fosrl.pangolin/server/routers/badger/verifySession.ts

import HttpCode from "@server/types/HttpCode";
import { NextFunction, Request, Response } from "express";
import createHttpError from "http-errors";
import { z } from "zod";
import { fromError } from "zod-validation-error";
import { response } from "@server/utils/response";
import { validateSessionToken } from "@server/auth";
import db from "@server/db";
import {
    resourcePassword,
    resourcePincode,
    resources,
    User,
    userOrgs
} from "@server/db/schema";
import { and, eq } from "drizzle-orm";
import config from "@server/config";
import { validateResourceSessionToken } from "@server/auth/resource";
import { Resource, roleResources, userResources } from "@server/db/schema";
import logger from "@server/logger";

const verifyResourceSessionSchema = z.object({
    sessions: z.record(z.string()).optional(),
    originalRequestURL: z.string().url(),
    scheme: z.string(),
    host: z.string(),
    path: z.string(),
    method: z.string(),
    tls: z.boolean()
});

export type VerifyResourceSessionSchema = z.infer<
    typeof verifyResourceSessionSchema
>;

export type VerifyUserResponse = {
    valid: boolean;
    redirectUrl?: string;
};

export async function verifyResourceSession(
    req: Request,
    res: Response,
    next: NextFunction
): Promise<any> {
    logger.debug("Badger sent", req.body); // remove when done testing

    const parsedBody = verifyResourceSessionSchema.safeParse(req.body);

    if (!parsedBody.success) {
        return next(
            createHttpError(
                HttpCode.BAD_REQUEST,
                fromError(parsedBody.error).toString()
            )
        );
    }

    try {
        const { sessions, host, originalRequestURL } = parsedBody.data;

        const [result] = await db
            .select()
            .from(resources)
            .leftJoin(
                resourcePincode,
                eq(resourcePincode.resourceId, resources.resourceId)
            )
            .leftJoin(
                resourcePassword,
                eq(resourcePassword.resourceId, resources.resourceId)
            )
            .where(eq(resources.fullDomain, host))
            .limit(1);

        const resource = result?.resources;
        const pincode = result?.resourcePincode;
        const password = result?.resourcePassword;

        if (!resource) {
            logger.debug("Resource not found", host);
            return notAllowed(res);
        }

        const { sso, blockAccess } = resource;

        if (blockAccess) {
            logger.debug("Resource blocked", host);
            return notAllowed(res);
        }

        if (!resource.sso && !pincode && !password) {
            logger.debug("Resource allowed because no auth");
            return allowed(res);
        }

        const redirectUrl = `${config.app.base_url}/auth/resource/${encodeURIComponent(resource.resourceId)}?redirect=${encodeURIComponent(originalRequestURL)}`;

        if (!sessions) {
            return notAllowed(res);
        }

        const sessionToken = sessions[config.server.session_cookie_name];

        // check for unified login
        if (sso && sessionToken && !resource.otpEnabled) {
            const { session, user } = await validateSessionToken(sessionToken);
            if (session && user) {
                const isAllowed = await isUserAllowedToAccessResource(
                    user,
                    resource
                );

                if (isAllowed) {
                    logger.debug(
                        "Resource allowed because user session is valid"
                    );
                    return allowed(res);
                }
            }
        }

        const resourceSessionToken =
            sessions[
                `${config.server.resource_session_cookie_name}_${resource.resourceId}`
            ];

        if (
            sso &&
            sessionToken &&
            resourceSessionToken &&
            resource.otpEnabled
        ) {
            const { session, user } = await validateSessionToken(sessionToken);
            const { resourceSession } = await validateResourceSessionToken(
                resourceSessionToken,
                resource.resourceId
            );

            if (session && user && resourceSession) {
                if (!resourceSession.usedOtp) {
                    logger.debug("Resource not allowed because OTP not used");
                    return notAllowed(res, redirectUrl);
                }

                const isAllowed = await isUserAllowedToAccessResource(
                    user,
                    resource
                );

                if (isAllowed) {
                    logger.debug(
                        "Resource allowed because user and resource session is valid"
                    );
                    return allowed(res);
                }
            }
        }

        if ((pincode || password) && resourceSessionToken) {
            const { resourceSession } = await validateResourceSessionToken(
                resourceSessionToken,
                resource.resourceId
            );

            if (resourceSession) {
                if (resource.otpEnabled && !resourceSession.usedOtp) {
                    logger.debug("Resource not allowed because OTP not used");
                    return notAllowed(res, redirectUrl);
                }

                if (
                    pincode &&
                    resourceSession.pincodeId === pincode.pincodeId
                ) {
                    logger.debug(
                        "Resource allowed because pincode session is valid"
                    );
                    return allowed(res);
                }

                if (
                    password &&
                    resourceSession.passwordId === password.passwordId
                ) {
                    logger.debug(
                        "Resource allowed because password session is valid"
                    );
                    return allowed(res);
                }
            }
        }

        logger.debug("No more auth to check, resource not allowed");
        return notAllowed(res, redirectUrl);
    } catch (e) {
        console.error(e);
        return next(
            createHttpError(
                HttpCode.INTERNAL_SERVER_ERROR,
                "Failed to verify session"
            )
        );
    }
}

function notAllowed(res: Response, redirectUrl?: string) {
    const data = {
        data: { valid: false, redirectUrl },
        success: true,
        error: false,
        message: "Access denied",
        status: HttpCode.OK
    };
    logger.debug(JSON.stringify(data));
    return response<VerifyUserResponse>(res, data);
}

function allowed(res: Response) {
    const data = {
        data: { valid: true },
        success: true,
        error: false,
        message: "Access allowed",
        status: HttpCode.OK
    };
    logger.debug(JSON.stringify(data));
    return response<VerifyUserResponse>(res, data);
}

async function isUserAllowedToAccessResource(
    user: User,
    resource: Resource
): Promise<boolean> {
    if (config.flags?.require_email_verification && !user.emailVerified) {
        return false;
    }

    const userOrgRole = await db
        .select()
        .from(userOrgs)
        .where(
            and(
                eq(userOrgs.userId, user.userId),
                eq(userOrgs.orgId, resource.orgId)
            )
        )
        .limit(1);

    if (userOrgRole.length === 0) {
        return false;
    }

    const roleResourceAccess = await db
        .select()
        .from(roleResources)
        .where(
            and(
                eq(roleResources.resourceId, resource.resourceId),
                eq(roleResources.roleId, userOrgRole[0].roleId)
            )
        )
        .limit(1);

    if (roleResourceAccess.length > 0) {
        return true;
    }

    const userResourceAccess = await db
        .select()
        .from(userResources)
        .where(
            and(
                eq(userResources.userId, user.userId),
                eq(userResources.resourceId, resource.resourceId)
            )
        )
        .limit(1);

    if (userResourceAccess.length > 0) {
        return true;
    }

    return false;
}
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`import HttpCode from "@server/types/HttpCode";`
			`import { NextFunction, Request, Response } from "express";`
			`import createHttpError from "http-errors";`
			`import { z } from "zod";`
			`import { fromError } from "zod-validation-error";`
			`import { response } from "@server/utils/response";`
			`import { validateSessionToken } from "@server/auth";`
			`import db from "@server/db";`
			`import {`
			`resourcePassword,`
			`resourcePincode,`
			`resources,`
fix rendering issues on resource unauthorized 2024-11-29 21:48:48 -05:00			`User,`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`userOrgs`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`} from "@server/db/schema";`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`import { and, eq } from "drizzle-orm";`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`import config from "@server/config";`
			`import { validateResourceSessionToken } from "@server/auth/resource";`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`import { Resource, roleResources, userResources } from "@server/db/schema";`
added resource auth status cards and moved login to reusable login form 2024-11-23 17:56:21 -05:00			`import logger from "@server/logger";`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00
			`const verifyResourceSessionSchema = z.object({`
set resource session as base domain cookie 2024-11-27 00:07:40 -05:00			`sessions: z.record(z.string()).optional(),`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`originalRequestURL: z.string().url(),`
			`scheme: z.string(),`
			`host: z.string(),`
			`path: z.string(),`
			`method: z.string(),`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`tls: z.boolean()`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`});`

			`export type VerifyResourceSessionSchema = z.infer<`
			`typeof verifyResourceSessionSchema`
			`>;`

			`export type VerifyUserResponse = {`
			`valid: boolean;`
			`redirectUrl?: string;`
			`};`

			`export async function verifyResourceSession(`
			`req: Request,`
			`res: Response,`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`next: NextFunction`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`): Promise<any> {`
added resource auth status cards and moved login to reusable login form 2024-11-23 17:56:21 -05:00			`logger.debug("Badger sent", req.body); // remove when done testing`

api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`const parsedBody = verifyResourceSessionSchema.safeParse(req.body);`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00
			`if (!parsedBody.success) {`
			`return next(`
			`createHttpError(`
			`HttpCode.BAD_REQUEST,`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`fromError(parsedBody.error).toString()`
			`)`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`);`
			`}`

			`try {`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`const { sessions, host, originalRequestURL } = parsedBody.data;`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00
			`const [result] = await db`
			`.select()`
			`.from(resources)`
			`.leftJoin(`
			`resourcePincode,`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`eq(resourcePincode.resourceId, resources.resourceId)`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`)`
			`.leftJoin(`
			`resourcePassword,`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`eq(resourcePassword.resourceId, resources.resourceId)`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`)`
			`.where(eq(resources.fullDomain, host))`
			`.limit(1);`

			`const resource = result?.resources;`
			`const pincode = result?.resourcePincode;`
			`const password = result?.resourcePassword;`

			`if (!resource) {`
add logging for verifySession 2024-11-24 14:28:23 -05:00			`logger.debug("Resource not found", host);`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`return notAllowed(res);`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`}`

api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`const { sso, blockAccess } = resource;`

			`if (blockAccess) {`
add logging for verifySession 2024-11-24 14:28:23 -05:00			`logger.debug("Resource blocked", host);`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`return notAllowed(res);`
			`}`

			`if (!resource.sso && !pincode && !password) {`
add logging for verifySession 2024-11-24 14:28:23 -05:00			`logger.debug("Resource allowed because no auth");`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`return allowed(res);`
			`}`

add logging for verifySession 2024-11-24 14:28:23 -05:00			const redirectUrl = `${config.app.base_url}/auth/resource/${encodeURIComponent(resource.resourceId)}?redirect=${encodeURIComponent(originalRequestURL)}`;
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00
set resource session as base domain cookie 2024-11-27 00:07:40 -05:00			`if (!sessions) {`
			`return notAllowed(res);`
			`}`

			`const sessionToken = sessions[config.server.session_cookie_name];`

			`// check for unified login`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`if (sso && sessionToken && !resource.otpEnabled) {`
set resource session as base domain cookie 2024-11-27 00:07:40 -05:00			`const { session, user } = await validateSessionToken(sessionToken);`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`if (session && user) {`
			`const isAllowed = await isUserAllowedToAccessResource(`
fix rendering issues on resource unauthorized 2024-11-29 21:48:48 -05:00			`user,`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`resource`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`);`

			`if (isAllowed) {`
add logging for verifySession 2024-11-24 14:28:23 -05:00			`logger.debug(`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`"Resource allowed because user session is valid"`
add logging for verifySession 2024-11-24 14:28:23 -05:00			`);`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`return allowed(res);`
			`}`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`}`
			`}`

set resource session as base domain cookie 2024-11-27 00:07:40 -05:00			`const resourceSessionToken =`
			`sessions[`
fix minor auth issues and set NODE_ENV to solve react email bug 2024-11-27 14:35:38 -05:00			`${config.server.resource_session_cookie_name}_${resource.resourceId}`
set resource session as base domain cookie 2024-11-27 00:07:40 -05:00			`];`

add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`if (`
			`sso &&`
			`sessionToken &&`
			`resourceSessionToken &&`
			`resource.otpEnabled`
			`) {`
			`const { session, user } = await validateSessionToken(sessionToken);`
			`const { resourceSession } = await validateResourceSessionToken(`
			`resourceSessionToken,`
			`resource.resourceId`
			`);`

			`if (session && user && resourceSession) {`
			`if (!resourceSession.usedOtp) {`
			`logger.debug("Resource not allowed because OTP not used");`
			`return notAllowed(res, redirectUrl);`
			`}`

			`const isAllowed = await isUserAllowedToAccessResource(`
			`user,`
			`resource`
			`);`

			`if (isAllowed) {`
			`logger.debug(`
			`"Resource allowed because user and resource session is valid"`
			`);`
			`return allowed(res);`
			`}`
			`}`
			`}`

set resource session as base domain cookie 2024-11-27 00:07:40 -05:00			`if ((pincode \|\| password) && resourceSessionToken) {`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`const { resourceSession } = await validateResourceSessionToken(`
set resource session as base domain cookie 2024-11-27 00:07:40 -05:00			`resourceSessionToken,`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`resource.resourceId`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`);`
set resource session as base domain cookie 2024-11-27 00:07:40 -05:00
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`if (resourceSession) {`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`if (resource.otpEnabled && !resourceSession.usedOtp) {`
			`logger.debug("Resource not allowed because OTP not used");`
			`return notAllowed(res, redirectUrl);`
			`}`

api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`if (`
			`pincode &&`
			`resourceSession.pincodeId === pincode.pincodeId`
			`) {`
add logging for verifySession 2024-11-24 14:28:23 -05:00			`logger.debug(`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`"Resource allowed because pincode session is valid"`
add logging for verifySession 2024-11-24 14:28:23 -05:00			`);`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`return allowed(res);`
			`}`

api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`if (`
			`password &&`
			`resourceSession.passwordId === password.passwordId`
			`) {`
add logging for verifySession 2024-11-24 14:28:23 -05:00			`logger.debug(`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`"Resource allowed because password session is valid"`
add logging for verifySession 2024-11-24 14:28:23 -05:00			`);`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`return allowed(res);`
			`}`
			`}`
			`}`

add logging for verifySession 2024-11-24 14:28:23 -05:00			`logger.debug("No more auth to check, resource not allowed");`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`return notAllowed(res, redirectUrl);`
			`} catch (e) {`
add logging for verifySession 2024-11-24 14:28:23 -05:00			`console.error(e);`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`return next(`
			`createHttpError(`
			`HttpCode.INTERNAL_SERVER_ERROR,`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`"Failed to verify session"`
			`)`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`);`
			`}`
			`}`

			`function notAllowed(res: Response, redirectUrl?: string) {`
add logging for verifySession 2024-11-24 14:28:23 -05:00			`const data = {`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`data: { valid: false, redirectUrl },`
			`success: true,`
			`error: false,`
			`message: "Access denied",`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`status: HttpCode.OK`
lighten dark background, add more info to resources table 2024-11-24 22:34:11 -05:00			`};`
add logging for verifySession 2024-11-24 14:28:23 -05:00			`logger.debug(JSON.stringify(data));`
			`return response<VerifyUserResponse>(res, data);`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`}`

			`function allowed(res: Response) {`
add logging for verifySession 2024-11-24 14:28:23 -05:00			`const data = {`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`data: { valid: true },`
			`success: true,`
			`error: false,`
			`message: "Access allowed",`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`status: HttpCode.OK`
lighten dark background, add more info to resources table 2024-11-24 22:34:11 -05:00			`};`
add logging for verifySession 2024-11-24 14:28:23 -05:00			`logger.debug(JSON.stringify(data));`
			`return response<VerifyUserResponse>(res, data);`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`}`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00
			`async function isUserAllowedToAccessResource(`
fix rendering issues on resource unauthorized 2024-11-29 21:48:48 -05:00			`user: User,`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`resource: Resource`
fix rendering issues on resource unauthorized 2024-11-29 21:48:48 -05:00			`): Promise<boolean> {`
			`if (config.flags?.require_email_verification && !user.emailVerified) {`
			`return false;`
			`}`

api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`const userOrgRole = await db`
			`.select()`
			`.from(userOrgs)`
			`.where(`
add logging for verifySession 2024-11-24 14:28:23 -05:00			`and(`
fix rendering issues on resource unauthorized 2024-11-29 21:48:48 -05:00			`eq(userOrgs.userId, user.userId),`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`eq(userOrgs.orgId, resource.orgId)`
			`)`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`)`
			`.limit(1);`

			`if (userOrgRole.length === 0) {`
			`return false;`
			`}`

			`const roleResourceAccess = await db`
			`.select()`
			`.from(roleResources)`
			`.where(`
			`and(`
			`eq(roleResources.resourceId, resource.resourceId),`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`eq(roleResources.roleId, userOrgRole[0].roleId)`
			`)`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`)`
			`.limit(1);`

			`if (roleResourceAccess.length > 0) {`
			`return true;`
			`}`

			`const userResourceAccess = await db`
			`.select()`
			`.from(userResources)`
			`.where(`
			`and(`
fix rendering issues on resource unauthorized 2024-11-29 21:48:48 -05:00			`eq(userResources.userId, user.userId),`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`eq(userResources.resourceId, resource.resourceId)`
			`)`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`)`
			`.limit(1);`

			`if (userResourceAccess.length > 0) {`
			`return true;`
			`}`

			`return false;`
			`}`