|
|
|
import _ from 'lodash-es'
|
|
|
|
import { generateError, generateSuccess } from '../../helpers/graph.mjs'
|
|
|
|
import jwt from 'jsonwebtoken'
|
|
|
|
import ms from 'ms'
|
|
|
|
import { DateTime } from 'luxon'
|
|
|
|
import base64 from '@hexagon/base64'
|
|
|
|
import {
|
|
|
|
generateRegistrationOptions,
|
|
|
|
verifyRegistrationResponse,
|
|
|
|
generateAuthenticationOptions,
|
|
|
|
verifyAuthenticationResponse
|
|
|
|
} from '@simplewebauthn/server'
|
|
|
|
|
|
|
|
export default {
|
|
|
|
Query: {
|
|
|
|
/**
|
|
|
|
* List of API Keys
|
|
|
|
*/
|
|
|
|
async apiKeys (obj, args, context) {
|
|
|
|
if (!WIKI.auth.checkAccess(context.req.user, ['read:api', 'manage:api'])) {
|
|
|
|
throw new Error('ERR_FORBIDDEN')
|
|
|
|
}
|
|
|
|
|
|
|
|
const keys = await WIKI.db.apiKeys.query().orderBy(['isRevoked', 'name'])
|
|
|
|
return keys.map(k => ({
|
|
|
|
id: k.id,
|
|
|
|
name: k.name,
|
|
|
|
keyShort: '...' + k.key.substring(k.key.length - 20),
|
|
|
|
isRevoked: k.isRevoked,
|
|
|
|
expiration: k.expiration,
|
|
|
|
createdAt: k.createdAt,
|
|
|
|
updatedAt: k.updatedAt
|
|
|
|
}))
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Current API State
|
|
|
|
*/
|
|
|
|
apiState (obj, args, context) {
|
|
|
|
if (!WIKI.auth.checkAccess(context.req.user, ['read:api', 'manage:api', 'read:dashboard'])) {
|
|
|
|
throw new Error('ERR_FORBIDDEN')
|
|
|
|
}
|
|
|
|
|
|
|
|
return WIKI.config.api.isEnabled
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Fetch authentication strategies
|
|
|
|
*/
|
|
|
|
async authStrategies () {
|
|
|
|
return WIKI.data.authentication.map(stg => ({
|
|
|
|
...stg,
|
|
|
|
isAvailable: stg.isAvailable === true
|
|
|
|
}))
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Fetch active authentication strategies
|
|
|
|
*/
|
|
|
|
async authActiveStrategies (obj, args, context) {
|
|
|
|
const strategies = await WIKI.db.authentication.getStrategies({ enabledOnly: args.enabledOnly })
|
|
|
|
return strategies.map(a => {
|
|
|
|
const str = _.find(WIKI.data.authentication, ['key', a.module]) || {}
|
|
|
|
return {
|
|
|
|
...a,
|
|
|
|
config: _.transform(str.props, (r, v, k) => {
|
|
|
|
r[k] = v.sensitive ? '********' : a.config[k]
|
|
|
|
}, {})
|
|
|
|
}
|
|
|
|
})
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Fetch site authentication strategies
|
|
|
|
*/
|
|
|
|
async authSiteStrategies (obj, args, context, info) {
|
|
|
|
const site = await WIKI.db.sites.query().findById(args.siteId)
|
|
|
|
const activeStrategies = await WIKI.db.authentication.getStrategies({ enabledOnly: true })
|
|
|
|
const siteStrategies = _.sortBy(activeStrategies.map(str => {
|
|
|
|
const siteAuth = _.find(site.config.authStrategies, ['id', str.id]) || {}
|
|
|
|
return {
|
|
|
|
id: str.id,
|
|
|
|
activeStrategy: str,
|
|
|
|
order: siteAuth.order ?? 0,
|
|
|
|
isVisible: siteAuth.isVisible ?? false
|
|
|
|
}
|
|
|
|
}), ['order'])
|
|
|
|
return args.visibleOnly ? siteStrategies.filter(s => s.isVisible) : siteStrategies
|
|
|
|
}
|
|
|
|
},
|
|
|
|
Mutation: {
|
|
|
|
/**
|
|
|
|
* Create New API Key
|
|
|
|
*/
|
|
|
|
async createApiKey (obj, args, context) {
|
|
|
|
try {
|
|
|
|
if (!WIKI.auth.checkAccess(context.req.user, ['manage:api'])) {
|
|
|
|
throw new Error('ERR_FORBIDDEN')
|
|
|
|
}
|
|
|
|
|
|
|
|
const key = await WIKI.db.apiKeys.createNewKey(args)
|
|
|
|
await WIKI.auth.reloadApiKeys()
|
|
|
|
WIKI.events.outbound.emit('reloadApiKeys')
|
|
|
|
return {
|
|
|
|
key,
|
|
|
|
operation: generateSuccess('API Key created successfully')
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
WIKI.logger.warn(err)
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Perform Login
|
|
|
|
*/
|
|
|
|
async login (obj, args, context) {
|
|
|
|
try {
|
|
|
|
const authResult = await WIKI.db.users.login(args, context)
|
|
|
|
return {
|
|
|
|
...authResult,
|
|
|
|
operation: generateSuccess('Login success')
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
// LDAP Debug Flag
|
|
|
|
if (args.strategy === 'ldap' && WIKI.config.flags.ldapdebug) {
|
|
|
|
WIKI.logger.warn('LDAP LOGIN ERROR (c1): ', err)
|
|
|
|
}
|
|
|
|
WIKI.logger.debug(err)
|
|
|
|
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Perform 2FA Login
|
|
|
|
*/
|
|
|
|
async loginTFA (obj, args, context) {
|
|
|
|
try {
|
|
|
|
const authResult = await WIKI.db.users.loginTFA(args, context)
|
|
|
|
return {
|
|
|
|
...authResult,
|
|
|
|
operation: generateSuccess('TFA success')
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
WIKI.logger.debug(err)
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Setup TFA
|
|
|
|
*/
|
|
|
|
async setupTFA (obj, args, context) {
|
|
|
|
try {
|
|
|
|
const userId = context.req.user?.id
|
|
|
|
if (!userId) {
|
|
|
|
throw new Error('ERR_NOT_AUTHENTICATED')
|
|
|
|
}
|
|
|
|
|
|
|
|
const usr = await WIKI.db.users.query().findById(userId)
|
|
|
|
if (!usr) {
|
|
|
|
throw new Error('ERR_INVALID_USER')
|
|
|
|
}
|
|
|
|
|
|
|
|
const str = WIKI.auth.strategies[args.strategyId]
|
|
|
|
if (!str) {
|
|
|
|
throw new Error('ERR_INVALID_STRATEGY')
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!usr.auth[args.strategyId]) {
|
|
|
|
throw new Error('ERR_INVALID_STRATEGY')
|
|
|
|
}
|
|
|
|
|
|
|
|
if (usr.auth[args.strategyId].tfaIsActive) {
|
|
|
|
throw new Error('ERR_TFA_ALREADY_ACTIVE')
|
|
|
|
}
|
|
|
|
|
|
|
|
const tfaQRImage = await usr.generateTFA(args.strategyId, args.siteId)
|
|
|
|
const tfaToken = await WIKI.db.userKeys.generateToken({
|
|
|
|
kind: 'tfaSetup',
|
|
|
|
userId: usr.id,
|
|
|
|
meta: {
|
|
|
|
strategyId: args.strategyId
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
return {
|
|
|
|
operation: generateSuccess('TFA setup started'),
|
|
|
|
continuationToken: tfaToken,
|
|
|
|
tfaQRImage
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Deactivate 2FA
|
|
|
|
*/
|
|
|
|
async deactivateTFA (obj, args, context) {
|
|
|
|
try {
|
|
|
|
const userId = context.req.user?.id
|
|
|
|
if (!userId) {
|
|
|
|
throw new Error('ERR_NOT_AUTHENTICATED')
|
|
|
|
}
|
|
|
|
|
|
|
|
const usr = await WIKI.db.users.query().findById(userId)
|
|
|
|
if (!usr) {
|
|
|
|
throw new Error('ERR_INVALID_USER')
|
|
|
|
}
|
|
|
|
|
|
|
|
const str = WIKI.auth.strategies[args.strategyId]
|
|
|
|
if (!str) {
|
|
|
|
throw new Error('ERR_INVALID_STRATEGY')
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!usr.auth[args.strategyId]) {
|
|
|
|
throw new Error('ERR_INVALID_STRATEGY')
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!usr.auth[args.strategyId].tfaIsActive) {
|
|
|
|
throw new Error('ERR_TFA_NOT_ACTIVE')
|
|
|
|
}
|
|
|
|
|
|
|
|
usr.auth[args.strategyId].tfaIsActive = false
|
|
|
|
usr.auth[args.strategyId].tfaSecret = null
|
|
|
|
|
|
|
|
await usr.$query().patch({
|
|
|
|
auth: usr.auth
|
|
|
|
})
|
|
|
|
|
|
|
|
return {
|
|
|
|
operation: generateSuccess('TFA deactivated successfully.')
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Setup Passkey
|
|
|
|
*/
|
|
|
|
async setupPasskey (obj, args, context) {
|
|
|
|
try {
|
|
|
|
const userId = context.req.user?.id
|
|
|
|
if (!userId) {
|
|
|
|
throw new Error('ERR_NOT_AUTHENTICATED')
|
|
|
|
}
|
|
|
|
|
|
|
|
const usr = await WIKI.db.users.query().findById(userId)
|
|
|
|
if (!usr) {
|
|
|
|
throw new Error('ERR_INVALID_USER')
|
|
|
|
}
|
|
|
|
|
|
|
|
const site = WIKI.sites[args.siteId]
|
|
|
|
if (!site) {
|
|
|
|
throw new Error('ERR_INVALID_SITE')
|
|
|
|
} else if (site.hostname === '*') {
|
|
|
|
WIKI.logger.warn('Cannot use passkeys with a wildcard site hostname. Enter a valid hostname under the Administration Area > General.')
|
|
|
|
throw new Error('ERR_PK_HOSTNAME_MISSING')
|
|
|
|
}
|
|
|
|
|
|
|
|
const options = await generateRegistrationOptions({
|
|
|
|
rpName: site.config.title,
|
|
|
|
rpId: site.hostname,
|
|
|
|
userID: usr.id,
|
|
|
|
userName: usr.email,
|
|
|
|
userDisplayName: usr.name,
|
|
|
|
attestationType: 'none',
|
|
|
|
authenticatorSelection: {
|
|
|
|
residentKey: 'required',
|
|
|
|
userVerification: 'preferred'
|
|
|
|
},
|
|
|
|
excludeCredentials: usr.passkeys.authenticators?.map(authenticator => ({
|
|
|
|
id: new Uint8Array(authenticator.credentialID),
|
|
|
|
type: 'public-key',
|
|
|
|
transports: authenticator.transports
|
|
|
|
})) ?? []
|
|
|
|
})
|
|
|
|
|
|
|
|
usr.passkeys.reg = {
|
|
|
|
challenge: options.challenge,
|
|
|
|
rpId: site.hostname,
|
|
|
|
siteId: site.id
|
|
|
|
}
|
|
|
|
|
|
|
|
await usr.$query().patch({
|
|
|
|
passkeys: usr.passkeys
|
|
|
|
})
|
|
|
|
|
|
|
|
return {
|
|
|
|
operation: generateSuccess('Passkey registration options generated successfully.'),
|
|
|
|
registrationOptions: options
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Finalize Passkey Registration
|
|
|
|
*/
|
|
|
|
async finalizePasskey (obj, args, context) {
|
|
|
|
try {
|
|
|
|
const userId = context.req.user?.id
|
|
|
|
if (!userId) {
|
|
|
|
throw new Error('ERR_NOT_AUTHENTICATED')
|
|
|
|
}
|
|
|
|
|
|
|
|
const usr = await WIKI.db.users.query().findById(userId)
|
|
|
|
if (!usr) {
|
|
|
|
throw new Error('ERR_INVALID_USER')
|
|
|
|
} else if (!usr.passkeys?.reg) {
|
|
|
|
throw new Error('ERR_PASSKEY_NOT_SETUP')
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!args.name || args.name.trim().length < 1 || args.name.length > 255) {
|
|
|
|
throw new Error('ERR_PK_NAME_MISSING_OR_INVALID')
|
|
|
|
}
|
|
|
|
|
|
|
|
const verification = await verifyRegistrationResponse({
|
|
|
|
response: args.registrationResponse,
|
|
|
|
expectedChallenge: usr.passkeys.reg.challenge,
|
|
|
|
expectedOrigin: `https://${usr.passkeys.reg.rpId}`,
|
|
|
|
expectedRPID: usr.passkeys.reg.rpId,
|
|
|
|
requireUserVerification: true
|
|
|
|
})
|
|
|
|
|
|
|
|
if (!verification.verified) {
|
|
|
|
throw new Error('ERR_PK_VERIFICATION_FAILED')
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!usr.passkeys.authenticators) {
|
|
|
|
usr.passkeys.authenticators = []
|
|
|
|
}
|
|
|
|
usr.passkeys.authenticators.push({
|
|
|
|
...verification.registrationInfo,
|
|
|
|
id: base64.fromArrayBuffer(verification.registrationInfo.credentialID, true),
|
|
|
|
createdAt: new Date(),
|
|
|
|
name: args.name,
|
|
|
|
siteId: usr.passkeys.reg.siteId,
|
|
|
|
transports: args.registrationResponse.response.transports
|
|
|
|
})
|
|
|
|
|
|
|
|
delete usr.passkeys.reg
|
|
|
|
|
|
|
|
await usr.$query().patch({
|
|
|
|
passkeys: JSON.stringify(usr.passkeys, (k, v) => {
|
|
|
|
if (v instanceof Uint8Array) {
|
|
|
|
return Array.apply([], v)
|
|
|
|
}
|
|
|
|
return v
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
return {
|
|
|
|
operation: generateSuccess('Passkey registered successfully.')
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Deactivate a passkey
|
|
|
|
*/
|
|
|
|
async deactivatePasskey (obj, args, context) {
|
|
|
|
try {
|
|
|
|
const userId = context.req.user?.id
|
|
|
|
if (!userId) {
|
|
|
|
throw new Error('ERR_NOT_AUTHENTICATED')
|
|
|
|
}
|
|
|
|
|
|
|
|
const usr = await WIKI.db.users.query().findById(userId)
|
|
|
|
if (!usr) {
|
|
|
|
throw new Error('ERR_INVALID_USER')
|
|
|
|
} else if (!usr.passkeys?.authenticators) {
|
|
|
|
throw new Error('ERR_PASSKEY_NOT_SETUP')
|
|
|
|
}
|
|
|
|
|
|
|
|
usr.passkeys.authenticators = usr.passkeys.authenticators.filter(a => a.id !== args.id)
|
|
|
|
|
|
|
|
await usr.$query().patch({
|
|
|
|
passkeys: usr.passkeys
|
|
|
|
})
|
|
|
|
|
|
|
|
return {
|
|
|
|
operation: generateSuccess('Passkey deactivated successfully.')
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Login via passkey - Generate challenge
|
|
|
|
*/
|
|
|
|
async authenticatePasskeyGenerate (obj, args, context) {
|
|
|
|
try {
|
|
|
|
const site = WIKI.sites[args.siteId]
|
|
|
|
if (!site) {
|
|
|
|
throw new Error('ERR_INVALID_SITE')
|
|
|
|
} else if (site.hostname === '*') {
|
|
|
|
WIKI.logger.warn('Cannot use passkeys with a wildcard site hostname. Enter a valid hostname under the Administration Area > General.')
|
|
|
|
throw new Error('ERR_PK_HOSTNAME_MISSING')
|
|
|
|
}
|
|
|
|
|
|
|
|
const usr = await WIKI.db.users.query().findOne({ email: args.email })
|
|
|
|
if (!usr || !usr.passkeys?.authenticators) {
|
|
|
|
// Fake success response to prevent email leaking
|
|
|
|
WIKI.logger.debug(`Cannot generate passkey challenge for ${args.email}... (non-existing or missing passkeys setup)`)
|
|
|
|
return {
|
|
|
|
operation: generateSuccess('Passkey challenge generated.'),
|
|
|
|
authOptions: await generateAuthenticationOptions({
|
|
|
|
allowCredentials: [{
|
|
|
|
id: new Uint8Array(Array(30).map(v => _.random(0, 254))),
|
|
|
|
type: 'public-key',
|
|
|
|
transports: ['internal']
|
|
|
|
}],
|
|
|
|
userVerification: 'preferred',
|
|
|
|
rpId: site.hostname
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
const options = await generateAuthenticationOptions({
|
|
|
|
allowCredentials: usr.passkeys.authenticators.map(authenticator => ({
|
|
|
|
id: new Uint8Array(authenticator.credentialID),
|
|
|
|
type: 'public-key',
|
|
|
|
transports: authenticator.transports
|
|
|
|
})),
|
|
|
|
userVerification: 'preferred',
|
|
|
|
rpId: site.hostname
|
|
|
|
})
|
|
|
|
|
|
|
|
usr.passkeys.login = {
|
|
|
|
challenge: options.challenge,
|
|
|
|
rpId: site.hostname,
|
|
|
|
siteId: site.id
|
|
|
|
}
|
|
|
|
|
|
|
|
await usr.$query().patch({
|
|
|
|
passkeys: usr.passkeys
|
|
|
|
})
|
|
|
|
|
|
|
|
return {
|
|
|
|
operation: generateSuccess('Passkey challenge generated.'),
|
|
|
|
authOptions: options
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Login via passkey - Verify challenge
|
|
|
|
*/
|
|
|
|
async authenticatePasskeyVerify (obj, args, context) {
|
|
|
|
try {
|
|
|
|
if (!args.authResponse?.response?.userHandle) {
|
|
|
|
throw new Error('ERR_INVALID_PASSKEY_RESPONSE')
|
|
|
|
}
|
|
|
|
const usr = await WIKI.db.users.query().findById(args.authResponse.response.userHandle)
|
|
|
|
if (!usr) {
|
|
|
|
WIKI.logger.debug(`Passkey Login Failure: Cannot find user ${args.authResponse.response.userHandle}`)
|
|
|
|
throw new Error('ERR_LOGIN_FAILED')
|
|
|
|
} else if (!usr.passkeys?.login) {
|
|
|
|
WIKI.logger.debug(`Passkey Login Failure: Missing login auth generation step for user ${args.authResponse.response.userHandle}`)
|
|
|
|
throw new Error('ERR_LOGIN_FAILED')
|
|
|
|
} else if (!usr.passkeys.authenticators?.some(a => a.id === args.authResponse.id)) {
|
|
|
|
WIKI.logger.debug(`Passkey Login Failure: Authenticator provided is not registered for user ${args.authResponse.response.userHandle}`)
|
|
|
|
throw new Error('ERR_LOGIN_FAILED')
|
|
|
|
}
|
|
|
|
|
|
|
|
const verification = await verifyAuthenticationResponse({
|
|
|
|
response: args.authResponse,
|
|
|
|
expectedChallenge: usr.passkeys.login.challenge,
|
|
|
|
expectedOrigin: `https://${usr.passkeys.login.rpId}`,
|
|
|
|
expectedRPID: usr.passkeys.login.rpId,
|
|
|
|
requireUserVerification: true,
|
|
|
|
authenticator: _.find(usr.passkeys.authenticators, ['id', args.authResponse.id])
|
|
|
|
})
|
|
|
|
|
|
|
|
if (!verification.verified) {
|
|
|
|
WIKI.logger.debug(`Passkey Login Failure: Challenge verification failed for user ${args.authResponse.response.userHandle}`)
|
|
|
|
throw new Error('ERR_LOGIN_FAILED')
|
|
|
|
}
|
|
|
|
|
|
|
|
delete usr.passkeys.login
|
|
|
|
|
|
|
|
await usr.$query().patch({
|
|
|
|
passkeys: usr.passkeys
|
|
|
|
})
|
|
|
|
|
|
|
|
const jwtToken = await WIKI.db.users.refreshToken(usr)
|
|
|
|
|
|
|
|
return {
|
|
|
|
operation: generateSuccess('Passkey challenge accepted.'),
|
|
|
|
nextAction: 'redirect',
|
|
|
|
jwt: jwtToken.token,
|
|
|
|
redirect: '/'
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Perform Password Change
|
|
|
|
*/
|
|
|
|
async changePassword (obj, args, context) {
|
|
|
|
try {
|
|
|
|
if (args.continuationToken) {
|
|
|
|
const authResult = await WIKI.db.users.loginChangePassword(args, context)
|
|
|
|
return {
|
|
|
|
...authResult,
|
|
|
|
operation: generateSuccess('Password set successfully')
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
await WIKI.db.users.changePassword(args, context)
|
|
|
|
return {
|
|
|
|
operation: generateSuccess('Password changed successfully')
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
WIKI.logger.debug(err)
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Perform Forget Password
|
|
|
|
*/
|
|
|
|
async forgotPassword (obj, args, context) {
|
|
|
|
try {
|
|
|
|
await WIKI.db.users.loginForgotPassword(args, context)
|
|
|
|
return {
|
|
|
|
operation: generateSuccess('Password reset request processed.')
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Register a new account
|
|
|
|
*/
|
|
|
|
async register (obj, args, context) {
|
|
|
|
try {
|
|
|
|
const usr = await WIKI.db.users.createNewUser({ ...args, userInitiated: true })
|
|
|
|
const authResult = await WIKI.db.users.afterLoginChecks(usr, WIKI.data.systemIds.localAuthId, context)
|
|
|
|
return {
|
|
|
|
...authResult,
|
|
|
|
operation: generateSuccess('Registration success')
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Refresh Token
|
|
|
|
*/
|
|
|
|
async refreshToken (obj, args, context) {
|
|
|
|
try {
|
|
|
|
let decoded = {}
|
|
|
|
if (!args.token) {
|
|
|
|
throw new Error('ERR_MISSING_TOKEN')
|
|
|
|
}
|
|
|
|
try {
|
|
|
|
decoded = jwt.verify(args.token, WIKI.config.auth.certs.public, {
|
|
|
|
audience: WIKI.config.auth.audience,
|
|
|
|
issuer: 'urn:wiki.js',
|
|
|
|
algorithms: ['RS256'],
|
|
|
|
ignoreExpiration: true
|
|
|
|
})
|
|
|
|
} catch (err) {
|
|
|
|
throw new Error('ERR_INVALID_TOKEN')
|
|
|
|
}
|
|
|
|
if (DateTime.utc().minus(ms(WIKI.config.auth.tokenRenewal)) > DateTime.fromSeconds(decoded.exp)) {
|
|
|
|
throw new Error('ERR_EXPIRED_TOKEN')
|
|
|
|
}
|
|
|
|
const newToken = await WIKI.db.users.refreshToken(decoded.id)
|
|
|
|
return {
|
|
|
|
jwt: newToken.token,
|
|
|
|
operation: generateSuccess('Token refreshed successfully')
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Set API state
|
|
|
|
*/
|
|
|
|
async setApiState (obj, args, context) {
|
|
|
|
try {
|
|
|
|
if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
|
|
|
|
throw new Error('ERR_FORBIDDEN')
|
|
|
|
}
|
|
|
|
|
|
|
|
WIKI.config.api.isEnabled = args.enabled
|
|
|
|
await WIKI.configSvc.saveToDb(['api'])
|
|
|
|
return {
|
|
|
|
operation: generateSuccess('API State changed successfully')
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Revoke an API key
|
|
|
|
*/
|
|
|
|
async revokeApiKey (obj, args, context) {
|
|
|
|
try {
|
|
|
|
if (!WIKI.auth.checkAccess(context.req.user, ['manage:api'])) {
|
|
|
|
throw new Error('ERR_FORBIDDEN')
|
|
|
|
}
|
|
|
|
|
|
|
|
await WIKI.db.apiKeys.query().findById(args.id).patch({
|
|
|
|
isRevoked: true
|
|
|
|
})
|
|
|
|
await WIKI.auth.reloadApiKeys()
|
|
|
|
WIKI.events.outbound.emit('reloadApiKeys')
|
|
|
|
return {
|
|
|
|
operation: generateSuccess('API Key revoked successfully')
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Update Authentication Strategies
|
|
|
|
*/
|
|
|
|
async updateAuthStrategies (obj, args, context) {
|
|
|
|
try {
|
|
|
|
if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
|
|
|
|
throw new Error('ERR_FORBIDDEN')
|
|
|
|
}
|
|
|
|
|
|
|
|
const previousStrategies = await WIKI.db.authentication.getStrategies()
|
|
|
|
for (const str of args.strategies) {
|
|
|
|
const newStr = {
|
|
|
|
displayName: str.displayName,
|
|
|
|
isEnabled: str.isEnabled,
|
|
|
|
config: _.reduce(str.config, (result, value, key) => {
|
|
|
|
_.set(result, `${value.key}`, _.get(JSON.parse(value.value), 'v', null))
|
|
|
|
return result
|
|
|
|
}, {}),
|
|
|
|
selfRegistration: str.selfRegistration,
|
|
|
|
domainWhitelist: { v: str.domainWhitelist },
|
|
|
|
autoEnrollGroups: { v: str.autoEnrollGroups }
|
|
|
|
}
|
|
|
|
|
|
|
|
if (_.some(previousStrategies, ['key', str.key])) {
|
|
|
|
await WIKI.db.authentication.query().patch({
|
|
|
|
key: str.key,
|
|
|
|
strategyKey: str.strategyKey,
|
|
|
|
...newStr
|
|
|
|
}).where('key', str.key)
|
|
|
|
} else {
|
|
|
|
await WIKI.db.authentication.query().insert({
|
|
|
|
key: str.key,
|
|
|
|
strategyKey: str.strategyKey,
|
|
|
|
...newStr
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
for (const str of _.differenceBy(previousStrategies, args.strategies, 'key')) {
|
|
|
|
const hasUsers = await WIKI.db.users.query().count('* as total').where({ providerKey: str.key }).first()
|
|
|
|
if (_.toSafeInteger(hasUsers.total) > 0) {
|
|
|
|
throw new Error(`Cannot delete ${str.displayName} as 1 or more users are still using it.`)
|
|
|
|
} else {
|
|
|
|
await WIKI.db.authentication.query().delete().where('key', str.key)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
await WIKI.auth.activateStrategies()
|
|
|
|
WIKI.events.outbound.emit('reloadAuthStrategies')
|
|
|
|
return {
|
|
|
|
responseResult: generateSuccess('Strategies updated successfully')
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Generate New Authentication Public / Private Key Certificates
|
|
|
|
*/
|
|
|
|
async regenerateCertificates (obj, args, context) {
|
|
|
|
try {
|
|
|
|
if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
|
|
|
|
throw new Error('ERR_FORBIDDEN')
|
|
|
|
}
|
|
|
|
|
|
|
|
await WIKI.auth.regenerateCertificates()
|
|
|
|
return {
|
|
|
|
responseResult: generateSuccess('Certificates have been regenerated successfully.')
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Reset Guest User
|
|
|
|
*/
|
|
|
|
async resetGuestUser (obj, args, context) {
|
|
|
|
try {
|
|
|
|
if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
|
|
|
|
throw new Error('ERR_FORBIDDEN')
|
|
|
|
}
|
|
|
|
|
|
|
|
await WIKI.auth.resetGuestUser()
|
|
|
|
return {
|
|
|
|
responseResult: generateSuccess('Guest user has been reset successfully.')
|
|
|
|
}
|
|
|
|
} catch (err) {
|
|
|
|
return generateError(err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
},
|
|
|
|
// ------------------------------------------------------------------
|
|
|
|
// TYPE: AuthenticationActiveStrategy
|
|
|
|
// ------------------------------------------------------------------
|
|
|
|
AuthenticationActiveStrategy: {
|
|
|
|
config (obj, args, context) {
|
|
|
|
if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
|
|
|
|
throw new Error('ERR_FORBIDDEN')
|
|
|
|
}
|
|
|
|
return obj.config ?? {}
|
|
|
|
},
|
|
|
|
allowedEmailRegex (obj, args, context) {
|
|
|
|
if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
|
|
|
|
throw new Error('ERR_FORBIDDEN')
|
|
|
|
}
|
|
|
|
return obj.allowedEmailRegex ?? ''
|
|
|
|
},
|
|
|
|
autoEnrollGroups (obj, args, context) {
|
|
|
|
if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
|
|
|
|
throw new Error('ERR_FORBIDDEN')
|
|
|
|
}
|
|
|
|
return obj.autoEnrollGroups ?? []
|
|
|
|
},
|
|
|
|
strategy (obj, args, context) {
|
|
|
|
return _.find(WIKI.data.authentication, ['key', obj.module])
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|