SAML; Dashboard

app/routing/middleware/auth/RequireTrust.middleware.js

@@ -0,0 +1,15 @@
+const { Middleware } = require('libflitter')
+
+class RequireTrustMiddleware extends Middleware {
+    async test(req, res, next, { scope, deplete = false }) {
+        if ( !req.trust.has(scope) ) {
+            req.trust.init_flow(scope, req.originalUrl)
+            return res.redirect('/auth/trust/token/issue')
+        }
+
+        if ( deplete ) req.trust.deplete(scope)
+        return next()
+    }
+}
+
+module.exports = exports = RequireTrustMiddleware

app/routing/middleware/auth/TrustTokenUtility.middleware.js

@@ -0,0 +1,99 @@
+const { Middleware } = require('libflitter')
+const moment = require('moment')
+const uuid = require('uuid/v4')
+
+class TrustManager {
+    constructor(request, response) {
+        this.request = request
+        this.response = response
+        this.init_store()
+    }
+
+    init_store() {
+        if ( !Array.isArray(this.request.session.trust_tokens) ) {
+            this.request.session.trust_tokens = []
+        }
+
+        const now = moment()
+        this.request.session.trust_tokens = this.request.session.trust_tokens.filter(x => {
+            return moment(new Date(x.expires)) > now
+        })
+    }
+
+    init_flow(scope, next) {
+        this.request.session.trust_flow = { scope, next, in_progress: false, requested: `${new Date}` }
+    }
+
+    has_flow() {
+        const flow = this.request.session?.trust_flow
+        return flow && flow.scope && flow.next && moment(new Date(flow.requested)) < moment(new Date(flow.requested)).add('20', 'minutes')
+    }
+
+    flow_scope() {
+        if ( this.has_flow() ) {
+            return this.request.session.trust_flow.scope
+        }
+    }
+
+    flow() {
+        if ( this.has_flow() ) {
+            return this.request.session.trust_flow.next
+        }
+    }
+
+    start() {
+        delete this.request.session.user_id
+        const grant_token = uuid()
+        this.request.session.trust_flow.grant_token = grant_token
+        this.request.session.trust_flow.in_progress = true
+        this.request.session.trust_flow.started = `${new Date}`
+        return grant_token
+    }
+
+    check_grant(grant_token) {
+        return grant_token === this.request.session?.trust_flow?.grant_token
+    }
+
+    end() {
+        const next = this.request.session.trust_flow.next
+        delete this.request.session.trust_flow
+        return next
+    }
+
+    in_progress() {
+        const flow = this.request.session.trust_flow
+        return flow && flow.in_progress && flow.started && moment(new Date(flow.started)) < moment(new Date(flow.started)).add('10', 'minutes')
+    }
+
+    has(scope) {
+        return this.request.session.trust_tokens.some(x => x.scope === scope)
+    }
+
+    grant(scope) {
+        this.request.session.trust_tokens.push({
+            scope,
+            expires: moment().add('1', 'hour').toDate().toString(),
+        })
+    }
+
+    deplete(scope) {
+        this.request.session.trust_tokens = this.request.session.trust_tokens.filter(x => x.scope !== scope)
+    }
+
+    purge() {
+        this.end()
+        this.request.session.trust_tokens = []
+    }
+}
+
+class TrustTokenUtilityMiddleware extends Middleware {
+    async test(req, res, next, args = {}) {
+        if ( req.session ) {
+            req.trust = new TrustManager(req, res)
+        }
+
+        return next()
+    }
+}
+
+module.exports = exports = TrustTokenUtilityMiddleware

app/routing/middleware/auth/UserOnly.middleware.js

@@ -12,7 +12,6 @@ class UserOnly extends Middleware {
     }
 
     async test(req, res, next, args = {}){
-
         if ( req.is_auth && !req.session.auth.in_dmz ) return next()
         else if ( req.is_auth ) { // Need an MFA challenge
             if ( !req.session.auth.flow ) req.session.auth.flow = req.originalUrl