MWS authentication (#8596)

* mws authentication

* add more tests and permission checkers

* add logic to ensure that only authenticated users' requests are handled

* add custom login page

* Implement user authentication as well as session handling

* work on user operations authorization

* add middleware to route handlers for bags & tiddlers routes

* add feature that only returns the tiddlers and bags which the user has permission to access on index page

* refactor auth routes & added user management page

* fix Ci Test failure issue

* fix users list page, add manage roles page

* add commands and scripts to create new user & assign roles and permissions

* resolved ci-test failure

* add ACL permissions to bags & tiddlers on creation

* fix comments and access control list bug

* fix indentation issues

* working on user profile edit

* remove list users command & added support for database in server options

* implement user profile update and password change feature

* update plugin readme

* implement command which triggers protected mode on the server

* revert server-wide auth flag. Implement selective authorization

* ACL management feature

* Complete Access control list implementation

* Added support to manage users' assigned role by admin

* fix comments

* fix comment

plugins/tiddlywiki/multiwikiserver/modules/routes/helpers/acl-middleware.js

@@ -0,0 +1,79 @@
+/*\
+title: $:/plugins/tiddlywiki/multiwikiserver/modules/routes/helpers/acl-middleware.js
+type: application/javascript
+module-type: library
+
+Middleware to handle ACL permissions
+
+\*/
+
+(function () {
+
+/*jslint node: true, browser: true */
+/*global $tw: false */
+"use strict";
+
+/*
+ACL Middleware factory function
+*/
+function redirectToLogin(response, returnUrl) {
+	if(!response.headersSent) {
+		var validReturnUrlRegex = /^\/(?!.*\.(ico|png|jpg|jpeg|gif|svg|css|js|woff|woff2|ttf|eot|json)$).*$/;
+		var sanitizedReturnUrl = '/';  // Default to home page
+
+		if(validReturnUrlRegex.test(returnUrl)) {
+			sanitizedReturnUrl = returnUrl;
+			response.setHeader('Set-Cookie', `returnUrl=${encodeURIComponent(sanitizedReturnUrl)}; HttpOnly; Secure; SameSite=Strict; Path=/`);			
+		} else{
+			console.log(`Invalid return URL detected: ${returnUrl}. Redirecting to home page.`);
+		}
+		const loginUrl = '/login';
+		response.writeHead(302, {
+			'Location': loginUrl
+		});
+		response.end();
+	}
+};
+
+exports.middleware = function (request, response, state, entityType, permissionName) {
+
+	var server = state.server,
+		sqlTiddlerDatabase = server.sqlTiddlerDatabase,
+		entityName = state.data ? (state.data[entityType+"_name"] || state.params[0]) : state.params[0];
+
+	// First, replace '%3A' with ':' to handle TiddlyWiki's system tiddlers
+	var partiallyDecoded = entityName.replace(/%3A/g, ":");
+	// Then use decodeURIComponent for the rest
+	var decodedEntityName = decodeURIComponent(partiallyDecoded);
+	var aclRecord = sqlTiddlerDatabase.getACLByName(entityType, decodedEntityName);
+	// Get permission record
+	const permission = sqlTiddlerDatabase.getPermissionByName(permissionName);
+	// ACL Middleware will only apply if the entity has a middleware record
+	if(aclRecord && aclRecord?.permission_id === permission?.permission_id) {
+		// If not authenticated and anonymous access is not allowed, request authentication
+		if(!state.authenticatedUsername && !state.allowAnon) {
+			if(state.urlInfo.pathname !== '/login') {
+				redirectToLogin(response, request.url);
+				return;
+			}
+		}
+		// Check if user is authenticated
+		if(!state.authenticatedUser && !response.headersSent) {
+			response.writeHead(401, "Unauthorized");
+			response.end();
+			return;
+		}
+
+		// Check ACL permission
+		var hasPermission = request.method === "POST" || sqlTiddlerDatabase.checkACLPermission(state.authenticatedUser.user_id, entityType, decodedEntityName, permissionName)
+		if(!hasPermission) {
+			if(!response.headersSent) {
+				response.writeHead(403, "Forbidden");
+				response.end();
+			}
+			return;
+		}
+	}
+};
+
+})();