Auth rework #953

FancMa01 · 2024-11-22T17:00:00Z

Description

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

Fixes # (issue)

Type of change

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to not work as expected)
Vulnerability fix (package bumps or CodeQL adjustments to ensure code security)
This change requires a documentation update

Developer Checklist:

Reviewer Checklist

I have pulled the branch into my local environemtn and started the project succesfully
I have reviewed the code for proper comments and mispellings
All input boxes have sensible character limits applied
Refreshing related pages puts page in a workable and sensible state
Submitting any relevant Forms relays proper messaging to user
I have checked that all security checks have been passed
I have checked that all backend routes have proper validation

Yadhap/user roles

* Remove existing manual login/logout code for fresh start * save progress * introduce new login introduce login/register, basic layout component. Able to be accessed by /login and /register respectively. Will need to rework login and load order and such later * Max characters applied * update look and feel * Further css adjustments * give new-password so autocomplete doesn't happen * added autoComplete off in login page aswell --------- Co-authored-by: yadhap Dahal <yadhap.dahal@lexisnexisrisk.com>

…tiy functions. Modified RoleTypes, UserRoles model, added migration file and model for refresh_token

…ue for registrationStatus

…ch as read, update, delete

Added registration and login routes, middlewares, controlles and util…

…stead of bcrypt

* Remove existing manual login/logout code for fresh start * save progress * introduce new login introduce login/register, basic layout component. Able to be accessed by /login and /register respectively. Will need to rework login and load order and such later * Max characters applied * update look and feel * Further css adjustments * give new-password so autocomplete doesn't happen * added autoComplete off in login page aswell * add forgot password, password complexity validator, reset password --------- Co-authored-by: yadhap Dahal <yadhap.dahal@lexisnexisrisk.com>

Yadhap/user related actions

* Remove existing manual login/logout code for fresh start * save progress * introduce new login introduce login/register, basic layout component. Able to be accessed by /login and /register respectively. Will need to rework login and load order and such later * Max characters applied * update look and feel * Further css adjustments * give new-password so autocomplete doesn't happen * added autoComplete off in login page aswell * add forgot password, password complexity validator, reset password * remove i18n and language switcher * adjust footer * add comment * home css and structure adjustments * rename css class --------- Co-authored-by: yadhap Dahal <yadhap.dahal@lexisnexisrisk.com>

…ock data with a dedicated test database for more accurate unit tests. Implemented end-to-end route tests for authentication and user routes.

Refactored testing environment to mirror production setup.

* create my account page * Adjust look and feel Change password replaces logout in top left, one form for displaying and editing information.

* create my account page * Initial Framework Still need to add Modals and functionality, but waiting on wiring basic flow first so we can have real data to test with. * save

additional auth routes and session mgmt routes

…password and new password, added utility function that makes call to the server to update the password, added the new component to the browser router

… and adhere to the DRY principle

…function to use the new getAUser utility function

…ing password could be used

…registration-flow Yadhap/add verification to registration flow

…reated-users Merged authReworkBranch

…ner-admin-created-users Yadhap/password rest for owner admin created users

…not throw error if these items are undefined

Merged with authRework

* bug fixes for application creation/deletion/switching for left nav and application screens * remove console logs * remove unused functions from application screen * Save Progress * fixes * Update Backend.js * Fix Header for stability * save progress * Update to control reader disabled * Update to allow user to logout no matter what * Allow user to update their own account and create allowed resource list

…gistered-user Yadhap/verify email self registered user

* bug fixes for application creation/deletion/switching for left nav and application screens * remove console logs * remove unused functions from application screen * Save Progress * fixes * Update Backend.js * Fix Header for stability * save progress * Update to control reader disabled * Update to allow user to logout no matter what * Allow user to update their own account and create allowed resource list * Handle login invalid values * 403 fallback page * save * fix spelling error * fix spelling * Patch to not show owner/admin no route access and also fix authController to return user roles and applications on verify email login * Add more conditionals

* Model and Migration * Routes, Controllers, Middleware for instance settings

* bug fixes for application creation/deletion/switching for left nav and application screens * remove console logs * remove unused functions from application screen * Save Progress * fixes * Update Backend.js * Fix Header for stability * save progress * Update to control reader disabled * Update to allow user to logout no matter what * Allow user to update their own account and create allowed resource list * Handle login invalid values * 403 fallback page * save * save * Model and Migration * Routes, Controllers, Middleware for instance settings * save * save progresss * save * finish * Update error message * Changed Steps on Start up Wizard to horizontal --------- Co-authored-by: yadhap Dahal <yadhap.dahal@lexisnexisrisk.com>

* bug fixes for application creation/deletion/switching for left nav and application screens * remove console logs * remove unused functions from application screen * Save Progress * fixes * Update Backend.js * Fix Header for stability * save progress * Update to control reader disabled * Update to allow user to logout no matter what * Allow user to update their own account and create allowed resource list * Handle login invalid values * 403 fallback page * save * save * Model and Migration * Routes, Controllers, Middleware for instance settings * save * save progresss * save * finish * request access route * Only Owners or Admins should see tours * Finish notification * remove extra /

…es in front end so the front end gets right kind of code from Azure before sending to backend

Added login/register with azure option in the back end and made chang…

* Oauth2 front end * wire front and backend azure login * Show/hide traditional * small bug fix to prevent multiple logins from being fired * Fixed login loop that occured when MS login failed. Also fixed issue where the roles and applications for newly created azure user was coming back undefined --------- Co-authored-by: yadhap Dahal <yadhap.dahal@lexisnexisrisk.com>

* Remove unused packages * Bug Fixes for left nav, constraints, and consumers

* Remove unused packages * Bug Fixes for left nav, constraints, and consumers * updates * Users Page and various docs updates * adjustments

* Fix user registration to not show success unless error message is shown and remove duplicate create basic user route * Set width of all components to 40rem for login for consistency * hide change password method for microsoft accounts

Tombolo/client-reactjs/src/components/admin/apps/AddApplication.jsx

+      //add application to user object in local storage so user has immediate access to it
+      const { user_app_id, id, title, description } = responseData;
+      user.applications.push({ id: user_app_id, application: { id, title, description } });
+      await localStorage.setItem('user', JSON.stringify(user));


Tombolo/client-reactjs/src/components/admin/apps/Applications.js

+        //remove it from users applications
+        const user = JSON.parse(localStorage.getItem('user'));
+        user.applications = user.applications.filter((app) => app.application.id !== app_id);
+        localStorage.setItem('user', JSON.stringify(user));


To fix the problem, we need to ensure that any sensitive information stored in local storage is encrypted. We can use the crypto-js library to encrypt and decrypt the data. The encryption key should be securely managed and not hardcoded in the code.

Install the crypto-js library.

Import the necessary functions from crypto-js.

Encrypt the user object before storing it in local storage.

Decrypt the user object when retrieving it from local storage.

Tombolo/client-reactjs/src/components/application/myAccount/myAccountInfo.jsx

+          const oldUser = JSON.parse(localStorage.getItem('user'));
+          const newUser = { ...oldUser, firstName: response.data.firstName, lastName: response.data.lastName };
+
+          localStorage.setItem('user', JSON.stringify(newUser));


To fix the problem, we need to ensure that any sensitive information stored in localStorage is encrypted. We can use the crypto-js library to encrypt and decrypt the data before storing and retrieving it from localStorage.

Install the crypto-js library.

Import the necessary functions from crypto-js.

Encrypt the user data before storing it in localStorage.

Decrypt the user data when retrieving it from localStorage.

Tombolo/client-reactjs/src/components/common/AuthHeader.js

+      if (!user) return;
+      if (user?.token !== token) {
+        user.token = token;
+        await localStorage.setItem('user', JSON.stringify(user));


Tombolo/client-reactjs/src/components/login/ResetTempPw.jsx

+      const result = await resetTempPassword(values);
+
+      // Save user token to local storage
+      localStorage.setItem('user', JSON.stringify(result.data));


To fix the problem, we need to ensure that any sensitive information stored in local storage is encrypted. We can use the crypto-js library to encrypt the data before storing it and decrypt it when needed. This will protect the data from being easily accessed in plain text.

Install the crypto-js library.

Import the necessary functions from crypto-js.

Encrypt the data before storing it in local storage.

Decrypt the data when retrieving it from local storage.

ydahal1 and others added 30 commits September 16, 2024 16:51

added role types and user_roles table. modified users table

478235d

reverted model names to original to avoid conflict with existing code'

17c11ea

Kept same model name as it was breaking existing functionalities

207f1bb

reverted model name

cb313aa

Remove existing manual login/logout code for fresh start (#883)

c4e74ac

Removed extra blank line

522b4f8

Merge pull request #886 from hpcc-systems/yadhap/user_roles

a88f0d5

Yadhap/user roles

Added registration and login routes, middlewares, controlles and util…

af4919c

…tiy functions. Modified RoleTypes, UserRoles model, added migration file and model for refresh_token

Added hooks on user model so cascade works and also added default val…

fbef703

…ue for registrationStatus

Added routes, middlewares and controllers for user related actions su…

dc2c731

…ch as read, update, delete

Added user routes to sever.js file

0f5798a

Added alias for user role to role types relationship'

1f5a52f

Added alias for user role to role types relationship'

50c917a

removed bcrypt as bcryptjs was already installed

fd8b6f4

Merge pull request #889 from hpcc-systems/yadhap/register-login

07639f8

Added registration and login routes, middlewares, controlles and util…

removed bcrypt as bcryptjs was already installed

03a6bf5

merged with authRework branch

c695455

Used bcryptjs for comparing password hash on change password route in…

7de088a

…stead of bcrypt

Merge pull request #890 from hpcc-systems/yadhap/user-related-actions

4ef50b0

Yadhap/user related actions

Refactored testing environment to mirror production setup. Replaced m…

7bde5f9

…ock data with a dedicated test database for more accurate unit tests. Implemented end-to-end route tests for authentication and user routes.

Added tests for cluster module

2f33ae9

Merge pull request #894 from hpcc-systems/yadhap/backend-tests

fe42f39

Refactored testing environment to mirror production setup.

create my account page (#892)

e401913

* create my account page * Adjust look and feel Change password replaces logout in top left, one form for displaying and editing information.

Mfancher/user management (#893)

51faef0

* create my account page * Initial Framework Still need to add Modals and functionality, but waiting on wiring basic flow first so we can have real data to test with. * save

additional auth routes and session mgmt routes

ecbfbed

Merge pull request #896 from hpcc-systems/yadhap/auth-additional-routes

45f2b1c

additional auth routes and session mgmt routes

Wire Register User Functionality (#897)

94de21a

ydahal1 and others added 29 commits October 23, 2024 08:59

Added Reset temp password component in the front end to capture temp …

17d36da

…password and new password, added utility function that makes call to the server to update the password, added the new component to the browser router

Refactored getUser function into authUtil to improve code reusability…

0613a8d

… and adhere to the DRY principle

Added a controller for resetting password, refactored loginBasicUser …

bbfe1d7

…function to use the new getAUser utility function

Updated userController so it saves verification code

d959963

Changed payload for reset password, so existing middleware for resett…

f239229

…ing password could be used

Merge pull request #926 from hpcc-systems/yadhap/add-verification-to-…

973dd75

…registration-flow Yadhap/add verification to registration flow

Merge branch 'authRework' into yadhap/password-rest-for-owner-admin-c…

150160e

…reated-users Merged authReworkBranch

masked temp password, fixed issue of not updating verifiedUser flag

b8bef8c

Merge pull request #928 from hpcc-systems/yadhap/password-rest-for-ow…

284372a

…ner-admin-created-users Yadhap/password rest for owner admin created users

Added guards to applications and roles in my account page so it does …

974baff

…not throw error if these items are undefined

Registration confirmation / verification email template created

74e502d

Merge branch 'authRework' into yadhap/verify-email-self-registered-user

bf84bac

Merged with authRework

Added E-mail verification flow for self registered owners and users

37e9ef1

Merge pull request #931 from hpcc-systems/yadhap/verify-email-self-re…

390d3cf

…gistered-user Yadhap/verify email self registered user

Model and Migration (#934)

ee0e1ff

Mfancher/system settings routes (#935)

c23b463

* Model and Migration * Routes, Controllers, Middleware for instance settings

merge (#938)

ed6ef6d

Oauth2 front end (#942)

5cdc239

Added login/register with azure option in the back end and made chang…

e2e6cc8

…es in front end so the front end gets right kind of code from Azure before sending to backend

Merge pull request #943 from hpcc-systems/yadhap/oauth2.0-backend

905ed4a

Added login/register with azure option in the back end and made chang…

Mfancher/dependencies (#945)

b92ef7d

* Remove unused packages * Bug Fixes for left nav, constraints, and consumers

Mfancher/docs (#946)

f4310c3

* Remove unused packages * Bug Fixes for left nav, constraints, and consumers * updates * Users Page and various docs updates * adjustments

Mfancher/ms user no pw change (#950)

cc2916d

* Fix user registration to not show success unless error message is shown and remove duplicate create basic user route * Set width of all components to 40rem for login for consistency * hide change password method for microsoft accounts

Merge branch 'dev' into authRework

59216bc

github-advanced-security bot found potential problems Nov 22, 2024

View reviewed changes

@@ -9,3 +9,3 @@
             import AddApplication from './AddApplication';
+            import CryptoJS from 'crypto-js';
             import Text from '../../common/Text';
@@ -74,5 +74,5 @@
                     //remove it from users applications
-                    const user = JSON.parse(localStorage.getItem('user'));
+                    const user = JSON.parse(CryptoJS.AES.decrypt(localStorage.getItem('user'), 'encryption_key').toString(CryptoJS.enc.Utf8));
                     user.applications = user.applications.filter((app) => app.application.id !== app_id);
-                    localStorage.setItem('user', JSON.stringify(user));
+                    localStorage.setItem('user', CryptoJS.AES.encrypt(JSON.stringify(user), 'encryption_key').toString());

@@ -4,3 +4,3 @@
             import passwordComplexityValidator from '../common/passwordComplexityValidator';
+            import CryptoJS from 'crypto-js';
             function ResetTempPassword() {
@@ -38,3 +38,3 @@
                   // Save user token to local storage
-                  localStorage.setItem('user', JSON.stringify(result.data));
+                  localStorage.setItem('user', CryptoJS.AES.encrypt(JSON.stringify(result.data), 'encryption_key').toString());
                   window.location.href = '/';

@@ -30,3 +30,4 @@
                 "socket.io-client": "^4.1.3",
-                "validator": "^13.11.0"
+                "validator": "^13.11.0",
+                "crypto-js": "^4.2.0"
               },

Package	Version	Security advisories
crypto-js (npm)	4.2.0	None

@@ -1,2 +1,3 @@
             import React, { useState, useEffect } from 'react';
+            import CryptoJS from 'crypto-js';
             import { Card, Form, Row, Col, Input, Button, Spin, message } from 'antd';
@@ -44,6 +45,8 @@
-                      const oldUser = JSON.parse(localStorage.getItem('user'));
+                      const encryptedOldUser = localStorage.getItem('user');
+                      const oldUser = encryptedOldUser ? JSON.parse(CryptoJS.AES.decrypt(encryptedOldUser, 'secret-key').toString(CryptoJS.enc.Utf8)) : {};
                       const newUser = { ...oldUser, firstName: response.data.firstName, lastName: response.data.lastName };
-                      localStorage.setItem('user', JSON.stringify(newUser));
+                      const encryptedNewUser = CryptoJS.AES.encrypt(JSON.stringify(newUser), 'secret-key').toString();
+                      localStorage.setItem('user', encryptedNewUser);
                       window.dispatchEvent(new Event('userStorage'));

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Auth rework #953

Auth rework #953

FancMa01 commented Nov 22, 2024

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Auth rework #953

Are you sure you want to change the base?

Auth rework #953

Conversation

FancMa01 commented Nov 22, 2024

Description

Type of change

Developer Checklist:

Reviewer Checklist