@nephele/authenticator-custom

import crypto from 'node:crypto'; import type { Request } from 'express'; import { parseAuthorizationHeader, BASIC, DIGEST, } from 'http-auth-utils-hperrin'; import { v4 as uuid } from 'uuid'; import type { Authenticator as AuthenticatorInterface, AuthResponse as NepheleAuthResponse, } from 'nephele'; import { UnauthorizedError } from 'nephele'; import User from './User.js'; export type AuthenticatorConfig = { /** * The realm is the name reported by the server when the user is prompted to * authenticate. * * It should be HTTP header safe (shouldn't include double quotes or * semicolon). */ realm?: string; /** * Allow the user to proceed, even if they are not authenticated. * * The authenticator will advertise that authentication is available, but the * user will have access to the server without providing authentication. * * In the unauthorized state, the `user` presented to the Nephele adapter will * have the username "nobody". * * WARNING: It is very dangerous to allow unauthorized access if write actions * are allowed! */ unauthorizedAccess?: boolean; /** * A function that takes a username and returns a promise that resolves to a * user if the user exists or it's not possible to tell whether they exist, or * null otherwise. */ getUser: (username: string) => Promise<User | null>; /** * A private key used to calculate nonce values for Digest authentication. * * If you do not provide one, one will be generated, but this does mean that * with Digest authentication, clients will only be able to authenticate to * _that_ particular server. If you have multiple servers or multiple * instances of Nephele that serve the same source data, you should provide * the same key to all of them in order to use Digest authentication * correctly. */ key?: string; /** * The number of milliseconds for which a nonce is valid once issued. Defaults * to 6 hours. */ nonceTimeout?: number; } & ( | { /** * Authorize a User returned by `getUser` with a password. * * The returned promise should resolve to true if the user is successfully * authenticated, false otherwise. * * The Basic mechanism requires the user to submit their username and * password in plain text with the request, so only use this if the * connection is secured through some means like TLS. If you provide * `authBasic`, the server will advertise support for the Basic mechanism. */ authBasic: (user: User, password: string) => Promise<boolean>; } | { /** * Retrieve a User's password or hash for Digest authentication. * * The returned promise should resolve to the password or hash if the user * exists, or null otherwise. If the password is returned, it will be * hashed, however, you can also return a prehashed string of * SHA256(username:realm:password) or MD5(username:realm:password), * depending on the requested algorithm. * * The Digest mechansism requires the user to cryptographically hash their * password with the request, so it will not divulge their password to * eaves droppers. However, it is still less safe than using TLS and Basic * authentication. If you provide `authDigest`, the server will advertise * support for the Digest mechanism. */ authDigest: ( user: User, realm: string, algorithm: 'sha256' | 'md5', ) => Promise<{ password: string } | { hash: string } | null>; } ); export type AuthResponse = NepheleAuthResponse<any, { user: User }>; class StaleUnauthorizedError extends UnauthorizedError {} function hash(input: string, algorithm: 'md5' | 'sha256') { return crypto.createHash(algorithm).update(input).digest('hex').toLowerCase(); } /** * Nephele custom authenticator. */ export default class Authenticator implements AuthenticatorInterface { getUser: (username: string) => Promise<User | null>; authBasic?: (user: User, password: string) => Promise<boolean>; authDigest?: ( user: User, realm: string, algorithm: 'sha256' | 'md5', ) => Promise<{ password: string } | { hash: string } | null>; realm: string; unauthorizedAccess: boolean; key: string; nonceTimeout: number; constructor(config: AuthenticatorConfig) { this.getUser = config.getUser; if ('authBasic' in config) { this.authBasic = config.authBasic; } if ('authDigest' in config) { this.authDigest = config.authDigest; } if (this.authBasic == null && this.authDigest == null) { throw new Error( 'You must provide at least one auth function to authenticator-custom.', ); } this.realm = config.realm || 'Nephele WebDAV Service'; this.unauthorizedAccess = config.unauthorizedAccess || false; this.key = config.key || uuid(); // Nonce is valid for 6 hours by default. this.nonceTimeout = config.nonceTimeout || 1000 * 60 * 60 * 6; } async authenticate(request: Request, response: AuthResponse) { const authorization = request.get('Authorization'); try { if (authorization) { const auth = parseAuthorizationHeader(authorization); if (auth.type === 'Basic' && 'password' in auth.data) { let { username, password } = auth.data; if (this.authBasic == null) { throw new UnauthorizedError( 'Basic authentication is not supported on this server.', ); } if (!username && !password) { throw new UnauthorizedError( 'You must provide a username and password to access this server.', ); } const user = await this.getUser(username); if (user == null) { throw new UnauthorizedError( 'The provided credentials are not correct.', ); } if (!(await this.authBasic(user, password))) { throw new UnauthorizedError( 'The provided credentials are not correct.', ); } return user; } else if (auth.type === 'Digest' && 'response' in auth.data) { let { username, realm, nonce, uri, algorithm, response, cnonce, nc, qop, opaque, } = auth.data; if (this.authDigest == null) { throw new UnauthorizedError( 'Digest authentication is not supported on this server.', ); } if (!username) { throw new UnauthorizedError( 'You must provide a username to access this server.', ); } if (opaque == null) { throw new UnauthorizedError( 'You must provide an opaque value to access this server.', ); } if (realm !== this.realm) { throw new UnauthorizedError( 'The provided realm does not match this server.', ); } if ( uri !== request.url && uri !== `${request.protocol}://${request.headers.host}${request.url}` ) { throw new UnauthorizedError( 'The provided auth URI does not match this request.', ); } const timestamp = parseInt(opaque, 16); if ( isNaN(timestamp) || timestamp < new Date().getTime() - this.nonceTimeout ) { throw new StaleUnauthorizedError('The provided nonce has expired.'); } const checkNonce = hash( `${request.ip}:${opaque}:${this.key}`, 'sha256', ); if (checkNonce !== nonce) { throw new StaleUnauthorizedError( 'The provided nonce was not issued to this client by this server.', ); } const user = await this.getUser(username); if (user == null) { throw new UnauthorizedError( 'The provided credentials are not correct.', ); } if ( (algorithm != null && algorithm !== 'SHA256-sess' && algorithm !== 'MD5-sess') || cnonce == null || qop === 'auth-int' ) { throw new UnauthorizedError( 'The provided credentials are not in a supported format.', ); } const digestInfo = await this.authDigest( user, this.realm, algorithm === 'MD5-sess' ? 'md5' : 'sha256', ); if (digestInfo == null) { throw new UnauthorizedError( 'The provided credentials are not correct.', ); } const hashAlg = algorithm === 'MD5-sess' ? 'md5' : 'sha256'; let HA1: string; if ('hash' in digestInfo) { HA1 = hash(`${digestInfo.hash}:${nonce}:${cnonce}`, hashAlg); } else { const { password } = digestInfo; HA1 = hash( `${hash( `${username}:${this.realm}:${password}`, hashAlg, )}:${nonce}:${cnonce}`, hashAlg, ); } let HA2 = hash(`${request.method}:${uri}`, hashAlg); let check: string; if (qop === 'auth') { check = hash( `${HA1}:${nonce}:${nc}:${cnonce}:${qop}:${HA2}`, hashAlg, ); } else { check = hash(`${HA1}:${nonce}:${HA2}`, hashAlg); } if (check !== response) { throw new UnauthorizedError( 'The provided credentials are not correct.', ); } return user; } } throw new UnauthorizedError( 'You must authenticate to access this server.', ); } catch (e: any) { if (e instanceof UnauthorizedError) { const auths: string[] = []; if (this.authBasic != null) { auths.push( `Basic ${BASIC.buildWWWAuthenticateRest({ realm: this.realm, })}, charset="UTF-8"`, ); } if (this.authDigest != null) { const opaque = new Date().getTime().toString(16); const nonce = hash(`${request.ip}:${opaque}:${this.key}`, 'sha256'); auths.push( `Digest ${DIGEST.buildWWWAuthenticateRest({ nonce, opaque, qop: 'auth', algorithm: 'SHA256-sess' as 'MD5-sess', realm: this.realm, stale: e instanceof StaleUnauthorizedError ? 'true' : 'false', })}, charset="UTF-8"`, ); auths.push( `Digest ${DIGEST.buildWWWAuthenticateRest({ nonce, opaque, qop: 'auth', algorithm: 'MD5-sess', realm: this.realm, stale: e instanceof StaleUnauthorizedError ? 'true' : 'false', })}, charset="UTF-8"`, ); } response.set('WWW-Authenticate', auths); } if (this.unauthorizedAccess) { return new User({ username: 'nobody' }); } throw e; } } async cleanAuthentication(_request: Request, _response: AuthResponse) { // Nothing is required for auth cleanup. return; } }