feat(auth): implement Android refresh token handling and session management
- Added support for generating Android access tokens and managing refresh sessions in the auth endpoints. - Implemented new tests for login, logout, and refresh functionalities specific to Android clients. - Enhanced password reset logging with normalization and masking of email addresses. - Created a new diagnostics endpoint for password reset attempts, including filtering and summarizing logs. - Introduced a new utility for managing password reset logs with retention policies. - Added tests for password reset log utilities to ensure proper functionality and privacy compliance. - Updated WebAuthn configuration tests to validate origin handling for production and allowed origins.
This commit is contained in:
Torsten Schulz (local)
@@ -1,5 +1,6 @@
|
||||
import bcrypt from 'bcryptjs'
|
||||
import jwt from 'jsonwebtoken'
|
||||
import crypto from 'crypto'
|
||||
import { promises as fs } from 'fs'
|
||||
import path from 'path'
|
||||
import { encryptObject, decryptObject } from './encryption.js'
|
||||
@@ -46,6 +47,10 @@ const getDataPath = (filename) => {
|
||||
|
||||
const USERS_FILE = getDataPath('users.json')
|
||||
const SESSIONS_FILE = getDataPath('sessions.json')
|
||||
const ANDROID_ACCESS_TOKEN_TTL = '15m'
|
||||
const REFRESH_SESSION_TTL_MS = 90 * 24 * 60 * 60 * 1000
|
||||
const refreshMutationState = globalThis.__HTC_REFRESH_MUTATION_STATE__ || { tail: Promise.resolve() }
|
||||
globalThis.__HTC_REFRESH_MUTATION_STATE__ = refreshMutationState
|
||||
|
||||
// Get encryption key from environment
|
||||
function getEncryptionKey() {
|
||||
@@ -146,7 +151,7 @@ export async function readUsers() {
|
||||
try {
|
||||
users = JSON.parse(data)
|
||||
console.warn('Entschlüsselung fehlgeschlagen, versuche als unverschlüsseltes Format zu lesen')
|
||||
} catch (_parseError) {
|
||||
} catch {
|
||||
console.error('Konnte Benutzerdaten weder entschlüsseln noch als JSON lesen')
|
||||
return []
|
||||
}
|
||||
@@ -210,7 +215,7 @@ function isSessionsEncrypted(data) {
|
||||
return false
|
||||
}
|
||||
return false
|
||||
} catch (e) {
|
||||
} catch {
|
||||
return true
|
||||
}
|
||||
}
|
||||
@@ -231,7 +236,7 @@ export async function readSessions() {
|
||||
const plainData = JSON.parse(data)
|
||||
console.warn('Entschlüsselung fehlgeschlagen, versuche als unverschlüsseltes Format zu lesen')
|
||||
return plainData
|
||||
} catch (_parseError) {
|
||||
} catch {
|
||||
console.error('Konnte Sessions weder entschlüsseln noch als JSON lesen')
|
||||
return []
|
||||
}
|
||||
@@ -277,27 +282,36 @@ export async function verifyPassword(password, hash) {
|
||||
}
|
||||
|
||||
// Generate JWT token
|
||||
export function generateToken(user) {
|
||||
export function generateToken(user, { expiresIn = '7d', sessionId = null } = {}) {
|
||||
// Stelle sicher, dass Rollen migriert sind
|
||||
const migratedUser = migrateUserRoles({ ...user })
|
||||
const roles = Array.isArray(migratedUser.roles) ? migratedUser.roles : (migratedUser.role ? [migratedUser.role] : ['mitglied'])
|
||||
|
||||
const claims = {
|
||||
id: user.id,
|
||||
email: user.email,
|
||||
roles: roles
|
||||
}
|
||||
if (sessionId) {
|
||||
claims.sid = sessionId
|
||||
}
|
||||
|
||||
return jwt.sign(
|
||||
{
|
||||
id: user.id,
|
||||
email: user.email,
|
||||
roles: roles
|
||||
},
|
||||
claims,
|
||||
JWT_SECRET,
|
||||
{ expiresIn: '7d' }
|
||||
{ expiresIn }
|
||||
)
|
||||
}
|
||||
|
||||
export function generateAndroidAccessToken(user, sessionId) {
|
||||
return generateToken(user, { expiresIn: ANDROID_ACCESS_TOKEN_TTL, sessionId })
|
||||
}
|
||||
|
||||
// Verify JWT token
|
||||
export function verifyToken(token) {
|
||||
try {
|
||||
return jwt.verify(token, JWT_SECRET)
|
||||
} catch (_error) {
|
||||
} catch {
|
||||
return null
|
||||
}
|
||||
}
|
||||
@@ -343,6 +357,14 @@ export async function getUserFromToken(token) {
|
||||
const decoded = verifyToken(token)
|
||||
if (!decoded) return null
|
||||
|
||||
if (decoded.sid) {
|
||||
const sessions = await readSessions()
|
||||
const session = sessions.find(s => s.id === decoded.sid && s.userId === decoded.id)
|
||||
if (!session || session.revokedAt || new Date(session.expiresAt).getTime() <= Date.now()) {
|
||||
return null
|
||||
}
|
||||
}
|
||||
|
||||
const users = await readUsers()
|
||||
const user = users.find(u => u.id === decoded.id)
|
||||
|
||||
@@ -376,6 +398,130 @@ export async function deleteSession(token) {
|
||||
await writeSessions(filtered)
|
||||
}
|
||||
|
||||
function hashRefreshToken(token) {
|
||||
return crypto.createHash('sha256').update(String(token), 'utf8').digest('hex')
|
||||
}
|
||||
|
||||
function issueRefreshToken() {
|
||||
return crypto.randomBytes(48).toString('base64url')
|
||||
}
|
||||
|
||||
function serializeRefreshMutation(operation) {
|
||||
const result = refreshMutationState.tail.then(operation, operation)
|
||||
refreshMutationState.tail = result.then(() => undefined, () => undefined)
|
||||
return result
|
||||
}
|
||||
|
||||
export async function createRefreshSession(userId, deviceName = 'Android') {
|
||||
return serializeRefreshMutation(async () => {
|
||||
const sessions = await readSessions()
|
||||
const refreshToken = issueRefreshToken()
|
||||
const createdAt = new Date().toISOString()
|
||||
const session = {
|
||||
id: crypto.randomUUID(),
|
||||
familyId: crypto.randomUUID(),
|
||||
type: 'android_refresh',
|
||||
userId,
|
||||
deviceName: String(deviceName || 'Android').slice(0, 100),
|
||||
refreshTokenHash: hashRefreshToken(refreshToken),
|
||||
createdAt,
|
||||
lastUsedAt: createdAt,
|
||||
expiresAt: new Date(Date.now() + REFRESH_SESSION_TTL_MS).toISOString(),
|
||||
revokedAt: null
|
||||
}
|
||||
sessions.push(session)
|
||||
await writeSessions(sessions)
|
||||
return { session, refreshToken }
|
||||
})
|
||||
}
|
||||
|
||||
export async function rotateRefreshSession(refreshToken) {
|
||||
return serializeRefreshMutation(async () => {
|
||||
const sessions = await readSessions()
|
||||
const tokenHash = hashRefreshToken(refreshToken)
|
||||
const session = sessions.find(s => s.type === 'android_refresh' && s.refreshTokenHash === tokenHash)
|
||||
const now = new Date()
|
||||
const nowIso = now.toISOString()
|
||||
|
||||
if (!session) return { status: 'invalid' }
|
||||
|
||||
if (session.revokedAt) {
|
||||
if (session.rotatedAt) {
|
||||
for (const related of sessions) {
|
||||
if (related.familyId === session.familyId && !related.revokedAt) {
|
||||
related.revokedAt = nowIso
|
||||
related.revokeReason = 'refresh_token_reuse'
|
||||
}
|
||||
}
|
||||
await writeSessions(sessions)
|
||||
return { status: 'reused', session }
|
||||
}
|
||||
return { status: 'revoked', session }
|
||||
}
|
||||
|
||||
if (new Date(session.expiresAt).getTime() <= now.getTime()) {
|
||||
session.revokedAt = nowIso
|
||||
session.revokeReason = 'expired'
|
||||
await writeSessions(sessions)
|
||||
return { status: 'expired', session }
|
||||
}
|
||||
|
||||
const nextRefreshToken = issueRefreshToken()
|
||||
const nextSession = {
|
||||
...session,
|
||||
id: crypto.randomUUID(),
|
||||
refreshTokenHash: hashRefreshToken(nextRefreshToken),
|
||||
createdAt: nowIso,
|
||||
lastUsedAt: nowIso,
|
||||
expiresAt: new Date(Date.now() + REFRESH_SESSION_TTL_MS).toISOString(),
|
||||
revokedAt: null
|
||||
}
|
||||
session.lastUsedAt = nowIso
|
||||
session.revokedAt = nowIso
|
||||
session.rotatedAt = nowIso
|
||||
session.replacedBy = nextSession.id
|
||||
session.revokeReason = 'rotated'
|
||||
sessions.push(nextSession)
|
||||
await writeSessions(sessions)
|
||||
return { status: 'rotated', session: nextSession, refreshToken: nextRefreshToken }
|
||||
})
|
||||
}
|
||||
|
||||
export async function revokeRefreshSession(refreshToken, reason = 'logout') {
|
||||
return serializeRefreshMutation(async () => {
|
||||
const sessions = await readSessions()
|
||||
const tokenHash = hashRefreshToken(refreshToken)
|
||||
const session = sessions.find(s => s.type === 'android_refresh' && s.refreshTokenHash === tokenHash)
|
||||
if (!session) return false
|
||||
|
||||
const revokedAt = new Date().toISOString()
|
||||
for (const related of sessions) {
|
||||
if (related.familyId === session.familyId && !related.revokedAt) {
|
||||
related.revokedAt = revokedAt
|
||||
related.revokeReason = reason
|
||||
}
|
||||
}
|
||||
await writeSessions(sessions)
|
||||
return true
|
||||
})
|
||||
}
|
||||
|
||||
export async function revokeRefreshSessionsForUser(userId, reason) {
|
||||
return serializeRefreshMutation(async () => {
|
||||
const sessions = await readSessions()
|
||||
const revokedAt = new Date().toISOString()
|
||||
let changed = false
|
||||
for (const session of sessions) {
|
||||
if (session.type === 'android_refresh' && session.userId === userId && !session.revokedAt) {
|
||||
session.revokedAt = revokedAt
|
||||
session.revokeReason = reason
|
||||
changed = true
|
||||
}
|
||||
}
|
||||
if (changed) await writeSessions(sessions)
|
||||
})
|
||||
}
|
||||
|
||||
// Clean expired sessions
|
||||
export async function cleanExpiredSessions() {
|
||||
const sessions = await readSessions()
|
||||
@@ -383,4 +529,3 @@ export async function cleanExpiredSessions() {
|
||||
const valid = sessions.filter(s => new Date(s.expiresAt) > now)
|
||||
await writeSessions(valid)
|
||||
}
|
||||
|
||||
|
||||
136
server/utils/password-reset-log.js
Normal file
136
server/utils/password-reset-log.js
Normal file
@@ -0,0 +1,136 @@
|
||||
import crypto from 'crypto'
|
||||
import fs from 'fs/promises'
|
||||
import path from 'path'
|
||||
|
||||
const RETENTION_MS = 72 * 60 * 60 * 1000
|
||||
|
||||
function getDataPath(filename) {
|
||||
const cwd = process.cwd()
|
||||
if (cwd.endsWith('.output')) {
|
||||
return path.join(cwd, '../server/data', filename)
|
||||
}
|
||||
return path.join(cwd, 'server/data', filename)
|
||||
}
|
||||
|
||||
const LOG_FILE = getDataPath('password-reset.log.jsonl')
|
||||
|
||||
export function normalizeResetEmail(email) {
|
||||
return String(email || '').trim().toLowerCase()
|
||||
}
|
||||
|
||||
export function maskResetEmail(email) {
|
||||
const normalized = normalizeResetEmail(email)
|
||||
const [localPart = '', domain = ''] = normalized.split('@')
|
||||
if (!domain) return normalized ? `${localPart.slice(0, 2)}***` : ''
|
||||
|
||||
const localVisible = localPart.slice(0, Math.min(2, localPart.length))
|
||||
const domainParts = domain.split('.')
|
||||
const domainName = domainParts.shift() || ''
|
||||
const suffix = domainParts.length ? `.${domainParts.join('.')}` : ''
|
||||
return `${localVisible}***@${domainName.slice(0, 2)}***${suffix}`
|
||||
}
|
||||
|
||||
export function fingerprintResetEmail(email) {
|
||||
return crypto.createHash('sha256').update(normalizeResetEmail(email)).digest('hex')
|
||||
}
|
||||
|
||||
function safeText(value, max = 160) {
|
||||
return String(value == null ? '' : value).slice(0, max)
|
||||
}
|
||||
|
||||
function errorLabel(error) {
|
||||
return safeText(error?.code || error?.name || 'Error', 80)
|
||||
}
|
||||
|
||||
function sanitizedErrorMessage(error) {
|
||||
return safeText(error?.message || error || '')
|
||||
.replace(/[^\s<>"']+@[^\s<>"']+/gi, email => maskResetEmail(email))
|
||||
.replace(/((?:pass(?:word)?|token|secret|authorization|auth)\s*[=:]\s*)[^\s,;]+/gi, '$1[redacted]')
|
||||
.replace(/(smtp:\/\/[^:\s/]+:)[^@\s/]+@/gi, '$1[redacted]@')
|
||||
}
|
||||
|
||||
export async function writePasswordResetLog({
|
||||
requestId,
|
||||
email,
|
||||
ip,
|
||||
step,
|
||||
status,
|
||||
userId,
|
||||
reason,
|
||||
error
|
||||
}) {
|
||||
const normalizedEmail = normalizeResetEmail(email)
|
||||
const entry = {
|
||||
ts: new Date().toISOString(),
|
||||
requestId: safeText(requestId, 80),
|
||||
emailMasked: maskResetEmail(normalizedEmail),
|
||||
emailFingerprint: fingerprintResetEmail(normalizedEmail),
|
||||
ip: safeText(ip, 80),
|
||||
step: safeText(step, 80),
|
||||
status: safeText(status, 40)
|
||||
}
|
||||
|
||||
if (userId) entry.userId = safeText(userId, 80)
|
||||
if (reason) entry.reason = safeText(reason, 100)
|
||||
if (error) {
|
||||
entry.errorCode = errorLabel(error)
|
||||
entry.errorMessage = sanitizedErrorMessage(error)
|
||||
}
|
||||
|
||||
await fs.mkdir(path.dirname(LOG_FILE), { recursive: true })
|
||||
await fs.appendFile(LOG_FILE, `${JSON.stringify(entry)}\n`, 'utf8')
|
||||
}
|
||||
|
||||
export async function cleanupPasswordResetLogs(now = Date.now()) {
|
||||
let contents
|
||||
try {
|
||||
contents = await fs.readFile(LOG_FILE, 'utf8')
|
||||
} catch (error) {
|
||||
if (error.code === 'ENOENT') return { retained: 0, removed: 0 }
|
||||
throw error
|
||||
}
|
||||
|
||||
const threshold = now - RETENTION_MS
|
||||
const entries = contents
|
||||
.split('\n')
|
||||
.filter(Boolean)
|
||||
.flatMap(line => {
|
||||
try {
|
||||
return [JSON.parse(line)]
|
||||
} catch {
|
||||
return []
|
||||
}
|
||||
})
|
||||
const retained = entries.filter(entry => new Date(entry.ts).getTime() >= threshold)
|
||||
const removed = entries.length - retained.length
|
||||
|
||||
if (removed > 0) {
|
||||
const serialized = retained.map(entry => JSON.stringify(entry)).join('\n')
|
||||
await fs.writeFile(LOG_FILE, serialized ? `${serialized}\n` : '', 'utf8')
|
||||
}
|
||||
|
||||
return { retained: retained.length, removed }
|
||||
}
|
||||
|
||||
export async function readPasswordResetLogs() {
|
||||
await cleanupPasswordResetLogs()
|
||||
try {
|
||||
const contents = await fs.readFile(LOG_FILE, 'utf8')
|
||||
return contents
|
||||
.split('\n')
|
||||
.filter(Boolean)
|
||||
.flatMap(line => {
|
||||
try {
|
||||
return [JSON.parse(line)]
|
||||
} catch {
|
||||
return []
|
||||
}
|
||||
})
|
||||
.sort((a, b) => String(b.ts).localeCompare(String(a.ts)))
|
||||
} catch (error) {
|
||||
if (error.code === 'ENOENT') return []
|
||||
throw error
|
||||
}
|
||||
}
|
||||
|
||||
export const PASSWORD_RESET_LOG_RETENTION_HOURS = RETENTION_MS / (60 * 60 * 1000)
|
||||
@@ -26,6 +26,36 @@ function deriveFromBaseUrl() {
|
||||
}
|
||||
}
|
||||
|
||||
function normalizeOrigin(value) {
|
||||
try {
|
||||
const u = new URL(value)
|
||||
if (u.protocol === 'https:') {
|
||||
return `https://${u.hostname}`
|
||||
}
|
||||
if (u.protocol === 'http:' && u.hostname === 'localhost') {
|
||||
return `${u.protocol}//${u.host}`
|
||||
}
|
||||
return u.port === '80' ? `http://${u.hostname}` : `${u.protocol}//${u.host}`
|
||||
} catch {
|
||||
return value
|
||||
}
|
||||
}
|
||||
|
||||
function getAllowedOrigins(origin) {
|
||||
const configured = String(process.env.WEBAUTHN_ALLOWED_ORIGINS || '')
|
||||
.split(',')
|
||||
.map(candidate => normalizeOrigin(candidate.trim()))
|
||||
.filter(Boolean)
|
||||
const origins = [origin, ...configured]
|
||||
|
||||
// Beide produktiven Hostnamen werden im Browser verwendet und gehoeren zur selben RP-ID.
|
||||
if (origin === 'https://harheimertc.de' || origin === 'https://www.harheimertc.de') {
|
||||
origins.push('https://harheimertc.de', 'https://www.harheimertc.de')
|
||||
}
|
||||
|
||||
return [...new Set(origins)]
|
||||
}
|
||||
|
||||
export function getWebAuthnConfig() {
|
||||
const derived = deriveFromBaseUrl()
|
||||
|
||||
@@ -33,23 +63,8 @@ export function getWebAuthnConfig() {
|
||||
const rpName = process.env.WEBAUTHN_RP_NAME || 'Harheimer TC'
|
||||
|
||||
// WEBAUTHN_ORIGIN hat Priorität, sonst von BASE_URL ableiten
|
||||
let origin = process.env.WEBAUTHN_ORIGIN || derived.origin
|
||||
|
||||
// Sicherstellen, dass HTTPS-Origins KEINEN Port haben (auch wenn in ENV gesetzt)
|
||||
if (origin.startsWith('https://')) {
|
||||
try {
|
||||
const u = new URL(origin)
|
||||
// Port 443 oder kein Port = Standard, also Port weglassen
|
||||
if (u.port === '443' || !u.port) {
|
||||
origin = `https://${u.hostname}`
|
||||
} else {
|
||||
// Auch andere Ports bei HTTPS entfernen (nicht Standard für WebAuthn)
|
||||
origin = `https://${u.hostname}`
|
||||
}
|
||||
} catch {
|
||||
// Ignore
|
||||
}
|
||||
}
|
||||
const origin = normalizeOrigin(process.env.WEBAUTHN_ORIGIN || derived.origin)
|
||||
const origins = getAllowedOrigins(origin)
|
||||
|
||||
const requireUV = (process.env.WEBAUTHN_REQUIRE_UV || '').toLowerCase() === 'true'
|
||||
|
||||
@@ -57,13 +72,14 @@ export function getWebAuthnConfig() {
|
||||
rpId,
|
||||
rpName,
|
||||
origin,
|
||||
origins,
|
||||
requireUV,
|
||||
webauthnOriginEnv: process.env.WEBAUTHN_ORIGIN,
|
||||
webauthnAllowedOriginsEnv: process.env.WEBAUTHN_ALLOWED_ORIGINS,
|
||||
baseUrlEnv: process.env.NUXT_PUBLIC_BASE_URL,
|
||||
derivedOrigin: derived.origin
|
||||
})
|
||||
|
||||
return { rpId, rpName, origin, requireUV }
|
||||
return { rpId, rpName, origin, origins, requireUV }
|
||||
}
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user