Add support for session traps; make mfa challenge session trap; remove DMZ middleware
This commit is contained in:
garrettmills
@@ -10,9 +10,9 @@
|
||||
*/
|
||||
const Middleware = [
|
||||
"auth:Utility",
|
||||
"Traps",
|
||||
"auth:TrustTokenUtility",
|
||||
"SAMLUtility",
|
||||
"Traps",
|
||||
|
||||
// 'MiddlewareName',
|
||||
|
||||
|
||||
@@ -3,34 +3,49 @@ const { Middleware } = require('libflitter')
|
||||
class TrapUtility {
|
||||
constructor(req, res, configs) {
|
||||
this.request = req
|
||||
this.session = req.session
|
||||
this.response = res
|
||||
this.user = req.user
|
||||
this.configs = configs
|
||||
}
|
||||
|
||||
async begin(trap_name) {
|
||||
this.user.trap = trap_name
|
||||
this.request.trust.assume()
|
||||
await this.user.save()
|
||||
async begin(trap_name, { session_only = false }) {
|
||||
if ( session_only || !this.user ) {
|
||||
this.session.trap = trap_name
|
||||
} else {
|
||||
this.user.trap = trap_name
|
||||
await this.user.save()
|
||||
}
|
||||
|
||||
if ( this.config().assume_trust )
|
||||
this.request.trust.assume()
|
||||
}
|
||||
|
||||
redirect() {
|
||||
this.request.trust.assume()
|
||||
if ( this.config().assume_trust )
|
||||
this.request.trust.assume()
|
||||
return this.response.redirect(this.config().redirect_to)
|
||||
}
|
||||
|
||||
async end() {
|
||||
this.user.trap = ''
|
||||
this.request.trust.unassume()
|
||||
await this.user.save()
|
||||
if ( this.config().assume_trust )
|
||||
this.request.trust.unassume()
|
||||
if ( this.user ) {
|
||||
this.user.trap = ''
|
||||
await this.user.save()
|
||||
}
|
||||
this.session.trap = ''
|
||||
}
|
||||
|
||||
has_trap() {
|
||||
return !!this.user.trap
|
||||
has_trap(name = '') {
|
||||
if ( name )
|
||||
return (this.user && this.user.trap === name) || this.session.trap === name
|
||||
return (this.user && this.user.trap) || this.session.trap
|
||||
}
|
||||
|
||||
get_trap() {
|
||||
return this.user.trap
|
||||
if ( this.session.trap ) return this.session.trap
|
||||
else if ( this.user ) return this.user.trap
|
||||
}
|
||||
|
||||
config() {
|
||||
@@ -49,7 +64,6 @@ class TrapsMiddleware extends Middleware {
|
||||
}
|
||||
|
||||
async test(req, res, next, args = {}) {
|
||||
if ( !req?.user ) return next()
|
||||
req.trap = new TrapUtility(req, res, this.configs.get('traps.types'))
|
||||
|
||||
if ( !req.trap.has_trap() ) return next()
|
||||
|
||||
@@ -1,17 +0,0 @@
|
||||
const Middleware = require('libflitter/middleware/Middleware')
|
||||
class DMZOnly extends Middleware {
|
||||
|
||||
async test(req, res, next, args = {}){
|
||||
|
||||
if ( req.is_auth ) return next()
|
||||
else {
|
||||
// If not signed in, save the target url so we can redirect back here after auth
|
||||
req.session.auth.flow = req.originalUrl
|
||||
return res.redirect('/auth/login')
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
module.exports = DMZOnly
|
||||
@@ -12,11 +12,7 @@ class UserOnly extends Middleware {
|
||||
}
|
||||
|
||||
async test(req, res, next, args = {}){
|
||||
if ( req.is_auth && !req.session.auth.in_dmz ) return next()
|
||||
else if ( req.is_auth ) { // Need an MFA challenge
|
||||
if ( !req.session.auth.flow ) req.session.auth.flow = req.originalUrl
|
||||
return res.redirect('/auth/mfa/challenge')
|
||||
}
|
||||
if ( req.is_auth ) return next()
|
||||
else {
|
||||
// If not signed in, save the target url so we can redirect back here after auth
|
||||
req.session.auth.flow = req.originalUrl
|
||||
|
||||
@@ -58,7 +58,7 @@ const auth_routes = {
|
||||
],
|
||||
|
||||
'/mfa/attempt': [
|
||||
'middleware::auth:DMZOnly',
|
||||
'middleware::auth:UserOnly',
|
||||
'controller::api:v1:Auth.attempt_mfa'
|
||||
],
|
||||
|
||||
|
||||
@@ -51,7 +51,7 @@ const index = {
|
||||
|
||||
'/:provider/logout': [
|
||||
'middleware::auth:ProviderRoute',
|
||||
'middleware::auth:DMZOnly',
|
||||
'middleware::auth:UserOnly',
|
||||
'controller::auth:Forms.logout_provider_clean_session',
|
||||
|
||||
// Note, this separation is between when the auth action has happened properly
|
||||
@@ -62,7 +62,7 @@ const index = {
|
||||
],
|
||||
'/logout': [
|
||||
'middleware::auth:ProviderRoute',
|
||||
'middleware::auth:DMZOnly',
|
||||
'middleware::auth:UserOnly',
|
||||
'controller::auth:Forms.logout_provider_clean_session',
|
||||
'controller::auth:Forms.logout_provider_present_success',
|
||||
],
|
||||
@@ -100,13 +100,13 @@ const index = {
|
||||
],
|
||||
'/:provider/logout': [
|
||||
'middleware::auth:ProviderRoute',
|
||||
'middleware::auth:DMZOnly',
|
||||
'middleware::auth:UserOnly',
|
||||
'controller::auth:Forms.logout_provider_clean_session',
|
||||
'controller::auth:Forms.logout_provider_present_success',
|
||||
],
|
||||
'/logout': [
|
||||
'middleware::auth:ProviderRoute',
|
||||
'middleware::auth:DMZOnly',
|
||||
'middleware::auth:UserOnly',
|
||||
'controller::auth:Forms.logout_provider_clean_session',
|
||||
'controller::auth:Forms.logout_provider_present_success',
|
||||
],
|
||||
|
||||
@@ -2,25 +2,21 @@ const mfa_routes = {
|
||||
prefix: '/auth/mfa',
|
||||
|
||||
middleware: [
|
||||
|
||||
'auth:UserOnly',
|
||||
],
|
||||
|
||||
get: {
|
||||
'/setup': [
|
||||
'middleware::auth:UserOnly',
|
||||
['middleware::auth:RequireTrust', { scope: 'mfa.enable' }],
|
||||
'controller::auth:MFA.setup',
|
||||
],
|
||||
'/challenge': [
|
||||
'middleware::auth:DMZOnly',
|
||||
'controller::auth:MFA.challenge',
|
||||
],
|
||||
'/disable': [
|
||||
'middleware::auth:UserOnly',
|
||||
'controller::auth:MFA.get_disable',
|
||||
],
|
||||
'/disable/process': [
|
||||
'middleware::auth:UserOnly',
|
||||
['middleware::auth:RequireTrust', { scope: 'mfa.disable' }],
|
||||
'controller::auth:MFA.do_disable',
|
||||
],
|
||||
|
||||
Reference in New Issue
Block a user