filesafe/controllers/authController.js

256 lines
7.8 KiB
JavaScript
Raw Normal View History

const bcrypt = require('bcrypt')
const config = require('./../config')
const db = require('knex')(config.database)
const randomstring = require('randomstring')
const utils = require('./utilsController')
2017-10-04 00:13:38 +00:00
const authController = {}
2017-10-04 00:13:38 +00:00
2018-10-09 19:52:41 +00:00
authController.permissions = {
user: 0, // upload & delete own files, create & delete albums
moderator: 50, // delete other user's files
admin: 80, // manage users (disable accounts) & create moderators
superadmin: 100 // create admins
// groups will inherit permissions from groups which have lower value
}
authController.is = (user, group) => {
// root bypass
if (user.username === 'root') { return true }
const permission = user.permission || 0
return permission >= authController.permissions[group]
}
authController.higher = (user, target) => {
const userPermission = user.permission || 0
const targetPermission = target.permission || 0
return userPermission > targetPermission
}
authController.mapPermissions = user => {
const map = {}
Object.keys(authController.permissions).forEach(group => {
map[group] = authController.is(user, group)
})
return map
}
2017-10-04 00:13:38 +00:00
authController.verify = async (req, res, next) => {
const username = req.body.username
const password = req.body.password
2017-10-04 00:13:38 +00:00
if (username === undefined) { return res.json({ success: false, description: 'No username provided.' }) }
if (password === undefined) { return res.json({ success: false, description: 'No password provided.' }) }
2017-10-04 00:13:38 +00:00
const user = await db.table('users').where('username', username).first()
2018-10-09 19:52:41 +00:00
if (!user) {
return res.json({ success: false, description: 'Username doesn\'t exist.' })
}
if (user.enabled === false || user.enabled === 0) {
More improvements to albums, and others Improvements related to albums: * Changed "rename album" option with a better "edit album" feature. With it you can also disable download or public link and even request a new public link (https://i.fiery.me/fz1y.png). This also adds a new API route: /api/albums/edit. The old API route, /api/albums/rename, is still available but will silently be using the new API in backend. * Deleting album will now also delete its zip archive if exists. * Renaming albums will also rename its zip archive if exists. * Generating zip will use async fs.readFile instead of fs.readFileSync. This should improve generating speed somewhat. * The codes that tries to generate random identifier for album will now check whether an album with the same identifier already exists. It will also rely on "uploads.maxTries" config option to limit how many times it will try to re-generate a new random identifier. * Added a new config option "uploads.albumIdentifierLength" which sets the length of the randomly generated identifier. * Added "download" and "public" columns to "albums" table in database/db.js. Existing users can run "node database/migration.js" to add the columns. Others: * uploadsController.getUniqueRandomName will no longer accept 3 paramters (previously it would accept a callback in the third parameter). It will now instead return a Promise. * Album name of disabled/deleted albums will no longer be shown in uploads list. * Added "fileLength" column to "users" table in database/db.js. * Renamed HTTP404.html and HTTP500.html in /pages/error to 404.html and 500.html respectively. I'm still using symlinks though. * Added a new CSS named sweetalert.css which will be used in homepage, auth and dashboard. It will style all sweetalert modals with dark theme (matching the current color scheme used in this branch). * Updated icons (added download icon). * Some other improvements/tweaks here and there.
2018-04-28 17:26:39 +00:00
return res.json({ success: false, description: 'This account has been disabled.' })
}
2017-10-04 00:13:38 +00:00
bcrypt.compare(password, user.password, (error, result) => {
if (error) {
console.error(error)
return res.json({ success: false, description: 'There was an error.' })
}
if (result === false) { return res.json({ success: false, description: 'Wrong password.' }) }
return res.json({ success: true, token: user.token })
})
}
2017-10-04 00:13:38 +00:00
authController.register = async (req, res, next) => {
if (config.enableUserAccounts === false) {
return res.json({ success: false, description: 'Register is disabled at the moment.' })
}
const username = req.body.username
const password = req.body.password
if (username === undefined) { return res.json({ success: false, description: 'No username provided.' }) }
if (password === undefined) { return res.json({ success: false, description: 'No password provided.' }) }
if (username.length < 4 || username.length > 32) {
return res.json({ success: false, description: 'Username must have 4-32 characters.' })
}
if (password.length < 6 || password.length > 64) {
return res.json({ success: false, description: 'Password must have 6-64 characters.' })
}
const user = await db.table('users').where('username', username).first()
if (user) { return res.json({ success: false, description: 'Username already exists.' }) }
bcrypt.hash(password, 10, async (error, hash) => {
if (error) {
console.error(error)
return res.json({ success: false, description: 'Error generating password hash (╯°□°)╯︵ ┻━┻.' })
}
const token = randomstring.generate(64)
await db.table('users').insert({
username,
password: hash,
token,
2018-10-09 19:52:41 +00:00
enabled: 1,
permission: authController.permissions.user
})
return res.json({ success: true, token })
})
}
2017-10-04 00:13:38 +00:00
authController.changePassword = async (req, res, next) => {
const user = await utils.authorize(req, res)
if (!user) { return }
2017-10-04 00:13:38 +00:00
const password = req.body.password
if (password === undefined) { return res.json({ success: false, description: 'No password provided.' }) }
2017-10-04 00:13:38 +00:00
if (password.length < 6 || password.length > 64) {
return res.json({ success: false, description: 'Password must have 6-64 characters.' })
}
2017-10-04 00:13:38 +00:00
bcrypt.hash(password, 10, async (error, hash) => {
if (error) {
console.error(error)
return res.json({ success: false, description: 'Error generating password hash (╯°□°)╯︵ ┻━┻.' })
}
2017-10-04 00:13:38 +00:00
More improvements to albums, and others Improvements related to albums: * Changed "rename album" option with a better "edit album" feature. With it you can also disable download or public link and even request a new public link (https://i.fiery.me/fz1y.png). This also adds a new API route: /api/albums/edit. The old API route, /api/albums/rename, is still available but will silently be using the new API in backend. * Deleting album will now also delete its zip archive if exists. * Renaming albums will also rename its zip archive if exists. * Generating zip will use async fs.readFile instead of fs.readFileSync. This should improve generating speed somewhat. * The codes that tries to generate random identifier for album will now check whether an album with the same identifier already exists. It will also rely on "uploads.maxTries" config option to limit how many times it will try to re-generate a new random identifier. * Added a new config option "uploads.albumIdentifierLength" which sets the length of the randomly generated identifier. * Added "download" and "public" columns to "albums" table in database/db.js. Existing users can run "node database/migration.js" to add the columns. Others: * uploadsController.getUniqueRandomName will no longer accept 3 paramters (previously it would accept a callback in the third parameter). It will now instead return a Promise. * Album name of disabled/deleted albums will no longer be shown in uploads list. * Added "fileLength" column to "users" table in database/db.js. * Renamed HTTP404.html and HTTP500.html in /pages/error to 404.html and 500.html respectively. I'm still using symlinks though. * Added a new CSS named sweetalert.css which will be used in homepage, auth and dashboard. It will style all sweetalert modals with dark theme (matching the current color scheme used in this branch). * Updated icons (added download icon). * Some other improvements/tweaks here and there.
2018-04-28 17:26:39 +00:00
await db.table('users')
.where('id', user.id)
.update('password', hash)
return res.json({ success: true })
})
}
2017-10-04 00:13:38 +00:00
authController.getFileLengthConfig = async (req, res, next) => {
const user = await utils.authorize(req, res)
if (!user) { return }
2018-10-09 19:52:41 +00:00
return res.json({
success: true,
fileLength: user.fileLength,
config: config.uploads.fileLength
})
}
authController.changeFileLength = async (req, res, next) => {
if (config.uploads.fileLength.userChangeable === false) {
2018-10-09 19:52:41 +00:00
return res.json({
success: false,
description: 'Changing file name length is disabled at the moment.'
})
}
const user = await utils.authorize(req, res)
if (!user) { return }
const fileLength = parseInt(req.body.fileLength)
2018-10-09 19:52:41 +00:00
if (fileLength === undefined) {
return res.json({
success: false,
description: 'No file name length provided.'
})
}
if (isNaN(fileLength)) {
return res.json({
success: false,
description: 'File name length is not a valid number.'
})
}
if (fileLength < config.uploads.fileLength.min || fileLength > config.uploads.fileLength.max) {
2018-10-09 19:52:41 +00:00
return res.json({
success: false,
description: `File name length must be ${config.uploads.fileLength.min} to ${config.uploads.fileLength.max} characters.`
})
}
if (fileLength === user.fileLength) {
return res.json({ success: true })
}
More improvements to albums, and others Improvements related to albums: * Changed "rename album" option with a better "edit album" feature. With it you can also disable download or public link and even request a new public link (https://i.fiery.me/fz1y.png). This also adds a new API route: /api/albums/edit. The old API route, /api/albums/rename, is still available but will silently be using the new API in backend. * Deleting album will now also delete its zip archive if exists. * Renaming albums will also rename its zip archive if exists. * Generating zip will use async fs.readFile instead of fs.readFileSync. This should improve generating speed somewhat. * The codes that tries to generate random identifier for album will now check whether an album with the same identifier already exists. It will also rely on "uploads.maxTries" config option to limit how many times it will try to re-generate a new random identifier. * Added a new config option "uploads.albumIdentifierLength" which sets the length of the randomly generated identifier. * Added "download" and "public" columns to "albums" table in database/db.js. Existing users can run "node database/migration.js" to add the columns. Others: * uploadsController.getUniqueRandomName will no longer accept 3 paramters (previously it would accept a callback in the third parameter). It will now instead return a Promise. * Album name of disabled/deleted albums will no longer be shown in uploads list. * Added "fileLength" column to "users" table in database/db.js. * Renamed HTTP404.html and HTTP500.html in /pages/error to 404.html and 500.html respectively. I'm still using symlinks though. * Added a new CSS named sweetalert.css which will be used in homepage, auth and dashboard. It will style all sweetalert modals with dark theme (matching the current color scheme used in this branch). * Updated icons (added download icon). * Some other improvements/tweaks here and there.
2018-04-28 17:26:39 +00:00
await db.table('users')
.where('id', user.id)
.update('fileLength', fileLength)
return res.json({ success: true })
}
2018-10-09 19:52:41 +00:00
authController.editUser = async (req, res, next) => {
const user = await utils.authorize(req, res)
if (!user) { return }
const id = parseInt(req.body.id)
if (isNaN(id)) {
return res.json({ success: false, description: 'No user specified.' })
}
const target = await db.table('users')
.where('id', id)
.first()
if (!target) {
return res.json({ success: false, description: 'Could not get user with the specified ID.' })
} else if (!authController.higher(user, target)) {
return res.json({ success: false, description: 'The user is in the same or higher group as you.' })
} else if (target.username === 'root') {
return res.json({ success: false, description: 'Root user may not be edited.' })
}
const username = String(req.body.username)
if (username.length < 4 || username.length > 32) {
return res.json({ success: false, description: 'Username must have 4-32 characters.' })
}
await db.table('users')
.where('id', id)
.update({
username,
enabled: Boolean(req.body.enabled)
})
if (!req.body.resetPassword) {
return res.json({ success: true, username })
}
const password = randomstring.generate(16)
bcrypt.hash(password, 10, async (error, hash) => {
if (error) {
console.error(error)
return res.json({ success: false, description: 'Error generating password hash (╯°□°)╯︵ ┻━┻.' })
}
await db.table('users')
.where('id', id)
.update('password', hash)
return res.json({ success: true, password })
})
}
authController.listUsers = async (req, res, next) => {
const user = await utils.authorize(req, res)
if (!user) { return }
const isadmin = authController.is(user, 'admin')
if (!isadmin) { return res.status(403) }
let offset = req.params.page
if (offset === undefined) { offset = 0 }
const users = await db.table('users')
// .orderBy('id', 'DESC')
.limit(25)
.offset(25 * offset)
.select('id', 'username', 'enabled', 'fileLength', 'permission')
for (const user of users) {
user.groups = authController.mapPermissions(user)
delete user.permission
}
return res.json({ success: true, users })
}
module.exports = authController