516 lines
16 KiB
TypeScript
516 lines
16 KiB
TypeScript
import * as plugins from '../../plugins.js';
|
|
import type { OpsServer } from '../classes.opsserver.js';
|
|
import * as interfaces from '../../../ts_interfaces/index.js';
|
|
|
|
export interface IJwtData {
|
|
userId: string;
|
|
status: 'loggedIn' | 'loggedOut';
|
|
expiresAt: number;
|
|
}
|
|
|
|
type TAdminUser = {
|
|
id: string;
|
|
username: string;
|
|
email?: string;
|
|
name?: string;
|
|
role: string;
|
|
status?: 'active' | 'disabled';
|
|
authSources?: Array<'local' | 'idp.global'>;
|
|
};
|
|
|
|
export class AdminHandler {
|
|
public typedrouter = new plugins.typedrequest.TypedRouter();
|
|
|
|
// JWT instance
|
|
public smartjwtInstance!: plugins.smartjwt.SmartJwt<IJwtData>;
|
|
|
|
// Ephemeral bootstrap users. Persisted accounts take over once an active admin exists.
|
|
private users = new Map<string, {
|
|
id: string;
|
|
username: string;
|
|
password: string;
|
|
role: string;
|
|
}>();
|
|
|
|
private accountStore?: plugins.idpSdkServer.SmartdataAccountStore;
|
|
private idpClient?: plugins.idpSdkServer.IdpGlobalServerClient;
|
|
private ownsIdpClient = false;
|
|
|
|
constructor(private opsServerRef: OpsServer) {
|
|
// Add this handler's router to the parent
|
|
this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
|
|
}
|
|
|
|
public async initialize(): Promise<void> {
|
|
await this.initializeJwt();
|
|
this.initializeDefaultUsers();
|
|
this.registerHandlers();
|
|
}
|
|
|
|
public async stop(): Promise<void> {
|
|
if (this.ownsIdpClient) {
|
|
await this.idpClient?.stop();
|
|
}
|
|
this.idpClient = undefined;
|
|
this.ownsIdpClient = false;
|
|
}
|
|
|
|
private async initializeJwt(): Promise<void> {
|
|
this.smartjwtInstance = new plugins.smartjwt.SmartJwt();
|
|
await this.smartjwtInstance.init();
|
|
|
|
// For development, create new keypair each time
|
|
// In production, load from storage like cloudly does
|
|
await this.smartjwtInstance.createNewKeyPair();
|
|
}
|
|
|
|
private initializeDefaultUsers(): void {
|
|
const username = process.env.DCROUTER_ADMIN_USERNAME || 'admin';
|
|
const configuredPassword = process.env.DCROUTER_ADMIN_PASSWORD;
|
|
const password = configuredPassword || plugins.crypto.randomBytes(24).toString('base64url');
|
|
|
|
const adminId = plugins.uuid.v4();
|
|
this.users.set(adminId, {
|
|
id: adminId,
|
|
username,
|
|
password,
|
|
role: 'admin',
|
|
});
|
|
|
|
if (!configuredPassword) {
|
|
console.warn(`DCRouter generated one-time admin password for ${username}: ${password}`);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Return a safe projection of the active user source — excludes password fields.
|
|
* Used by UsersHandler to serve the admin-only listUsers endpoint.
|
|
*/
|
|
public async listUsers(): Promise<interfaces.requests.IAdminUserProjection[]> {
|
|
if (await this.hasPersistentAdminAccount()) {
|
|
const store = this.getAccountStore();
|
|
const accounts = await store!.listAccounts();
|
|
return accounts.map((accountArg) => this.accountToUser(accountArg));
|
|
}
|
|
|
|
return Array.from(this.users.values()).map((user) => ({
|
|
id: user.id,
|
|
username: user.username,
|
|
role: user.role,
|
|
}));
|
|
}
|
|
|
|
public async getBootstrapStatus(): Promise<interfaces.requests.IReq_GetAdminBootstrapStatus['response']> {
|
|
const dbEnabled = this.opsServerRef.dcRouterRef.options.dbConfig?.enabled !== false;
|
|
const store = this.getAccountStore();
|
|
const dbReady = !!store;
|
|
const hasPersistentAdmin = dbReady ? await store.hasActiveAdminAccount() : false;
|
|
return {
|
|
dbEnabled,
|
|
dbReady,
|
|
hasPersistentAdmin,
|
|
needsBootstrap: dbEnabled && dbReady && !hasPersistentAdmin,
|
|
ephemeralAdminAvailable: !hasPersistentAdmin,
|
|
idpGlobalConfigured: this.isIdpGlobalConfigured(),
|
|
};
|
|
}
|
|
|
|
public async createInitialAdminUser(optionsArg: {
|
|
email: string;
|
|
name?: string;
|
|
password: string;
|
|
enableIdpGlobalAuth?: boolean;
|
|
}): Promise<interfaces.requests.IReq_CreateInitialAdminUser['response']> {
|
|
const store = this.getAccountStore();
|
|
if (!store) {
|
|
throw new plugins.typedrequest.TypedResponseError('database is not ready');
|
|
}
|
|
|
|
if (await store.hasActiveAdminAccount()) {
|
|
throw new plugins.typedrequest.TypedResponseError('initial admin already exists');
|
|
}
|
|
|
|
const password = String(optionsArg.password || '');
|
|
if (!password) {
|
|
throw new plugins.typedrequest.TypedResponseError('password is required');
|
|
}
|
|
|
|
const email = String(optionsArg.email || '').trim();
|
|
const authSources: Array<'local' | 'idp.global'> = ['local'];
|
|
if (optionsArg.enableIdpGlobalAuth) {
|
|
authSources.push('idp.global');
|
|
}
|
|
|
|
try {
|
|
const account = await store.createAccount({
|
|
email,
|
|
name: String(optionsArg.name || '').trim() || email,
|
|
role: 'admin',
|
|
authSources,
|
|
password,
|
|
});
|
|
const user = this.accountToUser(account);
|
|
return {
|
|
success: true,
|
|
identity: await this.createIdentityForUser(user),
|
|
user,
|
|
};
|
|
} catch (error) {
|
|
throw new plugins.typedrequest.TypedResponseError((error as Error).message || 'failed to create initial admin');
|
|
}
|
|
}
|
|
|
|
public async createUser(optionsArg: {
|
|
email: string;
|
|
name?: string;
|
|
role: interfaces.requests.TUserManagementRole;
|
|
password: string;
|
|
enableIdpGlobalAuth?: boolean;
|
|
}): Promise<interfaces.requests.IReq_CreateUser['response']> {
|
|
const store = this.getAccountStore();
|
|
if (!store) {
|
|
return { success: false, message: 'database is not ready' };
|
|
}
|
|
if (!(await store.hasActiveAdminAccount())) {
|
|
return { success: false, message: 'initial admin bootstrap is required before creating users' };
|
|
}
|
|
|
|
const role = optionsArg.role;
|
|
if (role !== 'admin' && role !== 'user') {
|
|
return { success: false, message: 'role must be admin or user' };
|
|
}
|
|
|
|
const password = String(optionsArg.password || '');
|
|
if (!password) {
|
|
return { success: false, message: 'password is required' };
|
|
}
|
|
|
|
const authSources: Array<'local' | 'idp.global'> = ['local'];
|
|
if (optionsArg.enableIdpGlobalAuth) {
|
|
authSources.push('idp.global');
|
|
}
|
|
|
|
try {
|
|
const email = String(optionsArg.email || '').trim();
|
|
const account = await store.createAccount({
|
|
email,
|
|
name: String(optionsArg.name || '').trim() || email,
|
|
role,
|
|
authSources,
|
|
password,
|
|
});
|
|
return { success: true, user: this.accountToUser(account) };
|
|
} catch (error) {
|
|
return { success: false, message: (error as Error).message || 'failed to create user' };
|
|
}
|
|
}
|
|
|
|
public async deleteUser(optionsArg: {
|
|
id: string;
|
|
requestingUserId: string;
|
|
}): Promise<interfaces.requests.IReq_DeleteUser['response']> {
|
|
const store = this.getAccountStore();
|
|
if (!store) {
|
|
return { success: false, message: 'database is not ready' };
|
|
}
|
|
if (!(await store.hasActiveAdminAccount())) {
|
|
return { success: false, message: 'initial admin bootstrap is required before deleting users' };
|
|
}
|
|
|
|
const id = String(optionsArg.id || '').trim();
|
|
if (!id) {
|
|
return { success: false, message: 'user id is required' };
|
|
}
|
|
if (id === optionsArg.requestingUserId) {
|
|
return { success: false, message: 'cannot delete the current user' };
|
|
}
|
|
|
|
const account = await store.getAccountById(id);
|
|
if (!account) {
|
|
return { success: false, message: 'user not found' };
|
|
}
|
|
|
|
if (account.role === 'admin' && account.status === 'active') {
|
|
const activeAdmins = (await store.listAccounts()).filter(
|
|
(accountArg) => accountArg.role === 'admin' && accountArg.status === 'active',
|
|
);
|
|
if (activeAdmins.length <= 1) {
|
|
return { success: false, message: 'cannot delete the last active admin' };
|
|
}
|
|
}
|
|
|
|
const doc = await plugins.idpSdkServer.IdpSdkAccountDoc.findById(id);
|
|
if (!doc) {
|
|
return { success: false, message: 'user not found' };
|
|
}
|
|
await doc.delete();
|
|
return { success: true };
|
|
}
|
|
|
|
private registerHandlers(): void {
|
|
this.typedrouter.addTypedHandler(
|
|
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetAdminBootstrapStatus>(
|
|
'getAdminBootstrapStatus',
|
|
async (_dataArg) => this.getBootstrapStatus()
|
|
)
|
|
);
|
|
|
|
this.opsServerRef.adminRouter.addTypedHandler(
|
|
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateInitialAdminUser>(
|
|
'createInitialAdminUser',
|
|
async (dataArg) => {
|
|
const isAdmin = await this.adminIdentityGuard.exec({ identity: dataArg.identity });
|
|
if (!isAdmin) {
|
|
throw new plugins.typedrequest.TypedResponseError('admin identity required');
|
|
}
|
|
return this.createInitialAdminUser({
|
|
email: dataArg.email,
|
|
name: dataArg.name,
|
|
password: dataArg.password,
|
|
enableIdpGlobalAuth: dataArg.enableIdpGlobalAuth,
|
|
});
|
|
}
|
|
)
|
|
);
|
|
|
|
// Admin Login Handler
|
|
this.typedrouter.addTypedHandler(
|
|
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
|
|
'adminLoginWithUsernameAndPassword',
|
|
async (dataArg) => {
|
|
try {
|
|
const user = await this.authenticateUser({
|
|
username: dataArg.username,
|
|
password: dataArg.password,
|
|
authSource: dataArg.authSource,
|
|
});
|
|
if (!user) {
|
|
throw new plugins.typedrequest.TypedResponseError('login failed');
|
|
}
|
|
|
|
return {
|
|
identity: await this.createIdentityForUser(user),
|
|
};
|
|
} catch (error) {
|
|
if (error instanceof plugins.typedrequest.TypedResponseError) {
|
|
throw error;
|
|
}
|
|
throw new plugins.typedrequest.TypedResponseError('login failed');
|
|
}
|
|
}
|
|
)
|
|
);
|
|
|
|
// Admin Logout Handler
|
|
this.typedrouter.addTypedHandler(
|
|
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AdminLogout>(
|
|
'adminLogout',
|
|
async (dataArg) => {
|
|
const identity = await this.validateIdentity(dataArg.identity);
|
|
if (!identity) {
|
|
throw new plugins.typedrequest.TypedResponseError('identity is not valid');
|
|
}
|
|
return {
|
|
success: true,
|
|
};
|
|
}
|
|
)
|
|
);
|
|
|
|
// Verify Identity Handler
|
|
this.typedrouter.addTypedHandler(
|
|
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_VerifyIdentity>(
|
|
'verifyIdentity',
|
|
async (dataArg) => {
|
|
const identity = await this.validateIdentity(dataArg.identity);
|
|
return identity ? { valid: true, identity } : { valid: false };
|
|
}
|
|
)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Create a guard for valid identity (matching cloudly pattern)
|
|
*/
|
|
public validIdentityGuard = new plugins.smartguard.Guard<{
|
|
identity: interfaces.data.IIdentity;
|
|
}>(
|
|
async (dataArg) => {
|
|
return Boolean(await this.validateIdentity(dataArg.identity));
|
|
},
|
|
{
|
|
failedHint: 'identity is not valid',
|
|
name: 'validIdentityGuard',
|
|
}
|
|
);
|
|
|
|
/**
|
|
* Create a guard for admin identity (matching cloudly pattern)
|
|
*/
|
|
public adminIdentityGuard = new plugins.smartguard.Guard<{
|
|
identity: interfaces.data.IIdentity;
|
|
}>(
|
|
async (dataArg) => {
|
|
const identity = await this.validateIdentity(dataArg.identity);
|
|
return identity?.role === 'admin';
|
|
},
|
|
{
|
|
failedHint: 'user is not admin',
|
|
name: 'adminIdentityGuard',
|
|
}
|
|
);
|
|
|
|
public async validateIdentity(
|
|
identityArg?: interfaces.data.IIdentity,
|
|
): Promise<interfaces.data.IIdentity | null> {
|
|
if (!identityArg?.jwt) {
|
|
return null;
|
|
}
|
|
|
|
try {
|
|
const jwtData = await this.smartjwtInstance.verifyJWTAndGetData(identityArg.jwt);
|
|
if (jwtData.expiresAt < Date.now()) {
|
|
return null;
|
|
}
|
|
if (jwtData.status !== 'loggedIn') {
|
|
return null;
|
|
}
|
|
if (identityArg.expiresAt !== jwtData.expiresAt) {
|
|
return null;
|
|
}
|
|
if (identityArg.userId !== jwtData.userId) {
|
|
return null;
|
|
}
|
|
|
|
const user = await this.resolveUser(jwtData.userId);
|
|
if (!user) {
|
|
return null;
|
|
}
|
|
if (identityArg.role && identityArg.role !== user.role) {
|
|
return null;
|
|
}
|
|
|
|
return {
|
|
jwt: identityArg.jwt,
|
|
userId: user.id,
|
|
name: user.name || user.username,
|
|
expiresAt: jwtData.expiresAt,
|
|
role: user.role,
|
|
type: 'user',
|
|
};
|
|
} catch {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
private async authenticateUser(optionsArg: {
|
|
username: string;
|
|
password: string;
|
|
authSource?: interfaces.requests.TAdminLoginAuthSource;
|
|
}): Promise<TAdminUser | null> {
|
|
if (await this.hasPersistentAdminAccount()) {
|
|
const store = this.getAccountStore();
|
|
const authService = new plugins.idpSdkServer.AccountAuthService({
|
|
store: store!,
|
|
idpClient: this.getIdpClient() as plugins.idpSdkServer.IdpGlobalServerClient | undefined,
|
|
});
|
|
const result = await authService.authenticate({
|
|
email: optionsArg.username,
|
|
password: optionsArg.password,
|
|
authSource: optionsArg.authSource || 'auto',
|
|
});
|
|
return result ? this.accountToUser(result.account) : null;
|
|
}
|
|
|
|
for (const [_, userData] of this.users) {
|
|
if (userData.username === optionsArg.username && userData.password === optionsArg.password) {
|
|
return userData;
|
|
}
|
|
}
|
|
return null;
|
|
}
|
|
|
|
private async resolveUser(userIdArg: string): Promise<TAdminUser | null> {
|
|
if (await this.hasPersistentAdminAccount()) {
|
|
const account = await this.getAccountStore()!.getAccountById(userIdArg);
|
|
if (!account || account.status !== 'active') {
|
|
return null;
|
|
}
|
|
return this.accountToUser(account);
|
|
}
|
|
|
|
return this.users.get(userIdArg) || null;
|
|
}
|
|
|
|
private async hasPersistentAdminAccount(): Promise<boolean> {
|
|
const store = this.getAccountStore();
|
|
return store ? store.hasActiveAdminAccount() : false;
|
|
}
|
|
|
|
private getAccountStore(): plugins.idpSdkServer.SmartdataAccountStore | null {
|
|
if (this.opsServerRef.dcRouterRef.options.dbConfig?.enabled === false) {
|
|
return null;
|
|
}
|
|
const dcRouterDb = this.opsServerRef.dcRouterRef.dcRouterDb;
|
|
if (!dcRouterDb?.isReady()) {
|
|
return null;
|
|
}
|
|
if (!this.accountStore) {
|
|
this.accountStore = new plugins.idpSdkServer.SmartdataAccountStore({
|
|
smartdataDb: dcRouterDb.getDb(),
|
|
});
|
|
}
|
|
return this.accountStore;
|
|
}
|
|
|
|
private getIdpClient(): Pick<plugins.idpSdkServer.IdpGlobalServerClient, 'loginWithEmailAndPassword' | 'stop'> | undefined {
|
|
const configuredClient = this.opsServerRef.dcRouterRef.options.adminAuth?.idpClient;
|
|
if (configuredClient) {
|
|
return configuredClient;
|
|
}
|
|
|
|
const baseUrl = this.opsServerRef.dcRouterRef.options.adminAuth?.idpGlobalUrl || process.env.DCROUTER_IDP_GLOBAL_URL;
|
|
if (!this.idpClient) {
|
|
this.idpClient = baseUrl
|
|
? new plugins.idpSdkServer.IdpGlobalServerClient({ baseUrl })
|
|
: new plugins.idpSdkServer.IdpGlobalServerClient({} as plugins.idpSdkServer.IIdpGlobalServerClientOptions);
|
|
this.ownsIdpClient = true;
|
|
}
|
|
return this.idpClient;
|
|
}
|
|
|
|
private isIdpGlobalConfigured(): boolean {
|
|
return true;
|
|
}
|
|
|
|
private accountToUser(accountArg: plugins.idpSdkServer.IIdpSdkAccount): TAdminUser {
|
|
return {
|
|
id: accountArg.id,
|
|
username: accountArg.email,
|
|
email: accountArg.email,
|
|
name: accountArg.name,
|
|
role: accountArg.role,
|
|
status: accountArg.status,
|
|
authSources: accountArg.authSources,
|
|
};
|
|
}
|
|
|
|
private async createIdentityForUser(userArg: TAdminUser): Promise<interfaces.data.IIdentity> {
|
|
const expiresAtTimestamp = Date.now() + 3600 * 1000 * 24; // 24 hours
|
|
const jwt = await this.smartjwtInstance.createJWT({
|
|
userId: userArg.id,
|
|
status: 'loggedIn',
|
|
expiresAt: expiresAtTimestamp,
|
|
});
|
|
|
|
return {
|
|
jwt,
|
|
userId: userArg.id,
|
|
name: userArg.name || userArg.username,
|
|
expiresAt: expiresAtTimestamp,
|
|
role: userArg.role,
|
|
type: 'user',
|
|
};
|
|
}
|
|
}
|