صفحهٔ اصلی گشت‌و‌گذار راهنما
ثبت نام ورود
wxcz_admin
/
pilotdeck-cn-git
1
0
انشعاب 0
پرونده‌ها مشکلات 0 درخواست واکشی 0 ویکی
شاخه: master
شاخه‌ها تگ‌ها
pilotdeck-cn-gi...
/
ui
/
server
/
middleware
/
auth.js

auth.js 4.3 KB
لینک دائمی تاريخچه خام

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157 
  1. import jwt from 'jsonwebtoken';
    2. 

  2. import { userDb, appConfigDb } from '../database/db.js';
    3. 

  3. import { IS_PLATFORM, DISABLE_LOCAL_AUTH } from '../constants/config.js';
    4. 

  4. 

  5. // Use env var if set, otherwise auto-generate a unique secret per installation
    6. 

  6. const JWT_SECRET = process.env.JWT_SECRET || appConfigDb.getOrCreateJwtSecret();
    7. 

  7. 

  8. // Optional API key middleware
    9. 

  9. const validateApiKey = (req, res, next) => {
    10. 

  10.   // Skip API key validation if not configured
    11. 

  11.   if (!process.env.API_KEY) {
    12. 

  12.     return next();
    13. 

  13.   }
    14. 

  14.   
    15. 

  15.   const apiKey = req.headers['x-api-key'];
    16. 

  16.   if (apiKey !== process.env.API_KEY) {
    17. 

  17.     return res.status(401).json({ error: 'Invalid API key' });
    18. 

  18.   }
    19. 

  19.   next();
    20. 

  20. };
    21. 

  21. 

  22. function extractDashboardRefererToken(req) {
    23. 

  23.   const refererHeader = req.headers.referer || req.headers.referrer;
    24. 

  24.   if (!refererHeader || Array.isArray(refererHeader)) {
    25. 

  25.     return null;
    26. 

  26.   }
    27. 

  27. 

  28.   try {
    29. 

  29.     const refererUrl = new URL(
    30. 

  30.       refererHeader,
    31. 

  31.       `${req.protocol}://${req.get('host')}`,
    32. 

  32.     );
    33. 

  33.     if (!refererUrl.pathname.startsWith('/memory-dashboard')) {
    34. 

  34.       return null;
    35. 

  35.     }
    36. 

  36.     return refererUrl.searchParams.get('token');
    37. 

  37.   } catch {
    38. 

  38.     return null;
    39. 

  39.   }
    40. 

  40. }
    41. 

  41. 

  42. // JWT authentication middleware
    43. 

  43. const authenticateToken = async (req, res, next) => {
    44. 

  44.   // Platform mode:  use single database user
    45. 

  45.   if (IS_PLATFORM || DISABLE_LOCAL_AUTH) {
    46. 

  46.     try {
    47. 

  47.       const user = userDb.getFirstUser();
    48. 

  48.       if (!user) {
    49. 

  49.         return res.status(500).json({ error: 'No user found in database (restart server after DB init)' });
    50. 

  50.       }
    51. 

  51.       req.user = user;
    52. 

  52.       return next();
    53. 

  53.     } catch (error) {
    54. 

  54.       console.error('Auth bypass mode error:', error);
    55. 

  55.       return res.status(500).json({ error: 'Failed to fetch user' });
    56. 

  56.     }
    57. 

  57.   }
    58. 

  58. 

  59.   // Normal OSS JWT validation
    60. 

  60.   const authHeader = req.headers['authorization'];
    61. 

  61.   let token = authHeader && authHeader.split(' ')[1]; // Bearer TOKEN
    62. 

  62. 

  63.   // Also check query param for SSE endpoints (EventSource can't set headers)
    64. 

  64.   if (!token && req.query.token) {
    65. 

  65.     token = req.query.token;
    66. 

  66.   }
    67. 

  67.   // Memory dashboard static assets inherit the iframe document URL as Referer,
    68. 

  68.   // but do not inherit the query string onto app.js/app.css requests.
    69. 

  69.   if (!token) {
    70. 

  70.     token = extractDashboardRefererToken(req);
    71. 

  71.   }
    72. 

  72. 

  73.   if (!token) {
    74. 

  74.     return res.status(401).json({ error: 'Access denied. No token provided.' });
    75. 

  75.   }
    76. 

  76. 

  77.   try {
    78. 

  78.     const decoded = jwt.verify(token, JWT_SECRET);
    79. 

  79. 

  80.     // Verify user still exists and is active
    81. 

  81.     const user = userDb.getUserById(decoded.userId);
    82. 

  82.     if (!user) {
    83. 

  83.       return res.status(401).json({ error: 'Invalid token. User not found.' });
    84. 

  84.     }
    85. 

  85. 

  86.     // Auto-refresh: if token is past halfway through its lifetime, issue a new one
    87. 

  87.     if (decoded.exp && decoded.iat) {
    88. 

  88.       const now = Math.floor(Date.now() / 1000);
    89. 

  89.       const halfLife = (decoded.exp - decoded.iat) / 2;
    90. 

  90.       if (now > decoded.iat + halfLife) {
    91. 

  91.         const newToken = generateToken(user);
    92. 

  92.         res.setHeader('X-Refreshed-Token', newToken);
    93. 

  93.       }
    94. 

  94.     }
    95. 

  95. 

  96.     req.user = user;
    97. 

  97.     next();
    98. 

  98.   } catch (error) {
    99. 

  99.     console.error('Token verification error:', error);
    100. 

  100.     return res.status(403).json({ error: 'Invalid token' });
    101. 

  101.   }
    102. 

  102. };
    103. 

  103. 

  104. // Generate JWT token
    105. 

  105. const generateToken = (user) => {
    106. 

  106.   return jwt.sign(
    107. 

  107.     {
    108. 

  108.       userId: user.id,
    109. 

  109.       username: user.username
    110. 

  110.     },
    111. 

  111.     JWT_SECRET,
    112. 

  112.     { expiresIn: '7d' }
    113. 

  113.   );
    114. 

  114. };
    115. 

  115. 

  116. // WebSocket authentication function
    117. 

  117. const authenticateWebSocket = (token) => {
    118. 

  118.   // Platform mode: bypass token validation, return first user
    119. 

  119.   if (IS_PLATFORM || DISABLE_LOCAL_AUTH) {
    120. 

  120.     try {
    121. 

  121.       const user = userDb.getFirstUser();
    122. 

  122.       if (user) {
    123. 

  123.         return { id: user.id, userId: user.id, username: user.username };
    124. 

  124.       }
    125. 

  125.       return null;
    126. 

  126.     } catch (error) {
    127. 

  127.       console.error('Platform mode WebSocket error:', error);
    128. 

  128.       return null;
    129. 

  129.     }
    130. 

  130.   }
    131. 

  131. 

  132.   // Normal OSS JWT validation
    133. 

  133.   if (!token) {
    134. 

  134.     return null;
    135. 

  135.   }
    136. 

  136. 

  137.   try {
    138. 

  138.     const decoded = jwt.verify(token, JWT_SECRET);
    139. 

  139.     // Verify user actually exists in database (matches REST authenticateToken behavior)
    140. 

  140.     const user = userDb.getUserById(decoded.userId);
    141. 

  141.     if (!user) {
    142. 

  142.       return null;
    143. 

  143.     }
    144. 

  144.     return { userId: user.id, username: user.username };
    145. 

  145.   } catch (error) {
    146. 

  146.     console.error('WebSocket token verification error:', error);
    147. 

  147.     return null;
    148. 

  148.   }
    149. 

  149. };
    150. 

  150. 

  151. export {
    152. 

  152.   validateApiKey,
    153. 

  153.   authenticateToken,
    154. 

  154.   generateToken,
    155. 

  155.   authenticateWebSocket,
    156. 

  156.   JWT_SECRET
    157. 

  157. };
    158.