@opengis/fastify-table
Version:
core-plugins
117 lines (116 loc) • 4.23 kB
JavaScript
import config from "../../../../config.js";
import logger from "../../logger/getLogger.js";
import pgClients from "../../pg/pgClients.js";
import getRedis from "../../redis/funcs/getRedis.js";
import applyHook from "../../hook/applyHook.js";
import logAuth from "./logAuth.js";
const rclient = getRedis();
const rclient2 = getRedis({ db: 2 });
/*
session duration by default
* 10 hours = 600 minutes w/o keep (remember me checkbox)
* 30 days = 720 hours = 43200 minutes w/ keep
*/
const { sessionTimeout = 600, sessionTimeoutKeep = 43200 } = config.auth || {};
const getIp = (req) => (req.headers?.["x-real-ip"] ||
req.headers?.["x-forwarded-for"] ||
req.ip ||
req.connection?.remoteAddress ||
"")
.split(":")
.pop();
export default async function authorizeUser(user, req, authType = "creds-user", expire) {
if (!user?.uid)
return "/logout";
const { pg = pgClients.client } = req;
const ip = getIp(req);
Object.assign(user, { auth_type: authType, ip });
// fastify/passport
await req.login(user);
const st = (req.body?.keep || req.query?.keep) === "on"
? sessionTimeoutKeep
: sessionTimeout;
const maxAge = expire || st * 1000 * 60;
if (req.session?.cookie) {
req.session.cookie.maxAge = maxAge;
}
logger.file("auth", {
level: "DEBUG",
name: authType,
response: {
uid: user?.uid,
name: [user.sur_name, user.user_name, user.name]
.filter(Boolean)
.join(" "),
},
}, req);
if (authType && authType.startsWith("creds")) {
await logAuth({
uid: user?.uid,
type: authType,
ip,
});
}
const { href } = (await applyHook("afterAuth", {
ip,
user,
name: authType,
referer: req.headers?.referer,
})) ||
{};
await req.session?.save?.();
const redirectUrl = req.headers?.referer?.match?.(/[?&]redirect=([^&]+)/)?.[1] || "/";
const twofaEnabled = user?.twofa && user.uid && pg;
const registered = false; // ? check by created/updated date?
if (config.auth?.oneUser) {
const userSessionKey = `${config.pg?.database}:user:${user.uid}`;
const sessionID = await rclient.get(userSessionKey);
await rclient2.del(`session_auth:${config.pg?.database}:${sessionID}`);
await rclient?.set?.(userSessionKey, req.session.sessionId);
}
if (req.method === "POST" &&
(!twofaEnabled || req.session?.secondFactorPassed)) {
return {
redirectUrl: href ||
config.auth?.redirectAfter ||
(redirectUrl.startsWith("/") ? redirectUrl : "/"),
authType,
registered,
user: { ...user, password: undefined, salt: undefined },
};
}
if (req.method === "POST" &&
twofaEnabled &&
!req.session?.secondFactorPassed) {
const verified = await pg
.query(`select
enabled and social_auth_url is not null as verified
from admin.users_social_auth
where uid = $1
and social_auth_type = $2`, [user.uid, "TOTP"])
.then((el) => el.rows?.[0]?.verified || false);
const redirect2fa = `${config.auth?.link?.["2fa"]?.login || "/2factor"}?redirect=${redirectUrl.startsWith("/") ? redirectUrl : "/"}`;
return {
redirectUrl: redirect2fa,
authType,
registered,
"2factor": { verified, enabled: !!user?.twofa },
user: { ...user, password: undefined, salt: undefined },
};
}
// by default, disable 2factor for id.gov.ua auth
const check = authType === "govid" ? config.auth?.["2factor"]?.govid : true;
if (user?.twofa && check) {
return (`${config.auth?.link?.["2fa"]?.login || "/2factor"}?redirect=` +
(href ||
config.auth?.redirectAfter ||
(redirectUrl.startsWith("/") ? redirectUrl : "/")));
}
if (href) {
return href;
}
if (config.auth?.redirectAfter) {
return config.auth?.redirectAfter;
}
return redirectUrl.startsWith("/") ? redirectUrl : "/";
}