filesafe/controllers/authController.js

289 lines
8.6 KiB
JavaScript
Raw Normal View History

const bcrypt = require('bcrypt')
const config = require('./../config')
const db = require('knex')(config.database)
const logger = require('./../logger')
const perms = require('./permissionController')
const randomstring = require('randomstring')
const tokens = require('./tokenController')
const utils = require('./utilsController')
2017-10-04 00:13:38 +00:00
const authController = {}
2017-10-04 00:13:38 +00:00
authController.verify = async (req, res, next) => {
let username = req.body.username
let password = req.body.password
2017-10-04 00:13:38 +00:00
if (username === undefined)
return res.json({ success: false, description: 'No username provided.' })
if (password === undefined)
return res.json({ success: false, description: 'No password provided.' })
username = username.trim()
password = password.trim()
2017-10-04 00:13:38 +00:00
const user = await db.table('users').where('username', username).first()
if (!user)
return res.json({ success: false, description: 'Username does not exist.' })
if (user.enabled === false || user.enabled === 0)
More improvements to albums, and others Improvements related to albums: * Changed "rename album" option with a better "edit album" feature. With it you can also disable download or public link and even request a new public link (https://i.fiery.me/fz1y.png). This also adds a new API route: /api/albums/edit. The old API route, /api/albums/rename, is still available but will silently be using the new API in backend. * Deleting album will now also delete its zip archive if exists. * Renaming albums will also rename its zip archive if exists. * Generating zip will use async fs.readFile instead of fs.readFileSync. This should improve generating speed somewhat. * The codes that tries to generate random identifier for album will now check whether an album with the same identifier already exists. It will also rely on "uploads.maxTries" config option to limit how many times it will try to re-generate a new random identifier. * Added a new config option "uploads.albumIdentifierLength" which sets the length of the randomly generated identifier. * Added "download" and "public" columns to "albums" table in database/db.js. Existing users can run "node database/migration.js" to add the columns. Others: * uploadsController.getUniqueRandomName will no longer accept 3 paramters (previously it would accept a callback in the third parameter). It will now instead return a Promise. * Album name of disabled/deleted albums will no longer be shown in uploads list. * Added "fileLength" column to "users" table in database/db.js. * Renamed HTTP404.html and HTTP500.html in /pages/error to 404.html and 500.html respectively. I'm still using symlinks though. * Added a new CSS named sweetalert.css which will be used in homepage, auth and dashboard. It will style all sweetalert modals with dark theme (matching the current color scheme used in this branch). * Updated icons (added download icon). * Some other improvements/tweaks here and there.
2018-04-28 17:26:39 +00:00
return res.json({ success: false, description: 'This account has been disabled.' })
2017-10-04 00:13:38 +00:00
bcrypt.compare(password, user.password, (error, result) => {
if (error) {
logger.error(error)
return res.json({ success: false, description: 'There was an error.' })
}
if (result === false) return res.json({ success: false, description: 'Wrong password.' })
return res.json({ success: true, token: user.token })
})
}
2017-10-04 00:13:38 +00:00
authController.register = async (req, res, next) => {
if (config.enableUserAccounts === false)
return res.json({ success: false, description: 'Register is disabled at the moment.' })
let username = req.body.username
let password = req.body.password
if (username === undefined)
return res.json({ success: false, description: 'No username provided.' })
if (password === undefined)
return res.json({ success: false, description: 'No password provided.' })
username = username.trim()
password = password.trim()
if (username.length < 4 || username.length > 32)
return res.json({ success: false, description: 'Username must have 4-32 characters.' })
if (password.length < 6 || password.length > 64)
return res.json({ success: false, description: 'Password must have 6-64 characters.' })
const user = await db.table('users').where('username', username).first()
if (user)
return res.json({ success: false, description: 'Username already exists.' })
bcrypt.hash(password, 10, async (error, hash) => {
if (error) {
logger.error(error)
return res.json({ success: false, description: 'Error generating password hash (╯°□°)╯︵ ┻━┻.' })
}
const token = await tokens.generateUniqueToken()
if (!token)
return res.json({ success: false, description: 'Error generating unique token (╯°□°)╯︵ ┻━┻.' })
await db.table('users').insert({
username,
password: hash,
token,
2018-10-09 19:52:41 +00:00
enabled: 1,
permission: perms.permissions.user
})
utils.invalidateStatsCache('users')
return res.json({ success: true, token })
})
}
2017-10-04 00:13:38 +00:00
authController.changePassword = async (req, res, next) => {
const user = await utils.authorize(req, res)
if (!user) return
2017-10-04 00:13:38 +00:00
const password = req.body.password
if (password === undefined)
return res.json({ success: false, description: 'No password provided.' })
2017-10-04 00:13:38 +00:00
if (password.length < 6 || password.length > 64)
return res.json({ success: false, description: 'Password must have 6-64 characters.' })
2017-10-04 00:13:38 +00:00
bcrypt.hash(password, 10, async (error, hash) => {
if (error) {
logger.error(error)
return res.json({ success: false, description: 'Error generating password hash (╯°□°)╯︵ ┻━┻.' })
}
2017-10-04 00:13:38 +00:00
More improvements to albums, and others Improvements related to albums: * Changed "rename album" option with a better "edit album" feature. With it you can also disable download or public link and even request a new public link (https://i.fiery.me/fz1y.png). This also adds a new API route: /api/albums/edit. The old API route, /api/albums/rename, is still available but will silently be using the new API in backend. * Deleting album will now also delete its zip archive if exists. * Renaming albums will also rename its zip archive if exists. * Generating zip will use async fs.readFile instead of fs.readFileSync. This should improve generating speed somewhat. * The codes that tries to generate random identifier for album will now check whether an album with the same identifier already exists. It will also rely on "uploads.maxTries" config option to limit how many times it will try to re-generate a new random identifier. * Added a new config option "uploads.albumIdentifierLength" which sets the length of the randomly generated identifier. * Added "download" and "public" columns to "albums" table in database/db.js. Existing users can run "node database/migration.js" to add the columns. Others: * uploadsController.getUniqueRandomName will no longer accept 3 paramters (previously it would accept a callback in the third parameter). It will now instead return a Promise. * Album name of disabled/deleted albums will no longer be shown in uploads list. * Added "fileLength" column to "users" table in database/db.js. * Renamed HTTP404.html and HTTP500.html in /pages/error to 404.html and 500.html respectively. I'm still using symlinks though. * Added a new CSS named sweetalert.css which will be used in homepage, auth and dashboard. It will style all sweetalert modals with dark theme (matching the current color scheme used in this branch). * Updated icons (added download icon). * Some other improvements/tweaks here and there.
2018-04-28 17:26:39 +00:00
await db.table('users')
.where('id', user.id)
.update('password', hash)
return res.json({ success: true })
})
}
2017-10-04 00:13:38 +00:00
authController.getFileLengthConfig = async (req, res, next) => {
const user = await utils.authorize(req, res)
if (!user) return
2018-10-09 19:52:41 +00:00
return res.json({
success: true,
fileLength: user.fileLength,
config: config.uploads.fileLength
})
}
authController.changeFileLength = async (req, res, next) => {
if (config.uploads.fileLength.userChangeable === false)
2018-10-09 19:52:41 +00:00
return res.json({
success: false,
description: 'Changing file name length is disabled at the moment.'
})
const user = await utils.authorize(req, res)
if (!user) return
const fileLength = parseInt(req.body.fileLength)
if (fileLength === undefined)
2018-10-09 19:52:41 +00:00
return res.json({
success: false,
description: 'No file name length provided.'
})
if (isNaN(fileLength))
2018-10-09 19:52:41 +00:00
return res.json({
success: false,
description: 'File name length is not a valid number.'
})
if (fileLength < config.uploads.fileLength.min || fileLength > config.uploads.fileLength.max)
2018-10-09 19:52:41 +00:00
return res.json({
success: false,
description: `File name length must be ${config.uploads.fileLength.min} to ${config.uploads.fileLength.max} characters.`
})
if (fileLength === user.fileLength)
return res.json({ success: true })
More improvements to albums, and others Improvements related to albums: * Changed "rename album" option with a better "edit album" feature. With it you can also disable download or public link and even request a new public link (https://i.fiery.me/fz1y.png). This also adds a new API route: /api/albums/edit. The old API route, /api/albums/rename, is still available but will silently be using the new API in backend. * Deleting album will now also delete its zip archive if exists. * Renaming albums will also rename its zip archive if exists. * Generating zip will use async fs.readFile instead of fs.readFileSync. This should improve generating speed somewhat. * The codes that tries to generate random identifier for album will now check whether an album with the same identifier already exists. It will also rely on "uploads.maxTries" config option to limit how many times it will try to re-generate a new random identifier. * Added a new config option "uploads.albumIdentifierLength" which sets the length of the randomly generated identifier. * Added "download" and "public" columns to "albums" table in database/db.js. Existing users can run "node database/migration.js" to add the columns. Others: * uploadsController.getUniqueRandomName will no longer accept 3 paramters (previously it would accept a callback in the third parameter). It will now instead return a Promise. * Album name of disabled/deleted albums will no longer be shown in uploads list. * Added "fileLength" column to "users" table in database/db.js. * Renamed HTTP404.html and HTTP500.html in /pages/error to 404.html and 500.html respectively. I'm still using symlinks though. * Added a new CSS named sweetalert.css which will be used in homepage, auth and dashboard. It will style all sweetalert modals with dark theme (matching the current color scheme used in this branch). * Updated icons (added download icon). * Some other improvements/tweaks here and there.
2018-04-28 17:26:39 +00:00
await db.table('users')
.where('id', user.id)
.update('fileLength', fileLength)
return res.json({ success: true })
}
2018-10-09 19:52:41 +00:00
authController.editUser = async (req, res, next) => {
const user = await utils.authorize(req, res)
if (!user) return
2018-10-09 19:52:41 +00:00
const id = parseInt(req.body.id)
if (isNaN(id))
2018-10-09 19:52:41 +00:00
return res.json({ success: false, description: 'No user specified.' })
const target = await db.table('users')
.where('id', id)
.first()
if (!target)
2018-10-09 19:52:41 +00:00
return res.json({ success: false, description: 'Could not get user with the specified ID.' })
else if (!perms.higher(user, target))
2018-10-09 19:52:41 +00:00
return res.json({ success: false, description: 'The user is in the same or higher group as you.' })
else if (target.username === 'root')
2018-10-09 19:52:41 +00:00
return res.json({ success: false, description: 'Root user may not be edited.' })
const update = {}
if (req.body.username !== undefined) {
update.username = `${req.body.username}`
if (update.username.length < 4 || update.username.length > 32)
return res.json({ success: false, description: 'Username must have 4-32 characters.' })
}
2018-10-09 19:52:41 +00:00
if (req.body.enabled !== undefined)
update.enabled = Boolean(req.body.enabled)
if (req.body.group !== undefined) {
update.permission = perms.permissions[req.body.group] || target.permission
if (typeof update.permission !== 'number' || update.permission < 0)
update.permission = target.permission
}
2018-10-09 19:52:41 +00:00
await db.table('users')
.where('id', id)
.update(update)
utils.invalidateStatsCache('users')
2018-10-09 19:52:41 +00:00
if (!req.body.resetPassword)
return res.json({ success: true, update })
2018-10-09 19:52:41 +00:00
const password = randomstring.generate(16)
bcrypt.hash(password, 10, async (error, hash) => {
if (error) {
logger.error(error)
2018-10-09 19:52:41 +00:00
return res.json({ success: false, description: 'Error generating password hash (╯°□°)╯︵ ┻━┻.' })
}
await db.table('users')
.where('id', id)
.update('password', hash)
return res.json({ success: true, update, password })
2018-10-09 19:52:41 +00:00
})
}
authController.disableUser = async (req, res, next) => {
const body = {
id: req.body.id,
enabled: false
}
req.body = body
return authController.editUser(req, res, next)
}
2018-10-09 19:52:41 +00:00
authController.listUsers = async (req, res, next) => {
const user = await utils.authorize(req, res)
if (!user) return
2018-10-09 19:52:41 +00:00
const isadmin = perms.is(user, 'admin')
if (!isadmin)
return res.status(403).end()
2018-10-09 19:52:41 +00:00
const count = await db.table('users')
.count('id as count')
.then(rows => rows[0].count)
if (!count)
return res.json({ success: true, users: [], count })
2018-10-09 19:52:41 +00:00
let offset = req.params.page
if (offset === undefined) offset = 0
2018-10-09 19:52:41 +00:00
const users = await db.table('users')
.limit(25)
.offset(25 * offset)
.select('id', 'username', 'enabled', 'fileLength', 'permission')
const userids = []
2018-10-09 19:52:41 +00:00
for (const user of users) {
2018-10-13 11:09:09 +00:00
user.groups = perms.mapPermissions(user)
2018-10-09 19:52:41 +00:00
delete user.permission
userids.push(user.id)
user.uploadsCount = 0
user.diskUsage = 0
}
const maps = {}
const uploads = await db.table('files').whereIn('userid', userids)
for (const upload of uploads) {
// This is the fastest method that I can think of
if (maps[upload.userid] === undefined)
maps[upload.userid] = {
count: 0,
size: 0
}
maps[upload.userid].count++
maps[upload.userid].size += parseInt(upload.size)
}
for (const user of users) {
if (!maps[user.id]) continue
user.uploadsCount = maps[user.id].count
user.diskUsage = maps[user.id].size
2018-10-09 19:52:41 +00:00
}
return res.json({ success: true, users, count })
2018-10-09 19:52:41 +00:00
}
module.exports = authController