| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355 |
- import _ from 'lodash-es'
- import { generateError, generateSuccess } from '../../helpers/graph.mjs'
- import jwt from 'jsonwebtoken'
- import ms from 'ms'
- import { DateTime } from 'luxon'
- export default {
- Query: {
- /**
- * List of API Keys
- */
- async apiKeys (obj, args, context) {
- const keys = await WIKI.db.apiKeys.query().orderBy(['isRevoked', 'name'])
- return keys.map(k => ({
- id: k.id,
- name: k.name,
- keyShort: '...' + k.key.substring(k.key.length - 20),
- isRevoked: k.isRevoked,
- expiration: k.expiration,
- createdAt: k.createdAt,
- updatedAt: k.updatedAt
- }))
- },
- /**
- * Current API State
- */
- apiState () {
- return WIKI.config.api.isEnabled
- },
- /**
- * Fetch authentication strategies
- */
- async authStrategies () {
- return WIKI.data.authentication.map(stg => ({
- ...stg,
- isAvailable: stg.isAvailable === true
- }))
- },
- /**
- * Fetch active authentication strategies
- */
- async authActiveStrategies (obj, args, context) {
- const strategies = await WIKI.db.authentication.getStrategies({ enabledOnly: args.enabledOnly })
- return strategies.map(a => {
- const str = _.find(WIKI.data.authentication, ['key', a.module]) || {}
- return {
- ...a,
- config: _.transform(str.props, (r, v, k) => {
- r[k] = v.sensitive ? '********' : a.config[k]
- }, {})
- }
- })
- },
- /**
- * Fetch site authentication strategies
- */
- async authSiteStrategies (obj, args, context, info) {
- const site = await WIKI.db.sites.query().findById(args.siteId)
- const activeStrategies = await WIKI.db.authentication.getStrategies({ enabledOnly: true })
- const siteStrategies = _.sortBy(activeStrategies.map(str => {
- const siteAuth = _.find(site.config.authStrategies, ['id', str.id]) || {}
- return {
- id: str.id,
- activeStrategy: str,
- order: siteAuth.order ?? 0,
- isVisible: siteAuth.isVisible ?? false
- }
- }), ['order'])
- return args.visibleOnly ? siteStrategies.filter(s => s.isVisible) : siteStrategies
- }
- },
- Mutation: {
- /**
- * Create New API Key
- */
- async createApiKey (obj, args, context) {
- try {
- const key = await WIKI.db.apiKeys.createNewKey(args)
- await WIKI.auth.reloadApiKeys()
- WIKI.events.outbound.emit('reloadApiKeys')
- return {
- key,
- operation: generateSuccess('API Key created successfully')
- }
- } catch (err) {
- WIKI.logger.warn(err)
- return generateError(err)
- }
- },
- /**
- * Perform Login
- */
- async login (obj, args, context) {
- try {
- const authResult = await WIKI.db.users.login(args, context)
- return {
- ...authResult,
- operation: generateSuccess('Login success')
- }
- } catch (err) {
- // LDAP Debug Flag
- if (args.strategy === 'ldap' && WIKI.config.flags.ldapdebug) {
- WIKI.logger.warn('LDAP LOGIN ERROR (c1): ', err)
- }
- WIKI.logger.debug(err)
- return generateError(err)
- }
- },
- /**
- * Perform 2FA Login
- */
- async loginTFA (obj, args, context) {
- try {
- const authResult = await WIKI.db.users.loginTFA(args, context)
- return {
- ...authResult,
- operation: generateSuccess('TFA success')
- }
- } catch (err) {
- WIKI.logger.debug(err)
- return generateError(err)
- }
- },
- /**
- * Perform Password Change
- */
- async changePassword (obj, args, context) {
- try {
- const authResult = await WIKI.db.users.loginChangePassword(args, context)
- return {
- ...authResult,
- operation: generateSuccess('Password changed successfully')
- }
- } catch (err) {
- WIKI.logger.debug(err)
- return generateError(err)
- }
- },
- /**
- * Perform Forget Password
- */
- async forgotPassword (obj, args, context) {
- try {
- await WIKI.db.users.loginForgotPassword(args, context)
- return {
- operation: generateSuccess('Password reset request processed.')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- /**
- * Register a new account
- */
- async register (obj, args, context) {
- try {
- const usr = await WIKI.db.users.createNewUser({ ...args, userInitiated: true })
- const authResult = await WIKI.db.users.afterLoginChecks(usr, WIKI.data.systemIds.localAuthId, context)
- return {
- ...authResult,
- operation: generateSuccess('Registration success')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- /**
- * Refresh Token
- */
- async refreshToken (obj, args, context) {
- try {
- let decoded = {}
- if (!args.token) {
- throw new Error('ERR_MISSING_TOKEN')
- }
- try {
- decoded = jwt.verify(args.token, WIKI.config.auth.certs.public, {
- audience: WIKI.config.auth.audience,
- issuer: 'urn:wiki.js',
- algorithms: ['RS256'],
- ignoreExpiration: true
- })
- } catch (err) {
- throw new Error('ERR_INVALID_TOKEN')
- }
- if (DateTime.utc().minus(ms(WIKI.config.auth.tokenRenewal)) > DateTime.fromSeconds(decoded.exp)) {
- throw new Error('ERR_EXPIRED_TOKEN')
- }
- const newToken = await WIKI.db.users.refreshToken(decoded.id)
- return {
- jwt: newToken.token,
- operation: generateSuccess('Token refreshed successfully')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- /**
- * Set API state
- */
- async setApiState (obj, args, context) {
- try {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- WIKI.config.api.isEnabled = args.enabled
- await WIKI.configSvc.saveToDb(['api'])
- return {
- operation: generateSuccess('API State changed successfully')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- /**
- * Revoke an API key
- */
- async revokeApiKey (obj, args, context) {
- try {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- await WIKI.db.apiKeys.query().findById(args.id).patch({
- isRevoked: true
- })
- await WIKI.auth.reloadApiKeys()
- WIKI.events.outbound.emit('reloadApiKeys')
- return {
- operation: generateSuccess('API Key revoked successfully')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- /**
- * Update Authentication Strategies
- */
- async updateAuthStrategies (obj, args, context) {
- try {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- const previousStrategies = await WIKI.db.authentication.getStrategies()
- for (const str of args.strategies) {
- const newStr = {
- displayName: str.displayName,
- isEnabled: str.isEnabled,
- config: _.reduce(str.config, (result, value, key) => {
- _.set(result, `${value.key}`, _.get(JSON.parse(value.value), 'v', null))
- return result
- }, {}),
- selfRegistration: str.selfRegistration,
- domainWhitelist: { v: str.domainWhitelist },
- autoEnrollGroups: { v: str.autoEnrollGroups }
- }
- if (_.some(previousStrategies, ['key', str.key])) {
- await WIKI.db.authentication.query().patch({
- key: str.key,
- strategyKey: str.strategyKey,
- ...newStr
- }).where('key', str.key)
- } else {
- await WIKI.db.authentication.query().insert({
- key: str.key,
- strategyKey: str.strategyKey,
- ...newStr
- })
- }
- }
- for (const str of _.differenceBy(previousStrategies, args.strategies, 'key')) {
- const hasUsers = await WIKI.db.users.query().count('* as total').where({ providerKey: str.key }).first()
- if (_.toSafeInteger(hasUsers.total) > 0) {
- throw new Error(`Cannot delete ${str.displayName} as 1 or more users are still using it.`)
- } else {
- await WIKI.db.authentication.query().delete().where('key', str.key)
- }
- }
- await WIKI.auth.activateStrategies()
- WIKI.events.outbound.emit('reloadAuthStrategies')
- return {
- responseResult: generateSuccess('Strategies updated successfully')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- /**
- * Generate New Authentication Public / Private Key Certificates
- */
- async regenerateCertificates (obj, args, context) {
- try {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- await WIKI.auth.regenerateCertificates()
- return {
- responseResult: generateSuccess('Certificates have been regenerated successfully.')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- /**
- * Reset Guest User
- */
- async resetGuestUser (obj, args, context) {
- try {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- await WIKI.auth.resetGuestUser()
- return {
- responseResult: generateSuccess('Guest user has been reset successfully.')
- }
- } catch (err) {
- return generateError(err)
- }
- }
- },
- // ------------------------------------------------------------------
- // TYPE: AuthenticationActiveStrategy
- // ------------------------------------------------------------------
- AuthenticationActiveStrategy: {
- config (obj, args, context) {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- return obj.config ?? {}
- },
- allowedEmailRegex (obj, args, context) {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- return obj.allowedEmailRegex ?? ''
- },
- autoEnrollGroups (obj, args, context) {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- return obj.autoEnrollGroups ?? []
- },
- strategy (obj, args, context) {
- return _.find(WIKI.data.authentication, ['key', obj.module])
- }
- }
- }
|
