mirrors
/
wekan
mirror of https://github.com/wekan/wekan.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326
							/* eslint-disable no-underscore-dangle */

import { Meteor } from 'meteor/meteor';
import { Accounts } from 'meteor/accounts-base';

class KnownUser {
  constructor(settings) {
    this.unchangedSettings = settings;
    this.settings = settings;
  }

  startup() {
    if (!(this.unchangedSettings instanceof Function)) {
      this.updateSettings();
    }
    this.scheduleUnlocksForLockedAccounts();
    KnownUser.unlockAccountsIfLockoutAlreadyExpired();
    this.hookIntoAccounts();
  }

  updateSettings() {
    const settings = KnownUser.knownUsers();
    if (settings) {
      settings.forEach(function updateSetting({ key, value }) {
        this.settings[key] = value;
      });
    }
    this.validateSettings();
  }

  validateSettings() {
    if (
      !this.settings.failuresBeforeLockout ||
      this.settings.failuresBeforeLockout < 0
    ) {
      throw new Error('"failuresBeforeLockout" is not positive integer');
    }
    if (
      !this.settings.lockoutPeriod ||
      this.settings.lockoutPeriod < 0
    ) {
      throw new Error('"lockoutPeriod" is not positive integer');
    }
    if (
      !this.settings.failureWindow ||
      this.settings.failureWindow < 0
    ) {
      throw new Error('"failureWindow" is not positive integer');
    }
  }

  scheduleUnlocksForLockedAccounts() {
    const lockedAccountsCursor = Meteor.users.find(
      {
        'services.accounts-lockout.unlockTime': {
          $gt: Number(new Date()),
        },
      },
      {
        fields: {
          'services.accounts-lockout.unlockTime': 1,
        },
      },
    );
    const currentTime = Number(new Date());
    lockedAccountsCursor.forEach((user) => {
      let lockDuration = KnownUser.unlockTime(user) - currentTime;
      if (lockDuration >= this.settings.lockoutPeriod) {
        lockDuration = this.settings.lockoutPeriod * 1000;
      }
      if (lockDuration <= 1) {
        lockDuration = 1;
      }
      Meteor.setTimeout(
        KnownUser.unlockAccount.bind(null, user._id),
        lockDuration,
      );
    });
  }

  static unlockAccountsIfLockoutAlreadyExpired() {
    const currentTime = Number(new Date());
    const query = {
      'services.accounts-lockout.unlockTime': {
        $lt: currentTime,
      },
    };
    const data = {
      $unset: {
        'services.accounts-lockout.unlockTime': 0,
        'services.accounts-lockout.failedAttempts': 0,
      },
    };
    Meteor.users.update(query, data);
  }

  hookIntoAccounts() {
    Accounts.validateLoginAttempt(this.validateLoginAttempt.bind(this));
    Accounts.onLogin(KnownUser.onLogin);
  }


  validateLoginAttempt(loginInfo) {
    if (
      // don't interrupt non-password logins
      loginInfo.type !== 'password' ||
      loginInfo.user === undefined ||
      // Don't handle errors unless they are due to incorrect password
      (loginInfo.error !== undefined && loginInfo.error.reason !== 'Incorrect password')
    ) {
      return loginInfo.allowed;
    }

    // If there was no login error and the account is NOT locked, don't interrupt
    const unlockTime = KnownUser.unlockTime(loginInfo.user);
    if (loginInfo.error === undefined && unlockTime === 0) {
      return loginInfo.allowed;
    }

    if (this.unchangedSettings instanceof Function) {
      this.settings = this.unchangedSettings(loginInfo.user);
      this.validateSettings();
    }

    const userId = loginInfo.user._id;
    let failedAttempts = 1 + KnownUser.failedAttempts(loginInfo.user);
    const firstFailedAttempt = KnownUser.firstFailedAttempt(loginInfo.user);
    const currentTime = Number(new Date());

    const canReset = (currentTime - firstFailedAttempt) > (1000 * this.settings.failureWindow);
    if (canReset) {
      failedAttempts = 1;
      KnownUser.resetAttempts(failedAttempts, userId);
    }

    const canIncrement = failedAttempts < this.settings.failuresBeforeLockout;
    if (canIncrement) {
      KnownUser.incrementAttempts(failedAttempts, userId);
    }

    const maxAttemptsAllowed = this.settings.failuresBeforeLockout;
    const attemptsRemaining = maxAttemptsAllowed - failedAttempts;
    if (unlockTime > currentTime) {
      let duration = unlockTime - currentTime;
      duration = Math.ceil(duration / 1000);
      duration = duration > 1 ? duration : 1;
      KnownUser.tooManyAttempts(duration);
    }
    if (failedAttempts === maxAttemptsAllowed) {
      this.setNewUnlockTime(failedAttempts, userId);

      let duration = this.settings.lockoutPeriod;
      duration = Math.ceil(duration);
      duration = duration > 1 ? duration : 1;
      return KnownUser.tooManyAttempts(duration);
    }
    return KnownUser.incorrectPassword(
      failedAttempts,
      maxAttemptsAllowed,
      attemptsRemaining,
    );
  }

  static resetAttempts(
    failedAttempts,
    userId,
  ) {
    const currentTime = Number(new Date());
    const query = { _id: userId };
    const data = {
      $set: {
        'services.accounts-lockout.failedAttempts': failedAttempts,
        'services.accounts-lockout.lastFailedAttempt': currentTime,
        'services.accounts-lockout.firstFailedAttempt': currentTime,
      },
    };
    Meteor.users.update(query, data);
  }

  static incrementAttempts(
    failedAttempts,
    userId,
  ) {
    const currentTime = Number(new Date());
    const query = { _id: userId };
    const data = {
      $set: {
        'services.accounts-lockout.failedAttempts': failedAttempts,
        'services.accounts-lockout.lastFailedAttempt': currentTime,
      },
    };
    Meteor.users.update(query, data);
  }

  setNewUnlockTime(
    failedAttempts,
    userId,
  ) {
    const currentTime = Number(new Date());
    const newUnlockTime = (1000 * this.settings.lockoutPeriod) + currentTime;
    const query = { _id: userId };
    const data = {
      $set: {
        'services.accounts-lockout.failedAttempts': failedAttempts,
        'services.accounts-lockout.lastFailedAttempt': currentTime,
        'services.accounts-lockout.unlockTime': newUnlockTime,
      },
    };
    Meteor.users.update(query, data);
    Meteor.setTimeout(
      KnownUser.unlockAccount.bind(null, userId),
      this.settings.lockoutPeriod * 1000,
    );
  }

  static onLogin(loginInfo) {
    //get the data from oidc login and remove again?
    if(loginInfo.type ==='oidc'){
      Meteor.call('groupRoutineOnLogin', loginInfo.user.services.oidc, loginInfo.user._id);
      return;
    }
    if (loginInfo.type !== 'password') {
      return;
    }
    const userId = loginInfo.user._id;
    const query = { _id: userId };
    const data = {
      $unset: {
        'services.accounts-lockout.unlockTime': 0,
        'services.accounts-lockout.failedAttempts': 0,
      },
    };
    Meteor.users.update(query, data);
  }

  static incorrectPassword(
    failedAttempts,
    maxAttemptsAllowed,
    attemptsRemaining,
  ) {
    throw new Meteor.Error(
      403,
      'Incorrect password',
      JSON.stringify({
        message: 'Incorrect password',
        failedAttempts,
        maxAttemptsAllowed,
        attemptsRemaining,
      }),
    );
  }

  static tooManyAttempts(duration) {
    throw new Meteor.Error(
      403,
      'Too many attempts',
      JSON.stringify({
        message: 'Wrong passwords were submitted too many times. Account is locked for a while.',
        duration,
      }),
    );
  }

  static knownUsers() {
    let knownUsers;
    try {
      knownUsers = Meteor.settings['accounts-lockout'].knownUsers;
    } catch (e) {
      knownUsers = false;
    }
    return knownUsers || false;
  }

  static unlockTime(user) {
    let unlockTime;
    try {
      unlockTime = user.services['accounts-lockout'].unlockTime;
    } catch (e) {
      unlockTime = 0;
    }
    return unlockTime || 0;
  }

  static failedAttempts(user) {
    let failedAttempts;
    try {
      failedAttempts = user.services['accounts-lockout'].failedAttempts;
    } catch (e) {
      failedAttempts = 0;
    }
    return failedAttempts || 0;
  }

  static lastFailedAttempt(user) {
    let lastFailedAttempt;
    try {
      lastFailedAttempt = user.services['accounts-lockout'].lastFailedAttempt;
    } catch (e) {
      lastFailedAttempt = 0;
    }
    return lastFailedAttempt || 0;
  }

  static firstFailedAttempt(user) {
    let firstFailedAttempt;
    try {
      firstFailedAttempt = user.services['accounts-lockout'].firstFailedAttempt;
    } catch (e) {
      firstFailedAttempt = 0;
    }
    return firstFailedAttempt || 0;
  }

  static unlockAccount(userId) {
    const query = { _id: userId };
    const data = {
      $unset: {
        'services.accounts-lockout.unlockTime': 0,
        'services.accounts-lockout.failedAttempts': 0,
      },
    };
    Meteor.users.update(query, data);
  }
}

export default KnownUser;