013f57fe60
✅ Backend Implementation: - Add Azure AD JWT token validation middleware - Create hybrid authentication system supporting both Azure AD and password auth - Implement auto-provisioning for new Azure AD users - Add admin controls to toggle password authentication - Update all API routes to use hybrid authentication - Add database fields for authentication (password, lastLoginAt) - Create comprehensive auth routes with validation endpoints ✅ Frontend Implementation: - Install and configure Azure MSAL browser library - Create Azure AD authentication service with popup/redirect support - Build hybrid authentication service managing both auth methods - Update Login.vue with modern dual-authentication UI - Implement dynamic password auth toggle based on admin settings - Update App.vue for proper session management and validation - Modify API service to handle both token types ✅ Security Features: - Azure AD tenant validation (Oliver Agency) - Role-based access control with auto-admin assignment - JWT token validation for both auth methods - Automatic user provisioning with proper defaults - Session validation and automatic logout on token expiry ✅ Admin Features: - Toggle password authentication on/off - Manage users from both authentication methods - Full role and agent access control - Azure AD user auto-provisioning as regular users ✅ Configuration: - Azure AD: Tenant e519c2e6-bc6d-4fdf-8d9c-923c2f002385 - Client ID: 9079054c-9620-4757-a256-23413042f1ef - Development redirect URI support - Fallback password authentication for testing 🔧 Technical Stack: - Azure MSAL Browser & Node libraries - JWT token validation and hybrid middleware - Database schema updates with migrations - Vue.js integration with MSAL - Express.js hybrid authentication routes 🚀 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
230 lines
No EOL
7.1 KiB
JavaScript
230 lines
No EOL
7.1 KiB
JavaScript
const express = require('express');
|
|
const bcrypt = require('bcrypt');
|
|
const User = require('../models/User');
|
|
const { authenticateToken, generateToken } = require('../middleware/auth');
|
|
const { validateAzureToken, hybridAuthenticate } = require('../middleware/azureAuth');
|
|
|
|
const router = express.Router();
|
|
|
|
// Global setting for password authentication (stored in memory for now)
|
|
let passwordAuthEnabled = true;
|
|
|
|
// Login endpoint (password-based)
|
|
router.post('/login', async (req, res) => {
|
|
try {
|
|
// Check if password authentication is enabled
|
|
if (!passwordAuthEnabled) {
|
|
return res.status(403).json({ message: 'Password authentication is disabled. Please use Azure AD login.' });
|
|
}
|
|
|
|
const { email, password } = req.body;
|
|
|
|
if (!email || !password) {
|
|
return res.status(400).json({ message: 'Email and password are required' });
|
|
}
|
|
|
|
// Find user by email
|
|
const user = await User.findOne({ where: { email: email.toLowerCase() } });
|
|
|
|
if (!user) {
|
|
return res.status(401).json({ message: 'Invalid credentials' });
|
|
}
|
|
|
|
if (!user.isActive) {
|
|
return res.status(401).json({ message: 'Account is disabled' });
|
|
}
|
|
|
|
// Verify password
|
|
const validPassword = await bcrypt.compare(password, user.password);
|
|
if (!validPassword) {
|
|
return res.status(401).json({ message: 'Invalid credentials' });
|
|
}
|
|
|
|
// Update last login time
|
|
await user.update({ lastLoginAt: new Date() });
|
|
|
|
// Generate token
|
|
const token = generateToken(user);
|
|
|
|
res.json({
|
|
message: 'Login successful',
|
|
user: {
|
|
id: user.id,
|
|
email: user.email,
|
|
name: user.name,
|
|
role: user.preferences?.role || 'user',
|
|
allowedAgents: user.preferences?.allowedAgents || null
|
|
},
|
|
token
|
|
});
|
|
} catch (error) {
|
|
console.error('Login error:', error);
|
|
res.status(500).json({ message: 'Server error during login' });
|
|
}
|
|
});
|
|
|
|
// Token validation endpoint
|
|
router.get('/validate', authenticateToken, async (req, res) => {
|
|
try {
|
|
// User data is already validated and attached by middleware
|
|
res.json({
|
|
user: req.user,
|
|
valid: true
|
|
});
|
|
} catch (error) {
|
|
console.error('Token validation error:', error);
|
|
res.status(500).json({ message: 'Server error during validation' });
|
|
}
|
|
});
|
|
|
|
// Logout endpoint
|
|
router.post('/logout', authenticateToken, (req, res) => {
|
|
// In a real application with token blacklisting, you would add the token to a blacklist here
|
|
res.json({ message: 'Logged out successfully' });
|
|
});
|
|
|
|
// Change password endpoint
|
|
router.put('/change-password', authenticateToken, async (req, res) => {
|
|
try {
|
|
const { currentPassword, newPassword } = req.body;
|
|
|
|
if (!currentPassword || !newPassword) {
|
|
return res.status(400).json({ message: 'Current and new passwords are required' });
|
|
}
|
|
|
|
if (newPassword.length < 8) {
|
|
return res.status(400).json({ message: 'New password must be at least 8 characters' });
|
|
}
|
|
|
|
const user = await User.findByPk(req.user.id);
|
|
|
|
// Verify current password
|
|
const validPassword = await bcrypt.compare(currentPassword, user.password);
|
|
if (!validPassword) {
|
|
return res.status(401).json({ message: 'Current password is incorrect' });
|
|
}
|
|
|
|
// Hash new password
|
|
const hashedNewPassword = await bcrypt.hash(newPassword, 10);
|
|
|
|
// Update password
|
|
await user.update({ password: hashedNewPassword });
|
|
|
|
res.json({ message: 'Password changed successfully' });
|
|
} catch (error) {
|
|
console.error('Change password error:', error);
|
|
res.status(500).json({ message: 'Server error during password change' });
|
|
}
|
|
});
|
|
|
|
// Register new user (admin only for manual user creation)
|
|
router.post('/register', authenticateToken, async (req, res) => {
|
|
try {
|
|
const { email, name, password, role = 'user' } = req.body;
|
|
|
|
if (req.user.role !== 'admin') {
|
|
return res.status(403).json({ message: 'Admin privileges required to create users' });
|
|
}
|
|
|
|
if (!email || !name || !password) {
|
|
return res.status(400).json({ message: 'Email, name, and password are required' });
|
|
}
|
|
|
|
if (password.length < 8) {
|
|
return res.status(400).json({ message: 'Password must be at least 8 characters' });
|
|
}
|
|
|
|
// Check if user already exists
|
|
const existingUser = await User.findOne({ where: { email: email.toLowerCase() } });
|
|
if (existingUser) {
|
|
return res.status(409).json({ message: 'User with this email already exists' });
|
|
}
|
|
|
|
// Hash password
|
|
const hashedPassword = await bcrypt.hash(password, 10);
|
|
|
|
// Create new user with default settings
|
|
const newUser = await User.create({
|
|
email: email.toLowerCase(),
|
|
name,
|
|
password: hashedPassword,
|
|
preferences: {
|
|
theme: 'light',
|
|
notifications: true,
|
|
defaultAssistant: 'creator-bot-push-the-boundaries-of-technology',
|
|
role: role,
|
|
allowedAgents: role === 'admin' ? null : [] // Admin gets all agents, users get none by default
|
|
},
|
|
isActive: true
|
|
});
|
|
|
|
res.status(201).json({
|
|
message: 'User created successfully',
|
|
user: {
|
|
id: newUser.id,
|
|
email: newUser.email,
|
|
name: newUser.name,
|
|
role: newUser.preferences?.role || 'user'
|
|
}
|
|
});
|
|
} catch (error) {
|
|
console.error('Register user error:', error);
|
|
res.status(500).json({ message: 'Server error during user registration' });
|
|
}
|
|
});
|
|
|
|
// Azure AD token validation endpoint
|
|
router.post('/azure-validate', validateAzureToken, async (req, res) => {
|
|
try {
|
|
// User data is already validated and attached by middleware
|
|
res.json({
|
|
user: req.user,
|
|
valid: true
|
|
});
|
|
} catch (error) {
|
|
console.error('Azure token validation error:', error);
|
|
res.status(500).json({ message: 'Server error during Azure validation' });
|
|
}
|
|
});
|
|
|
|
// Get authentication settings
|
|
router.get('/settings', (req, res) => {
|
|
res.json({
|
|
passwordAuthEnabled,
|
|
azureAuthEnabled: true,
|
|
tenantId: 'e519c2e6-bc6d-4fdf-8d9c-923c2f002385',
|
|
clientId: '9079054c-9620-4757-a256-23413042f1ef'
|
|
});
|
|
});
|
|
|
|
// Toggle password authentication (admin only)
|
|
router.put('/settings/password-auth', hybridAuthenticate, async (req, res) => {
|
|
try {
|
|
if (req.user.role !== 'admin') {
|
|
return res.status(403).json({ message: 'Admin privileges required' });
|
|
}
|
|
|
|
const { enabled } = req.body;
|
|
|
|
if (typeof enabled !== 'boolean') {
|
|
return res.status(400).json({ message: 'Enabled must be a boolean value' });
|
|
}
|
|
|
|
passwordAuthEnabled = enabled;
|
|
|
|
res.json({
|
|
message: `Password authentication ${enabled ? 'enabled' : 'disabled'} successfully`,
|
|
passwordAuthEnabled
|
|
});
|
|
} catch (error) {
|
|
console.error('Toggle password auth error:', error);
|
|
res.status(500).json({ message: 'Server error during settings update' });
|
|
}
|
|
});
|
|
|
|
// Get current password auth status (public endpoint)
|
|
router.get('/password-enabled', (req, res) => {
|
|
res.json({ enabled: passwordAuthEnabled });
|
|
});
|
|
|
|
module.exports = router; |