Add support for session traps; make mfa challenge session trap; remove DMZ middleware

This commit is contained in:
garrettmills 2020-05-22 09:29:13 -05:00
parent 8701df1acc
commit 64356d42d0
No known key found for this signature in database
GPG Key ID: 6ACD58D6ADACFC6E
11 changed files with 49 additions and 51 deletions

View File

@ -2,6 +2,7 @@
- Forgot password handling
- Admin password reset mechanism -> flag users as needing PW resets
- OAuth2 -> support refresh tokens
- Traps -> support session traps; convert MFA challenge to use session trap
- Traps
- Allow setting user trap from web UI
- Don't allow external logins if trap is set
- Trust token page -> force username of current user

View File

@ -481,8 +481,7 @@ class AuthController extends Controller {
}
if ( user.mfa_enabled && !req.session.mfa_remember ) {
req.session.auth.in_dmz = true
destination = '/auth/mfa/challenge'
await req.trap.begin('mfa_challenge', { session_only: true })
}
if ( req.session?.auth?.message )
@ -496,7 +495,7 @@ class AuthController extends Controller {
// Trust re-verification is granted,
// but the user might still need to verify MFA
const next = req.trust.end()
if ( req.session.auth.in_dmz ) {
if ( req.trap.has_trap('mfa_challenge') ) {
req.session.auth.flow = next
} else {
destination = next
@ -550,7 +549,8 @@ class AuthController extends Controller {
let next_destination = undefined
if ( is_valid ) {
req.session.auth.in_dmz = false
if ( req.trap.has_trap('mfa_challenge') )
await req.trap.end()
next_destination = req.session.auth.flow || this.configs.get('auth.default_login_route')
delete req.session.auth.flow
}

View File

@ -30,7 +30,7 @@ class MFAController extends Controller {
})
}
if ( !req.session.auth.in_dmz ) {
if ( !req.trap.has_trap('mfa_challenge') ) {
return res.redirect(req.session.auth.flow)
}

View File

@ -10,9 +10,9 @@
*/
const Middleware = [
"auth:Utility",
"Traps",
"auth:TrustTokenUtility",
"SAMLUtility",
"Traps",
// 'MiddlewareName',

View File

@ -3,34 +3,49 @@ const { Middleware } = require('libflitter')
class TrapUtility {
constructor(req, res, configs) {
this.request = req
this.session = req.session
this.response = res
this.user = req.user
this.configs = configs
}
async begin(trap_name) {
this.user.trap = trap_name
this.request.trust.assume()
await this.user.save()
async begin(trap_name, { session_only = false }) {
if ( session_only || !this.user ) {
this.session.trap = trap_name
} else {
this.user.trap = trap_name
await this.user.save()
}
if ( this.config().assume_trust )
this.request.trust.assume()
}
redirect() {
this.request.trust.assume()
if ( this.config().assume_trust )
this.request.trust.assume()
return this.response.redirect(this.config().redirect_to)
}
async end() {
this.user.trap = ''
this.request.trust.unassume()
await this.user.save()
if ( this.config().assume_trust )
this.request.trust.unassume()
if ( this.user ) {
this.user.trap = ''
await this.user.save()
}
this.session.trap = ''
}
has_trap() {
return !!this.user.trap
has_trap(name = '') {
if ( name )
return (this.user && this.user.trap === name) || this.session.trap === name
return (this.user && this.user.trap) || this.session.trap
}
get_trap() {
return this.user.trap
if ( this.session.trap ) return this.session.trap
else if ( this.user ) return this.user.trap
}
config() {
@ -49,7 +64,6 @@ class TrapsMiddleware extends Middleware {
}
async test(req, res, next, args = {}) {
if ( !req?.user ) return next()
req.trap = new TrapUtility(req, res, this.configs.get('traps.types'))
if ( !req.trap.has_trap() ) return next()

View File

@ -1,17 +0,0 @@
const Middleware = require('libflitter/middleware/Middleware')
class DMZOnly extends Middleware {
async test(req, res, next, args = {}){
if ( req.is_auth ) return next()
else {
// If not signed in, save the target url so we can redirect back here after auth
req.session.auth.flow = req.originalUrl
return res.redirect('/auth/login')
}
}
}
module.exports = DMZOnly

View File

@ -12,11 +12,7 @@ class UserOnly extends Middleware {
}
async test(req, res, next, args = {}){
if ( req.is_auth && !req.session.auth.in_dmz ) return next()
else if ( req.is_auth ) { // Need an MFA challenge
if ( !req.session.auth.flow ) req.session.auth.flow = req.originalUrl
return res.redirect('/auth/mfa/challenge')
}
if ( req.is_auth ) return next()
else {
// If not signed in, save the target url so we can redirect back here after auth
req.session.auth.flow = req.originalUrl

View File

@ -58,7 +58,7 @@ const auth_routes = {
],
'/mfa/attempt': [
'middleware::auth:DMZOnly',
'middleware::auth:UserOnly',
'controller::api:v1:Auth.attempt_mfa'
],

View File

@ -51,7 +51,7 @@ const index = {
'/:provider/logout': [
'middleware::auth:ProviderRoute',
'middleware::auth:DMZOnly',
'middleware::auth:UserOnly',
'controller::auth:Forms.logout_provider_clean_session',
// Note, this separation is between when the auth action has happened properly
@ -62,7 +62,7 @@ const index = {
],
'/logout': [
'middleware::auth:ProviderRoute',
'middleware::auth:DMZOnly',
'middleware::auth:UserOnly',
'controller::auth:Forms.logout_provider_clean_session',
'controller::auth:Forms.logout_provider_present_success',
],
@ -100,13 +100,13 @@ const index = {
],
'/:provider/logout': [
'middleware::auth:ProviderRoute',
'middleware::auth:DMZOnly',
'middleware::auth:UserOnly',
'controller::auth:Forms.logout_provider_clean_session',
'controller::auth:Forms.logout_provider_present_success',
],
'/logout': [
'middleware::auth:ProviderRoute',
'middleware::auth:DMZOnly',
'middleware::auth:UserOnly',
'controller::auth:Forms.logout_provider_clean_session',
'controller::auth:Forms.logout_provider_present_success',
],

View File

@ -2,25 +2,21 @@ const mfa_routes = {
prefix: '/auth/mfa',
middleware: [
'auth:UserOnly',
],
get: {
'/setup': [
'middleware::auth:UserOnly',
['middleware::auth:RequireTrust', { scope: 'mfa.enable' }],
'controller::auth:MFA.setup',
],
'/challenge': [
'middleware::auth:DMZOnly',
'controller::auth:MFA.challenge',
],
'/disable': [
'middleware::auth:UserOnly',
'controller::auth:MFA.get_disable',
],
'/disable/process': [
'middleware::auth:UserOnly',
['middleware::auth:RequireTrust', { scope: 'mfa.disable' }],
'controller::auth:MFA.do_disable',
],

View File

@ -9,6 +9,14 @@ const traps_config = {
'/auth/logout',
],
},
mfa_challenge: {
redirect_to: '/auth/mfa/challenge',
allowed_routes: [
'/auth/mfa/challenge',
'/api/v1/auth/mfa/attempt',
'/auth/logout',
],
},
},
}