drop.chapril.org-firefoxsend/server/middleware/auth.js

const assert = require('assert');
const crypto = require('crypto');
const storage = require('../storage');
const fxa = require('../fxa');

module.exports = {
  hmac: async function(req, res, next) {
    const id = req.params.id;
    const authHeader = req.header('Authorization');
    if (id && authHeader) {
      try {
        const auth = req.header('Authorization').split(' ')[1];
        const meta = await storage.metadata(id);
        if (!meta) {
          return res.sendStatus(404);
        }
        const hmac = crypto.createHmac(
          'sha256',
          Buffer.from(meta.auth, 'base64')
        );
        hmac.update(Buffer.from(meta.nonce, 'base64'));
        const verifyHash = hmac.digest();
        if (crypto.timingSafeEqual(verifyHash, Buffer.from(auth, 'base64'))) {
          req.nonce = crypto.randomBytes(16).toString('base64');
          storage.setField(id, 'nonce', req.nonce);
          res.set('WWW-Authenticate', `send-v1 ${req.nonce}`);
          req.authorized = true;
          req.meta = meta;
        } else {
          res.set('WWW-Authenticate', `send-v1 ${meta.nonce}`);
          req.authorized = false;
        }
      } catch (e) {
        req.authorized = false;
      }
    }
    if (req.authorized) {
      next();
    } else {
      res.sendStatus(401);
    }
  },
  owner: async function(req, res, next) {
    const id = req.params.id;
    const ownerToken = req.body.owner_token;
    if (id && ownerToken) {
      try {
        req.meta = await storage.metadata(id);
        if (!req.meta) {
          return res.sendStatus(404);
        }
        const metaOwner = Buffer.from(req.meta.owner, 'utf8');
        const owner = Buffer.from(ownerToken, 'utf8');
        assert(metaOwner.length > 0);
        assert(metaOwner.length === owner.length);
        req.authorized = crypto.timingSafeEqual(metaOwner, owner);
      } catch (e) {
        req.authorized = false;
      }
    }
    if (req.authorized) {
      next();
    } else {
      res.sendStatus(401);
    }
  },
  fxa: async function(req, res, next) {
    const authHeader = req.header('Authorization');
    if (authHeader && /^Bearer\s/i.test(authHeader)) {
      const token = authHeader.split(' ')[1];
      req.user = await fxa.verify(token);
    }
    return next();
  }
};
use crypto.timingSafeEqual in hmac and ownerToken authentication 2019-03-15 05:33:18 +01:00			`const assert = require('assert');`
refactored server 2018-02-06 23:31:18 +01:00			`const crypto = require('crypto');`
			`const storage = require('../storage');`
implemented PKCE auth (#921) * implemented PKCE auth * removed node-jose * added PKCE tests 2018-09-14 17:00:33 +02:00			`const fxa = require('../fxa');`
refactored server 2018-02-06 23:31:18 +01:00
Implemented FxA 2018-08-08 00:40:17 +02:00			`module.exports = {`
			`hmac: async function(req, res, next) {`
			`const id = req.params.id;`
			`const authHeader = req.header('Authorization');`
			`if (id && authHeader) {`
			`try {`
			`const auth = req.header('Authorization').split(' ')[1];`
			`const meta = await storage.metadata(id);`
			`if (!meta) {`
			`return res.sendStatus(404);`
			`}`
			`const hmac = crypto.createHmac(`
			`'sha256',`
			`Buffer.from(meta.auth, 'base64')`
			`);`
			`hmac.update(Buffer.from(meta.nonce, 'base64'));`
			`const verifyHash = hmac.digest();`
use crypto.timingSafeEqual in hmac and ownerToken authentication 2019-03-15 05:33:18 +01:00			`if (crypto.timingSafeEqual(verifyHash, Buffer.from(auth, 'base64'))) {`
Implemented FxA 2018-08-08 00:40:17 +02:00			`req.nonce = crypto.randomBytes(16).toString('base64');`
			`storage.setField(id, 'nonce', req.nonce);`
			res.set('WWW-Authenticate', `send-v1 ${req.nonce}`);
			`req.authorized = true;`
			`req.meta = meta;`
			`} else {`
			res.set('WWW-Authenticate', `send-v1 ${meta.nonce}`);
			`req.authorized = false;`
			`}`
			`} catch (e) {`
			`req.authorized = false;`
refactored server 2018-02-06 23:31:18 +01:00			`}`
Implemented FxA 2018-08-08 00:40:17 +02:00			`}`
			`if (req.authorized) {`
			`next();`
			`} else {`
			`res.sendStatus(401);`
			`}`
			`},`
			`owner: async function(req, res, next) {`
			`const id = req.params.id;`
			`const ownerToken = req.body.owner_token;`
			`if (id && ownerToken) {`
			`try {`
			`req.meta = await storage.metadata(id);`
			`if (!req.meta) {`
			`return res.sendStatus(404);`
			`}`
use crypto.timingSafeEqual in hmac and ownerToken authentication 2019-03-15 05:33:18 +01:00			`const metaOwner = Buffer.from(req.meta.owner, 'utf8');`
			`const owner = Buffer.from(ownerToken, 'utf8');`
			`assert(metaOwner.length > 0);`
			`assert(metaOwner.length === owner.length);`
			`req.authorized = crypto.timingSafeEqual(metaOwner, owner);`
Implemented FxA 2018-08-08 00:40:17 +02:00			`} catch (e) {`
refactored server 2018-02-06 23:31:18 +01:00			`req.authorized = false;`
			`}`
			`}`
Implemented FxA 2018-08-08 00:40:17 +02:00			`if (req.authorized) {`
			`next();`
			`} else {`
			`res.sendStatus(401);`
			`}`
			`},`
			`fxa: async function(req, res, next) {`
			`const authHeader = req.header('Authorization');`
			`if (authHeader && /^Bearer\s/i.test(authHeader)) {`
			`const token = authHeader.split(' ')[1];`
			`req.user = await fxa.verify(token);`
			`}`
			`return next();`
refactored server 2018-02-06 23:31:18 +01:00			`}`
			`};`