(args, callback)
| 574 | } |
| 575 | |
| 576 | loadSession(args, callback) { |
| 577 | // Load user session or validate API Key |
| 578 | var self = this; |
| 579 | var now = Tools.timeNow(true); |
| 580 | var session_id = args.cookies['session_id'] || args.request.headers['x-session-id'] || args.params.session_id; |
| 581 | |
| 582 | if (session_id) { |
| 583 | this.storage.get('sessions/' + session_id, function(err, session) { |
| 584 | if (err) return callback(err, null, null); |
| 585 | |
| 586 | // csrf check |
| 587 | var csrf_token = args.request.headers['x-csrf-token'] || args.params.csrf_token || null; |
| 588 | if (self.usermgr.config.get('use_csrf') && !args.request.method.match(/^(GET|HEAD)$/) && session.csrf_token && (csrf_token != session.csrf_token)) { |
| 589 | self.logError('user', "Failed to validate session: Invalid CSRF Token", { username: session.username, ips: args.ips }); |
| 590 | return callback(new Error("Invalid session"), null, null); |
| 591 | } |
| 592 | |
| 593 | // also load user |
| 594 | self.storage.get('users/' + self.usermgr.normalizeUsername(session.username), function(err, user) { |
| 595 | if (err) return callback(err, null, null); |
| 596 | |
| 597 | // set type to discern this from API Key sessions |
| 598 | session.type = 'user'; |
| 599 | |
| 600 | // scrub session_id from common places, so it doesn't interfere with API calls and isn't logged |
| 601 | delete args.params.session_id; |
| 602 | delete args.cookies['session_id']; |
| 603 | delete args.request.headers['x-session-id']; |
| 604 | delete args.request.headers['cookie']; |
| 605 | |
| 606 | // cleanup csrf token mess as well |
| 607 | delete args.params.csrf_token; |
| 608 | delete args.request.headers['x-csrf-token']; |
| 609 | |
| 610 | // pass both session and user to callback |
| 611 | callback(null, session, user); |
| 612 | } ); |
| 613 | } ); |
| 614 | return; |
| 615 | } |
| 616 | |
| 617 | // no session found, look for API Key |
| 618 | var plain_key = args.request.headers['x-api-key'] || args.params.api_key || args.query.api_key; |
| 619 | if (!plain_key) return callback( new Error("No Session ID or API Key could be found"), null, null ); |
| 620 | |
| 621 | this.api.logDebug(9, "Client provided API key: " + plain_key.substring(0, 4) + '****'); |
| 622 | |
| 623 | // find active key with matching salted hash |
| 624 | var api_key = this.api_keys.find( function(api_key) { |
| 625 | if (!api_key.active) return false; |
| 626 | if (api_key.expires && (now >= api_key.expires)) return false; |
| 627 | return ( Tools.digestHex(plain_key + api_key.id, 'sha256') === api_key.key ); |
| 628 | } ); |
| 629 | |
| 630 | if (!api_key) return callback(new Error("Invalid API Key"), null, null); |
| 631 | |
| 632 | this.api.logDebug(9, "Matched server API Key: " + api_key.title + " (" + api_key.id + ")" ); |
| 633 |