CHAI
/
chtech-anythingllm
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
235 MiB
Tree: 07a3eafb13
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '07a3eafb13'
${ noResults }
chtech-anythingllm/server/utils/middleware/validatedRequest.js

111 lines
2.9 KiB
Raw Normal View History

first commit
11 months ago
  1. const { SystemSettings } = require("../../models/systemSettings");
  2. const { User } = require("../../models/user");
  3. const { EncryptionManager } = require("../EncryptionManager");
  4. const { decodeJWT } = require("../http");
  5. const EncryptionMgr = new EncryptionManager();
  7. async function validatedRequest(request, response, next) {
  8. const multiUserMode = await SystemSettings.isMultiUserMode();
  9. response.locals.multiUserMode = multiUserMode;
  10. if (multiUserMode)
  11. return await validateMultiUserRequest(request, response, next);
  13. // When in development passthrough auth token for ease of development.
  14. // Or if the user simply did not set an Auth token or JWT Secret
  15. if (
  16. process.env.NODE_ENV === "development" ||
  17. !process.env.AUTH_TOKEN ||
  18. !process.env.JWT_SECRET
  19. ) {
  20. next();
  21. return;
  22. }
  24. if (!process.env.AUTH_TOKEN) {
  25. response.status(401).json({
  26. error: "You need to set an AUTH_TOKEN environment variable.",
  27. });
  28. return;
  29. }
  31. const auth = request.header("Authorization");
  32. const token = auth ? auth.split(" ")[1] : null;
  34. if (!token) {
  35. response.status(401).json({
  36. error: "No auth token found.",
  37. });
  38. return;
  39. }
  41. const bcrypt = require("bcrypt");
  42. const { p } = decodeJWT(token);
  44. if (p === null || !/\w{32}:\w{32}/.test(p)) {
  45. response.status(401).json({
  46. error: "Token expired or failed validation.",
  47. });
  48. return;
  49. }
  51. // Since the blame of this comment we have been encrypting the `p` property of JWTs with the persistent
  52. // encryptionManager PEM's. This prevents us from storing the `p` unencrypted in the JWT itself, which could
  53. // be unsafe. As a consequence, existing JWTs with invalid `p` values that do not match the regex
  54. // in ln:44 will be marked invalid so they can be logged out and forced to log back in and obtain an encrypted token.
  55. // This kind of methodology only applies to single-user password mode.
  56. if (
  57. !bcrypt.compareSync(
  58. EncryptionMgr.decrypt(p),
  59. bcrypt.hashSync(process.env.AUTH_TOKEN, 10)
  60. )
  61. ) {
  62. response.status(401).json({
  63. error: "Invalid auth credentials.",
  64. });
  65. return;
  66. }
  68. next();
  69. }
  71. async function validateMultiUserRequest(request, response, next) {
  72. const auth = request.header("Authorization");
  73. const token = auth ? auth.split(" ")[1] : null;
  75. if (!token) {
  76. response.status(401).json({
  77. error: "No auth token found.",
  78. });
  79. return;
  80. }
  82. const valid = decodeJWT(token);
  83. if (!valid || !valid.id) {
  84. response.status(401).json({
  85. error: "Invalid auth token.",
  86. });
  87. return;
  88. }
  90. const user = await User.get({ id: valid.id });
  91. if (!user) {
  92. response.status(401).json({
  93. error: "Invalid auth for user.",
  94. });
  95. return;
  96. }
  98. if (user.suspended) {
  99. response.status(401).json({
  100. error: "User is suspended from system",
  101. });
  102. return;
  103. }
  105. response.locals.user = user;
  106. next();
  107. }
  109. module.exports = {
  110. validatedRequest,
  111. };