fix: revocation token list for users + groups
This commit is contained in:
parent
c9f3105997
commit
a690e5597f
@ -19,6 +19,7 @@ module.exports = {
|
|||||||
},
|
},
|
||||||
groups: {},
|
groups: {},
|
||||||
validApiKeys: [],
|
validApiKeys: [],
|
||||||
|
revokationList: require('./cache').init(),
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Initialize the authentication module
|
* Initialize the authentication module
|
||||||
@ -111,10 +112,28 @@ module.exports = {
|
|||||||
authenticate(req, res, next) {
|
authenticate(req, res, next) {
|
||||||
WIKI.auth.passport.authenticate('jwt', {session: false}, async (err, user, info) => {
|
WIKI.auth.passport.authenticate('jwt', {session: false}, async (err, user, info) => {
|
||||||
if (err) { return next() }
|
if (err) { return next() }
|
||||||
|
let mustRevalidate = false
|
||||||
|
|
||||||
// Expired but still valid within N days, just renew
|
// Expired but still valid within N days, just renew
|
||||||
if (info instanceof Error && info.name === 'TokenExpiredError' &&
|
if (info instanceof Error && info.name === 'TokenExpiredError' && moment().subtract(ms(WIKI.config.auth.tokenRenewal), 'ms').isBefore(info.expiredAt)) {
|
||||||
moment().subtract(ms(WIKI.config.auth.tokenRenewal), 'ms').isBefore(info.expiredAt)) {
|
mustRevalidate = true
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check if user / group is in revokation list
|
||||||
|
if (user) {
|
||||||
|
if (WIKI.auth.revokationList.has(`u${_.toString(user.id)}`)) {
|
||||||
|
mustRevalidate = true
|
||||||
|
}
|
||||||
|
for (const gid of user.groups) {
|
||||||
|
if (WIKI.auth.revokationList.has(`g${_.toString(gid)}`)) {
|
||||||
|
mustRevalidate = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Revalidate and renew token
|
||||||
|
if (mustRevalidate) {
|
||||||
|
console.info('MUST REVALIDATE')
|
||||||
const jwtPayload = jwt.decode(securityHelper.extractJWT(req))
|
const jwtPayload = jwt.decode(securityHelper.extractJWT(req))
|
||||||
try {
|
try {
|
||||||
const newToken = await WIKI.models.users.refreshToken(jwtPayload.id)
|
const newToken = await WIKI.models.users.refreshToken(jwtPayload.id)
|
||||||
@ -380,6 +399,9 @@ module.exports = {
|
|||||||
WIKI.events.inbound.on('reloadAuthStrategies', () => {
|
WIKI.events.inbound.on('reloadAuthStrategies', () => {
|
||||||
WIKI.auth.activateStrategies()
|
WIKI.auth.activateStrategies()
|
||||||
})
|
})
|
||||||
|
WIKI.events.inbound.on('addAuthRevoke', (args) => {
|
||||||
|
WIKI.auth.revokeUserTokens(args)
|
||||||
|
})
|
||||||
},
|
},
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -410,5 +432,13 @@ module.exports = {
|
|||||||
manage: WIKI.auth.checkAccess(req.user, ['manage:system'], page)
|
manage: WIKI.auth.checkAccess(req.user, ['manage:system'], page)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Add user / group ID to JWT revokation list, forcing all requests to be validated against the latest permissions
|
||||||
|
*/
|
||||||
|
revokeUserTokens ({ id, kind = 'u' }) {
|
||||||
|
console.info(Math.ceil(ms(WIKI.config.auth.tokenRenewal) / 1000))
|
||||||
|
WIKI.auth.revokationList.set(`${kind}${_.toString(id)}`, true, Math.ceil(ms(WIKI.config.auth.tokenRenewal) / 1000))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -42,6 +42,10 @@ module.exports = {
|
|||||||
throw new gql.GraphQLError('User is already assigned to group.')
|
throw new gql.GraphQLError('User is already assigned to group.')
|
||||||
}
|
}
|
||||||
await grp.$relatedQuery('users').relate(usr.id)
|
await grp.$relatedQuery('users').relate(usr.id)
|
||||||
|
|
||||||
|
WIKI.auth.revokeUserTokens({ id: usr.id, kind: 'u' })
|
||||||
|
WIKI.events.outbound.emit('addAuthRevoke', { id: usr.id, kind: 'u' })
|
||||||
|
|
||||||
return {
|
return {
|
||||||
responseResult: graphHelper.generateSuccess('User has been assigned to group.')
|
responseResult: graphHelper.generateSuccess('User has been assigned to group.')
|
||||||
}
|
}
|
||||||
@ -62,8 +66,13 @@ module.exports = {
|
|||||||
},
|
},
|
||||||
async delete(obj, args) {
|
async delete(obj, args) {
|
||||||
await WIKI.models.groups.query().deleteById(args.id)
|
await WIKI.models.groups.query().deleteById(args.id)
|
||||||
|
|
||||||
|
WIKI.auth.revokeUserTokens({ id: args.id, kind: 'g' })
|
||||||
|
WIKI.events.outbound.emit('addAuthRevoke', { id: args.id, kind: 'g' })
|
||||||
|
|
||||||
await WIKI.auth.reloadGroups()
|
await WIKI.auth.reloadGroups()
|
||||||
WIKI.events.outbound.emit('reloadGroups')
|
WIKI.events.outbound.emit('reloadGroups')
|
||||||
|
|
||||||
return {
|
return {
|
||||||
responseResult: graphHelper.generateSuccess('Group has been deleted.')
|
responseResult: graphHelper.generateSuccess('Group has been deleted.')
|
||||||
}
|
}
|
||||||
@ -78,6 +87,10 @@ module.exports = {
|
|||||||
throw new gql.GraphQLError('Invalid User ID')
|
throw new gql.GraphQLError('Invalid User ID')
|
||||||
}
|
}
|
||||||
await grp.$relatedQuery('users').unrelate().where('userId', usr.id)
|
await grp.$relatedQuery('users').unrelate().where('userId', usr.id)
|
||||||
|
|
||||||
|
WIKI.auth.revokeUserTokens({ id: usr.id, kind: 'u' })
|
||||||
|
WIKI.events.outbound.emit('addAuthRevoke', { id: usr.id, kind: 'u' })
|
||||||
|
|
||||||
return {
|
return {
|
||||||
responseResult: graphHelper.generateSuccess('User has been unassigned from group.')
|
responseResult: graphHelper.generateSuccess('User has been unassigned from group.')
|
||||||
}
|
}
|
||||||
@ -95,6 +108,9 @@ module.exports = {
|
|||||||
pageRules: JSON.stringify(args.pageRules)
|
pageRules: JSON.stringify(args.pageRules)
|
||||||
}).where('id', args.id)
|
}).where('id', args.id)
|
||||||
|
|
||||||
|
WIKI.auth.revokeUserTokens({ id: args.id, kind: 'g' })
|
||||||
|
WIKI.events.outbound.emit('addAuthRevoke', { id: args.id, kind: 'g' })
|
||||||
|
|
||||||
await WIKI.auth.reloadGroups()
|
await WIKI.auth.reloadGroups()
|
||||||
WIKI.events.outbound.emit('reloadGroups')
|
WIKI.events.outbound.emit('reloadGroups')
|
||||||
|
|
||||||
|
@ -73,6 +73,10 @@ module.exports = {
|
|||||||
throw new WIKI.Error.UserDeleteProtected()
|
throw new WIKI.Error.UserDeleteProtected()
|
||||||
}
|
}
|
||||||
await WIKI.models.users.deleteUser(args.id, args.replaceId)
|
await WIKI.models.users.deleteUser(args.id, args.replaceId)
|
||||||
|
|
||||||
|
WIKI.auth.revokeUserTokens({ id: args.id, kind: 'u' })
|
||||||
|
WIKI.events.outbound.emit('addAuthRevoke', { id: args.id, kind: 'u' })
|
||||||
|
|
||||||
return {
|
return {
|
||||||
responseResult: graphHelper.generateSuccess('User deleted successfully')
|
responseResult: graphHelper.generateSuccess('User deleted successfully')
|
||||||
}
|
}
|
||||||
@ -124,6 +128,9 @@ module.exports = {
|
|||||||
}
|
}
|
||||||
await WIKI.models.users.query().patch({ isActive: false }).findById(args.id)
|
await WIKI.models.users.query().patch({ isActive: false }).findById(args.id)
|
||||||
|
|
||||||
|
WIKI.auth.revokeUserTokens({ id: args.id, kind: 'u' })
|
||||||
|
WIKI.events.outbound.emit('addAuthRevoke', { id: args.id, kind: 'u' })
|
||||||
|
|
||||||
return {
|
return {
|
||||||
responseResult: graphHelper.generateSuccess('User deactivated successfully')
|
responseResult: graphHelper.generateSuccess('User deactivated successfully')
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user