mirror of
https://github.com/BobbyWibowo/lolisafe.git
synced 2024-12-13 07:56:23 +00:00
9e9b0d4439
Updated some dev dependencies. --- Gulp will now build CSS/JS files during development into dist-dev directory, to prevent IDE's Git from unnecessarily building diff's. Added dist-dev to ignore files. --- The entire config fille will now be passed to Nunjuck templates for ease of access of config values. Root domain for use in Nunjuck templates will now be parsed from config. Better page titles. Updated help message for "Uploads history order" option in homepage's config tab. Added "Load images for preview" option to homepage's config tab. Setting this to false will now prevent image uploads from loading themselves for previews. Uploads' original names in homepage's uploads history are now selectable. Min/max length for user/pass are now enforced in auth's front-end. Improved performance of album public pages. Their generated HTML pages will now be cached into memory. Unfortunately, No-JS version of their pages will be cached separately, so each album may take up to double the memory space. File names in thumbnails no longer have their full URLs as tooltips. I saw no point in that behavior. Added video icons. Homepage's uploads history will now display video icons for videos. "View thumbnail" button in Dashboard is now renamed to "Show preview". Their icons will also be changed depending on their file types. Added max length for albums' title & description. These will be enforced both in front-end and back-end. Existing albums that have surpassed the limits will not be enforced. A few other small improvements.
252 lines
7.7 KiB
JavaScript
252 lines
7.7 KiB
JavaScript
const bcrypt = require('bcrypt')
|
|
const randomstring = require('randomstring')
|
|
const perms = require('./permissionController')
|
|
const tokens = require('./tokenController')
|
|
const utils = require('./utilsController')
|
|
const config = require('./../config')
|
|
const logger = require('./../logger')
|
|
const db = require('knex')(config.database)
|
|
|
|
// Don't forget to update min/max length of text inputs in auth.njk
|
|
// when changing these values.
|
|
const self = {
|
|
user: {
|
|
min: 4,
|
|
max: 32
|
|
},
|
|
pass: {
|
|
min: 6,
|
|
// Should not be more than 72 characters
|
|
// https://github.com/kelektiv/node.bcrypt.js#security-issues-and-concerns
|
|
max: 64,
|
|
// Length of randomized password
|
|
// when resetting passwordthrough Dashboard's Manage Users.
|
|
rand: 16
|
|
}
|
|
}
|
|
|
|
// https://github.com/kelektiv/node.bcrypt.js#a-note-on-rounds
|
|
const saltRounds = 10
|
|
|
|
self.verify = async (req, res, next) => {
|
|
const username = typeof req.body.username === 'string'
|
|
? req.body.username.trim()
|
|
: ''
|
|
if (!username)
|
|
return res.json({ success: false, description: 'No username provided.' })
|
|
|
|
const password = typeof req.body.password === 'string'
|
|
? req.body.password.trim()
|
|
: ''
|
|
if (!password)
|
|
return res.json({ success: false, description: 'No password provided.' })
|
|
|
|
try {
|
|
const user = await db.table('users')
|
|
.where('username', username)
|
|
.first()
|
|
|
|
if (!user)
|
|
return res.json({ success: false, description: 'Username does not exist.' })
|
|
|
|
if (user.enabled === false || user.enabled === 0)
|
|
return res.json({ success: false, description: 'This account has been disabled.' })
|
|
|
|
const result = await bcrypt.compare(password, user.password)
|
|
if (result === false)
|
|
return res.json({ success: false, description: 'Wrong password.' })
|
|
else
|
|
return res.json({ success: true, token: user.token })
|
|
} catch (error) {
|
|
logger.error(error)
|
|
return res.status(500).json({ success: false, description: 'An unexpected error occurred. Try again?' })
|
|
}
|
|
}
|
|
|
|
self.register = async (req, res, next) => {
|
|
if (config.enableUserAccounts === false)
|
|
return res.json({ success: false, description: 'Registration is currently disabled.' })
|
|
|
|
const username = typeof req.body.username === 'string'
|
|
? req.body.username.trim()
|
|
: ''
|
|
if (username.length < self.user.min || username.length > self.user.max)
|
|
return res.json({ success: false, description: `Username must have ${self.user.min}-${self.user.max} characters.` })
|
|
|
|
const password = typeof req.body.password === 'string'
|
|
? req.body.password.trim()
|
|
: ''
|
|
if (password.length < self.pass.min || password.length > self.pass.max)
|
|
return res.json({ success: false, description: `Password must have ${self.pass.min}-${self.pass.max} characters.` })
|
|
|
|
try {
|
|
const user = await db.table('users')
|
|
.where('username', username)
|
|
.first()
|
|
|
|
if (user)
|
|
return res.json({ success: false, description: 'Username already exists.' })
|
|
|
|
const hash = await bcrypt.hash(password, saltRounds)
|
|
|
|
const token = await tokens.generateUniqueToken()
|
|
if (!token)
|
|
return res.json({ success: false, description: 'Sorry, we could not allocate a unique token. Try again?' })
|
|
|
|
await db.table('users')
|
|
.insert({
|
|
username,
|
|
password: hash,
|
|
token,
|
|
enabled: 1,
|
|
permission: perms.permissions.user
|
|
})
|
|
utils.invalidateStatsCache('users')
|
|
tokens.onHold.delete(token)
|
|
|
|
return res.json({ success: true, token })
|
|
} catch (error) {
|
|
logger.error(error)
|
|
return res.status(500).json({ success: false, description: 'An unexpected error occurred. Try again?' })
|
|
}
|
|
}
|
|
|
|
self.changePassword = async (req, res, next) => {
|
|
const user = await utils.authorize(req, res)
|
|
if (!user) return
|
|
|
|
const password = typeof req.body.password === 'string'
|
|
? req.body.password.trim()
|
|
: ''
|
|
if (password.length < self.pass.min || password.length > self.pass.max)
|
|
return res.json({ success: false, description: `Password must have ${self.pass.min}-${self.pass.max} characters.` })
|
|
|
|
try {
|
|
const hash = await bcrypt.hash(password, saltRounds)
|
|
|
|
await db.table('users')
|
|
.where('id', user.id)
|
|
.update('password', hash)
|
|
|
|
return res.json({ success: true })
|
|
} catch (error) {
|
|
logger.error(error)
|
|
return res.status(500).json({ success: false, description: 'An unexpected error occurred. Try again?' })
|
|
}
|
|
}
|
|
|
|
self.editUser = async (req, res, next) => {
|
|
const user = await utils.authorize(req, res)
|
|
if (!user) return
|
|
|
|
const id = parseInt(req.body.id)
|
|
if (isNaN(id))
|
|
return res.json({ success: false, description: 'No user specified.' })
|
|
|
|
try {
|
|
const target = await db.table('users')
|
|
.where('id', id)
|
|
.first()
|
|
|
|
if (!target)
|
|
return res.json({ success: false, description: 'Could not get user with the specified ID.' })
|
|
else if (!perms.higher(user, target))
|
|
return res.json({ success: false, description: 'The user is in the same or higher group as you.' })
|
|
else if (target.username === 'root')
|
|
return res.json({ success: false, description: 'Root user may not be edited.' })
|
|
|
|
const update = {}
|
|
|
|
if (req.body.username !== undefined) {
|
|
update.username = String(req.body.username).trim()
|
|
if (update.username.length < self.user.min || update.username.length > self.user.max)
|
|
return res.json({
|
|
success: false,
|
|
description: `Username must have ${self.user.min}-${self.user.max} characters.`
|
|
})
|
|
}
|
|
|
|
if (req.body.enabled !== undefined)
|
|
update.enabled = Boolean(req.body.enabled)
|
|
|
|
if (req.body.group !== undefined) {
|
|
update.permission = perms.permissions[req.body.group]
|
|
if (typeof update.permission !== 'number' || update.permission < 0)
|
|
update.permission = target.permission
|
|
}
|
|
|
|
let password
|
|
if (req.body.resetPassword) {
|
|
password = randomstring.generate(self.pass.rand)
|
|
update.password = await bcrypt.hash(password, saltRounds)
|
|
}
|
|
|
|
await db.table('users')
|
|
.where('id', id)
|
|
.update(update)
|
|
utils.invalidateStatsCache('users')
|
|
|
|
const response = { success: true, update }
|
|
if (password) response.password = password
|
|
return res.json(response)
|
|
} catch (error) {
|
|
logger.error(error)
|
|
return res.status(500).json({ success: false, description: 'An unexpected error occurred. Try again?' })
|
|
}
|
|
}
|
|
|
|
self.disableUser = async (req, res, next) => {
|
|
req.body = { id: req.body.id, enabled: false }
|
|
return self.editUser(req, res, next)
|
|
}
|
|
|
|
self.listUsers = async (req, res, next) => {
|
|
const user = await utils.authorize(req, res)
|
|
if (!user) return
|
|
|
|
const isadmin = perms.is(user, 'admin')
|
|
if (!isadmin)
|
|
return res.status(403).end()
|
|
|
|
try {
|
|
const count = await db.table('users')
|
|
.count('id as count')
|
|
.then(rows => rows[0].count)
|
|
if (!count)
|
|
return res.json({ success: true, users: [], count })
|
|
|
|
let offset = req.params.page
|
|
if (offset === undefined) offset = 0
|
|
|
|
const users = await db.table('users')
|
|
.limit(25)
|
|
.offset(25 * offset)
|
|
.select('id', 'username', 'enabled', 'permission')
|
|
|
|
const pointers = {}
|
|
for (const user of users) {
|
|
user.groups = perms.mapPermissions(user)
|
|
delete user.permission
|
|
user.uploads = 0
|
|
user.usage = 0
|
|
pointers[user.id] = user
|
|
}
|
|
|
|
const uploads = await db.table('files')
|
|
.whereIn('userid', Object.keys(pointers))
|
|
.select('userid', 'size')
|
|
|
|
for (const upload of uploads) {
|
|
pointers[upload.userid].uploads++
|
|
pointers[upload.userid].usage += parseInt(upload.size)
|
|
}
|
|
|
|
return res.json({ success: true, users, count })
|
|
} catch (error) {
|
|
logger.error(error)
|
|
return res.status(500).json({ success: false, description: 'An unexpected error occurred. Try again?' })
|
|
}
|
|
}
|
|
|
|
module.exports = self
|