richard
/
wiki
mirror of https://github.com/Requarks/wiki.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1045 Commits
3 Branches
119 Tags
73 MiB
Tree: 1a143d84da
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1a143d84da'
${ noResults }
wiki/server/models/users.js

475 lines
14 KiB
Raw Normal View History

refactor: migrate to objection.js + knex
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: register server-side validation + forgot password UI
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: remove config namespaces
6 years ago
feat: user edit UI + admin UI improvements + fixes
5 years ago
feat: account verification + mail config in admin area
5 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: knex remaining models
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: save page
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: page Rules access check
5 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: knex remaining models
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: page Rules access check
5 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
feat: twitch auth module
5 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: oauth2 login (wip)
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
feat: twitch auth module
5 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
fix: client login
6 years ago
feat: oauth2 login (wip)
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: oauth2 login (wip)
5 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
feat: oauth2 login (wip)
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: oauth2 login (wip)
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: page Rules access check
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
fix: missing guest global permissions (#788)
5 years ago
feat: page Rules access check
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: page Rules access check
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: page Rules access check
5 years ago
feat: user menu + jwt certs + UI fixes
5 years ago
feat: guest + user permissions
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: removed redis + new scheduler engine
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: register validation + create + admin improvements
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: register validation + create + admin improvements
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
fix: missing guest global permissions (#788)
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: admin general + verify account
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: account verification + mail config in admin area
5 years ago
fix: self-registration not assigning to predefined group
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: admin general + verify account
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: register validation + create + admin improvements
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: register validation + create + admin improvements
5 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
fix: missing guest global permissions (#788)
5 years ago
feat: guest + user permissions
5 years ago
refactor: migrate to objection.js + knex
6 years ago
  1. /* global WIKI */
  3. const bcrypt = require('bcryptjs-then')
  4. const _ = require('lodash')
  5. const tfa = require('node-2fa')
  6. const securityHelper = require('../helpers/security')
  7. const jwt = require('jsonwebtoken')
  8. const Model = require('objection').Model
  9. const validate = require('validate.js')
  11. const bcryptRegexp = /^\$2[ayb]\$[0-9]{2}\$[A-Za-z0-9./]{53}$/
  13. /**
  14. * Users model
  15. */
  16. module.exports = class User extends Model {
  17. static get tableName() { return 'users' }
  19. static get jsonSchema () {
  20. return {
  21. type: 'object',
  22. required: ['email'],
  24. properties: {
  25. id: {type: 'integer'},
  26. email: {type: 'string', format: 'email'},
  27. name: {type: 'string', minLength: 1, maxLength: 255},
  28. providerId: {type: 'string'},
  29. password: {type: 'string'},
  30. role: {type: 'string', enum: ['admin', 'guest', 'user']},
  31. tfaIsActive: {type: 'boolean', default: false},
  32. tfaSecret: {type: 'string'},
  33. jobTitle: {type: 'string'},
  34. location: {type: 'string'},
  35. pictureUrl: {type: 'string'},
  36. isSystem: {type: 'boolean'},
  37. isActive: {type: 'boolean'},
  38. isVerified: {type: 'boolean'},
  39. createdAt: {type: 'string'},
  40. updatedAt: {type: 'string'}
  41. }
  42. }
  43. }
  45. static get relationMappings() {
  46. return {
  47. groups: {
  48. relation: Model.ManyToManyRelation,
  49. modelClass: require('./groups'),
  50. join: {
  51. from: 'users.id',
  52. through: {
  53. from: 'userGroups.userId',
  54. to: 'userGroups.groupId'
  55. },
  56. to: 'groups.id'
  57. }
  58. },
  59. provider: {
  60. relation: Model.BelongsToOneRelation,
  61. modelClass: require('./authentication'),
  62. join: {
  63. from: 'users.providerKey',
  64. to: 'authentication.key'
  65. }
  66. },
  67. defaultEditor: {
  68. relation: Model.BelongsToOneRelation,
  69. modelClass: require('./editors'),
  70. join: {
  71. from: 'users.editorKey',
  72. to: 'editors.key'
  73. }
  74. },
  75. locale: {
  76. relation: Model.BelongsToOneRelation,
  77. modelClass: require('./locales'),
  78. join: {
  79. from: 'users.localeCode',
  80. to: 'locales.code'
  81. }
  82. }
  83. }
  84. }
  86. async $beforeUpdate(opt, context) {
  87. await super.$beforeUpdate(opt, context)
  89. this.updatedAt = new Date().toISOString()
  91. if (!(opt.patch && this.password === undefined)) {
  92. await this.generateHash()
  93. }
  94. }
  95. async $beforeInsert(context) {
  96. await super.$beforeInsert(context)
  98. this.createdAt = new Date().toISOString()
  99. this.updatedAt = new Date().toISOString()
  101. await this.generateHash()
  102. }
  104. // ------------------------------------------------
  105. // Instance Methods
  106. // ------------------------------------------------
  108. async generateHash() {
  109. if (this.password) {
  110. if (bcryptRegexp.test(this.password)) { return }
  111. this.password = await bcrypt.hash(this.password, 12)
  112. }
  113. }
  115. async verifyPassword(pwd) {
  116. if (await bcrypt.compare(pwd, this.password) === true) {
  117. return true
  118. } else {
  119. throw new WIKI.Error.AuthLoginFailed()
  120. }
  121. }
  123. async enableTFA() {
  124. let tfaInfo = tfa.generateSecret({
  125. name: WIKI.config.site.title
  126. })
  127. return this.$query.patch({
  128. tfaIsActive: true,
  129. tfaSecret: tfaInfo.secret
  130. })
  131. }
  133. async disableTFA() {
  134. return this.$query.patch({
  135. tfaIsActive: false,
  136. tfaSecret: ''
  137. })
  138. }
  140. async verifyTFA(code) {
  141. let result = tfa.verifyToken(this.tfaSecret, code)
  142. return (result && _.has(result, 'delta') && result.delta === 0)
  143. }
  145. getGlobalPermissions() {
  146. return _.uniq(_.flatten(_.map(this.groups, 'permissions')))
  147. }
  149. getGroups() {
  150. return _.uniq(_.map(this.groups, 'id'))
  151. }
  153. // ------------------------------------------------
  154. // Model Methods
  155. // ------------------------------------------------
  157. static async processProfile({ profile, providerKey }) {
  158. const provider = _.get(WIKI.auth.strategies, providerKey, {})
  159. provider.info = _.find(WIKI.data.authentication, ['key', providerKey])
  161. // Find existing user
  162. let user = await WIKI.models.users.query().findOne({
  163. providerId: _.toString(profile.id),
  164. providerKey
  165. })
  167. // Parse email
  168. let primaryEmail = ''
  169. if (_.isArray(profile.emails)) {
  170. const e = _.find(profile.emails, ['primary', true])
  171. primaryEmail = (e) ? e.value : _.first(profile.emails).value
  172. } else if (_.isString(profile.email) && profile.email.length > 5) {
  173. primaryEmail = profile.email
  174. } else if (_.isString(profile.mail) && profile.mail.length > 5) {
  175. primaryEmail = profile.mail
  176. } else if (profile.user && profile.user.email && profile.user.email.length > 5) {
  177. primaryEmail = profile.user.email
  178. } else {
  179. throw new Error('Missing or invalid email address from profile.')
  180. }
  181. primaryEmail = _.toLower(primaryEmail)
  183. // Parse display name
  184. let displayName = ''
  185. if (_.isString(profile.displayName) && profile.displayName.length > 0) {
  186. displayName = profile.displayName
  187. } else if (_.isString(profile.name) && profile.name.length > 0) {
  188. displayName = profile.name
  189. } else {
  190. displayName = primaryEmail.split('@')[0]
  191. }
  193. // Parse picture URL
  194. let pictureUrl = _.get(profile, 'picture', _.get(user, 'pictureUrl', null))
  196. // Update existing user
  197. if (user) {
  198. if (!user.isActive) {
  199. throw new WIKI.Error.AuthAccountBanned()
  200. }
  201. if (user.isSystem) {
  202. throw new Error('This is a system reserved account and cannot be used.')
  203. }
  205. user = await user.$query().patchAndFetch({
  206. email: primaryEmail,
  207. name: displayName,
  208. pictureUrl: pictureUrl
  209. })
  211. return user
  212. }
  214. // Self-registration
  215. if (provider.selfRegistration) {
  216. // Check if email domain is whitelisted
  217. if (_.get(provider, 'domainWhitelist', []).length > 0) {
  218. const emailDomain = _.last(primaryEmail.split('@'))
  219. if (!_.includes(provider.domainWhitelist, emailDomain)) {
  220. throw new WIKI.Error.AuthRegistrationDomainUnauthorized()
  221. }
  222. }
  224. // Create account
  225. user = await WIKI.models.users.query().insertAndFetch({
  226. providerKey: providerKey,
  227. providerId: _.toString(profile.id),
  228. email: primaryEmail,
  229. name: displayName,
  230. pictureUrl: pictureUrl,
  231. localeCode: WIKI.config.lang.code,
  232. defaultEditor: 'markdown',
  233. tfaIsActive: false,
  234. isSystem: false,
  235. isActive: true,
  236. isVerified: true
  237. })
  239. // Assign to group(s)
  240. if (provider.autoEnrollGroups.length > 0) {
  241. await user.$relatedQuery('groups').relate(provider.autoEnrollGroups)
  242. }
  244. return user
  245. }
  247. throw new Error('You are not authorized to login.')
  248. }
  250. static async login (opts, context) {
  251. if (_.has(WIKI.auth.strategies, opts.strategy)) {
  252. const strInfo = _.find(WIKI.data.authentication, ['key', opts.strategy])
  254. // Inject form user/pass
  255. if (strInfo.useForm) {
  256. _.set(context.req, 'body.email', opts.username)
  257. _.set(context.req, 'body.password', opts.password)
  258. }
  260. // Authenticate
  261. return new Promise((resolve, reject) => {
  262. WIKI.auth.passport.authenticate(opts.strategy, {
  263. session: !strInfo.useForm,
  264. scope: strInfo.scopes ? strInfo.scopes : null
  265. }, async (err, user, info) => {
  266. if (err) { return reject(err) }
  267. if (!user) { return reject(new WIKI.Error.AuthLoginFailed()) }
  269. // Is 2FA required?
  270. if (user.tfaIsActive) {
  271. try {
  272. let loginToken = await securityHelper.generateToken(32)
  273. await WIKI.redis.set(`tfa:${loginToken}`, user.id, 'EX', 600)
  274. return resolve({
  275. tfaRequired: true,
  276. tfaLoginToken: loginToken
  277. })
  278. } catch (err) {
  279. WIKI.logger.warn(err)
  280. return reject(new WIKI.Error.AuthGenericError())
  281. }
  282. } else {
  283. // No 2FA, log in user
  284. return context.req.logIn(user, { session: !strInfo.useForm }, async err => {
  285. if (err) { return reject(err) }
  286. const jwtToken = await WIKI.models.users.refreshToken(user)
  287. resolve({
  288. jwt: jwtToken.token,
  289. tfaRequired: false
  290. })
  291. })
  292. }
  293. })(context.req, context.res, () => {})
  294. })
  295. } else {
  296. throw new WIKI.Error.AuthProviderInvalid()
  297. }
  298. }
  300. static async refreshToken(user) {
  301. if (_.isSafeInteger(user)) {
  302. user = await WIKI.models.users.query().findById(user).eager('groups').modifyEager('groups', builder => {
  303. builder.select('groups.id', 'permissions')
  304. })
  305. if (!user) {
  306. WIKI.logger.warn(`Failed to refresh token for user ${user}: Not found.`)
  307. throw new WIKI.Error.AuthGenericError()
  308. }
  309. } else if (_.isNil(user.groups)) {
  310. await user.$relatedQuery('groups').select('groups.id', 'permissions')
  311. }
  313. return {
  314. token: jwt.sign({
  315. id: user.id,
  316. email: user.email,
  317. name: user.name,
  318. pictureUrl: user.pictureUrl,
  319. timezone: user.timezone,
  320. localeCode: user.localeCode,
  321. defaultEditor: user.defaultEditor,
  322. permissions: user.getGlobalPermissions(),
  323. groups: user.getGroups()
  324. }, {
  325. key: WIKI.config.certs.private,
  326. passphrase: WIKI.config.sessionSecret
  327. }, {
  328. algorithm: 'RS256',
  329. expiresIn: WIKI.config.auth.tokenExpiration,
  330. audience: WIKI.config.auth.audience,
  331. issuer: 'urn:wiki.js'
  332. }),
  333. user
  334. }
  335. }
  337. static async loginTFA(opts, context) {
  338. if (opts.securityCode.length === 6 && opts.loginToken.length === 64) {
  339. let result = null // await WIKI.redis.get(`tfa:${opts.loginToken}`)
  340. if (result) {
  341. let userId = _.toSafeInteger(result)
  342. if (userId && userId > 0) {
  343. let user = await WIKI.models.users.query().findById(userId)
  344. if (user && user.verifyTFA(opts.securityCode)) {
  345. return Promise.fromCallback(clb => {
  346. context.req.logIn(user, clb)
  347. }).return({
  348. succeeded: true,
  349. message: 'Login Successful'
  350. }).catch(err => {
  351. WIKI.logger.warn(err)
  352. throw new WIKI.Error.AuthGenericError()
  353. })
  354. } else {
  355. throw new WIKI.Error.AuthTFAFailed()
  356. }
  357. }
  358. }
  359. }
  360. throw new WIKI.Error.AuthTFAInvalid()
  361. }
  363. static async register ({ email, password, name, verify = false, bypassChecks = false }, context) {
  364. const localStrg = await WIKI.models.authentication.getStrategy('local')
  365. // Check if self-registration is enabled
  366. if (localStrg.selfRegistration || bypassChecks) {
  367. // Input sanitization
  368. email = _.toLower(email)
  370. // Input validation
  371. const validation = validate({
  372. email,
  373. password,
  374. name
  375. }, {
  376. email: {
  377. email: true,
  378. length: {
  379. maximum: 255
  380. }
  381. },
  382. password: {
  383. presence: {
  384. allowEmpty: false
  385. },
  386. length: {
  387. minimum: 6
  388. }
  389. },
  390. name: {
  391. presence: {
  392. allowEmpty: false
  393. },
  394. length: {
  395. minimum: 2,
  396. maximum: 255
  397. }
  398. }
  399. }, { format: 'flat' })
  400. if (validation && validation.length > 0) {
  401. throw new WIKI.Error.InputInvalid(validation[0])
  402. }
  404. // Check if email domain is whitelisted
  405. if (_.get(localStrg, 'domainWhitelist.v', []).length > 0 && !bypassChecks) {
  406. const emailDomain = _.last(email.split('@'))
  407. if (!_.includes(localStrg.domainWhitelist.v, emailDomain)) {
  408. throw new WIKI.Error.AuthRegistrationDomainUnauthorized()
  409. }
  410. }
  411. // Check if email already exists
  412. const usr = await WIKI.models.users.query().findOne({ email, providerKey: 'local' })
  413. if (!usr) {
  414. // Create the account
  415. const newUsr = await WIKI.models.users.query().insert({
  416. provider: 'local',
  417. email,
  418. name,
  419. password,
  420. locale: 'en',
  421. defaultEditor: 'markdown',
  422. tfaIsActive: false,
  423. isSystem: false,
  424. isActive: true,
  425. isVerified: false
  426. })
  428. // Assign to group(s)
  429. if (_.get(localStrg, 'autoEnrollGroups.v', []).length > 0) {
  430. await newUsr.$relatedQuery('groups').relate(localStrg.autoEnrollGroups.v)
  431. }
  433. if (verify) {
  434. // Create verification token
  435. const verificationToken = await WIKI.models.userKeys.generateToken({
  436. kind: 'verify',
  437. userId: newUsr.id
  438. })
  440. // Send verification email
  441. await WIKI.mail.send({
  442. template: 'accountVerify',
  443. to: email,
  444. subject: 'Verify your account',
  445. data: {
  446. preheadertext: 'Verify your account in order to gain access to the wiki.',
  447. title: 'Verify your account',
  448. content: 'Click the button below in order to verify your account and gain access to the wiki.',
  449. buttonLink: `${WIKI.config.host}/verify/${verificationToken}`,
  450. buttonText: 'Verify'
  451. },
  452. text: `You must open the following link in your browser to verify your account and gain access to the wiki: ${WIKI.config.host}/verify/${verificationToken}`
  453. })
  454. }
  455. return true
  456. } else {
  457. throw new WIKI.Error.AuthAccountAlreadyExists()
  458. }
  459. } else {
  460. throw new WIKI.Error.AuthRegistrationDisabled()
  461. }
  462. }
  464. static async getGuestUser () {
  465. const user = await WIKI.models.users.query().findById(2).eager('groups').modifyEager('groups', builder => {
  466. builder.select('groups.id', 'permissions')
  467. })
  468. if (!user) {
  469. WIKI.logger.error('CRITICAL ERROR: Guest user is missing!')
  470. process.exit(1)
  471. }
  472. user.permissions = user.getGlobalPermissions()
  473. return user
  474. }
  475. }