2018-01-23 20:06:30 +00:00
|
|
|
const bcrypt = require('bcrypt')
|
2019-10-06 23:11:07 +00:00
|
|
|
const path = require('path')
|
2018-01-23 20:06:30 +00:00
|
|
|
const randomstring = require('randomstring')
|
2019-10-06 23:11:07 +00:00
|
|
|
const paths = require('./pathsController')
|
Updates (very important to read)
Client-side CSS & JS files will now be processed with Gulp.
Gulp tasks are configured in gulpfile.js file.
CSS files will be optimized with postcss-preset-env, which will
auto-add vendor prefixes and convert any parts necessary for browsers
compatibility.
Afterwards they will be minified with cssnano.
JS files will be optimized with bublé,
likewise for browsers compatibility.
Afterwards they will be minified with terser.
Unprocessed CSS & JS files will now be located at src directory, while
the processed results will be located at dist directory.
Due to bublé, the JS files should now be compatible up to IE 11
at the minimum.
Previously the safe would not work in IE 11 due to extensive usage of
template literals.
Due to that as well, JS files in src directory will now extensively use
arrow functions for my personal comfort (as they will be converted too).
The server will use the processed files at dist directory by default.
If you want to rebuild the files by your own, you can run "yarn build".
Gulp is a development dependency, so make sure you have installed all
development dependencies (e.i. NOT using "yarn install --production").
---
yarn lint -> gulp lint
yarn build -> gulp default
yarn watch -> gulp watch
yarn develop -> env NODE_ENV=development yarn watch
---
Fixed not being able to demote staff into normal users.
/api/token/verify will no longer respond with 401 HTTP error code,
unless an error occurred (which will be 500 HTTP error code).
Fixed /nojs route not displaying file's original name when a duplicate
is found on the server.
Removed is-breeze CSS class name, in favor of Bulma's is-info.
Removed custom styling from auth page, in favor of global styling.
Removed all usage of style HTML attribute in favor of CSS classes.
Renamed js/s/ to js/misc/.
Use loading spinners on dashboard's sidebar menus.
Disable all other sidebar menus when something is loading.
Changed title HTML attribute of disabled control buttons in
uploads & users list.
Hid checkboxes and WIP controls from users list.
Better error messages handling.
Especially homepage will now support CF's HTTP error codes.
Updated various icons.
Also, added fontello config file at public/libs/fontello/config.json.
This should let you edit them more easily with fontello.
Use Gatsby icon for my blog's link in homepage's footer.
A bunch of other improvements here & there.
2019-09-15 06:20:11 +00:00
|
|
|
const perms = require('./permissionController')
|
2019-06-18 21:04:14 +00:00
|
|
|
const tokens = require('./tokenController')
|
2018-04-13 16:20:57 +00:00
|
|
|
const utils = require('./utilsController')
|
2021-01-08 03:11:56 +00:00
|
|
|
const ClientError = require('./utils/ClientError')
|
Updates (very important to read)
Client-side CSS & JS files will now be processed with Gulp.
Gulp tasks are configured in gulpfile.js file.
CSS files will be optimized with postcss-preset-env, which will
auto-add vendor prefixes and convert any parts necessary for browsers
compatibility.
Afterwards they will be minified with cssnano.
JS files will be optimized with bublé,
likewise for browsers compatibility.
Afterwards they will be minified with terser.
Unprocessed CSS & JS files will now be located at src directory, while
the processed results will be located at dist directory.
Due to bublé, the JS files should now be compatible up to IE 11
at the minimum.
Previously the safe would not work in IE 11 due to extensive usage of
template literals.
Due to that as well, JS files in src directory will now extensively use
arrow functions for my personal comfort (as they will be converted too).
The server will use the processed files at dist directory by default.
If you want to rebuild the files by your own, you can run "yarn build".
Gulp is a development dependency, so make sure you have installed all
development dependencies (e.i. NOT using "yarn install --production").
---
yarn lint -> gulp lint
yarn build -> gulp default
yarn watch -> gulp watch
yarn develop -> env NODE_ENV=development yarn watch
---
Fixed not being able to demote staff into normal users.
/api/token/verify will no longer respond with 401 HTTP error code,
unless an error occurred (which will be 500 HTTP error code).
Fixed /nojs route not displaying file's original name when a duplicate
is found on the server.
Removed is-breeze CSS class name, in favor of Bulma's is-info.
Removed custom styling from auth page, in favor of global styling.
Removed all usage of style HTML attribute in favor of CSS classes.
Renamed js/s/ to js/misc/.
Use loading spinners on dashboard's sidebar menus.
Disable all other sidebar menus when something is loading.
Changed title HTML attribute of disabled control buttons in
uploads & users list.
Hid checkboxes and WIP controls from users list.
Better error messages handling.
Especially homepage will now support CF's HTTP error codes.
Updated various icons.
Also, added fontello config file at public/libs/fontello/config.json.
This should let you edit them more easily with fontello.
Use Gatsby icon for my blog's link in homepage's footer.
A bunch of other improvements here & there.
2019-09-15 06:20:11 +00:00
|
|
|
const config = require('./../config')
|
2017-10-04 00:13:38 +00:00
|
|
|
|
2019-09-17 04:13:41 +00:00
|
|
|
// Don't forget to update min/max length of text inputs in auth.njk
|
|
|
|
// when changing these values.
|
2019-09-08 01:56:29 +00:00
|
|
|
const self = {
|
2019-09-17 04:13:41 +00:00
|
|
|
user: {
|
|
|
|
min: 4,
|
|
|
|
max: 32
|
|
|
|
},
|
|
|
|
pass: {
|
|
|
|
min: 6,
|
|
|
|
// Should not be more than 72 characters
|
2022-05-24 00:02:06 +00:00
|
|
|
// https://github.com/kelektiv/node.bcrypt.js/tree/v5.0.1#security-issues-and-concerns
|
2019-09-17 04:13:41 +00:00
|
|
|
max: 64,
|
|
|
|
// Length of randomized password
|
2022-07-30 01:02:17 +00:00
|
|
|
// when resetting password through Dashboard's Manage Users.
|
2019-09-17 04:13:41 +00:00
|
|
|
rand: 16
|
|
|
|
}
|
2019-09-08 01:56:29 +00:00
|
|
|
}
|
2017-10-04 00:13:38 +00:00
|
|
|
|
2022-07-31 08:51:32 +00:00
|
|
|
/** Preferences */
|
|
|
|
|
2022-05-24 00:02:06 +00:00
|
|
|
// https://github.com/kelektiv/node.bcrypt.js/tree/v5.0.1#a-note-on-rounds
|
2019-09-17 04:13:41 +00:00
|
|
|
const saltRounds = 10
|
|
|
|
|
2022-07-31 08:51:32 +00:00
|
|
|
const usersPerPage = config.dashboard
|
|
|
|
? Math.max(Math.min(config.dashboard.usersPerPage || 0, 100), 1)
|
|
|
|
: 25
|
|
|
|
|
2022-08-04 16:09:14 +00:00
|
|
|
// ip is an optional parameter, which if set will be rate limited
|
2022-08-04 16:34:58 +00:00
|
|
|
// using tokens.authFailuresRateLimiter pool
|
2022-08-04 16:09:14 +00:00
|
|
|
self.assertUser = async (token, fields, ip) => {
|
|
|
|
if (ip) {
|
2022-08-04 16:34:58 +00:00
|
|
|
const rateLimiterRes = await tokens.authFailuresRateLimiter.get(ip)
|
2022-08-04 16:09:14 +00:00
|
|
|
if (rateLimiterRes && rateLimiterRes.remainingPoints <= 0) {
|
2022-08-04 16:34:58 +00:00
|
|
|
throw new ClientError('Too many auth failures. Try again in a while.', { statusCode: 429 })
|
2022-08-04 16:09:14 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-08-04 14:59:06 +00:00
|
|
|
// Default fields/columns to fetch from database
|
|
|
|
const _fields = ['id', 'username', 'enabled', 'timestamp', 'permission', 'registration']
|
|
|
|
|
|
|
|
// Allow fetching additional fields/columns
|
|
|
|
if (typeof fields === 'string') {
|
|
|
|
fields = [fields]
|
|
|
|
}
|
|
|
|
if (Array.isArray(fields)) {
|
|
|
|
_fields.push(...fields)
|
|
|
|
}
|
|
|
|
|
|
|
|
const user = await utils.db.table('users')
|
|
|
|
.where('token', token)
|
|
|
|
.select(_fields)
|
|
|
|
.first()
|
|
|
|
if (user) {
|
|
|
|
if (user.enabled === false || user.enabled === 0) {
|
|
|
|
throw new ClientError('This account has been disabled.', { statusCode: 403 })
|
|
|
|
}
|
|
|
|
return user
|
|
|
|
} else {
|
2022-08-04 16:09:14 +00:00
|
|
|
if (ip) {
|
|
|
|
// Rate limit attempts with invalid token
|
2022-08-04 16:34:58 +00:00
|
|
|
await tokens.authFailuresRateLimiter.consume(ip, 1)
|
2022-08-04 16:09:14 +00:00
|
|
|
}
|
|
|
|
throw new ClientError('Invalid token.', { statusCode: 403, code: 10001 })
|
2022-08-04 14:59:06 +00:00
|
|
|
}
|
|
|
|
}
|
2022-07-22 01:40:40 +00:00
|
|
|
|
2022-09-21 01:02:13 +00:00
|
|
|
self.requireUser = (req, res, next, options = {}) => {
|
2022-08-04 14:59:06 +00:00
|
|
|
// Throws when token is missing, thus use only for users-only routes
|
2022-09-21 01:02:13 +00:00
|
|
|
const token = options.token || req.headers.token
|
2022-08-19 00:30:32 +00:00
|
|
|
if (!token) {
|
2022-08-04 16:09:14 +00:00
|
|
|
return next(new ClientError('No token provided.', { statusCode: 403 }))
|
2022-08-04 14:59:06 +00:00
|
|
|
}
|
|
|
|
|
2022-09-21 01:02:13 +00:00
|
|
|
self.assertUser(token, options.fields, req.ip)
|
2022-08-04 16:09:14 +00:00
|
|
|
.then(user => {
|
|
|
|
// Add user data to Request.locals.user
|
|
|
|
req.locals.user = user
|
|
|
|
return next()
|
|
|
|
})
|
|
|
|
.catch(next)
|
2022-08-04 14:59:06 +00:00
|
|
|
}
|
|
|
|
|
2022-09-21 01:02:13 +00:00
|
|
|
self.optionalUser = (req, res, next, options = {}) => {
|
2022-08-04 14:59:06 +00:00
|
|
|
// Throws when token if missing only when private is set to true in config,
|
|
|
|
// thus use for routes that can handle no auth requests
|
2022-09-21 01:02:13 +00:00
|
|
|
const token = options.token || req.headers.token
|
2022-08-19 00:30:32 +00:00
|
|
|
if (!token) {
|
2022-08-19 00:01:45 +00:00
|
|
|
if (config.private === true) {
|
|
|
|
return next(new ClientError('No token provided.', { statusCode: 403 }))
|
|
|
|
} else {
|
|
|
|
// Simply bypass this middleware otherwise
|
|
|
|
return next()
|
|
|
|
}
|
2022-08-04 14:59:06 +00:00
|
|
|
}
|
2022-08-19 00:01:45 +00:00
|
|
|
|
2022-09-21 01:02:13 +00:00
|
|
|
self.assertUser(token, options.fields, req.ip)
|
2022-08-19 00:01:45 +00:00
|
|
|
.then(user => {
|
|
|
|
// Add user data to Request.locals.user
|
|
|
|
req.locals.user = user
|
|
|
|
return next()
|
|
|
|
})
|
|
|
|
.catch(next)
|
2022-08-04 14:59:06 +00:00
|
|
|
}
|
2019-09-08 01:56:29 +00:00
|
|
|
|
2022-08-04 14:59:06 +00:00
|
|
|
self.verify = async (req, res) => {
|
2022-07-10 12:46:25 +00:00
|
|
|
const username = typeof req.body.username === 'string'
|
|
|
|
? req.body.username.trim()
|
|
|
|
: ''
|
2022-08-04 14:59:06 +00:00
|
|
|
if (!username) {
|
|
|
|
throw new ClientError('No username provided.')
|
|
|
|
}
|
2022-07-10 12:46:25 +00:00
|
|
|
|
|
|
|
const password = typeof req.body.password === 'string'
|
|
|
|
? req.body.password.trim()
|
|
|
|
: ''
|
2022-08-04 14:59:06 +00:00
|
|
|
if (!password) {
|
|
|
|
throw new ClientError('No password provided.')
|
|
|
|
}
|
2022-07-10 12:46:25 +00:00
|
|
|
|
2022-08-04 16:34:58 +00:00
|
|
|
// Use tokens.authFailuresRateLimiter pool for /api/login as well
|
|
|
|
const rateLimiterRes = await tokens.authFailuresRateLimiter.get(req.ip)
|
|
|
|
if (rateLimiterRes && rateLimiterRes.remainingPoints <= 0) {
|
|
|
|
throw new ClientError('Too many auth failures. Try again in a while.', { statusCode: 429 })
|
|
|
|
}
|
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
const user = await utils.db.table('users')
|
|
|
|
.where('username', username)
|
|
|
|
.first()
|
|
|
|
|
2022-08-04 14:59:06 +00:00
|
|
|
if (!user) {
|
2022-08-04 16:34:58 +00:00
|
|
|
await tokens.authFailuresRateLimiter.consume(req.ip, 1)
|
2022-08-04 14:59:06 +00:00
|
|
|
throw new ClientError('Wrong credentials.', { statusCode: 403 })
|
|
|
|
}
|
2022-07-10 12:46:25 +00:00
|
|
|
|
|
|
|
if (user.enabled === false || user.enabled === 0) {
|
|
|
|
throw new ClientError('This account has been disabled.', { statusCode: 403 })
|
|
|
|
}
|
|
|
|
|
|
|
|
const result = await bcrypt.compare(password, user.password)
|
|
|
|
if (result === false) {
|
2022-08-04 16:34:58 +00:00
|
|
|
await tokens.authFailuresRateLimiter.consume(req.ip, 1)
|
2022-07-10 12:46:25 +00:00
|
|
|
throw new ClientError('Wrong credentials.', { statusCode: 403 })
|
|
|
|
} else {
|
|
|
|
return res.json({ success: true, token: user.token })
|
|
|
|
}
|
2018-01-23 20:06:30 +00:00
|
|
|
}
|
2017-10-04 00:13:38 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
self.register = async (req, res) => {
|
|
|
|
if (config.enableUserAccounts === false) {
|
|
|
|
throw new ClientError('Registration is currently disabled.', { statusCode: 403 })
|
|
|
|
}
|
2018-12-18 17:01:28 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
const username = typeof req.body.username === 'string'
|
|
|
|
? req.body.username.trim()
|
|
|
|
: ''
|
|
|
|
if (username.length < self.user.min || username.length > self.user.max) {
|
|
|
|
throw new ClientError(`Username must have ${self.user.min}-${self.user.max} characters.`)
|
|
|
|
}
|
2018-01-23 20:06:30 +00:00
|
|
|
|
2022-08-07 23:22:18 +00:00
|
|
|
// Please be advised that root user is hard-coded to always have superadmin permission
|
|
|
|
// However, you may choose to delete the root user via direct database query,
|
|
|
|
// so it is also hard-coded to always prevent it from being re-created via the API
|
|
|
|
if (username === 'root') {
|
|
|
|
throw new ClientError('Username is reserved.')
|
|
|
|
}
|
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
const password = typeof req.body.password === 'string'
|
|
|
|
? req.body.password.trim()
|
|
|
|
: ''
|
|
|
|
if (password.length < self.pass.min || password.length > self.pass.max) {
|
|
|
|
throw new ClientError(`Password must have ${self.pass.min}-${self.pass.max} characters.`)
|
|
|
|
}
|
2018-01-23 20:06:30 +00:00
|
|
|
|
2022-08-04 16:34:58 +00:00
|
|
|
// Use tokens.authFailuresRateLimiter pool for /api/register as well
|
|
|
|
const rateLimiterRes = await tokens.authFailuresRateLimiter.get(req.ip)
|
|
|
|
if (rateLimiterRes && rateLimiterRes.remainingPoints <= 0) {
|
|
|
|
throw new ClientError('Too many auth failures. Try again in a while.', { statusCode: 429 })
|
|
|
|
}
|
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
const user = await utils.db.table('users')
|
|
|
|
.where('username', username)
|
|
|
|
.first()
|
2019-09-08 01:56:29 +00:00
|
|
|
|
2022-08-04 16:34:58 +00:00
|
|
|
if (user) {
|
|
|
|
// Also consume rate limit to protect this route
|
|
|
|
// from being brute-forced to find existing usernames
|
|
|
|
await tokens.authFailuresRateLimiter.consume(req.ip, 1)
|
|
|
|
throw new ClientError('Username already exists.')
|
|
|
|
}
|
2019-06-18 21:04:14 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
const hash = await bcrypt.hash(password, saltRounds)
|
|
|
|
|
2022-07-30 01:37:57 +00:00
|
|
|
const token = await tokens.getUniqueToken(res)
|
2019-06-18 21:04:14 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
await utils.db.table('users')
|
|
|
|
.insert({
|
|
|
|
username,
|
|
|
|
password: hash,
|
|
|
|
token,
|
|
|
|
enabled: 1,
|
|
|
|
permission: perms.permissions.user,
|
|
|
|
registration: Math.floor(Date.now() / 1000)
|
|
|
|
})
|
2022-07-30 01:37:57 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
utils.invalidateStatsCache('users')
|
|
|
|
|
|
|
|
return res.json({ success: true, token })
|
2018-01-23 20:06:30 +00:00
|
|
|
}
|
2017-10-04 00:13:38 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
self.changePassword = async (req, res) => {
|
|
|
|
const password = typeof req.body.password === 'string'
|
|
|
|
? req.body.password.trim()
|
|
|
|
: ''
|
|
|
|
if (password.length < self.pass.min || password.length > self.pass.max) {
|
|
|
|
throw new ClientError(`Password must have ${self.pass.min}-${self.pass.max} characters.`)
|
|
|
|
}
|
2021-01-08 03:11:56 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
const hash = await bcrypt.hash(password, saltRounds)
|
2017-10-04 00:13:38 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
await utils.db.table('users')
|
2022-08-04 14:59:06 +00:00
|
|
|
.where('id', req.locals.user.id)
|
2022-07-10 12:46:25 +00:00
|
|
|
.update('password', hash)
|
2018-04-28 17:26:39 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
return res.json({ success: true })
|
2018-03-24 13:52:47 +00:00
|
|
|
}
|
|
|
|
|
2019-10-06 23:11:07 +00:00
|
|
|
self.assertPermission = (user, target) => {
|
2022-08-09 10:51:31 +00:00
|
|
|
if (target.username === 'root') {
|
|
|
|
throw new ClientError('User "root" may not be tampered with.', { statusCode: 403 })
|
2020-10-30 18:12:09 +00:00
|
|
|
} else if (!perms.higher(user, target)) {
|
2021-01-08 03:11:56 +00:00
|
|
|
throw new ClientError('The user is in the same or higher group as you.', { statusCode: 403 })
|
2020-10-30 18:12:09 +00:00
|
|
|
}
|
2019-10-06 23:11:07 +00:00
|
|
|
}
|
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
self.createUser = async (req, res) => {
|
2022-08-04 14:59:06 +00:00
|
|
|
const isadmin = perms.is(req.locals.user, 'admin')
|
|
|
|
if (!isadmin) {
|
|
|
|
return res.status(403).end()
|
|
|
|
}
|
2020-04-17 07:25:18 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
const username = typeof req.body.username === 'string'
|
|
|
|
? req.body.username.trim()
|
|
|
|
: ''
|
|
|
|
if (username.length < self.user.min || username.length > self.user.max) {
|
|
|
|
throw new ClientError(`Username must have ${self.user.min}-${self.user.max} characters.`)
|
|
|
|
}
|
|
|
|
|
2022-08-07 23:22:18 +00:00
|
|
|
if (username === 'root') {
|
|
|
|
throw new ClientError('Username is reserved.')
|
|
|
|
}
|
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
let password = typeof req.body.password === 'string'
|
|
|
|
? req.body.password.trim()
|
|
|
|
: ''
|
|
|
|
if (password.length) {
|
|
|
|
if (password.length < self.pass.min || password.length > self.pass.max) {
|
|
|
|
throw new ClientError(`Password must have ${self.pass.min}-${self.pass.max} characters.`)
|
2020-04-17 07:25:18 +00:00
|
|
|
}
|
2022-07-10 12:46:25 +00:00
|
|
|
} else {
|
|
|
|
password = randomstring.generate(self.pass.rand)
|
|
|
|
}
|
2020-04-17 07:25:18 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
let group = req.body.group
|
|
|
|
let permission
|
|
|
|
if (group !== undefined) {
|
|
|
|
permission = perms.permissions[group]
|
|
|
|
if (typeof permission !== 'number' || permission < 0) {
|
|
|
|
group = 'user'
|
|
|
|
permission = perms.permissions.user
|
2021-01-08 03:11:56 +00:00
|
|
|
}
|
2022-07-10 12:46:25 +00:00
|
|
|
}
|
2021-01-08 03:11:56 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
const exists = await utils.db.table('users')
|
|
|
|
.where('username', username)
|
|
|
|
.first()
|
2020-04-17 07:25:18 +00:00
|
|
|
|
2022-08-07 23:22:18 +00:00
|
|
|
if (exists) {
|
|
|
|
throw new ClientError('Username already exists.')
|
|
|
|
}
|
2020-04-17 07:25:18 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
const hash = await bcrypt.hash(password, saltRounds)
|
2020-04-17 07:25:18 +00:00
|
|
|
|
2022-07-30 01:37:57 +00:00
|
|
|
const token = await tokens.getUniqueToken(res)
|
2020-04-17 07:25:18 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
await utils.db.table('users')
|
|
|
|
.insert({
|
|
|
|
username,
|
|
|
|
password: hash,
|
|
|
|
token,
|
|
|
|
enabled: 1,
|
|
|
|
permission,
|
|
|
|
registration: Math.floor(Date.now() / 1000)
|
|
|
|
})
|
2022-07-30 01:37:57 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
utils.invalidateStatsCache('users')
|
|
|
|
|
|
|
|
return res.json({ success: true, username, password, group })
|
2020-04-17 07:25:18 +00:00
|
|
|
}
|
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
self.editUser = async (req, res) => {
|
2022-08-04 14:59:06 +00:00
|
|
|
const isadmin = perms.is(req.locals.user, 'admin')
|
|
|
|
if (!isadmin) {
|
|
|
|
return res.status(403).end()
|
|
|
|
}
|
2018-10-09 19:52:41 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
const id = parseInt(req.body.id)
|
2022-08-04 14:59:06 +00:00
|
|
|
if (isNaN(id)) {
|
|
|
|
throw new ClientError('No user specified.')
|
|
|
|
}
|
2018-10-09 19:52:41 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
const target = await utils.db.table('users')
|
|
|
|
.where('id', id)
|
|
|
|
.first()
|
2022-08-04 14:59:06 +00:00
|
|
|
|
2022-08-09 10:51:31 +00:00
|
|
|
if (!target) {
|
|
|
|
throw new ClientError('Could not get user with the specified ID.')
|
|
|
|
}
|
|
|
|
|
2022-08-04 14:59:06 +00:00
|
|
|
// Ensure this user has permission to tamper with target user
|
|
|
|
self.assertPermission(req.locals.user, target)
|
2019-01-01 19:39:08 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
const update = {}
|
2018-10-10 17:33:11 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
if (req.body.username !== undefined) {
|
|
|
|
update.username = String(req.body.username).trim()
|
|
|
|
if (update.username.length < self.user.min || update.username.length > self.user.max) {
|
|
|
|
throw new ClientError(`Username must have ${self.user.min}-${self.user.max} characters.`)
|
2020-10-30 18:12:09 +00:00
|
|
|
}
|
2022-07-10 12:46:25 +00:00
|
|
|
}
|
2018-10-09 19:52:41 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
if (req.body.enabled !== undefined) {
|
|
|
|
update.enabled = Boolean(req.body.enabled)
|
|
|
|
}
|
2018-10-09 19:52:41 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
if (req.body.group !== undefined) {
|
|
|
|
update.permission = perms.permissions[req.body.group]
|
|
|
|
if (typeof update.permission !== 'number' || update.permission < 0) {
|
|
|
|
update.permission = target.permission
|
2018-10-09 19:52:41 +00:00
|
|
|
}
|
2022-07-10 12:46:25 +00:00
|
|
|
}
|
2018-10-09 19:52:41 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
let password
|
|
|
|
if (req.body.resetPassword) {
|
|
|
|
password = randomstring.generate(self.pass.rand)
|
|
|
|
update.password = await bcrypt.hash(password, saltRounds)
|
|
|
|
}
|
2018-10-09 19:52:41 +00:00
|
|
|
|
2022-08-23 08:09:47 +00:00
|
|
|
if (!Object.keys(update).length) {
|
|
|
|
throw new ClientError('You are not editing any properties of this user.')
|
|
|
|
}
|
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
await utils.db.table('users')
|
|
|
|
.where('id', id)
|
|
|
|
.update(update)
|
|
|
|
utils.invalidateStatsCache('users')
|
|
|
|
|
|
|
|
const response = { success: true, update }
|
|
|
|
if (password) {
|
|
|
|
response.update.password = password
|
|
|
|
}
|
|
|
|
|
|
|
|
return res.json(response)
|
2018-10-09 19:52:41 +00:00
|
|
|
}
|
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
self.disableUser = async (req, res) => {
|
2022-08-04 14:59:06 +00:00
|
|
|
// Re-map Request.body for .editUser()
|
|
|
|
req.body = {
|
|
|
|
id: req.body.id,
|
|
|
|
enabled: false
|
|
|
|
}
|
2022-07-22 01:40:40 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
return self.editUser(req, res)
|
2019-01-01 19:39:08 +00:00
|
|
|
}
|
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
self.deleteUser = async (req, res) => {
|
2022-08-04 14:59:06 +00:00
|
|
|
const isadmin = perms.is(req.locals.user, 'admin')
|
|
|
|
if (!isadmin) {
|
|
|
|
return res.status(403).end()
|
|
|
|
}
|
2022-07-10 12:46:25 +00:00
|
|
|
|
|
|
|
const id = parseInt(req.body.id)
|
|
|
|
const purge = req.body.purge
|
2022-08-04 14:59:06 +00:00
|
|
|
if (isNaN(id)) {
|
|
|
|
throw new ClientError('No user specified.')
|
|
|
|
}
|
2022-07-10 12:46:25 +00:00
|
|
|
|
|
|
|
const target = await utils.db.table('users')
|
|
|
|
.where('id', id)
|
|
|
|
.first()
|
2022-08-04 14:59:06 +00:00
|
|
|
|
2022-08-09 10:51:31 +00:00
|
|
|
if (!target) {
|
|
|
|
throw new ClientError('Could not get user with the specified ID.')
|
|
|
|
}
|
|
|
|
|
2022-08-04 14:59:06 +00:00
|
|
|
// Ensure this user has permission to tamper with target user
|
|
|
|
self.assertPermission(req.locals.user, target)
|
2022-07-10 12:46:25 +00:00
|
|
|
|
|
|
|
const files = await utils.db.table('files')
|
|
|
|
.where('userid', id)
|
|
|
|
.select('id')
|
|
|
|
|
|
|
|
if (files.length) {
|
|
|
|
const fileids = files.map(file => file.id)
|
|
|
|
if (purge) {
|
2022-08-04 14:59:06 +00:00
|
|
|
const failed = await utils.bulkDeleteFromDb('id', fileids, req.locals.user)
|
2022-07-10 12:46:25 +00:00
|
|
|
utils.invalidateStatsCache('uploads')
|
|
|
|
if (failed.length) {
|
|
|
|
return res.json({ success: false, failed })
|
2019-10-06 23:11:07 +00:00
|
|
|
}
|
2022-07-10 12:46:25 +00:00
|
|
|
} else {
|
|
|
|
// Clear out userid attribute from the files
|
|
|
|
await utils.db.table('files')
|
|
|
|
.whereIn('id', fileids)
|
|
|
|
.update('userid', null)
|
2019-10-06 23:11:07 +00:00
|
|
|
}
|
2022-07-10 12:46:25 +00:00
|
|
|
}
|
2019-10-06 23:11:07 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
const albums = await utils.db.table('albums')
|
|
|
|
.where('userid', id)
|
|
|
|
.where('enabled', 1)
|
|
|
|
.select('id', 'identifier')
|
2019-10-06 23:11:07 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
if (albums.length) {
|
|
|
|
const albumids = albums.map(album => album.id)
|
|
|
|
await utils.db.table('albums')
|
|
|
|
.whereIn('id', albumids)
|
2019-10-06 23:11:07 +00:00
|
|
|
.del()
|
2022-07-10 12:46:25 +00:00
|
|
|
utils.deleteStoredAlbumRenders(albumids)
|
|
|
|
|
|
|
|
// Unlink their archives
|
|
|
|
await Promise.all(albums.map(async album => {
|
|
|
|
try {
|
|
|
|
await paths.unlink(path.join(paths.zips, `${album.identifier}.zip`))
|
|
|
|
} catch (error) {
|
|
|
|
// Re-throw non-ENOENT error
|
|
|
|
if (error.code !== 'ENOENT') throw error
|
|
|
|
}
|
|
|
|
}))
|
|
|
|
}
|
2019-10-06 23:11:07 +00:00
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
await utils.db.table('users')
|
|
|
|
.where('id', id)
|
|
|
|
.del()
|
|
|
|
utils.invalidateStatsCache('users')
|
|
|
|
|
|
|
|
return res.json({ success: true })
|
2019-10-06 23:11:07 +00:00
|
|
|
}
|
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
self.bulkDeleteUsers = async (req, res) => {
|
2019-10-06 23:11:07 +00:00
|
|
|
// TODO
|
|
|
|
}
|
|
|
|
|
2022-07-10 12:46:25 +00:00
|
|
|
self.listUsers = async (req, res) => {
|
2022-08-04 14:59:06 +00:00
|
|
|
const isadmin = perms.is(req.locals.user, 'admin')
|
|
|
|
if (!isadmin) {
|
|
|
|
return res.status(403).end()
|
|
|
|
}
|
2018-10-12 10:19:14 +00:00
|
|
|
|
2022-07-31 08:51:32 +00:00
|
|
|
// Base result object
|
|
|
|
const result = { success: true, users: [], usersPerPage, count: 0 }
|
|
|
|
|
|
|
|
result.count = await utils.db.table('users')
|
2022-07-10 12:46:25 +00:00
|
|
|
.count('id as count')
|
|
|
|
.then(rows => rows[0].count)
|
2022-07-31 08:51:32 +00:00
|
|
|
if (!result.count) {
|
|
|
|
return res.json(result)
|
2022-07-10 12:46:25 +00:00
|
|
|
}
|
|
|
|
|
2022-07-21 19:03:59 +00:00
|
|
|
let offset = req.path_parameters && Number(req.path_parameters.page)
|
2022-07-31 08:51:32 +00:00
|
|
|
if (isNaN(offset)) {
|
|
|
|
offset = 0
|
|
|
|
} else if (offset < 0) {
|
|
|
|
offset = Math.max(0, Math.ceil(result.count / usersPerPage) + offset)
|
|
|
|
}
|
2022-07-10 12:46:25 +00:00
|
|
|
|
2022-07-31 08:51:32 +00:00
|
|
|
result.users = await utils.db.table('users')
|
|
|
|
.limit(usersPerPage)
|
|
|
|
.offset(usersPerPage * offset)
|
2022-07-10 12:46:25 +00:00
|
|
|
.select('id', 'username', 'enabled', 'timestamp', 'permission', 'registration')
|
|
|
|
|
|
|
|
const pointers = {}
|
2022-07-31 08:51:32 +00:00
|
|
|
for (const user of result.users) {
|
2022-07-10 12:46:25 +00:00
|
|
|
user.groups = perms.mapPermissions(user)
|
|
|
|
delete user.permission
|
|
|
|
user.uploads = 0
|
|
|
|
user.usage = 0
|
|
|
|
pointers[user.id] = user
|
|
|
|
}
|
|
|
|
|
|
|
|
const uploads = await utils.db.table('files')
|
|
|
|
.whereIn('userid', Object.keys(pointers))
|
|
|
|
.select('userid', 'size')
|
|
|
|
|
|
|
|
for (const upload of uploads) {
|
|
|
|
pointers[upload.userid].uploads++
|
|
|
|
pointers[upload.userid].usage += parseInt(upload.size)
|
|
|
|
}
|
2018-10-09 19:52:41 +00:00
|
|
|
|
2022-07-31 08:51:32 +00:00
|
|
|
return res.json(result)
|
2018-10-09 19:52:41 +00:00
|
|
|
}
|
|
|
|
|
2019-09-08 01:56:29 +00:00
|
|
|
module.exports = self
|