hostr/api/lib/auth.js

import passwords from 'passwords';
import auth from 'basic-auth';
import debugname from 'debug';

import models from '../../models';

const debug = debugname('hostr-api:auth');

const badLoginMsg = '{"error": {"message": "Incorrect login details.", "code": 607}}';

export default async (ctx, next) => {
  let user = false;
  const remoteIp = ctx.req.headers['x-forwarded-for'] || ctx.req.connection.remoteAddress;
  const login = await models.login.create({
    ip: remoteIp.split(',')[0],
    successful: false,
  });
  if (ctx.req.headers.authorization && ctx.req.headers.authorization[0] === ':') {
    debug('Logging in with token');
    const userToken = await ctx.redis.get(ctx.req.headers.authorization.substr(1));
    ctx.assert(userToken, 401, '{"error": {"message": "Invalid token.", "code": 606}}');
    debug('Token found');
    user = await models.user.findByPk(userToken);
    if (!user) {
      login.save();
      return;
    }
  } else {
    const authUser = auth(ctx);
    ctx.assert(authUser, 401, badLoginMsg);
    const count = await models.login.count({
      where: {
        ip: remoteIp.split(',')[0],
        successful: false,
        createdAt: {
          $gt: new Date(Date.now() - 600000),
        },
      },
    });

    ctx.assert(
      count < 25, 401,
      '{"error": {"message": "Too many incorrect logins.", "code": 608}}',
    );

    user = await models.user.findOne({
      where: {
        email: authUser.name,
        activated: true,
      },
    });

    if (!user || !(await passwords.match(authUser.pass, user.password))) {
      login.save();
      ctx.throw(401, badLoginMsg);
      return;
    }
  }
  debug('Checking user');
  ctx.assert(user, 401, badLoginMsg);
  debug('Checking user is activated');
  debug(user.activated);
  ctx.assert(
    user.activated === true, 401,
    '{"error": {"message": "Account has not been activated.", "code": 603}}',
  );

  login.successful = true;
  await login.save();

  const uploadedTotal = await models.file.count({
    where: {
      userId: user.id,
    },
  });
  const uploadedToday = await models.file.count({
    where: {
      userId: user.id,
      createdAt: {
        $gt: Date.now() - 86400000,
      },
    },
  });

  const normalisedUser = {
    id: user.id,
    email: user.email,
    daily_upload_allowance: user.plan === 'Pro' ? 'unlimited' : 15,
    file_count: uploadedTotal,
    max_filesize: user.plan === 'Pro' ? 524288000 : 20971520,
    plan: user.plan,
    uploads_today: uploadedToday,
  };
  ctx.response.set(
    'Daily-Uploads-Remaining',
    user.type === 'Pro' ? 'unlimited' : 15 - uploadedToday,
  );
  ctx.user = normalisedUser;
  debug('Authenticated user: ', ctx.user.email);
  await next();
};
Initial commit. 2015-07-09 23:01:43 +01:00			`import passwords from 'passwords';`
			`import auth from 'basic-auth';`
			`import debugname from 'debug';`
Fix linting 2018-06-02 18:07:00 +00:00
			`import models from '../../models';`

Initial commit. 2015-07-09 23:01:43 +01:00			`const debug = debugname('hostr-api:auth');`

			`const badLoginMsg = '{"error": {"message": "Incorrect login details.", "code": 607}}';`

Update stuff 2018-06-02 15:50:39 +00:00			`export default async (ctx, next) => {`
Initial commit. 2015-07-09 23:01:43 +01:00			`let user = false;`
Update stuff 2018-06-02 15:50:39 +00:00			`const remoteIp = ctx.req.headers['x-forwarded-for'] \|\| ctx.req.connection.remoteAddress;`
			`const login = await models.login.create({`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`ip: remoteIp.split(',')[0],`
Postgres. 2016-06-19 10:14:47 -07:00			`successful: false,`
			`});`
Update stuff 2018-06-02 15:50:39 +00:00			`if (ctx.req.headers.authorization && ctx.req.headers.authorization[0] === ':') {`
Initial commit. 2015-07-09 23:01:43 +01:00			`debug('Logging in with token');`
Update stuff 2018-06-02 15:50:39 +00:00			`const userToken = await ctx.redis.get(ctx.req.headers.authorization.substr(1));`
			`ctx.assert(userToken, 401, '{"error": {"message": "Invalid token.", "code": 606}}');`
Initial commit. 2015-07-09 23:01:43 +01:00			`debug('Token found');`
Update dependencies 2019-06-08 07:52:57 -07:00			`user = await models.user.findByPk(userToken);`
Postgres. 2016-06-19 10:14:47 -07:00			`if (!user) {`
			`login.save();`
			`return;`
			`}`
Initial commit. 2015-07-09 23:01:43 +01:00			`} else {`
Update stuff 2018-06-02 15:50:39 +00:00			`const authUser = auth(ctx);`
			`ctx.assert(authUser, 401, badLoginMsg);`
			`const count = await models.login.count({`
Postgres. 2016-06-19 10:14:47 -07:00			`where: {`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`ip: remoteIp.split(',')[0],`
Postgres. 2016-06-19 10:14:47 -07:00			`successful: false,`
			`createdAt: {`
More changes for db migration 2016-08-07 14:38:05 +01:00			`$gt: new Date(Date.now() - 600000),`
Postgres. 2016-06-19 10:14:47 -07:00			`},`
			`},`
Get linting passing again 2016-06-06 15:37:00 +01:00			`});`
Postgres. 2016-06-19 10:14:47 -07:00
Fix linting 2018-06-02 18:07:00 +00:00			`ctx.assert(`
			`count < 25, 401,`
			`'{"error": {"message": "Too many incorrect logins.", "code": 608}}',`
			`);`
Initial commit. 2015-07-09 23:01:43 +01:00
Update stuff 2018-06-02 15:50:39 +00:00			`user = await models.user.findOne({`
Postgres. 2016-06-19 10:14:47 -07:00			`where: {`
			`email: authUser.name,`
			`activated: true,`
			`},`
Get linting passing again 2016-06-06 15:37:00 +01:00			`});`
Postgres. 2016-06-19 10:14:47 -07:00
Update stuff 2018-06-02 15:50:39 +00:00			`if (!user \|\| !(await passwords.match(authUser.pass, user.password))) {`
Postgres. 2016-06-19 10:14:47 -07:00			`login.save();`
Update stuff 2018-06-02 15:50:39 +00:00			`ctx.throw(401, badLoginMsg);`
Postgres. 2016-06-19 10:14:47 -07:00			`return;`
			`}`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`
			`debug('Checking user');`
Update stuff 2018-06-02 15:50:39 +00:00			`ctx.assert(user, 401, badLoginMsg);`
Initial commit. 2015-07-09 23:01:43 +01:00			`debug('Checking user is activated');`
Postgres. 2016-06-19 10:14:47 -07:00			`debug(user.activated);`
Fix linting 2018-06-02 18:07:00 +00:00			`ctx.assert(`
			`user.activated === true, 401,`
			`'{"error": {"message": "Account has not been activated.", "code": 603}}',`
			`);`
Initial commit. 2015-07-09 23:01:43 +01:00
Postgres. 2016-06-19 10:14:47 -07:00			`login.successful = true;`
Update stuff 2018-06-02 15:50:39 +00:00			`await login.save();`
Postgres. 2016-06-19 10:14:47 -07:00
Update stuff 2018-06-02 15:50:39 +00:00			`const uploadedTotal = await models.file.count({`
Postgres. 2016-06-19 10:14:47 -07:00			`where: {`
			`userId: user.id,`
			`},`
			`});`
Update stuff 2018-06-02 15:50:39 +00:00			`const uploadedToday = await models.file.count({`
Postgres. 2016-06-19 10:14:47 -07:00			`where: {`
			`userId: user.id,`
			`createdAt: {`
More changes for db migration 2016-08-07 14:38:05 +01:00			`$gt: Date.now() - 86400000,`
Postgres. 2016-06-19 10:14:47 -07:00			`},`
			`},`
Get linting passing again 2016-06-06 15:37:00 +01:00			`});`
Initial commit. 2015-07-09 23:01:43 +01:00
			`const normalisedUser = {`
Postgres. 2016-06-19 10:14:47 -07:00			`id: user.id,`
Get linting passing again 2016-06-06 15:37:00 +01:00			`email: user.email,`
Postgres. 2016-06-19 10:14:47 -07:00			`daily_upload_allowance: user.plan === 'Pro' ? 'unlimited' : 15,`
Get linting passing again 2016-06-06 15:37:00 +01:00			`file_count: uploadedTotal,`
Postgres. 2016-06-19 10:14:47 -07:00			`max_filesize: user.plan === 'Pro' ? 524288000 : 20971520,`
			`plan: user.plan,`
Get linting passing again 2016-06-06 15:37:00 +01:00			`uploads_today: uploadedToday,`
Initial commit. 2015-07-09 23:01:43 +01:00			`};`
Fix linting 2018-06-02 18:07:00 +00:00			`ctx.response.set(`
			`'Daily-Uploads-Remaining',`
			`user.type === 'Pro' ? 'unlimited' : 15 - uploadedToday,`
			`);`
Update stuff 2018-06-02 15:50:39 +00:00			`ctx.user = normalisedUser;`
			`debug('Authenticated user: ', ctx.user.email);`
			`await next();`
Fix linting 2018-06-02 18:07:00 +00:00			`};`