richard
/
wiki
mirror of https://github.com/Requarks/wiki.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1503 Commits
3 Branches
120 Tags
80 MiB
Tree: 190063cc67
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '190063cc67'
${ noResults }
wiki/server/models/users.js

754 lines
22 KiB
Raw Normal View History

refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: register server-side validation + forgot password UI
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: remove config namespaces
6 years ago
feat: user edit UI + admin UI improvements + fixes
6 years ago
feat: account verification + mail config in admin area
5 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: knex remaining models
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: save page
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: page Rules access check
5 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: knex remaining models
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: page Rules access check
5 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
feat: twitch auth module
5 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: oauth2 login (wip)
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: admin create user + markdown help fix
5 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
fix: truncate pictureUrl if too long (#1311)
4 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
feat: twitch auth module
5 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
fix: client login
6 years ago
feat: oauth2 login (wip)
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: oauth2 login (wip)
5 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
feat: oauth2 login (wip)
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: mandatory password change on login + UI fixes
5 years ago
fix: code linting
5 years ago
feat: mandatory password change on login + UI fixes
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: mandatory password change on login + UI fixes
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: mandatory password change on login + UI fixes
5 years ago
refactor: migrate to objection.js + knex
6 years ago
fix: code linting
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: mandatory password change on login + UI fixes
5 years ago
fix: code linting
5 years ago
feat: mandatory password change on login + UI fixes
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
fix: objection 2 changes
4 years ago
feat: page Rules access check
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
fix: missing guest global permissions (#788)
5 years ago
fix: objection 2 changes
4 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: page Rules access check
5 years ago
feat: user profile page - save info + change pwd
4 years ago
fix: bypass users model when updating lastLoginAt
4 years ago
feat: user profile page - save info + change pwd
4 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: timezone + dateFOrmat + appearance profile settings
4 years ago
feat: page Rules access check
5 years ago
feat: user menu + jwt certs + UI fixes
6 years ago
feat: guest + user permissions
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: mandatory password change on login + UI fixes
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: utilities section (wip) + auth utilities
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: register validation + create + admin improvements
6 years ago
feat: mandatory password change on login + UI fixes
5 years ago
feat: update user
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: admin create user + markdown help fix
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: admin create user + markdown help fix
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: admin create user + markdown help fix
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: admin create user + markdown help fix
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: admin create user + markdown help fix
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: admin create user + markdown help fix
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: admin create user + markdown help fix
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: update user
5 years ago
feat: timezone + dateFOrmat + appearance profile settings
4 years ago
feat: update user
5 years ago
fix: cannot update user email from admin (#1197)
5 years ago
feat: update user
5 years ago
feat: mandatory password change on login + UI fixes
5 years ago
feat: update user
5 years ago
feat: timezone + dateFOrmat + appearance profile settings
4 years ago
feat: update user
5 years ago
fix: drop userKeys on user delete
4 years ago
feat: update user
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: register validation + create + admin improvements
6 years ago
feat: register server-side validation + forgot password UI
5 years ago
fix: missing guest global permissions (#788)
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: admin general + verify account
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: account verification + mail config in admin area
5 years ago
fix: self-registration not assigning to predefined group
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: admin general + verify account
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: register validation + create + admin improvements
6 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: register validation + create + admin improvements
6 years ago
feat: guest + user permissions
5 years ago
fix: objection.js 2.0 compat fixes
4 years ago
feat: page Rules access check
5 years ago
fix: missing guest global permissions (#788)
5 years ago
feat: guest + user permissions
5 years ago
feat: local disk import all action + v1 import content (#1100)
5 years ago
refactor: migrate to objection.js + knex
6 years ago
  1. /* global WIKI */
  3. const bcrypt = require('bcryptjs-then')
  4. const _ = require('lodash')
  5. const tfa = require('node-2fa')
  6. const jwt = require('jsonwebtoken')
  7. const Model = require('objection').Model
  8. const validate = require('validate.js')
  10. const bcryptRegexp = /^\$2[ayb]\$[0-9]{2}\$[A-Za-z0-9./]{53}$/
  12. /**
  13. * Users model
  14. */
  15. module.exports = class User extends Model {
  16. static get tableName() { return 'users' }
  18. static get jsonSchema () {
  19. return {
  20. type: 'object',
  21. required: ['email'],
  23. properties: {
  24. id: {type: 'integer'},
  25. email: {type: 'string', format: 'email'},
  26. name: {type: 'string', minLength: 1, maxLength: 255},
  27. providerId: {type: 'string'},
  28. password: {type: 'string'},
  29. tfaIsActive: {type: 'boolean', default: false},
  30. tfaSecret: {type: 'string'},
  31. jobTitle: {type: 'string'},
  32. location: {type: 'string'},
  33. pictureUrl: {type: 'string'},
  34. isSystem: {type: 'boolean'},
  35. isActive: {type: 'boolean'},
  36. isVerified: {type: 'boolean'},
  37. createdAt: {type: 'string'},
  38. updatedAt: {type: 'string'}
  39. }
  40. }
  41. }
  43. static get relationMappings() {
  44. return {
  45. groups: {
  46. relation: Model.ManyToManyRelation,
  47. modelClass: require('./groups'),
  48. join: {
  49. from: 'users.id',
  50. through: {
  51. from: 'userGroups.userId',
  52. to: 'userGroups.groupId'
  53. },
  54. to: 'groups.id'
  55. }
  56. },
  57. provider: {
  58. relation: Model.BelongsToOneRelation,
  59. modelClass: require('./authentication'),
  60. join: {
  61. from: 'users.providerKey',
  62. to: 'authentication.key'
  63. }
  64. },
  65. defaultEditor: {
  66. relation: Model.BelongsToOneRelation,
  67. modelClass: require('./editors'),
  68. join: {
  69. from: 'users.editorKey',
  70. to: 'editors.key'
  71. }
  72. },
  73. locale: {
  74. relation: Model.BelongsToOneRelation,
  75. modelClass: require('./locales'),
  76. join: {
  77. from: 'users.localeCode',
  78. to: 'locales.code'
  79. }
  80. }
  81. }
  82. }
  84. async $beforeUpdate(opt, context) {
  85. await super.$beforeUpdate(opt, context)
  87. this.updatedAt = new Date().toISOString()
  89. if (!(opt.patch && this.password === undefined)) {
  90. await this.generateHash()
  91. }
  92. }
  93. async $beforeInsert(context) {
  94. await super.$beforeInsert(context)
  96. this.createdAt = new Date().toISOString()
  97. this.updatedAt = new Date().toISOString()
  99. await this.generateHash()
  100. }
  102. // ------------------------------------------------
  103. // Instance Methods
  104. // ------------------------------------------------
  106. async generateHash() {
  107. if (this.password) {
  108. if (bcryptRegexp.test(this.password)) { return }
  109. this.password = await bcrypt.hash(this.password, 12)
  110. }
  111. }
  113. async verifyPassword(pwd) {
  114. if (await bcrypt.compare(pwd, this.password) === true) {
  115. return true
  116. } else {
  117. throw new WIKI.Error.AuthLoginFailed()
  118. }
  119. }
  121. async enableTFA() {
  122. let tfaInfo = tfa.generateSecret({
  123. name: WIKI.config.site.title
  124. })
  125. return this.$query.patch({
  126. tfaIsActive: true,
  127. tfaSecret: tfaInfo.secret
  128. })
  129. }
  131. async disableTFA() {
  132. return this.$query.patch({
  133. tfaIsActive: false,
  134. tfaSecret: ''
  135. })
  136. }
  138. async verifyTFA(code) {
  139. let result = tfa.verifyToken(this.tfaSecret, code)
  140. return (result && _.has(result, 'delta') && result.delta === 0)
  141. }
  143. getGlobalPermissions() {
  144. return _.uniq(_.flatten(_.map(this.groups, 'permissions')))
  145. }
  147. getGroups() {
  148. return _.uniq(_.map(this.groups, 'id'))
  149. }
  151. // ------------------------------------------------
  152. // Model Methods
  153. // ------------------------------------------------
  155. static async processProfile({ profile, providerKey }) {
  156. const provider = _.get(WIKI.auth.strategies, providerKey, {})
  157. provider.info = _.find(WIKI.data.authentication, ['key', providerKey])
  159. // Find existing user
  160. let user = await WIKI.models.users.query().findOne({
  161. providerId: _.toString(profile.id),
  162. providerKey
  163. })
  165. // Parse email
  166. let primaryEmail = ''
  167. if (_.isArray(profile.emails)) {
  168. const e = _.find(profile.emails, ['primary', true])
  169. primaryEmail = (e) ? e.value : _.first(profile.emails).value
  170. } else if (_.isString(profile.email) && profile.email.length > 5) {
  171. primaryEmail = profile.email
  172. } else if (_.isString(profile.mail) && profile.mail.length > 5) {
  173. primaryEmail = profile.mail
  174. } else if (profile.user && profile.user.email && profile.user.email.length > 5) {
  175. primaryEmail = profile.user.email
  176. } else {
  177. throw new Error('Missing or invalid email address from profile.')
  178. }
  179. primaryEmail = _.toLower(primaryEmail)
  181. // Find pending social user
  182. if (!user) {
  183. user = await WIKI.models.users.query().findOne({
  184. email: primaryEmail,
  185. providerId: null,
  186. providerKey
  187. })
  188. if (user) {
  189. user = await user.$query().patchAndFetch({
  190. providerId: _.toString(profile.id)
  191. })
  192. }
  193. }
  195. // Parse display name
  196. let displayName = ''
  197. if (_.isString(profile.displayName) && profile.displayName.length > 0) {
  198. displayName = profile.displayName
  199. } else if (_.isString(profile.name) && profile.name.length > 0) {
  200. displayName = profile.name
  201. } else {
  202. displayName = primaryEmail.split('@')[0]
  203. }
  205. // Parse picture URL
  206. let pictureUrl = _.truncate(_.get(profile, 'picture', _.get(user, 'pictureUrl', null)), {
  207. length: 255,
  208. omission: ''
  209. })
  211. // Update existing user
  212. if (user) {
  213. if (!user.isActive) {
  214. throw new WIKI.Error.AuthAccountBanned()
  215. }
  216. if (user.isSystem) {
  217. throw new Error('This is a system reserved account and cannot be used.')
  218. }
  220. user = await user.$query().patchAndFetch({
  221. email: primaryEmail,
  222. name: displayName,
  223. pictureUrl: pictureUrl
  224. })
  226. return user
  227. }
  229. // Self-registration
  230. if (provider.selfRegistration) {
  231. // Check if email domain is whitelisted
  232. if (_.get(provider, 'domainWhitelist', []).length > 0) {
  233. const emailDomain = _.last(primaryEmail.split('@'))
  234. if (!_.includes(provider.domainWhitelist, emailDomain)) {
  235. throw new WIKI.Error.AuthRegistrationDomainUnauthorized()
  236. }
  237. }
  239. // Create account
  240. user = await WIKI.models.users.query().insertAndFetch({
  241. providerKey: providerKey,
  242. providerId: _.toString(profile.id),
  243. email: primaryEmail,
  244. name: displayName,
  245. pictureUrl: pictureUrl,
  246. localeCode: WIKI.config.lang.code,
  247. defaultEditor: 'markdown',
  248. tfaIsActive: false,
  249. isSystem: false,
  250. isActive: true,
  251. isVerified: true
  252. })
  254. // Assign to group(s)
  255. if (provider.autoEnrollGroups.length > 0) {
  256. await user.$relatedQuery('groups').relate(provider.autoEnrollGroups)
  257. }
  259. return user
  260. }
  262. throw new Error('You are not authorized to login.')
  263. }
  265. static async login (opts, context) {
  266. if (_.has(WIKI.auth.strategies, opts.strategy)) {
  267. const strInfo = _.find(WIKI.data.authentication, ['key', opts.strategy])
  269. // Inject form user/pass
  270. if (strInfo.useForm) {
  271. _.set(context.req, 'body.email', opts.username)
  272. _.set(context.req, 'body.password', opts.password)
  273. }
  275. // Authenticate
  276. return new Promise((resolve, reject) => {
  277. WIKI.auth.passport.authenticate(opts.strategy, {
  278. session: !strInfo.useForm,
  279. scope: strInfo.scopes ? strInfo.scopes : null
  280. }, async (err, user, info) => {
  281. if (err) { return reject(err) }
  282. if (!user) { return reject(new WIKI.Error.AuthLoginFailed()) }
  284. // Must Change Password?
  285. if (user.mustChangePwd) {
  286. try {
  287. const pwdChangeToken = await WIKI.models.userKeys.generateToken({
  288. kind: 'changePwd',
  289. userId: user.id
  290. })
  292. return resolve({
  293. mustChangePwd: true,
  294. continuationToken: pwdChangeToken
  295. })
  296. } catch (errc) {
  297. WIKI.logger.warn(errc)
  298. return reject(new WIKI.Error.AuthGenericError())
  299. }
  300. }
  302. // Is 2FA required?
  303. if (user.tfaIsActive) {
  304. try {
  305. const tfaToken = await WIKI.models.userKeys.generateToken({
  306. kind: 'tfa',
  307. userId: user.id
  308. })
  309. return resolve({
  310. tfaRequired: true,
  311. continuationToken: tfaToken
  312. })
  313. } catch (errc) {
  314. WIKI.logger.warn(errc)
  315. return reject(new WIKI.Error.AuthGenericError())
  316. }
  317. }
  319. context.req.logIn(user, { session: !strInfo.useForm }, async errc => {
  320. if (errc) { return reject(errc) }
  321. const jwtToken = await WIKI.models.users.refreshToken(user)
  322. resolve({ jwt: jwtToken.token })
  323. })
  324. })(context.req, context.res, () => {})
  325. })
  326. } else {
  327. throw new WIKI.Error.AuthProviderInvalid()
  328. }
  329. }
  331. static async refreshToken(user) {
  332. if (_.isSafeInteger(user)) {
  333. user = await WIKI.models.users.query().findById(user).withGraphFetched('groups').modifyGraph('groups', builder => {
  334. builder.select('groups.id', 'permissions')
  335. })
  336. if (!user) {
  337. WIKI.logger.warn(`Failed to refresh token for user ${user}: Not found.`)
  338. throw new WIKI.Error.AuthGenericError()
  339. }
  340. } else if (_.isNil(user.groups)) {
  341. user.groups = await user.$relatedQuery('groups').select('groups.id', 'permissions')
  342. }
  344. // Update Last Login Date
  345. // -> Bypass Objection.js to avoid updating the updatedAt field
  346. await WIKI.models.knex('users').where('id', user.id).update({ lastLoginAt: new Date().toISOString() })
  348. return {
  349. token: jwt.sign({
  350. id: user.id,
  351. email: user.email,
  352. name: user.name,
  353. av: user.pictureUrl,
  354. tz: user.timezone,
  355. lc: user.localeCode,
  356. df: user.dateFormat,
  357. ap: user.appearance,
  358. // defaultEditor: user.defaultEditor,
  359. permissions: user.getGlobalPermissions(),
  360. groups: user.getGroups()
  361. }, {
  362. key: WIKI.config.certs.private,
  363. passphrase: WIKI.config.sessionSecret
  364. }, {
  365. algorithm: 'RS256',
  366. expiresIn: WIKI.config.auth.tokenExpiration,
  367. audience: WIKI.config.auth.audience,
  368. issuer: 'urn:wiki.js'
  369. }),
  370. user
  371. }
  372. }
  374. static async loginTFA (opts, context) {
  375. if (opts.securityCode.length === 6 && opts.loginToken.length === 64) {
  376. let result = await WIKI.redis.get(`tfa:${opts.loginToken}`)
  377. if (result) {
  378. let userId = _.toSafeInteger(result)
  379. if (userId && userId > 0) {
  380. let user = await WIKI.models.users.query().findById(userId)
  381. if (user && user.verifyTFA(opts.securityCode)) {
  382. return Promise.fromCallback(clb => {
  383. context.req.logIn(user, clb)
  384. }).return({
  385. succeeded: true,
  386. message: 'Login Successful'
  387. }).catch(err => {
  388. WIKI.logger.warn(err)
  389. throw new WIKI.Error.AuthGenericError()
  390. })
  391. } else {
  392. throw new WIKI.Error.AuthTFAFailed()
  393. }
  394. }
  395. }
  396. }
  397. throw new WIKI.Error.AuthTFAInvalid()
  398. }
  400. /**
  401. * Change Password from a Mandatory Password Change after Login
  402. */
  403. static async loginChangePassword ({ continuationToken, newPassword }, context) {
  404. if (!newPassword || newPassword.length < 6) {
  405. throw new WIKI.Error.InputInvalid('Password must be at least 6 characters!')
  406. }
  407. const usr = await WIKI.models.userKeys.validateToken({
  408. kind: 'changePwd',
  409. token: continuationToken
  410. })
  412. if (usr) {
  413. await WIKI.models.users.query().patch({
  414. password: newPassword,
  415. mustChangePwd: false
  416. }).findById(usr.id)
  418. return new Promise((resolve, reject) => {
  419. context.req.logIn(usr, { session: false }, async err => {
  420. if (err) { return reject(err) }
  421. const jwtToken = await WIKI.models.users.refreshToken(usr)
  422. resolve({ jwt: jwtToken.token })
  423. })
  424. })
  425. } else {
  426. throw new WIKI.Error.UserNotFound()
  427. }
  428. }
  430. /**
  431. * Create a new user
  432. *
  433. * @param {Object} param0 User Fields
  434. */
  435. static async createNewUser ({ providerKey, email, passwordRaw, name, groups, mustChangePassword, sendWelcomeEmail }) {
  436. // Input sanitization
  437. email = _.toLower(email)
  439. // Input validation
  440. let validation = null
  441. if (providerKey === 'local') {
  442. validation = validate({
  443. email,
  444. passwordRaw,
  445. name
  446. }, {
  447. email: {
  448. email: true,
  449. length: {
  450. maximum: 255
  451. }
  452. },
  453. passwordRaw: {
  454. presence: {
  455. allowEmpty: false
  456. },
  457. length: {
  458. minimum: 6
  459. }
  460. },
  461. name: {
  462. presence: {
  463. allowEmpty: false
  464. },
  465. length: {
  466. minimum: 2,
  467. maximum: 255
  468. }
  469. }
  470. }, { format: 'flat' })
  471. } else {
  472. validation = validate({
  473. email,
  474. name
  475. }, {
  476. email: {
  477. email: true,
  478. length: {
  479. maximum: 255
  480. }
  481. },
  482. name: {
  483. presence: {
  484. allowEmpty: false
  485. },
  486. length: {
  487. minimum: 2,
  488. maximum: 255
  489. }
  490. }
  491. }, { format: 'flat' })
  492. }
  494. if (validation && validation.length > 0) {
  495. throw new WIKI.Error.InputInvalid(validation[0])
  496. }
  498. // Check if email already exists
  499. const usr = await WIKI.models.users.query().findOne({ email, providerKey })
  500. if (!usr) {
  501. // Create the account
  502. let newUsrData = {
  503. providerKey,
  504. email,
  505. name,
  506. locale: 'en',
  507. defaultEditor: 'markdown',
  508. tfaIsActive: false,
  509. isSystem: false,
  510. isActive: true,
  511. isVerified: true,
  512. mustChangePwd: false
  513. }
  515. if (providerKey === `local`) {
  516. newUsrData.password = passwordRaw
  517. newUsrData.mustChangePwd = (mustChangePassword === true)
  518. }
  520. const newUsr = await WIKI.models.users.query().insert(newUsrData)
  522. // Assign to group(s)
  523. if (groups.length > 0) {
  524. await newUsr.$relatedQuery('groups').relate(groups)
  525. }
  527. if (sendWelcomeEmail) {
  528. // Send welcome email
  529. await WIKI.mail.send({
  530. template: 'accountWelcome',
  531. to: email,
  532. subject: `Welcome to the wiki ${WIKI.config.title}`,
  533. data: {
  534. preheadertext: `You've been invited to the wiki ${WIKI.config.title}`,
  535. title: `You've been invited to the wiki ${WIKI.config.title}`,
  536. content: `Click the button below to access the wiki.`,
  537. buttonLink: `${WIKI.config.host}/login`,
  538. buttonText: 'Login'
  539. },
  540. text: `You've been invited to the wiki ${WIKI.config.title}: ${WIKI.config.host}/login`
  541. })
  542. }
  543. } else {
  544. throw new WIKI.Error.AuthAccountAlreadyExists()
  545. }
  546. }
  548. /**
  549. * Update an existing user
  550. *
  551. * @param {Object} param0 User ID and fields to update
  552. */
  553. static async updateUser ({ id, email, name, newPassword, groups, location, jobTitle, timezone, dateFormat, appearance }) {
  554. const usr = await WIKI.models.users.query().findById(id)
  555. if (usr) {
  556. let usrData = {}
  557. if (!_.isEmpty(email) && email !== usr.email) {
  558. const dupUsr = await WIKI.models.users.query().select('id').where({
  559. email,
  560. providerKey: usr.providerKey
  561. }).first()
  562. if (dupUsr) {
  563. throw new WIKI.Error.AuthAccountAlreadyExists()
  564. }
  565. usrData.email = email
  566. }
  567. if (!_.isEmpty(name) && name !== usr.name) {
  568. usrData.name = _.trim(name)
  569. }
  570. if (!_.isEmpty(newPassword)) {
  571. if (newPassword.length < 6) {
  572. throw new WIKI.Error.InputInvalid('Password must be at least 6 characters!')
  573. }
  574. usrData.password = newPassword
  575. }
  576. if (_.isArray(groups)) {
  577. const usrGroupsRaw = await usr.$relatedQuery('groups')
  578. const usrGroups = _.map(usrGroupsRaw, 'id')
  579. // Relate added groups
  580. const addUsrGroups = _.difference(groups, usrGroups)
  581. for (const grp of addUsrGroups) {
  582. await usr.$relatedQuery('groups').relate(grp)
  583. }
  584. // Unrelate removed groups
  585. const remUsrGroups = _.difference(usrGroups, groups)
  586. for (const grp of remUsrGroups) {
  587. await usr.$relatedQuery('groups').unrelate().where('groupId', grp)
  588. }
  589. }
  590. if (!_.isEmpty(location) && location !== usr.location) {
  591. usrData.location = _.trim(location)
  592. }
  593. if (!_.isEmpty(jobTitle) && jobTitle !== usr.jobTitle) {
  594. usrData.jobTitle = _.trim(jobTitle)
  595. }
  596. if (!_.isEmpty(timezone) && timezone !== usr.timezone) {
  597. usrData.timezone = timezone
  598. }
  599. if (!_.isNil(dateFormat) && dateFormat !== usr.dateFormat) {
  600. usrData.dateFormat = dateFormat
  601. }
  602. if (!_.isNil(appearance) && appearance !== usr.appearance) {
  603. usrData.appearance = appearance
  604. }
  605. await WIKI.models.users.query().patch(usrData).findById(id)
  606. } else {
  607. throw new WIKI.Error.UserNotFound()
  608. }
  609. }
  611. /**
  612. * Delete a User
  613. *
  614. * @param {*} id User ID
  615. */
  616. static async deleteUser (id) {
  617. const usr = await WIKI.models.users.query().findById(id)
  618. if (usr) {
  619. await WIKI.models.userKeys.query().delete().where('userId', id)
  620. await WIKI.models.users.query().deleteById(id)
  621. } else {
  622. throw new WIKI.Error.UserNotFound()
  623. }
  624. }
  626. /**
  627. * Register a new user (client-side registration)
  628. *
  629. * @param {Object} param0 User fields
  630. * @param {Object} context GraphQL Context
  631. */
  632. static async register ({ email, password, name, verify = false, bypassChecks = false }, context) {
  633. const localStrg = await WIKI.models.authentication.getStrategy('local')
  634. // Check if self-registration is enabled
  635. if (localStrg.selfRegistration || bypassChecks) {
  636. // Input sanitization
  637. email = _.toLower(email)
  639. // Input validation
  640. const validation = validate({
  641. email,
  642. password,
  643. name
  644. }, {
  645. email: {
  646. email: true,
  647. length: {
  648. maximum: 255
  649. }
  650. },
  651. password: {
  652. presence: {
  653. allowEmpty: false
  654. },
  655. length: {
  656. minimum: 6
  657. }
  658. },
  659. name: {
  660. presence: {
  661. allowEmpty: false
  662. },
  663. length: {
  664. minimum: 2,
  665. maximum: 255
  666. }
  667. }
  668. }, { format: 'flat' })
  669. if (validation && validation.length > 0) {
  670. throw new WIKI.Error.InputInvalid(validation[0])
  671. }
  673. // Check if email domain is whitelisted
  674. if (_.get(localStrg, 'domainWhitelist.v', []).length > 0 && !bypassChecks) {
  675. const emailDomain = _.last(email.split('@'))
  676. if (!_.includes(localStrg.domainWhitelist.v, emailDomain)) {
  677. throw new WIKI.Error.AuthRegistrationDomainUnauthorized()
  678. }
  679. }
  680. // Check if email already exists
  681. const usr = await WIKI.models.users.query().findOne({ email, providerKey: 'local' })
  682. if (!usr) {
  683. // Create the account
  684. const newUsr = await WIKI.models.users.query().insert({
  685. provider: 'local',
  686. email,
  687. name,
  688. password,
  689. locale: 'en',
  690. defaultEditor: 'markdown',
  691. tfaIsActive: false,
  692. isSystem: false,
  693. isActive: true,
  694. isVerified: false
  695. })
  697. // Assign to group(s)
  698. if (_.get(localStrg, 'autoEnrollGroups.v', []).length > 0) {
  699. await newUsr.$relatedQuery('groups').relate(localStrg.autoEnrollGroups.v)
  700. }
  702. if (verify) {
  703. // Create verification token
  704. const verificationToken = await WIKI.models.userKeys.generateToken({
  705. kind: 'verify',
  706. userId: newUsr.id
  707. })
  709. // Send verification email
  710. await WIKI.mail.send({
  711. template: 'accountVerify',
  712. to: email,
  713. subject: 'Verify your account',
  714. data: {
  715. preheadertext: 'Verify your account in order to gain access to the wiki.',
  716. title: 'Verify your account',
  717. content: 'Click the button below in order to verify your account and gain access to the wiki.',
  718. buttonLink: `${WIKI.config.host}/verify/${verificationToken}`,
  719. buttonText: 'Verify'
  720. },
  721. text: `You must open the following link in your browser to verify your account and gain access to the wiki: ${WIKI.config.host}/verify/${verificationToken}`
  722. })
  723. }
  724. return true
  725. } else {
  726. throw new WIKI.Error.AuthAccountAlreadyExists()
  727. }
  728. } else {
  729. throw new WIKI.Error.AuthRegistrationDisabled()
  730. }
  731. }
  733. static async getGuestUser () {
  734. const user = await WIKI.models.users.query().findById(2).withGraphJoined('groups').modifyGraph('groups', builder => {
  735. builder.select('groups.id', 'permissions')
  736. })
  737. if (!user) {
  738. WIKI.logger.error('CRITICAL ERROR: Guest user is missing!')
  739. process.exit(1)
  740. }
  741. user.permissions = user.getGlobalPermissions()
  742. return user
  743. }
  745. static async getRootUser () {
  746. let user = await WIKI.models.users.query().findById(1)
  747. if (!user) {
  748. WIKI.logger.error('CRITICAL ERROR: Root Administrator user is missing!')
  749. process.exit(1)
  750. }
  751. user.permissions = ['manage:system']
  752. return user
  753. }
  754. }