ep_comments_page/apiUtils.js at main · ether/ep_comments_page · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
'use strict';

const padManager = require('ep_etherpad-lite/node/db/PadManager');
const settings = require('ep_etherpad-lite/node/utils/Settings');

// Validate authorization - checks API key or JWT token depending on auth method
const validateAuth = async (req, res) => {
  try {
    // If API key auth is configured
    const apiKeyHandler = require('ep_etherpad-lite/node/handler/APIKeyHandler');
    const apikey = apiKeyHandler.apikey;
    if (apikey !== null && apikey.trim().length > 0) {
      const fields = Object.assign({}, req.query, req.body);
      const receivedKey = fields.apikey || fields.api_key || req.headers.authorization;
      if (receivedKey !== apikey.trim()) {
        res.statusCode = 401;
        res.json({code: 4, message: 'no or wrong API Key', data: null});
        return false;
      }
      return true;
    }

    // SSO/JWT auth
    if (!req.headers.authorization) {
      res.statusCode = 401;
      res.json({code: 4, message: 'no or wrong API Key', data: null});
      return false;
    }
    const {jwtVerify} = require('jose');
    const {jwtDecode} = require('jwt-decode');
    const {publicKeyExported} = require('ep_etherpad-lite/node/security/OAuth2Provider');
    const clientIds = settings.sso?.clients?.map((client) => client.client_id) ?? [];
    const jwtToCheck = req.headers.authorization.replace('Bearer ', '');
    const payload = jwtDecode(jwtToCheck);
    if (clientIds.includes(payload.sub)) {
      await jwtVerify(jwtToCheck, publicKeyExported, {algorithms: ['RS256']});
    } else {
      await jwtVerify(jwtToCheck, publicKeyExported, {algorithms: ['RS256'], requiredClaims: ['admin']});
    }
    return true;
  } catch (e) {
    res.statusCode = 401;
    res.json({code: 4, message: 'no or wrong API Key', data: null});
    return false;
  }
};

const validateRequiredField =
  (originalFields, fieldName) => typeof originalFields[fieldName] !== 'undefined';

// Checks if required fields are present, and prepare response if any of them
// is not. Returns true if valid, false otherwise.
const validateRequiredFields = (originalFields, requiredFields, res) => {
  for (const requiredField of requiredFields) {
    if (!validateRequiredField(originalFields, requiredField)) {
      const errorMessage = `${requiredField} is required`;
      res.json({code: 1, message: errorMessage, data: null});
      return false;
    }
  }
  return true;
};

// Sanitizes pad id and returns it:
const sanitizePadId = (req) => {
  let padIdReceived = req.params.pad;
  padManager.sanitizePadId(padIdReceived, (padId) => {
    padIdReceived = padId;
  });

  return padIdReceived;
};

// Builds url for message broadcasting, based on settings.json and on the
// given endPoint:
const broadcastUrlFor = (endPoint) => {
  let url = '';
  if (settings.ssl) {
    url += 'https://';
  } else {
    url += 'http://';
  }
  url += `${settings.ip}:${settings.port}${endPoint}`;

  return url;
};

/* ********** Available functions/values: ********** */

exports.validateAuth = validateAuth;
exports.validateRequiredFields = validateRequiredFields;
exports.sanitizePadId = sanitizePadId;
exports.broadcastUrlFor = broadcastUrlFor;