From 4231f4071b5eddaed36bdab2b4491a172e2fda5e Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Fri, 16 Apr 2021 11:16:03 -0700
Subject: [PATCH] More work on login tokens.
---
 views/default.handlebars | 1 -
 webserver.js | 25 +++++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/views/default.handlebars b/views/default.handlebars
index 2c5c5fb7..908683ec 100644
--- a/views/default.handlebars
+++ b/views/default.handlebars
@@ -10444,7 +10444,6 @@ QV('p2noMeshFound', count == 0); } - function updateLoginTokens() { var x = '', count = 1; if ((loginTokens != null) && (loginTokens.length > 0)) {
diff --git a/webserver.js b/webserver.js
index 92f90b21..22e9b3be 100644
--- a/webserver.js
+++ b/webserver.js
@@ -570,6 +570,31 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 }
 });
 }
+ } else if (name.startsWith('~t:')) {
+ // Login token, try to fetch the token from the database
+ obj.db.Get('logintoken-' + name, function (err, docs) {
+ if (err != null) { fn(err); return; }
+ if ((docs == null) || (docs.length != 1)) { fn(new Error('login token not found')); return; }
+ const loginToken = docs[0];
+ if ((loginToken.expire != 0) && (loginToken.expire < Date.now())) { fn(new Error('login token expired')); return; }
+
+ // Default strong password hashing (pbkdf2 SHA384)
+ require('./pass').hash(pass, loginToken.salt, function (err, hash, tag) {
+ if (err) return fn(err);
+ if (hash == loginToken.hash) {
+ // Login username and password are valid.
+ var user = obj.users[loginToken.userid];
+ if (!user) { fn(new Error('cannot find user')); return; }
+ if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
+
+ // Succesful login token authentication
+ var loginOptions = { logintoken: 1 };
+ if (loginToken.expire != 0) { loginOptions.expire = loginToken.expire; }
+ return fn(null, user._id, loginOptions);
+ }
+ fn(new Error('invalid password'));
+ }, 0);
+ });
 } else {
 // Regular login
 var user = obj.users['user/' + domain.id + '/' + name.toLowerCase()];
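Review bot: The new `~t:` branch never ties the login token to the domain being logged into: `obj.users[loginToken.userid]` is looked up by the stored id alone, whereas the regular path in the trailing context builds its key from `domain.id`. Unless the caller enforces this elsewhere, a token issued for a user in one domain would be accepted on another domain's login. A guard placed before the hash call, such as `if (loginToken.userid.split('/')[1] != domain.id) { fn(new Error('login token domain mismatch')); return; }`, would close that, assuming user ids always have the `user/<domain>/<name>` shape seen in the context line. Separately, `hash == loginToken.hash` is not a constant-time comparison; `crypto.timingSafeEqual` over equal-length Buffers would be the safer form if the stored hash type allows it. The enclosing authentication callback starts and ends outside this hunk, so any checks it applies before or after this branch are not visible here.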