canopy/src/controllers/api/account/loginController.js

/*Canopy - The next generation of stoner streaming software
Copyright (C) 2024-2025 Rainbownapkin and the TTN Community

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program.  If not, see <https://www.gnu.org/licenses/>.*/

//Config
const config = require('../../../../config.json');

//npm imports
const {validationResult, matchedData} = require('express-validator');

//local imports
const migrationModel = require('../../../schemas/user/migrationSchema.js');
const rememberMeModel = require('../../../schemas/user/rememberMeSchema.js');
const sessionUtils = require('../../../utils/sessionUtils');
const hashUtils = require('../../../utils/hashUtils.js');
const {exceptionHandler, errorHandler} = require('../../../utils/loggerUtils');

//api account functions
module.exports.post = async function(req, res){
    try{
        //Check validation results
        const validResult = validationResult(req);

        //if we don't have errors
        if(validResult.isEmpty()){
            //Pull sanatzied/validated data
            const data = matchedData(req); 

            //try to authenticate the session, throwing an error and breaking the current code block if user is un-authorized
            const userDB = await sessionUtils.authenticateSession(data.user, data.pass, req);

            //If the user already has a remember me token
            if(data.rememberme != null && data.rememberme.id != null){
                //Fucking nuke the bitch
                await rememberMeModel.deleteOne({id: data.rememberme.id})

                //Tell the client to drop the token
                res.clearCookie("rememberme.id");
                res.clearCookie("rememberme.token");
            }

            //If the user requested a rememberMe token (I'm not validation checking a fucking boolean)
            if(req.body.rememberMe){
                //Gen user token
                //requires second DB call, but this enforces password requirement for toke generation while ensuring we only
                //need one function in the userModel for authentication, even if the second woulda just been a wrapper.
                //Less attack surface is less attack surface, and this isn't something thats going to be getting constantly called
                const authToken = await rememberMeModel.genToken(userDB, data.pass);

                //If we properly authed
                if(authToken != null){
                    //Check config for protocol
                    const secure = config.protocol.toLowerCase() == "https";

                    //Create expiration date for cookies (180 days)
                    const expires = new Date(Date.now() + (1000 * 60 * 60 * 24 * 180));

                    //Set remember me ID and token as browser-side cookies for safe-keeping
                    res.cookie("rememberme.id", authToken.id, {sameSite: 'strict', httpOnly: true, secure, expires});
                    //This should be the servers last interaction with the plaintext token before saving the hashed copy, and dropping it out of RAM
                    res.cookie("rememberme.token", authToken.token, {sameSite: 'strict', httpOnly: true, secure, expires});
                }
            }

            //Tell the browser everything is dandy
            return res.sendStatus(200);
        }else{
            res.status(400);
            return res.send({errors: validResult.array()})
        }
    }catch(err){
        //Check validation results
        const validResult = validationResult(req);

        //if we don't have errors
        if(validResult.isEmpty()){
            //Get login attempts for current user
            const {user, pass} = matchedData(req);

            //Look for the username in the migration DB
            const migrationDB = await migrationModel.findOne({user});

            //If we found a migration profile
            if(migrationDB != null){
                //If the user has a good password
                if(hashUtils.compareLegacyPassword(pass, migrationDB.pass)){
                    //Redirect to migrate
                    return res.sendStatus(301);
                }
            }

            //Get login attempts
            const attempts = sessionUtils.getLoginAttempts(user)

            //if we've gone over max attempts 
            if(attempts != null && attempts.count > sessionUtils.throttleAttempts){
                //tell client it needs a captcha
                return res.sendStatus(429);
            }else{
                 //Scream about any un-caught errors
                return exceptionHandler(res, err);
            }
        }else{
            res.status(400);
            return res.send({errors: validResult.array()})
        }
    }
    
}