diff --git a/core/database.js b/core/database.js index eb00dc6f..4f1e4ccb 100644 --- a/core/database.js +++ b/core/database.js @@ -5,11 +5,12 @@ var conf = require('./config.js'); var sqlite3 = require('sqlite3'); var paths = require('path'); -exports.initializeDatabases = initializeDatabases; -exports.user = user; +// database handles +var dbs = {}; -// db handles -var user; +exports.initializeDatabases = initializeDatabases; + +exports.dbs = dbs; function getDatabasePath(name) { return paths.join(conf.config.paths.db, name + '.sqlite3'); @@ -17,15 +18,15 @@ function getDatabasePath(name) { function initializeDatabases() { // :TODO: this will need to change if more DB's are added - user = new sqlite3.Database(getDatabasePath('user')); + dbs.user = new sqlite3.Database(getDatabasePath('user')); - user.serialize(function onSerialized() { + dbs.user.serialize(function onSerialized() { createUserTables(); }); } function createUserTables() { - user.run( + dbs.user.run( 'CREATE TABLE IF NOT EXISTS user (' + ' id INTEGER PRIMARY KEY,' + ' user_name VARCHAR NOT NULL,' + @@ -33,7 +34,9 @@ function createUserTables() { ');' ); - user.run( + // :TODO: create FK on delete/etc. + + dbs.user.run( 'CREATE TABLE IF NOT EXISTS user_property (' + ' user_id INTEGER NOT NULL,' + ' prop_name VARCHAR NOT NULL,' + diff --git a/core/user.js b/core/user.js index 6e4b42b1..8959cc98 100644 --- a/core/user.js +++ b/core/user.js @@ -2,83 +2,204 @@ 'use strict'; var crypto = require('crypto'); -var database = require('./database.js'); +var assert = require('assert'); +//var database = require('./database.js'); + +var userDb = require('./database.js').dbs.user; exports.User = User; -var PBKDF2_OPTIONS = { +var PBKDF2 = { iterations : 1000, keyLen : 128, saltLen : 32, }; +var UserErrorCodes = Object.freeze({ + NONE : 'No error', + INVALID_USER : 'Invalid user', + INVALID_PASSWORD : 'Invalid password', +}); + function User() { var self = this; - + this.id = 0; this.userName = ''; this.groups = []; this.permissions = []; this.properties = {}; -/* - this.load = function(userName, cb) { - database.user.get('SELECT id FROM user WHERE user_name = $un LIMIT 1;', { un : userName }, function onUser(err, row) { - if(err) { - cb(err); - return; - } - var user = new User(); - user.id = row.id; - - // :TODO: load the rest. - - database.user.serialize(function loadUserSerialized() { - database.user.each('SELECT prop_name, prop_value FROM user_property WHERE user_id = $uid;', { uid : user.id }, function onUserPropRow(err, propRow) { - user.properties[propRow.prop_name] = propRow.prop_value; - }); - }); - - cb(null, user); - }); - };*/ } -User.load = function(userName, cb) { - database.user.get('SELECT id FROM user WHERE user_name = $un LIMIT 1;', { un : userName }, function onUser(err, row) { +User.generatePasswordDerivedKey = function(password, cb) { + crypto.randomBytes(PBKDF2.saltLen, function onRandomSalt(err, salt) { if(err) { cb(err); return; } - var user = new User(); - user.id = row.id; + salt = salt.toString('hex'); - // :TODO: load the rest. + password = new Buffer(password).toString('hex'); - database.user.serialize(function loadUserSerialized() { - database.user.each('SELECT prop_name, prop_value FROM user_property WHERE user_id = $uid;', { uid : user.id }, function onUserPropRow(err, propRow) { - user.properties[propRow.prop_name] = propRow.prop_value; - }); + crypto.pbkdf2(password, salt, PBKDF2.iterations, PBKDF2.keyLen, function onDerivedKey(err, dk) { + if(err) { + cb(err); + return; + } + + cb(null, { dk : dk.toString('hex'), salt : salt }); + }); + }); +}; + +// +// :TODO: createNewUser(userName, password, groups) + +User.addNew = function(user, cb) { + userDb.run('INSERT INTO user (user_name) VALUES(?);', [ user.userName ], function onUserInsert(err) { + if(err) { + cb(err); + return; + } + + user.id = this.lastID; + user.persist(cb); + }); +}; + +User.prototype.persist = function(cb) { + var self = this; + + if(0 === this.id || 0 === this.userName.length) { + cb(new Error(UserErrorCodes.INVALID_USER)); + return; + } + + userDb.serialize(function onSerialized() { + userDb.run('BEGIN;'); + + // :TODO: Create persistProperties(id, {props}) + var stmt = userDb.prepare('REPLACE INTO user_property (user_id, prop_name, prop_value) VALUES(?, ?, ?);'); + Object.keys(self.properties).forEach(function onPropName(propName) { + stmt.run(self.id, propName, self.properties[propName]); }); - cb(null, user); + stmt.finalize(function onFinalized() { + userDb.run('COMMIT;'); + cb(null, self.id); + }); + }); +}; + +// :TODO: make standalone function(password, dk, salt) +User.prototype.validatePassword = function(password, cb) { + assert(this.properties.pw_pbkdf2_salt); + assert(this.properties.pw_pbkdf2_dk); + + var self = this; + + password = new Buffer(password).toString('hex'); + + crypto.pbkdf2(password, this.properties.pw_pbkdf2_salt, PBKDF2.iterations, PBKDF2.keyLen, function onDerivedKey(err, dk) { + if(err) { + cb(err); + return; + } + + // Constant time compare + var propDk = new Buffer(self.properties.pw_pbkdf2_dk, 'hex'); + + console.log(propDk); + console.log(dk); + + if(propDk.length !== dk.length) { + cb(new Error('Unexpected buffer length')); + return; + } + + var c = 0; + for(var i = 0; i < dk.length; i++) { + c |= propDk[i] ^ dk[i]; + } + cb(null, c === 0); + }); +}; + +// :TODO: make this something like getUserProperties(id, [propNames], cb) +function getUserDerivedKeyAndSalt(id, cb) { + var properties = {}; + userDb.each( + 'SELECT prop_name, prop_value ' + + 'FROM user_property ' + + 'WHERE user_id = ? AND prop_name="pw_pbkdf2_salt" OR prop_name="pw_pbkdf2_dk";', + [ id ], + function onPwPropRow(err, propRow) { + if(err) { + cb(err); + } else { + properties[propRow.prop_name] = propRow.prop_value; + } + }, + function onComplete() { + cb(null, properties); + } + ); +} + +User.loadWithCredentials = function(userName, password, cb) { + userDb.get('SELECT id, user_name FROM user WHERE user_name LIKE ? LIMIT 1;"', [ userName ], function onUserIds(err, userRow) { + if(err) { + cb(err); + return; + } + + if(!userRow) { + cb(new Error(UserErrorCodes.INVALID_USER)); + return; + } + + // Load dk & salt properties for password validation + getUserDerivedKeyAndSalt(userRow.id, function onDkAndSalt(err, props) { + var user = new User(); + user.properties = props; + + user.validatePassword(password, function onValidatePw(err, isCorrect) { + if(err) { + cb(err); + return; + } + + if(!isCorrect) { + cb(new Error(UserErrorCodes.INVALID_PASSWORD)); + return; + } + + // userName and password OK -- load the rest. + + user.id = userRow.id; + user.userName = userRow.user_name; + + cb(null, user); + }); + }); }); }; User.prototype.setPassword = function(password, cb) { // :TODO: validate min len, etc. here? - crypto.randomBytes(PBKDF2_OPTIONS.saltLen, function onRandomSalt(err, salt) { + crypto.randomBytes(PBKDF2.saltLen, function onRandomSalt(err, salt) { if(err) { cb(err); return; } - password = Buffer.isBuffer(password) ? password : new Buffer(password, 'base64'); + password = Buffer.isBuffer(password) ? password : new Buffer(password, 'hex'); - crypto.pbkdf2(password, salt, PBKDF2_OPTIONS.iterations, PBKDF2_OPTIONS.keyLen, function onPbkdf2Generated(err, dk) { + crypto.pbkdf2(password, salt, PBKDF2.iterations, PBKDF2.keyLen, function onPbkdf2Generated(err, dk) { if(err) { cb(err); return; diff --git a/mods/matrix.js b/mods/matrix.js index d85187e9..aa0ef24f 100644 --- a/mods/matrix.js +++ b/mods/matrix.js @@ -41,10 +41,31 @@ function entryPoint(client) { vc.on('action', function onAction(act) { if('submit' === act.action) { - console.log('userName=' + vc.getView(1).value); - console.log('password: ' + act.view.value); + var un = vc.getView(1).value; + var pw = vc.getView(2).value; + console.log('userName: ' + un); + console.log('password: ' + pw); - user.User.load(vc.getView(1).value, function onUser(err, user) { + /* + var user1 = new user.User(); + user.User.generatePasswordDerivedKey('password', function onDk(err, dkInfo) { + user1.userName = 'NuSkooler'; + user1.properties = { + pw_pbkdf2_salt : dkInfo.salt, + pw_pbkdf2_dk : dkInfo.dk, + }; + user.User.addNew(user1, function onNewUser(err, id) { + if(err) { + console.log(err); + } else { + console.log('new user id: ' + id); + } + }); + });*/ + + + + user.User.loadWithCredentials(un, pw, function onUser(err, user) { if(err) { console.log(err); return;