|
|
/* global WIKI */
const bcrypt = require('bcryptjs-then') const _ = require('lodash') const tfa = require('node-2fa') const securityHelper = require('../helpers/security') const Model = require('objection').Model
const bcryptRegexp = /^\$2[ayb]\$[0-9]{2}\$[A-Za-z0-9./]{53}$/
/** * Users model */ module.exports = class User extends Model { static get tableName() { return 'users' }
static get jsonSchema () { return { type: 'object', required: ['email', 'name', 'provider'],
properties: { id: {type: 'integer'}, email: {type: 'string', format: 'email'}, name: {type: 'string', minLength: 1, maxLength: 255}, providerId: {type: 'number'}, password: {type: 'string'}, role: {type: 'string', enum: ['admin', 'guest', 'user']}, tfaIsActive: {type: 'boolean', default: false}, tfaSecret: {type: 'string'}, jobTitle: {type: 'string'}, location: {type: 'string'}, pictureUrl: {type: 'string'}, createdAt: {type: 'string'}, updatedAt: {type: 'string'} } } }
static get relationMappings() { return { groups: { relation: Model.ManyToManyRelation, modelClass: require('./groups'), join: { from: 'users.id', through: { from: 'userGroups.userId', to: 'userGroups.groupId' }, to: 'groups.id' } }, provider: { relation: Model.BelongsToOneRelation, modelClass: require('./authentication'), join: { from: 'users.providerKey', to: 'authentication.key' } }, defaultEditor: { relation: Model.BelongsToOneRelation, modelClass: require('./editors'), join: { from: 'users.editorKey', to: 'editors.key' } }, locale: { relation: Model.BelongsToOneRelation, modelClass: require('./locales'), join: { from: 'users.localeCode', to: 'locales.code' } } } }
async $beforeUpdate(opt, context) { await super.$beforeUpdate(opt, context)
this.updatedAt = new Date().toISOString()
if (!(opt.patch && this.password === undefined)) { await this.generateHash() } } async $beforeInsert(context) { await super.$beforeInsert(context)
this.createdAt = new Date().toISOString() this.updatedAt = new Date().toISOString()
await this.generateHash() }
async generateHash() { if (this.password) { if (bcryptRegexp.test(this.password)) { return } this.password = await bcrypt.hash(this.password, 12) } }
async verifyPassword(pwd) { if (await bcrypt.compare(pwd, this.password) === true) { return true } else { throw new WIKI.Error.AuthLoginFailed() } }
async enableTFA() { let tfaInfo = tfa.generateSecret({ name: WIKI.config.site.title }) return this.$query.patch({ tfaIsActive: true, tfaSecret: tfaInfo.secret }) }
async disableTFA() { return this.$query.patch({ tfaIsActive: false, tfaSecret: '' }) }
async verifyTFA(code) { let result = tfa.verifyToken(this.tfaSecret, code) return (result && _.has(result, 'delta') && result.delta === 0) }
static async processProfile(profile) { let primaryEmail = '' if (_.isArray(profile.emails)) { let e = _.find(profile.emails, ['primary', true]) primaryEmail = (e) ? e.value : _.first(profile.emails).value } else if (_.isString(profile.email) && profile.email.length > 5) { primaryEmail = profile.email } else if (_.isString(profile.mail) && profile.mail.length > 5) { primaryEmail = profile.mail } else if (profile.user && profile.user.email && profile.user.email.length > 5) { primaryEmail = profile.user.email } else { return Promise.reject(new Error(WIKI.lang.t('auth:errors.invaliduseremail'))) }
profile.provider = _.lowerCase(profile.provider) primaryEmail = _.toLower(primaryEmail)
let user = await WIKI.models.users.query().findOne({ email: primaryEmail, provider: profile.provider }) if (user) { user.$query().patchAdnFetch({ email: primaryEmail, provider: profile.provider, providerId: profile.id, name: profile.displayName || _.split(primaryEmail, '@')[0] }) } else { user = await WIKI.models.users.query().insertAndFetch({ email: primaryEmail, provider: profile.provider, providerId: profile.id, name: profile.displayName || _.split(primaryEmail, '@')[0] }) }
// Handle unregistered accounts
// if (!user && profile.provider !== 'local' && (WIKI.config.auth.defaultReadAccess || profile.provider === 'ldap' || profile.provider === 'azure')) {
// let nUsr = {
// email: primaryEmail,
// provider: profile.provider,
// providerId: profile.id,
// password: '',
// name: profile.displayName || profile.name || profile.cn,
// rights: [{
// role: 'read',
// path: '/',
// exact: false,
// deny: false
// }]
// }
// return WIKI.models.users.query().insert(nUsr)
// }
return user }
static async login (opts, context) { if (_.has(WIKI.auth.strategies, opts.strategy)) { _.set(context.req, 'body.email', opts.username) _.set(context.req, 'body.password', opts.password)
// Authenticate
return new Promise((resolve, reject) => { WIKI.auth.passport.authenticate(opts.strategy, async (err, user, info) => { if (err) { return reject(err) } if (!user) { return reject(new WIKI.Error.AuthLoginFailed()) }
// Is 2FA required?
if (user.tfaIsActive) { try { let loginToken = await securityHelper.generateToken(32) await WIKI.redis.set(`tfa:${loginToken}`, user.id, 'EX', 600) return resolve({ tfaRequired: true, tfaLoginToken: loginToken }) } catch (err) { WIKI.logger.warn(err) return reject(new WIKI.Error.AuthGenericError()) } } else { // No 2FA, log in user
return context.req.logIn(user, err => { if (err) { return reject(err) } resolve({ tfaRequired: false }) }) } })(context.req, context.res, () => {}) }) } else { throw new WIKI.Error.AuthProviderInvalid() } }
static async loginTFA(opts, context) { if (opts.securityCode.length === 6 && opts.loginToken.length === 64) { let result = await WIKI.redis.get(`tfa:${opts.loginToken}`) if (result) { let userId = _.toSafeInteger(result) if (userId && userId > 0) { let user = await WIKI.models.users.query().findById(userId) if (user && user.verifyTFA(opts.securityCode)) { return Promise.fromCallback(clb => { context.req.logIn(user, clb) }).return({ succeeded: true, message: 'Login Successful' }).catch(err => { WIKI.logger.warn(err) throw new WIKI.Error.AuthGenericError() }) } else { throw new WIKI.Error.AuthTFAFailed() } } } } throw new WIKI.Error.AuthTFAInvalid() } }
|