server/api/controllers/access-tokens/create.js

/*!
 * Copyright (c) 2024 PLANKA Software GmbH
 * Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md
 */

const bcrypt = require('bcrypt');

const { isEmailOrUsername } = require('../../../utils/validators');
const { getRemoteAddress } = require('../../../utils/remote-address');

const Errors = {
  INVALID_CREDENTIALS: {
    invalidCredentials: 'Invalid credentials',
  },
  INVALID_EMAIL_OR_USERNAME: {
    invalidEmailOrUsername: 'Invalid email or username',
  },
  INVALID_PASSWORD: {
    invalidPassword: 'Invalid password',
  },
  USE_SINGLE_SIGN_ON: {
    useSingleSignOn: 'Use single sign-on',
  },
  TERMS_ACCEPTANCE_REQUIRED: {
    termsAcceptanceRequired: 'Terms acceptance required',
  },
};

module.exports = {
  inputs: {
    emailOrUsername: {
      type: 'string',
      maxLength: 256,
      custom: isEmailOrUsername,
      required: true,
    },
    password: {
      type: 'string',
      maxLength: 256,
      required: true,
    },
    withHttpOnlyToken: {
      type: 'boolean',
    },
  },

  exits: {
    invalidCredentials: {
      responseType: 'unauthorized',
    },
    invalidEmailOrUsername: {
      responseType: 'unauthorized',
    },
    invalidPassword: {
      responseType: 'unauthorized',
    },
    useSingleSignOn: {
      responseType: 'forbidden',
    },
    termsAcceptanceRequired: {
      responseType: 'forbidden',
    },
    adminLoginRequiredToInitializeInstance: {
      responseType: 'forbidden',
    },
  },

  async fn(inputs) {
    if (sails.config.custom.oidcEnforced) {
      throw Errors.USE_SINGLE_SIGN_ON;
    }

    const remoteAddress = getRemoteAddress(this.req);
    const user = await User.qm.getOneActiveByEmailOrUsername(inputs.emailOrUsername);

    if (!user) {
      sails.log.warn(
        `Invalid email or username: "${inputs.emailOrUsername}"! (IP: ${remoteAddress})`,
      );

      throw sails.config.custom.showDetailedAuthErrors
        ? Errors.INVALID_EMAIL_OR_USERNAME
        : Errors.INVALID_CREDENTIALS;
    }

    if (user.isSsoUser) {
      throw Errors.USE_SINGLE_SIGN_ON;
    }

    const isPasswordValid = await bcrypt.compare(inputs.password, user.password);

    if (!isPasswordValid) {
      sails.log.warn(`Invalid password! (IP: ${remoteAddress})`);

      throw sails.config.custom.showDetailedAuthErrors
        ? Errors.INVALID_PASSWORD
        : Errors.INVALID_CREDENTIALS;
    }

    return sails.helpers.accessTokens.handleSteps
      .with({
        user,
        remoteAddress,
        request: this.req,
        response: this.res,
        withHttpOnlyToken: inputs.withHttpOnlyToken,
      })
      .intercept('adminLoginRequiredToInitializeInstance', (error) => ({
        adminLoginRequiredToInitializeInstance: error.raw,
      }))
      .intercept('termsAcceptanceRequired', (error) => ({
        termsAcceptanceRequired: error.raw,
      }));
  },
};
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`/*!`
			`* Copyright (c) 2024 PLANKA Software GmbH`
			`* Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md`
			`*/`

Initial commit 2019-08-31 04:07:25 +05:00			`const bcrypt = require('bcrypt');`

feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`const { isEmailOrUsername } = require('../../../utils/validators');`
			`const { getRemoteAddress } = require('../../../utils/remote-address');`
feat: Modify logger to log to file that supports fail2ban (#284) 2022-08-22 18:42:56 -04:00
Initial commit 2019-08-31 04:07:25 +05:00			`const Errors = {`
feat: Ability to show detailed auth errors, set to false by default (#860) 2024-08-30 11:47:29 +02:00			`INVALID_CREDENTIALS: {`
			`invalidCredentials: 'Invalid credentials',`
			`},`
Add username to user 2020-04-03 00:35:25 +05:00			`INVALID_EMAIL_OR_USERNAME: {`
			`invalidEmailOrUsername: 'Invalid email or username',`
Initial commit 2019-08-31 04:07:25 +05:00			`},`
Add username to user 2020-04-03 00:35:25 +05:00			`INVALID_PASSWORD: {`
			`invalidPassword: 'Invalid password',`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`},`
fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00			`USE_SINGLE_SIGN_ON: {`
			`useSingleSignOn: 'Use single sign-on',`
			`},`
feat: Add legal requirements (#1306) 2025-08-21 15:10:02 +02:00			`TERMS_ACCEPTANCE_REQUIRED: {`
			`termsAcceptanceRequired: 'Terms acceptance required',`
			`},`
Initial commit 2019-08-31 04:07:25 +05:00			`};`

			`module.exports = {`
			`inputs: {`
Add username to user 2020-04-03 00:35:25 +05:00			`emailOrUsername: {`
Initial commit 2019-08-31 04:07:25 +05:00			`type: 'string',`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`maxLength: 256,`
			`custom: isEmailOrUsername,`
Initial commit 2019-08-31 04:07:25 +05:00			`required: true,`
			`},`
			`password: {`
			`type: 'string',`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`maxLength: 256,`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`required: true,`
			`},`
feat: Additional httpOnly token for enhanced security in browsers 2024-09-01 09:31:04 +02:00			`withHttpOnlyToken: {`
			`type: 'boolean',`
			`},`
Initial commit 2019-08-31 04:07:25 +05:00			`},`

			`exits: {`
feat: Ability to show detailed auth errors, set to false by default (#860) 2024-08-30 11:47:29 +02:00			`invalidCredentials: {`
			`responseType: 'unauthorized',`
			`},`
Add username to user 2020-04-03 00:35:25 +05:00			`invalidEmailOrUsername: {`
			`responseType: 'unauthorized',`
			`},`
			`invalidPassword: {`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`responseType: 'unauthorized',`
			`},`
fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00			`useSingleSignOn: {`
			`responseType: 'forbidden',`
			`},`
feat: Add legal requirements (#1306) 2025-08-21 15:10:02 +02:00			`termsAcceptanceRequired: {`
			`responseType: 'forbidden',`
			`},`
			`adminLoginRequiredToInitializeInstance: {`
			`responseType: 'forbidden',`
			`},`
Initial commit 2019-08-31 04:07:25 +05:00			`},`

Project managers, board members, auto-update after reconnection, refactoring 2021-06-24 01:05:22 +05:00			`async fn(inputs) {`
feat: Add ability to enforce SSO Closes #543, closes #545 2024-02-01 00:31:15 +01:00			`if (sails.config.custom.oidcEnforced) {`
			`throw Errors.USE_SINGLE_SIGN_ON;`
			`}`
feat: Invalidate access token on logout 2022-09-07 18:39:33 +05:00
feat: Add ability to enforce SSO Closes #543, closes #545 2024-02-01 00:31:15 +01:00			`const remoteAddress = getRemoteAddress(this.req);`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`const user = await User.qm.getOneActiveByEmailOrUsername(inputs.emailOrUsername);`
Initial commit 2019-08-31 04:07:25 +05:00
			`if (!user) {`
feat: Modify logger to log to file that supports fail2ban (#284) 2022-08-22 18:42:56 -04:00			`sails.log.warn(`
feat: Invalidate access token on logout 2022-09-07 18:39:33 +05:00			`Invalid email or username: "${inputs.emailOrUsername}"! (IP: ${remoteAddress})`,
feat: Modify logger to log to file that supports fail2ban (#284) 2022-08-22 18:42:56 -04:00			`);`
feat: Ability to show detailed auth errors, set to false by default (#860) 2024-08-30 11:47:29 +02:00
			`throw sails.config.custom.showDetailedAuthErrors`
			`? Errors.INVALID_EMAIL_OR_USERNAME`
			`: Errors.INVALID_CREDENTIALS;`
Initial commit 2019-08-31 04:07:25 +05:00			`}`

feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`if (user.isSsoUser) {`
fix: Fix order of checks when logging in 2023-10-18 23:07:57 +02:00			`throw Errors.USE_SINGLE_SIGN_ON;`
			`}`

feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`const isPasswordValid = await bcrypt.compare(inputs.password, user.password);`

			`if (!isPasswordValid) {`
feat: Invalidate access token on logout 2022-09-07 18:39:33 +05:00			sails.log.warn(`Invalid password! (IP: ${remoteAddress})`);
feat: Ability to show detailed auth errors, set to false by default (#860) 2024-08-30 11:47:29 +02:00
			`throw sails.config.custom.showDetailedAuthErrors`
			`? Errors.INVALID_PASSWORD`
			`: Errors.INVALID_CREDENTIALS;`
Initial commit 2019-08-31 04:07:25 +05:00			`}`

feat: Add legal requirements (#1306) 2025-08-21 15:10:02 +02:00			`return sails.helpers.accessTokens.handleSteps`
			`.with({`
			`user,`
			`remoteAddress,`
			`request: this.req,`
			`response: this.res,`
			`withHttpOnlyToken: inputs.withHttpOnlyToken,`
			`})`
			`.intercept('adminLoginRequiredToInitializeInstance', (error) => ({`
			`adminLoginRequiredToInitializeInstance: error.raw,`
			`}))`
			`.intercept('termsAcceptanceRequired', (error) => ({`
			`termsAcceptanceRequired: error.raw,`
			`}));`
Code formatting with prettier, change eslint config for the server 2019-11-05 18:01:42 +05:00			`},`
Initial commit 2019-08-31 04:07:25 +05:00			`};`