User = require('../model/users').User
crypto = require 'crypto'
logger = require 'winston'
config = require "../config/config"
# Cache the `api` section of the configuration on the module's config object so
# the middleware below can read e.g. `config.api.authWindowSeconds` directly.
config.api = config.get 'api'
# True when the given value is absent (undefined or null) or the empty string.
# Any other value, including 0 and false, counts as present.
isUndefOrEmpty = (string) ->
  absent = (string is undefined) or (string is null)
  return absent or (string is '')
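# Compares a client-supplied token against the expected one without leaking
# the position of the first differing byte through timing. A length mismatch
# is itself a mismatch (crypto.timingSafeEqual throws on unequal lengths, so
# lengths are checked first). Requires Node >= 6.6 for timingSafeEqual.
#
# @param provided  token string taken from the request header
# @param expected  hex digest computed server-side
# @returns true only when both strings are byte-for-byte equal
tokensMatch = (provided, expected) ->
  providedBuf = Buffer.from String(provided)
  expectedBuf = Buffer.from String(expected)
  return false unless providedBuf.length is expectedBuf.length
  return crypto.timingSafeEqual providedBuf, expectedBuf

# Koa generator middleware that authenticates API requests from the
# auth-username / auth-ts / auth-salt / auth-token headers.
#
# The expected token is sha512(passwordHash + authSalt + authTS) as hex. The
# request is answered with 401 and `next` is NOT run when any header is
# missing or empty, when auth-ts is unparseable or lies outside the configured
# window (config.api.authWindowSeconds, default 10 s, either side of now), when
# no user has that email, or when the token does not match. On success
# `this.authenticated` holds the user document and control passes to `next`.
#
# @param next  downstream koa middleware (generator), yielded only on success
exports.authenticate = (next) ->
  header = this.request.header
  email = header['auth-username']
  authTS = header['auth-ts']
  authSalt = header['auth-salt']
  authToken = header['auth-token']

  if isUndefOrEmpty(email) or isUndefOrEmpty(authTS) or isUndefOrEmpty(authSalt) or isUndefOrEmpty(authToken)
    # NOTE(review): this log line is truncated in the source as reviewed; message reconstructed
    logger.info "API request made by #{email} from #{this.request.host} is missing required authentication headers, denying access"
    this.status = 401
    return

  # Date.parse returns NaN for an unparseable timestamp, and every comparison
  # against an invalid Date is false, which would let a bogus auth-ts skip the
  # expiry window entirely; reject it explicitly instead.
  requestDate = new Date Date.parse authTS
  if isNaN requestDate.getTime()
    logger.info "API request made by #{email} from #{this.request.host} has an unparseable auth-ts header, denying access"
    this.status = 401
    return

  authWindowSeconds = config.api.authWindowSeconds ? 10
  to = new Date()
  to.setSeconds(to.getSeconds() + authWindowSeconds)
  from = new Date()
  from.setSeconds(from.getSeconds() - authWindowSeconds)

  if requestDate < from or requestDate > to
    logger.info "API request made by #{email} from #{this.request.host} has expired, denying access"
    this.status = 401
    return

  user = yield User.findOne(email: email).exec()
  this.authenticated = user
  if not user
    logger.info "No user exists for #{email}, denying access to API, request originated from #{this.request.host}"
    this.status = 401
    return

  # hash.update throws on undefined input; a user record without a password
  # hash cannot be token-authenticated, so deny rather than crash the request.
  if isUndefOrEmpty user.passwordHash
    logger.info "User #{email} has no password hash, denying access to API, request originated from #{this.request.host}"
    this.status = 401
    return

  hash = crypto.createHash 'sha512'
  hash.update user.passwordHash
  hash.update authSalt
  hash.update authTS
  expectedToken = hash.digest 'hex'

  # Constant-time comparison: a plain `is` short-circuits on the first
  # differing character and leaks that position to a remote caller.
  if tokensMatch authToken, expectedToken
    yield next
  else
    logger.info "API token did not match expected value, denying access to API, the request was made by #{email} from #{this.request.host}"
    this.status = 401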