You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

260 lines
7.4 KiB

6 years ago
  1. /* global WIKI */
  2. const bcrypt = require('bcryptjs-then')
  3. const _ = require('lodash')
  4. const tfa = require('node-2fa')
  5. const securityHelper = require('../helpers/security')
  6. const Model = require('objection').Model
  7. const bcryptRegexp = /^\$2[ayb]\$[0-9]{2}\$[A-Za-z0-9./]{53}$/
  8. /**
  9. * Users model
  10. */
  11. module.exports = class User extends Model {
  12. static get tableName() { return 'users' }
  13. static get jsonSchema () {
  14. return {
  15. type: 'object',
  16. required: ['email', 'name', 'provider'],
  17. properties: {
  18. id: {type: 'integer'},
  19. email: {type: 'string', format: 'email'},
  20. name: {type: 'string', minLength: 1, maxLength: 255},
  21. providerId: {type: 'number'},
  22. password: {type: 'string'},
  23. role: {type: 'string', enum: ['admin', 'guest', 'user']},
  24. tfaIsActive: {type: 'boolean', default: false},
  25. tfaSecret: {type: 'string'},
  26. jobTitle: {type: 'string'},
  27. location: {type: 'string'},
  28. pictureUrl: {type: 'string'},
  29. createdAt: {type: 'string'},
  30. updatedAt: {type: 'string'}
  31. }
  32. }
  33. }
  34. static get relationMappings() {
  35. return {
  36. groups: {
  37. relation: Model.ManyToManyRelation,
  38. modelClass: require('./groups'),
  39. join: {
  40. from: 'users.id',
  41. through: {
  42. from: 'userGroups.userId',
  43. to: 'userGroups.groupId'
  44. },
  45. to: 'groups.id'
  46. }
  47. },
  48. provider: {
  49. relation: Model.BelongsToOneRelation,
  50. modelClass: require('./authentication'),
  51. join: {
  52. from: 'users.providerKey',
  53. to: 'authentication.key'
  54. }
  55. },
  56. defaultEditor: {
  57. relation: Model.BelongsToOneRelation,
  58. modelClass: require('./editors'),
  59. join: {
  60. from: 'users.editorKey',
  61. to: 'editors.key'
  62. }
  63. },
  64. locale: {
  65. relation: Model.BelongsToOneRelation,
  66. modelClass: require('./locales'),
  67. join: {
  68. from: 'users.localeCode',
  69. to: 'locales.code'
  70. }
  71. }
  72. }
  73. }
  74. async $beforeUpdate(opt, context) {
  75. await super.$beforeUpdate(opt, context)
  76. this.updatedAt = new Date().toISOString()
  77. if (!(opt.patch && this.password === undefined)) {
  78. await this.generateHash()
  79. }
  80. }
  81. async $beforeInsert(context) {
  82. await super.$beforeInsert(context)
  83. this.createdAt = new Date().toISOString()
  84. this.updatedAt = new Date().toISOString()
  85. await this.generateHash()
  86. }
  87. async generateHash() {
  88. if (this.password) {
  89. if (bcryptRegexp.test(this.password)) { return }
  90. this.password = await bcrypt.hash(this.password, 12)
  91. }
  92. }
  93. async verifyPassword(pwd) {
  94. if (await bcrypt.compare(pwd, this.password) === true) {
  95. return true
  96. } else {
  97. throw new WIKI.Error.AuthLoginFailed()
  98. }
  99. }
  100. async enableTFA() {
  101. let tfaInfo = tfa.generateSecret({
  102. name: WIKI.config.site.title
  103. })
  104. return this.$query.patch({
  105. tfaIsActive: true,
  106. tfaSecret: tfaInfo.secret
  107. })
  108. }
  109. async disableTFA() {
  110. return this.$query.patch({
  111. tfaIsActive: false,
  112. tfaSecret: ''
  113. })
  114. }
  115. async verifyTFA(code) {
  116. let result = tfa.verifyToken(this.tfaSecret, code)
  117. return (result && _.has(result, 'delta') && result.delta === 0)
  118. }
  119. static async processProfile(profile) {
  120. let primaryEmail = ''
  121. if (_.isArray(profile.emails)) {
  122. let e = _.find(profile.emails, ['primary', true])
  123. primaryEmail = (e) ? e.value : _.first(profile.emails).value
  124. } else if (_.isString(profile.email) && profile.email.length > 5) {
  125. primaryEmail = profile.email
  126. } else if (_.isString(profile.mail) && profile.mail.length > 5) {
  127. primaryEmail = profile.mail
  128. } else if (profile.user && profile.user.email && profile.user.email.length > 5) {
  129. primaryEmail = profile.user.email
  130. } else {
  131. return Promise.reject(new Error(WIKI.lang.t('auth:errors.invaliduseremail')))
  132. }
  133. profile.provider = _.lowerCase(profile.provider)
  134. primaryEmail = _.toLower(primaryEmail)
  135. let user = await WIKI.models.users.query().findOne({
  136. email: primaryEmail,
  137. provider: profile.provider
  138. })
  139. if (user) {
  140. user.$query().patchAdnFetch({
  141. email: primaryEmail,
  142. provider: profile.provider,
  143. providerId: profile.id,
  144. name: profile.displayName || _.split(primaryEmail, '@')[0]
  145. })
  146. } else {
  147. user = await WIKI.models.users.query().insertAndFetch({
  148. email: primaryEmail,
  149. provider: profile.provider,
  150. providerId: profile.id,
  151. name: profile.displayName || _.split(primaryEmail, '@')[0]
  152. })
  153. }
  154. // Handle unregistered accounts
  155. // if (!user && profile.provider !== 'local' && (WIKI.config.auth.defaultReadAccess || profile.provider === 'ldap' || profile.provider === 'azure')) {
  156. // let nUsr = {
  157. // email: primaryEmail,
  158. // provider: profile.provider,
  159. // providerId: profile.id,
  160. // password: '',
  161. // name: profile.displayName || profile.name || profile.cn,
  162. // rights: [{
  163. // role: 'read',
  164. // path: '/',
  165. // exact: false,
  166. // deny: false
  167. // }]
  168. // }
  169. // return WIKI.models.users.query().insert(nUsr)
  170. // }
  171. return user
  172. }
  173. static async login (opts, context) {
  174. if (_.has(WIKI.auth.strategies, opts.strategy)) {
  175. _.set(context.req, 'body.email', opts.username)
  176. _.set(context.req, 'body.password', opts.password)
  177. // Authenticate
  178. return new Promise((resolve, reject) => {
  179. WIKI.auth.passport.authenticate(opts.strategy, async (err, user, info) => {
  180. if (err) { return reject(err) }
  181. if (!user) { return reject(new WIKI.Error.AuthLoginFailed()) }
  182. // Is 2FA required?
  183. if (user.tfaIsActive) {
  184. try {
  185. let loginToken = await securityHelper.generateToken(32)
  186. await WIKI.redis.set(`tfa:${loginToken}`, user.id, 'EX', 600)
  187. return resolve({
  188. tfaRequired: true,
  189. tfaLoginToken: loginToken
  190. })
  191. } catch (err) {
  192. WIKI.logger.warn(err)
  193. return reject(new WIKI.Error.AuthGenericError())
  194. }
  195. } else {
  196. // No 2FA, log in user
  197. return context.req.logIn(user, err => {
  198. if (err) { return reject(err) }
  199. resolve({
  200. tfaRequired: false
  201. })
  202. })
  203. }
  204. })(context.req, context.res, () => {})
  205. })
  206. } else {
  207. throw new WIKI.Error.AuthProviderInvalid()
  208. }
  209. }
  210. static async loginTFA(opts, context) {
  211. if (opts.securityCode.length === 6 && opts.loginToken.length === 64) {
  212. let result = await WIKI.redis.get(`tfa:${opts.loginToken}`)
  213. if (result) {
  214. let userId = _.toSafeInteger(result)
  215. if (userId && userId > 0) {
  216. let user = await WIKI.models.users.query().findById(userId)
  217. if (user && user.verifyTFA(opts.securityCode)) {
  218. return Promise.fromCallback(clb => {
  219. context.req.logIn(user, clb)
  220. }).return({
  221. succeeded: true,
  222. message: 'Login Successful'
  223. }).catch(err => {
  224. WIKI.logger.warn(err)
  225. throw new WIKI.Error.AuthGenericError()
  226. })
  227. } else {
  228. throw new WIKI.Error.AuthTFAFailed()
  229. }
  230. }
  231. }
  232. }
  233. throw new WIKI.Error.AuthTFAInvalid()
  234. }
  235. }