From 3cb5cbd8d539a2d57d30b988e60f01f5bf4c124e Mon Sep 17 00:00:00 2001
From: Nick O'Leary <nick.oleary@gmail.com>
Date: Tue, 23 Jan 2018 23:08:11 +0000
Subject: [PATCH] Allow adminAuth.user to be a Function Fixes #1461

---
 red/api/auth/clients.js |   6 +--
 red/api/auth/index.js   | 115 +++++++++++++++++++++-------------------
 red/api/auth/tokens.js  |   8 ++-
 red/api/auth/users.js   |  59 +++++++++++----------
 4 files changed, 97 insertions(+), 91 deletions(-)

diff --git a/red/api/auth/clients.js b/red/api/auth/clients.js
index 4495efba0..63e59ccce 100644
--- a/red/api/auth/clients.js
+++ b/red/api/auth/clients.js
@@ -13,8 +13,6 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  **/
- 
-var when = require("when");
 
 var clients = [
     {id:"node-red-editor",secret:"not_available"},
@@ -25,9 +23,9 @@ module.exports = {
     get: function(id) {
         for (var i=0;i<clients.length;i++) {
             if (clients[i].id == id) {
-                return when.resolve(clients[i]);
+                return Promise.resolve(clients[i]);
             }
         }
-        return when.resolve(null);
+        return Promise.resolve(null);
     }
 }
diff --git a/red/api/auth/index.js b/red/api/auth/index.js
index 787dbf604..fb481ef75 100644
--- a/red/api/auth/index.js
+++ b/red/api/auth/index.js
@@ -135,6 +135,66 @@ function completeVerify(profile,done) {
     });
 }
 
+
+function genericStrategy(adminApp,strategy) {
+    var crypto = require("crypto")
+    var session = require('express-session')
+    var MemoryStore = require('memorystore')(session)
+
+    adminApp.use(session({
+      // As the session is only used across the life-span of an auth
+      // hand-shake, we can use a instance specific random string
+      secret: crypto.randomBytes(20).toString('hex'),
+      resave: false,
+      saveUninitialized: false,
+      store: new MemoryStore({
+        checkPeriod: 86400000 // prune expired entries every 24h
+      })
+    }));
+    //TODO: all passport references ought to be in ./auth
+    adminApp.use(passport.initialize());
+    adminApp.use(passport.session());
+
+    var options = strategy.options;
+
+    passport.use(new strategy.strategy(options,
+        function() {
+            var originalDone = arguments[arguments.length-1];
+            if (options.verify) {
+                var args = Array.from(arguments);
+                args[args.length-1] = function(err,profile) {
+                    if (err) {
+                        return originalDone(err);
+                    } else {
+                        return completeVerify(profile,originalDone);
+                    }
+                };
+                options.verify.apply(null,args);
+            } else {
+                var profile = arguments[arguments.length - 2];
+                return completeVerify(profile,originalDone);
+            }
+
+        }
+    ));
+
+    adminApp.get('/auth/strategy',
+        passport.authenticate(strategy.name, {session:false, failureRedirect: settings.httpAdminRoot }),
+        completeGenerateStrategyAuth
+    );
+    adminApp.get('/auth/strategy/callback',
+        passport.authenticate(strategy.name, {session:false, failureRedirect: settings.httpAdminRoot }),
+        completeGenerateStrategyAuth
+    );
+
+}
+function completeGenerateStrategyAuth(req,res) {
+    var tokens = req.user.tokens;
+    delete req.user.tokens;
+    // Successful authentication, redirect home.
+    res.redirect(settings.httpAdminRoot + '?access_token='+tokens.accessToken);
+}
+
 module.exports = {
     init: init,
     needsPermission: needsPermission,
@@ -149,58 +209,5 @@ module.exports = {
     },
     login: login,
     revoke: revoke,
-    genericStrategy: function(adminApp,strategy) {
-        var crypto = require("crypto")
-        var session = require('express-session')
-        var MemoryStore = require('memorystore')(session)
-
-        adminApp.use(session({
-          // As the session is only used across the life-span of an auth
-          // hand-shake, we can use a instance specific random string
-          secret: crypto.randomBytes(20).toString('hex'),
-          resave: false,
-          saveUninitialized: false,
-          store: new MemoryStore({
-            checkPeriod: 86400000 // prune expired entries every 24h
-          })
-        }));
-        //TODO: all passport references ought to be in ./auth
-        adminApp.use(passport.initialize());
-        adminApp.use(passport.session());
-
-        var options = strategy.options;
-
-        passport.use(new strategy.strategy(options,
-            function() {
-                var originalDone = arguments[arguments.length-1];
-                if (options.verify) {
-                    var args = Array.prototype.slice.call(arguments);
-                    args[args.length-1] = function(err,profile) {
-                        if (err) {
-                            return originalDone(err);
-                        } else {
-                            return completeVerify(profile,originalDone);
-                        }
-                    };
-                    options.verify.apply(null,args);
-                } else {
-                    var profile = arguments[arguments.length - 2];
-                    return completeVerify(profile,originalDone);
-                }
-
-            }
-        ));
-
-        adminApp.get('/auth/strategy', passport.authenticate(strategy.name));
-        adminApp.get('/auth/strategy/callback',
-            passport.authenticate(strategy.name, {session:false, failureRedirect: settings.httpAdminRoot }),
-            function(req, res) {
-                var tokens = req.user.tokens;
-                delete req.user.tokens;
-                // Successful authentication, redirect home.
-                res.redirect(settings.httpAdminRoot + '?access_token='+tokens.accessToken);
-            }
-        );
-
-    }
+    genericStrategy: genericStrategy
 }
diff --git a/red/api/auth/tokens.js b/red/api/auth/tokens.js
index ae1e41eb3..620cd6a12 100644
--- a/red/api/auth/tokens.js
+++ b/red/api/auth/tokens.js
@@ -14,8 +14,6 @@
  * limitations under the License.
  **/
 
-var when = require("when");
-
 function generateToken(length) {
     var c = "ABCDEFGHIJKLMNOPQRSTUZWXYZabcdefghijklmnopqrstuvwxyz1234567890";
     var token = [];
@@ -49,7 +47,7 @@ function expireSessions() {
     if (modified) {
         return storage.saveSessions(sessions);
     } else {
-        return when.resolve();
+        return Promise.resolve();
     }
 }
 function loadSessions() {
@@ -69,7 +67,7 @@ module.exports = {
         // At this point, storage will not have been initialised, so defer loading
         // the sessions until there's a request for them.
         loadedSessions = null;
-        return when.resolve();
+        return Promise.resolve();
     },
     get: function(token) {
         return loadSessions().then(function() {
@@ -78,7 +76,7 @@ module.exports = {
                     return expireSessions().then(function() { return null });
                 }
             }
-            return when.resolve(sessions[token]);
+            return Promise.resolve(sessions[token]);
         });
     },
     create: function(user,client,scope) {
diff --git a/red/api/auth/users.js b/red/api/auth/users.js
index 64b603d83..92c4c9ce9 100644
--- a/red/api/auth/users.js
+++ b/red/api/auth/users.js
@@ -14,13 +14,12 @@
 * limitations under the License.
 **/
 
-var when = require("when");
 var util = require("util");
+var clone = require("clone");
 var bcrypt;
 try { bcrypt = require('bcrypt'); }
 catch(e) { bcrypt = require('bcryptjs'); }
 var users = {};
-var passwords = {};
 var defaultUser = null;
 
 function authenticate() {
@@ -28,31 +27,33 @@ function authenticate() {
     if (typeof username !== 'string') {
         username = username.username;
     }
-    var user = users[username];
-    if (user) {
-        if (arguments.length === 2) {
-            // Username/password authentication
-            var password = arguments[1];
-            return when.promise(function(resolve,reject) {
-                bcrypt.compare(password, passwords[username], function(err, res) {
-                    resolve(res?user:null);
+    const args = Array.from(arguments);
+    return api.get(username).then(function(user) {
+        if (user) {
+            if (args.length === 2) {
+                // Username/password authentication
+                var password = args[1];
+                return new Promise(function(resolve,reject) {
+                    bcrypt.compare(password, user.password, function(err, res) {
+                        resolve(res?cleanUser(user):null);
+                    });
                 });
-            });
-        } else {
-            // Try to extract common profile information
-            if (arguments[0].hasOwnProperty('photos') && arguments[0].photos.length > 0) {
-                user.image = arguments[0].photos[0].value;
+            } else {
+                // Try to extract common profile information
+                if (args[0].hasOwnProperty('photos') && args[0].photos.length > 0) {
+                    user.image = args[0].photos[0].value;
+                }
+                return cleanUser(user);
             }
-            return when.resolve(user);
         }
-    }
-    return when.resolve(null);
+        return null;
+    });
 }
 function get(username) {
-    return when.resolve(users[username]);
+    return Promise.resolve(users[username]);
 }
 function getDefaultUser() {
-    return when.resolve(null);
+    return Promise.resolve(null);
 }
 
 var api = {
@@ -63,7 +64,6 @@ var api = {
 
 function init(config) {
     users = {};
-    passwords = {};
     defaultUser = null;
     if (config.type == "credentials" || config.type == "strategy") {
         if (config.users) {
@@ -77,11 +77,7 @@ function init(config) {
                 }
                 for (var i=0;i<us.length;i++) {
                     var u = us[i];
-                    users[u.username] = {
-                        "username":u.username,
-                        "permissions":u.permissions
-                    };
-                    passwords[u.username] = u.password;
+                    users[u.username] = clone(u);
                 }
             }
         }
@@ -96,7 +92,7 @@ function init(config) {
             api.default = config.default;
         } else {
             api.default = function() {
-                return when.resolve({
+                return Promise.resolve({
                     "anonymous": true,
                     "permissions":config.default.permissions
                 });
@@ -106,10 +102,17 @@ function init(config) {
         api.default = getDefaultUser;
     }
 }
+function cleanUser(user) {
+    if (user && user.hasOwnProperty('password')) {
+        user = clone(user);
+        delete user.password;
+    }
+    return user;
+}
 
 module.exports = {
     init: init,
-    get: function(username) { return api.get(username) },
+    get: function(username) { return api.get(username).then(cleanUser)},
     authenticate: function() { return api.authenticate.apply(null, arguments) },
     default: function() { return api.default(); }
 };