richard
/
wiki
mirror of https://github.com/Requarks/wiki.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1376 Commits
3 Branches
120 Tags
80 MiB
Tree: 4398573645
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4398573645'
${ noResults }
wiki/server/models/users.js

727 lines
21 KiB
Raw Normal View History

refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: register server-side validation + forgot password UI
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: remove config namespaces
6 years ago
feat: user edit UI + admin UI improvements + fixes
5 years ago
feat: account verification + mail config in admin area
5 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: knex remaining models
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: save page
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: page Rules access check
5 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: knex remaining models
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: page Rules access check
5 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
feat: twitch auth module
5 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: oauth2 login (wip)
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: admin create user + markdown help fix
5 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
fix: truncate pictureUrl if too long (#1311)
4 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
feat: twitch auth module
5 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
refactor: migrate to objection.js + knex
6 years ago
fix: client login
6 years ago
feat: oauth2 login (wip)
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: oauth2 login (wip)
5 years ago
feat: auth0 + discord + github + slack auth modules
5 years ago
feat: oauth2 login (wip)
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: mandatory password change on login + UI fixes
5 years ago
fix: code linting
5 years ago
feat: mandatory password change on login + UI fixes
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: mandatory password change on login + UI fixes
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: mandatory password change on login + UI fixes
5 years ago
refactor: migrate to objection.js + knex
6 years ago
fix: code linting
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: mandatory password change on login + UI fixes
5 years ago
fix: code linting
5 years ago
feat: mandatory password change on login + UI fixes
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
fix: objection 2 changes
4 years ago
feat: page Rules access check
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
fix: missing guest global permissions (#788)
5 years ago
fix: objection 2 changes
4 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: page Rules access check
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: page Rules access check
5 years ago
feat: user menu + jwt certs + UI fixes
6 years ago
feat: guest + user permissions
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: mandatory password change on login + UI fixes
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: utilities section (wip) + auth utilities
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: register validation + create + admin improvements
5 years ago
feat: mandatory password change on login + UI fixes
5 years ago
feat: update user
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: admin create user + markdown help fix
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: admin create user + markdown help fix
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: admin create user + markdown help fix
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: admin create user + markdown help fix
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: admin create user + markdown help fix
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: admin create user + markdown help fix
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: admin create user + markdown help fix
5 years ago
misc: migrate to vuetify 2.0 (wip)
5 years ago
feat: update user
5 years ago
fix: cannot update user email from admin (#1197)
5 years ago
feat: update user
5 years ago
feat: mandatory password change on login + UI fixes
5 years ago
feat: update user
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: register validation + create + admin improvements
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
fix: missing guest global permissions (#788)
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: admin general + verify account
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: account verification + mail config in admin area
5 years ago
fix: self-registration not assigning to predefined group
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: admin general + verify account
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: register validation + create + admin improvements
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: register validation + create + admin improvements
5 years ago
feat: guest + user permissions
5 years ago
fix: objection.js 2.0 compat fixes
4 years ago
feat: page Rules access check
5 years ago
fix: missing guest global permissions (#788)
5 years ago
feat: guest + user permissions
5 years ago
feat: local disk import all action + v1 import content (#1100)
5 years ago
refactor: migrate to objection.js + knex
6 years ago
  1. /* global WIKI */
  3. const bcrypt = require('bcryptjs-then')
  4. const _ = require('lodash')
  5. const tfa = require('node-2fa')
  6. const jwt = require('jsonwebtoken')
  7. const Model = require('objection').Model
  8. const validate = require('validate.js')
  10. const bcryptRegexp = /^\$2[ayb]\$[0-9]{2}\$[A-Za-z0-9./]{53}$/
  12. /**
  13. * Users model
  14. */
  15. module.exports = class User extends Model {
  16. static get tableName() { return 'users' }
  18. static get jsonSchema () {
  19. return {
  20. type: 'object',
  21. required: ['email'],
  23. properties: {
  24. id: {type: 'integer'},
  25. email: {type: 'string', format: 'email'},
  26. name: {type: 'string', minLength: 1, maxLength: 255},
  27. providerId: {type: 'string'},
  28. password: {type: 'string'},
  29. tfaIsActive: {type: 'boolean', default: false},
  30. tfaSecret: {type: 'string'},
  31. jobTitle: {type: 'string'},
  32. location: {type: 'string'},
  33. pictureUrl: {type: 'string'},
  34. isSystem: {type: 'boolean'},
  35. isActive: {type: 'boolean'},
  36. isVerified: {type: 'boolean'},
  37. createdAt: {type: 'string'},
  38. updatedAt: {type: 'string'}
  39. }
  40. }
  41. }
  43. static get relationMappings() {
  44. return {
  45. groups: {
  46. relation: Model.ManyToManyRelation,
  47. modelClass: require('./groups'),
  48. join: {
  49. from: 'users.id',
  50. through: {
  51. from: 'userGroups.userId',
  52. to: 'userGroups.groupId'
  53. },
  54. to: 'groups.id'
  55. }
  56. },
  57. provider: {
  58. relation: Model.BelongsToOneRelation,
  59. modelClass: require('./authentication'),
  60. join: {
  61. from: 'users.providerKey',
  62. to: 'authentication.key'
  63. }
  64. },
  65. defaultEditor: {
  66. relation: Model.BelongsToOneRelation,
  67. modelClass: require('./editors'),
  68. join: {
  69. from: 'users.editorKey',
  70. to: 'editors.key'
  71. }
  72. },
  73. locale: {
  74. relation: Model.BelongsToOneRelation,
  75. modelClass: require('./locales'),
  76. join: {
  77. from: 'users.localeCode',
  78. to: 'locales.code'
  79. }
  80. }
  81. }
  82. }
  84. async $beforeUpdate(opt, context) {
  85. await super.$beforeUpdate(opt, context)
  87. this.updatedAt = new Date().toISOString()
  89. if (!(opt.patch && this.password === undefined)) {
  90. await this.generateHash()
  91. }
  92. }
  93. async $beforeInsert(context) {
  94. await super.$beforeInsert(context)
  96. this.createdAt = new Date().toISOString()
  97. this.updatedAt = new Date().toISOString()
  99. await this.generateHash()
  100. }
  102. // ------------------------------------------------
  103. // Instance Methods
  104. // ------------------------------------------------
  106. async generateHash() {
  107. if (this.password) {
  108. if (bcryptRegexp.test(this.password)) { return }
  109. this.password = await bcrypt.hash(this.password, 12)
  110. }
  111. }
  113. async verifyPassword(pwd) {
  114. if (await bcrypt.compare(pwd, this.password) === true) {
  115. return true
  116. } else {
  117. throw new WIKI.Error.AuthLoginFailed()
  118. }
  119. }
  121. async enableTFA() {
  122. let tfaInfo = tfa.generateSecret({
  123. name: WIKI.config.site.title
  124. })
  125. return this.$query.patch({
  126. tfaIsActive: true,
  127. tfaSecret: tfaInfo.secret
  128. })
  129. }
  131. async disableTFA() {
  132. return this.$query.patch({
  133. tfaIsActive: false,
  134. tfaSecret: ''
  135. })
  136. }
  138. async verifyTFA(code) {
  139. let result = tfa.verifyToken(this.tfaSecret, code)
  140. return (result && _.has(result, 'delta') && result.delta === 0)
  141. }
  143. getGlobalPermissions() {
  144. return _.uniq(_.flatten(_.map(this.groups, 'permissions')))
  145. }
  147. getGroups() {
  148. return _.uniq(_.map(this.groups, 'id'))
  149. }
  151. // ------------------------------------------------
  152. // Model Methods
  153. // ------------------------------------------------
  155. static async processProfile({ profile, providerKey }) {
  156. const provider = _.get(WIKI.auth.strategies, providerKey, {})
  157. provider.info = _.find(WIKI.data.authentication, ['key', providerKey])
  159. // Find existing user
  160. let user = await WIKI.models.users.query().findOne({
  161. providerId: _.toString(profile.id),
  162. providerKey
  163. })
  165. // Parse email
  166. let primaryEmail = ''
  167. if (_.isArray(profile.emails)) {
  168. const e = _.find(profile.emails, ['primary', true])
  169. primaryEmail = (e) ? e.value : _.first(profile.emails).value
  170. } else if (_.isString(profile.email) && profile.email.length > 5) {
  171. primaryEmail = profile.email
  172. } else if (_.isString(profile.mail) && profile.mail.length > 5) {
  173. primaryEmail = profile.mail
  174. } else if (profile.user && profile.user.email && profile.user.email.length > 5) {
  175. primaryEmail = profile.user.email
  176. } else {
  177. throw new Error('Missing or invalid email address from profile.')
  178. }
  179. primaryEmail = _.toLower(primaryEmail)
  181. // Find pending social user
  182. if (!user) {
  183. user = await WIKI.models.users.query().findOne({
  184. email: primaryEmail,
  185. providerId: null,
  186. providerKey
  187. })
  188. if (user) {
  189. user = await user.$query().patchAndFetch({
  190. providerId: _.toString(profile.id)
  191. })
  192. }
  193. }
  195. // Parse display name
  196. let displayName = ''
  197. if (_.isString(profile.displayName) && profile.displayName.length > 0) {
  198. displayName = profile.displayName
  199. } else if (_.isString(profile.name) && profile.name.length > 0) {
  200. displayName = profile.name
  201. } else {
  202. displayName = primaryEmail.split('@')[0]
  203. }
  205. // Parse picture URL
  206. let pictureUrl = _.truncate(_.get(profile, 'picture', _.get(user, 'pictureUrl', null)), {
  207. length: 255,
  208. omission: ''
  209. })
  211. // Update existing user
  212. if (user) {
  213. if (!user.isActive) {
  214. throw new WIKI.Error.AuthAccountBanned()
  215. }
  216. if (user.isSystem) {
  217. throw new Error('This is a system reserved account and cannot be used.')
  218. }
  220. user = await user.$query().patchAndFetch({
  221. email: primaryEmail,
  222. name: displayName,
  223. pictureUrl: pictureUrl
  224. })
  226. return user
  227. }
  229. // Self-registration
  230. if (provider.selfRegistration) {
  231. // Check if email domain is whitelisted
  232. if (_.get(provider, 'domainWhitelist', []).length > 0) {
  233. const emailDomain = _.last(primaryEmail.split('@'))
  234. if (!_.includes(provider.domainWhitelist, emailDomain)) {
  235. throw new WIKI.Error.AuthRegistrationDomainUnauthorized()
  236. }
  237. }
  239. // Create account
  240. user = await WIKI.models.users.query().insertAndFetch({
  241. providerKey: providerKey,
  242. providerId: _.toString(profile.id),
  243. email: primaryEmail,
  244. name: displayName,
  245. pictureUrl: pictureUrl,
  246. localeCode: WIKI.config.lang.code,
  247. defaultEditor: 'markdown',
  248. tfaIsActive: false,
  249. isSystem: false,
  250. isActive: true,
  251. isVerified: true
  252. })
  254. // Assign to group(s)
  255. if (provider.autoEnrollGroups.length > 0) {
  256. await user.$relatedQuery('groups').relate(provider.autoEnrollGroups)
  257. }
  259. return user
  260. }
  262. throw new Error('You are not authorized to login.')
  263. }
  265. static async login (opts, context) {
  266. if (_.has(WIKI.auth.strategies, opts.strategy)) {
  267. const strInfo = _.find(WIKI.data.authentication, ['key', opts.strategy])
  269. // Inject form user/pass
  270. if (strInfo.useForm) {
  271. _.set(context.req, 'body.email', opts.username)
  272. _.set(context.req, 'body.password', opts.password)
  273. }
  275. // Authenticate
  276. return new Promise((resolve, reject) => {
  277. WIKI.auth.passport.authenticate(opts.strategy, {
  278. session: !strInfo.useForm,
  279. scope: strInfo.scopes ? strInfo.scopes : null
  280. }, async (err, user, info) => {
  281. if (err) { return reject(err) }
  282. if (!user) { return reject(new WIKI.Error.AuthLoginFailed()) }
  284. // Must Change Password?
  285. if (user.mustChangePwd) {
  286. try {
  287. const pwdChangeToken = await WIKI.models.userKeys.generateToken({
  288. kind: 'changePwd',
  289. userId: user.id
  290. })
  292. return resolve({
  293. mustChangePwd: true,
  294. continuationToken: pwdChangeToken
  295. })
  296. } catch (errc) {
  297. WIKI.logger.warn(errc)
  298. return reject(new WIKI.Error.AuthGenericError())
  299. }
  300. }
  302. // Is 2FA required?
  303. if (user.tfaIsActive) {
  304. try {
  305. const tfaToken = await WIKI.models.userKeys.generateToken({
  306. kind: 'tfa',
  307. userId: user.id
  308. })
  309. return resolve({
  310. tfaRequired: true,
  311. continuationToken: tfaToken
  312. })
  313. } catch (errc) {
  314. WIKI.logger.warn(errc)
  315. return reject(new WIKI.Error.AuthGenericError())
  316. }
  317. }
  319. context.req.logIn(user, { session: !strInfo.useForm }, async errc => {
  320. if (errc) { return reject(errc) }
  321. const jwtToken = await WIKI.models.users.refreshToken(user)
  322. resolve({ jwt: jwtToken.token })
  323. })
  324. })(context.req, context.res, () => {})
  325. })
  326. } else {
  327. throw new WIKI.Error.AuthProviderInvalid()
  328. }
  329. }
  331. static async refreshToken(user) {
  332. if (_.isSafeInteger(user)) {
  333. user = await WIKI.models.users.query().findById(user).withGraphFetched('groups').modifyGraph('groups', builder => {
  334. builder.select('groups.id', 'permissions')
  335. })
  336. if (!user) {
  337. WIKI.logger.warn(`Failed to refresh token for user ${user}: Not found.`)
  338. throw new WIKI.Error.AuthGenericError()
  339. }
  340. } else if (_.isNil(user.groups)) {
  341. user.groups = await user.$relatedQuery('groups').select('groups.id', 'permissions')
  342. }
  344. return {
  345. token: jwt.sign({
  346. id: user.id,
  347. email: user.email,
  348. name: user.name,
  349. pictureUrl: user.pictureUrl,
  350. timezone: user.timezone,
  351. localeCode: user.localeCode,
  352. defaultEditor: user.defaultEditor,
  353. permissions: user.getGlobalPermissions(),
  354. groups: user.getGroups()
  355. }, {
  356. key: WIKI.config.certs.private,
  357. passphrase: WIKI.config.sessionSecret
  358. }, {
  359. algorithm: 'RS256',
  360. expiresIn: WIKI.config.auth.tokenExpiration,
  361. audience: WIKI.config.auth.audience,
  362. issuer: 'urn:wiki.js'
  363. }),
  364. user
  365. }
  366. }
  368. static async loginTFA (opts, context) {
  369. if (opts.securityCode.length === 6 && opts.loginToken.length === 64) {
  370. let result = await WIKI.redis.get(`tfa:${opts.loginToken}`)
  371. if (result) {
  372. let userId = _.toSafeInteger(result)
  373. if (userId && userId > 0) {
  374. let user = await WIKI.models.users.query().findById(userId)
  375. if (user && user.verifyTFA(opts.securityCode)) {
  376. return Promise.fromCallback(clb => {
  377. context.req.logIn(user, clb)
  378. }).return({
  379. succeeded: true,
  380. message: 'Login Successful'
  381. }).catch(err => {
  382. WIKI.logger.warn(err)
  383. throw new WIKI.Error.AuthGenericError()
  384. })
  385. } else {
  386. throw new WIKI.Error.AuthTFAFailed()
  387. }
  388. }
  389. }
  390. }
  391. throw new WIKI.Error.AuthTFAInvalid()
  392. }
  394. /**
  395. * Change Password from a Mandatory Password Change after Login
  396. */
  397. static async loginChangePassword ({ continuationToken, newPassword }, context) {
  398. if (!newPassword || newPassword.length < 6) {
  399. throw new WIKI.Error.InputInvalid('Password must be at least 6 characters!')
  400. }
  401. const usr = await WIKI.models.userKeys.validateToken({
  402. kind: 'changePwd',
  403. token: continuationToken
  404. })
  406. if (usr) {
  407. await WIKI.models.users.query().patch({
  408. password: newPassword,
  409. mustChangePwd: false
  410. }).findById(usr.id)
  412. return new Promise((resolve, reject) => {
  413. context.req.logIn(usr, { session: false }, async err => {
  414. if (err) { return reject(err) }
  415. const jwtToken = await WIKI.models.users.refreshToken(usr)
  416. resolve({ jwt: jwtToken.token })
  417. })
  418. })
  419. } else {
  420. throw new WIKI.Error.UserNotFound()
  421. }
  422. }
  424. /**
  425. * Create a new user
  426. *
  427. * @param {Object} param0 User Fields
  428. */
  429. static async createNewUser ({ providerKey, email, passwordRaw, name, groups, mustChangePassword, sendWelcomeEmail }) {
  430. // Input sanitization
  431. email = _.toLower(email)
  433. // Input validation
  434. let validation = null
  435. if (providerKey === 'local') {
  436. validation = validate({
  437. email,
  438. passwordRaw,
  439. name
  440. }, {
  441. email: {
  442. email: true,
  443. length: {
  444. maximum: 255
  445. }
  446. },
  447. passwordRaw: {
  448. presence: {
  449. allowEmpty: false
  450. },
  451. length: {
  452. minimum: 6
  453. }
  454. },
  455. name: {
  456. presence: {
  457. allowEmpty: false
  458. },
  459. length: {
  460. minimum: 2,
  461. maximum: 255
  462. }
  463. }
  464. }, { format: 'flat' })
  465. } else {
  466. validation = validate({
  467. email,
  468. name
  469. }, {
  470. email: {
  471. email: true,
  472. length: {
  473. maximum: 255
  474. }
  475. },
  476. name: {
  477. presence: {
  478. allowEmpty: false
  479. },
  480. length: {
  481. minimum: 2,
  482. maximum: 255
  483. }
  484. }
  485. }, { format: 'flat' })
  486. }
  488. if (validation && validation.length > 0) {
  489. throw new WIKI.Error.InputInvalid(validation[0])
  490. }
  492. // Check if email already exists
  493. const usr = await WIKI.models.users.query().findOne({ email, providerKey })
  494. if (!usr) {
  495. // Create the account
  496. let newUsrData = {
  497. providerKey,
  498. email,
  499. name,
  500. locale: 'en',
  501. defaultEditor: 'markdown',
  502. tfaIsActive: false,
  503. isSystem: false,
  504. isActive: true,
  505. isVerified: true,
  506. mustChangePwd: false
  507. }
  509. if (providerKey === `local`) {
  510. newUsrData.password = passwordRaw
  511. newUsrData.mustChangePwd = (mustChangePassword === true)
  512. }
  514. const newUsr = await WIKI.models.users.query().insert(newUsrData)
  516. // Assign to group(s)
  517. if (groups.length > 0) {
  518. await newUsr.$relatedQuery('groups').relate(groups)
  519. }
  521. if (sendWelcomeEmail) {
  522. // Send welcome email
  523. await WIKI.mail.send({
  524. template: 'accountWelcome',
  525. to: email,
  526. subject: `Welcome to the wiki ${WIKI.config.title}`,
  527. data: {
  528. preheadertext: `You've been invited to the wiki ${WIKI.config.title}`,
  529. title: `You've been invited to the wiki ${WIKI.config.title}`,
  530. content: `Click the button below to access the wiki.`,
  531. buttonLink: `${WIKI.config.host}/login`,
  532. buttonText: 'Login'
  533. },
  534. text: `You've been invited to the wiki ${WIKI.config.title}: ${WIKI.config.host}/login`
  535. })
  536. }
  537. } else {
  538. throw new WIKI.Error.AuthAccountAlreadyExists()
  539. }
  540. }
  542. /**
  543. * Update an existing user
  544. *
  545. * @param {Object} param0 User ID and fields to update
  546. */
  547. static async updateUser ({ id, email, name, newPassword, groups, location, jobTitle, timezone }) {
  548. const usr = await WIKI.models.users.query().findById(id)
  549. if (usr) {
  550. let usrData = {}
  551. if (!_.isEmpty(email) && email !== usr.email) {
  552. const dupUsr = await WIKI.models.users.query().select('id').where({
  553. email,
  554. providerKey: usr.providerKey
  555. }).first()
  556. if (dupUsr) {
  557. throw new WIKI.Error.AuthAccountAlreadyExists()
  558. }
  559. usrData.email = email
  560. }
  561. if (!_.isEmpty(name) && name !== usr.name) {
  562. usrData.name = _.trim(name)
  563. }
  564. if (!_.isEmpty(newPassword)) {
  565. if (newPassword.length < 6) {
  566. throw new WIKI.Error.InputInvalid('Password must be at least 6 characters!')
  567. }
  568. usrData.password = newPassword
  569. }
  570. if (_.isArray(groups)) {
  571. const usrGroupsRaw = await usr.$relatedQuery('groups')
  572. const usrGroups = _.map(usrGroupsRaw, 'id')
  573. // Relate added groups
  574. const addUsrGroups = _.difference(groups, usrGroups)
  575. for (const grp of addUsrGroups) {
  576. await usr.$relatedQuery('groups').relate(grp)
  577. }
  578. // Unrelate removed groups
  579. const remUsrGroups = _.difference(usrGroups, groups)
  580. for (const grp of remUsrGroups) {
  581. await usr.$relatedQuery('groups').unrelate().where('groupId', grp)
  582. }
  583. }
  584. if (!_.isEmpty(location) && location !== usr.location) {
  585. usrData.location = _.trim(location)
  586. }
  587. if (!_.isEmpty(jobTitle) && jobTitle !== usr.jobTitle) {
  588. usrData.jobTitle = _.trim(jobTitle)
  589. }
  590. if (!_.isEmpty(timezone) && timezone !== usr.timezone) {
  591. usrData.timezone = timezone
  592. }
  593. await WIKI.models.users.query().patch(usrData).findById(id)
  594. } else {
  595. throw new WIKI.Error.UserNotFound()
  596. }
  597. }
  599. /**
  600. * Register a new user (client-side registration)
  601. *
  602. * @param {Object} param0 User fields
  603. * @param {Object} context GraphQL Context
  604. */
  605. static async register ({ email, password, name, verify = false, bypassChecks = false }, context) {
  606. const localStrg = await WIKI.models.authentication.getStrategy('local')
  607. // Check if self-registration is enabled
  608. if (localStrg.selfRegistration || bypassChecks) {
  609. // Input sanitization
  610. email = _.toLower(email)
  612. // Input validation
  613. const validation = validate({
  614. email,
  615. password,
  616. name
  617. }, {
  618. email: {
  619. email: true,
  620. length: {
  621. maximum: 255
  622. }
  623. },
  624. password: {
  625. presence: {
  626. allowEmpty: false
  627. },
  628. length: {
  629. minimum: 6
  630. }
  631. },
  632. name: {
  633. presence: {
  634. allowEmpty: false
  635. },
  636. length: {
  637. minimum: 2,
  638. maximum: 255
  639. }
  640. }
  641. }, { format: 'flat' })
  642. if (validation && validation.length > 0) {
  643. throw new WIKI.Error.InputInvalid(validation[0])
  644. }
  646. // Check if email domain is whitelisted
  647. if (_.get(localStrg, 'domainWhitelist.v', []).length > 0 && !bypassChecks) {
  648. const emailDomain = _.last(email.split('@'))
  649. if (!_.includes(localStrg.domainWhitelist.v, emailDomain)) {
  650. throw new WIKI.Error.AuthRegistrationDomainUnauthorized()
  651. }
  652. }
  653. // Check if email already exists
  654. const usr = await WIKI.models.users.query().findOne({ email, providerKey: 'local' })
  655. if (!usr) {
  656. // Create the account
  657. const newUsr = await WIKI.models.users.query().insert({
  658. provider: 'local',
  659. email,
  660. name,
  661. password,
  662. locale: 'en',
  663. defaultEditor: 'markdown',
  664. tfaIsActive: false,
  665. isSystem: false,
  666. isActive: true,
  667. isVerified: false
  668. })
  670. // Assign to group(s)
  671. if (_.get(localStrg, 'autoEnrollGroups.v', []).length > 0) {
  672. await newUsr.$relatedQuery('groups').relate(localStrg.autoEnrollGroups.v)
  673. }
  675. if (verify) {
  676. // Create verification token
  677. const verificationToken = await WIKI.models.userKeys.generateToken({
  678. kind: 'verify',
  679. userId: newUsr.id
  680. })
  682. // Send verification email
  683. await WIKI.mail.send({
  684. template: 'accountVerify',
  685. to: email,
  686. subject: 'Verify your account',
  687. data: {
  688. preheadertext: 'Verify your account in order to gain access to the wiki.',
  689. title: 'Verify your account',
  690. content: 'Click the button below in order to verify your account and gain access to the wiki.',
  691. buttonLink: `${WIKI.config.host}/verify/${verificationToken}`,
  692. buttonText: 'Verify'
  693. },
  694. text: `You must open the following link in your browser to verify your account and gain access to the wiki: ${WIKI.config.host}/verify/${verificationToken}`
  695. })
  696. }
  697. return true
  698. } else {
  699. throw new WIKI.Error.AuthAccountAlreadyExists()
  700. }
  701. } else {
  702. throw new WIKI.Error.AuthRegistrationDisabled()
  703. }
  704. }
  706. static async getGuestUser () {
  707. const user = await WIKI.models.users.query().findById(2).withGraphJoined('groups').modifyGraph('groups', builder => {
  708. builder.select('groups.id', 'permissions')
  709. })
  710. if (!user) {
  711. WIKI.logger.error('CRITICAL ERROR: Guest user is missing!')
  712. process.exit(1)
  713. }
  714. user.permissions = user.getGlobalPermissions()
  715. return user
  716. }
  718. static async getRootUser () {
  719. let user = await WIKI.models.users.query().findById(1)
  720. if (!user) {
  721. WIKI.logger.error('CRITICAL ERROR: Root Administrator user is missing!')
  722. process.exit(1)
  723. }
  724. user.permissions = ['manage:system']
  725. return user
  726. }
  727. }