2025-05-10 02:09:06 +02:00
|
|
|
/*!
|
|
|
|
|
* Copyright (c) 2024 PLANKA Software GmbH
|
|
|
|
|
* Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md
|
|
|
|
|
*/
|
|
|
|
|
|
2025-09-08 16:20:27 +02:00
|
|
|
/**
|
|
|
|
|
* @swagger
|
2025-09-08 18:25:26 +02:00
|
|
|
* /access-tokens:
|
2025-09-08 16:20:27 +02:00
|
|
|
* post:
|
|
|
|
|
* summary: User login
|
|
|
|
|
* description: Authenticates a user using email/username and password. Returns an access token for API authentication.
|
|
|
|
|
* tags:
|
|
|
|
|
* - Access Tokens
|
2025-09-12 12:17:01 +02:00
|
|
|
* operationId: createAccessToken
|
2025-09-08 16:20:27 +02:00
|
|
|
* requestBody:
|
|
|
|
|
* required: true
|
|
|
|
|
* content:
|
|
|
|
|
* application/json:
|
|
|
|
|
* schema:
|
|
|
|
|
* type: object
|
|
|
|
|
* required:
|
|
|
|
|
* - emailOrUsername
|
|
|
|
|
* - password
|
|
|
|
|
* properties:
|
|
|
|
|
* emailOrUsername:
|
|
|
|
|
* type: string
|
|
|
|
|
* maxLength: 256
|
|
|
|
|
* description: Email address or username of the user
|
|
|
|
|
* example: john.doe@example.com
|
|
|
|
|
* password:
|
|
|
|
|
* type: string
|
|
|
|
|
* maxLength: 256
|
|
|
|
|
* description: Password of the user
|
|
|
|
|
* example: SecurePassword123!
|
|
|
|
|
* withHttpOnlyToken:
|
|
|
|
|
* type: boolean
|
|
|
|
|
* description: Whether to include an HTTP-only authentication cookie
|
|
|
|
|
* example: true
|
|
|
|
|
* responses:
|
|
|
|
|
* 200:
|
|
|
|
|
* description: Login successful
|
|
|
|
|
* content:
|
|
|
|
|
* application/json:
|
|
|
|
|
* schema:
|
|
|
|
|
* type: object
|
|
|
|
|
* required:
|
|
|
|
|
* - item
|
|
|
|
|
* properties:
|
|
|
|
|
* item:
|
|
|
|
|
* type: string
|
|
|
|
|
* description: Access token for API authentication
|
|
|
|
|
* example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ4...
|
|
|
|
|
* headers:
|
|
|
|
|
* Set-Cookie:
|
|
|
|
|
* description: HTTP-only authentication cookie (if withHttpOnlyToken is true)
|
|
|
|
|
* schema:
|
|
|
|
|
* type: string
|
|
|
|
|
* example: httpOnlyToken=29aa3e38-8d24-4029-9743-9cbcf0a0dd5c; HttpOnly; Secure; SameSite=Strict
|
|
|
|
|
* 400:
|
|
|
|
|
* $ref: '#/components/responses/ValidationError'
|
|
|
|
|
* 401:
|
|
|
|
|
* description: Invalid credentials
|
|
|
|
|
* content:
|
|
|
|
|
* application/json:
|
|
|
|
|
* schema:
|
|
|
|
|
* type: object
|
|
|
|
|
* required:
|
|
|
|
|
* - code
|
|
|
|
|
* - message
|
|
|
|
|
* properties:
|
|
|
|
|
* code:
|
|
|
|
|
* type: string
|
|
|
|
|
* description: Error code
|
|
|
|
|
* example: E_UNAUTHORIZED
|
|
|
|
|
* message:
|
|
|
|
|
* type: string
|
|
|
|
|
* enum:
|
|
|
|
|
* - Invalid credentials
|
|
|
|
|
* - Invalid email or username
|
|
|
|
|
* - Invalid password
|
|
|
|
|
* description: Specific error message
|
|
|
|
|
* example: Invalid credentials
|
|
|
|
|
* 403:
|
|
|
|
|
* description: Authentication restriction
|
|
|
|
|
* content:
|
|
|
|
|
* application/json:
|
|
|
|
|
* schema:
|
|
|
|
|
* type: object
|
|
|
|
|
* required:
|
|
|
|
|
* - code
|
|
|
|
|
* - message
|
|
|
|
|
* properties:
|
|
|
|
|
* code:
|
|
|
|
|
* type: string
|
|
|
|
|
* description: Error code
|
|
|
|
|
* example: E_FORBIDDEN
|
|
|
|
|
* message:
|
|
|
|
|
* type: string
|
|
|
|
|
* enum:
|
|
|
|
|
* - Use single sign-on
|
|
|
|
|
* - Terms acceptance required
|
|
|
|
|
* - Admin login required to initialize instance
|
|
|
|
|
* description: Specific error message
|
|
|
|
|
* example: Use single sign-on
|
2025-09-12 12:17:01 +02:00
|
|
|
* security: []
|
2025-09-08 16:20:27 +02:00
|
|
|
*/
|
|
|
|
|
|
2019-08-31 04:07:25 +05:00
|
|
|
const bcrypt = require('bcrypt');
|
|
|
|
|
|
2025-05-10 02:09:06 +02:00
|
|
|
const { isEmailOrUsername } = require('../../../utils/validators');
|
|
|
|
|
const { getRemoteAddress } = require('../../../utils/remote-address');
|
2022-08-22 18:42:56 -04:00
|
|
|
|
2019-08-31 04:07:25 +05:00
|
|
|
const Errors = {
|
2024-08-30 11:47:29 +02:00
|
|
|
INVALID_CREDENTIALS: {
|
|
|
|
|
invalidCredentials: 'Invalid credentials',
|
|
|
|
|
},
|
2020-04-03 00:35:25 +05:00
|
|
|
INVALID_EMAIL_OR_USERNAME: {
|
|
|
|
|
invalidEmailOrUsername: 'Invalid email or username',
|
2019-08-31 04:07:25 +05:00
|
|
|
},
|
2020-04-03 00:35:25 +05:00
|
|
|
INVALID_PASSWORD: {
|
|
|
|
|
invalidPassword: 'Invalid password',
|
2019-11-05 18:01:42 +05:00
|
|
|
},
|
2023-10-17 19:18:19 +02:00
|
|
|
USE_SINGLE_SIGN_ON: {
|
|
|
|
|
useSingleSignOn: 'Use single sign-on',
|
|
|
|
|
},
|
2025-08-21 15:10:02 +02:00
|
|
|
TERMS_ACCEPTANCE_REQUIRED: {
|
|
|
|
|
termsAcceptanceRequired: 'Terms acceptance required',
|
|
|
|
|
},
|
2019-08-31 04:07:25 +05:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
module.exports = {
|
|
|
|
|
inputs: {
|
2020-04-03 00:35:25 +05:00
|
|
|
emailOrUsername: {
|
2019-08-31 04:07:25 +05:00
|
|
|
type: 'string',
|
2025-05-10 02:09:06 +02:00
|
|
|
maxLength: 256,
|
|
|
|
|
custom: isEmailOrUsername,
|
2019-08-31 04:07:25 +05:00
|
|
|
required: true,
|
|
|
|
|
},
|
|
|
|
|
password: {
|
|
|
|
|
type: 'string',
|
2025-05-10 02:09:06 +02:00
|
|
|
maxLength: 256,
|
2019-11-05 18:01:42 +05:00
|
|
|
required: true,
|
|
|
|
|
},
|
2024-09-01 09:31:04 +02:00
|
|
|
withHttpOnlyToken: {
|
|
|
|
|
type: 'boolean',
|
|
|
|
|
},
|
2019-08-31 04:07:25 +05:00
|
|
|
},
|
|
|
|
|
|
|
|
|
|
exits: {
|
2024-08-30 11:47:29 +02:00
|
|
|
invalidCredentials: {
|
|
|
|
|
responseType: 'unauthorized',
|
|
|
|
|
},
|
2020-04-03 00:35:25 +05:00
|
|
|
invalidEmailOrUsername: {
|
|
|
|
|
responseType: 'unauthorized',
|
|
|
|
|
},
|
|
|
|
|
invalidPassword: {
|
2019-11-05 18:01:42 +05:00
|
|
|
responseType: 'unauthorized',
|
|
|
|
|
},
|
2023-10-17 19:18:19 +02:00
|
|
|
useSingleSignOn: {
|
|
|
|
|
responseType: 'forbidden',
|
|
|
|
|
},
|
2025-08-21 15:10:02 +02:00
|
|
|
termsAcceptanceRequired: {
|
|
|
|
|
responseType: 'forbidden',
|
|
|
|
|
},
|
|
|
|
|
adminLoginRequiredToInitializeInstance: {
|
|
|
|
|
responseType: 'forbidden',
|
|
|
|
|
},
|
2019-08-31 04:07:25 +05:00
|
|
|
},
|
|
|
|
|
|
2021-06-24 01:05:22 +05:00
|
|
|
async fn(inputs) {
|
2024-02-01 00:31:15 +01:00
|
|
|
if (sails.config.custom.oidcEnforced) {
|
|
|
|
|
throw Errors.USE_SINGLE_SIGN_ON;
|
|
|
|
|
}
|
2022-09-07 18:39:33 +05:00
|
|
|
|
2024-02-01 00:31:15 +01:00
|
|
|
const remoteAddress = getRemoteAddress(this.req);
|
2025-05-10 02:09:06 +02:00
|
|
|
const user = await User.qm.getOneActiveByEmailOrUsername(inputs.emailOrUsername);
|
2019-08-31 04:07:25 +05:00
|
|
|
|
|
|
|
|
if (!user) {
|
2022-08-22 18:42:56 -04:00
|
|
|
sails.log.warn(
|
2022-09-07 18:39:33 +05:00
|
|
|
`Invalid email or username: "${inputs.emailOrUsername}"! (IP: ${remoteAddress})`,
|
2022-08-22 18:42:56 -04:00
|
|
|
);
|
2024-08-30 11:47:29 +02:00
|
|
|
|
|
|
|
|
throw sails.config.custom.showDetailedAuthErrors
|
|
|
|
|
? Errors.INVALID_EMAIL_OR_USERNAME
|
|
|
|
|
: Errors.INVALID_CREDENTIALS;
|
2019-08-31 04:07:25 +05:00
|
|
|
}
|
|
|
|
|
|
2025-05-10 02:09:06 +02:00
|
|
|
if (user.isSsoUser) {
|
2023-10-18 23:07:57 +02:00
|
|
|
throw Errors.USE_SINGLE_SIGN_ON;
|
|
|
|
|
}
|
|
|
|
|
|
2025-05-10 02:09:06 +02:00
|
|
|
const isPasswordValid = await bcrypt.compare(inputs.password, user.password);
|
|
|
|
|
|
|
|
|
|
if (!isPasswordValid) {
|
2022-09-07 18:39:33 +05:00
|
|
|
sails.log.warn(`Invalid password! (IP: ${remoteAddress})`);
|
2024-08-30 11:47:29 +02:00
|
|
|
|
|
|
|
|
throw sails.config.custom.showDetailedAuthErrors
|
|
|
|
|
? Errors.INVALID_PASSWORD
|
|
|
|
|
: Errors.INVALID_CREDENTIALS;
|
2019-08-31 04:07:25 +05:00
|
|
|
}
|
|
|
|
|
|
2025-08-21 15:10:02 +02:00
|
|
|
return sails.helpers.accessTokens.handleSteps
|
|
|
|
|
.with({
|
|
|
|
|
user,
|
|
|
|
|
remoteAddress,
|
|
|
|
|
request: this.req,
|
|
|
|
|
response: this.res,
|
|
|
|
|
withHttpOnlyToken: inputs.withHttpOnlyToken,
|
|
|
|
|
})
|
|
|
|
|
.intercept('adminLoginRequiredToInitializeInstance', (error) => ({
|
|
|
|
|
adminLoginRequiredToInitializeInstance: error.raw,
|
|
|
|
|
}))
|
|
|
|
|
.intercept('termsAcceptanceRequired', (error) => ({
|
|
|
|
|
termsAcceptanceRequired: error.raw,
|
|
|
|
|
}));
|
2019-11-05 18:01:42 +05:00
|
|
|
},
|
2019-08-31 04:07:25 +05:00
|
|
|
};
|
