add basic authentication 2018-09-06 15:30:06 +00:00			`(req, res) => {`
Don't send token in request body. Instead, we want to hash a header to sign a request with a client nonce, http method and URL. This is a first step towards protecting the backend against eavesdropping. Please note that this will still be susceptible to replay attacks. 2018-10-16 16:48:51 +00:00			`let hash = self.generateRequestHash(req);`
			`if(hash !== req.headers['x-embark-request-hash']) {`
Add ability to logout 2018-09-19 14:59:01 +00:00			`this.logger.warn(__('Someone tried and failed to authenticate to the backend'));`
add console command to get token 2018-09-06 17:33:15 +00:00			`this.logger.warn(__('- User-Agent: %s', req.headers['user-agent']));`
			`this.logger.warn(__('- Referer: %s', req.headers.referer));`
authorize each request through header 2018-09-06 20:06:07 +00:00			`return res.send(ERROR_OBJ);`
add basic authentication 2018-09-06 15:30:06 +00:00			`}`
			`res.send();`
			`}`
			`);`
add console command to get token 2018-09-06 17:33:15 +00:00
			`this.embark.registerConsoleCommand((cmd, _options) => {`
			`return {`
			`match: () => cmd === "token",`
			`process: (callback) => {`
fix wording 2018-10-13 00:50:56 +00:00			callback(null, __('Your authentication token: %s \nYou can use the command `copytoken` to copy the authentication token to your clipboard', this.authToken));
add console command to get token 2018-09-06 17:33:15 +00:00			`}`
			`};`
			`});`
add copytoken command 2018-10-13 00:46:53 +00:00
			`this.embark.registerConsoleCommand((cmd, _options) => {`
			`return {`
			`match: () => cmd === "copytoken",`
			`process: (callback) => {`
			`utils.copyToClipboard(this.authToken)`
			`callback(null, __('Token copied to clipboard: %s', this.authToken));`
			`}`
			`};`
			`});`

add basic authentication 2018-09-06 15:30:06 +00:00			`}`
authorize each request through header 2018-09-06 20:06:07 +00:00
			`registerEvents() {`
Don't send token in request body. Instead, we want to hash a header to sign a request with a client nonce, http method and URL. This is a first step towards protecting the backend against eavesdropping. Please note that this will still be susceptible to replay attacks. 2018-10-16 16:48:51 +00:00			`let self = this;`

authorize each request through header 2018-09-06 20:06:07 +00:00			`this.events.once('outputDone', () => {`
use port and host from config 2018-09-07 14:46:51 +00:00			`const {port, host} = this.embark.config.webServerConfig;`
authorize each request through header 2018-09-06 20:06:07 +00:00			`this.logger.info(__('Access the web backend with the following url: %s',`
use port and host from config 2018-09-07 14:46:51 +00:00			(`http://${host}:${port}/embark?token=${this.authToken}`.underline)));
authorize each request through header 2018-09-06 20:06:07 +00:00			`});`

Change back how auth works for websockets. As it turns out, a websocket request doesn't contain some of the hashable properties in order to be validated. Because of that, we'll still use tokens here until we find a better way to do it. 2018-10-17 16:26:53 +00:00			`this.events.setCommandHandler('authenticator:authorize', (req, res, cb) => {`
			`let authenticated = false;`
			`if(!res.send) {`
			`authenticated = (this.authToken === req.protocol);`
			`} else {`
			`let hash = self.generateRequestHash(req);`
			`authenticated = (hash === req.headers['x-embark-request-hash']);`
authorize each request through header 2018-09-06 20:06:07 +00:00			`}`
Change back how auth works for websockets. As it turns out, a websocket request doesn't contain some of the hashable properties in order to be validated. Because of that, we'll still use tokens here until we find a better way to do it. 2018-10-17 16:26:53 +00:00
			`if(authenticated) return cb();`
			`cb(ERROR_OBJ);`
authorize each request through header 2018-09-06 20:06:07 +00:00			`});`
			`}`
add basic authentication 2018-09-06 15:30:06 +00:00			`}`

			`module.exports = Authenticator;`