Sravan
5448cf0614
When BIZGAZE_LOGIN_URL is configured, verify credentials ONLY against BizGaze (no local-password fallback) so stale in-app accounts can't shadow a BizGaze login. Everyone is then provisioned into the same tenant, restoring the admin's team-scoped "see all sessions" report. - login: BizGaze-only when the IdP is configured; local path kept for dev/tests - provisionFromBizgaze: keep role in sync with BizGaze (isAdmin) on every login; optional ADMIN_EMAILS allowlist as a lockout safety net - block POST /api/users (add local agent) when BizGaze is the IdP — this is what previously split tenants - scripts/migrate-bizgaze-only.js: one-time, dry-run-by-default cleanup that deletes pre-BizGaze local accounts (no sso_user_created audit entry) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
358 regels
19 KiB
JavaScript
358 regels
19 KiB
JavaScript
// HTTP JSON API routes (auth, MFA, users, machines, report, audit, media uploads, SSO).
|
|
// Returns a { "METHOD /path": handler } map consumed by server.js.
|
|
const fs = require('fs');
|
|
const path = require('path');
|
|
const R = require('./repos');
|
|
const A = require('./auth');
|
|
const BZ = require('./bizgaze');
|
|
const { now, json, readBody, parseCookies } = require('./lib');
|
|
const { audit, currentUser } = require('./session');
|
|
const { onlineAgents } = require('./presence');
|
|
const { REC_DIR, TRANS_DIR, SESSION_TTL } = require('./config');
|
|
|
|
const routes = {};
|
|
const route = (method, p, fn) => (routes[`${method} ${p}`] = fn);
|
|
|
|
// Register: creates a team + admin user. MFA must be set up before full access.
|
|
route('POST', '/api/register', async (req, res) => {
|
|
const anyUser = R.users.anyExists();
|
|
if (anyUser && process.env.ALLOW_REGISTRATION !== '1')
|
|
return json(res, 403, { error: 'Registration is closed. Contact your administrator.' });
|
|
const { email, password, teamName } = await readBody(req);
|
|
if (!email || !password) return json(res, 400, { error: 'email and password required' });
|
|
if (R.users.emailExists(email))
|
|
return json(res, 409, { error: 'email already registered' });
|
|
const { hash, salt } = A.hashPassword(password);
|
|
const team = R.teams.create(teamName || `${email}'s team`);
|
|
const userId = R.users.create({ tenantId: team.id, email, hash, salt, role: 'admin', name: null, mfaSecret: A.newMfaSecret() });
|
|
audit({ team_id: team.id, user_id: userId, user_email: email, action: 'user_registered' });
|
|
json(res, 200, { ok: true });
|
|
});
|
|
|
|
// Verify MFA enrollment (confirm the user scanned the QR / entered code)
|
|
route('POST', '/api/mfa/enable', async (req, res) => {
|
|
const { email, code } = await readBody(req);
|
|
const u = R.users.byEmail(email);
|
|
if (!u) return json(res, 404, { error: 'no such user' });
|
|
if (!A.verifyTotp(u.mfa_secret, code)) return json(res, 401, { error: 'invalid code' });
|
|
R.users.enableMfa(u.id);
|
|
json(res, 200, { ok: true });
|
|
});
|
|
|
|
// Provision (or refresh) a local user from a successful BizGaze identity check.
|
|
// The local row exists so sessions, audit, and team-scoped data work; BizGaze stays
|
|
// the source of truth for credentials (the local password is random + unused).
|
|
// Emails that must always be admins regardless of what BizGaze returns (safety net so an
|
|
// admin can't be locked out of the report if BizGaze doesn't flag them isAdmin). Optional.
|
|
const ADMIN_EMAILS = (process.env.ADMIN_EMAILS || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
|
|
function provisionFromBizgaze(email, bz) {
|
|
const role = (bz.isAdmin || ADMIN_EMAILS.includes(String(email).toLowerCase())) ? 'admin' : 'technician';
|
|
const existing = R.users.byEmail(email);
|
|
if (!existing) {
|
|
const team = R.teams.first() || R.teams.create('BizGaze');
|
|
const { hash, salt } = A.hashPassword(A.token());
|
|
const id = R.users.create({ tenantId: team.id, email, hash, salt, role, name: bz.name || null, mfaSecret: A.newMfaSecret() });
|
|
audit({ team_id: team.id, user_id: id, user_email: email, action: 'sso_user_created', detail: 'via BizGaze' });
|
|
return R.users.byId(id);
|
|
}
|
|
// BizGaze is the source of truth: keep name + role in sync on each login.
|
|
if (bz.name && bz.name !== existing.name) R.users.setName(existing.id, bz.name);
|
|
if (existing.role !== role) R.users.setRole(existing.id, role);
|
|
return R.users.byId(existing.id);
|
|
}
|
|
|
|
// Login: when BizGaze (BIZGAZE_LOGIN_URL) is configured it is the ONLY authority — the
|
|
// credentials are verified against BizGaze and the user is provisioned/synced locally
|
|
// (local passwords are not accepted). Without it (dev/tests) the local password is
|
|
// checked. Sets a session cookie.
|
|
route('POST', '/api/login', async (req, res) => {
|
|
const { email, password, remember } = await readBody(req);
|
|
if (!email || !password) return json(res, 400, { error: 'email and password required' });
|
|
const existing = R.users.byEmail(email);
|
|
if (existing && existing.active === 0) return json(res, 403, { error: 'This account has been deactivated' });
|
|
|
|
let u = null;
|
|
if (BZ.isEnabled()) {
|
|
// BizGaze is the identity provider: credentials are ALWAYS verified against BizGaze.
|
|
// Local passwords are NOT accepted, so stale in-app accounts can't shadow a BizGaze
|
|
// login and everyone provisions into the same tenant (admins then see all sessions).
|
|
const bz = await BZ.validateLogin(email, password);
|
|
if (bz.error) return json(res, 503, { error: bz.error });
|
|
if (!bz.ok) return json(res, 401, { error: bz.message || 'Username or password do not match.' });
|
|
u = provisionFromBizgaze(email, bz);
|
|
if (u && u.active === 0) return json(res, 403, { error: 'This account has been deactivated' });
|
|
} else {
|
|
// No identity provider configured (local/dev/tests): verify the local password.
|
|
u = (existing && A.verifyPassword(password, existing.pw_salt, existing.pw_hash)) ? existing : null;
|
|
if (!u) return json(res, existing ? 401 : 404, { error: existing ? 'Incorrect password. Please try again.' : 'This email is not registered.' });
|
|
}
|
|
|
|
const tok = A.token();
|
|
const ttl = remember ? 1000 * 60 * 60 * 24 * 30 : SESSION_TTL; // 30 days if remembered, else 24h
|
|
R.authSessions.create({ token: tok, userId: u.id, mfaPassed: true, ttl });
|
|
res.setHeader('Set-Cookie', `sid=${tok}; HttpOnly; Path=/; Max-Age=${ttl / 1000}`);
|
|
audit({ team_id: u.team_id, user_id: u.id, user_email: u.email, action: 'login' });
|
|
// Cookie for the web app; token in the body for native desktop/mobile clients
|
|
// (they send it back as `Authorization: Bearer <token>`).
|
|
json(res, 200, { ok: true, mfaRequired: false, token: tok, expiresAt: now() + ttl });
|
|
});
|
|
|
|
// Login step 2: TOTP code -> marks session mfa_passed
|
|
route('POST', '/api/login/mfa', async (req, res) => {
|
|
const { code } = await readBody(req);
|
|
const tok = parseCookies(req).sid;
|
|
const s = tok && R.authSessions.byToken(tok);
|
|
if (!s) return json(res, 401, { error: 'no session' });
|
|
const u = R.users.byId(s.user_id);
|
|
if (!A.verifyTotp(u.mfa_secret, code)) return json(res, 401, { error: 'invalid code' });
|
|
R.authSessions.markMfaPassed(tok);
|
|
audit({ team_id: u.team_id, user_id: u.id, user_email: u.email, action: 'login' });
|
|
json(res, 200, { ok: true });
|
|
});
|
|
|
|
route('POST', '/api/logout', async (req, res) => {
|
|
const tok = parseCookies(req).sid;
|
|
if (tok) R.authSessions.deleteByToken(tok);
|
|
res.setHeader('Set-Cookie', 'sid=; HttpOnly; Path=/; Max-Age=0');
|
|
json(res, 200, { ok: true });
|
|
});
|
|
|
|
route('GET', '/api/setup-state', async (req, res) => {
|
|
const anyUser = R.users.anyExists();
|
|
json(res, 200, { registrationOpen: !anyUser || process.env.ALLOW_REGISTRATION === '1' });
|
|
});
|
|
|
|
// ICE servers for WebRTC. Always includes a public STUN; adds managed TURN if
|
|
// configured via env (TURN_URLS comma-separated, TURN_USERNAME, TURN_CREDENTIAL).
|
|
route('GET', '/api/ice', async (req, res) => {
|
|
const iceServers = [{ urls: 'stun:stun.l.google.com:19302' }];
|
|
if (process.env.TURN_URLS) {
|
|
iceServers.push({
|
|
urls: process.env.TURN_URLS.split(',').map((u) => u.trim()).filter(Boolean),
|
|
username: process.env.TURN_USERNAME || '',
|
|
credential: process.env.TURN_CREDENTIAL || '',
|
|
});
|
|
}
|
|
json(res, 200, { iceServers });
|
|
});
|
|
|
|
route('GET', '/api/me', async (req, res) => {
|
|
const u = currentUser(req);
|
|
if (!u) return json(res, 401, { error: 'unauthorized' });
|
|
json(res, 200, { id: u.id, email: u.email, role: u.role, teamId: u.team_id, name: u.name || null });
|
|
});
|
|
|
|
// ---------- BizGaze SSO: agent arrives already logged in ----------
|
|
route('GET', '/sso', async (req, res) => {
|
|
if (!process.env.SSO_SECRET) { res.writeHead(503); return res.end('SSO not configured'); }
|
|
const q = new URLSearchParams(req.url.split('?')[1] || '');
|
|
const token = q.get('token') || '';
|
|
const [payloadB64, sig] = token.split('.');
|
|
const fail = (msg) => { res.writeHead(403, { 'Content-Type': 'text/plain' }); res.end(msg); };
|
|
if (!payloadB64 || !sig) return fail('Invalid SSO token');
|
|
const crypto = require('crypto');
|
|
const expect = crypto.createHmac('sha256', process.env.SSO_SECRET).update(payloadB64).digest('base64url');
|
|
const sigBuf = Buffer.from(sig), expBuf = Buffer.from(expect);
|
|
if (sigBuf.length !== expBuf.length || !crypto.timingSafeEqual(sigBuf, expBuf)) return fail('Invalid SSO signature');
|
|
let p; try { p = JSON.parse(Buffer.from(payloadB64, 'base64url').toString()); } catch { return fail('Invalid SSO payload'); }
|
|
if (!p.email || !p.exp || p.exp < Math.floor(now() / 1000)) return fail('SSO token expired');
|
|
let u = R.users.byEmail(p.email);
|
|
if (!u) {
|
|
const team = R.teams.first();
|
|
if (!team) return fail('No team configured');
|
|
const { hash, salt } = A.hashPassword(A.token());
|
|
const role = (p.role === 'admin' || p.role === 'viewer') ? p.role : 'technician';
|
|
const userId = R.users.create({ tenantId: team.id, email: p.email, hash, salt, role, name: p.name || null, mfaSecret: A.newMfaSecret() });
|
|
u = R.users.byId(userId);
|
|
audit({ team_id: team.id, user_id: userId, user_email: p.email, action: 'sso_user_created', detail: p.name || '' });
|
|
} else if (p.name && p.name !== u.name) {
|
|
R.users.setName(u.id, p.name);
|
|
}
|
|
if (u.active === 0) return fail('Account deactivated');
|
|
const tok = A.token();
|
|
R.authSessions.create({ token: tok, userId: u.id, mfaPassed: true, ttl: SESSION_TTL });
|
|
audit({ team_id: u.team_id, user_id: u.id, user_email: u.email, action: 'login', detail: 'via BizGaze SSO' });
|
|
const dest = '/connect' + (p.ticket ? ('?ticket=' + encodeURIComponent(p.ticket)) : '');
|
|
res.writeHead(302, { 'Set-Cookie': `sid=${tok}; HttpOnly; Path=/; Max-Age=${SESSION_TTL / 1000}`, Location: dest });
|
|
res.end();
|
|
});
|
|
|
|
// Admin adds an agent login to their team
|
|
route('POST', '/api/users', async (req, res) => {
|
|
const u = currentUser(req);
|
|
if (!u) return json(res, 401, { error: 'unauthorized' });
|
|
if (u.role !== 'admin') return json(res, 403, { error: 'only admins can add agents' });
|
|
// With BizGaze as the identity provider, logins are created in BizGaze — not here.
|
|
// (Creating local accounts is what previously shadowed BizGaze and split tenants.)
|
|
if (BZ.isEnabled()) return json(res, 400, { error: 'Logins are managed in BizGaze. Add the user in BizGaze; they appear here on first sign-in.' });
|
|
const { email, password, name, role } = await readBody(req);
|
|
if (!email || !password) return json(res, 400, { error: 'email and temporary password required' });
|
|
if (R.users.emailExists(email))
|
|
return json(res, 409, { error: 'email already registered' });
|
|
const { hash, salt } = A.hashPassword(password);
|
|
const r = (role === 'admin' || role === 'viewer') ? role : 'technician';
|
|
const userId = R.users.create({ tenantId: u.team_id, email, hash, salt, role: r, name: name || null, mfaSecret: A.newMfaSecret() });
|
|
audit({ team_id: u.team_id, user_id: u.id, user_email: u.email, action: 'agent_added', detail: email + ' (' + r + ')' });
|
|
json(res, 200, { ok: true, id: userId, email, role: r });
|
|
});
|
|
|
|
// List the team's agents
|
|
route('GET', '/api/users', async (req, res) => {
|
|
const u = currentUser(req);
|
|
if (!u) return json(res, 401, { error: 'unauthorized' });
|
|
const rows = R.users.listByTenant(u.team_id);
|
|
json(res, 200, rows);
|
|
});
|
|
|
|
// First-login MFA self-setup: a logged-in (password ok) user who hasn't enabled MFA yet
|
|
route('GET', '/api/mfa/setup', async (req, res) => {
|
|
const u = currentUser(req, { requireMfa: false });
|
|
if (!u) return json(res, 401, { error: 'unauthorized' });
|
|
if (u.mfa_enabled) return json(res, 400, { error: 'MFA already enabled' });
|
|
json(res, 200, { secret: u.mfa_secret, otpauthUrl: A.otpauthUrl(u.mfa_secret, u.email) });
|
|
});
|
|
|
|
// Admin manages an agent: reset password, rename, deactivate/activate, delete.
|
|
route('POST', '/api/users/manage', async (req, res) => {
|
|
const u = currentUser(req);
|
|
if (!u) return json(res, 401, { error: 'unauthorized' });
|
|
if (u.role !== 'admin') return json(res, 403, { error: 'only admins can manage agents' });
|
|
const { id, action, password, name } = await readBody(req);
|
|
const target = R.users.inTenant(id, u.team_id);
|
|
if (!target) return json(res, 404, { error: 'no such agent' });
|
|
switch (action) {
|
|
case 'reset-password': {
|
|
if (!password || String(password).length < 8) return json(res, 400, { error: 'new password must be at least 8 characters' });
|
|
const { hash, salt } = A.hashPassword(password);
|
|
R.users.setPassword(target.id, hash, salt);
|
|
R.authSessions.deleteByUser(target.id); // force re-login
|
|
audit({ team_id: u.team_id, user_id: u.id, user_email: u.email, action: 'agent_password_reset', detail: target.email });
|
|
return json(res, 200, { ok: true });
|
|
}
|
|
case 'rename': {
|
|
const clean = String(name || '').trim().slice(0, 60);
|
|
if (!clean) return json(res, 400, { error: 'name required' });
|
|
R.users.setName(target.id, clean);
|
|
audit({ team_id: u.team_id, user_id: u.id, user_email: u.email, action: 'agent_renamed', detail: target.email + ' -> ' + clean });
|
|
return json(res, 200, { ok: true, name: clean });
|
|
}
|
|
case 'deactivate': {
|
|
if (target.id === u.id) return json(res, 400, { error: 'you cannot deactivate your own account' });
|
|
R.users.setActive(target.id, false);
|
|
R.authSessions.deleteByUser(target.id);
|
|
audit({ team_id: u.team_id, user_id: u.id, user_email: u.email, action: 'agent_deactivated', detail: target.email });
|
|
return json(res, 200, { ok: true });
|
|
}
|
|
case 'activate': {
|
|
R.users.setActive(target.id, true);
|
|
audit({ team_id: u.team_id, user_id: u.id, user_email: u.email, action: 'agent_activated', detail: target.email });
|
|
return json(res, 200, { ok: true });
|
|
}
|
|
case 'delete': {
|
|
if (target.id === u.id) return json(res, 400, { error: 'you cannot delete your own account' });
|
|
R.authSessions.deleteByUser(target.id);
|
|
R.users.remove(target.id);
|
|
audit({ team_id: u.team_id, user_id: u.id, user_email: u.email, action: 'agent_deleted', detail: target.email });
|
|
return json(res, 200, { ok: true });
|
|
}
|
|
default: return json(res, 400, { error: 'unknown action' });
|
|
}
|
|
});
|
|
|
|
// Session report: one row per session, filterable by agent and date period
|
|
route('GET', '/api/report', async (req, res) => {
|
|
const u = currentUser(req);
|
|
if (!u) return json(res, 401, { error: 'unauthorized' });
|
|
const q = new URLSearchParams(req.url.split('?')[1] || '');
|
|
// Admins see the whole team (and may filter by agent); everyone else sees only
|
|
// their own sessions, regardless of any agent filter passed.
|
|
const agentEmail = u.role !== 'admin' ? u.email : (q.get('agent') || null);
|
|
const from = q.get('from') ? new Date(q.get('from') + 'T00:00:00').getTime() : null;
|
|
const to = q.get('to') ? new Date(q.get('to') + 'T23:59:59').getTime() : null;
|
|
json(res, 200, R.sessionsLog.report({ tenantId: u.team_id, agentEmail, from, to }));
|
|
});
|
|
|
|
// List machines for the team (with live online status from signaling layer)
|
|
route('GET', '/api/machines', async (req, res) => {
|
|
const u = currentUser(req);
|
|
if (!u) return json(res, 401, { error: 'unauthorized' });
|
|
const rows = R.machines.listByTenant(u.team_id);
|
|
json(res, 200, rows.map((m) => ({ ...m, online: onlineAgents.has(m.id) })));
|
|
});
|
|
|
|
// Create a machine enrollment token (admin/technician). Agent uses it to come online.
|
|
route('POST', '/api/machines', async (req, res) => {
|
|
const u = currentUser(req);
|
|
if (!u) return json(res, 401, { error: 'unauthorized' });
|
|
if (u.role === 'viewer') return json(res, 403, { error: 'forbidden' });
|
|
const { name, unattended } = await readBody(req);
|
|
const enroll = A.token();
|
|
const mId = R.machines.create({ tenantId: u.team_id, name: name || 'Unnamed PC', enrollToken: enroll, unattended: !!unattended });
|
|
audit({ team_id: u.team_id, user_id: u.id, user_email: u.email, machine_id: mId, machine_name: name, action: 'machine_enrolled' });
|
|
json(res, 200, { id: mId, enrollToken: enroll });
|
|
});
|
|
|
|
route('GET', '/api/audit', async (req, res) => {
|
|
const u = currentUser(req);
|
|
if (!u) return json(res, 401, { error: 'unauthorized' });
|
|
const rows = R.audit.listByTenant(u.team_id);
|
|
json(res, 200, rows);
|
|
});
|
|
|
|
// ---------- session recording: upload (agent) ----------
|
|
const MAX_REC_BYTES = 500 * 1024 * 1024; // 500 MB safety cap
|
|
route('POST', '/api/recording', async (req, res) => {
|
|
const u = currentUser(req);
|
|
if (!u) return json(res, 401, { error: 'unauthorized' });
|
|
const params = new URLSearchParams(req.url.split('?')[1] || '');
|
|
const sid = params.get('sessionId');
|
|
const ext = params.get('ext') === 'mp4' ? 'mp4' : 'webm'; // container chosen by the recorder
|
|
if (!sid) return json(res, 400, { error: 'sessionId required' });
|
|
const row = R.sessionsLog.byIdInTenant(sid, u.team_id);
|
|
if (!row) return json(res, 404, { error: 'no such session' });
|
|
const chunks = []; let total = 0, aborted = false;
|
|
req.on('data', (c) => { total += c.length; if (total > MAX_REC_BYTES) { aborted = true; req.destroy(); return; } chunks.push(c); });
|
|
req.on('end', () => {
|
|
if (aborted) return json(res, 413, { error: 'recording too large' });
|
|
const fname = sid + '.' + ext;
|
|
try {
|
|
fs.writeFileSync(path.join(REC_DIR, fname), Buffer.concat(chunks));
|
|
R.sessionsLog.setRecording(sid, fname);
|
|
audit({ team_id: u.team_id, user_id: u.id, user_email: u.email, action: 'recording_saved', detail: 'session ' + sid });
|
|
json(res, 200, { ok: true });
|
|
} catch (e) { json(res, 500, { error: 'could not save recording' }); }
|
|
});
|
|
req.on('error', () => { try { res.end(); } catch (e) {} });
|
|
});
|
|
|
|
route('POST', '/api/transcript', async (req, res) => {
|
|
const u = currentUser(req);
|
|
if (!u) return json(res, 401, { error: 'unauthorized' });
|
|
const sid = new URLSearchParams(req.url.split('?')[1] || '').get('sessionId');
|
|
if (!sid) return json(res, 400, { error: 'sessionId required' });
|
|
const row = R.sessionsLog.byIdInTenant(sid, u.team_id);
|
|
if (!row) return json(res, 404, { error: 'no such session' });
|
|
const chunks = []; let total = 0, aborted = false;
|
|
req.on('data', (c) => { total += c.length; if (total > 5 * 1024 * 1024) { aborted = true; req.destroy(); return; } chunks.push(c); });
|
|
req.on('end', () => {
|
|
if (aborted) return json(res, 413, { error: 'transcript too large' });
|
|
const fname = sid + '.txt';
|
|
try {
|
|
fs.writeFileSync(path.join(TRANS_DIR, fname), Buffer.concat(chunks));
|
|
R.sessionsLog.setTranscript(sid, fname);
|
|
json(res, 200, { ok: true });
|
|
} catch (e) { json(res, 500, { error: 'could not save transcript' }); }
|
|
});
|
|
req.on('error', () => { try { res.end(); } catch (e) {} });
|
|
});
|
|
|
|
// API versioning: alias every /api/* route under /api/v1/* — a frozen contract for
|
|
// native desktop/mobile clients. The web app keeps using the unversioned paths, and
|
|
// both share the same handlers. (/sso is a browser redirect, intentionally unversioned.)
|
|
for (const key of Object.keys(routes)) {
|
|
const m = key.match(/^(\S+) \/api\/(.+)$/);
|
|
if (m) routes[`${m[1]} /api/v1/${m[2]}`] = routes[key];
|
|
}
|
|
|
|
module.exports = routes;
|