Merge pull request #1978 from NMDSdevopsServiceAdm/test

Merge Test to Live for Release 3.4

Author: paulcarvell

package-lock.json

@@ -43,6 +43,7 @@
     "axios": "^0.19.0",
     "bcrypt-nodejs": "0.0.3",
     "c8": "^3.2.1",
+    "cheerio": "^1.0.0-rc.3",
     "concurrently": "^4.1.2",
     "convict": "^4.4.1",
     "cookie-parser": "^1.4.3",
@@ -69,6 +70,7 @@
     "passport-jwt": "^4.0.0",
     "pg": "^7.12.1",
     "pg-hstore": "^2.3.2",
+    "rate-limiter-flexible": "^1.3.2",
     "rfr": "^1.2.3",
     "rxjs": "^6.5.2",
     "rxjs-compat": "^6.5.2",

package.json

@@ -421,7 +421,24 @@ const config = convict({
         env: 'TEST_ADMINPASSWORD'
       }
     }
-  }
+  },
+  rateLimiting: {
+    points: {
+      doc: 'How many times you want allow a user to visit sensitive endpoints',
+      format: 'int',
+      default: 60
+    },
+    duration: {
+      doc: 'How long a peroid you want to monitor a user visiting endpoints',
+      format: 'int',
+      default: 1 * 60 * 60 // 1 hour
+    },
+    table: {
+      doc: 'The table name you want to create/update to log user requests',
+      format: String,
+      default: 'SensitiveSessions'
+    }
+}
 });
 
 // Load environment dependent configuration

server/config/config.js

@@ -952,7 +952,7 @@ class User {
       include: [
         {
           model: models.login,
-          attributes: ['username', 'lastLogin'],
+          attributes: ['username', 'lastLogin', 'status'],
         },
       ],
       attributes: [
@@ -981,11 +981,12 @@ class User {
           updated: thisUser.updated.toJSON(),
           updatedBy: thisUser.updatedBy,
           isPrimary: thisUser.isPrimary ? true : false,
+          status: thisUser.login && thisUser.login.status ? thisUser.login.status : null
         });
       });
 
       allUsers = allUsers.map(user => {
-        return Object.assign(user, { status: user.username == null ? 'Pending' : 'Active' });
+        return Object.assign(user, { status: user.username == null ? 'Pending' : (user.status !== null)? user.status: 'Active' });
       });
 
       allUsers.sort((a, b) => {

server/models/classes/user.js

@@ -7,6 +7,7 @@ const search = require('./search');
 const recalcWdf = require('./recalcWdf');
 const registrations = require('./registrations');
 const approval = require('./approval');
+const unlockAccount = require('./unlock-account');
 
 // middleware authentication - only role=Admin from here on in
 router.use('/', isAdmin);
@@ -15,6 +16,7 @@ router.use('/search', search);
 router.use('/recalcWdf', recalcWdf);
 router.use('/registrations', registrations);
 router.use('/approval', approval);
+router.use('/unlock-account', unlockAccount);
 
 router.route('/').post(async function (req, res) {
   return res.status(200).send({success: "from admin"});

server/routes/admin/index.js

@@ -0,0 +1,59 @@
+// default route for admin/approval
+const express = require('express');
+const router = express.Router();
+const models = require('../../../models');
+
+const unlockAccount = async (req, res) => {
+    // parse input - escaped to prevent SQL injection
+
+  // Sanatize username
+  if(req.body.username){
+    const username = escape(req.body.username.toLowerCase());
+
+    try {
+      // Find the user matching the username
+      const login = await models.login.findOne({
+        where: {
+            username: username
+        },
+        attributes: ['id', 'username'],
+      });
+      // Make sure we have the matching user
+      if ((login && login.id) && (username === login.username)) {
+          try {
+            const updateduser = await login.update({
+                isActive: true,
+                invalidAttempt: 9,
+                status: null
+            });
+            if (updateduser) {
+              res.status(200);
+              return res.json({status: '0', message: 'User has been set as active'})
+            } else {
+              res.status(503)
+              return res.send();
+            }
+          } catch(error) {
+            console.error(error);
+            res.status(503)
+            return res.send();
+          }
+        } else {
+          res.status(400);
+          return res.send();
+        }
+    } catch (error) {
+      console.log(error);
+    }
+  } else {
+    res.status(400)
+    return res.send();
+  }
+};
+
+router.route('/').post(async (req, res) => {
+  await unlockAccount(req, res);
+});
+
+module.exports = router;
+module.exports.unlockAccount = unlockAccount;

server/routes/admin/unlock-account/index.js

@@ -38,10 +38,9 @@ router.post('/', async (req, res) => {
   try {
     let establishmentUser = givenEstablishmentUid === null ? await models.login.findOne({
       where: {
-        username: givenUsername,
-        isActive:true
+        username: givenUsername
       },
-      attributes: ['id', 'username', 'isActive', 'invalidAttempt', 'registrationId', 'firstLogin', 'Hash', 'lastLogin', 'tribalHash', 'tribalSalt', 'agreedUpdatedTerms'],
+      attributes: ['id', 'username', 'isActive', 'invalidAttempt', 'registrationId', 'firstLogin', 'Hash', 'lastLogin', 'tribalHash', 'tribalSalt', 'agreedUpdatedTerms', 'status'],
       include: [ {
         model: models.user,
         attributes: ['id', 'uid', 'FullNameValue', 'EmailValue', 'isPrimary', 'establishmentId', "UserRoleValue", 'tribalId'],
@@ -61,10 +60,9 @@ router.post('/', async (req, res) => {
       // before returning error, check to see if this is a superadmin user with a given establishment UID, to be assumed as their "logged in session" primary establishment
       establishmentUser = await models.login.findOne({
         where: {
-          username: givenUsername,
-          isActive:true,
+          username: givenUsername
         },
-        attributes: ['id', 'username', 'isActive', 'invalidAttempt', 'registrationId', 'firstLogin', 'Hash', 'lastLogin', 'tribalHash', 'tribalSalt', 'agreedUpdatedTerms'],
+        attributes: ['id', 'username', 'isActive', 'invalidAttempt', 'registrationId', 'firstLogin', 'Hash', 'lastLogin', 'tribalHash', 'tribalSalt', 'agreedUpdatedTerms', 'status'],
         include: [ {
           model: models.user,
           attributes: ['id', 'uid',  'FullNameValue', 'EmailValue', 'isPrimary', 'establishmentId', "UserRoleValue", 'tribalId'],
@@ -109,6 +107,23 @@ router.post('/', async (req, res) => {
       }
     }
 
+    //check weather posted user is locked or pending
+    if(establishmentUser){
+      if(!establishmentUser.isActive && establishmentUser.status === 'Locked'){
+        //check for locked status, if locked then return with 409 error
+        console.error(`POST .../login failed: User status is locked`);
+        return res.status(409).send({
+          message: 'Authentication failed.',
+        });
+      } else if(!establishmentUser.isActive && establishmentUser.status === 'PENDING'){
+        //check for Pending status, if Pending then return with 403 error
+        console.error(`POST .../login failed: User status is pending`);
+        return res.status(405).send({
+          message: 'Authentication failed.',
+        });
+      }
+    }
+
     // if this found login account is a migrated tribal account, and there is no current hash, then
     //  we need to first validate password using tribal hashing
     let tribalErr = null;
@@ -218,7 +233,8 @@ router.post('/', async (req, res) => {
           if (establishmentUser.invalidAttempt === (maxNumberOfFailedAttempts+1)) {
             // lock the account
             const loginUpdate = {
-              isActive: false
+              isActive: false,
+              status: 'Locked'
             };
             await establishmentUser.update(loginUpdate, {transaction: t});
 
@@ -238,9 +254,11 @@ router.post('/', async (req, res) => {
 
             const resetLink = `${req.protocol}://${req.get('host')}/api/registration/validateResetPassword?reset=${requestUuid}`;
 
-            // send email to recipient with the reset UUID
+            // send email to recipient with the reset UUID if user is not locked
             try {
-              await sendMail(establishmentUser.user.EmailValue, establishmentUser.user.FullNameValue, requestUuid);
+              if(establishmentUser.isActive && establishmentUser.status !== 'Locked'){
+                await sendMail(establishmentUser.user.EmailValue, establishmentUser.user.FullNameValue, requestUuid);
+              }
             } catch (err) {
               console.error(err);
             }

server/routes/login.js

@@ -22,6 +22,7 @@ const generateJWT = require('../utils/security/generateJWT');
 const passwordCheck = require('../utils/security/passwordValidation').isPasswordValid;
 const usernameCheck = require('../utils/security/usernameValidation').isUsernameValid;
 const sendMail = require('../utils/email/notify-email').sendPasswordReset;
+const rateLimiting = require('../utils/middleware/rateLimiting').rateLimiting;
 // const pCodeCheck = require('../utils/postcodeSanitizer');
 
 class RegistrationException {
@@ -73,6 +74,8 @@ router.get('/username', (req, res) => {
     message: 'Username not found',
   });
 });
+
+router.use('/username/:username', rateLimiting);
 router.get('/username/:username', async (req, res) => {
   const requestedUsername = req.params.username.toLowerCase();
   try {