260 lines
7.4 KiB
JavaScript
Executable File
260 lines
7.4 KiB
JavaScript
Executable File
"use strict";
|
|
|
|
const express = require("express"),
|
|
config = require("config"),
|
|
{ sendVerifyMail, sendPasswordChangedMail } = require("../lib/mail"),
|
|
crypto = require("crypto");
|
|
|
|
const router = express.Router();
|
|
|
|
let userDB;
|
|
|
|
require("../db/users.js").then(function(db) {
|
|
userDB = db;
|
|
});
|
|
|
|
router.get("/", function(req, res/*, next*/) {
|
|
console.log("/users/");
|
|
return getSessionUser(req).then((user) => {
|
|
return res.status(200).send(user);
|
|
}).catch((error) => {
|
|
console.log("User not logged in: " + error);
|
|
return res.status(200).send({});
|
|
});
|
|
});
|
|
|
|
router.put("/password", function(req, res) {
|
|
console.log("/users/password");
|
|
|
|
const changes = {
|
|
currentPassword: req.query.c || req.body.c,
|
|
newPassword: req.query.n || req.body.n
|
|
};
|
|
|
|
if (!changes.currentPassword || !changes.newPassword) {
|
|
return res.status(400).send("Missing current password and/or new password.");
|
|
}
|
|
|
|
if (changes.currentPassword == changes.newPassword) {
|
|
return res.status(400).send("Attempt to set new password to current password.");
|
|
}
|
|
|
|
return getSessionUser(req).then(function(user) {
|
|
return userDB.sequelize.query("SELECT id FROM users " +
|
|
"WHERE uid=:username AND password=:password", {
|
|
replacements: {
|
|
username: user.username,
|
|
password: crypto.createHash('sha256').update(changes.currentPassword).digest('base64')
|
|
},
|
|
type: userDB.Sequelize.QueryTypes.SELECT,
|
|
raw: true
|
|
}).then(function(users) {
|
|
if (users.length != 1) {
|
|
return null;
|
|
}
|
|
return user;
|
|
});
|
|
}).then(function(user) {
|
|
if (!user) {
|
|
console.log("Invalid password");
|
|
/* Invalid password */
|
|
res.status(401).send("Invalid password");
|
|
return null;
|
|
}
|
|
|
|
return userDB.sequelize.query("UPDATE users SET password=:password WHERE uid=:username", {
|
|
replacements: {
|
|
username: user.username,
|
|
password: crypto.createHash('sha256').update(changes.newPassword).digest('base64')
|
|
}
|
|
}).then(function() {
|
|
console.log("Password changed for user " + user.username + " to '" + changes.newPassword + "'.");
|
|
|
|
res.status(200).send(user);
|
|
user.id = req.session.userId;
|
|
return sendPasswordChangedMail(userDB, req, user);
|
|
});
|
|
});
|
|
});
|
|
|
|
router.get("/csrf", (req, res) => {
|
|
console.log("/users/csrf");
|
|
res.json({ csrfToken: req.csrfToken() });
|
|
});
|
|
|
|
router.post("/create", function(req, res) {
|
|
console.log("/users/create");
|
|
|
|
const user = {
|
|
uid: req.query.m || req.body.m,
|
|
displayName: req.query.n || req.body.n || "",
|
|
password: req.query.p || req.body.p || "",
|
|
mail: req.query.m || req.body.m,
|
|
notes: req.query.w || req.body.w || ""
|
|
};
|
|
|
|
if (!user.uid || !user.password || !user.displayName || !user.notes) {
|
|
return res.status(400).send("Missing email address, password, name, and/or who you know.");
|
|
}
|
|
|
|
user.password = crypto.createHash('sha256')
|
|
.update(user.password).digest('base64');
|
|
user.md5 = crypto.createHash('md5')
|
|
.update(data).digest('base64');
|
|
|
|
return userDB.sequelize.query("SELECT * FROM users WHERE uid=:uid", {
|
|
replacements: user,
|
|
type: userDB.Sequelize.QueryTypes.SELECT,
|
|
raw: true
|
|
}).then(function(results) {
|
|
if (results.length != 0) {
|
|
return res.status(400).send("Email address already used.");
|
|
}
|
|
|
|
let re = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
|
|
if (!re.exec(user.mail)) {
|
|
console.log("Invalid email address: " + user.mail);
|
|
throw "Invalid email address.";
|
|
}
|
|
}).then(function() {
|
|
return userDB.sequelize.query("INSERT INTO users " +
|
|
"(uid,displayName,password,mail,memberSince,authenticated,notes,md5) " +
|
|
"VALUES(:uid,:displayName,:password,:mail,CURRENT_TIMESTAMP,0,:notes,:md5)", {
|
|
replacements: user
|
|
}).spread(function(results, metadata) {
|
|
req.session.userId = metadata.lastID;
|
|
}).then(function() {
|
|
return getSessionUser(req).then(function(user) {
|
|
res.status(200).send(user);
|
|
user.id = req.session.userId;
|
|
return sendVerifyMail(userDB, req, user);
|
|
});
|
|
}).catch(function(error) {
|
|
console.log("Error creating account: ", error);
|
|
return res.status(401).send(error);
|
|
});
|
|
});
|
|
});
|
|
|
|
const getSessionUser = function(req) {
|
|
return Promise.resolve().then(function() {
|
|
if (!req.session || !req.session.userId) {
|
|
throw "Unauthorized. You must be logged in.";
|
|
}
|
|
|
|
let query = "SELECT " +
|
|
"uid AS username,displayName,mailVerified,authenticated,memberSince AS name,mail " +
|
|
"FROM users WHERE id=:id";
|
|
return userDB.sequelize.query(query, {
|
|
replacements: {
|
|
id: req.session.userId
|
|
},
|
|
type: userDB.Sequelize.QueryTypes.SELECT,
|
|
raw: true
|
|
}).then(function(results) {
|
|
if (results.length != 1) {
|
|
throw "Invalid account.";
|
|
}
|
|
|
|
let user = results[0];
|
|
|
|
if (!user.mailVerified) {
|
|
user.restriction = user.restriction || "Email address not verified.";
|
|
return user;
|
|
}
|
|
|
|
if (!user.authenticated) {
|
|
user.restriction = user.restriction || "Accout not authorized.";
|
|
return user;
|
|
}
|
|
|
|
return user;
|
|
});
|
|
}).then(function(user) {
|
|
/* Strip out any fields that shouldn't be there. The allowed fields are: */
|
|
let allowed = [
|
|
"maintainer", "username", "displayName", "mailVerified", "authenticated", "name", "mail", "restriction"
|
|
];
|
|
for (let field in user) {
|
|
if (allowed.indexOf(field) == -1) {
|
|
delete user[field];
|
|
}
|
|
}
|
|
return user;
|
|
});
|
|
}
|
|
|
|
router.post("/login", function(req, res) {
|
|
console.log("/users/login");
|
|
|
|
let { email, password } = req.body;
|
|
|
|
console.log("Login attempt");
|
|
|
|
if (!email || !password) {
|
|
return res.status(400).send({
|
|
message: `Missing email and/or password`
|
|
});
|
|
}
|
|
|
|
console.log("Looking up user in DB.");
|
|
|
|
let query = "SELECT " +
|
|
"id,mailVerified,authenticated," +
|
|
"uid AS username," +
|
|
"displayName AS name,mail " +
|
|
"FROM users WHERE uid=:username AND password=:password";
|
|
return userDB.sequelize.query(query, {
|
|
replacements: {
|
|
username: email,
|
|
password: crypto.createHash('sha256').update(password).digest('base64')
|
|
},
|
|
type: userDB.Sequelize.QueryTypes.SELECT
|
|
})
|
|
.then(function(users) {
|
|
if (users.length != 1) {
|
|
return null;
|
|
}
|
|
let user = users[0];
|
|
req.session.userId = user.id;
|
|
return user;
|
|
})
|
|
.then(function(user) {
|
|
if (!user) {
|
|
console.log(email + " not found (or invalid password.)");
|
|
req.session.userId = null;
|
|
return res.status(401).send({
|
|
message: `Invalid login credentials`
|
|
});
|
|
}
|
|
|
|
let message = "Logged in as " + user.displayName + " (" + user.id + ")";
|
|
if (!user.mailVerified) {
|
|
console.log(message + ", who is not verified email.");
|
|
} else if (!user.authenticated) {
|
|
console.log(message + ", who is not authenticated.");
|
|
} else {
|
|
console.log(message);
|
|
}
|
|
|
|
return getSessionUser(req).then(function(user) {
|
|
return res.status(200).send(user);
|
|
});
|
|
})
|
|
.catch(function(error) {
|
|
console.log(error);
|
|
return res.status(403).send(error);
|
|
});
|
|
});
|
|
|
|
router.get("/logout", function(req, res) {
|
|
console.log("/users/logout");
|
|
|
|
if (req.session && req.session.userId) {
|
|
req.session.userId = null;
|
|
}
|
|
res.status(200).send({});
|
|
});
|
|
|
|
module.exports = router;
|