parse-dashboard = function (config, allowInsecureHTTP) {
var app = express();
// Serve public files.
app.use(express.static(path.join(__dirname,'public')));
// Allow setting via middleware
if (config.trustProxy && app.disabled('trust proxy')) {
app.enable('trust proxy');
}
// wait for app to mount in order to get mountpath
app.on('mount', function() {
const mountPath = getMount(app.mountpath);
const users = config.users;
const useEncryptedPasswords = config.useEncryptedPasswords ? true : false;
const authInstance = new Authentication(users, useEncryptedPasswords, mountPath);
authInstance.initialize(app);
// CSRF error handler
app.use(function (err, req, res, next) {
if (err.code !== 'EBADCSRFTOKEN') return next(err)
// handle CSRF token errors here
res.status(403)
res.send('form tampered with')
});
// Serve the configuration.
app.get('/parse-dashboard-config.json', function(req, res) {
let response = {
apps: config.apps,
newFeaturesInLatestVersion: newFeaturesInLatestVersion,
};
//Based on advice from Doug Wilson here:
//https://github.com/expressjs/express/issues/2518
const requestIsLocal =
req.connection.remoteAddress === '127.0.0.1' ||
req.connection.remoteAddress === '::ffff:127.0.0.1' ||
req.connection.remoteAddress === '::1';
if (!requestIsLocal && !req.secure && !allowInsecureHTTP) {
//Disallow HTTP requests except on localhost, to prevent the master key from being transmitted in cleartext
return res.send({ success: false, error: 'Parse Dashboard can only be remotely accessed via HTTPS' });
}
if (!requestIsLocal && !users) {
//Accessing the dashboard over the internet can only be done with username and password
return res.send({ success: false, error: 'Configure a user to access Parse Dashboard remotely' });
}
const authentication = req.user;
const successfulAuth = authentication && authentication.isAuthenticated;
const appsUserHasAccess = authentication && authentication.appsUserHasAccessTo;
if (successfulAuth) {
if (appsUserHasAccess) {
// Restric access to apps defined in user dictionary
// If they didn't supply any app id, user will access all apps
response.apps = response.apps.filter(function (app) {
return appsUserHasAccess.find(appUserHasAccess => {
return app.appId == appUserHasAccess.appId
})
});
}
// They provided correct auth
return res.json(response);
}
if (users) {
//They provided incorrect auth
return res.sendStatus(401);
}
//They didn't provide auth, and have configured the dashboard to not need auth
//(ie. didn't supply usernames and passwords)
if (requestIsLocal) {
//Allow no-auth access on localhost only, if they have configured the dashboard to not need auth
return res.json(response);
}
//We shouldn't get here. Fail closed.
res.send({ success: false, error: 'Something went wrong.' });
});
// Serve the app icons. Uses the optional `iconsFolder` parameter as
// directory name, that was setup in the config file.
// We are explicitly not using `__dirpath` here because one may be
// running parse-dashboard from globally installed npm.
if (config.iconsFolder) {
try {
var stat = fs.statSync(config.iconsFolder);
if (stat.isDirectory()) {
app.use('/appicons', express.static(config.iconsFolder));
//Check also if the icons really exist
checkIfIconsExistForApps(config.apps, config.iconsFolder);
}
} catch (e) {
// Directory doesn't exist or something.
console.warn("Iconsfolder at path: " + config.iconsFolder +
" not found!");
}
}
app.get('/login', csrf(), function(req, res) {
if (!users || (req.user && req.user.isAuthenticated)) {
return res.redirec ...n/a
function Authentication(validUsers, useEncryptedPasswords, mountPath) {
this.validUsers = validUsers;
this.useEncryptedPasswords = useEncryptedPasswords || false;
this.mountPath = mountPath;
}n/a
function Authentication(validUsers, useEncryptedPasswords, mountPath) {
this.validUsers = validUsers;
this.useEncryptedPasswords = useEncryptedPasswords || false;
this.mountPath = mountPath;
}n/a
function authenticate(userToTest, usernameOnly) {
var appsUserHasAccessTo = null;
var matchingUsername = null;
//they provided auth
let isAuthenticated = userToTest &&
//there are configured users
this.validUsers &&
//the provided auth matches one of the users
this.validUsers.find(user => {
let isAuthenticated = false;
let usernameMatches = userToTest.name == user.user;
let passwordMatches = this.useEncryptedPasswords && !usernameOnly ? bcrypt.compareSync(userToTest.pass, user.pass) : userToTest
.pass == user.pass;
if (usernameMatches && (usernameOnly || passwordMatches)) {
isAuthenticated = true;
matchingUsername = user.user;
// User restricted apps
appsUserHasAccessTo = user.apps || null;
}
return isAuthenticated;
}) ? true : false;
return {
isAuthenticated,
matchingUsername,
appsUserHasAccessTo
};
}...
this.mountPath = mountPath;
}
function initialize(app) {
var self = this;
passport.use('local', new LocalStrategy(
function(username, password, cb) {
var match = self.authenticate({
name: username,
pass: password
});
if (!match.matchingUsername) {
return cb(null, false, { message: 'Invalid username or password' });
}
cb(null, match.matchingUsername);
...function initialize(app) {
var self = this;
passport.use('local', new LocalStrategy(
function(username, password, cb) {
var match = self.authenticate({
name: username,
pass: password
});
if (!match.matchingUsername) {
return cb(null, false, { message: 'Invalid username or password' });
}
cb(null, match.matchingUsername);
})
);
passport.serializeUser(function(username, cb) {
cb(null, username);
});
passport.deserializeUser(function(username, cb) {
var user = self.authenticate({
name: username
}, true);
cb(null, user);
});
app.use(require('connect-flash')());
app.use(require('body-parser').urlencoded({ extended: true }));
app.use(require('cookie-session')({
key : 'parse_dash',
secret : 'magic',
cookie : {
maxAge: (2 * 7 * 24 * 60 * 60 * 1000) // 2 weeks
}
}));
app.use(passport.initialize());
app.use(passport.session());
app.post('/login',
csrf(),
passport.authenticate('local', {
successRedirect: `${self.mountPath}apps`,
failureRedirect: `${self.mountPath}login`,
failureFlash : true
})
);
app.get('/logout', function(req, res){
req.logout();
res.redirect(`${self.mountPath}login`);
});
}...
// wait for app to mount in order to get mountpath
app.on('mount', function() {
const mountPath = getMount(app.mountpath);
const users = config.users;
const useEncryptedPasswords = config.useEncryptedPasswords ? true : false;
const authInstance = new Authentication(users, useEncryptedPasswords, mountPath);
authInstance.initialize(app);
// CSRF error handler
app.use(function (err, req, res, next) {
if (err.code !== 'EBADCSRFTOKEN') return next(err)
// handle CSRF token errors here
res.status(403)
...