diff --git a/package.json b/package.json
index ff34fff..a87e799 100644
--- a/package.json
+++ b/package.json
@@ -40,6 +40,7 @@
"express": "^5.1.0",
"express-handlebars": "^8.0.3",
"express-list-endpoints": "^7.1.1",
+ "express-openid-connect": "^2.19.4",
"express-rate-limit": "^8.0.1",
"glob": "^11.0.3",
"gray-matter": "^4.0.3",
@@ -47,8 +48,10 @@
"hbs": "^4.2.0",
"helmet": "^8.1.0",
"hpp": "^0.2.3",
+ "jose": "^6.2.2",
"js-beautify": "^1.15.4",
"js-yaml": "^4.1.0",
+ "ldapts": "^8.1.7",
"marked": "^16.1.1",
"morgan": "^1.10.1",
"node-disk-info": "^1.3.0",
diff --git a/public/js/credentialManager.js b/public/js/credentialManager.js
index a068221..04ab38a 100644
--- a/public/js/credentialManager.js
+++ b/public/js/credentialManager.js
@@ -7,10 +7,14 @@
this.container = document.getElementById("manager-container");
this.token = this.container?.dataset.token || null;
+ this.isAuthenticated = this.container?.dataset.authenticated === "true";
+ this.username = this.container?.dataset.username || null;
+ this.groups = this.container?.dataset.groups || [];
+
// Capture redirect target from URL or default to root
const urlParams = new URLSearchParams(window.location.search);
this.hasRedirect = urlParams.has("rd");
- this.redirectUri = urlParams.get("rd") || "/";
+ this.redirectUri = urlParams.get("rd") || "/guest-access";
this.action = urlParams.get("action");
}
@@ -34,6 +38,7 @@
const returnLoginBtn = document.getElementById("return-to-login-btn");
const authForm = document.getElementById("auth-form");
const logoutBtn = document.getElementById("logout-btn");
+ const reLoginBtn = document.getElementById("re-login-btn");
if (showTokenBtn) {
showTokenBtn.addEventListener("click", () =>
@@ -82,6 +87,11 @@
if (logoutBtn) {
logoutBtn.addEventListener("click", () => this.handleLogout());
}
+ if (reLoginBtn) {
+ reLoginBtn.addEventListener("click", () => {
+ this._switchState("logout-success-section", "login-section");
+ });
+ }
}
_switchState(fromId, toId) {
@@ -197,30 +207,36 @@
btn.disabled = true;
btn.innerText = "AUTHENTICATING...";
- errorEl?.classList.add("hidden");
try {
+ // STEP 1: Satisfy Authelia's Identity Check via AJAX
+ // This puts the 'authelia_session' cookie in your browser.
const response = await fetch(
"https://auth.jasonpoage.com/api/firstfactor",
{
method: "POST",
- mode: "cors",
headers: { "Content-Type": "application/json" },
- body: JSON.stringify({
- username: username,
- password: password,
- keepMeLoggedIn: keepMeLoggedIn,
- }),
- credentials: "include", // Required for session cookie storage
+ body: JSON.stringify({ username, password, keepMeLoggedIn }),
+ credentials: "include", // CRITICAL: This allows the browser to save the cookie
},
);
- if (response.ok) {
- window.location.href = this.redirectUri;
- } else {
+ if (!response.ok) {
const data = await response.json();
throw new Error(data.message || "Invalid credentials.");
}
+
+ // STEP 2: Trigger the OIDC Handshake
+ // Now that Authelia has your session cookie, this redirect will
+ // "blip" through Authelia and back to your app instantly.
+ const loginUrl = "/auth/login";
+ const target = this.hasRedirect
+ ? `?returnTo=${encodeURIComponent(this.redirectUri)}`
+ : "";
+ const loginUri = `${loginUrl}${target}`;
+
+ console.log(loginUri);
+ window.location.href = loginUri;
} catch (err) {
if (errorEl) {
errorEl.innerText = err.message;
@@ -235,27 +251,23 @@
*/
async checkSession() {
try {
- // Authelia's internal identity endpoint
- const response = await fetch(
- "https://auth.jasonpoage.com/api/user/info",
- {
- method: "GET",
- credentials: "include",
- },
- );
+ // Query the Express App, not the Authelia Portal
+ const response = await fetch("/api/auth/status");
if (response.ok) {
- const user = await response.json();
+ const session = await response.json();
- if (this.hasRedirect && this.redirectUri !== "/") {
- // Rule: Logged in + Redirect set -> GO
- window.location.href = this.redirectUri;
- } else {
- this._displayLogoutState(user.data.display_name);
+ if (session.isAuthenticated) {
+ if (this.hasRedirect && this.redirectUri !== "/") {
+ window.location.href = this.redirectUri;
+ } else {
+ // Use the verified session username and groups
+ this._displayLogoutState(this.username);
+ }
}
}
} catch (err) {
- console.log("No active session detected.", err.stack);
+ console.log("No active application session detected.");
}
}
@@ -273,20 +285,31 @@
async handleLogout() {
const btn = document.getElementById("logout-btn");
- btn.disabled = true;
- btn.innerText = "SIGNING OUT...";
+ if (btn) {
+ btn.disabled = true;
+ btn.innerText = "SIGNING OUT...";
+ }
try {
- await fetch("https://auth.jasonpoage.com/api/logout", {
+ // 1. Terminate the Express App session
+ const appLogout = await fetch("/api/auth/logout", {
method: "POST",
- credentials: "include",
+ headers: { "Content-Type": "application/json" },
});
- // Refresh to reset the UI to the clean login state
- window.location.reload();
+
+ if (appLogout.ok) {
+ this.isAuthenticated = false;
+ this.container.dataset.authenticated = "false";
+ this._switchState("logout-section", "logout-success-section");
+ } else {
+ throw new Error("Logout failed");
+ }
} catch (err) {
- btn.disabled = false;
- btn.innerText = "SIGN OUT";
- console.error("Logout failed:", err);
+ console.error("Logout process failed:", err);
+ if (btn) {
+ btn.disabled = false;
+ btn.innerText = "SIGN OUT";
+ }
}
}
}
diff --git a/src/config/loader.js b/src/config/loader.js
index 11ffc69..7b7d107 100644
--- a/src/config/loader.js
+++ b/src/config/loader.js
@@ -48,6 +48,13 @@
120000,
timeout_ms: c?.auth?.timeout_ms || process.env.AUTH_TIMEOUT_MS || 5000,
},
+ session: {
+ cookie: {
+ secure: true, // Required since you are using HTTPS via Nginx
+ sameSite: "Lax", // Allows the cookie to be sent on the top-level redirect back
+ domain: ".jasonpoage.com", // Ensures the cookie is visible across subdomains
+ },
+ },
mail: {
secure: c?.mail?.secure || process.env.MAIL_SECURE || false,
auth: c?.mail?.auth || process.env.MAIL_AUTH || null,
diff --git a/src/controllers/accessController.js b/src/controllers/accessController.js
index 241e03a..d16833f 100644
--- a/src/controllers/accessController.js
+++ b/src/controllers/accessController.js
@@ -1,3 +1,6 @@
+const { session } = require("../config/loader.js");
+const { baseUrl } = require("../utils/baseUrl.js");
+
/**
* Handles the GET request from a recruiter clicking the unique link.
*/
@@ -20,3 +23,48 @@
// Base context handles user/session data
});
};
+
+exports.userInfoApiController = async (req, res) => {
+ const userInfo = await req.oidc.fetchUserInfo();
+
+ res.status(200).json(userInfo);
+};
+exports.logoutSuccessApiController = (req, res) => {
+ res.status(200).json({
+ success: true,
+ message: "Local application session cleared",
+ });
+};
+exports.logoutApiController = (req, res) => {
+ try {
+ res.oidc.logout({
+ returnTo: "/api/auth/logout/success",
+ });
+ } catch (e) {
+ res.send(e.message);
+ }
+};
+exports.logoutController = (req, res) => {
+ try {
+ res.oidc.logout({
+ returnTo: "/auth/logout/success",
+ });
+ } catch (e) {
+ res.send(e.message);
+ }
+};
+
+exports.loginController = (req, res) => {
+ const rd = req.query.rd;
+ const destination = rd
+ ? `/guest-access?rd=${encodeURIComponent(rd)}`
+ : "/guest-access";
+
+ try {
+ res.oidc.login({
+ returnTo: "/guest-access",
+ });
+ } catch (e) {
+ res.status(500).send(e.message);
+ }
+};
diff --git a/src/middleware/authCheck.js b/src/middleware/authCheck.js
index 780ec8a..68e9d63 100644
--- a/src/middleware/authCheck.js
+++ b/src/middleware/authCheck.js
@@ -1,104 +1,18 @@
// middleware/authCheck.js
-const fetch = require("node-fetch");
-const { auth } = require("../config/loader");
-const { verify: verify_url, cache_ttl, timeout_ms } = auth;
-const { LOG_MESSAGES } = require("../constants/authConstants");
-
-// Simple in-memory cache
-const authCache = new Map();
-
-function getCacheKey(cookie, authHeader) {
- return `${cookie}:${authHeader}`;
-}
-
-function isCacheValid(entry) {
- return entry && Date.now() - entry.timestamp < cache_ttl;
-}
-
-setInterval(() => {
- const now = Date.now();
- for (const [key, entry] of authCache.entries()) {
- if (now - entry.timestamp >= cache_ttl) {
- authCache.delete(key);
- }
- }
-}, cache_ttl);
-// const SAFE_IPS = ["192.168.1.200", "192.168.1.50"];
-const SAFE_IPS = [];
module.exports = async (req, res, next) => {
- // Determine the client IP address.
- // req.ip is often provided by Express and correctly handles X-Forwarded-For if Express is configured for it.
- // If not, you might need to manually check req.headers['x-forwarded-for']
- const clientIp = req.ip; // Or req.headers['x-forwarded-for']?.split(',')[0] || req.connection.remoteAddress;
- // --- Bypass Logic ---
- // Check if the client IP is in the list of safe IPs
- if (SAFE_IPS.includes(clientIp)) {
- // -- fixme; harden for production by disabling this
- res.locals.session = {
- isAuthenticated: true,
- user: "local-admin",
- groups: ["admin", "guests"], // Assign groups needed for menu visibility
- };
- if (req.log) {
- req.log.security(`Bypassing authentication for safe IP: ${clientIp}`);
- } else {
- console.security(`Bypassing authentication for safe IP: ${clientIp}`);
- }
- return next(); // Proceed to the next middleware/route handler
- }
- // --- End Bypass Logic ---
-
- const cookie = req.headers["cookie"] || "";
- const authHeader = req.headers["authorization"] || "";
- const cacheKey = getCacheKey(cookie, authHeader);
-
- const cached = authCache.get(cacheKey);
- if (isCacheValid(cached)) {
- res.locals.session = cached.session;
- return next();
- }
-
+ // Initialize default state
res.locals.session = { isAuthenticated: false, user: null, groups: [] };
- try {
- const controller = new AbortController();
- const timeout = setTimeout(() => controller.abort(), auth.timeout_ms);
+ if (req.oidc.isAuthenticated()) {
+ // Pull data directly from the encrypted session cookie
+ // No network calls, no Map lookups, no staleness
+ const user = await req.oidc.fetchUserInfo();
- const resVerify = await fetch(verify_url, {
- headers: { cookie, authorization: authHeader },
- credentials: "include",
- signal: controller.signal,
- });
-
- clearTimeout(timeout);
-
- if (resVerify.status === 200) {
- // Extract Authelia identity headers from the verification response
- const user = resVerify.headers.get("remote-user");
- const groupsHeader = resVerify.headers.get("remote-groups") || "";
- const groups = groupsHeader
- ? groupsHeader.split(",").map((g) => g.trim())
- : [];
-
- res.locals.session = {
- isAuthenticated: true,
- user: user,
- groups: groups,
- };
- }
-
- authCache.set(cacheKey, {
- session: res.locals.session,
- timestamp: Date.now(),
- });
- } catch (e) {
- req.isAuthenticated = false;
- if (req.log) {
- req.log.warn(LOG_MESSAGES.AUTH_SERVER_UNAVAILABLE, e.stack);
- } else {
- console.warn(LOG_MESSAGES.AUTH_SERVER_UNAVAILABLE, e.stack);
- }
+ res.locals.session = {
+ isAuthenticated: true,
+ ...user,
+ };
}
next();
diff --git a/src/middleware/authConfig.js b/src/middleware/authConfig.js
new file mode 100644
index 0000000..b883144
--- /dev/null
+++ b/src/middleware/authConfig.js
@@ -0,0 +1,68 @@
+// src/setupMiddleware.js
+const { TRUST_PROXY } = require("../constants/middlewareConstants");
+
+const { meta, session } = require("../config/loader");
+const { auth, requiresAuth } = require("express-openid-connect");
+const { baseUrl } = require("../utils/baseUrl.js");
+
+const authConfig = {
+ // idpLogout: true,
+ afterCallback: async (req, res, session, decodedToken) => {
+ req.log.warn(
+ "User Authenticated:" +
+ JSON.stringify(decodedToken) +
+ JSON.stringify(session),
+ );
+ // try {
+ const jose = require("jose");
+ const claims = jose.decodeJwt(session.id_token);
+ // const userInfo = await req.oidc.fetchUserInfo();
+ req.log.warn("claims: " + JSON.stringify(claims));
+ return {
+ ...session,
+ sub: claims.sub,
+ // userProfile: {
+ // username: userInfo.preferred_username || userInfo.name,
+ // groups: userInfo.groups || [],
+ // },
+ };
+ // } catch (err) {
+ // req.log.error(
+ // "Failed to fetch UserInfo during callback:" + JSON.stringify(err),
+ // );
+ // return session; // Fallback to basic session if fetch fails
+ // }
+ },
+ // afterCallback: async (req, res, session, decodedToken) => {
+ // // 1. Manually fetch the fresh user info (including groups) once
+ // // const userInfo = await req.oidc.fetchUserInfo();
+
+ // // 2. Attach it to the session object
+ // // This gets encrypted into the 'appSession' cookie
+ // return {
+ // ...session,
+ // // userinfo: userInfo,
+ // // groups: userInfo.groups || [],
+ // };
+ // },
+ session,
+ secret: "insecure_secret",
+ clientID: "express-blog",
+ clientSecret: "insecure_secret",
+ baseURL: baseUrl,
+ issuerBaseURL: "https://auth.jasonpoage.com",
+ authRequired: false,
+ authorizationParams: {
+ response_type: "code",
+ response_mode: "query",
+ scope: "openid profile email groups",
+ // audience: "express-blog",
+ },
+ routes: {
+ callback: "/auth/callback",
+ login: "/auth/_login",
+ logout: "/auth/logout",
+ },
+};
+
+module.exports = auth(authConfig);
diff --git a/src/middleware/debug.js b/src/middleware/debug.js
new file mode 100644
index 0000000..987b286
--- /dev/null
+++ b/src/middleware/debug.js
@@ -0,0 +1,67 @@
+// src/setupMiddleware.js
+
+const router = require("express").Router();
+const { TRUST_PROXY } = require("../constants/middlewareConstants");
+const { meta, session } = require("../config/loader");
+const { requiresAuth } = require("express-openid-connect");
+const { baseUrl } = require("../utils/baseUrl.js");
+
+const cookieParser = require("cookie-parser");
+router.use(cookieParser());
+
+const debug = async (req, res) => {
+ try {
+ const tokenSet = req.oidc.tokenSet;
+ const username = req.oidc?.user?.name ?? undefined;
+
+ let userinfo;
+ try {
+ userinfo = await req.oidc.fetchUserInfo();
+ } catch (e) {
+ userinfo = e.message;
+ }
+
+ const diagnostics = {
+ session,
+ "req.cookies": req.cookies,
+ "req.signedCookies": req.signedCookies,
+ "req.oidc.fetchUserInfo()": userinfo,
+ "req.locals.session": res.locals.session || "unset",
+ "req.oidc.user": req.oidc.user || "unset",
+
+ metadata: {
+ "trust-proxy": TRUST_PROXY,
+ baseUrl,
+ user: username,
+ // 1. Connection Security (Critical for Access Tokens)
+ protocol: req.protocol,
+ isSecure: req.secure, // If this is false, the SDK drops the access_token
+ // 2. Auth State
+ isAuthenticated: req.oidc.isAuthenticated(),
+
+ // 3. Token Inventory (What the library actually holds)
+ tokensInStore: tokenSet ? Object.keys(tokenSet) : "NONE",
+
+ // 4. Scopes (What was actually granted by Authelia)
+ grantedScopes: tokenSet?.scope,
+ "req.openidTokens": req.openidTokens ?? "not set",
+ },
+ };
+
+ // Log to console for persistent record
+ console.warn("--- DIAGNOSTIC DATA ---");
+ res.send("" + JSON.stringify(diagnostics, null, 2) + "
");
+
+ // res.json(diagnostics);
+ } catch (e) {
+ res.json(e.stack);
+ }
+};
+
+router.get("/debug", debug);
+
+const { claimIncludes } = require("express-openid-connect");
+
+router.get("/debug/claim", claimIncludes("groups", "guests"), debug);
+
+module.exports = router;
diff --git a/src/middleware/errorHandler.js b/src/middleware/errorHandler.js
index bee91cc..8c18a9e 100644
--- a/src/middleware/errorHandler.js
+++ b/src/middleware/errorHandler.js
@@ -11,6 +11,7 @@
ERROR_REDIRECT_PATH,
} = require("../constants/errorConstants");
const { winstonLogger } = require("../utils/logging");
+const { meta } = require("../config/loader");
module.exports = async (err, req, res, next) => {
const statusCode = err.statusCode ?? DEFAULT_STATUS_CODE;
@@ -75,15 +76,20 @@
metadata: err.metadata,
});
- const errorPageContext = await req.getBaseContext(
- req?.isAuthenticated,
- context,
- );
- res.status(errorContext.statusCode);
try {
+ const errorPageContext = await req.getBaseContext(
+ req?.isAuthenticated,
+ context,
+ );
+ res.status(errorContext.statusCode);
res.renderGenericMessage(errorPageContext);
} catch (e) {
winstonLogger.error(e, { context });
- res.send("Critical error.");
+ if (meta.node_env == "production") {
+ res.send("Critical error.");
+ } else {
+ const response = "" + JSON.stringify(context, null, 2) + "
";
+ res.send(response);
+ }
}
};
diff --git a/src/middleware/index.js b/src/middleware/index.js
index 4de2b80..8922f4c 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -23,8 +23,12 @@
const analytics = require("../controllers/analyticsControllers");
const httpLogger = require("../utils/structuredLogger");
const cacheUtils = require("./cacheUtils");
+const authConfig = require("./authConfig");
+const debugMiddleware = require("./debug");
const trace = require("./trace");
-const { meta } = require("../config/loader");
+const { meta, session } = require("../config/loader");
+const { auth, requiresAuth } = require("express-openid-connect");
+const { baseUrl } = require("../utils/baseUrl.js");
function setupApp(config) {
const app = express();
@@ -34,12 +38,14 @@
app.use(adaptiveBodyParser);
app.use(hbs);
-
// Setup logging
app.use(httpLogger, loggingMiddleware);
+ app.use(authConfig);
app.use(authCheck);
+ app.use(debugMiddleware);
+
// Setup handlebars
app.use(BaseContext);
// app.use(attachBaseContextGetter, buildBaseContext);
diff --git a/src/middleware/safeIpCheck.js b/src/middleware/safeIpCheck.js
new file mode 100644
index 0000000..8bc813e
--- /dev/null
+++ b/src/middleware/safeIpCheck.js
@@ -0,0 +1,32 @@
+// middleware/safeipCheck.js
+const use_ip_bypass = false;
+
+// const SAFE_IPS = ["192.168.1.200", "192.168.1.50"];
+const SAFE_IPS = [];
+
+module.exports = bypassSafeIp(req, res, next) => {
+ // Determine the client IP address.
+ // req.ip is often provided by Express and correctly handles X-Forwarded-For if Express is configured for it.
+ // If not, you might need to manually check req.headers['x-forwarded-for']
+ const clientIp = req.ip; // Or req.headers['x-forwarded-for']?.split(',')[0] || req.connection.remoteAddress;
+ // --- Bypass Logic ---
+ // Check if the client IP is in the list of safe IPs
+ if (use_ip_bypass && SAFE_IPS.includes(clientIp)) {
+ // -- fixme; harden for production by disabling this block
+ res.locals.session = {
+ isAuthenticated: true,
+ user: "local-admin",
+ groups: ["admin", "guests", "people"], // Assign groups needed for menu visibility
+ };
+ if (req.log) {
+ req.log.security(`Bypassing authentication for safe IP: ${clientIp}`);
+ } else {
+ console.security(`Bypassing authentication for safe IP: ${clientIp}`);
+ }
+ res.locals.isSafeIp = true;
+ } else {
+ res.locals.isSafeIp = false;
+ }
+ return next(); // Proceed to the next middleware/route handler
+}
+
diff --git a/src/middleware/setPolicy.js b/src/middleware/setPolicy.js
new file mode 100644
index 0000000..952e04e
--- /dev/null
+++ b/src/middleware/setPolicy.js
@@ -0,0 +1,54 @@
+const { evaluateRules } = require("../utils/evaluateRules.js");
+const { handleRedirect } = require("./redirect.js");
+
+/**
+ * Route-level policy enforcement middleware.
+ * @param {Object} config - { policy: "allow"|"deny"|"deny-children", rules: Array }
+ */
+function setPolicy(config) {
+ return (req, res, next) => {
+ const session = res.locals.session || {
+ isAuthenticated: false,
+ groups: [],
+ user: null,
+ };
+ // return res.json(session);
+ const policy = config.policy || "allow";
+ const rules = config.rules || [];
+ const redirectTarget = config.redirectOnFail || "/";
+
+ // 1. "allow" and "deny-children" permit access to the route itself
+ if (policy === "allow" || policy === "deny-children") {
+ return next();
+ }
+
+ // 2. "deny" requires authentication AND passing the rule set
+ if (policy === "deny") {
+ if (session.isAuthenticated && evaluateRules(rules, session)) {
+ return next();
+ }
+
+ // Log the rejection for audit trails
+ if (req.log) {
+ req.log.warn(
+ { user: session.user, policy, rules },
+ "Access Denied by Policy",
+ );
+ }
+
+ // CASE: User is not logged in - Redirect to OIDC Login
+ if (!session.isAuthenticated) {
+ req.log.warn("REDIRECT " + JSON.stringify(session));
+ return handleRedirect(req, res, "/guest-access", 302);
+ }
+
+ // CASE: User is logged in but lacks permissions - Redirect to target (or 403 page)
+ return handleRedirect(req, res, redirectTarget, 302);
+ }
+
+ // Default safety: Fail closed
+ res.status(403).send("Security Policy Violation");
+ };
+}
+
+module.exports = setPolicy;
diff --git a/src/routes/guestAccessRouter.js b/src/routes/guestAccessRouter.js
index e189886..7a84cae 100644
--- a/src/routes/guestAccessRouter.js
+++ b/src/routes/guestAccessRouter.js
@@ -2,21 +2,53 @@
const router = express.Router();
const logEvent = require("../middleware/analytics.js");
-const securedMiddleware = require("./secured");
+const { auth, requiresAuth } = require("express-openid-connect");
+const setPolicy = require("../middleware/setPolicy.js");
const {
handleAccessConsumption,
renderPortal,
+ loginController,
+ logoutApiController,
+ logoutSuccessApiController,
+ logoutController,
+ userInfoApiController,
} = require("../controllers/accessController");
+// -- Generate acccess token
router.get(
"/access/manager",
logEvent("admin"),
- securedMiddleware,
+ setPolicy({
+ policy: "deny",
+ rules: [["user:jason"], ["group:professors"]],
+ }),
renderPortal,
);
+// -- Logout
+router.post("/api/auth/logout", logoutApiController);
+// router.get("/auth/login", loginController);
+router.use("/auth/login", loginController);
+router.get("/api/auth/logout", logoutApiController);
+router.get("/api/auth/logout/success", logoutSuccessApiController);
+router.get("/guest-access/logout", logoutController);
+
+// -- User info
+router.get("/api/auth/userinfo", userInfoApiController);
+router.get("/api/auth/status", (req, res) => {
+ // res.locals.session is populated by your authCheck middleware
+ res.json(res.locals.session);
+});
+
+// -- Login
+router.get(
+ "/guest-access",
+ logEvent("admin"),
+ // requiresAuth(),
+ handleAccessConsumption,
+);
+// -- Login using access token
router.get("/guest-access/:token", logEvent("admin"), handleAccessConsumption);
-router.get("/guest-access", logEvent("admin"), handleAccessConsumption);
module.exports = router;
diff --git a/src/utils/baseContext.js b/src/utils/baseContext.js
index a4c80ea..212cb8c 100644
--- a/src/utils/baseContext.js
+++ b/src/utils/baseContext.js
@@ -27,8 +27,18 @@
}
async init() {
- console.log(this.res.locals);
- const session = this.res.locals.session;
+ this.req.log.info(
+ "baseContext res.locals" + JSON.stringify(this.res.locals),
+ );
+ const session = this.res.locals.session || {
+ isAuthenticated: false,
+ user: null,
+ groups: [],
+ };
+ this.req.log.warn(
+ "baseContext res.locals.session" +
+ JSON.stringify(this.res.locals.session),
+ );
session.token = generateToken();
this.baseContext = await this.getBaseContext(session, {});
this.next();
@@ -75,6 +85,10 @@
const siteOwner = meta.site_owner;
const context = {
+ session: {
+ ...session,
+ groups: session,
+ },
title: getSiteTitle(siteOwner),
siteOwner,
originCountry: meta.country,
diff --git a/src/utils/evaluateRules.js b/src/utils/evaluateRules.js
new file mode 100644
index 0000000..5dd8068
--- /dev/null
+++ b/src/utils/evaluateRules.js
@@ -0,0 +1,29 @@
+// src/utils/evaluateRules.js
+/**
+ * Evaluates access rules against the current identity context.
+ * * Rules:
+ * - Outer array: Logical OR (Success if any requirement block passes)
+ * - Inner array: Logical AND (Success if all rules in the block pass)
+ * * @param {Array>} rules - Nested rule set
+ * @param {Object} auth - { isAuthenticated, user, groups }
+ */
+function evaluateRules(rules, session) {
+ if (!rules || !rules.length) return true;
+
+ const { user, groups = [] } = session;
+
+ return rules.some((requirement) =>
+ requirement.every((rule) => {
+ const [type, value] = rule.split(":");
+ switch (type) {
+ case "group":
+ return groups.includes(value);
+ case "user":
+ return user === value;
+ default:
+ return false;
+ }
+ }),
+ );
+}
+module.exports = { evaluateRules };
diff --git a/src/utils/getGroups.js b/src/utils/getGroups.js
new file mode 100644
index 0000000..6c5ff8c
--- /dev/null
+++ b/src/utils/getGroups.js
@@ -0,0 +1,35 @@
+const { winstonLogger } = require("./logging");
+const { Client } = require("ldapts");
+
+module.exports.getGroups = async function getGroups(username) {
+ return [];
+ try {
+ const url = "ldap://10.8.0.1";
+ const bindDN = "cn=admin,dc=jasonpoage,dc=com";
+ const password = "9b4h655SrcIOLmK4u5Zldw";
+ const userDN = `uid=${username},ou=People,dc=jasonpoage,dc=com`;
+
+ const client = new Client({ url });
+
+ try {
+ await client.bind(bindDN, password);
+
+ const { searchEntries } = await client.search("dc=jasonpoage,dc=com", {
+ scope: "sub",
+ // Find groups where this user's full DN is listed in the 'member' attribute
+ filter: `(&(objectClass=groupOfNames)(member=${userDN}))`,
+ attributes: ["cn"],
+ });
+
+ // Extract the 'cn' from each group found
+ return searchEntries.map((entry) => entry.cn);
+ } catch (err) {
+ winstonLogger.warn("LDAP Search Error:" + err.message);
+ throw err;
+ } finally {
+ await client.unbind();
+ }
+ } catch (e) {
+ return e.stack;
+ }
+};
diff --git a/src/utils/processMenuLinks.js b/src/utils/processMenuLinks.js
index fecc1df..63482b3 100644
--- a/src/utils/processMenuLinks.js
+++ b/src/utils/processMenuLinks.js
@@ -1,65 +1,122 @@
// src/utils/processMenuLinks.js
+const { winstonLogger } = require("./logging/index.js");
+const { evaluateRules } = require("../utils/evaluateRules.js");
/**
- * Evaluates access rules against the current identity context.
- * * Rules:
- * - Outer array: Logical OR (Success if any requirement block passes)
- * - Inner array: Logical AND (Success if all rules in the block pass)
- * * @param {Array>} rules - Nested rule set
- * @param {Object} auth - { isAuthenticated, user, groups }
+ * Applies attribute promotion from a child to a parent.
*/
-function evaluateRules(rules, session) {
- if (!rules || !rules.length) return true;
+function promoteAttributes(parent, child) {
+ const promote = child.promote;
+ let keys = [];
- const { user, groups = [] } = session;
+ if (promote === "true" || promote === true) {
+ keys = Object.keys(child).filter((k) => k !== "submenu" && k !== "promote");
+ } else if (typeof promote === "string") {
+ keys = [promote];
+ } else if (Array.isArray(promote)) {
+ keys = promote;
+ }
- return rules.some((requirement) =>
- requirement.every((rule) => {
- const [type, value] = rule.split(":");
- switch (type) {
- case "group":
- return groups.includes(value);
- case "user":
- return user === value;
- default:
- return false;
- }
- }),
- );
+ keys.forEach((key) => {
+ parent[key] = child[key];
+ });
}
-function processMenuLinks(links, session, currentPath) {
+
+/**
+ * Processes menu links with policy inheritance and parent-override logic.
+ * @param {Array} links - The menu items to filter.
+ * @param {Object} session - The { isAuthenticated, user, groups } object.
+ * @param {string} currentPath - The active URL path.
+ * @param {string} inheritedPolicy - The policy passed down from the parent (default "allow").
+ */
+function processMenuLinks(
+ links,
+ session,
+ currentPath,
+ inheritedPolicy = "allow",
+) {
+ if (!links) return [];
+
return links
- .filter((link) => {
- const policy = link.policy || "allow";
-
- if (policy == "allow" || policy === "deny-children") {
- return true;
- }
-
- // 1. Check basic security requirement
- if (policy == "deny" && !session.isAuthenticated) return false;
-
- // 2. Check specific rules if they exist
- return evaluateRules(link.rules, session);
- })
.map((link) => {
const item = { ...link };
- if (item.appendCurrentPath && typeof item.href === "string") {
- if (currentPath !== "/" && !item.href.endsWith(currentPath)) {
- item.href = item.href + currentPath;
- }
- } else if (item.html) {
- item.href = `/docs/hexa/${item.html}`; // fixme
- } else if (item.frame) {
- item.href = `/docs/hexa/${item.frame}`; // fixme
- } else if (item.mermaid) {
- item.href = `/docs/hexa/${item.mermaid}`; // fixme
- }
+ const activePolicy = item.policy || inheritedPolicy;
+ // winstonLogger.info(
+ // JSON.stringify({ Label: item.label, Policy: activePolicy, session }),
+ // );
+
if (item.submenu) {
- item.submenu = processMenuLinks(item.submenu, session, currentPath);
- if (!item.submenu.length) delete item.submenu;
+ const nextPolicy =
+ activePolicy === "deny-children" ? "deny" : activePolicy;
+ const processedSub = processMenuLinks(
+ item.submenu,
+ session,
+ currentPath,
+ nextPolicy,
+ );
+
+ const primaryChild = item.submenu[0];
+ const isPrimaryVisible = processedSub.some(
+ (s) => s.label === primaryChild.label,
+ );
+
+ // Promotion Logic: Trigger if only the primary child remains or the menu is empty
+ if (
+ (processedSub.length === 0 ||
+ (processedSub.length === 1 && isPrimaryVisible)) &&
+ primaryChild?.promote
+ ) {
+ const childPolicy = primaryChild.policy || "allow"; // Requirement: Default to allow
+
+ const isChildAccessible =
+ childPolicy === "allow" ||
+ (childPolicy === "deny" &&
+ session.isAuthenticated &&
+ evaluateRules(primaryChild.rules, session));
+
+ if (isChildAccessible) {
+ promoteAttributes(item, primaryChild);
+
+ // Policy inheritance: Apply child policy only if the child has its own children
+ if (primaryChild.submenu && primaryChild.submenu.length > 0) {
+ item.policy = childPolicy;
+ item.submenu = processMenuLinks(
+ primaryChild.submenu,
+ session,
+ currentPath,
+ item.policy,
+ );
+ } else {
+ item.policy = childPolicy;
+ delete item.submenu;
+ }
+ }
+ } else {
+ // Standard Dropdown: Filter out any item with the 'promote' key from the list
+ item.submenu = processedSub.filter((s) => !s.promote);
+ if (item.submenu.length === 0) delete item.submenu;
+ }
}
+
+ // Path/Resource Normalization
+ if (item.appendCurrentPath && typeof item.href === "string") {
+ if (currentPath !== "/" && !item.href.endsWith(currentPath))
+ item.href += currentPath;
+ } else if (item.html || item.frame || item.mermaid) {
+ item.href = `/docs/hexa/${item.html || item.frame || item.mermaid}`;
+ }
+
return item;
+ })
+ .filter((item) => {
+ // Final Security Gate (Parent Wins)
+ const policy = item.policy || inheritedPolicy;
+ if (policy === "allow" || policy === "deny-children") return true;
+ if (policy === "deny") {
+ console.log(session);
+ return session.isAuthenticated && evaluateRules(item.rules, session);
+ }
+ return false;
});
}
module.exports = processMenuLinks;
diff --git a/src/views/pages/credentials.handlebars b/src/views/pages/credentials.handlebars
index e148219..3cfeee1 100644
--- a/src/views/pages/credentials.handlebars
+++ b/src/views/pages/credentials.handlebars
@@ -6,7 +6,13 @@
{{/section}}
-
+
{{!-- State 1: Standard Login (Default) --}}
@@ -83,4 +89,14 @@
+ {{!-- State 5: Logout Success --}}
+
+
Logout Successful
+
Your local session has been terminated and security headers cleared.
+
+
+