From c5e28b3adea850aec771fda73498e61d1b6955a5 Mon Sep 17 00:00:00 2001 From: rbsolis Date: Wed, 28 Nov 2018 16:12:41 +0100 Subject: [PATCH 01/10] Added new version of ldapauth-fork (lib used to ldap conn) Added new option to create a user in the data base if ldap is returned correctly. --- auth_graph/check.js | 64 +++++++++++++++++++++++---------------------- config.sample.yml | 1 + package.json | 2 +- 3 files changed, 35 insertions(+), 32 deletions(-) diff --git a/auth_graph/check.js b/auth_graph/check.js index 2bebfba..e2aae72 100644 --- a/auth_graph/check.js +++ b/auth_graph/check.js @@ -1,20 +1,20 @@ // Copyright 2017 Telefónica Digital España S.L. -// +// // This file is part of UrboCore API. -// +// // UrboCore API is free software: you can redistribute it and/or // modify it under the terms of the GNU Affero General Public License as // published by the Free Software Foundation, either version 3 of the // License, or (at your option) any later version. -// +// // UrboCore API is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero // General Public License for more details. -// +// // You should have received a copy of the GNU Affero General Public License // along with UrboCore API. If not, see http://www.gnu.org/licenses/. -// +// // For those usages not covered by this license please contact with // iot_support at tid dot es 
@@ -60,31 +60,33 @@ module.exports.password = function (req, res, next) { return next(new Error(util.format('Cannot get user [%s] from DB nor LDAP',email))); } - // If user, auto-add user to DB - try { - user.name = user.cn; - user.surname = user.sn || ''; - user.password = password; - user.nocipher = true; - user.email = email; - user.superadmin = false; - user.ldap = true; - user.scopes = ldapopts.defaultScopes; - var um = new usersmodel(); - um.saveUser(user, function(err, id) { - if (err) - return next(new Error('Error importing user into DB')); - - res.user = { - id: id, - name: user.name, - superadmin: false, - email: email, - } - return next(); - }); - } catch (e) { - return next(new Error(util.format('Something went wrong importing user from LDAP: %s', e))) + // If user, check if userCreation is active inside ldap config + if (ldapopts.autoCreateUserByLdap == true) { + try { + user.name = user.cn; + user.surname = user.sn || ''; + user.password = password; + user.nocipher = true; + user.email = email; + user.superadmin = false; + user.ldap = true; + user.scopes = ldapopts.defaultScopes; + var um = new usersmodel(); + um.saveUser(user, function(err, id) { + if (err) + return next(new Error('Error importing user into DB')); + + res.user = { + id: id, + name: user.name, + superadmin: false, + email: email, + } + return next(); + }); + } catch (e) { + return next(new Error(util.format('Something went wrong importing user from LDAP: %s', e))) + } } }); @@ -425,4 +427,4 @@ module.exports.checkNodesMiddleware = checkNodesMiddleware; module.exports.checkNotifierToken = checkNotifierToken; module.exports.checkCallback = checkCallback; -module.exports.invalidUserPassword = invalidUserPassword; \ No newline at end of file +module.exports.invalidUserPassword = invalidUserPassword; diff --git a/config.sample.yml b/config.sample.yml index 0e4e536..7d3d0bc 100644 --- a/config.sample.yml +++ b/config.sample.yml 
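Review bot: The new `if (ldapopts.autoCreateUserByLdap == true)` guard has no else branch, so when the option is off the authenticate callback returns without ever calling `next()` and the login request never completes. Fail closed instead, `} else { return next(invalidUserPassword()); }`, and prefer `=== true` to match the strict checks used elsewhere in this file. The block kept inside the guard still does `user.password = password; user.nocipher = true;`, which persists the directory password unhashed in the local users table; a row flagged `ldap: true` should not carry a reusable local secret. The enclosing authenticate callback and `module.exports.password` start above the hunk.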
@@ -56,6 +56,7 @@ ldap: searchFilter: "mail={{username}}" defaultScopes: - scope_name + autoCreateUserByLdap: true dema: orion: diff --git a/package.json b/package.json index 46dec1d..c03fe16 100644 --- a/package.json +++ b/package.json @@ -36,7 +36,7 @@ "js-yaml": "^3.5.3", "json2csv": "^3.5.1", "jwt-simple": "^0.5.0", - "ldapauth-fork": "^3.0.0", + "ldapauth-fork": "4.0.2", "log4js": "^0.6.32", "memory-cache": "0.1.6", "merge-yaml": "1.0.0", From 97e053376bd93e1ed5d86f2da6e8422b84685898 Mon Sep 17 00:00:00 2001 From: rbsolis Date: Wed, 28 Nov 2018 16:44:45 +0100 Subject: [PATCH 02/10] force Ldap Authtentication --- auth_graph/check.js | 3 +++ config.sample.yml | 1 + 2 files changed, 4 insertions(+) diff --git a/auth_graph/check.js b/auth_graph/check.js index e2aae72..67dd540 100644 --- a/auth_graph/check.js +++ b/auth_graph/check.js @@ -54,6 +54,7 @@ module.exports.password = function (req, res, next) { // User not in DB, trying out LDAP, if available if (ldapopts) { var auth = new LdapAuth(ldapopts); + auth.authenticate(email, password, function(err, user) { if (err) { @@ -87,6 +88,8 @@ module.exports.password = function (req, res, next) { } catch (e) { return next(new Error(util.format('Something went wrong importing user from LDAP: %s', e))) } + } else { + return next(); } }); diff --git a/config.sample.yml b/config.sample.yml index 7d3d0bc..60071fa 100644 --- a/config.sample.yml +++ b/config.sample.yml @@ -57,6 +57,7 @@ ldap: defaultScopes: - scope_name autoCreateUserByLdap: true + forceLdapAuthtentication: true dema: orion: From 828ce30c7f92b1bd35c0abf94e81112d084ecdd0 Mon Sep 17 00:00:00 2001 From: rbsolis Date: Thu, 29 Nov 2018 10:45:45 +0100 Subject: [PATCH 03/10] Force Ldap login by config. --- auth_graph/check.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/auth_graph/check.js b/auth_graph/check.js index 67dd540..f7458a9 100644 --- a/auth_graph/check.js +++ b/auth_graph/check.js 
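Review bot: The added `} else { return next(); }` lets a caller who authenticated against LDAP but has no database record continue down the middleware chain with `res.user` never set, because the `autoCreateUserByLdap` false branch now succeeds instead of failing the login. What downstream handlers do with an undefined `res.user` is outside this hunk, but neither a 500 nor an identity-less session is the intended outcome. Fail closed: `} else { return next(invalidUserPassword()); }`. The enclosing authenticate callback starts above the hunk.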
@@ -52,7 +52,7 @@ module.exports.password = function (req, res, next) { if (err || !data.rows.length) { // User not in DB, trying out LDAP, if available - if (ldapopts) { + if (ldapopts && ldapopts.forceLdapAuthtentication === true) { var auth = new LdapAuth(ldapopts); auth.authenticate(email, password, function(err, user) { @@ -133,6 +133,7 @@ module.exports.password = function (req, res, next) { } } }); + } function checkToken(req,res,next) { From c41685928dcf28ac7762ddabe90bd93a926a30c4 Mon Sep 17 00:00:00 2001 From: rbsolis Date: Thu, 31 Jan 2019 13:18:22 +0100 Subject: [PATCH 04/10] Updated Ldap auth. We cover new user cases. Auth with Ldap can be forced now, and will be check first. Create a new user from Ldap user is a new option. --- auth_graph/check.js | 234 ++++++++++++++++++++++++++++++++------------ 1 file changed, 169 insertions(+), 65 deletions(-) diff --git a/auth_graph/check.js b/auth_graph/check.js index f7458a9..4bfa443 100644 --- a/auth_graph/check.js +++ b/auth_graph/check.js 
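Review bot: The option name `forceLdapAuthtentication` in the new condition is misspelled, and because a missing YAML key simply reads as `undefined`, any deployment that spells the key correctly in its config gets the LDAP attempt silently disabled with no error. Settle on one spelling (`forceLdapAuthentication`) in this check and in `config.sample.yml`, and consider a startup log when `ldapopts` contains unrecognised keys so such mismatches are visible. A short comment on the intended precedence would also help, since a flag named "force" here only enables the LDAP attempt for users absent from the database. The enclosing `getUserByEmail` callback starts above the hunk.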
@@ -37,6 +37,49 @@ function invalidUserPassword() { return error; } +function invalidLdapUser() { + var error = new Error('Invalid Ldap user or password'); + error.status = 401; + return error; +} + +function createdbUserFromLdapUser(ldapuser, password, email, callback) { + var user = {}; + + try { + user.name = ldapuser.cn; + user.surname = ldapuser.sn || ''; + user.password = password; + user.nocipher = true; + user.email = email; + user.superadmin = false; + user.ldap = true; + user.scopes = ldapopts.defaultScopes; + var um = new usersmodel(); + um.saveUser(user, function(err, id) { + + var userid = id; + if (err) + return callback (new Error('Error importing user into DB'), null); + + var resUser = { + id: userid, + name: user.name, + superadmin: false, + email: email, + ldap: true + } + + return callback (null, resUser) ; + + }); + } catch (e) { + var error = new Error(util.format('Something went wrong importing user from LDAP: %s', e)); + return callback(error, null); + } + +} + module.exports.password = function (req, res, next) { var email = req.body.email; var password = req.body.password; 
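Review bot: `createdbUserFromLdapUser` writes `user.password = password` together with `user.nocipher = true`, so the directory password of every auto-provisioned account is stored in clear in the local users table and a read of that table yields directory credentials. An LDAP-provisioned row should hold no usable local secret: store a value that no submitted string can equal and route such rows through the LDAP bind on every login rather than through a local comparison. The function also reads the module-level `ldapopts` without checking it is defined; the callers visible later guard for it, but the helper itself does not. A one-line JSDoc stating that `callback(err, resUser)` is invoked exactly once, with `resUser` carrying `id`, `name`, `superadmin`, `email` and `ldap`, would make the contract explicit.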
@@ -47,92 +90,153 @@ module.exports.password = function (req, res, next) { return next(error); } - var m = new model(); - m.getUserByEmail(email,function(err, data) { + // first we check if user need to be authenticated as LDAP user + if (ldapopts.forceLdapAuthentication === true) { - if (err || !data.rows.length) { - // User not in DB, trying out LDAP, if available - if (ldapopts && ldapopts.forceLdapAuthtentication === true) { - var auth = new LdapAuth(ldapopts); + log.info("forceLdapAuthtentication active"); - auth.authenticate(email, password, function(err, user) { + var auth = new LdapAuth(ldapopts); + var ldapusername = email.replace(/@.*$/,""); - if (err) { - return next(new Error(util.format('Cannot get user [%s] from DB nor LDAP',email))); - } + auth.authenticate(ldapusername, password, function(err, user) { - // If user, check if userCreation is active inside ldap config - if (ldapopts.autoCreateUserByLdap == true) { - try { - user.name = user.cn; - user.surname = user.sn || ''; - user.password = password; - user.nocipher = true; - user.email = email; - user.superadmin = false; - user.ldap = true; - user.scopes = ldapopts.defaultScopes; - var um = new usersmodel(); - um.saveUser(user, function(err, id) { - if (err) - return next(new Error('Error importing user into DB')); - - res.user = { - id: id, - name: user.name, - superadmin: false, - email: email, - } - return next(); - }); - } catch (e) { - return next(new Error(util.format('Something went wrong importing user from LDAP: %s', e))) - } - } else { - return next(); - } + if (err) { + return next(invalidLdapUser()); + } + + var ldapuser = user; - }); + // if Ldap user exists we check if exists in our db + var m = new model(); + m.getUserByEmail(email,function(err, data) { + // user not exists in our database + if (err || !data.rows.length) { - } else { - return next(invalidUserPassword()); - } - } + // We check if we have to create it or return a login error + if (ldapopts.autoCreateUserByLdap === 
true) { - if (data && data.rows && data.rows.length) { - var user = data.rows[0]; + return createdbUserFromLdapUser(ldapuser, password, email, function(err, resUser) { + if (err) { + return next(err); + } + res.user = resUser; + return next(); + }); - if (user.ldap && ldapopts) { - var auth = new LdapAuth(ldapopts); - auth.authenticate(email, password, function(err, ldapuser) { - if (err) { + } + // if it is not necessary create new user, we return an error, because the urbo login failed + else { return next(invalidUserPassword()); } - var um = new usersmodel(); - um.editHashedPassword(user.users_id, ldapuser.userPassword, function(err, done) { + } + + // if user exists we check the password + if (data && data.rows && data.rows.length) { + var user = data.rows[0]; + if (user.password === password) { user.id = user.users_id; delete user.password; delete user.users_id; res.user = user; return next(); + } + else { + return next(invalidUserPassword()); + } + } + + }); + + }); + + // if not LDAP Authentification is needed, we check if user is in our db directly + } else { + + log.info("forceLdapAuthtentication inactive"); + + var m = new model(); + m.getUserByEmail(email,function(err, data) { + + if (err || !data.rows.length) { + + // User not in DB, trying out LDAP, if available + if (ldapopts) { + var auth = new LdapAuth(ldapopts); + var ldapusername = email.replace(/@.*$/,""); + + auth.authenticate(ldapusername, password, function(err, user) { + + if (err) { + return next(new Error(util.format('Cannot get user [%s] from DB nor LDAP',email))); + } + + var ldapuser = user; + + // If LDAP user, check if userCreation_in_our_db_from_ldap_user is active inside ldap config + if (ldapopts.autoCreateUserByLdap == true) { + + return createdbUserFromLdapUser(ldapuser, password, email, function(err, resUser) { + if (err) { + return next(err); + } + res.user = resUser; + return next(); + }); + + } else { + return next(); + } + }); - }); + } else { + return 
next(invalidUserPassword()); + } } - else if (user.password === password) { - user.id = user.users_id; - delete user.password; - delete user.users_id; - res.user = user; - return next(); - } - else { - return next(invalidUserPassword()); + + if (data && data.rows && data.rows.length) { + var user = data.rows[0]; + + // update dbUser password using ldap password + if (user.ldap && ldapopts) { + + var auth = new LdapAuth(ldapopts); + var ldapusername = email.replace(/@.*$/,""); + + auth.authenticate(ldapusername, password, function(err, ldapuser) { + + if (err) { + return next(invalidLdapUser()); + } + + var um = new usersmodel(); + um.editHashedPassword(user.users_id, password, function(err, done) { + user.id = user.users_id; + delete user.password; + delete user.users_id; + res.user = user; + return next(); + }); + }); + + } + else if (user.password === password) { + user.id = user.users_id; + delete user.password; + delete user.users_id; + res.user = user; + return next(); + } + else { + return next(invalidUserPassword()); + } } - } - }); + + }); + + } } From 30fff7e9f16742fced45f3fa2153f5c0ef36d0a8 Mon Sep 17 00:00:00 2001 From: rbsolis Date: Tue, 5 Feb 2019 05:11:41 +0100 Subject: [PATCH 05/10] Added reversemd5 to avoid change frontend logic. Connection to ldap must be with the password unencoded. --- auth_graph/check.js | 12 ++++++++++++ package.json | 1 + 2 files changed, 13 insertions(+) diff --git a/auth_graph/check.js b/auth_graph/check.js index 4bfa443..5ebdd11 100644 --- a/auth_graph/check.js +++ b/auth_graph/check.js @@ -30,6 +30,7 @@ var _ = require('underscore'); var config = require('../config'); var LdapAuth = require('ldapauth-fork'); var ldapopts = config.getData().ldap; +var ReverseMd5 = require('reverse-md5') function invalidUserPassword() { var error = new Error('Invalid user or password'); 
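Review bot: The forced branch reads `ldapopts.forceLdapAuthentication`, but the key added to `config.sample.yml` in patch 02 and read in patch 03 is `forceLdapAuthtentication`, so with the shipped sample config the forced path is never taken and the `log.info("forceLdapAuthtentication inactive")` branch runs instead; align the sample config with the spelling used here. In the non-forced branch, `} else { return next(); }` after a successful bind with `autoCreateUserByLdap` off still continues the chain without `res.user`, and should return `invalidUserPassword()`. `ldapopts.forceLdapAuthentication` is also dereferenced before any check that `ldapopts` exists, which throws on installations with no `ldap` section. The LDAP username is derived with `email.replace(/@.*$/,"")`, which assumes the directory login name equals the mail local part; that deserves a comment, and it is worth confirming that ldapauth-fork escapes filter metacharacters in the value it substitutes into `searchFilter`, since `email` comes straight from `req.body`. `module.exports.password` starts above the hunk.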
@@ -93,6 +94,17 @@ module.exports.password = function (req, res, next) { // first we check if user need to be authenticated as LDAP user if (ldapopts.forceLdapAuthentication === true) { + var reverseMd5 = ReverseMd5({ + lettersUpper: true, + lettersLower: true, + numbers: true, + special: true, + whitespace: true, + maxLen: 45 + }) + + password = reverseMd5(password); + log.info("forceLdapAuthtentication active"); var auth = new LdapAuth(ldapopts); diff --git a/package.json b/package.json index c03fe16..a801fd2 100644 --- a/package.json +++ b/package.json @@ -47,6 +47,7 @@ "recursive-iterator": "^3.3.0", "redis": "^2.6.2", "request": "^2.69.0", + "reverse-md5": "0.0.4", "underscore": "^1.8.3", "utf-8-validate": "^3.0.1", "ws": "^2.1.0", From 327001ce0a54a331626f635e08737205b2eafe23 Mon Sep 17 00:00:00 2001 From: rbsolis Date: Tue, 5 Feb 2019 05:26:33 +0100 Subject: [PATCH 06/10] Solved lint errors. --- auth_graph/check.js | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/auth_graph/check.js b/auth_graph/check.js index 5ebdd11..13bc872 100644 --- a/auth_graph/check.js +++ b/auth_graph/check.js @@ -105,10 +105,10 @@ module.exports.password = function (req, res, next) { password = reverseMd5(password); - log.info("forceLdapAuthtentication active"); + log.info('forceLdapAuthtentication active'); var auth = new LdapAuth(ldapopts); - var ldapusername = email.replace(/@.*$/,""); + var ldapusername = email.replace(/@.*$/,''); auth.authenticate(ldapusername, password, function(err, user) { @@ -129,11 +129,11 @@ module.exports.password = function (req, res, next) { if (ldapopts.autoCreateUserByLdap === true) { return createdbUserFromLdapUser(ldapuser, password, email, function(err, resUser) { - if (err) { - return next(err); - } - res.user = resUser; - return next(); + if (err) { + return next(err); + } + res.user = resUser; + return next(); }); } 
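Review bot: `password = reverseMd5(password)` tries to recover the cleartext from an MD5 digest by searching candidate strings of up to 45 characters across all the enabled character classes, on every login request; that is unbounded CPU work on an unauthenticated path and it cannot be relied on to return the original string. The underlying problem is the protocol: the client submits an unsalted MD5 of the password and the server treats that digest as the credential in `user.password === password`, so the digest is password-equivalent wherever it is stored or logged. Fix it at the protocol level (send the password over TLS and hash server-side with a slow KDF, or bind to LDAP and drop local comparison for `ldap` rows) rather than reversing hashes; the `reverse-md5` dependency should not ship. `module.exports.password` starts above the hunk.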
@@ -166,7 +166,7 @@ module.exports.password = function (req, res, next) { // if not LDAP Authentification is needed, we check if user is in our db directly } else { - log.info("forceLdapAuthtentication inactive"); + log.info('forceLdapAuthtentication inactive'); var m = new model(); m.getUserByEmail(email,function(err, data) { @@ -176,7 +176,7 @@ module.exports.password = function (req, res, next) { // User not in DB, trying out LDAP, if available if (ldapopts) { var auth = new LdapAuth(ldapopts); - var ldapusername = email.replace(/@.*$/,""); + var ldapusername = email.replace(/@.*$/,''); auth.authenticate(ldapusername, password, function(err, user) { @@ -187,14 +187,14 @@ module.exports.password = function (req, res, next) { var ldapuser = user; // If LDAP user, check if userCreation_in_our_db_from_ldap_user is active inside ldap config - if (ldapopts.autoCreateUserByLdap == true) { + if (ldapopts.autoCreateUserByLdap === true) { return createdbUserFromLdapUser(ldapuser, password, email, function(err, resUser) { if (err) { return next(err); } - res.user = resUser; - return next(); + res.user = resUser; + return next(); }); } else { @@ -215,7 +215,7 @@ module.exports.password = function (req, res, next) { if (user.ldap && ldapopts) { var auth = new LdapAuth(ldapopts); - var ldapusername = email.replace(/@.*$/,""); + var ldapusername = email.replace(/@.*$/,''); auth.authenticate(ldapusername, password, function(err, ldapuser) { From 55e0bde4f80aa0578c631323e1a79c60adfc909f Mon Sep 17 00:00:00 2001 From: rbsolis Date: Tue, 5 Feb 2019 10:54:20 +0100 Subject: [PATCH 07/10] Erased reversemd5 --- auth_graph/check.js | 20 ++++---------------- package.json | 1 - 2 files changed, 4 insertions(+), 17 deletions(-) diff --git a/auth_graph/check.js b/auth_graph/check.js index 13bc872..c19d487 100644 --- a/auth_graph/check.js +++ b/auth_graph/check.js 
@@ -30,7 +30,6 @@ var _ = require('underscore'); var config = require('../config'); var LdapAuth = require('ldapauth-fork'); var ldapopts = config.getData().ldap; -var ReverseMd5 = require('reverse-md5') function invalidUserPassword() { var error = new Error('Invalid user or password'); @@ -92,18 +91,7 @@ module.exports.password = function (req, res, next) { } // first we check if user need to be authenticated as LDAP user - if (ldapopts.forceLdapAuthentication === true) { - - var reverseMd5 = ReverseMd5({ - lettersUpper: true, - lettersLower: true, - numbers: true, - special: true, - whitespace: true, - maxLen: 45 - }) - - password = reverseMd5(password); + if (ldapopts && ldapopts.forceLdapAuthentication === true) { log.info('forceLdapAuthtentication active'); @@ -144,10 +132,10 @@ module.exports.password = function (req, res, next) { } - // if user exists we check the password + // if user exists we check the default password for ldap users. if (data && data.rows && data.rows.length) { var user = data.rows[0]; - if (user.password === password) { + if (user.password === 'password') { user.id = user.users_id; delete user.password; delete user.users_id; @@ -187,7 +175,7 @@ module.exports.password = function (req, res, next) { var ldapuser = user; // If LDAP user, check if userCreation_in_our_db_from_ldap_user is active inside ldap config - if (ldapopts.autoCreateUserByLdap === true) { + if (ldapopts && ldapopts.autoCreateUserByLdap === true) { return createdbUserFromLdapUser(ldapuser, password, email, function(err, resUser) { if (err) { diff --git a/package.json b/package.json index e577ea8..b7a5472 100644 --- a/package.json +++ b/package.json @@ -47,7 +47,6 @@ "pg": "^6.1.2", "recursive-iterator": "^3.3.0", "redis": "^2.6.2", - "reverse-md5": "0.0.4", "request": "2.88.0", "request-promise": "4.2.2", "underscore": "^1.8.3", From 6c6ef8f79db3ac3b246f30a4b0d7aa3bc06ef6fb Mon Sep 17 00:00:00 2001 
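Review bot: `if (user.password === 'password')` replaces the submitted-password comparison with a hard-coded literal, so in forced-LDAP mode an existing row passes this check only when its stored password is the string `password`, and any row with that stored value is accepted after a bind regardless of how it was provisioned. A literal credential has no place in an authentication decision; if the intent is "LDAP users carry no local password", test the flag instead, `if (user.ldap === true) { … }`, and reject otherwise. Note also that `createdbUserFromLdapUser` still stores the real LDAP password at this commit, so LDAP-provisioned rows do not satisfy the new literal and are locked out of forced mode. The enclosing `getUserByEmail` callback starts above the hunk.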
From: rbsolis Date: Tue, 5 Feb 2019 21:05:51 +0100 Subject: [PATCH 08/10] refactoring user checking --- auth_graph/check.js | 192 ++++++++++++++++---------------------------- 1 file changed, 68 insertions(+), 124 deletions(-) diff --git a/auth_graph/check.js b/auth_graph/check.js index c19d487..5c47c1f 100644 --- a/auth_graph/check.js +++ b/auth_graph/check.js @@ -49,7 +49,7 @@ function createdbUserFromLdapUser(ldapuser, password, email, callback) { try { user.name = ldapuser.cn; user.surname = ldapuser.sn || ''; - user.password = password; + user.password = 'urboldappassword'; user.nocipher = true; user.email = email; user.superadmin = false; 
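Review bot: `user.password = 'urboldappassword'` combined with the unchanged `user.nocipher = true` on the next line stores one publicly known literal, in clear, as the local password of every LDAP-provisioned account. In the refactored `module.exports.password` of the following hunk, the local branch `else if (user.password === password)` remains reachable for `ldap` rows whenever `forceLdapAuthentication` is not `true`, so the literal becomes a shared credential for all of those accounts that bypasses the directory entirely. Store a per-row random value from Node's `crypto` module that no submitted string can equal, and route `user.ldap` rows through `authLdapUser` irrespective of the flag, so the local comparison is never consulted for them. The enclosing `try` continues outside the hunk.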
@@ -80,163 +80,107 @@ function createdbUserFromLdapUser(ldapuser, password, email, callback) { } +function authLdapUser(password, email, callback) { + var auth = new LdapAuth(ldapopts); + var ldapusername = email.replace(/@.*$/,''); + auth.authenticate(ldapusername, password, function(err, user) { + if (err) { + return callback(user, null); + } + else { + return callback(null, user); + } + }); +} + module.exports.password = function (req, res, next) { var email = req.body.email; var password = req.body.password; + // params validation if (!email||!password) { var error = new Error('Invalid parameters'); error.status = 422; return next(error); } - // first we check if user need to be authenticated as LDAP user - if (ldapopts && ldapopts.forceLdapAuthentication === true) { - log.info('forceLdapAuthtentication active'); + var m = new model(); + m.getUserByEmail(email,function(err, data) { - var auth = new LdapAuth(ldapopts); - var ldapusername = email.replace(/@.*$/,''); + // NO URBO USER + if (err || !data.rows.length) { - auth.authenticate(ldapusername, password, function(err, user) { + if (ldapopts && ldapopts.autoCreateUserByLdap === true && ldapopts.forceLdapAuthentication != true) { - if (err) { - return next(invalidLdapUser()); - } - var ldapuser = user; + authLdapUser(password, email, function(err, ldapuser) { + log.info(err); + log.info('ldapuser', ldapuser); + if (err) { + return next(invalidLdapUser()); + } + return createdbUserFromLdapUser(ldapuser, password, email, function(err, resUser) { + log.info(err); + log.info('resUser', resUser); + if (err) { + return next(err); + } + res.user = resUser; + return next(); + }); - // if Ldap user exists we check if exists in our db - var m = new model(); - m.getUserByEmail(email,function(err, data) { + }); - // user not exists in our database - if (err || !data.rows.length) { + } + else { + return next(invalidUserPassword()); + } - // We check if we have to create it or return a login error - if 
(ldapopts.autoCreateUserByLdap === true) { + } - return createdbUserFromLdapUser(ldapuser, password, email, function(err, resUser) { - if (err) { - return next(err); - } - res.user = resUser; - return next(); - }); + // URBO USER + if (data && data.rows && data.rows.length) { + var user = data.rows[0]; + // Check LDAP USER if necessary + if (user.ldap && ldapopts && ldapopts.forceLdapAuthentication === true) { + authLdapUser(password, email, function(err, ldapuser) { + if (err) { + return next(invalidLdapUser()); } - // if it is not necessary create new user, we return an error, because the urbo login failed - else { - return next(invalidUserPassword()); - } - - } - - // if user exists we check the default password for ldap users. - if (data && data.rows && data.rows.length) { - var user = data.rows[0]; - if (user.password === 'password') { + var um = new usersmodel(); + um.editHashedPassword(user.users_id, password, function(err, done) { user.id = user.users_id; delete user.password; delete user.users_id; res.user = user; return next(); - } - else { - return next(invalidUserPassword()); - } - } - - }); - - }); - - // if not LDAP Authentification is needed, we check if user is in our db directly - } else { - - log.info('forceLdapAuthtentication inactive'); - - var m = new model(); - m.getUserByEmail(email,function(err, data) { - - if (err || !data.rows.length) { - - // User not in DB, trying out LDAP, if available - if (ldapopts) { - var auth = new LdapAuth(ldapopts); - var ldapusername = email.replace(/@.*$/,''); - - auth.authenticate(ldapusername, password, function(err, user) { - - if (err) { - return next(new Error(util.format('Cannot get user [%s] from DB nor LDAP',email))); - } - - var ldapuser = user; - - // If LDAP user, check if userCreation_in_our_db_from_ldap_user is active inside ldap config - if (ldapopts && ldapopts.autoCreateUserByLdap === true) { - - return createdbUserFromLdapUser(ldapuser, password, email, function(err, resUser) { - if (err) { - 
return next(err); - } - res.user = resUser; - return next(); - }); - - } else { - return next(); - } - }); - - } else { - return next(invalidUserPassword()); - } + }); } - if (data && data.rows && data.rows.length) { - var user = data.rows[0]; - - // update dbUser password using ldap password - if (user.ldap && ldapopts) { - - var auth = new LdapAuth(ldapopts); - var ldapusername = email.replace(/@.*$/,''); - - auth.authenticate(ldapusername, password, function(err, ldapuser) { - - if (err) { - return next(invalidLdapUser()); - } + if (!user.ldap && ldapopts && ldapopts.forceLdapAuthentication === true) { + return next(invalidUserPassword()); + } - var um = new usersmodel(); - um.editHashedPassword(user.users_id, password, function(err, done) { - user.id = user.users_id; - delete user.password; - delete user.users_id; - res.user = user; - return next(); - }); - }); + // Check PASSWORD + else if (user.password === password) { + user.id = user.users_id; + delete user.password; + delete user.users_id; + res.user = user; + return next(); + } - } - else if (user.password === password) { - user.id = user.users_id; - delete user.password; - delete user.users_id; - res.user = user; - return next(); - } - else { - return next(invalidUserPassword()); - } + else { + return next(invalidUserPassword()); } + } + + }); - }); - } } From 69d66ffa25fd10cda9c0a86ff0ec0b9cbbf8a873 Mon Sep 17 00:00:00 2001 From: rbsolis Date: Wed, 6 Feb 2019 10:40:14 +0100 Subject: [PATCH 09/10] Use uid instead of cn creating urbo users from ldap users. Not always cn is defined. --- auth_graph/check.js | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/auth_graph/check.js b/auth_graph/check.js index 5c47c1f..cc8d164 100644 --- a/auth_graph/check.js +++ b/auth_graph/check.js 
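Review bot: `authLdapUser` discards the bind error: on failure it calls `callback(user, null)`, and if, as is usual for this callback style, no user is passed on a failed authenticate, the caller receives a falsy first argument and the `if (err) { return next(invalidLdapUser()); }` checks at both call sites never fire. In the URBO USER branch that means `um.editHashedPassword(user.users_id, password, …)` runs and `res.user` is set after a rejected bind, i.e. the forced-LDAP check accepts any submitted password for an `ldap` row and overwrites the stored one with it. Change the line to `return callback(err, null);` and harden both callers to `if (err || !ldapuser) { return next(invalidLdapUser()); }`. The `log.info(err); log.info('ldapuser', ldapuser);` lines also dump the full directory entry into the application log on an authentication path; they are removed in patch 09, but the NO URBO USER branch should never have logged it. `module.exports.password` ends within the hunk; `authLdapUser` is complete.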
@@ -47,8 +47,8 @@ function createdbUserFromLdapUser(ldapuser, password, email, callback) { var user = {}; try { - user.name = ldapuser.cn; - user.surname = ldapuser.sn || ''; + user.name = ldapuser.uid; + user.surname = ldapuser.uid || ''; user.password = 'urboldappassword'; user.nocipher = true; user.email = email; @@ -115,14 +115,10 @@ module.exports.password = function (req, res, next) { authLdapUser(password, email, function(err, ldapuser) { - log.info(err); - log.info('ldapuser', ldapuser); if (err) { return next(invalidLdapUser()); } return createdbUserFromLdapUser(ldapuser, password, email, function(err, resUser) { - log.info(err); - log.info('resUser', resUser); if (err) { return next(err); } @@ -281,7 +277,6 @@ function checkPublishedOrCheckToken(req, res, next) { } }).catch(function(err) { - log.error(err); var error = new Error('Invalid token'); error.status = 403; return next(error); From b47a1665b05dda56dfba1d69fd5cdf320469aa1b Mon Sep 17 00:00:00 2001 From: rbsolis Date: Wed, 6 Feb 2019 10:45:11 +0100 Subject: [PATCH 10/10] Fixed operator. --- auth_graph/check.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth_graph/check.js b/auth_graph/check.js index cc8d164..21a5a05 100644 --- a/auth_graph/check.js +++ b/auth_graph/check.js @@ -111,7 +111,7 @@ module.exports.password = function (req, res, next) { // NO URBO USER if (err || !data.rows.length) { - if (ldapopts && ldapopts.autoCreateUserByLdap === true && ldapopts.forceLdapAuthentication != true) { + if (ldapopts && ldapopts.autoCreateUserByLdap === true && ldapopts.forceLdapAuthentication !== true) { authLdapUser(password, email, function(err, ldapuser) {
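Review bot: `user.surname = ldapuser.uid || ''` copies the uid into the surname field; the commit message only says uid replaces cn for the name, and the removed line shows the surname came from `sn`, so this reads as a copy-paste slip: `user.surname = ldapuser.sn || '';`. If `uid` can also be absent, `user.name` needs the same `|| ''` guard or the save should fail explicitly rather than store `undefined`. The enclosing `try` continues outside the hunk.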
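Review bot: Removing `log.error(err)` from the catch in `checkPublishedOrCheckToken` leaves the 403 with no server-side record of why token verification failed, which removes the signal operators need for triage and for spotting repeated token failures. Keep a line that records the failure class without the token value, `log.error(util.format('Token check failed: %s', err.message));`. The enclosing function and its promise chain start above the hunk.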