wip: try migrating to argon2

jsjoeio · jsjoeio · commit 886ed213608b · 2021-06-02T10:49:38.000-07:00
diff --git a/src/node/http.ts b/src/node/http.ts
@@ -45,8 +45,8 @@ export const replaceTemplates = <T extends object>(
 /**
  * Throw an error if not authorized. Call `next` if provided.
  */
-export const ensureAuthenticated = (req: express.Request, _?: express.Response, next?: express.NextFunction): void => {
-  if (!authenticated(req)) {
+export const ensureAuthenticated = async(req: express.Request, _?: express.Response, next?: express.NextFunction): Promise<void> => {
+  if (await !authenticated(req)) {
     throw new HttpError("Unauthorized", HttpCode.Unauthorized)
   }
   if (next) {
diff --git a/src/node/routes/domainProxy.ts b/src/node/routes/domainProxy.ts
@@ -32,14 +32,14 @@ const maybeProxy = (req: Request): string | undefined => {
   return port
 }
 
-router.all("*", (req, res, next) => {
+router.all("*", async (req, res, next) => {
   const port = maybeProxy(req)
   if (!port) {
     return next()
   }
 
   // Must be authenticated to use the proxy.
-  if (!authenticated(req)) {
+  if (await !authenticated(req)) {
     // Let the assets through since they're used on the login page.
     if (req.path.startsWith("/static/") && req.method === "GET") {
       return next()
@@ -73,14 +73,14 @@ router.all("*", (req, res, next) => {
 
 export const wsRouter = WsRouter()
 
-wsRouter.ws("*", (req, _, next) => {
+wsRouter.ws("*", async (req, _, next) => {
   const port = maybeProxy(req)
   if (!port) {
     return next()
   }
 
   // Must be authenticated to use the proxy.
-  ensureAuthenticated(req)
+  await ensureAuthenticated(req)
 
   proxy.ws(req, req.ws, req.head, {
     ignorePath: true,
diff --git a/src/node/routes/index.ts b/src/node/routes/index.ts
@@ -104,13 +104,13 @@ export const register = async (
   // These two routes pass through the path directly.
   // So the proxied app must be aware it is running
   // under /absproxy/<someport>/
-  app.all("/absproxy/(:port)(/*)?", (req, res) => {
-    pathProxy.proxy(req, res, {
+  app.all("/absproxy/(:port)(/*)?", async (req, res) => {
+    await pathProxy.proxy(req, res, {
       passthroughPath: true,
     })
   })
-  wsApp.get("/absproxy/(:port)(/*)?", (req) => {
-    pathProxy.wsProxy(req as pluginapi.WebsocketRequest, {
+  wsApp.get("/absproxy/(:port)(/*)?", async (req) => {
+    await pathProxy.wsProxy(req as pluginapi.WebsocketRequest, {
       passthroughPath: true,
     })
   })
@@ -120,7 +120,7 @@ export const register = async (
     const pluginApi = new PluginAPI(logger, process.env.CS_PLUGIN, process.env.CS_PLUGIN_PATH, workingDir)
     await pluginApi.loadPlugins()
     pluginApi.mount(app, wsApp)
-    app.use("/api/applications", ensureAuthenticated, apps.router(pluginApi))
+    app.use("/api/applications", await ensureAuthenticated, apps.router(pluginApi))
     wrapper.onDispose(() => pluginApi.dispose())
   }
 
diff --git a/src/node/routes/login.ts b/src/node/routes/login.ts
@@ -49,9 +49,9 @@ const limiter = new RateLimiter()
 
 export const router = Router()
 
-router.use((req, res, next) => {
+router.use(async(req, res, next) => {
   const to = (typeof req.query.to === "string" && req.query.to) || "/"
-  if (authenticated(req)) {
+  if (await authenticated(req)) {
     return redirect(req, res, to, { to: undefined })
   }
   next()
diff --git a/src/node/routes/pathProxy.ts b/src/node/routes/pathProxy.ts
@@ -15,14 +15,14 @@ const getProxyTarget = (req: Request, passthroughPath?: boolean): string => {
   return `http://0.0.0.0:${req.params.port}/${req.params[0] || ""}${query ? `?${query}` : ""}`
 }
 
-export function proxy(
+export async function proxy(
   req: Request,
   res: Response,
   opts?: {
     passthroughPath?: boolean
   },
-): void {
-  if (!authenticated(req)) {
+): Promise<void> {
+  if (await !authenticated(req)) {
     // If visiting the root (/:port only) redirect to the login page.
     if (!req.params[0] || req.params[0] === "/") {
       const to = normalize(`${req.baseUrl}${req.path}`)
@@ -45,13 +45,13 @@ export function proxy(
   })
 }
 
-export function wsProxy(
+export async function wsProxy(
   req: pluginapi.WebsocketRequest,
   opts?: {
     passthroughPath?: boolean
   },
-): void {
-  ensureAuthenticated(req)
+): Promise<void> {
+  await ensureAuthenticated(req)
   _proxy.ws(req, req.ws, req.head, {
     ignorePath: true,
     target: getProxyTarget(req, opts?.passthroughPath),
diff --git a/src/node/routes/static.ts b/src/node/routes/static.ts
@@ -18,7 +18,7 @@ router.get("/(:commit)(/*)?", async (req, res) => {
   // Used by VS Code to load extensions into the web worker.
   const tar = getFirstString(req.query.tar)
   if (tar) {
-    ensureAuthenticated(req)
+    await ensureAuthenticated(req)
     let stream: Readable = tarFs.pack(pathToFsPath(tar))
     if (req.headers["accept-encoding"] && req.headers["accept-encoding"].includes("gzip")) {
       logger.debug("gzipping tar", field("path", tar))
@@ -43,7 +43,7 @@ router.get("/(:commit)(/*)?", async (req, res) => {
 
   // Make sure it's in code-server if you aren't authenticated. This lets
   // unauthenticated users load the login assets.
-  if (!resourcePath.startsWith(rootPath) && !authenticated(req)) {
+  if (!resourcePath.startsWith(rootPath) && await !authenticated(req)) {
     throw new HttpError("Unauthorized", HttpCode.Unauthorized)
   }
 
diff --git a/src/node/routes/update.ts b/src/node/routes/update.ts
@@ -7,6 +7,7 @@ export const router = Router()
 
 const provider = new UpdateProvider()
 
+// TODO see if this breaks because we can't await ensureAuthenticated
 router.get("/check", ensureAuthenticated, async (req, res) => {
   const update = await provider.getUpdate(req.query.force === "true")
   res.json({
diff --git a/src/node/routes/vscode.ts b/src/node/routes/vscode.ts
@@ -19,7 +19,7 @@ export const router = Router()
 const vscode = new VscodeProvider()
 
 router.get("/", async (req, res) => {
-  if (!authenticated(req)) {
+  if (await !authenticated(req)) {
     return redirect(req, res, "login", {
       // req.baseUrl can be blank if already at the root.
       to: req.baseUrl && req.baseUrl !== "/" ? req.baseUrl : undefined,
@@ -61,6 +61,7 @@ router.get("/", async (req, res) => {
 
 /**
  * TODO: Might currently be unused.
+ * TODO@jsjoeio might break because ensureAuthenticated is async
  */
 router.get("/resource(/*)?", ensureAuthenticated, async (req, res) => {
   if (typeof req.query.path === "string") {
@@ -71,6 +72,7 @@ router.get("/resource(/*)?", ensureAuthenticated, async (req, res) => {
 
 /**
  * Used by VS Code to load files.
+ * TODO@jsjoeio might break because ensureAuthenticated is async
  */
 router.get("/vscode-remote-resource(/*)?", ensureAuthenticated, async (req, res) => {
   if (typeof req.query.path === "string") {
@@ -82,6 +84,7 @@ router.get("/vscode-remote-resource(/*)?", ensureAuthenticated, async (req, res)
 /**
  * VS Code webviews use these paths to load files and to load webview assets
  * like HTML and JavaScript.
+ * TODO@jsjoeio might break because ensureAuthenticated is async
  */
 router.get("/webview/*", ensureAuthenticated, async (req, res) => {
   res.set("Content-Type", getMediaMime(req.path))
@@ -128,6 +131,7 @@ const fetchTimeout = 5 * 60 * 1000
 // The callback endpoints are used during authentication. A URI is stored on
 // /callback and then fetched later on /fetch-callback.
 // See ../../../lib/vscode/resources/web/code-web.js
+//  TODO@jsjoeio might break because ensureAuthenticated is async
 router.get("/callback", ensureAuthenticated, async (req, res) => {
   const uriKeys = [
     "vscode-requestId",
@@ -167,6 +171,7 @@ router.get("/callback", ensureAuthenticated, async (req, res) => {
   res.sendFile(path.join(rootPath, "lib/vscode/resources/web/callback.html"))
 })
 
+// TODO@jsjoeio might break becasue ensureAuthenticated is async
 router.get("/fetch-callback", ensureAuthenticated, async (req, res) => {
   const id = getRequestId(req)
 
@@ -195,7 +200,7 @@ router.get("/fetch-callback", ensureAuthenticated, async (req, res) => {
 })
 
 export const wsRouter = WsRouter()
-
+// TODO@jsjoeio might break becasue ensureAuthenticated is async
 wsRouter.ws("/", ensureAuthenticated, async (req) => {
   const magic = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
   const reply = crypto
diff --git a/typings/pluginapi.d.ts b/typings/pluginapi.d.ts
@@ -145,12 +145,12 @@ export const proxy: ProxyServer
 /**
  * Middleware to ensure the user is authenticated. Throws if they are not.
  */
-export function ensureAuthenticated(req: express.Request, res?: express.Response, next?: express.NextFunction): void
+export function ensureAuthenticated(req: express.Request, res?: express.Response, next?: express.NextFunction): Promise<void>
 
 /**
  * Returns true if the user is authenticated.
  */
-export function authenticated(req: express.Request): boolean
+export function authenticated(req: express.Request): Promise<boolean>
 
 /**
  * Replace variables in HTML: TO, BASE, CS_STATIC_BASE, and OPTIONS.
