UNPKG

@nephele/authenticator-pam

Version:

PAM based authenticator (local system users) for the Nephele WebDAV server.

github.com/sciactive/nephele

sciactive/nephele

118 lines (103 loc) 3.37 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
import type { Request } from 'express'; import basicAuth from 'basic-auth'; import type { Authenticator as AuthenticatorInterface, AuthResponse as NepheleAuthResponse, } from 'nephele'; import { UnauthorizedError } from 'nephele'; import User from './User.js'; export type AuthenticatorConfig = { /** * The realm is the name reported by the server when the user is prompted to * authenticate. * * It should be HTTP header safe (shouldn't include double quotes or * semicolon). */ realm?: string; /** * Allow the user to proceed, even if they are not authenticated. * * The authenticator will advertise that authentication is available, but the * user will have access to the server without providing authentication. * * In the unauthorized state, the `user` presented to the Nephele adapter will * have the username "nobody". * * WARNING: It is very dangerous to allow unauthorized access if write actions * are allowed! */ unauthorizedAccess?: boolean; /** * Comma separated UID ranges that are allowed to log in. * * You can set, for example, "0,1000-1999" to allow the first 1000 normal * users and root to log in. * * Root is always UID 0. On most systems, daemon users are assigned UIDs in * the range 2-999, normal users are assigned UIDs in the range 1000-65533, * and the "nobody" user is assigned UID 65534. On some systems (including * macOS), normal users are assigned IDs starting at 500, which is why the * default includes this range. */ allowedUIDs?: string; }; export type AuthResponse = NepheleAuthResponse<any, { user: User }>; /** * Nephele PAM authenticator. * * Read the details on https://www.npmjs.com/package/authenticate-pam, which is * required for PAM authentication. */ export default class Authenticator implements AuthenticatorInterface { realm: string; unauthorizedAccess: boolean; allowedUIDs: string[]; constructor({ realm = 'Nephele WebDAV Service', unauthorizedAccess = false, allowedUIDs = '500-59999', }: AuthenticatorConfig = {}) { this.realm = realm; this.unauthorizedAccess = unauthorizedAccess; this.allowedUIDs = allowedUIDs.split(',').map((range) => range.trim()); } async authenticate(request: Request, response: AuthResponse) { const authorization = request.get('Authorization'); let username = ''; let password = ''; if (authorization) { const auth = basicAuth.parse(authorization); if (auth) { username = auth.name; password = auth.pass; } } try { if (username.trim() === '') { throw new UnauthorizedError( 'Authentication is required to use this server.', ); } const user = new User({ username }); await user.authenticate(password, request.ip); await user.checkUID(this.allowedUIDs); return user; } catch (e: any) { if (e instanceof UnauthorizedError) { response.set( 'WWW-Authenticate', `Basic realm="${this.realm}", charset="UTF-8"`, ); } if (this.unauthorizedAccess) { return new User({ username: 'nobody' }); } throw e; } } async cleanAuthentication(_request: Request, _response: AuthResponse) { // Nothing is required for auth cleanup. return; } }