Changed the authentication mechanism to support hooks

settings.json.template

@@ -51,22 +51,23 @@
      Note: /admin always requires authentication. */
   "requireAuthentication": false,
 
-  /* Require authorization by a module, or a user with is_admin set,
+  /* Require authorization by a module, or a user with is_admin set, see below. */
-     see below. Access to /admin allways requires either, regardless
-     of this setting. */
   "requireAuthorization": false,
 
-  /* Users for basic authentication. is_admin = true gives access to /admin */
+  /* Users for basic authentication. is_admin = true gives access to /admin.
+     If you do not uncomment this, /admin will not be available! */
+  /*
   "users": {
     "admin": {
-      "password": "changeme",
+      "password": "changeme1",
       "is_admin": true
     },
     "user": {
-      "password": "changeme",
+      "password": "changeme1",
       "is_admin": false
     }
   },
+  */
 
   /* The log level we are using, can be: DEBUG, INFO, WARN, ERROR */
   "loglevel": "INFO"

src/node/hooks/express/adminplugins.js

@@ -21,7 +21,7 @@ exports.expressCreateServer = function (hook_name, args, cb) {
 exports.socketio = function (hook_name, args, cb) {
   var io = args.io.of("/pluginfw/installer");
   io.on('connection', function (socket) {
-    if (!socket.handshake.session.user.is_admin) return;
+    if (!socket.handshake.session.user || !socket.handshake.session.user.is_admin) return;
 
     socket.on("load", function (query) {
       socket.emit("installed-results", {results: plugins.plugins});

src/node/hooks/express/webaccess.js

@@ -8,7 +8,13 @@ var hooks = require('ep_etherpad-lite/static/js/pluginfw/hooks');
 
 //checks for basic http auth
 exports.basicAuth = function (req, res, next) {
- var authorize = function (cb) {
+  var hookResultMangle = function (cb) {
+    return function (err, data) {
+      return cb(!err && data.length && data[0]);
+    }
+  }
+
+  var authorize = function (cb) {
     // Do not require auth for static paths...this could be a bit brittle
     if (req.path.match(/^\/(static|javascripts|pluginfw)/)) return cb(true);
 
@@ -19,8 +25,7 @@ exports.basicAuth = function (req, res, next) {
 
     if (req.session && req.session.user && req.session.user.is_admin) return cb(true);
 
-    // hooks.aCallFirst("authorize", {resource: req.path, req: req}, cb);
+    hooks.aCallFirst("authorize", {req: req, res:res, next:next, resource: req.path}, hookResultMangle(cb));
-    cb(false);
   }
 
   var authenticate = function (cb) {
@@ -35,24 +40,28 @@ exports.basicAuth = function (req, res, next) {
         req.session.user = settings.users[username];
         return cb(true);
       }
-      // return hooks.aCallFirst("authenticate", {req: req, username: username, password: password}, cb);
+        return hooks.aCallFirst("authenticate", {req: req, res:res, next:next, username: username, password: password}, hookResultMangle(cb));
     }
-    // hooks.aCallFirst("authenticate", {req: req}, cb);
+    hooks.aCallFirst("authenticate", {req: req, res:res, next:next}, hookResultMangle(cb));
-    cb(false);
   }
 
 
+  /* Authentication OR authorization failed. */
   var failure = function () {
-    /* Authentication OR authorization failed. Return Auth required
+    return hooks.aCallFirst("authFailure", {req: req, res:res, next:next}, hookResultMangle(function (ok) {
-     * Headers, delayed for 1 second, if authentication failed. */
+    if (ok) return;
-    res.header('WWW-Authenticate', 'Basic realm="Protected Area"');
+      /* No plugin handler for invalid auth. Return Auth required
-    if (req.headers.authorization) {
+       * Headers, delayed for 1 second, if authentication failed
-      setTimeout(function () {
+       * before. */
+      res.header('WWW-Authenticate', 'Basic realm="Protected Area"');
+      if (req.headers.authorization) {
+        setTimeout(function () {
+          res.send('Authentication required', 401);
+        }, 1000);
+      } else {
         res.send('Authentication required', 401);
-      }, 1000);
+      }
-    } else {
+    }));
-      res.send('Authentication required', 401);
-    }
   }
 
 

src/node/server.js

@@ -30,6 +30,7 @@ var path = require('path');
 var plugins = require("ep_etherpad-lite/static/js/pluginfw/plugins");
 var hooks = require("ep_etherpad-lite/static/js/pluginfw/hooks");
 var npm = require("npm/lib/npm.js");
+var  _ = require("underscore");
 
 //try to get the git version
 var version = "";
@@ -88,11 +89,11 @@ async.waterfall([
     //let the server listen
     app.listen(settings.port, settings.ip);
     console.log("Server is listening at " + settings.ip + ":" + settings.port);
-    if(settings.adminHttpAuth){
+    if(!_.isEmpty(settings.users)){
       console.log("Plugin admin page listening at " + settings.ip + ":" + settings.port + "/admin/plugins");
     }
     else{
-      console.log("Admin username and password not set in settings.json.  To access admin please uncomment and edit adminHttpAuth in settings.json");
+      console.log("Admin username and password not set in settings.json.  To access admin please uncomment and edit 'users' in settings.json");
     }
     callback(null);  
   }