mirror of
https://github.com/mauriceboe/TREK.git
synced 2026-06-19 21:31:46 +00:00
Julien G.
905c7d460b
* add test suite, mostly covers integration testing, tests are only backend side * workflow runs the correct script * workflow runs the correct script * workflow runs the correct script * unit tests incoming * Fix multer silent rejections and error handler info leak - Revert cb(null, false) to cb(new Error(...)) in auth.ts, collab.ts, and files.ts so invalid uploads return an error instead of silently dropping the file - Error handler in app.ts now always returns 500 / "Internal server error" instead of forwarding err.message to the client * Use statusCode consistently for multer errors and error handler - Error handler in app.ts reads err.statusCode to forward the correct HTTP status while keeping the response body generic
99 lines
3.2 KiB
TypeScript
99 lines
3.2 KiB
TypeScript
import { Request, Response, NextFunction } from 'express';
|
|
import jwt from 'jsonwebtoken';
|
|
import { db } from '../db/database';
|
|
import { JWT_SECRET } from '../config';
|
|
|
|
/** Paths that never require MFA (public or pre-auth). */
|
|
export function isPublicApiPath(method: string, pathNoQuery: string): boolean {
|
|
if (method === 'GET' && pathNoQuery === '/api/health') return true;
|
|
if (method === 'GET' && pathNoQuery === '/api/auth/app-config') return true;
|
|
if (method === 'POST' && pathNoQuery === '/api/auth/login') return true;
|
|
if (method === 'POST' && pathNoQuery === '/api/auth/register') return true;
|
|
if (method === 'POST' && pathNoQuery === '/api/auth/demo-login') return true;
|
|
if (method === 'GET' && pathNoQuery.startsWith('/api/auth/invite/')) return true;
|
|
if (method === 'POST' && pathNoQuery === '/api/auth/mfa/verify-login') return true;
|
|
if (pathNoQuery.startsWith('/api/auth/oidc/')) return true;
|
|
return false;
|
|
}
|
|
|
|
/** Authenticated paths allowed while MFA is not yet enabled (setup + lockout recovery). */
|
|
export function isMfaSetupExemptPath(method: string, pathNoQuery: string): boolean {
|
|
if (method === 'GET' && pathNoQuery === '/api/auth/me') return true;
|
|
if (method === 'POST' && pathNoQuery === '/api/auth/mfa/setup') return true;
|
|
if (method === 'POST' && pathNoQuery === '/api/auth/mfa/enable') return true;
|
|
if ((method === 'GET' || method === 'PUT') && pathNoQuery === '/api/auth/app-settings') return true;
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* When app_settings.require_mfa is true, block API access for users without MFA enabled,
|
|
* except for public routes and MFA setup endpoints.
|
|
*/
|
|
export function enforceGlobalMfaPolicy(req: Request, res: Response, next: NextFunction): void {
|
|
const pathNoQuery = (req.originalUrl || req.url || '').split('?')[0];
|
|
|
|
if (!pathNoQuery.startsWith('/api')) {
|
|
next();
|
|
return;
|
|
}
|
|
|
|
if (isPublicApiPath(req.method, pathNoQuery)) {
|
|
next();
|
|
return;
|
|
}
|
|
|
|
const authHeader = req.headers.authorization;
|
|
const token = authHeader && authHeader.split(' ')[1];
|
|
if (!token) {
|
|
next();
|
|
return;
|
|
}
|
|
|
|
let userId: number;
|
|
try {
|
|
const decoded = jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] }) as { id: number };
|
|
userId = decoded.id;
|
|
} catch {
|
|
next();
|
|
return;
|
|
}
|
|
|
|
const requireRow = db.prepare("SELECT value FROM app_settings WHERE key = 'require_mfa'").get() as { value: string } | undefined;
|
|
if (requireRow?.value !== 'true') {
|
|
next();
|
|
return;
|
|
}
|
|
|
|
if (process.env.DEMO_MODE === 'true') {
|
|
const demo = db.prepare('SELECT email FROM users WHERE id = ?').get(userId) as { email: string } | undefined;
|
|
if (demo?.email === 'demo@trek.app' || demo?.email === 'demo@nomad.app') {
|
|
next();
|
|
return;
|
|
}
|
|
}
|
|
|
|
const row = db.prepare('SELECT mfa_enabled, role FROM users WHERE id = ?').get(userId) as
|
|
| { mfa_enabled: number | boolean; role: string }
|
|
| undefined;
|
|
if (!row) {
|
|
next();
|
|
return;
|
|
}
|
|
|
|
const mfaOk = row.mfa_enabled === 1 || row.mfa_enabled === true;
|
|
if (mfaOk) {
|
|
next();
|
|
return;
|
|
}
|
|
|
|
if (isMfaSetupExemptPath(req.method, pathNoQuery)) {
|
|
next();
|
|
return;
|
|
}
|
|
|
|
res.status(403).json({
|
|
error: 'Two-factor authentication is required. Complete setup in Settings.',
|
|
code: 'MFA_REQUIRED',
|
|
});
|
|
}
|