34 lines
967 B
JavaScript
34 lines
967 B
JavaScript
const LDAPMiddleware = require('./LDAPMiddleware')
|
|
const LDAP = require('ldapjs')
|
|
|
|
class BindUserMiddleware extends LDAPMiddleware {
|
|
static get services() {
|
|
return [...super.services, 'canon', 'output', 'ldap_server']
|
|
}
|
|
|
|
async test(req, res, next) {
|
|
const bind_dn = req.connection.ldap.bindDN
|
|
|
|
if ( bind_dn.equals(this.ldap_server.anonymous()) ) {
|
|
this.output.warn(`Blocked anonymous LDAP request on user-protected route.`)
|
|
return next(new LDAP.InsufficientAccessRightsError())
|
|
}
|
|
|
|
const user = await this.user_controller().get_resource_from_dn(bind_dn)
|
|
if ( !user || !user.can('ldap:bind') ) {
|
|
return next(new LDAP.InvalidCredentialsError())
|
|
}
|
|
|
|
req.user = user
|
|
req.bindDN = bind_dn
|
|
|
|
return next()
|
|
}
|
|
|
|
user_controller() {
|
|
return this.canon.get('ldap_controller::Users')
|
|
}
|
|
}
|
|
|
|
module.exports = exports = BindUserMiddleware
|